DES-7200 Configuration Guide Chapter 4 802.1x Configuration
Caution
In single-host authentication mode, the ACL can be renewed on re-authentication. That is, when the ACL of an authenticated user is set on the server, it takes effect once the user re-authenticates.
The MAC-based authentication mode does not support ACL updates on re-authentication. That is to say, the ACL of an authenticated user can be assigned only once. If the ACL changes, the new ACL is ignored on re-authentication and the original ACL remains.
Supported ACL type: the extension type, whose ACL function our switch can interpret.
Execute the following commands if you need to support dynamic ACL assignment on a server that is not authenticated by our company.
DES-7200#configure terminal
DES-7200(config)# radius vendor-specific extend
4.2.32 Configuring Dot1x MAC Authentication Bypass
GUEST VLAN provides a method of network access without an 802.1x authentication client, but this technology cannot determine whether the access device is secure or insecure. In some cases, for network management and security reasons, the administrator still needs to control the validity of an access device even though it has no 802.1x authentication client. MAB (MAC Authentication Bypass) provides a solution for this application.
With the MAB function enabled on an 802.1x authentication port, authentication request packets are sent continuously to the port and a client response is expected. If there is no client response within the time "tx-period*reauth-max", the MAC address learned on the 802.1x authentication port is monitored, and authentication is initiated by sending the username (the learned MAC address) and keyword to the server. The authentication result returned by the server determines whether the learned MAC address is allowed to access the network.
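The fallback sequence described above, modelled in Python. This is an added example, not code from the guide or from the switch; the username format (12 lowercase hex digits), the account table, the sample keyword and the timer values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Port:
    tx_period: int     # seconds between authentication request packets
    reauth_max: int    # requests sent before the switch stops waiting
    mab: bool          # True when "dot1x mac-auth-bypass" is set on the port

def mab_username(mac: str) -> str:
    # Assumption: 12 lowercase hex digits, no separators. The guide does not
    # state the format; match whatever your switch actually sends.
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def radius_check(accounts: dict, username: str, keyword: str) -> str:
    # Stand-in for the server: accept only a known account with a matching keyword.
    return "Access-Accept" if accounts.get(username) == keyword else "Access-Reject"

def authenticate(port: Port, mac: Optional[str], reply_at: Optional[float],
                 accounts: dict, keyword: str):
    """Return (method, result, seconds_elapsed) for one port.

    reply_at is when an 802.1x client answers (None = no client present).
    """
    timeout = port.tx_period * port.reauth_max
    if reply_at is not None and reply_at < timeout:
        return ("dot1x", "EAP exchange with supplicant", reply_at)
    if not port.mab or mac is None:
        return ("none", "unauthorized", timeout)
    # No client answered within tx-period*reauth-max: submit the learned MAC.
    return ("mab", radius_check(accounts, mab_username(mac), keyword), timeout)

if __name__ == "__main__":
    # Constructed sample data: one registered device, one unknown device.
    accounts = {"001122aabbcc": "mab-keyword"}
    port = Port(tx_period=30, reauth_max=3, mab=True)
    for mac, reply in [("00:11:22:AA:BB:CC", None), ("00-11-22-aa-bb-cd", None),
                       ("00:11:22:AA:BB:CC", 12.0)]:
        print(mac, reply, authenticate(port, mac, reply, accounts, "mab-keyword"))
```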
To configure the MAB function, run the following commands:
Command                     Function
configure terminal          Enter the global configuration mode.
interface <interface-id>    Enter the interface configuration mode.
dot1x mac-auth-bypass       Set the dot1x MAC authentication bypass.
end                         Return to the privileged mode.
write                       Save the configurations.
show running-config         Show all configurations.
The following example shows how to configure the MAB function.