Alcatel-Lucent 6850-48 Network Guide
Setting Up Port-Based Network Access Control
Configuring 802.1X
page 37-10
OmniSwitch AOS Release 6 Network Configuration Guide
September 2009
Note. The authentication server timeout may also be configured (with the server-timeout keyword) but
the value is always superseded by the value set for the RADIUS server through the
command.
Configuring the Maximum Number of Requests
During the authentication process, the switch sends requests for authentication information from the
supplicant. By default, the switch will send up to two requests for information. If the supplicant does not
reply within the timeout value configured for the supplicant timeout, the authentication session attempt
will expire. The switch will then use its quiet timeout and transmit timeout before accepting an
authentication attempt or sending out an identity request.
To change the maximum number of requests sent to the supplicant during an authentication attempt, use
the max-req keyword with the
command. For example:
-> 802.1x 3/1 max-req 3
In this example, the maximum number of requests that will be sent is three.
Configuring the Number of Polling Retries
To change the number of times a device is polled for EAP frames to determine whether or not the device is
an 802.1x client, use the
command. For example:
-> 802.1x 3/1 supp-polling retry 10
In this example, the maximum number of times a device is polled is set to 10. If no EAP frames are
received, the device is considered a non-supplicant, and any non-supplicant classification policies
configured for the port are applied to the device.
To bypass 802.1x authentication and classify supplicants connected to the port as non-supplicants, set the
number of polling retries to zero:
-> 802.1x 3/1 supp-polling retry 0
Note. Setting the number of polling retries to zero turns off 802.1x authentication for the port; all devices
(including supplicants) are then classified as non-supplicants. As a result, non-supplicant policies that use
MAC-based authentication are now applicable to supplicant devices, not just non-supplicant devices.
Re-authenticating an 802.1X Port
An automatic reauthentication process may be enabled or disabled on any 802.1X port. The
re-authentication is used to maintain the 802.1X connection (not to re-authenticate the user). The process is transparent
to the 802.1X supplicant. By default, re-authentication is not enabled on the port.
To enable or disable re-authentication, use the reauthentication or no reauthentication keywords with
the
command. For example:
-> 802.1x 3/1 reauthentication
In this example, re-authentication will periodically take place on port 1 of slot 3.
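The following is an added example, not part of the original guide or of any Alcatel-Lucent tooling: a Python audit that reads saved 802.1x port lines and reports ports where a polling retry of zero has turned 802.1X off, and ports where re-authentication is not enabled. The function names, finding labels and sample lines are assumptions made for illustration; only the command forms shown on this page are parsed.

```python
import re

# Constructed sample input (not from a real switch), using only syntax shown on this page.
SAMPLE_CONFIG = """\
-> 802.1x 3/1 max-req 3
-> 802.1x 3/1 supp-polling retry 10
-> 802.1x 3/1 reauthentication
-> 802.1x 3/2 supp-polling retry 0
-> 802.1x 3/3 reauthentication
-> 802.1x 3/3 no reauthentication
"""

LINE_RE = re.compile(r"^(?:->\s*)?802\.1x\s+(\d+/\d+)\s+(.+)$")

def parse_ports(config_text):
    """Return {slot/port: settings}; lines apply in order, so later lines win."""
    ports = {}
    for raw in config_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        # Page defaults: two requests, re-authentication off. The polling-retry
        # default is not stated on the page, so None means "not set here".
        s = ports.setdefault(m.group(1), {"max_req": 2, "polling_retry": None, "reauth": False})
        rest = " ".join(m.group(2).split())
        if v := re.search(r"\bmax-req (\d+)", rest):
            s["max_req"] = int(v.group(1))
        if v := re.search(r"\bsupp-polling retry (\d+)", rest):
            s["polling_retry"] = int(v.group(1))
        if re.search(r"\breauthentication\b", rest):
            s["reauth"] = not re.search(r"\bno reauthentication\b", rest)
    return ports

def audit(config_text):
    """Return (port, finding) pairs ordered by slot, then port."""
    ports = parse_ports(config_text)
    findings = []
    for port in sorted(ports, key=lambda p: tuple(map(int, p.split("/")))):
        s = ports[port]
        if s["polling_retry"] == 0:
            # Retry 0 turns 802.1X off; supplicants get non-supplicant policies.
            findings.append((port, "802.1x-bypassed"))
        elif not s["reauth"]:
            findings.append((port, "reauthentication-off"))
    return findings

if __name__ == "__main__":
    for port, finding in audit(SAMPLE_CONFIG):
        print(port, finding)
```

A port listed as 802.1x-bypassed is relying on whatever non-supplicant policies are configured for it, so those policies are what should be reviewed for that port.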
The re-authperiod parameter may be used to configure the time that must expire before automatic
re-authentication attempts. For example: