This feature may not be available on all platforms. Check your system's actual page to confirm whether your device supports this feature.
802.1X is a standard defined by IEEE for Port-based Network Access Control. It uses Layer-2 based authentication (protocol: EAPOL, Extensible Authentication Protocol over LAN) to verify the legitimacy of the users accessing the network through the LAN. Before authentication, the security device allows only 802.1X (EAPOL) messages to pass through the port. After authentication, all normal traffic can pass through.
Only a local server or a Radius server can serve as the AAA server for 802.1x. Other types of AAA servers, such as AD or LDAP servers, do not support 802.1x.
The authentication process is the same as for other authentication methods; refer to Authentication.
A complete configuration for 802.1x authentication includes the following points:
- Prerequisite: Before configuration, you should already have the AAA server you want (only a local or Radius server is supported for 802.1x). The AAA server has been added to the firewall system (refer to AAA server), and the interface or VLAN for authentication has been bound to a security zone (refer to Interface or VLAN).
- Configuration key steps:
  - Creating an 802.1x profile.
  - Creating a security policy to allow access.
  - On the user's PC, modify the network adapter's properties: if the computer is connected to the 802.1x interface, enable authentication on its LAN connection (right-click the LAN connection and select Properties; in the prompt, under the Authentication tab, select MD5-Challenge or Microsoft: Protected EAP (PEAP), and click OK to confirm).
Creating 802.1x Profile
To create an 802.1x profile, take the following steps:
- Select Network > 802.1X > 802.1X.
- Click New and a prompt appears. Under the Basic tab and the Advanced tab, enter values for the following options:

Basic Configuration

| Option | Description |
| --- | --- |
| 802.1x Name | Enter a name for the 802.1x profile. |
| Interface | Select the interface for 802.1x authentication. It must be a Layer-2 interface or a VLAN interface. |
| AAA Server | Select the AAA server for 802.1x authentication. It must be a local server or a Radius server. |
| Access Mode | Select an access mode. Port: once any one client connected to the 802.1x interface has passed authentication, all clients on that interface can access the Internet. MAC: every client must pass authentication individually before using the Internet. |

Advanced Configuration

| Option | Description |
| --- | --- |
| Port authorized | Auto: the system allows users who have successfully passed authentication to connect to the network. Force-unauthorized: the system disables authorization of the port; as a result, no client can connect to the port, so there is no way to connect to the network. |
| Re-auth period | Enter a time period as the re-authentication time. After a user has successfully connected to the network, the system automatically re-authenticates the user's credentials at this interval. The range is 0 to 65535 seconds. If the value is set to 0, this function is disabled. |
| Quiet period | If authentication fails, the system waits for this period before it processes another authentication request from the same client. The range is 0 to 65535 seconds, and the default value is 60 seconds. If the value is set to 0, the system does not wait and immediately processes the request from the same client. |
| Retries | Specifies the number of retries. If the authentication system does not receive any response from the client, it requests the user's credentials again; after the specified number of tries it stops. The range is 1 to 10 times, and the default is 2 times. |
| Server timeout | Specifies the server timeout value. The authenticator transmits the client's credentials to the authentication server; if the server does not answer the authenticator within this time, the authenticator resends the request to the authentication server. The range is 1 to 65535 seconds, and the default value is 30 seconds. |
| Client timeout | When the authenticator sends a request asking the client to submit its username, the client must respond within this period. If the client does not respond before the timeout, the system resends the authentication request message. The range is 1 to 65535 seconds, and the default value is 30 seconds. |
- Click OK.
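As an added example (not code from the original page or from the firewall vendor), the following Python models the port behaviour described in the profile options above: EAPOL frames (EtherType 0x888E) pass before authentication, the Port and MAC access modes decide what passes afterwards, and a failed attempt starts the quiet period. The class and function names are my own, and the frames in the usage are constructed sample input.

```python
# Added example (not from the original page): a model of the authenticator
# behaviour described above. Only EAPOL frames (EtherType 0x888E) pass before
# authentication; afterwards "Port" mode opens the port to all clients while
# "MAC" mode admits only authenticated MACs. A failed attempt starts the
# quiet period, during which requests from that client are not processed.
import struct

EAPOL_ETHERTYPE = 0x888E

def parse_ethernet(frame: bytes):
    """Return (dst, src, ethertype) from a raw Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    return frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]

def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes = b"") -> bytes:
    """Build an Ethernet II frame; used here only to construct sample input."""
    return dst + src + struct.pack("!H", ethertype) + payload

class Dot1xPort:
    """Authenticator state for one 802.1x interface (hypothetical class name)."""

    def __init__(self, access_mode="MAC", quiet_period=60):
        if access_mode not in ("Port", "MAC"):
            raise ValueError("access mode must be 'Port' or 'MAC'")
        self.access_mode = access_mode
        self.quiet_period = quiet_period   # seconds; 0 means process requests immediately
        self.authenticated = set()         # MACs that have passed authentication
        self.quiet_until = {}              # MAC -> time before which its requests are ignored

    def attempt(self, mac: bytes, success: bool, now: float) -> str:
        """Record an authentication result for `mac` at time `now` (seconds)."""
        if now < self.quiet_until.get(mac, 0):
            return "ignored"               # still inside the quiet period
        if success:
            self.authenticated.add(mac)
            self.quiet_until.pop(mac, None)
            return "authenticated"
        self.quiet_until[mac] = now + self.quiet_period
        return "failed"

    def allow(self, frame: bytes) -> bool:
        """Decide whether a frame may cross the port."""
        _dst, src, ethertype = parse_ethernet(frame)
        if ethertype == EAPOL_ETHERTYPE:
            return True                    # EAPOL always passes so clients can authenticate
        if self.access_mode == "Port":
            return bool(self.authenticated)  # one success opens the port for every client
        return src in self.authenticated   # MAC mode: each client must pass on its own
```

In MAC mode a second, unauthenticated client stays blocked even after the first client passes; in Port mode the same second client is admitted, which is the trade-off the Access Mode option describes.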
802.1x Global Configuration
Global parameters apply to all 802.1x profiles.
To configure global parameters, take the following steps:
- Select Network > 802.1X > Global Configuration.
- Choose whether to allow one account to log in from different clients:
  - Disable: If you select Disable, one account can only log in from one client at a time. Select Replace if you want to kick off the old login user, or Refuse if you want to reject the new login user.
  - Enable: If you select Enable, different clients can use one account to log in. Select Unlimited if you do not want to limit the number of login clients, or select Max attempts and enter a value for the maximum number of user clients.
- Set the following parameters:

| Option | Description |
| --- | --- |
| Maximum Users | The maximum number of user clients for an authentication port. |
| Re-Auth time | Specify the authentication timeout value. If the client does not respond within the timeout period, the client is required to re-enter its credentials. The range is 180 to 86400 seconds, and the default value is 300 seconds. |

- Click OK.
Viewing Online Users
To view which authenticated users are online:
- Select Network > 802.1X > Online user.
- The page will show all online users. You can set up filters to view results that match your conditions.