This chapter describes H3C implementation of WLAN authentication. WLAN authentication performs MAC-based network access control for WLAN clients to ensure access security.

WLAN authentication includes 802.1X authentication, MAC authentication, and OUI authentication.

Application scenarios

The authenticator authenticates the client to control access to the WLAN. As shown in Figure 1, either the AC or AP can be specified as the authenticator by using the client-security authentication-location command.

Figure 1 Network diagram

802.1X authentication

802.1X uses Extensible Authentication Protocol (EAP) to transport authentication information for the client, the authenticator, and the authentication server.

802.1X defines EAP over LAN (EAPOL) for passing EAP packets between the client and the authenticator over a WLAN. Between the authenticator and the authentication server, 802.1X delivers authentication information by using one of the following methods:

· Encapsulates EAP packets in RADIUS by using EAP over RADIUS (EAPOR), as described in "EAP relay."

· Extracts authentication information from the EAP packets and encapsulates the information in standard RADIUS packets, as described in "EAP termination."

For information about EAP packet encapsulation, see Security Configuration Guide.

802.1X authentication initiation

Both the client and the authenticator can initiate 802.1X authentication.

· Client initiation—After the client is associated with the authenticator, it sends an EAPOL-Start packet to the authenticator to initiate 802.1X authentication.

· Authenticator initiation—After the client is associated with the authenticator, the authenticator sends an EAP-Request/Identity packet to initiate the authentication. The authenticator retransmits the packet if no response has been received within the client timeout timer.

802.1X authentication process

The authenticator uses EAP relay or EAP termination to communicate with the RADIUS server.

EAP relay

In this mode, the authenticator uses EAPOR packets to send authentication information to the RADIUS server. The RADIUS server must support the EAP-Message and Message-Authenticator attributes, and must use the same authentication method as the client. For the authenticator, you only need to use the dot1x authentication-method eap command to enable EAP relay.

Figure 2 shows the basic 802.1X authentication process in EAP relay mode. In this example, EAP-MD5 is used.

NOTE:

If the AP is specified as the authenticator, it uses the same authentication process as Figure 2 except that the AP handles the EAP and RADIUS packets.

Figure 2 802.1X authentication process in EAP relay mode

The following steps describe the 802.1X authentication process:

1. When a user launches the 802.1X client and enters a registered username and password, the 802.1X client sends an EAPOL-Start packet to the authenticator.

For information about the client and AP association, see "Configuring WLAN security."

2. The authenticator responds with an EAP-Request/Identity packet to request for the username.

3. The client sends the username in an EAP-Response/Identity packet to the authenticator.

4. The authenticator relays the EAP-Response/Identity packet in a RADIUS Access-Request packet to the authentication server.

5. The authentication server uses the username in the RADIUS Access-Request to search its user database. If a matching entry is found, the server uses a randomly generated challenge (EAP-Request/MD5-challenge) to encrypt the password in the entry. Then, the server sends the challenge in a RADIUS Access-Challenge packet to the authenticator.

6. The authenticator transmits the EAP-Request/MD5-Challenge packet to the client.

7. The client uses the received challenge to encrypt the password, and sends the encrypted password in an EAP-Response/MD5-Challenge packet to the authenticator.

8. The authenticator relays the EAP-Response/MD5-Challenge packet in a RADIUS Access-Request packet to the authentication server.

9. The authentication server compares the received encrypted password with the encrypted password it generated at step 5. If the two passwords are identical, the server considers the client valid and sends a RADIUS Access-Accept packet to the authenticator.

10. Upon receiving the RADIUS Access-Accept packet, the authenticator allows the client to access the network.

11. After the client comes online, the authenticator periodically sends handshake requests to examine whether the client is still online.

12. Upon receiving a handshake request, the client returns a response. If the client fails to return a response after a number of consecutive handshake attempts (two by default), the authenticator logs off the client. This handshake mechanism enables timely release of the network resources used by 802.1X clients that have abnormally gone offline.

13. The client sends an EAPOL-Logoff packet to request a logoff from the authenticator.

14. In response to the EAPOL-Logoff packet, the authenticator sends an EAP-Failure packet to the client.

EAP termination

In this mode, the authenticator performs the following operations:

1. Terminates the EAP packets received from the client.

2. Encapsulates the client authentication information in standard RADIUS packets.

3. Uses PAP or CHAP to communicate with the RADIUS server.

Figure 3 shows the basic 802.1X authentication process in EAP termination mode. In this example, CHAP authentication is used.

NOTE:

If the AP is specified as the authenticator, it uses the same authentication process as Figure 3 except that the AP handles the EAP and RADIUS packets.

Figure 3 802.1X authentication process in EAP termination mode

In EAP termination mode, the authentication device rather than the authentication server generates an MD5 challenge for password encryption. The authentication device then sends the MD5 challenge together with the username and encrypted password in a standard RADIUS packet to the RADIUS server.

MAC authentication

MAC authentication controls network access by authenticating source MAC addresses. The feature does not require any client software. Clients do not have to enter usernames or passwords for network access. The authenticator initiates a MAC authentication process when it detects an unknown source MAC address. If the MAC address passes authentication, the client can access authorized network resources. If the authentication fails, the authenticator marks the MAC address as a silent MAC address and rejects the client's access.

User account policies

User accounts are required for identifying clients. MAC authentication supports the following user account policies:

· One MAC-based user account for each client. The authenticator uses the unknown source MAC addresses in packets as the usernames and passwords of clients for MAC authentication.

· One shared user account for all clients. You specify one username and password, which are not necessarily a MAC address, for all MAC authentication clients on the authenticator. The username is a case-sensitive string of 1 to 55 characters which cannot include the at sign (@). The password can be a plaintext string of 1 to 63 characters or ciphertext string of 1 to 117 characters.

Authentication methods

You can perform MAC authentication on the authenticator (local authentication) or through a RADIUS server.

RADIUS authentication:

· MAC-based accounts—The authenticator sends the source MAC address of the packet as the username and password to the RADIUS server for authentication.

· A shared account—The authenticator sends the shared account username and password to the RADIUS server for authentication.

Local authentication:

· MAC-based accounts—The authenticator uses the source MAC address of the packet as the username and password to search the local account database for a match.

· A shared account—The authenticator uses the shared account username and password to search the local account database for a match.

For more information about configuring local authentication and RADIUS authentication, see Security Configuration Guide.

OUI authentication

OUI authentication examines the OUIs in the MAC addresses of clients. A client passes OUI authentication if the client's OUI matches one of the OUIs configured for the authenticator.

NOTE:

An OUI is a 24-bit number that uniquely identifies a vendor, manufacturer, or organization. In MAC addresses, the first three octets are the OUI.

Authentication modes

Authentication mode	Working mechanism
bypass (the default)	Does not perform authentication.
dot1x	Performs 802.1X authentication only.
mac	Performs MAC authentication only.
mac-or-dot1x	Performs MAC authentication first, and then 802.1X authentication. If the client passes MAC authentication, 802.1X authentication is not performed.
dot1x-or-mac	Performs 802.1X authentication first, and then MAC authentication. If the client passes 802.1X authentication, MAC authentication is not performed.
oui-or-dot1x	Performs OUI authentication first, and then 802.1X authentication. If the client passes OUI authentication, 802.1X authentication is not performed.

Intrusion protection

When the authenticator detects an association request from a client that fails authentication, intrusion protection is triggered. The feature takes one of the following predefined actions on the BSS where the request is received:

· temporary-block (default)—Adds the source MAC address of the request to the blocked MAC address list and drops the request packet. The client at a blocked MAC address cannot establish connections with the AP within a period. To set the period, use the client-security intrusion-protection timer temporary-block command.

· service-stop—Stops the BSS where the request is received until the BSS is enabled manually on the radio interface.

· temporary-service-stop—Stops the BSS where the request is received for a period. To set the period, use the client-security intrusion-protection timer temporary-service-stop command.

NOTE:

Intrusion protection action is not supported in bypass mode.

WLAN VLAN manipulation

VLAN authorization

You can specify authorization VLANs for a WLAN client to control the client's access to network resources. When the client passes 802.1X or MAC authentication, the authentication server assigns the authorization VLAN information to the authenticator. When the device acts as the authenticator, it can resolve server-assigned VLANs of the following formats:

· VLAN ID.

· VLAN name.

The VLAN name represents the VLAN description on the access device.

· VLAN group name.

For more information about VLAN groups, see Layer 2—LAN Switching Configuration Guide.

· Combination of VLAN IDs and VLAN names.

In the string, some VLANs are represented by their IDs, and some VLANs are represented by their names.

If the server assigns a group of VLANs, the access device selects and assigns a VLAN according to the VLAN ID format. Table 1 describes the VLAN selection and assignment rules for a group of authorization VLANs.

Table 1 VLAN selection and assignment for a group of authorization VLANs

Types of authorized VLANs	VLAN selection and assignment rules
· VLANs by IDs · VLANs by names	The device selects the VLAN with the lowest ID from the group of VLANs.
VLAN group name	1. The device selects the VLAN that has the fewest number of online users. 2. If multiple VLANs have the same number of online 802.1X users, the device selects the VLAN with the lowest ID.

Types of authorized VLANs

VLAN selection and assignment rules

· VLANs by IDs

· VLANs by names

The device selects the VLAN with the lowest ID from the group of VLANs.

VLAN group name

1. The device selects the VLAN that has the fewest number of online users.

2. If multiple VLANs have the same number of online 802.1X users, the device selects the VLAN with the lowest ID.

NOTE:

The device converts VLAN names and VLAN group names into VLAN IDs before it assigns a VLAN to the client.

The device fails VLAN authorization for a client in the following situations:

· The device fails to resolve the authorization VLAN information.

· The server assigns a VLAN name to the device, but the device does not have any VLAN using the name.

· The server assigns a VLAN group name to the device, but the VLAN group does not exist or the VLAN group has not been assigned any VLANs.

Authorization VLAN information is used to control data forwarding, so they must be assigned by the device that forwards data traffic. VLAN assignment can be local VLAN assignment or remote VLAN assignment depending on whether the authenticator and the forwarding device are the same device.

· Local VLAN assignment—The authenticator and the forwarding device are the same device. After the authenticator obtains the authorization VLAN information, it resolves the information and assigns the VLAN.

· Remote VLAN assignment—The authenticator and the forwarding device are different devices. After the authenticator obtains the authorization VLAN information, it sends the information to the remote forwarding device. The forwarding device then resolves the information and assigns the VLAN.

For more information about VLANs, see Layer 2—LAN Switching Configuration Guide.

Auth-Fail VLAN

The WLAN Auth-Fail VLAN accommodates clients that have failed WLAN authentication because of the failure to comply with the organization security strategy. For example, the VLAN accommodates clients that have entered wrong passwords or usernames. The Auth-Fail VLAN does not accommodate WLAN clients that have failed authentication for authentication timeouts or network connection problems.

Clients in the Auth-Fail VLAN can access a limited set of network resources.

The authenticator reauthenticates a client in the Auth-Fail VLAN at the interval of 30 seconds.

· If the client passes the reauthentication, the authenticator assigns the client to the authorization VLAN. If no authorization VLAN is configured, the client is assigned to the initial VLAN.

· If the client fails the reauthentication, the client is still in the Auth-Fail VLAN.

Clients that use RSNA cannot be assigned to the Auth-Fail VLAN after they fail 802.1X authentication. The authenticator directly logs off the clients.

The Auth-Fail VLAN feature takes precedence over intrusion protection. When a client fails authentication, the Auth-Fail VLAN setting applies first. If no Auth-Fail VLAN is configured, the intrusion protection feature takes effect. If neither feature is configured, the authenticator directly logs off the client.

Using WLAN authentication with other features

ACL assignment

You can specify an ACL for an 802.1X client to control the client's access to network resources. After the client passes authentication, the authentication server assigns the ACL to the client for filtering traffic for this client. The authentication server can be on the local device that acts as the authenticator or on a RADIUS server. In either case, you must configure rules for the ACL on the authenticator. If the AP acts as the authenticator, you must configure the ACL rules on the AC.

To change the access control criteria for the client, you can use one of the following methods:

· Modify the ACL rules on the authenticator.

· Specify another ACL for the client on the authentication server.

For more information about ACLs, see ACL and QoS Configuration Guide.

User profile assignment

You can specify a user profile for an 802.1X client to control the client's access to network resources. After the client passes 802.1X authentication, the authentication server assigns the user profile to the client for filtering traffic. The authentication server can be on the local device that acts as the authenticator or on a RADIUS server. In either case, you must configure the user profile on the authenticator. If the AP acts as the authenticator, you must configure the user profile on the AC.

