Configuring an 802.1X client anonymous identifier

At the first authentication phase, packets sent to the authenticator are not encrypted. Configuring an 802.1X client anonymous identifier prevents the 802.1X client username from being disclosed at this phase: the 802.1X client-enabled device sends the anonymous identifier to the authenticator instead of the 802.1X client username. The 802.1X client username is then sent to the authenticator in encrypted packets at the second phase.

If no 802.1X client anonymous identifier is configured, the device sends the 802.1X client username at the first authentication phase.

The configured 802.1X client anonymous identifier takes effect only if one of the following EAP authentication methods is used:

If the MD5-Challenge EAP authentication is used, the configured 802.1X client anonymous identifier does not take effect. The device uses the 802.1X client username at the first authentication phase.

Do not configure the 802.1X client anonymous identifier if the vendor-specific authentication server cannot identify anonymous identifiers.

To configure an 802.1X client anonymous identifier on an interface:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter Ethernet interface view. | interface interface-type interface-number | N/A |
| 3. Configure an 802.1X client anonymous identifier. | dot1x supplicant anonymous identify identifier | By default, no 802.1X client anonymous identifier exists. |
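
To confirm that the setting has the intended effect, the unencrypted first-phase EAP-Response/Identity can be inspected in a packet capture. The following Python sketch is an added example, not part of the vendor documentation: it builds and parses the EAPOL payload that carries the identity and reports whether it discloses the real username. The usernames and the function names are constructed for illustration.

```python
import struct

EAPOL_TYPE_EAP = 0      # EAPOL packet type: EAP-Packet
EAP_CODE_RESPONSE = 2   # EAP code: Response
EAP_TYPE_IDENTITY = 1   # EAP type: Identity

def build_identity_response(identity: str, eap_id: int = 1) -> bytes:
    """Build the EAPOL payload a supplicant sends at the first phase."""
    data = identity.encode()
    eap_len = 5 + len(data)  # code + id + length(2) + type + identity
    eap = struct.pack("!BBHB", EAP_CODE_RESPONSE, eap_id, eap_len,
                      EAP_TYPE_IDENTITY) + data
    # EAPOL header: version, packet type, body length
    return struct.pack("!BBH", 2, EAPOL_TYPE_EAP, len(eap)) + eap

def outer_identity(eapol: bytes):
    """Return the cleartext identity of an EAP-Response/Identity, else None."""
    if len(eapol) < 9:  # 4-byte EAPOL header + 5-byte EAP header
        return None
    _version, ptype, body_len = struct.unpack("!BBH", eapol[:4])
    if ptype != EAPOL_TYPE_EAP or len(eapol) < 4 + body_len:
        return None
    code, _eap_id, eap_len, eap_type = struct.unpack("!BBHB", eapol[4:9])
    if code != EAP_CODE_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        return None
    if eap_len < 5 or eap_len > body_len:  # reject inconsistent lengths
        return None
    return eapol[9:4 + eap_len].decode("utf-8", errors="replace")

def discloses_username(eapol: bytes, real_username: str) -> bool:
    """True if the first-phase identity equals the real 802.1X username."""
    ident = outer_identity(eapol)
    return ident is not None and ident.lower() == real_username.lower()

# Constructed sample values, not taken from any real deployment.
REAL_USER = "alice@example.com"
ANON_ID = "anonymous@example.com"

if __name__ == "__main__":
    for label, ident in (("no anonymous identifier", REAL_USER),
                         ("anonymous identifier set", ANON_ID)):
        frame = build_identity_response(ident)
        print(label, "->", outer_identity(frame),
              "| discloses username:", discloses_username(frame, REAL_USER))
```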