No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


S12700 V200R011C10 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, DAA, NAC, PPPoE, Policy Association, and IP session.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
(Optional) Configuring 802.1X-based Fast Deployment

(Optional) Configuring 802.1X-based Fast Deployment


In the 802.1X network deployment, if the 802.1X client software is downloaded and upgraded for each access user, the administrator has huge workload when there are a large number of access users. You can configure a free IP subnet and a redirect-to URL for a user to implement fast deployment of the 802.1X client.

Before the access user passes the 802.1X authentication, the user can access the network resources in the free IP subnet if the free IP subnet is configured. If the redirect-to URL is configured for the 802.1X authentication user and the user accesses a network with a browser, the device redirects the URL that the user attempts to access to the configured URL (for example, to the 802.1X client download web page). In this way, the web page preset by the administrator is displayed when the user starts the browser. The server that provides the redirect-to URL must be located in the free IP subnet of the user.

  • 802.1X authentication has been enabled globally and on an interface using the dot1x enable command.

  • To ensure that pre-connection users can be aged out normally, you need to run the dot1x timer free-ip-timeout command to set the aging time of authentication-free user entries.
  • After the free-ip function is configured, the guest VLAN, critical VLAN, and restrict VLAN are no longer effective.

  • The free IP subnet takes effect only when the interface authorization state is auto.

  • If a user who does not pass 802.1X authentication wants to obtain an IP address dynamically through the DHCP server, the network segment of the DHCP server needs to be configured to a free IP subnet so that the user can access the DHCP server.

  • After 802.1X users go offline, they are not allowed to access network resources on free IP subnets within a specified period to prevent malicious attacks.

  • After users succeed in 802.1X-based fast deployment, they can only access resources in the IP free subnets and some resources on the device.


  1. Run system-view

    The system view is displayed.

  2. Run dot1x free-ip ip-address { mask-length | mask-address }

    The free IP subnet is configured.

    By default, no free IP subnet is configured.

  3. (Optional) Run dot1x timer free-ip-timeout free-ip-time-value

    The aging time of authentication-free user entries is configured.

    By default, authentication-free user entries do not age.

  4. Run dot1x url url-string

    The redirect-to URL is configured in 802.1X authentication.

    By default, no redirect-to URL is configured in 802.1X authentication.

Updated: 2019-10-21

Document ID: EDOC1000178117

Views: 119063

Downloads: 55

Average rating:
This Document Applies to these Products
Related Version
Related Documents
Previous Next