To change the client's access permissions, you can use one of the following methods:

· Modify the user profile configuration on the authenticator.

· Specify another user profile for the client on the authentication server.

For more information about user profiles, see Security Configuration Guide.

BYOD access control

This feature allows the RADIUS server to push different register pages and assign different authorization attributes to clients on different endpoint devices.

NOTE:

This feature supports only IMC servers to act as the RADIUS server at the current version.

The following process illustrates the BYOD access control for a WLAN client that passes 802.1X or MAC authentication:

1. The authenticator performs the following operations:

a. Obtains the Option 55 attribute from DHCP packets.

b. Delivers the Option 55 attribute to the RADIUS server.

On an IMC server, the Option 55 attribute will be delivered to UAM.

2. The BYOD-capable RADIUS server performs the following operations:

a. Uses the Option 55 attribute to identify endpoint device information including endpoint type, operating system, and vendor.

b. Sends a register page and assigns authorization attributes to the client according to the device information.

Configuring WLAN authentication

This chapter describes authenticator configuration for WLAN authentication.

Configuration prerequisites

Before you configure WLAN authentication, complete the following tasks:

· Configure an ISP domain and AAA scheme (local or RADIUS authentication) for WLAN clients.

· If local authentication is used, create local user accounts on the device (including usernames and passwords) and set the service type to lan-access.

· If RADIUS authentication is used, make sure the device and the RADIUS server can reach each other, and create user accounts on the RADIUS server. If you are using MAC-based accounts for MAC authentication clients, make sure the username and password for each account are the same as the MAC address of each client.

For more information, see Security Configuration Guide.

WLAN authentication configuration task list

Tasks at a glance
· (Optional.) Configuring global WLAN authentication parameters ¡ Setting OUIs for OUI authentication ¡ Specifying 802.1X-supported domain name delimiters ¡ Enabling EAP relay or EAP termination for 802.1X ¡ Setting the maximum number of 802.1X authentication request attempts ¡ Setting the 802.1X authentication timers ¡ Configuring the MAC authentication user account format ¡ Specifying a global MAC authentication domain ¡ Setting the MAC authentication server timeout timer
· Configuring service-specific WLAN authentication parameters ¡ (Required.) Setting the authentication mode ¡ (Optional.) Specifying an EAP mode for 802.1X authentication ¡ (Optional.) Specifying the authenticator for WLAN clients ¡ (Optional.) Ignoring 802.1X or MAC authentication failures ¡ (Optional.) Configuring a WLAN Auth-Fail VLAN ¡ (Optional.) Ignoring authorization information from the server ¡ (Optional.) Enabling the authorization-fail-offline feature ¡ (Optional.) Configuring intrusion protection ¡ (Optional.) Configuring the online user handshake feature ¡ (Optional.) Specifying an 802.1X authentication domain ¡ (Optional.) Setting the maximum number of concurrent 802.1X clients ¡ (Optional.) Enabling the periodic online user reauthentication feature ¡ (Optional.) Setting the maximum number of concurrent MAC authentication clients ¡ (Optional.) Specifying a service-specific MAC authentication domain

Tasks at a glance

· (Optional.) Configuring global WLAN authentication parameters

¡ Setting OUIs for OUI authentication

¡ Specifying 802.1X-supported domain name delimiters

¡ Enabling EAP relay or EAP termination for 802.1X

¡ Setting the maximum number of 802.1X authentication request attempts

¡ Setting the 802.1X authentication timers

¡ Configuring the MAC authentication user account format

¡ Specifying a global MAC authentication domain

¡ Setting the MAC authentication server timeout timer

· Configuring service-specific WLAN authentication parameters

¡ (Required.) Setting the authentication mode

¡ (Optional.) Specifying an EAP mode for 802.1X authentication

¡ (Optional.) Specifying the authenticator for WLAN clients

¡ (Optional.) Ignoring 802.1X or MAC authentication failures

¡ (Optional.) Configuring a WLAN Auth-Fail VLAN

¡ (Optional.) Ignoring authorization information from the server

¡ (Optional.) Enabling the authorization-fail-offline feature

¡ (Optional.) Configuring intrusion protection

¡ (Optional.) Configuring the online user handshake feature

¡ (Optional.) Specifying an 802.1X authentication domain

¡ (Optional.) Setting the maximum number of concurrent 802.1X clients

¡ (Optional.) Enabling the periodic online user reauthentication feature

¡ (Optional.) Setting the maximum number of concurrent MAC authentication clients

¡ (Optional.) Specifying a service-specific MAC authentication domain

Configuring global WLAN authentication parameters

Setting OUIs for OUI authentication

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Set OUI values for OUI authentication.	port-security oui index index-value mac-address oui-value	By default, no OUI value is set for OUI authentication. This step is required only for the oui-then-dot1x mode. You can set multiple OUIs. The device supports a maximum of 16 OUIs.

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Set OUI values for OUI authentication.

port-security oui index index-value mac-address oui-value

By default, no OUI value is set for OUI authentication.

This step is required only for the oui-then-dot1x mode.

You can set multiple OUIs. The device supports a maximum of 16 OUIs.

Specifying 802.1X-supported domain name delimiters

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Specify a set of domain name delimiters for 802.1X clients.	dot1x domain-delimiter string	By default, only the at sign (@) delimiter is supported. For more information about this command, see Security Command Reference.

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Specify a set of domain name delimiters for 802.1X clients.

dot1x domain-delimiter string

By default, only the at sign (@) delimiter is supported.

For more information about this command, see Security Command Reference.

Enabling EAP relay or EAP termination for 802.1X

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enable EAP relay or EAP termination.	dot1x authentication-method { chap \| eap \| pap }	By default, the device performs EAP termination and uses CHAP to communicate with the RADIUS server. Specify the eap keyword to enable EAP relay. Specify the chap or pap keyword to enable CHAP-enabled or PAP-enabled EAP termination. For more information about this command, see Security Command Reference.

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Enable EAP relay or EAP termination.

dot1x authentication-method { chap | eap | pap }

By default, the device performs EAP termination and uses CHAP to communicate with the RADIUS server.

Specify the eap keyword to enable EAP relay.

Specify the chap or pap keyword to enable CHAP-enabled or PAP-enabled EAP termination.

