R2511-HP MSR Router Series Security Configuration Guide(V5)
91
Any of the following RADIUS authentication server changes in the ISP domain for 802.1X users on a port
can cause the users to be removed from the critical VLAN:
• An authentication server is reconfigured, added, or removed.
• The status of any RADIUS authentication server automatically changes to active or is
administratively set to active.
• The RADIUS server probing function detects that a RADIUS authentication server is reachable and
sets its state to active.
You can use the dot1x critical recovery-action reinitialize command to configure the port to trigger
802.1X re-authentication when the port or an 802.1X user on the port is removed from the critical VLAN.
• If MAC-based access control is used, the port sends a unicast Identity EAP/Request to the 802.1X
user to trigger authentication.
• If port-based access control is used, the port sends a multicast Identity EAP/Request to the 802.1X
users to trigger authentication.
ACL assignment
You can specify an ACL for an 802.1X user to control its access to network resources. After the user
passes 802.1X authentication, the authentication server, either the local access device or a RADIUS
server, assigns the ACL to the port to filter the traffic from this user. In either case, you must configure the
ACL on the access device. You can change ACL rules while the user is online.
The following matrix shows the feature and router compatibility:
Feature MSR900 MSR93
X
MSR20-1
X
MSR20
MSR30
MSR50 MSR1000
ACL
assignment
No No No No
Only available
on MSR30-11E
and MSR30-11F
No No
Configuration prerequisites
• Configure an ISP domain and AAA scheme (local or RADIUS authentication) for 802.1X users.
• If RADIUS authentication is used, create user accounts on the RADIUS server.
• If local authentication is used, create local user accounts on the access device and set the service
type to lan-access.
For information about RADIUS client configuration, see "Configuring AAA."
802.1X configuration task list
Task Remarks
Enabling 802.1X Required.
Enabling EAP relay or EAP termination Optional.
Setting the port authorization state Optional.
Specifying an access control method Optional.
Setting the maximum number of concurrent 802.1X users on a port Optional.
Setting the maximum number of authentication request attempts Optional.