Got it
Enterprise
Community Forums Switches
The users can still obtai...

The users can still obtain IP addresses even if they fail to be authenticated

Created: Aug 26, 2019 07:52:06Latest reply: Aug 26, 2019 07:57:24 170 1 0 0
  Rewarded HiCoins: 0 (problem resolved)
display all floors #1

I have configured 802.1x authentication on the S6720. I find that computers can still obtain IP addresses if they fail to be authenticated. ( Although they can't access the Internet.)

Here is the related configuration on the switch, is there any error?

#

radius-server template rd1

radius-server authentication XX.XX.XX.XX 1812

radius-server accounting XX.XX.XX.XX 1813

radius-server shared-key cipher XXXXXX

radius-server authorization XX.XX.XX.XX shared-key cipher XXXXXX

#

aaa

domain do1

authentication-scheme radius

accounting-scheme radius

radius-server rd1

#

dot1x-access-profile name d1

authentication-profile name p1

dot1x-access-profile d1

access-domain do1 force

#

interface gigabitethernet 1/0/0

authentication-profile p1

#

  • x
  • convention:

I have this problem too (0) Favorite(0) Share Report
Previous: How to prevent users from configuring static IP addresses without permission
Next: Huawei industrial grade fiber Switches
Featured Answers

Best answer

(0) (0)
Popeye_Wang
Admin Created Aug 26, 2019 07:57:24 Helpful(0) Helpful(0)

Hi Hobbit,

It's normal. The pre-connection is enabled by default. If the device is not configured to grant network access rights to users in pre-connection or authentication failure state, users who fail to be authenticated remain in the pre-connection state by default. Because the device allows DHCP packets from pre-connection users to pass through, the users can still obtain IP addresses although they do not have any network access rights.

You can run the undo authentication pre-authen-access enable command to disable the function of keeping users who fail to be authenticated and do not have any network access rights in the pre-connection state. This configuration ensures that the users cannot obtain IP addresses.
View more
  • x
  • convention:
All Answers
Popeye_Wang
Popeye_Wang Admin Created Aug 26, 2019 07:57:24 Helpful(0) Helpful(0)

Hi Hobbit,

It's normal. The pre-connection is enabled by default. If the device is not configured to grant network access rights to users in pre-connection or authentication failure state, users who fail to be authenticated remain in the pre-connection state by default. Because the device allows DHCP packets from pre-connection users to pass through, the users can still obtain IP addresses although they do not have any network access rights.

You can run the undo authentication pre-authen-access enable command to disable the function of keeping users who fail to be authenticated and do not have any network access rights in the pre-connection state. This configuration ensures that the users cannot obtain IP addresses.
View more
  • x
  • convention:
Back to list

Comment

Advanced
B Color Image Link Quote Code Smilies
You need to log in to comment to the post Login | Register
Comment

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " Privacy."

My Followers

Login and enjoy all the member benefits

Login
Huawei Website Support About Huawei Privacy User Agreement Terms of Use Cookie Settings
Huawei Enterprise Huawei Carrier Forum Training & Certification

Copyright © 2020 Huawei Technologies Co., Ltd. All rights reserved.

APP

Huawei Enterprise Support Community
Huawei Enterprise Support Community
Block
Are you sure to block this user?
Users on your blacklist cannot comment on your post,cannot mention you, cannot send you private messages.
Reminder
Please bind your phone number to obtain invitation bonus.