For more information about this command, see Security Command Reference.

NOTE:

If EAP relay mode is used, the user-name-format command configured in RADIUS scheme view does not take effect. The device sends the authentication data from the client to the server without any modification. For information about the user-name-format command, see Security Command Reference.

Setting the maximum number of 802.1X authentication request attempts

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Set the maximum number of attempts for sending an 802.1X authentication request.	dot1x retry max-retry-value	The default setting is 2. For more information about this command, see Security Command Reference.

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Set the maximum number of attempts for sending an 802.1X authentication request.

dot1x retry max-retry-value

The default setting is 2.

For more information about this command, see Security Command Reference.

Setting the 802.1X authentication timers

802.1X uses the following timers to control interactions with the client and the RADIUS server:

· Client timeout timer—Starts when the device sends an EAP-Request/MD5-Challenge packet to a client. If the device does not receive a response when this timer expires, it retransmits the request to the client. If the device has made the maximum transmission attempts without receiving a response, the client fails authentication. To set the maximum attempts, use the dot1x retry command.

· Server timeout timer—Starts when the device sends a RADIUS Access-Request packet to the authentication server. If the device does not receive a response when this timer expires, the device retransmits the request to the server.

· Handshake timer—Starts after a client passes authentication when the online user handshake is enabled. The device sends handshake messages to the client at every handshake interval. The device logs off the client if it does not receive any response from the client after the maximum handshake attempts. To set the maximum attempts, use the dot1x retry command.

· Periodic reauthentication timer—Starts after a client passes authentication when periodic online user reauthentication is enabled. The device reauthenticates the client at the configured interval. Any change to the timer takes effect only on clients that come online after the change.

In most cases, the default settings are sufficient. You can edit the timers, depending on the network conditions. The following are two examples:

· In a low-speed network, increase the client timeout timer.

· In a network with authentication servers of different performances, adjust the server timeout timer.

To set the 802.1X authentication timers:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Set the client timeout timer.	dot1x timer supp-timeout supp-timeout-value	The default setting is 30 seconds. For more information about this command, see Security Command Reference.
3. Set the server timeout timer.	dot1x timer server-timeout server-timeout-value	The default setting is 100 seconds. For more information about this command, see Security Command Reference.
4. Set the handshake timer.	dot1x timer handshake-period handshake-period-value	The default setting is 15 seconds. For more information about this command, see Security Command Reference.
5. Set the periodic reauthentication timer.	dot1x timer reauth-period reauth-period-value	The default setting is 3600 seconds. For more information about this command, see Security Command Reference.

Configuring the MAC authentication user account format

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Configure the MAC authentication user account format.	· Use one MAC-based user account for each client: mac-authentication user-name-format mac-address [ { with-hyphen \| without-hyphen } [ lowercase \| uppercase ] ] · Use one shared user account for all clients: mac-authentication user-name-format fixed [ account name ] [ password { cipher \| simple } password ]	By default, the device uses the MAC address of a client as the username and password for MAC authentication. The MAC address is in the hexadecimal notation without hyphens, and letters are in lower case. For more information about this command, see Security Command Reference.

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Configure the MAC authentication user account format.

· Use one MAC-based user account for each client:
mac-authentication user-name-format mac-address [ { with-hyphen | without-hyphen } [ lowercase | uppercase ] ]

· Use one shared user account for all clients:
mac-authentication user-name-format fixed [ account name ] [ password { cipher | simple } password ]

By default, the device uses the MAC address of a client as the username and password for MAC authentication. The MAC address is in the hexadecimal notation without hyphens, and letters are in lower case.

For more information about this command, see Security Command Reference.

Specifying a global MAC authentication domain

To implement different access policies for clients, you can specify ISP domains for MAC authentication clients globally or on a service template.

MAC authentication chooses an ISP domain for WLAN clients in the following order:

1. The domain specified on the service template.

2. The global MAC authentication domain specified in system view.

3. The default domain.

For information about ISP domains, see Security Configuration Guide.

To globally specify an ISP domain for MAC authentication clients:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Specify an ISP domain for MAC authentication clients.	mac-authentication domain domain-name	By default, no ISP domain is specified for MAC authentication clients in system view. For more information about this command, see Security Command Reference.

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Specify an ISP domain for MAC authentication clients.

mac-authentication domain domain-name

By default, no ISP domain is specified for MAC authentication clients in system view.

For more information about this command, see Security Command Reference.

Setting the MAC authentication server timeout timer

MAC authentication starts the server timeout timer when the device sends an authentication request to a RADIUS server. If the device does not receive any response from the RADIUS server within the timeout timer, the device regards the server unavailable. If the timer expires during MAC authentication, the client cannot access the network.

To set the MAC authentication server timeout timer:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Set the MAC authentication server timeout timer.	mac-authentication timer server-timeout server-timeout-value	The default setting is 100 seconds. For more information about this command, see Security Command Reference.

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Set the MAC authentication server timeout timer.

mac-authentication timer server-timeout server-timeout-value

The default setting is 100 seconds.

For more information about this command, see Security Command Reference.

Configuring service-specific WLAN authentication parameters

Setting the authentication mode

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter service template view.	wlan service-template service-template-name	N/A
3. Set the authentication mode for WLAN clients.	client-security authentication-mode { dot1x \| dot1x-then-mac \| mac \| mac-then-dot1x \| oui-then-dot1x }	By default, the bypass mode applies. The device does not perform authentication. Clients can access the device directly.

Specifying an EAP mode for 802.1X authentication

The EAP mode determines the EAP protocol provisions and packet format that the device uses to interact with clients.

802.1X supports the following EAP modes:

· extended—Requires the device to interact with clients according to the provisions and packet format defined by the H3C proprietary EAP protocol.

· standard—Requires the device to interact with clients according to the provisions and packet format defined by the standard EAP protocol.

Perform this task only when an IMC server is used as the RADIUS server.

To specify an EAP mode for 802.1X authentication:

Step	Command	Remarks
4. Enter system view.	system-view	N/A
5. Enter service template view.	wlan service-template service-template-name	N/A
6. Specify an EAP mode for 802.1X authentication.	dot1x eap { extended \| standard }	By default, the EAP mode is standard for 802.1X authentication. Specify the extended keyword for iNode clients, and specify the standard keyword for other clients.

