3Com Switch 8800 Advanced Software V5 Configuration Guide

ManualsBrandsHP ManualsComputer AccessoriesHP ProCurve 9400sl 4-Port 10-GbE Module

911

912

913

914

915

916

917

918

919

920

802.1x Overview 925

■ Supplicant timeout timer (supp-timeout): Once an authenticator sends an

EAP-Request/MD5 Challenge frame to a supplicant, it starts this timer. If this

timer expires but it receives no response from the supplicant, it retransmits the

request.

■ Server timeout timer (server-timeout): Once an authenticator sends a RADIUS

Access-Request packet to the authentication server, it starts this timer. If this

timer expires but it receives no response from the server, it retransmits the

request.

■ Handshake timer (handshake-period): After a supplicant passes authentication,

the authenticator sends to the supplicant handshake requests at this interval to

check whether the supplicant is online. If the authenticator receives no

response after sending the allowed maximum number of handshake requests,

it considers that the supplicant is offline.

■ Quiet timer (quiet-period): When a supplicant fails the authentication, the

authenticator refuses further authentication requests from the supplicant in

this period of time.

Implementation of

802.1x in the Devices

The devices extend and optimize the mechanism that the 802.1x protocol specifies

by:

■ Allowing multiple users to access network services through the same physical

port.

■ Supporting two authentication methods: portbased and macbased. With the

portbased method, after the first user of a port passes authentication, all

other users of the port can access the network without authentication, and

when the first user goes offline, all other users get offline at the same time.

With the macbased method, each user of a port must be authenticated

separately, and when an authenticated user goes offline, no other users are

affected.

These extensions can help improve network security and manageability

dramatically.

After an 802.1x supplicant passes authentication, the authentication server sends

authorization information to the authenticator. If the authorization information

contains VLAN authorization information, the authenticator adds the port

connecting the supplicant to the assigned VLAN. This neither changes nor affects

the configurations of the port. The only result is that the assigned VLAN takes

precedence over the manually configured one, that is, the assigned VLAN takes

effect. After the supplicant goes offline, the configured one takes effect.

Features Working

Together with 802.1x

VLAN Assigning

After an 802.1x user passes the authentication, the server will send an

authorization message to the switch. If the authorization message includes the

assigned VLAN information, the switch adds the port that the user uses for 802.1x

authentication to the assigned VLAN.

The assigned VLAN neither changes nor affects the configuration of a port.

However, since the assigned VLAN has higher priority than the user-configured

VLAN, it is the assigned VLAN that takes effect after a user passes authentication.

After the user goes offline, the port returns to its original VLAN.