802.1X Configuration

The IEEE 802.1X standard provides a framework that supports different authentication and authorization methods for network access for wired and wireless users. Use this page to configure 802.1X for Ethernet interfaces. To configure 802.1X authentication for wireless interfaces, use the WLAN SSID Edit page. 802.1X is automatically enabled for a wireless interface when it is bound to an SSID.

To enable 802.1X and configure its parameters:

  1. To enable 802.1X, select 802.1X Enable.

  2. Select the 802.1X authentication behavior for ports:

  3. Select the control mode for the security device:

  4. Specify the maximum number of simultaneous users allowed if the interface is set to virtual control mode. You can specify 1 through 256 users. The default value is 16 users. If the control mode is set to interface mode, you cannot configure the maximum number of simultaneous users.

  5. Specify the number of seconds that elapse before the security device attempts reauthentication. The valid value range is 0 through 86400 seconds. The default value is 3600 seconds.

  6. Select a predefined authentication server to be used for authentication for the interface. Select None if you do not want to specify an authentication server for the interface.

  7. Specify the silent period, which is the amount of time the security device waits after authentication fails. During the silent period, the security device does not initiate or respond to any client authentication requests. By default, when authentication fails, the security device is silent for 5 seconds, and the authentication retry count resets to zero (0). The silent period is a value from 0 through 3600 seconds (1 hour).

  8. Enable the retransmission of EAP requests to a client that does not respond. By default, retransmission is enabled. Optionally, you can also configure the maximum number of EAP requests that are retransmitted and the time that elapses between retransmissions. If the maximum number of retransmissions is reached, the client’s authenticated session is terminated, and authentication fails.

  9. Specify the time that elapses between EAP retransmissions. The valid value range is 10 through 600 seconds. The default value is 3 seconds.

  10. Specify the maximum number of EAP retransmissions. The valid value range is 1 through 16. The default value is 3.

  11. Click Apply to save your changes.
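
A pre-flight check for the settings in this procedure, added here as an example; it is not part of the product or its documentation. Field names such as control_mode and retransmit_period are hypothetical, the ranges and defaults are the ones the steps above state, and the per-hour figure is derived from the silent period described in step 7.

```python
# Added example: field names are hypothetical; ranges and defaults are the
# values stated in the procedure above.
RANGES = {
    "max_users": (1, 256),           # virtual control mode only
    "reauth_period": (0, 86400),     # seconds
    "silent_period": (0, 3600),      # seconds
    "retransmit_period": (10, 600),  # seconds
    "retransmit_count": (1, 16),
}
# Defaults as listed on the page. The listed retransmit_period default (3) lies
# below the listed minimum (10), so defaults are taken as given and only
# values supplied by the operator are range-checked.
DEFAULTS = {"max_users": 16, "reauth_period": 3600, "silent_period": 5,
            "retransmit": True, "retransmit_period": 3, "retransmit_count": 3}


def check_dot1x(settings):
    """Validate proposed settings; return (effective_settings, problems)."""
    problems = []
    mode = settings.get("control_mode")
    if mode not in ("interface", "virtual"):
        problems.append("control_mode must be 'interface' or 'virtual'")
    if mode == "interface" and "max_users" in settings:
        problems.append("max_users cannot be set in interface control mode")
    for key, (low, high) in RANGES.items():
        if key not in settings:
            continue
        value = settings[key]
        if type(value) is not int or not low <= value <= high:
            problems.append(f"{key}={value!r} is outside {low}..{high}")
    effective = {**DEFAULTS, **settings}
    if mode == "interface":
        effective.pop("max_users", None)  # not applicable in interface mode
    return effective, problems


def max_failed_rounds_per_hour(silent_period):
    """Upper bound on failed authentications per hour that the silent period
    allows; None when the period is 0 and imposes no pause."""
    if silent_period == 0:
        return None
    return -(-3600 // silent_period)  # ceiling division


if __name__ == "__main__":
    # Constructed sample input, not taken from a real device.
    proposed = {"control_mode": "interface", "max_users": 32, "silent_period": 0}
    effective, problems = check_dot1x(proposed)
    print(problems)
    print(max_failed_rounds_per_hour(effective["silent_period"]))
```

A silent period of 0 removes the pause after a failed authentication, so the check reports no upper bound for it.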