R3303-HP HSR6800 Routers Security Configuration Guide

Configuration guidelines
Follow these guidelines when you configure the authentication trigger function:
• Enable the multicast trigger on a port when the clients attached to the port cannot send EAPOL-Start packets to initiate 802.1X authentication.
• Enable the unicast trigger on a port if only a few 802.1X clients are attached to the port and these clients cannot initiate authentication.
• To avoid duplicate authentication packets, do not enable both triggers on a port.
Configuration procedure
To configure the authentication trigger function on a port:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Set the username request timeout timer.
  Command: dot1x timer tx-period tx-period-value
  Remarks: Optional. The default setting is 30 seconds.

Step 3. Enter Ethernet interface view.
  Command: interface interface-type interface-number
  Remarks: N/A

Step 4. Enable an authentication trigger.
  Command: dot1x { multicast-trigger | unicast-trigger }
  Remarks: Required if you want to enable the unicast trigger. By default, the multicast trigger is enabled, and the unicast trigger is disabled.
Specifying a mandatory authentication domain on a port
You can place all 802.1X users in a mandatory authentication domain for authentication, authorization,
and accounting on a port. No user can use an account in any other domain to access the network
through the port. The implementation of a mandatory authentication domain enhances the flexibility of
802.1X access control deployment.
To specify a mandatory authentication domain for a port:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Enter Ethernet interface view.
  Command: interface interface-type interface-number
  Remarks: N/A

Step 3. Specify a mandatory 802.1X authentication domain on the port.
  Command: dot1x mandatory-domain domain-name
  Remarks: By default, no mandatory 802.1X authentication domain is specified.
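
Added example (not part of the HP guide): a Python check that reads a saved configuration and reports, per port, whether both authentication triggers are active and which mandatory domain is set. The sample configuration, the interface names and the domain name example-domain are constructed; the check assumes the configuration lists only non-default settings, so a disabled multicast trigger appears as "undo dot1x multicast-trigger".

```python
import re

# Constructed sample in the style of a saved configuration (not taken from the guide).
# Assumption: only non-default settings are listed in each interface stanza.
SAMPLE_CONFIG = """\
#
interface GigabitEthernet3/0/1
 dot1x
 dot1x unicast-trigger
#
interface GigabitEthernet3/0/2
 dot1x
 undo dot1x multicast-trigger
 dot1x unicast-trigger
 dot1x mandatory-domain example-domain
#
"""

def audit_dot1x_ports(config_text):
    """Return {interface: state} for every interface stanza that has dot1x lines."""
    ports, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            current = m.group(1)
            continue
        if line == "#" or not raw.startswith(" "):
            current = None  # stanza ended
            continue
        if current is None or "dot1x" not in line:
            continue
        # Defaults from the guide: multicast trigger on, unicast trigger off, no mandatory domain.
        st = ports.setdefault(current, {"multicast": True, "unicast": False, "mandatory_domain": None})
        if line == "undo dot1x multicast-trigger":
            st["multicast"] = False
        elif line == "dot1x unicast-trigger":
            st["unicast"] = True
        elif line.startswith("dot1x mandatory-domain "):
            st["mandatory_domain"] = line.split()[-1]
    for st in ports.values():
        # Both triggers on one port produce duplicate authentication packets.
        st["both_triggers"] = st["multicast"] and st["unicast"]
    return ports

if __name__ == "__main__":
    for name, st in audit_dot1x_ports(SAMPLE_CONFIG).items():
        print(name, st)
```

In the sample, GigabitEthernet3/0/1 is flagged because the unicast trigger was enabled while the multicast trigger was left at its default; GigabitEthernet3/0/2 shows the corrected form with the mandatory domain set.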