Installation manual

Operation Manual - Security
Quidway S3000-EI Series Ethernet Switches Chapter 1
802.1x Configuration
Huawei Technologies Proprietary
… must support PAP authentication), CHAP authentication (RADIUS server must support CHAP authentication), and EAP relay authentication (the switch sends authentication information to the RADIUS server directly in the form of EAP packets, and the RADIUS server must support EAP authentication).

For EAP authentication, PEAP, EAP-TLS and EAP-MD5 methods are available on the switch:

- EAP-TLS: In the EAP-TLS approach, the client and the RADIUS server mutually check each other's security certificate authority, to guarantee the validity of the certificates and prevent data from being illegally used.
- PEAP: As a kind of EAP protocol, protected EAP (PEAP) first establishes an encrypted transport layer security (TLS) channel to provide integrity protection, and then initiates a new type of EAP negotiation to accomplish identity authentication of the client.

If you want to enable the PEAP, EAP-TLS or EAP-MD5 authentication method on an Ethernet switch, you only need to use the command dot1x authentication-method eap to enable EAP authentication.

Perform the following configurations in system view.

Table 1-7 Configuring the authentication method for 802.1x user

Operation                                                    Command
Configure authentication method for 802.1x user              dot1x authentication-method { chap | pap | eap }
Restore the default authentication method for 802.1x user    undo dot1x authentication-method

By default, CHAP authentication is used for 802.1x user authentication.

1.2.8 Enabling/Disabling Guest VLAN

After the Guest VLAN function is enabled, the switch broadcasts active authentication packets to all ports on which 802.1x is enabled. If some ports still do not return response packets after being re-authenticated the maximum number of times, the switch adds these ports to the Guest VLAN. After that, no 802.1x authentication is performed when a user in the Guest VLAN visits resources within this Guest VLAN. However, if the user visits outside resources, authentication is still needed. In this way, the requirement of allowing unauthenticated users to access some resources is met, such as when the user accesses some resources without installing the 802.1x client, or the user upgrades the 802.1x client without authentication, and so on.

Perform the following configuration in system view or Ethernet port view.
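
An added example, not part of the Huawei manual: a Python check for the authentication-method setting in Table 1-7 that reads a saved configuration and reports which 802.1x method is in effect, treating a missing command or `undo dot1x authentication-method` as the CHAP default. The one-command-per-line config layout, the sample configurations, and the policy that EAP relay is required are assumptions.

```python
import re

# Command forms from Table 1-7; the config layout below is an assumption.
SET_RE = re.compile(r"^dot1x\s+authentication-method\s+(chap|pap|eap)$")
UNDO_RE = re.compile(r"^undo\s+dot1x\s+authentication-method$")
DEFAULT_METHOD = "chap"  # default stated in the manual

def effective_method(config_text):
    """Return (method, line_no); line_no is None when no command was seen.

    The last matching command wins, and 'undo' restores the default.
    """
    method, decided_by = DEFAULT_METHOD, None
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip().lower()
        match = SET_RE.match(line)
        if match:
            method, decided_by = match.group(1), line_no
        elif UNDO_RE.match(line):
            method, decided_by = DEFAULT_METHOD, line_no
    return method, decided_by

def audit(config_text, required="eap"):
    """Check a config against an assumed policy that requires EAP relay."""
    method, decided_by = effective_method(config_text)
    return {
        "method": method,
        "decided_by_line": decided_by,
        "implicit_default": decided_by is None,
        "ok": method == required,
    }

# Constructed sample configurations, not taken from a real device.
SAMPLE_EXPLICIT = """#
 sysname Access-1
 dot1x authentication-method pap
 dot1x authentication-method eap
#
"""
SAMPLE_SILENT = "#\n sysname Access-2\n#\n"
SAMPLE_UNDONE = (" dot1x authentication-method eap\n"
                 " undo dot1x authentication-method\n")

if __name__ == "__main__":
    for name, cfg in [("explicit", SAMPLE_EXPLICIT),
                      ("silent", SAMPLE_SILENT),
                      ("undone", SAMPLE_UNDONE)]:
        print(name, audit(cfg))
```

The `implicit_default` flag separates a switch that was never configured from one where the method was deliberately reset, which matters when reviewing why a port is still using CHAP.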