Specifying the authenticator for WLAN clients

You can specify the AC or AP to act as the authenticator to perform local or RADIUS-based authentication for WLAN clients.

For a successful authentication, the authenticator cannot be the AP if the AC is configured to forward client data traffic. For information about specifying the device for forwarding client data traffic, see "Configuring WLAN access."

To specify the authenticator for WLAN clients:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter service template view.	wlan service-template service-template-name	N/A
3. Specify the authenticator for WLAN clients.	client-security authentication-location { ac \| ap }	By default, the AC acts as the authenticator to authenticate WLAN clients.

Ignoring 802.1X or MAC authentication failures

Overview

This feature applies to the following clients:

· Clients that perform 802.1X authentication.

This feature enables the device to ignore the 802.1X authentication failures and allow clients that have failed 802.1X authentication to come online.

· Clients that perform both RADIUS-based MAC authentication and portal authentication.

Typically, a WLAN client must pass MAC authentication and portal authentication in turn to access network resources. The client provides username and password each time portal authentication is performed.

This feature simplifies the authentication process for a client as follows:

¡ If the RADIUS server already records the client's MAC authentication information, the client passes MAC authentication. The device allows the client to access network resources without performing portal authentication.

¡ If the RADIUS server does not record the client's MAC authentication information, the client fails MAC authentication. The device ignores the MAC authentication failures and performs portal authentication for the client. If the client passes portal authentication, it can access network resources. The MAC address of the portal authenticated client will be recorded as MAC authentication information on the RADIUS server. At the next authentication attempt, the client will pass MAC authentication and access network resources without performing portal authentication.

Configuration restrictions and guidelines

For RSN + 802.1X clients to roam to a new AP, do not configure this feature.

Configuration procedure

To configure the device to ignore 802.1X or MAC authentication failures:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter service template view.	wlan service-template service-template-name	N/A
3. Configure the device to ignore 802.1X or MAC authentication failures.	client-security ignore-authentication	By default, the device does not ignore the authentication failures for wireless clients that perform 802.1X authentication or perform RADIUS-based MAC authentication.

Configuring a WLAN Auth-Fail VLAN

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter service template view.	wlan service-template service-template-name	N/A
3. Configure a WLAN Auth-Fail VLAN.	client-security authentication fail-vlan vlan-id	By default, no WLAN Auth-Fail VLAN is configured. You can configure only on Auth-Fail VLAN on the service template.

Ignoring authorization information from the server

You can configure the device to ignore the authorization information received from the server (local or remote) after a client passes 802.1X or MAC authentication. Authorization information includes VLAN, ACL, and user profile.

To configure the device to ignore authorization information from the server:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter service template view.	wlan service-template service-template-name	N/A
3. Ignore the authorization information received from the authentication server.	client-security ignore-authorization	By default, authorization information received from the authentication server is used.

Enabling the authorization-fail-offline feature

The authorization-fail-offline feature logs off WLAN clients that fail ACL or user profile authorization.

A client fails ACL or user profile authorization in the following situations:

· The device or server fails to authorize the specified ACL or user profile to the client.

· The authorized ACL or user profile does not exist.

This feature does not apply to clients that fail VLAN authorization. The device logs off these clients directly.

To enable the authorization-fail-offline feature:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter service template view.	wlan service-template service-template-name	N/A
3. Enable the authorization-fail-offline feature.	client-security authorization-fail offline	By default, this feature is disabled. The device does not log off clients that fail ACL or user profile authorization, and it outputs system logs.

Configuring intrusion protection

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter service template view.	wlan service-template service-template-name	N/A
3. Enable the intrusion protection feature.	client-security intrusion-protection enable	By default, intrusion protection is disabled.
4. (Optional.) Configure the intrusion protection action.	client-security intrusion-protection action { service-stop \| temporary-block \| temporary-service-stop }	By default, temporary-block is used.
5. (Optional.) Set the blocking period for illegal clients.	client-security intrusion-protection timer temporary-block time	The default setting is 180 seconds.
6. (Optional.) Set the silence period during which the BSS remains disabled.	client-security intrusion-protection timer temporary-service-stop time	The default setting is 20 seconds.

Configuring the online user handshake feature

The online user handshake feature examines the connectivity status of online 802.1X clients. The device sends handshake messages to online clients at the interval specified by the dot1x timer handshake-period command. If the device does not receive any responses from an online client after it has made the maximum handshake attempts, the device sets the client to offline state.

The online user handshake security feature adds authentication information in the handshake messages. This feature can prevent illegal clients from forging legal 802.1X clients to exchange handshake messages with the device. With this feature, the device compares the authentication information in the handshake response message from a client with that assigned by the authentication server. If no match is found, the device logs off the client.

Configuration guidelines

When you configure the online user handshake security feature, follow these restrictions and guidelines:

· To use the online user handshake security feature, make sure the online user handshake feature is enabled.

· The online user handshake security feature protects only online authenticated 802.1X clients.

Configuration procedure

To configure the online user handshake feature:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter service template view.	wlan service-template service-template-name	N/A
3. Enable the online user handshake feature.	dot1x handshake enable	By default, this feature is disabled.
4. (Optional.) Enable the online user handshake security feature.	dot1x handshake secure enable	By default, this feature is disabled.

Specifying an 802.1X authentication domain

802.1X authentication chooses an ISP domain for WLAN clients in the following order:

· The domain specified on the service template.

· The domain specified by username.

· The default domain.

To specify an 802.1X authentication domain for a service template:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter service template view.	wlan service-template service-template-name	N/A
3. Specify an 802.1X authentication domain for the service template.	dot1x domain domain-name	By default, no 802.1X authentication domain is specified for the service template.

Setting the maximum number of concurrent 802.1X clients

When the maximum number of concurrent 802.1X clients is reached for a service template, new 802.1X clients are rejected.

To set the maximum number of concurrent 802.1X clients for a service template:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter service template view.	wlan service-template service-template-name	N/A
3. Set the maximum number of concurrent 802.1X clients for a service template.	dot1x max-user count	The default setting is 4096.

Enabling the periodic online user reauthentication feature

Periodic online user reauthentication tracks the connection status of online clients, and updates the authorization attributes assigned by the server. The attributes include the ACL, VLAN, and user profile-based QoS. The reauthentication interval is user configurable.

