3Com Switch 8800 Advanced Software V5 Configuration Guide
926 CHAPTER 71: 802.1X CONFIGURATION
n
■ If the port link type is Access, the authentication server will assign a VLAN
successfully.
■ If the port link type is Hybrid or Trunk, the authentication server will fail to
assign a VLAN.
Guest VLAN
Guest VLAN is the default VLAN that a supplicant can access without
authentication. After the supplicant passes 802.1x authentication, s/he can access
other network resources. A user of the guest VLAN can perform operations such
as downloading and upgrading the authentication client software. If a supplicant
does not have the required authentication client software or the version of the
client software is lower, the supplicant will fail the authentication and the port the
supplicant uses to access the authenticator will be added into the guest VLAN.
If a device with 802.1x enabled and the guest VLAN correctly configured sends an
EAP-Request/Identity packet for the allowed maximum number of times but gets
no response, it adds the port into the guest VLAN.
When a supplicant added into the guest VLAN initiates another authentication
process, if the authentication is not successful, the supplicant stays in the guest
VLAN; otherwise, two cases may occur:
■ The authentication server assigns a VLAN: The port leaves the guest VLAN and
joins the assigned VLAN. If the supplicant goes offline, the port returns to its
original VLAN, that is, the VLAN to which it is configured to belong and it
belongs before joining the guest VLAN.
■ The authentication server does not assign any VLAN: The port leaves the guest
VLAN and returns to its original VLAN. If the supplicant goes offline, the port
just stays in its original VLAN.
Configuring 802.1x
Configuration
Prerequisites
802.1x provides a user identity authentication scheme. However, 802.1x cannot
implement the authentication scheme solely by itself. RADIUS or local
authentication must be configured to work with 802.1x:
■ For remote RADIUS authentication, the username and password information
must be configured on the RADIUS server and the RADIUS client-related
configurations must be performed on the authenticator.
■ For local authentication, the username and password information must be
configured on the authenticator and the service type must be set to
lan-access.
For details about these configuration tasks, refer to “AAA, RADIUS and
HWTACACS Configuration Overview” on page 879.
Configuration Procedure Follow these steps to configure 802.1x:
To do... Use the command... Remarks
Enter system view system-view -