Comware Based
cancel
Showing results for 
Search instead for 
Did you mean: 

How to keep dot1x session open/authenticated?

pattap
Regular Advisor

How to keep dot1x session open/authenticated?

Hi All

I'm trying to get dot1x working on Comware Software, Version 5.20.99

We have some old switches running comware 3 on which dot1x works fine.

The only thing I am missing on com5 to make the config complete is a command equivalent to dot1x dhcp-launch (not available on com5) or other command that would keep dot1x session open.

so for example, the client is being authenticated successfully for the first time, once he/she's logs off I want the dot1x to be still open if that makes sense

 

6 REPLIES
pattap
Regular Advisor

Re: How to keep dot1x session open/authenticated?

I found the below on H3C website, translated from Chinese

dot1x user-ip freeze command to configure 802.1X user IP address Freeze function, namely the port for the first time to obtain and save the 802.1X online user's IP after the address, will not end with the user IP address are changed and updated stored user IP address . undo dot1x user-ip freeze command to restore the default.

By default, the port for the first time to obtain and save the 802.1X online user's IP after an address, with the user IP address are changed and update the stored user IP address.

I think this is what I'm looking for, has anyone used this command? 

pattap
Regular Advisor

Re: How to keep dot1x session open/authenticated?

ok let's log it with HP then 

will update you curious souls if any 

sdide
Respected Contributor

Re: How to keep dot1x session open/authenticated?

I'm not totally sure what you need.

But if you don't what regular dot1x handshakes, you can disable them with 

undo dot1x handshake

Regards

 

 

Søren Dideriksen, Network Administrator
Region Midtjylland
pattap
Regular Advisor

Re: How to keep dot1x session open/authenticated?

There is an Juniper Oyessey client on PC's. What I need is the session to remain open once users logs off of their PCs.

With old 3com kit that was running comware 3 we needed to follow the below steps:

1. log onto a PC with local admin account 

2. authenticate against radius with oddyssey client 

3. Log off - the session would remain open at this point 

4. Any user allowed on RADIUS was able to log onto PC 

That procedure needed to be performed only once per PC 

But now as we try to replace the old kit with 3600 running com5 this doesn't work that way anymore.

after step 4 you won't be able to logi n back to PCs - unless with local admin

 

Also, 

sdide
Respected Contributor

Re: How to keep dot1x session open/authenticated?

Hi,

maybe you could post what switch-model exactly you're using (shouldn't really matter), but sometimes featuresets differ. and post all relevant dot1x configuration.

Maybe you're doing EAP termination, and not EAP relay?

To just relay, use

dot1x authentication-method {chap|pap}

Probably CHAP. By default the switch does termination.

Regards

Søren Dideriksen, Network Administrator
Region Midtjylland
pattap
Regular Advisor

Re: How to keep dot1x session open/authenticated?

switch is HP 3600-24-PoE+ v2 EI , software  Version 5.20.99, Release 2110P05

I use eap as per below

[TEST_HP_3600]dot1x authentication-method eap

this is straight from 3600 Security Guide:

"Specify the eap keyword to enable EAP
relay"

dot1x authentication-method
{ chap | eap | pap }

I aslo got some support from HP:

"Comware 5 has max session expire timer is 7200 second. It does not support “Session never expires” as per your requirement.

You can use below command to configure maximum periodic online user re-authentication function. 

dot1x re-authenticate

dot1x timer reauth-period “value”

Now I'm not sure whether you can do it from switch end?

If not I'd try changing setting on client itself