The server-assigned session timeout timer (Session-Timeout attribute) and termination action (Termination-Action attribute) can affect the periodic online user reauthentication feature. To display the server-assigned Session-Timeout and Termination-Action attributes, use the display dot1x connection command (see Security Command Reference).

· If the termination action is Default (logoff), periodic online user reauthentication on the device takes effect only when the periodic reauthentication timer is shorter than the session timeout timer.

· If the termination action is Radius-request, the periodic online user reauthentication configuration on the device does not take effect. The device reauthenticates the online 802.1X clients after the session timeout timer expires.

Support for the assignment of Session-Timeout and Termination-Action attributes depends on the server model.

To enable the periodic online user reauthentication feature:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter service template view.	wlan service-template service-template-name	N/A
3. Enable periodic online user reauthentication.	dot1x re-authenticate enable	By default, this feature is disabled.

Setting the maximum number of concurrent MAC authentication clients

When the maximum number of concurrent MAC authentication clients is reached for a service template, new MAC authentication clients are rejected.

To set the maximum number of concurrent MAC authentication clients for a service template:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter service template view.	wlan service-template service-template-name	N/A
3. Set the maximum number of concurrent MAC authentication clients for the service template.	mac-authentication max-user count	The default setting is 4096.

Specifying a service-specific MAC authentication domain

MAC authentication chooses an ISP domain for WLAN clients in the following order:

· The domain specified on the service template.

· The global MAC authentication domain specified in system view.

· The default domain.

To specify an ISP domain for MAC authentication clients on a service template:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter service template view.	wlan service-template service-template-name	N/A
3. Specify an ISP domain for MAC authentication clients.	mac-authentication domain domain-name	By default, no ISP domain is specified for MAC authentication clients.

Displaying and maintaining WLAN authentication settings

Execute display commands in any view and reset commands in user view.

Task	Command
Display online 802.1X client information.	display dot1x connection [ ap ap-name [ radio radio-id ] \| interface interface-type interface-number \| slot slot-number \| user-mac mac-address \| user-name name-string ]
Display 802.1X session connection information, statistics, or configuration information.	display dot1x [ sessions \| statistics ] [ ap ap-name [ radio radio-id ] \| interface interface-type interface-number ]
Display MAC authentication connections.	display mac-authentication connection [ ap ap-name [ radio radio-id ] \| interface interface-type interface-number \| slot slot-number \| user-mac mac-address \| user-name name-string ]
Display MAC authentication information.	display mac-authentication [ ap ap-name [ radio radio-id ] \| interface interface-type interface-number ]
Display blocked MAC address information.	display wlan client-security block-mac [ ap ap-name [ radio radio-id ] ]
Clear 802.1X statistics.	reset dot1x statistics [ ap ap-name [ radio radio-id ] \| interface interface-type interface-number ]
Clear MAC authentication statistics.	reset mac-authentication statistics [ ap ap-name [ radio radio-id ] \| interface interface-type interface-number ]

NOTE:

For more information about the display dot1x connection, display dot1x, reset dot1x statistics, display mac-authentication connection, display mac-authentication, and reset mac-authentication statistics commands, see Security Command Reference.

WLAN authentication configuration examples

802.1X CHAP local authentication configuration example

Network requirements

As shown in Figure 4, configure the AC to use CHAP to perform 802.1X local authentication for the client.

Figure 4 Network diagram

Configuration procedure

1. Configure 802.1X and the local client:

# Configure the AC to perform EAP termination and use CHAP.

<AC> system-view

[AC] dot1x authentication-method chap

# Add a local network access user with the username chap1 and the password 123456 in plain text.

[AC] local-user chap1 class network

[AC-luser-network-chap1] password simple 123456

# Set the service type to lan-access.

[AC-luser-network-chap1] service-type lan-access

[AC-luser-network-chap1] quit

2. Configure AAA methods for the ISP domain:

# Create an ISP domain named local.

[AC] domain local

# Configure the ISP domain to use local authentication, local authorization, and local accounting for LAN clients.

[AC-isp-local] authentication lan-access local

[AC-isp-local] authorization lan-access local

[AC-isp-local] accounting lan-access local

[AC-isp-local] quit

3. Configure a service template:

# Create a service template named wlas_local_chap.

[AC] wlan service-template wlas_local_chap

# Set the authentication mode to 802.1X.

[AC-wlan-st-wlas_local_chap] client-security authentication-mode dot1x

# Specify the ISP domain local for the service template.

[AC-wlan-st-wlas_local_chap] dot1x domain local

# Set the SSID to wlas_local_chap.

[AC-wlan-st-wlas_local_chap] ssid wlas_local_chap

# Enable the service template.

[AC-wlan-st-wlas_local_chap] service-template enable

[AC-wlan-st-wlas_local_chap] quit

4. Configure the manual AP ap1, and bind the service template to the AP radio:

# Create ap1, and specify the AP model and serial ID.

[AC] wlan ap ap1 model WA4320i-ACN

[AC-wlan-ap-ap1] serial-id 210235A1BSC123000050

# Configure channel 149 as the working channel for radio 1 of the AP, and enable radio 1.

[AC-wlan-ap-ap1] radio 1

[AC-wlan-ap-ap1-radio-1] channel 149

[AC-wlan-ap-ap1-radio-1] radio enable

# Bind the service template wlas_local_chap to radio 1.

[AC-wlan-ap-ap1-radio-1] service-template wlas_local_chap

[AC-wlan-ap-ap1-radio-1] quit

[AC-wlan-ap-ap1] quit

Verifying the configuration

# Verify the 802.1X configuration.

[AC] display wlan service-template

[AC] display dot1x

# Display the client connection information after an 802.1X client passes authentication.

[AC] display dot1x connection

802.1X EAP-PEAP RADIUS authentication configuration example

Network requirements

As shown in Figure 5, configure the AC to perform 802.1X RADIUS authentication for the client by using EAP-PEAP.

