R0106-HP MSR Router Series Security Configuration Guide(V7)
Configuring the online user handshake function
The online user handshake function checks the connectivity status of online 802.1X users. The network
access device sends handshake messages to online users at the interval specified by the dot1x timer
handshake-period command. If no response is received from an online user after the access device has
made the maximum handshake attempts (set by the dot1x retry command), the device sets the user to the
offline state.
If iNode clients are deployed, you can also enable the online user handshake security function. This
function verifies the authentication information carried in the handshake packets from clients, so that
802.1X users running unauthorized client software cannot bypass the iNode security checks (for example,
detection of dual network interface cards, or NICs). If a user fails the handshake security check, the
device sets the user to the offline state.
When you configure the online user handshake function, follow these restrictions and guidelines:
• The SmartOn feature and the online user handshake function are mutually exclusive. Before you
enable the online user handshake function, make sure the SmartOn feature is disabled.
• To use the online user handshake security function, make sure the online user handshake function is
enabled.
• The online user handshake security function takes effect only on the network where the iNode client
and IMC server are used.
• If the network has 802.1X clients that cannot exchange handshake packets with the network access
device, disable the online user handshake function to prevent their connections from being
inappropriately torn down.
To configure the online user handshake function:
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. (Optional.) Set the handshake timer. | dot1x timer handshake-period handshake-period-value | The default is 15 seconds.
3. Enter Ethernet interface view. | interface interface-type interface-number | N/A
4. Enable the online user handshake function. | dot1x handshake | By default, the function is enabled.
5. (Optional.) Enable the online user handshake security function. | dot1x handshake secure | By default, the function is disabled.
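The following CLI session is an added example that walks through the steps above on two access ports; it is not taken from the guide. It assumes a device named Sysname, an iNode-client port GigabitEthernet1/0/1 and a second port GigabitEthernet1/0/2 where the attached 802.1X clients cannot answer handshake packets. The lines beginning with # are annotations, not commands. The undo form of dot1x handshake and the display dot1x command are assumed from the usual Comware conventions; the guide section above does not show them, so confirm them on your release before relying on them.

```comware
# Added example, not the guide's own text. Device name and interface numbers are assumed.
<Sysname> system-view
# Step 2 (optional): lengthen the handshake interval from the 15-second default to 30 seconds.
# This is a system-wide timer, so it applies to every port that has the handshake enabled.
[Sysname] dot1x timer handshake-period 30
# Steps 3 to 5 on the port where iNode clients (with IMC behind them) connect.
[Sysname] interface gigabitethernet 1/0/1
# dot1x handshake is on by default; entering it explicitly documents the intent and
# is required before the secure keyword can take effect.
[Sysname-GigabitEthernet1/0/1] dot1x handshake
[Sysname-GigabitEthernet1/0/1] dot1x handshake secure
[Sysname-GigabitEthernet1/0/1] quit
# Port with third-party 802.1X supplicants that never reply to handshake packets:
# leave the handshake off here so those sessions are not torn down after the
# retry limit set by dot1x retry is reached (undo form assumed).
[Sysname] interface gigabitethernet 1/0/2
[Sysname-GigabitEthernet1/0/2] undo dot1x handshake
[Sysname-GigabitEthernet1/0/2] quit
# Verification (command assumed): check the handshake settings and online users per port.
[Sysname] display dot1x interface gigabitethernet 1/0/1
```

Before entering dot1x handshake, confirm that SmartOn is disabled on the device, since the guide states the two features are mutually exclusive. Note that dot1x handshake secure only adds value on a port whose clients are iNode clients authenticated against an IMC server; on any other port it will simply cause users to fail the security check and be set offline.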
Configuring the authentication trigger function
The authentication trigger function enables the network access device to initiate 802.1X authentication
when 802.1X clients cannot initiate authentication.
This function provides the following types of authentication trigger:
• Multicast trigger—Periodically multicasts Identity EAP-Request packets out of a port to detect 802.1X
clients and trigger authentication.