Huawei S3952 switch: conflict between dot1x and static MAC address binding
2018-04-23
A04
On a Huawei S3952 switch running software Version 3.10, Feature 1528L03, configuring a static MAC address binding on a physical port renders the dot1x configuration on that port ineffective. Although dot1x is enabled on the port and the attached endpoint sends dot1x authentication requests normally, the authentication never succeeds, and the port is not controlled: the endpoint can access the network as if no authentication were required. Only after the static MAC binding is deleted does the port become controlled and dot1x authentication work normally; an endpoint that fails authentication is then denied network access.
Worse, when the static MAC binding is configured first and dot1x afterwards, the switch gives no warning at all, which is unfriendly. Conversely, if dot1x is configured first and the MAC binding afterwards, the switch reports that the MAC address already exists and refuses the binding; only after removing dot1x can the static MAC binding be configured.
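Because the switch itself gives no warning when the static binding is configured before dot1x, the practical check is to audit the running configuration for ports that carry both commands. The script below is an added example written for this page, not a tool from Huawei or the original post: it parses a configuration fragment in the style of `display current-configuration` (the sample is constructed to mirror the ports shown later on this page, plus a hypothetical Ethernet1/0/44), lists the ports with the conflicting combination, and generates the `undo mac-address static ...` commands that the post applies by hand (the `interface` / `quit` wrapper lines are assumed to be the usual view-entering and view-leaving commands on this platform).

```python
import re
from typing import Dict, List

# Constructed sample configuration fragment (not captured from a real device).
# Ethernet1/0/42 and 1/0/43 mirror the ports discussed on this page;
# Ethernet1/0/44 is a hypothetical port with a static binding but no dot1x.
SAMPLE_CONFIG = """\
#
interface Ethernet1/0/42
 port access vlan 88
 mac-address static 00e0-7023-6778 vlan 88
 dot1x
 description to-10.1.1.30
#
interface Ethernet1/0/43
 port access vlan 88
 dot1x
 description to-[D288]-10.1.1.28
#
interface Ethernet1/0/44
 port access vlan 88
 mac-address static 00e0-7023-aaaa vlan 88
#
return
"""

INTERFACE_RE = re.compile(r"^interface\s+(\S+)\s*$")
STATIC_MAC_RE = re.compile(
    r"^mac-address\s+static\s+([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+vlan\s+(\d+)",
    re.IGNORECASE,
)


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split a Comware-style configuration into {interface name: [commands]}.

    A line consisting of '#' ends the current view, so global commands that
    follow it (for example a global 'dot1x') are not attributed to a port.
    """
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None
            continue
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            interfaces[current] = []
            continue
        if current is not None:
            interfaces[current].append(line)
    return interfaces


def find_dot1x_static_mac_conflicts(config: str) -> Dict[str, List[str]]:
    """Return {interface: [static MAC lines]} for ports that enable dot1x
    and also bind a static MAC address, i.e. the combination this page shows
    leaves the port uncontrolled."""
    conflicts: Dict[str, List[str]] = {}
    for name, cmds in parse_interfaces(config).items():
        has_dot1x = any(c == "dot1x" or c.startswith("dot1x ") for c in cmds)
        static_macs = [c for c in cmds if STATIC_MAC_RE.match(c)]
        if has_dot1x and static_macs:
            conflicts[name] = static_macs
    return conflicts


def remediation_commands(conflicts: Dict[str, List[str]]) -> List[str]:
    """Generate the 'undo' commands that remove the offending static bindings,
    the same fix the post applies manually on Ethernet1/0/42."""
    out: List[str] = []
    for name, lines in conflicts.items():
        out.append(f"interface {name}")  # assumed view-entering command
        for line in lines:
            out.append(f" undo {line}")
        out.append(" quit")  # assumed view-leaving command
    return out


if __name__ == "__main__":
    found = find_dot1x_static_mac_conflicts(SAMPLE_CONFIG)
    for port, lines in found.items():
        print(f"{port}: dot1x enabled together with {len(lines)} static MAC binding(s)")
    print("\n".join(remediation_commands(found)))
```

Run it against the saved output of `display current-configuration` instead of the embedded sample to sweep a whole switch; only ports that combine both commands are reported, so Ethernet1/0/43 (dot1x only) and Ethernet1/0/44 (static binding only) are left alone.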
During 802.1x testing on the Huawei S3952, the physical port's initial configuration was as follows:
[S3952]disp cur int eth 1/0/42
#
interface Ethernet1/0/42
port access vlan 88
mac-address static 00e0-7023-6778 vlan 88
dot1x
description to-10.1.1.30
#
return
Although dot1x is enabled on the port, the port is not controlled: the attached endpoint communicates normally even though dot1x authentication has failed at this point.
[S3952]ping 10.1.1.30
PING 10.1.1.30: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.30: bytes=56 Sequence=1 ttl=61 time=34 ms
Reply from 10.1.1.30: bytes=56 Sequence=2 ttl=61 time=22 ms
Reply from 10.1.1.30: bytes=56 Sequence=3 ttl=61 time=21 ms
Reply from 10.1.1.30: bytes=56 Sequence=4 ttl=61 time=21 ms
Reply from 10.1.1.30: bytes=56 Sequence=5 ttl=61 time=20 ms
--- 10.1.1.30 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 20/23/34 ms
The MAC address entry is in the static (configured) state:
[S3952]disp mac-add interface eth 1/0/42
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s)
00e0-7023-6778 88 Config static Ethernet1/0/42 NOAGED
--- 1 mac address(es) found on port Ethernet1/0/42 ---
Delete the static MAC configuration:
[S3952]int eth 1/0/42
[S3952-Ethernet1/0/42]undo mac-address static 00e0-7023-6778 vlan 88
The endpoint can no longer be pinged, which shows the port is now in the controlled (unauthorized) state:
[S3952-Ethernet1/0/42]ping 10.1.1.30
PING 10.1.1.30: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.1.1.30 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
The MAC address entry is now in the learned (dynamic) state:
[S3952-Ethernet1/0/42]disp mac-add int eth 1/0/42
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s)
00e0-7023-6778 88 Learned Ethernet1/0/42 AGING
--- 1 mac address(es) found on port Ethernet1/0/42 ---
After a short while the endpoint becomes reachable again:
[S3952-Ethernet1/0/42]ping 10.1.1.30
PING 10.1.1.30: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.30: bytes=56 Sequence=1 ttl=61 time=21 ms
Reply from 10.1.1.30: bytes=56 Sequence=2 ttl=61 time=18 ms
Reply from 10.1.1.30: bytes=56 Sequence=3 ttl=61 time=18 ms
Reply from 10.1.1.30: bytes=56 Sequence=4 ttl=61 time=18 ms
Reply from 10.1.1.30: bytes=56 Sequence=5 ttl=61 time=18 ms
--- 10.1.1.30 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 18/18/21 ms
The reason is that the endpoint has now passed dot1x authentication, which is why the ping succeeds:
[S3952-Ethernet1/0/42]disp dot1x sessions interface eth 1/0/42
Global 802.1X protocol is enabled
EAP authentication is enabled
Total maximum 802.1x user resource number is 1024
Total current used 802.1x resource number is 1
Ethernet1/0/42 is link-up
802.1X protocol is enabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
Version-Check is disabled
1. Authenticated user : MAC address: 00e0-7023-6778
Controlled User(s) amount to 1
[S3952-Ethernet1/0/42]
On a second port, Ethernet1/0/43, dot1x is already enabled and the endpoint's MAC address has been learned dynamically:
[S3952-Ethernet1/0/43]disp th
#
interface Ethernet1/0/43
port access vlan 88
dot1x
description to-[D288]-10.1.1.28
#
return
[S3952-Ethernet1/0/43]disp mac-address interface Ethernet 1/0/43
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s)
00e0-7023-1434 88 Learned Ethernet1/0/43 AGING
--- 1 mac address(es) found on port Ethernet1/0/43 ---
If dot1x is configured first and the static MAC binding afterwards, the switch reports an error, because the address already exists in the MAC table as the learned entry shown above:
[S3952-Ethernet1/0/43]mac-address static 00e0-7023-1434 vlan 88
This MAC Address already exists.
[S3952-Ethernet1/0/43]