Figure 5 Network diagram

Configuration procedure

1. Configure the AC:

a. Configure 802.1X and the RADIUS scheme:

# Configure the AC to use EAP relay to authenticate 802.1X clients.

<AC> system-view

[AC] dot1x authentication-method eap

# Create a RADIUS scheme.

[AC] radius scheme imcc

# Specify the primary authentication server and the primary accounting server.

[AC-radius-imcc] primary authentication 10.18.1.88 1812

[AC-radius-imcc] primary accounting 10.18.1.88 1813

# Set the shared key for secure communication with the server to 12345678 in plain text.

[AC-radius-imcc] key authentication simple 12345678

[AC-radius-imcc] key accounting simple 12345678

# Exclude domain names in the usernames sent to the RADIUS server.

[AC-radius-imcc] user-name-format without-domain

[AC-radius-imcc] quit

b. Configure AAA methods for the ISP domain:

# Create an ISP domain named imc.

[AC] domain imc

# Configure the ISP domain to use the RADIUS scheme imcc for authentication, authorization, and accounting of LAN clients.

[AC-isp-imc] authentication lan-access radius-scheme imcc

[AC-isp-imc] authorization lan-access radius-scheme imcc

[AC-isp-imc] accounting lan-access radius-scheme imcc

[AC-isp-imc] quit

c. Configure a service template:

# Create a service template named wlas_imc_peap.

[AC] wlan service-template wlas_imc_peap

# Set the authentication mode to 802.1X.

[AC-wlan-st-wlas_imc_peap] client-security authentication-mode dot1x

# Specify the ISP domain imc for the service template.

[AC-wlan-st-wlas_imc_peap] dot1x domain imc

# Set the SSID to wlas_imc_peap.

[AC-wlan-st-wlas_imc_peap] ssid wlas_imc_peap

# Set the AKM mode to 802.1X.

[AC-wlan-st-wlas_imc_peap] akm mode dot1x

# Set the CCMP cipher suite.

[AC-wlan-st-wlas_imc_peap] cipher-suite ccmp

# Enable the RSN-IE in the beacon and probe responses.

[AC-wlan-st-wlas_imc_peap] security-ie rsn

# Enable the service template.

[AC-wlan-st-wlas_imc_peap] service-template enable

[AC-wlan-st-wlas_imc_peap] quit

d. Configure the manual AP ap1, and bind the service template to an AP radio:

# Create ap1, and specify the AP model and serial ID.

[AC] wlan ap ap1 model WA4320i-ACN

[AC-wlan-ap-ap1] serial-id 210235A1BSC123000050

# Configure channel 149 as the working channel for radio 1 of the AP, and enable radio 1.

[AC-wlan-ap-ap1] radio 1

[AC-wlan-ap-ap1-radio-1] channel 149

[AC-wlan-ap-ap1-radio-1] radio enable

# Bind the service template wlas_imc_peap to radio 1.

[AC-wlan-ap-ap1-radio-1] service-template wlas_imc_peap

[AC-wlan-ap-ap1-radio-1] quit

[AC-wlan-ap-ap1] quit

2. Configure the RADIUS server:

In this example, the RADIUS server runs IMC PLAT 7.1 and IMC UAM 7.1, and the EAP-PEAP certificate has been installed.

# Add an access device:

a. Click the User tab.

b. From the navigation tree, select User Access Policy > Access Device Management > Access Device.

c. Click Add.

The Add Access Device page appears.

d. In the Access Configuration area, configure the following parameters, as shown in Figure 6:

- Enter 12345678 in the Shared Key and Confirm Shared Key fields.

- Use the default values for other parameters.

e. In the Device List area, click Select or Add Manually to add the device at 10.18.1.1 as an access device.

Figure 6 Adding an access device

英文增加接入设备图.jpg

f. Click OK.

# Add an access policy:

a. Click the User tab.

b. From the navigation tree, select User Access Policy > Access Policy.

c. Click Add.

d. On the Add Access Policy page, configure the following parameters, as shown in Figure 7:

- Enter dot1x in the Access Policy Name field.

- Select EAP for the Certificate Authentication field.

- Select EAP-PEAP Auth from the Certificate Type list, and select MS-CHAPV2 Auth from the Certificate Sub-Type list.

The certificate sub-type on the IMC server must be the same as the identity authentication method configured on the client.

Figure 7 Adding an access policy

英文增加接入策略.jpg

e. Click OK.

# Add an access service:

a. Click the User tab.

b. From the navigation tree, select User Access Policy > Access Service.

c. Click Add.

d. On the Add Access Service page, configure the following parameters, as shown in Figure 8:

- Enter dot1x in the Service Name field.

- Select dot1x from the Default Access Policy list.

Figure 8 Adding an access service

英文增加接入服务.jpg

e. Click OK.

# Add an access user:

a. Click the User tab.

b. From the navigation tree, select Access User > All Access Users.

The access user list appears.

c. Click Add.

The Add Access User page appears.

d. In the Access Information area, configure the following parameters, as shown in Figure 9:

- Click Select or Add User to associate the user with IMC Platform user user.

- Enter user in the Account Name field.

- Enter dot1x in the Password and Confirm Password fields.

e. In the Access Service area, select dot1x from the list.

Figure 9 Adding an access user account

f. Click OK.

3. Configure the WLAN client:

The WLAN client has been installed with the EAP-PEAP certificate.

To configure the WLAN client, perform the following tasks (details not shown):

¡ Select PEAP for identity authentication.

¡ Disable the client from verifying the server certificate.

¡ Disable the client from automatically using the Windows login name and password.

Verifying the configuration

1. On the client, verify that you can use username user and password dot1x to access the network. (Details not shown.)

2. On the AC, perform the following tasks to verify that the user has passed authentication and come online:

# Display online 802.1X client information.

[AC] display dot1x connection

Total connections: 1

User MAC address : 0023-8933-2090

AP name : ap1

Radio ID : 1

SSID : wlas_imc_peap

BSSID : 000f-e201-0003

User name : user

Authentication domain : imc

Authentication method : EAP

Initial VLAN : 1

Authorization VLAN : N/A

Authorization ACL number : N/A

Authorization user profile : N/A

Termination action : Default

Session timeout period : 6001 s

Online from : 2014/04/18 09:25:18

Online duration : 0h 1m 1s

# Display WLAN client information.

[AC] display wlan client

Total number of clients : 1

MAC address Username AP name RID IP address IPv6 address VLAN

0023-8933-2090 user ap1 1 10.18.1.100 1

RADIUS-based MAC authentication configuration example

Network requirements

As shown in Figure 10, configure the AC to use the RADIUS server to perform MAC authentication for the client.

Figure 10 Network diagram

Configuration procedure

Make sure the RADIUS server, AC, AP, and client can reach each other. (Details not shown.)

