Configuration Guide Configuring 802.1X
In the WLAN-based 802.1X authentication scenario, the NAS sends SNMP traps to the authentication server to notify it
of the online/offline status of users.
In the WLAN-based 802.1X authentication scenario, traffic monitoring can be enabled on a WLAN. That is, if the traffic
of an authenticated user is lower than the configured threshold within the specified period, the user will be forced offline
so that the authentication server can perform accounting in a timely manner.
802.1X allows the NAS to initiate accounting to the authentication server after obtaining user information from the
authentication client. In this way, user information of the authentication client can be transferred to the authentication
server. To ensure that the wired switch obtains user information from the authentication client in a timely manner and
initiates accounting to the authentication server, you can configure a timeout. If the NAS does not obtain any user
information within the timeout, it directly initiates accounting to the authentication server.
Some servers deliver the accounting update interval only upon users' first authentication attempts. After
re-authentication, users still use the accounting update interval configured on the NAS instead of that configured on the
authentication server. To ensure that the NAS sends accounting update packets according to the accounting update
interval configured on the authentication server, you can configure users to always follow the accounting update interval
assigned by the authentication server upon the first authentication.
Notes
The multi-account function must be disabled if accounting is enabled. Otherwise, accounting may be inaccurate.
IP-based accounting is not required in two situations:
- IPv4 addresses and Ruijie Supplicant are deployed. This function is not required because Ruijie Supplicant can
upload the IPv4 addresses of users.
- Static IP addresses are deployed.
It is recommended that the SSID of the bypass WLAN be different from that of the 802.1X-based WLAN so that the
bypass WLAN service is easy to identify. Moreover, when the WLAN needs to be switched because the server is
inaccessible, users can manually switch the SSID once. Because the supplicant generally remembers the SSID, the
SSID can be switched automatically in the future.
Because 802.1X users are authenticated only for encryption purposes, authorization (for example, ACL assignment and
rate limit assignment) for 802.1X users does not take effect. However, users must pass Web authentication and be
authorized to access the network.
Configuration Steps
Enabling Multi-account Authentication with One MAC Address
(Optional) Run the dot1x multi-account enable command to allow the same MAC address to be used by multiple
accounts.
Enable multi-account authentication with one MAC address after 802.1X authentication is enabled on the NAS.
dot1x multi-account enable