Alcatel-Lucent 6850-48 ネットワークガイド
Configuring 802.1X
Setting Up Port-Based Network Access Control
OmniSwitch AOS Release 6 Network Configuration Guide
September 2009
page 37-9
Configuring 802.1X Port Parameters
By default, when 802.1X is enabled on a port, the port is configured for bidirectional control, automatic
authorization, and re-authentication. In addition, there are several timeout values that are set by default as
well as a maximum number of times the switch will retransmit an authentication request to the user.
authorization, and re-authentication. In addition, there are several timeout values that are set by default as
well as a maximum number of times the switch will retransmit an authentication request to the user.
All of these parameters may be configured on the same command line but are shown here configured
separately for simplicity.
separately for simplicity.
Configuring the Port Control Direction
To configure the port control direction, use the
command with the direction keyword with both
for bidirectional or in for incoming traffic only. For example:
-> 802.1x 3/1 direction in
In this example, the port control direction is set to incoming traffic only on port 1 of slot 3.
The type of port control (or authorization) is configured with the port-control parameter described in the
next section.
next section.
Configuring the Port Authorization
Port authorization determines whether the port is open to all traffic, closed to all traffic, or open to traffic
after the port is authenticated. To configure the port authorization, use the
after the port is authenticated. To configure the port authorization, use the
command with the port-
control keyword and the force-authorized, force-unauthorized, or auto option.
-> 802.1x 3/1 port-control force-authorized
In this example, the port control on port 1 of slot 3 is always authorized for any traffic.
The auto option configures the port to be open for traffic when a device successfully completes an 802.1X
authentication exchange with the switch.
authentication exchange with the switch.
Configuring 802.1X Port Timeouts
There are several timeouts that may be modified per port:
• Quiet timeout—The time during which the port will not accept an 802.1X authentication attempt after
an authentication failure.
• Transmit timeout—The time before an EAP Request Identity message will be re-transmitted.
• Supplicant (or user) timeout—The time before the switch will timeout an 802.1X user who is attempt-
ing to authenticate. During the authentication attempt, the switch sends requests for authentication
information (identity requests, challenge response, etc.) to the supplicant (see
information (identity requests, challenge response, etc.) to the supplicant (see
). If the supplicant does not reply to these requests, the
supplicant is timed out when the timeout expires.
command with the quiet-period keyword. To modify the
transmit timeout, use the
command with the tx-period keyword. To modify the supplicant or user
timeout, use the
command with the supp-timeout keyword. For example:
-> 802.1x 3/1 quiet-period 50 tx-period 25 supp-timeout 25
This command changes the quiet timeout to 50 seconds; the transmit timeout to 25 seconds; and the user
timeout to 25 seconds.
timeout to 25 seconds.