1. Configure the AC:

a. Configure the RADIUS scheme:

# Create a RADIUS scheme.

<AC> system-view

[AC] radius scheme imcc

# Specify the primary authentication server and the primary accounting server.

[AC-radius-imcc] primary authentication 10.18.1.88 1812

[AC-radius-imcc] primary accounting 10.18.1.88 1813

# Set the shared key for secure communication with the server to 12345678 in plain text.

[AC-radius-imcc] key authentication simple 12345678

[AC-radius-imcc] key accounting simple 12345678

# Exclude domain names in the usernames sent to the RADIUS server.

[AC-radius-imcc] user-name-format without-domain

[AC-radius-imcc] quit

b. Configure AAA methods for the ISP domain:

# Create an ISP domain named imc.

[AC] domain imc

# Configure the ISP domain to use the RADIUS scheme imcc for authentication, authorization, and accounting of LAN clients.

[AC-isp-imc] authentication lan-access radius-scheme imcc

[AC-isp-imc] authorization lan-access radius-scheme imcc

[AC-isp-imc] accounting lan-access radius-scheme imcc

[AC-isp-imc] quit

c. Specify the username 123 and the password aaa_maca in plain text for the account shared by MAC authentication clients.

[AC] mac-authentication user-name-format fixed account 123 password simple aaa_maca

d. Configure a service template:

# Create a service template named maca_imc.

[AC] wlan service-template maca_imc

# Set the SSID to maca_imc.

[AC-wlan-st-maca_imc] ssid maca_imc

# Set the authentication mode to MAC authentication.

[AC-wlan-st-maca_imc] client-security authentication-mode mac

# Specify the ISP domain imc for the service template.

[AC-wlan-st-maca_imc] mac-authentication domain imc

# Enable the service template.

[AC-wlan-st-maca_imc] service-template enable

[AC-wlan-st-maca_imc] quit

e. Configure the manual AP ap1, and bind the service template to an AP radio:

# Create a manual AP named ap1, and specify the AP model and serial ID.

[AC] wlan ap ap1 model WA4320i-ACN

[AC-wlan-ap-ap1] serial-id 210235A1BSC123000050

# Configure channel 149 as the working channel for radio 1 of the AP, and enable radio 1.

[AC-wlan-ap-ap1] radio 1

[AC-wlan-ap-ap1-radio-1] channel 149

[AC-wlan-ap-ap1-radio-1] radio enable

# Bind the service template maca_imc to radio 1.

[AC-wlan-ap-ap1-radio-1] service-template maca_imc

[AC-wlan-ap-ap1-radio-1] quit

[AC-wlan-ap-ap1] quit

2. Configure the RADIUS server:

In this example, the RADIUS server runs IMC PLAT 7.1 and IMC UAM 7.1.

# Add an access device:

a. Click the User tab.

b. From the navigation tree, select User Access Policy > Access Device Management > Access Device.

c. Click Add.

The Add Access Device page appears.

d. In the Access Configuration area, configure the following parameters, as shown in Figure 11:

- Enter 12345678 in the Shared Key and Confirm Shared Key fields.

- Use the default values for other parameters.

e. In the Device List area, click Select or Add Manually to add the device at 10.18.1.1 as an access device.

Figure 11 Adding an access device

英文增加接入设备图.jpg

f. Click OK.

# Add an access policy:

a. Click the User tab.

b. From the navigation tree, select User Access Policy > Access Policy.

c. Click Add.

d. On the Add Access Policy page, configure the following parameters, as shown in Figure 12:

- Enter aaa_maca in the Access Policy Name field.

- Use the default values for other parameters.

Figure 12 Adding an access policy

英文增加接入策略截图.jpg

e. Click OK.

# Add an access service:

a. Click the User tab.

b. From the navigation tree, select User Access Policy > Access Service.

c. Click Add.

d. On the Add Access Service page, configure the following parameters, as shown in Figure 13:

- Enter aaa_maca in the Service Name field.

- Select aaa_maca from the Default Access Policy list.

Figure 13 Adding an access service

英文增加接入服务截图.jpg

e. Click OK.

# Add an access user:

a. Click the User tab.

b. From the navigation tree, select Access User > All Access Users.

The access user list appears.

c. Click Add.

The Add Access User page appears.

d. In the Access Information area, configure the following parameters, as shown in Figure 14:

- Click Select or Add User to associate the user with IMC Platform user 123.

- Enter 123 in the Account Name field.

- Enter aaa_maca in the Password and Confirm Password fields.

e. In the Access Service area, select aaa_maca from the list.

Figure 14 Adding an access user account

f. Click OK.

Verifying the configuration

1. On the client, verify that you can use username 123 and password aaa_maca to access the network. (Details not shown.)

2. On the AC, perform the following tasks to verify that the user has passed authentication and come online:

# Display online MAC authentication client information.

[AC] display mac-authentication connection

Total connections: 1

User MAC address : 0023-8933-2098

AP name : ap1

Radio ID : 1

SSID : maca_imc

BSSID : 000f-e201-0001

User name : 123

Authentication domain : imc

Initial VLAN : 1

Authorization VLAN : N/A

Authorization ACL number : N/A

Authorization user profile : N/A

Termination action : Default

Session timeout period : 6001 s

Online from : 2014/04/17 17:21:12

Online duration : 0h 0m 30s

# Display WLAN client information.

[AC] display wlan client

Total number of clients : 1

MAC address Username AP name RID IP address IPv6 address VLAN

0023-8933-2098 123 ap1 1 10.18.1.100 1

02-WLAN

802.1X authentication

MAC authentication

Authentication methods

Configuring WLAN authentication

Setting OUIs for OUI authentication

Enabling EAP relay or EAP termination for 802.1X

Ignoring 802.1X or MAC authentication failures

Overview

Configuration restrictions and guidelines

Configuration procedure

Configuring the online user handshake feature

Configuration guidelines

Configuration procedure

Enabling the periodic online user reauthentication feature

Displaying and maintaining WLAN authentication settings

WLAN authentication configuration examples

Network requirements

Configuration procedure

Verifying the configuration

Verifying the configuration

Network requirements

Configuration procedure

Verifying the configuration

Intelligent Terminal Products

Product Support Services

Technical Service Solutions

Resource Center

Policy

Online Help

Become a Partner

Partner Policy & Program

Global Learning

Partner Sales Resources

Service Business

News & Events

Contact Us