Configuring online user handshake

About online user handshake

The online user handshake feature checks the connectivity status of online 802.1X users. The access device sends handshake requests (EAP-Request/Identity packets) to each online user at the interval specified by the dot1x timer handshake-period command. If the device receives no EAP-Response/Identity packet from an online user after it has made the maximum number of handshake attempts, it sets the user to the offline state. To set the maximum number of handshake attempts, use the dot1x retry command.

By default, the device does not answer the EAP-Response/Identity packets that 802.1X clients send during the handshake with EAP-Success packets. Some 802.1X clients go offline if they do not receive an EAP-Success packet in response to their handshake reply. To avoid this issue, enable the online user handshake reply feature.

If iNode clients are deployed, you can also enable the online user handshake security feature, which checks the authentication information carried in the handshake packets from clients. This feature prevents 802.1X users that run illegal client software from bypassing iNode security checks such as dual network interface card (NIC) detection. If a user fails the handshake security check, the device sets the user to the offline state.

Restrictions and guidelines

Procedure

  1. Enter system view.

    system-view

  2. (Optional.) Set the handshake timer.

    dot1x timer handshake-period handshake-period-value

    The default is 15 seconds.

  3. Enter interface view.

    interface interface-type interface-number

  4. Enable the online user handshake feature.

    dot1x handshake

    By default, the feature is enabled.

  5. (Optional.) Enable the online user handshake security feature.

    dot1x handshake secure

    By default, the feature is disabled.

  6. (Optional.) Enable the 802.1X online user handshake reply feature.

    dot1x handshake reply enable

    By default, the device does not reply to 802.1X clients' EAP-Response/Identity packets during the online handshake process.
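The following configuration session walks through the whole procedure on one access interface, including the dot1x retry setting that the procedure above refers to but does not list. It is an added example, not taken from the original page or from the vendor's documentation. The interface name GigabitEthernet 1/0/1, the 20-second handshake interval and the three-attempt limit are assumptions chosen for illustration.

```text
# Handshake interval (default 15 s) and maximum handshake attempts are system-view settings.
# Values below are assumed for this example.
<Device> system-view
[Device] dot1x timer handshake-period 20
[Device] dot1x retry 3
# On the access interface: keep the handshake enabled (it is on by default, shown here
# explicitly), check the authentication information in iNode handshake packets, and answer
# handshake replies with EAP-Success so clients that expect one do not drop offline.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] dot1x handshake
[Device-GigabitEthernet1/0/1] dot1x handshake secure
[Device-GigabitEthernet1/0/1] dot1x handshake reply enable
[Device-GigabitEthernet1/0/1] quit
```

With these values a user that stops answering is set offline after roughly handshake-period multiplied by the retry count (about 60 seconds here); a shorter interval detects silent departures sooner at the cost of more handshake traffic per user. Enable dot1x handshake secure only on interfaces that serve iNode clients: a client that cannot supply the expected authentication information fails the check and is logged off, so applying it to a mixed client population causes unintended disconnections.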