3com 5500-ei pwr Installation Instruction
1-12
z
Users belonging to the guest VLAN can access the resources of the guest VLAN without being
authenticated. But they need to be authenticated when accessing external resources.
Normally, the guest VLAN function is coupled with the dynamic VLAN delivery function.
Refer to AAA Operation for detailed information about the dynamic VLAN delivery function.
Enabling 802.1x re-authentication
802.1x re-authentication is timer-triggered or packet-triggered. It re-authenticates users who have
passed authentication. With 802.1x re-authentication enabled, the switch can monitor the connection
status of users periodically. If the switch receives no re-authentication response from a user in a period
of time, it tears down the connection to the user. To connect to the switch again, the user needs to
initiate 802.1x authentication with the client software again.
Note:
z
When re-authenticating a user, a switch goes through the complete authentication process. It
transmits the username and password of the user to the server. The server may authenticate the
username and password, or, however, use re-authentication for only accounting and user
connection status checking and therefore does not authenticate the username and password any
more.
z
An authentication server running CAMS authenticates the username and password during
re-authentication of a user in the EAP authentication mode but does not in PAP or CHAP
authentication mode.
Figure 1-10 802.1x re-authentication
PC
Internet
PC
PC
RADIUS
Server
Switch
802.1x re-authentication can be enabled in one of the following two ways:
z
The RADIUS server has the switch perform 802.1x re-authentication of users. The RADIUS server
sends the switch an Access-Accept packet with the Termination-Action attribute field of 1. Upon
receiving the packet, the switch re-authenticates the user periodically.
z
You enable 802.1x re-authentication on the switch. With 802.1x re-authentication enabled, the
switch re-authenticates users periodically.