R2511-HP MSR Router Series Security Configuration Guide(V5)

Configuring a free IP
When a free IP is configured, EAD fast deployment is enabled. To allow a user to obtain a dynamic
IP address before passing 802.1X authentication, make sure the DHCP server is on the free IP segment.
When global MAC authentication, Layer-2 portal authentication, or port security is enabled, the free IP
does not take effect.
If you use free IP, guest VLAN, and Auth-Fail VLAN features together, make sure the free IP segments are
in both guest VLAN and Auth-Fail VLAN. Users can access only the free IP segments.
To configure a free IP:
Step                      Command                                                   Remarks
1. Enter system view.     system-view                                               N/A
2. Configure a free IP.   dot1x free-ip ip-address { mask-address | mask-length }   By default, no free IP is configured.
Configuring the redirect URL
To configure a redirect URL:
Step                             Command                Remarks
1. Enter system view.            system-view            N/A
2. Configure the redirect URL.   dot1x url url-string   By default, no redirect URL is configured.
                                                        The redirect URL must be on the free IP subnet.
Setting the EAD rule timer
EAD fast deployment automatically creates an ACL rule, called an EAD rule, to open access to the redirect
URL for each redirected user seeking to access the network. The EAD rule timer sets the lifetime of each
ACL rule. When the timer expires or the user passes authentication, the rule is removed. If users fail to
download the EAD client or fail to pass authentication before the timer expires, they must reconnect to the
network to access the free IP.
To prevent ACL rule resources from being used up, you can shorten the timer when the number of EAD
users is large.
To set the EAD rule timer:
Step                        Command                                     Remarks
1. Enter system view.       system-view                                 N/A
2. Set the EAD rule timer.  dot1x timer ead-timeout ead-timeout-value   The default timer is 30 minutes.
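The following added example (not part of the HP guide) audits a saved configuration for two constraints stated above: the redirect URL must be on the free IP subnet, and the DHCP server must be on a free IP segment. The function name `audit_ead_config`, the `dhcp_server` parameter, and all addresses in the sample configuration are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample configuration; addresses are illustrative only.
# The redirect URL below is deliberately outside both free IP segments.
SAMPLE_CONFIG = """\
system-view
dot1x free-ip 192.168.100.0 24
dot1x free-ip 10.1.1.0 255.255.255.0
dot1x url http://192.168.200.10/ead
dot1x timer ead-timeout 30
"""

def audit_ead_config(config, dhcp_server=None):
    """Return a list of findings for the EAD fast deployment constraints."""
    free_nets, urls, findings = [], [], []
    for line in config.splitlines():
        words = line.split()
        if words[:2] == ["dot1x", "free-ip"] and len(words) == 4:
            # Accepts both the mask-address and the mask-length form.
            net = ipaddress.ip_network(f"{words[2]}/{words[3]}", strict=False)
            free_nets.append(net)
        elif words[:2] == ["dot1x", "url"] and len(words) == 3:
            urls.append(words[2])
    if not free_nets:
        findings.append("no free IP configured")
    for url in urls:
        host = urlparse(url).hostname
        try:
            addr = ipaddress.ip_address(host or "")
        except ValueError:
            # A host name cannot be matched against a subnet offline.
            findings.append(f"redirect URL host {host!r} is not an IP literal; check manually")
            continue
        if not any(addr in net for net in free_nets):
            findings.append(f"redirect URL {url} is outside every free IP segment")
    if dhcp_server is not None:
        if not any(ipaddress.ip_address(dhcp_server) in net for net in free_nets):
            findings.append(f"DHCP server {dhcp_server} is outside every free IP segment")
    return findings

if __name__ == "__main__":
    for finding in audit_ead_config(SAMPLE_CONFIG, dhcp_server="10.1.1.5"):
        print("FINDING:", finding)
```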