R3303-HP HSR6800 Routers Security Configuration Guide

# Specify aabbcc.net as the default ISP domain. If a user does not provide any ISP domain name, it is assigned to the default ISP domain.
[Router] domain default enable aabbcc.net
7. Configure 802.1X:
# Enable 802.1X globally.
[Router] dot1x
# Enable 802.1X on port GigabitEthernet 3/0/1.
[Router] interface gigabitethernet 3/0/1
[Router-GigabitEthernet3/0/1] dot1x
[Router-GigabitEthernet3/0/1] quit
# Enable MAC-based access control on the port. (Optional. MAC-based access control is the default setting.)
[Router] dot1x port-method macbased interface gigabitethernet 3/0/1
Verifying the configuration
Use the display dot1x interface gigabitethernet 3/0/1 command to verify the 802.1X configuration.
After an 802.1X user passes RADIUS authentication, you can use the display connection command to
view the user connection information. If the user fails RADIUS authentication, local authentication is
performed.
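The check below is an added example, not part of the HP guide: it reads a prompt-prefixed command transcript like the one in step 7 and reports whether 802.1X is enabled both globally and on the port, since both are needed for 802.1X to take effect on the port. It assumes the hostname (Router) contains no hyphen and handles only the command forms shown above; the function names are hypothetical.

```python
import re

# Constructed sample: step 7's commands, in the guide's prompt-prefixed form.
SAMPLE = """\
[Router] domain default enable aabbcc.net
[Router] dot1x
[Router] interface gigabitethernet 3/0/1
[Router-GigabitEthernet3/0/1] dot1x
[Router-GigabitEthernet3/0/1] quit
[Router] dot1x port-method macbased interface gigabitethernet 3/0/1
"""

PROMPT = re.compile(r"^\[([^\]]+)\]\s*(.*)$")

def port_key(name):
    # 'gigabitethernet 3/0/1' and 'GigabitEthernet3/0/1' map to the same key
    return re.sub(r"\s+", "", name).lower()

def parse(transcript):
    cfg = {"global_dot1x": False, "default_domain": None, "ports": {}}
    def port(name):
        # MAC-based access control is the default port method (per the guide)
        return cfg["ports"].setdefault(port_key(name), {"dot1x": False, "method": "macbased"})
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue  # skip '#' comment lines and blanks
        view, words = m.group(1), m.group(2).split()
        in_port_view = "-" in view  # assumption: hostname itself has no hyphen
        if words == ["dot1x"]:
            if in_port_view:
                port(view.split("-", 1)[1])["dot1x"] = True
            else:
                cfg["global_dot1x"] = True
        elif words[:3] == ["domain", "default", "enable"] and len(words) == 4:
            cfg["default_domain"] = words[3]
        elif words[:2] == ["dot1x", "port-method"] and "interface" in words[3:]:
            name = "".join(words[words.index("interface") + 1:])
            port(name)["method"] = words[2]
    return cfg

def audit(transcript, port_name):
    cfg = parse(transcript)
    p = cfg["ports"].get(port_key(port_name), {"dot1x": False, "method": "macbased"})
    findings = []
    if not cfg["global_dot1x"]:
        findings.append("802.1X is not enabled globally")
    if not p["dot1x"]:
        findings.append("802.1X is not enabled on " + port_name)
    return findings, p["method"], cfg["default_domain"]
```

An empty findings list for a port means the transcript enables 802.1X at both levels; the returned method and default domain show which access control mode and ISP domain apply.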
802.1X guest VLAN and VLAN assignment configuration example
Network requirements
As shown in Figure 38, the host connected to port GigabitEthernet 3/0/2 of the Router must pass 802.1X
authentication to access the Internet. GigabitEthernet 3/0/2 is in VLAN 1. The port implements
port-based access control.
The authentication server runs RADIUS and is in VLAN 2. The update server in VLAN 10 is for client
software download and upgrade.
If no user performs 802.1X authentication on GigabitEthernet 3/0/2 within a period of time, the Router
adds GigabitEthernet 3/0/2 to its guest VLAN, VLAN 10. The host and the update server are both in
VLAN 10 and the host can access the update server and download the 802.1X client software.
After the host passes 802.1X authentication, the Router assigns the host to VLAN 5 where
GigabitEthernet 3/0/3 is. The host can access the Internet.