Configuring 802.1x Access

The 802.1x access function can be configured on interfaces to control the access to a specific network.

Context

802.1x access requires the use of an authentication domain. The authentication domain must be configured to allow 802.1x access and RADIUS server authentication (or local authentication). For details, see Configuring 802.1x User Authentication. Generally, 802.1x access uses RADIUS server authentication. In small-scale networks, a FW can serve as an authentication server to authenticate users locally.

Procedure

  1. Choose Network > 802.1x > 802.1x.
  2. Click Add to configure 802.1x access.

    • Wired access

      Parameter / Description

      Interface Name

      Select an interface to which 802.1x authentication applies. The interface must be a Layer-2 Ethernet interface.

      Access Mode

      Set an access mode for multiple access users:

      • Individual: Each user who accesses the interface is authenticated separately and can access the network only after authenticating successfully. The logout of one user does not affect the others.
      • Shared: Only the first access user is authenticated. If that authentication succeeds, subsequent users on the same interface can access the network directly without being authenticated. If the first user logs out, the subsequent users are logged out as well. This access mode applies to scenarios with low security requirements.

      Max. Access Users

      If the access mode is Individual, you can set the maximum number of users that can access the network through one interface.

      This limit prevents malicious users on one interface from consuming too many resources, which would affect logins by users on other interfaces.

      Authentication Domain Type

      By default, the FW assigns users to specific authentication domains based on the domain names in their user names (character string after the at sign @). If a user name does not carry any domain name, the FW authenticates the user in the default authentication domain.

      The FW can also control the use of authentication domains by specifying authentication domain types:

      • Default: If you do not want to use the domain named default as the default authentication domain, specify another one here. If a user name does not carry a domain name, the FW authenticates the user in the configured default authentication domain.
      • Mandatory: The FW authenticates users in the specified authentication domain regardless of whether their user names carry domain names. This prevents malicious users from logging in through the local interface by forging domain names. In addition, you can configure different mandatory authentication domains for users who access through different interfaces. Mandatory authentication domains improve 802.1x access security.
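      The following Python snippet is an added illustration of the domain-selection rules above; it is not Huawei code and does not model the FW's actual parser. It assumes the domain name is the text after the last "@" (the page does not say which "@" is used when a name contains several), uses the policy names Default and Mandatory as on this page, and runs on constructed user names. It shows why Mandatory matters: under Default, a user who types a forged "@admin" suffix is authenticated in that domain, whereas Mandatory ignores the suffix.

```python
from typing import List, Optional, Tuple

# Added example for this page (not Huawei code). The "last @" split rule and the
# string values "Default" / "Mandatory" are assumptions made here.


def split_user_name(user_name: str) -> Tuple[str, Optional[str]]:
    """Return (account, domain); domain is the text after the last '@', or None."""
    account, sep, domain = user_name.rpartition("@")
    if not sep:
        return user_name, None
    return account, (domain or None)


def resolve_authentication_domain(user_name: str,
                                  domain_type: Optional[str],
                                  configured_domain: Optional[str],
                                  system_default: str = "default") -> str:
    """Pick the authentication domain the FW would use for this login.

    domain_type is None (no per-interface setting), "Default" or "Mandatory";
    configured_domain is the domain selected under Authentication Domain.
    """
    _, carried = split_user_name(user_name)
    if domain_type == "Mandatory":
        if configured_domain is None:
            raise ValueError("Mandatory requires an authentication domain")
        # The carried domain is ignored: a forged "@admin" suffix cannot
        # steer the login into another domain.
        return configured_domain
    if domain_type == "Default":
        if configured_domain is None:
            raise ValueError("Default requires an authentication domain")
        return carried if carried is not None else configured_domain
    # No per-interface setting: carried domain, else the system default domain.
    return carried if carried is not None else system_default


def audit_logins(user_names: List[str], domain_type: Optional[str],
                 configured_domain: Optional[str]) -> List[Tuple[str, str]]:
    """Map a batch of constructed user names to the domain each would land in."""
    return [(u, resolve_authentication_domain(u, domain_type, configured_domain))
            for u in user_names]


if __name__ == "__main__":
    names = ["alice", "alice@sales", "mallory@admin"]  # constructed sample names
    for policy in (None, "Default", "Mandatory"):
        print(policy, audit_logins(names, policy, "guest"))
```

Running the block prints, for each policy, where the same three names would be authenticated; only the Mandatory row sends mallory@admin to the guest domain rather than to admin.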

      Authentication Domain

      Select the authentication domain name corresponding to the default or mandatory authentication domain.

      The authentication domain must allow 802.1x access and have been configured with RADIUS server authentication or local authentication. For details, see Configuring 802.1x User Authentication.

      Authentication Type

      Set an 802.1x access authentication type. The way the FW interacts with the authentication server depends on the authentication type.

      • EAP: EAP relay mode. The FW does not parse the received EAP packets; it encapsulates them unchanged into RADIUS packets, a mechanism called EAP over RADIUS (EAPOR). This mode keeps FW processing simple and supports various EAP authentication methods, such as MD5-Challenge, EAP-TLS, and PEAP. However, the RADIUS server must support the methods in use.
      • CHAP and PAP: EAP termination mode. The FW itself parses the EAP packets, encapsulates the user authentication information into a RADIUS packet, and sends it to the RADIUS server for authentication. This mode is widely applicable because mainstream RADIUS servers already support PAP and CHAP, so no server update is needed. However, FW processing is more complex, and the client can use only the MD5-Challenge EAP authentication method.
        • PAP is a two-way handshake authentication protocol. It transmits passwords in plain text in RADIUS packets and is therefore insecure.
        • CHAP is a three-way handshake authentication protocol. It authenticates users by exchanging challenge messages between the client and the server, so the password itself is not transmitted; CHAP is therefore more secure than PAP.

      Whether to use EAP relay or EAP termination depends on the processing capability of the RADIUS server. If the server is powerful enough to parse a large number of EAP packets itself, EAP relay is recommended. If it is not, EAP termination is recommended, and the FW parses the EAP packets on the server's behalf. Whichever method you configure, ensure that both the client and the server support it; otherwise, users cannot pass authentication.
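      To make the difference between relay and termination concrete, the following Python example, written for this page and not Huawei product code, walks one MD5-Challenge authentication through EAP termination: the client builds an EAP-Response/MD5-Challenge packet (RFC 3748), the FW parses it (the step EAP relay skips) and re-encodes the result as RADIUS CHAP-Password and CHAP-Challenge attribute values (RFC 2865), and the RADIUS server verifies it against its user database. The user name, password, challenge and EAP identifier are constructed values; only the attribute values are modelled, not complete RADIUS packets with header, Request Authenticator and shared-secret handling.

```python
import hashlib
import hmac
import struct
from typing import Dict, Tuple

# Added example for this page (not Huawei code). Constants are the standard
# EAP (RFC 3748) and RADIUS (RFC 2865) values; all sample data is constructed.
EAP_RESPONSE = 2
EAP_TYPE_MD5_CHALLENGE = 4
ATTR_USER_NAME = 1
ATTR_CHAP_PASSWORD = 3
ATTR_CHAP_CHALLENGE = 60


def md5_challenge_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP / EAP MD5-Challenge response: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def build_eap_md5_response(identifier: int, password: bytes,
                           challenge: bytes, name: bytes) -> bytes:
    """Client side: EAP-Response/MD5-Challenge packet (Code, Id, Length, Type, Value-Size, Value, Name)."""
    value = md5_challenge_response(identifier, password, challenge)
    type_data = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name
    return struct.pack("!BBH", EAP_RESPONSE, identifier, 4 + len(type_data)) + type_data


def parse_eap_md5_response(packet: bytes) -> Tuple[int, bytes, bytes]:
    """FW side: parse the EAP packet. In relay mode this step does not happen."""
    if len(packet) < 6:
        raise ValueError("EAP packet too short")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != EAP_RESPONSE or length != len(packet):
        raise ValueError("malformed EAP Response")
    if packet[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("EAP termination handles only MD5-Challenge")
    value_size = packet[5]
    value = packet[6:6 + value_size]
    if len(value) != value_size:
        raise ValueError("truncated MD5-Challenge value")
    return identifier, value, packet[6 + value_size:]


def terminate_eap_to_radius(packet: bytes, challenge: bytes) -> Dict[int, bytes]:
    """FW side: re-encode the EAP result as RADIUS CHAP attribute values.

    CHAP-Password carries the 1-byte CHAP Ident followed by the 16-byte
    response; CHAP-Challenge carries the challenge the FW issued.
    """
    identifier, value, name = parse_eap_md5_response(packet)
    return {
        ATTR_USER_NAME: name,
        ATTR_CHAP_PASSWORD: bytes([identifier]) + value,
        ATTR_CHAP_CHALLENGE: challenge,
    }


def radius_server_verify(attrs: Dict[int, bytes], user_db: Dict[bytes, bytes]) -> bool:
    """Server side: recompute the response from the stored password and compare."""
    password = user_db.get(attrs[ATTR_USER_NAME])
    if password is None:
        return False
    chap = attrs[ATTR_CHAP_PASSWORD]
    if len(chap) != 17:
        return False
    expected = md5_challenge_response(chap[0], password, attrs[ATTR_CHAP_CHALLENGE])
    return hmac.compare_digest(expected, chap[1:])


# Constructed sample data (not from any real deployment).
USER_DB = {b"alice@sales": b"S3cret-pw"}
CHALLENGE = bytes(range(16))  # fixed challenge so the exchange is reproducible


def run_exchange(client_password: bytes, identifier: int = 7) -> Tuple[bool, bytes]:
    """Client -> FW (termination) -> RADIUS server; returns (accepted, eap_packet)."""
    eap_packet = build_eap_md5_response(identifier, client_password, CHALLENGE, b"alice@sales")
    attrs = terminate_eap_to_radius(eap_packet, CHALLENGE)
    return radius_server_verify(attrs, USER_DB), eap_packet


if __name__ == "__main__":
    accepted, pkt = run_exchange(b"S3cret-pw")
    print("correct password accepted:", accepted)
    print("password bytes present on the wire:", b"S3cret-pw" in pkt)
    print("wrong password accepted:", run_exchange(b"guess")[0])
```

      Two caveats the walk-through makes visible: the server must hold each user's password in recoverable form, because it recomputes MD5(Identifier || password || challenge) itself; and MD5-Challenge authenticates only the client, with no mutual authentication, which is one reason EAP relay with EAP-TLS or PEAP is preferable when the RADIUS server can handle it.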

      NOTE:
      • If RADIUS authentication is used, the authentication mode for 802.1x users can be EAP relay or EAP termination.
      • If AAA local authentication is used, the authentication mode for 802.1x users can only be set to EAP termination.
      • Terminals such as laptop computers support EAP termination mode only after having third-party clients installed.
      • If the 802.1x client uses the MD5-Challenge method, the authentication type on the device can be set to EAP or CHAP; if the 802.1x client uses PEAP, the authentication type on the device must be set to EAP.
      • If 802.1x users on an interface have gone online, changing the user authentication mode in the 802.1x access profile bound to the interface will make the online 802.1x users go offline.

  3. Click OK.
Copyright © Huawei Technologies Co., Ltd.