Manualshelf

R0106-HP MSR Router Series Security Configuration Guide(V7)

ManualsBrandsHP ManualsNetwork HardwareHP MSR4060 Router Chassis
919293949596979899100
87
Unicast trigger—Enables the network device to initiate 802.1X authentication when it receives a
data frame from an unknown source MAC address. The device sends a unicast Identity
EAP/Request packet to the unknown source MAC address, and retransmits the packet if it has
received no response within a period of time. This process continues until the maximum number of
request attempts set with the dot1x retry command is reached (see "Setting the maximum number
o
f authentication request attempts").
The identity request timeout timer sets both the identity request interval for the multicast trigger and the
identity request timeout interval for the unicast trigger.
Configuration guidelines
Follow these guidelines when you configure the authentication trigger function:
Enable the multicast trigger on a port when the clients attached to the port cannot send EAPOL-Start
packets to initiate 802.1X authentication.
Disable the multicast trigger in a wireless LAN. Wireless clients and the wireless module of the
network access device can both initiate 802.1X authentication.
Enable the unicast trigger on a port if only a few 802.1X clients are attached to the port and these
clients cannot initiate authentication.
To avoid duplicate authentication packets, do not enable both triggers on a port.
Configuration procedure
To configure the authentication trigger function on a port:
Ste
p
Command
Remarks
1. Enter system view.
system-view N/A
2. (Optional.) Set the username
request timeout timer.
dot1x timer tx-period
tx-period-value
The default is 30 seconds.
3. Enter Ethernet interface view.
interface interface-type
interface-number
N/A
4. Enable an authentication
trigger.
dot1x { multicast-trigger |
unicast-trigger }
By default, the multicast trigger is
enabled, and the unicast trigger is
disabled.
Specifying a mandatory authentication domain on
a port
You can place all 802.1X users in a mandatory authentication domain for authentication, authorization,
and accounting on a port. No user can use an account in any other domain to access the network
through the port. The implementation of a mandatory authentication domain enhances the flexibility of
802.1X access control deployment.
To specify a mandatory authentication domain for a port:
Ste
p
Command
Remarks
1. Enter system view.
system-view N/A