On the Huawei S3952 switch, software version Version 3.10, Feature 1528L03, if a MAC address binding is configured on a physical port, the dot1x configuration on that port becomes ineffective. Although dot1x is enabled on the port and the attached terminal initiates a dot1x authentication request normally, the dot1x authentication never succeeds, and the port is not placed under control, so the attached terminal can access the network without restriction. Only after the MAC address binding is deleted does the port become controlled and dot1x authentication proceed normally; a terminal that fails authentication is then denied access to the network.
Moreover, in the situation above, if the static MAC binding is configured first and dot1x afterwards, the switch gives no prompt at all, which is not very user-friendly. Conversely, if dot1x is configured first and the MAC binding afterwards, the switch reports that the MAC address already exists and rejects the configuration; the MAC address binding can only be configured after dot1x has been removed.
During the 802.1x test on the Huawei S3952, the initial configuration of the physical port was as follows:
[S3952]disp cur int eth 1/0/42
#
interface Ethernet1/0/42
port access vlan 88
mac-address static 00e0-7023-6778 vlan 88
dot1x
description to-10.1.1.30
#
Return
Although dot1x is enabled on the port, the port is not controlled: the terminal attached to it can communicate normally, and at this point dot1x authentication is failing.
[S3952]ping 10.1.1.30
PING 10.1.1.30: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.30: bytes=56 Sequence=1 ttl=61 time=34 ms
Reply from 10.1.1.30: bytes=56 Sequence=2 ttl=61 time=22 ms
Reply from 10.1.1.30: bytes=56 Sequence=3 ttl=61 time=21 ms
Reply from 10.1.1.30: bytes=56 Sequence=4 ttl=61 time=21 ms
Reply from 10.1.1.30: bytes=56 Sequence=5 ttl=61 time=20 ms
--- 10.1.1.30 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 20/23/34 ms
The MAC address state is statically configured:
[S3952]disp mac-add interface eth 1/0/42
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s)
00e0-7023-6778 88 Config static Ethernet1/0/42 NOAGED
--- 1 mac address(es) found on port Ethernet1/0/42 ---
Delete the static MAC configuration:
[S3952]int eth 1/0/42
[S3952-Ethernet1/0/42]undo mac-address static 00e0-7023-6778 vlan 88
Now the terminal can no longer be pinged, which shows that the port is in the controlled state:
[S3952-Ethernet1/0/42]ping 10.1.1.30
PING 10.1.1.30: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.1.1.30 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
The MAC address state is now learned:
[S3952-Ethernet1/0/42]disp mac-add int eth 1/0/42
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s)
00e0-7023-6778 88 Learned Ethernet1/0/42 AGING
--- 1 mac address(es) found on port Ethernet1/0/42 ---
After a short while, the attached terminal can be pinged again:
[S3952-Ethernet1/0/42]ping 10.1.1.30
PING 10.1.1.30: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.30: bytes=56 Sequence=1 ttl=61 time=21 ms
Reply from 10.1.1.30: bytes=56 Sequence=2 ttl=61 time=18 ms
Reply from 10.1.1.30: bytes=56 Sequence=3 ttl=61 time=18 ms
Reply from 10.1.1.30: bytes=56 Sequence=4 ttl=61 time=18 ms
Reply from 10.1.1.30: bytes=56 Sequence=5 ttl=61 time=18 ms
--- 10.1.1.30 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 18/18/21 ms
The reason is that the terminal has now passed dot1x authentication, which is why it can be pinged:
[S3952-Ethernet1/0/42]disp dot1x sessions interface eth 1/0/42
Global 802.1X protocol is enabled
EAP authentication is enabled
Total maximum 802.1x user resource number is 1024
Total current used 802.1x resource number is 1
Ethernet1/0/42 is link-up
802.1X protocol is enabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
Version-Check is disabled
1. Authenticated user : MAC address: 00e0-7023-6778
Controlled User(s) amount to 1
[S3952-Ethernet1/0/42]
[S3952-Ethernet1/0/43]disp th
#
interface Ethernet1/0/43
port access vlan 88
dot1x
description to-[D288]-10.1.1.28
#
return
[S3952-Ethernet1/0/43]disp mac-address interface Ethernet 1/0/43
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s)
00e0-7023-1434 88 Learned Ethernet1/0/43 AGING
--- 1 mac address(es) found on port Ethernet1/0/43 ---
If dot1x is configured first and the MAC address binding afterwards, an error is reported:
[S3952-Ethernet1/0/43]mac-address static 00e0-7023-1434 vlan 88
This MAC Address already exists.
[S3952-Ethernet1/0/43]
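Because the switch gives no warning when a static MAC binding is added before dot1x, the only reliable way to catch this silently uncontrolled port is to audit the saved configuration. The following is an added example (not part of the original post and not Huawei code) that parses a running-config excerpt into interface blocks and flags every interface carrying both `dot1x` and a `mac-address static` line; the sample configuration is constructed from the two interfaces shown above, and the block boundary rule (blocks start at `interface <name>` and end at a `#` line) is assumed from the display output on this page.

```python
# Constructed sample config, modelled on the page's Ethernet1/0/42 and
# Ethernet1/0/43 blocks; this is test input, not a real device dump.
SAMPLE_CONFIG = """\
#
interface Ethernet1/0/42
 port access vlan 88
 mac-address static 00e0-7023-6778 vlan 88
 dot1x
 description to-10.1.1.30
#
interface Ethernet1/0/43
 port access vlan 88
 dot1x
 description to-[D288]-10.1.1.28
#
return
"""


def parse_interfaces(config_text):
    """Return {interface_name: [command, ...]} from Huawei-style config text.

    An interface block begins at a line 'interface <name>' and ends at the
    next '#' line (or 'return'); whitespace is stripped so that both
    indented and flattened dumps parse the same way.
    """
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line in ("#", "return"):
            current = None
        elif current is not None and line:
            interfaces[current].append(line)
    return interfaces


def find_dot1x_shadowed_by_static_mac(config_text):
    """Return sorted names of interfaces that enable dot1x but also carry a
    static MAC binding, i.e. ports that (per the behaviour observed on the
    S3952) are left uncontrolled even though dot1x appears to be enabled."""
    hits = []
    for name, cmds in parse_interfaces(config_text).items():
        has_dot1x = "dot1x" in cmds
        has_static_mac = any(c.startswith("mac-address static ") for c in cmds)
        if has_dot1x and has_static_mac:
            hits.append(name)
    return sorted(hits)


if __name__ == "__main__":
    for name in find_dot1x_shadowed_by_static_mac(SAMPLE_CONFIG):
        print(f"{name}: dot1x configured alongside static MAC binding; port is not controlled")
```

Run it against the output of `display current-configuration` saved to a file to list every port where the binding must be removed before dot1x will take effect.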