Alcatel-Lucent 6850-48 Network Guide

Configuring 802.1X
Setting Up Port-Based Network Access Control
OmniSwitch AOS Release 6 Network Configuration Guide
September 2009
page 37-9
Configuring 802.1X Port Parameters
By default, when 802.1X is enabled on a port, the port is configured for bidirectional control, automatic 
authorization, and re-authentication. In addition, there are several timeout values that are set by default as 
well as a maximum number of times the switch will retransmit an authentication request to the user.
All of these parameters may be configured on the same command line but are shown here configured 
separately for simplicity.
Configuring the Port Control Direction
To configure the port control direction, use the 802.1x command with the direction keyword and either
both for bidirectional or in for incoming traffic only. For example:
-> 802.1x 3/1 direction in
In this example, the port control direction is set to incoming traffic only on port 1 of slot 3.
The type of port control (or authorization) is configured with the port-control parameter described in the 
next section.
Configuring the Port Authorization
Port authorization determines whether the port is open to all traffic, closed to all traffic, or open to traffic 
after the port is authenticated. To configure the port authorization, use the 802.1x command with the
port-control keyword and the force-authorized, force-unauthorized, or auto option. For example:
-> 802.1x 3/1 port-control force-authorized
In this example, the port control on port 1 of slot 3 is always authorized for any traffic. 
The auto option configures the port to be open for traffic when a device successfully completes an 802.1X 
authentication exchange with the switch.
Configuring 802.1X Port Timeouts
There are several timeouts that may be modified per port:
• Quiet timeout—The time during which the port will not accept an 802.1X authentication attempt after 
an authentication failure.
• Transmit timeout—The time before an EAP Request Identity message will be re-transmitted.
• Supplicant (or user) timeout—The time before the switch will time out an 802.1X user who is attempting
to authenticate. During the authentication attempt, the switch sends requests for authentication 
information (identity requests, challenge response, etc.) to the supplicant (see 
). If the supplicant does not reply to these requests, the 
supplicant is timed out when the timeout expires. 
To modify the quiet timeout, use the 802.1x command with the quiet-period keyword. To modify the
transmit timeout, use the 802.1x command with the tx-period keyword. To modify the supplicant or user
timeout, use the 802.1x command with the supp-timeout keyword. For example:
-> 802.1x 3/1 quiet-period 50 tx-period 25 supp-timeout 25
This command changes the quiet timeout to 50 seconds; the transmit timeout to 25 seconds; and the user 
timeout to 25 seconds.
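The following is an added example, not part of the Alcatel-Lucent guide: a Python audit that reads command lines in the form shown in this section, applies the stated defaults (bidirectional control, automatic authorization), and reports ports whose settings relax access control. The function names and the sample input are assumptions made for illustration.

```python
import re

# Defaults stated in this section: bidirectional control, automatic authorization.
DEFAULTS = {"direction": "both", "port-control": "auto"}
KEYWORDS = {
    "direction": {"both", "in"},
    "port-control": {"force-authorized", "force-unauthorized", "auto"},
}
TIMERS = {"quiet-period", "tx-period", "supp-timeout"}
LINE_RE = re.compile(r"^(?:->\s*)?802\.1x\s+(\d+/\d+)\s+(.*)$")

def parse_ports(config_text):
    """Return {slot/port: settings} from '802.1x <slot/port> ...' lines."""
    ports = {}
    for raw in config_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        port, tokens = m.group(1), m.group(2).split()
        settings = ports.setdefault(port, dict(DEFAULTS))
        # Several keyword/value pairs may share one command line.
        for key, value in zip(tokens[0::2], tokens[1::2]):
            if key in KEYWORDS and value in KEYWORDS[key]:
                settings[key] = value
            elif key in TIMERS and value.isdigit():
                settings[key] = int(value)
    return ports

def audit(ports):
    """Return sorted (port, finding) pairs for settings that relax access control."""
    findings = []
    for port, s in ports.items():
        if s["port-control"] == "force-authorized":
            findings.append((port, "force-authorized: open to all traffic, no 802.1X authentication"))
        if s["direction"] == "in":
            findings.append((port, "direction in: only incoming traffic is controlled"))
    return sorted(findings)

# Constructed sample input, not taken from a real switch.
SAMPLE = """\
-> 802.1x 3/1 direction in
-> 802.1x 3/1 port-control force-authorized
-> 802.1x 3/2 quiet-period 50 tx-period 25 supp-timeout 25
-> 802.1x 3/3 port-control auto direction both
"""

if __name__ == "__main__":
    for port, finding in audit(parse_ports(SAMPLE)):
        print(port, finding)
```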