H3C S7500 Series Command Manual(Release 3100 Series)-(V1.04)

18-802.1x Commands

Chapter 1  802.1x Configuration Commands

1.1  802.1x Configuration Commands

1.1.1  display dot1x

Syntax

display dot1x [ sessions | statistics ] [ interface interface-list ]

View

Any view

Parameters

sessions: Displays information about 802.1x sessions.

statistics: Displays the statistics of 802.1x.

interface: Displays the 802.1x-related information about a specified port.

interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form interface-list = { interface-name [ to interface-name ] } &<1-10>. The interface-name argument is the port index of an Ethernet port and takes the form interface-name = { interface-type interface-num }, where interface-type specifies the type of the Ethernet port and interface-num identifies the port number. "&<1-10>" means that up to 10 port indexes or port index lists can be provided.

Description

Use the display dot1x command to display 802.1x-related information, such as configuration information, operation information (session information), and statistics.

By default, this command displays all 802.1x-related information on each port.

When the interface-list argument is not provided, this command displays 802.1x-related information on all ports. The output can be used to verify 802.1x-related configurations and to troubleshoot.

Related commands: reset dot1x statistics, dot1x, dot1x retry, dot1x max-user, dot1x port-control, dot1x port-method, dot1x timer.

Examples

# Display 802.1x-related configuration information.

<H3C> display dot1x

Equipment 802.1X protocol is enabled

 CHAP authentication is enabled

 DHCP-launch is disabled

 Proxy trap checker is disabled

 Proxy logoff checker is disabled

Guest Vlan is disabled

 

 Configuration: Transmit Period     30 s,  Handshake Period       15 s

                ReAuth Period   003600 s

                Quiet Period        60 s,  Quiet Period Timer is disabled

                Supp Timeout        30 s,  Server Timeout         100 s

                Interval between version requests is 30s

                maximal request times for version information is 3

                The maximal retransmitting times          2

 

 Total maximum 802.1x user resource number is 4096

 Total current used 802.1x resource number is 0

 

 GigabitEthernet2/0/1  is link-up

   802.1X protocol is disabled

   Proxy trap checker is disabled

   Proxy logoff checker is disabled

   Guest Vlan is disabled

   Version-Check is disabled

   The port is a(n) authenticator

   Authenticate Mode is auto

   Port Control Type is Mac-based

   ReAuthenticate is disabled

   Max on-line user number is 1024

……

(Display omitted here)

Table 1-1 Description on the fields of the display dot1x command

Field
    Description

Equipment 802.1X protocol is enabled
    802.1x protocol (802.1x for short) is enabled

CHAP authentication is enabled
    CHAP authentication is enabled

DHCP-launch is disabled
    With DHCP-launch enabled, the switch triggers 802.1x authentication when a user applies for an IP address dynamically through DHCP.

Proxy trap checker is disabled
    Whether to check a supplicant system that logs in through the proxy server:
    - Disable means the switch does not send Trap packets when it detects that a supplicant system logs in through the proxy server.
    - Enable means the switch sends Trap packets when it detects that a supplicant system logs in through the proxy server.

Proxy logoff checker is disabled
    Whether to check a supplicant system that logs in through the proxy server:
    - Disable means the switch does not disconnect a supplicant system when it detects that the latter logs in through the proxy server.
    - Enable means the switch disconnects a supplicant system when it detects that the latter logs in through the proxy server.

Guest Vlan is disabled
    The Guest VLAN function is disabled

Transmit Period
    Setting of the transmission period timer (tx-period)

Handshake Period
    Setting of the handshake period timer (handshake-period)

ReAuth Period
    Setting of the 802.1x re-authentication timer (reauth-period)

Quiet Period
    Setting of the quiet period timer (quiet-period)

Quiet Period Timer is disabled
    The quiet period timer is disabled

Supp Timeout
    Setting of the supplicant timeout timer (supp-timeout)

Server Timeout
    Setting of the server timeout timer (server-timeout)

Interval between version requests
    Client version request timeout timer

maximal request times for version information
    The maximum number of times the switch sends the version request packet to a supplicant system

The maximal retransmitting times
    The maximum number of times the switch sends the authentication request packet to a supplicant system

Total maximum 802.1x user resource number
    The maximum number of 802.1x users that the switch can accommodate

Total current used 802.1x resource number
    The number of online supplicant systems

GigabitEthernet2/0/1 is link-up
    The GigabitEthernet 2/0/1 port is in the up state

802.1X protocol is disabled
    802.1x is disabled on the port

Proxy trap checker is disabled
    Whether to check a supplicant system that logs in through the proxy server:
    - Disable means the switch does not detect a supplicant system that logs in through the proxy server.
    - Enable means the switch sends Trap packets when it detects that a supplicant system logs in through the proxy server.

Proxy logoff checker is disabled
    Whether to check a supplicant system that logs in through the proxy server:
    - Disable means the switch does not detect a supplicant system that logs in through the proxy server.
    - Enable means the switch disconnects a supplicant system when it detects that the latter logs in through the proxy server.

Guest Vlan is disabled
    The Guest VLAN function is disabled

Version-Check is disabled
    The client version check function is disabled

The port is a(n) authenticator
    The port acts as an authenticator

Authenticate Mode is auto
    The port access control mode is auto

Port Control Type is Mac-based
    The port access control method is MAC-based, that is, supplicant systems are authenticated based on their MAC addresses

Max on-line user number
    The maximum number of online users that the port can accommodate

Information omitted here
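The display dot1x output above is what an operator scripts against when checking port authentication across many switches. The following is an added example written for this manual page, not H3C code: it parses the output into global settings, timer values and per-port settings, then flags settings that weaken port authentication (802.1x disabled on a link-up port, an authorized-force port, re-authentication disabled, PAP in use). The sample text is constructed from the output shown above plus a second, constructed port block; the wording "Authenticate Mode is authorized-force" for that port is an assumption about how the switch prints that mode.

```python
import re

# Constructed sample: the global block and GigabitEthernet2/0/1 follow the output
# shown in the manual; GigabitEthernet2/0/2 is an added, constructed port block
# (its "Authenticate Mode is authorized-force" wording is an assumption).
SAMPLE_OUTPUT = """\
Equipment 802.1X protocol is enabled
 CHAP authentication is enabled
 DHCP-launch is disabled
 Proxy trap checker is disabled
 Proxy logoff checker is disabled
Guest Vlan is disabled

 Configuration: Transmit Period     30 s,  Handshake Period       15 s
                ReAuth Period   003600 s
                Quiet Period        60 s,  Quiet Period Timer is disabled
                Supp Timeout        30 s,  Server Timeout         100 s
                Interval between version requests is 30s
                maximal request times for version information is 3
                The maximal retransmitting times          2

 Total maximum 802.1x user resource number is 4096
 Total current used 802.1x resource number is 0

 GigabitEthernet2/0/1  is link-up
   802.1X protocol is disabled
   Proxy trap checker is disabled
   Proxy logoff checker is disabled
   Guest Vlan is disabled
   Version-Check is disabled
   The port is a(n) authenticator
   Authenticate Mode is auto
   Port Control Type is Mac-based
   ReAuthenticate is disabled
   Max on-line user number is 1024
 GigabitEthernet2/0/2  is link-up
   802.1X protocol is enabled
   Version-Check is disabled
   The port is a(n) authenticator
   Authenticate Mode is authorized-force
   Port Control Type is Mac-based
   ReAuthenticate is enabled
   Max on-line user number is 1024
"""

PORT_RE = re.compile(r"^\s*(\S+)\s+is link-(up|down)\s*$")
KV_RE = re.compile(r"^\s*(.+?)\s+is\s+(\S+)\s*$")
TIMER_RE = re.compile(
    r"(Transmit Period|Handshake Period|ReAuth Period|Quiet Period|Supp Timeout|Server Timeout)\s+(\d+) s"
)


def parse_display_dot1x(text):
    """Split the output into (global_settings, {port_name: port_settings}).

    "X is Y" lines become key/value pairs; the comma-separated timer lines are
    split so each timer lands in global_settings["timers"] as an int."""
    global_settings = {"timers": {}}
    ports = {}
    current = None
    for raw in text.splitlines():
        m = PORT_RE.match(raw)
        if m:                                   # start of a per-port block
            current = m.group(1)
            ports[current] = {"link": m.group(2)}
            continue
        target = ports[current] if current else global_settings
        for part in raw.split(","):
            t = TIMER_RE.search(part)
            if t:
                global_settings["timers"][t.group(1)] = int(t.group(2))
                continue
            kv = KV_RE.match(part)
            if kv:
                target[kv.group(1)] = kv.group(2)
    return global_settings, ports


def audit(global_settings, ports):
    """Return (scope, finding) pairs for settings that weaken port authentication."""
    findings = []
    if global_settings.get("Equipment 802.1X protocol") != "enabled":
        findings.append(("global", "802.1x is not enabled globally, so no port enforces it"))
    if global_settings.get("PAP authentication") == "enabled":
        findings.append(("global", "PAP sends passwords in plain text; CHAP or EAP is preferable"))
    for name, port in ports.items():
        if port["link"] != "up":
            continue                            # nothing attached, nothing to enforce
        if port.get("802.1X protocol") != "enabled":
            findings.append((name, "link is up but 802.1x is disabled on the port"))
            continue
        if port.get("Authenticate Mode") == "authorized-force":
            findings.append((name, "authorized-force lets supplicants in without authentication"))
        if port.get("ReAuthenticate") == "disabled":
            findings.append((name, "re-authentication is disabled; sessions are never re-validated"))
    return findings


if __name__ == "__main__":
    g, p = parse_display_dot1x(SAMPLE_OUTPUT)
    for scope, msg in audit(g, p):
        print(f"{scope}: {msg}")
```

The parser keys on the "X is Y" pattern because the field names in Table 1-1 are stable; lines that do not follow it (the authenticator role line, the retransmit count) are ignored rather than guessed at, so a changed output format produces a missing key, not a wrong finding.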

 

1.1.2  dot1x

Syntax

dot1x [ interface interface-list ]

undo dot1x [ interface interface-list ]

View

System view, Ethernet port view

Parameters

interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form interface-list = { interface-name [ to interface-name ] } &<1-10>. The interface-name argument is the port index of an Ethernet port and takes the form interface-name = { interface-type interface-num }, where interface-type specifies the type of a port and interface-num identifies the port number. "&<1-10>" means that up to 10 port indexes or port index lists can be provided.

Description

Use the dot1x command to enable 802.1x globally or for the specified Ethernet ports.

Use the undo dot1x command to disable 802.1x globally or for the specified Ethernet ports.

By default, 802.1x is disabled globally and on all ports.

When executed in system view, the dot1x command enables 802.1x globally if you do not provide the interface-list argument; if you specify the interface-list argument, it enables 802.1x for the specified Ethernet ports.

When executed in Ethernet port view, this command enables 802.1x for the current Ethernet port only, and the interface-list argument is not needed.

You can perform 802.1x-related configurations (globally or on the specified ports) either before or after 802.1x is enabled. If you do not perform other 802.1x-related configurations before enabling 802.1x globally, the switch adopts default 802.1x settings.

802.1x-related configurations take effect on a port only after 802.1x is enabled both globally and on the port.

802.1x and the maximum number of MAC addresses that can be learned are mutually exclusive: if you configure the maximum number of MAC addresses that can be learned on a port, 802.1x is unavailable on that port.

Related commands: display dot1x.

Examples

# Enable 802.1x for port Ethernet 3/0/1.

<H3C>system-view

System View: return to User View with Ctrl+Z.

[H3C] dot1x interface Ethernet 3/0/1

# Enable 802.1x globally.

<H3C>system-view

System View: return to User View with Ctrl+Z.

[H3C] dot1x

1.1.3  dot1x authentication-method

Syntax

dot1x authentication-method { chap | pap | eap }

undo dot1x authentication-method

View

System view

Parameters

chap: Uses CHAP authentication.

pap: Uses PAP authentication.

eap: Uses EAP authentication.

Description

Use the dot1x authentication-method command to set an 802.1x authentication method.

Use the undo dot1x authentication-method command to restore the default.

By default, CHAP authentication is used.

PAP uses a two-way handshake that transfers the password in plain text.

CHAP uses a three-way handshake that sends only user names over the network, not passwords, so it is safer and more confidential.

EAP authentication means that the switch relays the 802.1x authentication information to the RADIUS server in EAP packets, without first converting it into RADIUS packets. EAP authentication is the prerequisite for implementing any of the three EAP methods PEAP, EAP-TLS, and EAP-MD5.

Note that the implementation of PAP, CHAP or EAP authentication needs the support of the RADIUS server.
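The two handshakes the text contrasts can be seen side by side in code. The following is an added example written for this page, not the switch's or the RADIUS server's implementation: it models the two-way PAP exchange and the three-way CHAP exchange using the RFC 1994 response computation MD5(Identifier || secret || Challenge), and records what an observer on the link would see in each case. The credential store and user name are constructed, and the switch's role of relaying the exchange to the RADIUS server is simplified into a single verifier.

```python
import hashlib
import hmac
import os

# Constructed credential store: in the 802.1x deployment described here the
# secret lives on the RADIUS server; the switch only relays the exchange.
USER_DB = {"alice": b"correct horse battery staple"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Verifier side of the three-way handshake (constructed model, not H3C code)."""

    def __init__(self, user_db):
        self.user_db = user_db
        self.identifier = 0
        self.current_challenge = b""

    def challenge(self):
        """Step 1: send a fresh (identifier, random challenge) pair."""
        self.identifier = (self.identifier + 1) % 256
        self.current_challenge = os.urandom(16)
        return self.identifier, self.current_challenge

    def verify(self, username: str, identifier: int, response: bytes) -> bool:
        """Step 3: recompute the expected response from the server's copy of the
        secret; a stale identifier means a replayed response and is rejected."""
        secret = self.user_db.get(username)
        if secret is None or identifier != self.identifier:
            return False
        expected = chap_response(identifier, secret, self.current_challenge)
        return hmac.compare_digest(expected, response)


def chap_exchange(server: ChapServer, username: str, secret: bytes):
    """Run CHAP end to end. Returns (success, wire), where wire lists the
    messages an observer on the link would see."""
    identifier, challenge = server.challenge()                 # step 1, server
    response = chap_response(identifier, secret, challenge)    # step 2, client
    wire = [("challenge", identifier, challenge),
            ("response", identifier, username, response)]
    ok = server.verify(username, identifier, response)         # step 3, server
    wire.append(("success" if ok else "failure", identifier))
    return ok, wire


def pap_exchange(server: ChapServer, username: str, password: bytes):
    """Two-way PAP for contrast: the password itself travels in the request."""
    wire = [("authenticate-request", username, password)]
    ok = server.user_db.get(username) == password
    wire.append(("authenticate-ack" if ok else "authenticate-nak",))
    return ok, wire


def secret_on_wire(wire, secret: bytes) -> bool:
    """True if the literal secret appears in any byte field of the captured messages."""
    return any(secret in f for msg in wire for f in msg if isinstance(f, bytes))


if __name__ == "__main__":
    server = ChapServer(USER_DB)
    ok, wire = chap_exchange(server, "alice", USER_DB["alice"])
    print("CHAP success:", ok, "secret visible:", secret_on_wire(wire, USER_DB["alice"]))
    ok, wire = pap_exchange(server, "alice", USER_DB["alice"])
    print("PAP success:", ok, "secret visible:", secret_on_wire(wire, USER_DB["alice"]))
```

CHAP keeps the password off the wire and a fresh challenge per attempt makes a captured response useless later, but the verifier must hold the secret in recoverable form, and a weak password can still be guessed offline by anyone who captured the challenge and response; that is the motivation for the tunnelled EAP methods such as PEAP and EAP-TLS named above.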

Related commands: display dot1x.

Examples

# Specify the authentication method for 802.1x users to be PAP.

<H3C>system-view

System View: return to User View with Ctrl+Z.

[H3C] dot1x authentication-method pap

1.1.4  dot1x dhcp-launch

Syntax

dot1x dhcp-launch

undo dot1x dhcp-launch

View

System view

Parameters

None

Description

Use the dot1x dhcp-launch command to configure an 802.1x-enabled switch to authenticate a supplicant system when the supplicant system applies for a dynamic IP address through DHCP.

Use the undo dot1x dhcp-launch command to disable the function.

By default, an 802.1x-enabled switch does not authenticate a supplicant system when the latter applies for a dynamic IP address through DHCP.

Related commands: display dot1x.

Examples

# Specify to authenticate a supplicant system when it applies for a dynamic IP address through DHCP.

<H3C>system-view

System View: return to User View with Ctrl+Z.

[H3C] dot1x dhcp-launch

1.1.5  dot1x guest-vlan

Syntax

dot1x guest-vlan vlan-id [ interface interface-list ]

undo dot1x guest-vlan [ interface interface-list ]

View

System view, Ethernet port view

Parameters

vlan-id: ID of a Guest VLAN, in the range from 1 to 4,094.

interface-list: List of Ethernet ports, expressed as interface-list = { interface-name [ to interface-name ] } & < 1-10 >. The interface-name argument is the port index of a port and can be specified in this form: interface-name = { interface-type interface-num }, where interface-type specifies the type of a port and interface-num identifies the port number. "&<1-10>" means that up to 10 port indexes/port index lists can be provided.

Description

Use the dot1x guest-vlan command to enable the Guest VLAN function for the specified ports.

Use the undo dot1x guest-vlan command to disable the Guest VLAN function for specified ports.

When executed in system view, these two commands apply to all Ethernet ports of the switch if you do not provide the interface-list argument; if you specify the interface-list argument, they apply to the specified Ethernet ports.

When executed in Ethernet port view, these two commands apply to the current Ethernet port only, and the interface-list argument is not needed.

 

Caution:

- The Guest VLAN function is available only when the switch operates in port-based authentication mode.

- Only one Guest VLAN can be configured for each switch.

- The Guest VLAN function is unavailable when the dot1x dhcp-launch command is configured on the switch, because the switch then does not send authentication request packets.

 

Related commands: name, vlan-assignment-mode.

Examples

# Specify the authentication method to be port-based authentication.

<H3C>system-view

System View: return to User View with Ctrl+Z.

[H3C] dot1x port-method portbased

# Enable the Guest VLAN function for all ports.

[H3C] dot1x guest-vlan 1

1.1.6  dot1x max-user

Syntax

dot1x max-user user-number [ interface interface-list ]

undo dot1x max-user [ interface interface-list ]

View

System view, Ethernet port view

Parameters

user-number: Maximum number of users a port can accommodate, ranging from 1 to 1024. The default number is 1024.

interface-list: List of Ethernet ports, expressed as interface-list = { interface-name [ to interface-name ] } & < 1-10 >. The interface-name argument specifies the port index of an Ethernet port and can be specified in this form: interface-name = { interface-type interface-num }, where interface-type specifies the type of a port and interface-num identifies the port number. "&<1-10>" means that up to 10 port indexes/port index lists can be provided.

Description

Use the dot1x max-user command to set the maximum number of users an Ethernet port can accommodate.

Use the undo dot1x max-user command to restore the default.

When executed in system view, these two commands apply to all Ethernet ports of the switch if you do not provide the interface-list argument; if you specify the interface-list argument, they apply to the specified Ethernet ports.

When executed in Ethernet port view, these two commands apply to the current Ethernet port only, and the interface-list argument is not needed.

Related commands: display dot1x.

Examples

# Configure the maximum number of users that Ethernet 3/0/1 can accommodate to be 32.

<H3C>system-view

System View: return to User View with Ctrl+Z.

[H3C] dot1x max-user 32 interface Ethernet 3/0/1

1.1.7  dot1x port-control

Syntax

dot1x port-control { auto | authorized-force | unauthorized-force } [ interface interface-list ]

undo dot1x port-control [ interface interface-list ]

View

System view, Ethernet port view

Parameters

auto: Specifies the auto access control mode. In this mode, a port is initialized as unauthorized: it allows only EAPoL packets to pass and grants users no access to network resources. Only after the users pass authentication does the port change to the authorized state and allow them to access network resources. This is the usual mode.

authorized-force: Specifies the authorized-force access control mode. Ports in this mode remain in the authorized state; supplicant systems connected to them can access the network without authentication.

unauthorized-force: Specifies to operate in unauthorized-force access control mode. Ports in this mode are constantly in unauthorized state. Supplicant systems connected to them are not allowed to access the network.

interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form interface-list = { interface-name [ to interface-name ] } &<1-10>. The interface-name argument is the port index of an Ethernet port and takes the form interface-name = { interface-type interface-num }, where interface-type specifies the type of a port and interface-num identifies the port number. "&<1-10>" means that up to 10 port indexes or port index lists can be provided.

Description

Use the dot1x port-control command to specify the access control method for the specified Ethernet ports.

Use the undo dot1x port-control command to restore the default.

The default access control method is auto.

When executed in system view, these two commands apply to all Ethernet ports of the switch if you do not provide the interface-list argument; if you specify the interface-list argument, they apply to the specified Ethernet ports.

When executed in Ethernet port view, these two commands apply to the current Ethernet port only, and the interface-list argument is not needed.

Related commands: display dot1x.

Examples

# Configure Ethernet 3/0/1 to operate in unauthorized-force access control mode.

<H3C>system-view

System View: return to User View with Ctrl+Z.

[H3C] dot1x port-control unauthorized-force interface Ethernet 3/0/1

1.1.8  dot1x port-method

Syntax

dot1x port-method { macbased | portbased } [ interface interface-list ]

undo dot1x port-method [ interface interface-list ]

View

System view, Ethernet port view

Parameters

macbased: Authenticates supplicant systems by MAC addresses.

portbased: Authenticates supplicant systems by port numbers.

interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form interface-list = { interface-name [ to interface-name ] } &<1-10>. The interface-name argument is the port index of an Ethernet port and takes the form interface-name = { interface-type interface-num }, where interface-type specifies the type of a port and interface-num identifies the port number. "&<1-10>" means that up to 10 port indexes or port index lists can be provided.

The default access control method is MAC address-based.

Description

Use the dot1x port-method command to specify the access control method for the specified Ethernet ports.

Use the undo dot1x port-method command to restore the default.

If you specify authentication by MAC address, every supplicant system connected to the specified Ethernet ports must be authenticated separately, and when one online supplicant system logs off the others are not affected.

If you specify authentication by port number, once one supplicant system connected to a specified Ethernet port passes authentication, all other supplicant systems on that port can access the network without being authenticated; and when that supplicant system logs off, the network becomes inaccessible to all the other supplicant systems on the port as well.

When executed in system view, these two commands apply to all Ethernet ports of the switch if you do not provide the interface-list argument; if you specify the interface-list argument, they apply to the specified Ethernet ports. When executed in Ethernet port view, these two commands apply to the current Ethernet port only, and the interface-list argument is not needed.
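The difference between the two access control methods, together with the three modes of dot1x port-control and the limit set by dot1x max-user, is easiest to see as a per-frame access decision. The following is an added model written for this section, not H3C's implementation. It assumes that an unauthorized-force port passes no frames at all (the manual says only that supplicants on such a port cannot access the network), that an auto port in the unauthorized state passes only EAPoL frames, and it ignores dot1x guest-vlan. The MAC addresses used are constructed.

```python
from dataclasses import dataclass, field

EAPOL_ETHERTYPE = 0x888E   # EAP over LAN: the only traffic an unauthorized auto port passes
IPV4_ETHERTYPE = 0x0800


@dataclass
class Dot1xPort:
    """Constructed model of one port under dot1x port-control, port-method and max-user.

    It illustrates the semantics the manual describes; it is not the switch's code."""
    port_control: str = "auto"          # auto | authorized-force | unauthorized-force
    port_method: str = "macbased"       # macbased | portbased
    max_user: int = 1024                # dot1x max-user default
    authenticated: set = field(default_factory=set)   # MACs that passed authentication

    def on_auth_success(self, mac: str) -> bool:
        """Record a successful authentication; refused once max-user is reached."""
        if mac in self.authenticated:
            return True
        if len(self.authenticated) >= self.max_user:
            return False
        self.authenticated.add(mac)
        return True

    def on_logoff(self, mac: str) -> None:
        """MAC-based: only that supplicant loses access.
        Port-based: the port drops back to unauthorized for every host when the
        supplicant that authenticated it logs off."""
        if mac not in self.authenticated:
            return
        if self.port_method == "portbased":
            self.authenticated.clear()
        else:
            self.authenticated.discard(mac)

    def allows(self, mac: str, ethertype: int = IPV4_ETHERTYPE) -> bool:
        """Would a frame from `mac` with this EtherType be forwarded?"""
        if self.port_control == "authorized-force":
            return True                      # never challenged
        if self.port_control == "unauthorized-force":
            return False                     # constantly unauthorized (assumption: nothing passes)
        # auto: EAPoL must pass so that authentication can happen at all
        if ethertype == EAPOL_ETHERTYPE:
            return True
        if self.port_method == "portbased":
            return bool(self.authenticated)  # one success opens the port for every host on it
        return mac in self.authenticated     # each host must authenticate itself


if __name__ == "__main__":
    # Constructed MACs; a hub or unmanaged switch behind the port is the usual
    # way two hosts end up sharing one authenticator port.
    for method in ("macbased", "portbased"):
        port = Dot1xPort(port_method=method)
        port.on_auth_success("00:11:22:33:44:55")
        print(method, "second host allowed after one success:", port.allows("66:77:88:99:aa:bb"))
        port.on_logoff("00:11:22:33:44:55")
        print(method, "second host allowed after logoff:", port.allows("66:77:88:99:aa:bb"))
```

Running the model with two hosts on one port shows why port-based mode is the weaker choice on shared media: a second host inherits the first host's authentication and loses it again when the first host logs off, whereas MAC-based mode keeps the decisions independent.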

Related commands: display dot1x.

Examples

# Specify to implement port-based authentication on the supplicant systems connected to Ethernet 3/0/1.

<H3C>system-view

System View: return to User View with Ctrl+Z.

[H3C] dot1x port-method portbased interface Ethernet 3/0/1

1.1.9  dot1x quiet-period

Syntax

dot1x quiet-period

undo dot1x quiet-period

View

System view

Parameters

None

Description

Use the dot1x quiet-period command to enable the quiet-period timer.

Use the undo dot1x quiet-period command to disable the quiet-period timer.

When a supplicant system fails to pass the authentication, the authenticator system (such as an H3C Ethernet switch) will stay quiet for a period of time (determined by the quiet-period timer) before it performs another authentication. During the quiet period, the authenticator system performs no 802.1x authentication.

By default, the quiet-period timer is disabled.

Related commands: display dot1x, dot1x timer.

Examples

# Enable the quiet-period timer.

<H3C>system-view

System View: return to User View with Ctrl+Z.

[H3C] dot1x quiet-period

1.1.10  dot1x re-authenticate

Syntax

dot1x re-authenticate [ interface interface-list ]

undo dot1x re-authenticate [ interface interface-list ]

View

System view, Ethernet port view

Parameters

interface-list: List of Ethernet ports, expressed as interface-list = { interface-name [ to interface-name ] } & < 1-10 >. The interface-name argument specifies the port index of an Ethernet port and can be specified in this form: interface-name = { interface-type interface-num }, where interface-type specifies the type of a port and interface-num identifies the port number. "&<1-10>" means that up to 10 port indexes/port index lists can be provided.

Description

Use the dot1x re-authenticate command to enable 802.1x re-authentication on the specified ports or on all Authenticator ports of the switch.

Use the undo dot1x re-authenticate command to disable 802.1x re-authentication on the specified ports or on all Authenticator ports of the switch.

By default, 802.1x re-authentication is disabled on all ports.

When executed in system view, these two commands apply to all Ethernet ports of the switch if you do not provide the interface-list argument; if you specify the interface-list argument, they apply to the specified Ethernet ports.

When executed in Ethernet port view, these two commands apply to the current Ethernet port only, and the interface-list argument is not needed.

802.1x must be enabled globally and on the current port before 802.1x re-authentication is enabled on a port.

Examples

# Enable 802.1x re-authentication on Ethernet 3/0/1.

<H3C>system-view

System View: return to User View with Ctrl+Z.

[H3C] interface Ethernet 3/0/1

[H3C-Ethernet3/0/1] dot1x re-authenticate

1.1.11  dot1x retry

Syntax

dot1x retry max-retry-value

undo dot1x retry

View

System view

Parameters

max-retry-value: Maximum number of times the switch sends the authentication request packet to a supplicant system (see the Description for how the count is interpreted). This argument ranges from 1 to 10 and defaults to 2.

Description

Use the dot1x retry command to specify the maximum number of times the switch sends authentication request packets to supplicant systems.

Use the undo dot1x retry command to restore the default.

After sending an authentication request packet to a supplicant system, the switch resends the packet if it has received no response within the preset period.

A value of 1 means the switch sends the request packet only once; a value of 2 means it resends the packet once if no response comes back, and so on. This command applies to all ports.

Related commands: display dot1x.

Examples

# Specify the maximum number of retry times that the switch will resend the authentication request packet to be 9.

<H3C>system-view

System View: return to User View with Ctrl+Z.

[H3C] dot1x retry 9

1.1.12  dot1x retry-version-max

Syntax

dot1x retry-version-max max-retry-version-value

undo dot1x retry-version-max

View

System view

Parameters

max-retry-version-value: Maximum number of times the switch sends the version request packet to a supplicant system. This argument ranges from 1 to 10.

Description

Use the dot1x retry-version-max command to set the maximum number of times the switch sends the version request packet to a connected supplicant system.

Use the undo dot1x retry-version-max command to restore the default.

By default, the switch sends a version request packet to a supplicant system up to three times.

After sending a version request packet to a supplicant system, the switch resends it if no response arrives within the preset period (set by the client version timer). When the number of attempts set by this command is reached and the supplicant system still has not responded, the switch continues the authentication without the version information. This command applies to all ports.

Related commands: display dot1x, dot1x timer.

Examples

# Configure the maximum number of retry times that the switch will resend the version request packet to be 6.

<H3C>system-view

System View: return to User View with Ctrl+Z.

[H3C] dot1x retry-version-max 6

1.1.13  dot1x supp-proxy-check

Syntax

dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]

undo dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]

View

System view, Ethernet port view

Parameters

logoff: Disconnects the supplicant system if it logs in through the proxy server or through multiple network cards.

trap: Sends Trap packets if a supplicant system logs in through the proxy server or through multiple network cards.

interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form interface-list = { interface-name [ to interface-name ] } &<1-10>. The interface-name argument is the port index of an Ethernet port and takes the form interface-name = { interface-type interface-num }, where interface-type specifies the type of a port and interface-num identifies the port number. "&<1-10>" means that up to 10 port indexes or port index lists can be provided.

Description

Use the dot1x supp-proxy-check command to configure the switch to check and control the users who log in through the proxy server.

Use the undo dot1x supp-proxy-check command to remove the configuration.

When executed in system view, these two commands apply to all Ethernet ports of the switch if you do not provide the interface-list argument; if you specify the interface-list argument, they apply to the specified Ethernet ports.

When executed in Ethernet port view, these two commands apply to the current Ethernet port only, and the interface-list argument is not needed.

In system view, the configuration takes effect only after you enable the proxy detection function globally and on the specified ports.

Proxy detection checks for:

- Supplicant systems logging in through a proxy server;

- Supplicant systems logging in through an IE proxy server;

- Supplicant systems logging in through multiple network cards (that is, the supplicant system has more than one active network card when it logs in).

A switch can take either of the following actions in any of the three cases above:

- Disconnect the supplicant system and send Trap packets (dot1x supp-proxy-check logoff command).

- Send Trap packets only, without disconnecting the supplicant system (dot1x supp-proxy-check trap command).

This function requires support from both the 802.1x client and CAMS:

- The 802.1x client must be able to check whether the supplicant system uses multiple network cards, a proxy server, or an IE proxy server;

- CAMS must be able to disable multiple network cards, the proxy server, or the IE proxy server on supplicant systems.

By default, the 802.1x client's function of disabling multiple network adapters, the proxy server, or the IE proxy server is turned off. If the function is enabled on CAMS, CAMS prompts the 802.1x client to enable it after the supplicant system passes authentication.

 

Note:

- The proxy detection function requires H3C's 802.1x client program (V1.29 or a later version).

- The proxy detection function takes effect only after it has been enabled on CAMS and client version checking has been enabled on the switch (using the dot1x version-check command).

 

Related commands: display dot1x.

Examples

# Configure the switch to disconnect any supplicant system that uses a proxy server and is connected to ports Ethernet 3/0/1 through Ethernet 3/0/8.

<H3C>system-view

System View: return to User View with Ctrl+Z.

[H3C] dot1x supp-proxy-check logoff

[H3C] dot1x supp-proxy-check logoff interface Ethernet 3/0/1 to Ethernet 3/0/8

# Configure the switch to send Trap packets if a supplicant system connected to Ethernet 3/0/9 uses a proxy server.

[H3C] dot1x supp-proxy-check trap

[H3C] dot1x supp-proxy-check trap interface Ethernet 3/0/9

Or

[H3C] dot1x supp-proxy-check trap

[H3C] interface Ethernet 3/0/9

[H3C-Ethernet3/0/9] dot1x supp-proxy-check trap

1.1.14  dot1x timer

Syntax

dot1x timer { handshake-period handshake-period-value | reauth-period reauth-period-value | quiet-period quiet-period-value | tx-period tx-period-value | supp-timeout supp-timeout-value | server-timeout server-timeout-value | ver-period ver-period-value }

undo dot1x timer { handshake-period | reauth-period | quiet-period | tx-period | supp-timeout | server-timeout | ver-period }

View

System view

Parameters

handshake-period: Handshake period timer, started after a supplicant system has passed authentication. The switch periodically resends a handshake request packet, once per handshake period, to check whether the supplicant system is still online. If the switch receives no response from the supplicant system after N retries (N is set by the dot1x retry command), it considers the supplicant system offline.

handshake-period-value: Value of the handshake period timer, in seconds. This value ranges from 1 to 1024 and defaults to 15.

reauth-period: Re-authentication period timer. The switch will initialize 802.1x re-authentication when the re-authentication period timer times out.

reauth-period-value: Value of the re-authentication period timer, in seconds. This value ranges from 1 to 86400 and defaults to 3600.

quiet-period: Quiet-period timer, started after a supplicant system has failed authentication. The switch stays quiet for the period set by this timer before it processes another authentication request from the supplicant system.

quiet-period-value: Value of the quiet-period timer, in seconds. This value ranges from 10 to 120 and defaults to 60.

tx-period: Tx-period timer, started by the authenticator system in either of two cases. In the first, a supplicant system requests authentication: the switch sends a unicast request/identity packet to the supplicant system and starts this timer; if the supplicant system has not replied when the timer expires, the switch sends another request/identity packet. In the second, the switch authenticates an 802.1x client that does not actively request authentication: the switch continuously sends multicast request/identity packets through the 802.1x-enabled port at intervals of the tx-period value.

tx-period-value: Value of the tx-period timer, in seconds. This value ranges from 10 to 120 and defaults to 30.

supp-timeout: Supplicant timeout timer, started when the switch sends a request/challenge packet (carrying the MD5 challenge) to a supplicant system. The switch resends the request/challenge packet if the supplicant system has not responded when this timer expires.

supp-timeout-value: Value of the supp-timeout timer, in seconds. This value ranges from 10 to 120 and defaults to 30.

server-timeout: Server-timeout timer. The switch will resend the request/identity packet if the authentication server has not responded when this timer times out.

server-timeout-value: Value of the server timeout timer, in seconds. This value ranges from 100 to 300 and defaults to 100.

ver-period: Client-version-checking period timer. The switch will resend the client version checking request packet if the supplicant system has not responded when this timer times out.

ver-period-value: Value of the client-version-checking period timer, in seconds. This value ranges from 1 to 30 and defaults to 30.

Description

Use the dot1x timer command to set a specified 802.1x timer.

Use the undo dot1x timer command to restore the default.

During an 802.1x authentication process, multiple timers are started to ensure that the supplicant systems, the authenticator systems, and the authentication servers interact with each other in an orderly manner. You can use the dot1x timer command to modify some of these timers as needed (the others are not adjustable). This may be necessary in certain situations or in demanding network environments. Normally, the defaults are recommended.

Related commands: display dot1x.

Examples

# Set the server-timeout timer of the authentication server to 150 seconds.

<H3C>system-view

System View: return to User View with Ctrl+Z.

[H3C] dot1x timer server-timeout 150
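As an added illustration (not H3C code), the following Python model shows how the timers described above interact during one authentication attempt, using the documented ranges and defaults. The retry count, treating a timeout as a failed authentication, and modelling the server-timeout stage as a resend of the request to the server are assumptions.

```python
# Added illustration (not H3C code) of how the timers documented for
# 'dot1x timer' interact in one authentication attempt. The flow follows
# the descriptions above; retry counts and treating a timeout as a failed
# authentication are assumptions.
TIMER_RANGES = {  # name: (minimum, maximum, default) in seconds, as documented
    "quiet-period": (10, 120, 60),
    "tx-period": (10, 120, 30),
    "supp-timeout": (10, 120, 30),
    "server-timeout": (100, 300, 100),
    "ver-period": (1, 30, 30),
}

def default_timers():
    """Values in effect after 'undo dot1x timer' (the documented defaults)."""
    return {name: dflt for name, (_, _, dflt) in TIMER_RANGES.items()}

def set_timer(timers, name, value):
    """Mimic 'dot1x timer <name> <value>': reject out-of-range values."""
    lo, hi, _ = TIMER_RANGES[name]
    if not lo <= value <= hi:
        raise ValueError(f"{name} must be {lo}..{hi} seconds, got {value}")
    timers[name] = value
    return timers

def _stage(events, t0, packet, period, reply_delay, retries):
    """Send 'packet' at t0, resend every 'period' seconds until the peer
    answers (reply_delay seconds after t0; None = never) or retries run out.
    Returns (time the stage ended, whether a reply arrived)."""
    for k in range(retries + 1):
        events.append((t0 + k * period, f"send {packet}"))
        if reply_delay is not None and reply_delay <= (k + 1) * period:
            events.append((t0 + reply_delay, f"recv reply to {packet}"))
            return t0 + reply_delay, True
    return t0 + (retries + 1) * period, False

def authenticate(timers, identity_delay, challenge_delay, server_delay,
                 server_accepts, retries=2):
    """Simulate one attempt; returns (success, timeline, quiet_until). After a
    failure the port ignores the supplicant until quiet_until."""
    events = []
    t, ok = _stage(events, 0, "request/identity",      # resent on tx-period
                   timers["tx-period"], identity_delay, retries)
    if ok:                                              # resent on supp-timeout
        t, ok = _stage(events, t, "request/challenge",
                       timers["supp-timeout"], challenge_delay, retries)
    if ok:                                              # resent on server-timeout
        t, ok = _stage(events, t, "request to server",
                       timers["server-timeout"], server_delay, retries)
    success = ok and server_accepts
    quiet_until = None if success else t + timers["quiet-period"]
    if not success:
        events.append((t, "authentication failed, quiet-period started"))
    return success, events, quiet_until
```

With the defaults, a supplicant that answers the identity request only after 40 seconds sees the request resent at 30 seconds, and a failed attempt keeps the port quiet for a further 60 seconds.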

1.1.15  dot1x version-check

Syntax

dot1x version-check [ interface interface-list ]

undo dot1x version-check [ interface interface-list ]

View

System view, Ethernet port view

Parameters

interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-name [ to interface-name ] } &<1-10>. The interface-name argument is the port index of an Ethernet port and can be specified in this form: interface-name = { interface-type interface-num }, where interface-type specifies the type of a port and interface-num identifies the port number. "&<1-10>" means that up to 10 port indexes/port index lists can be provided.

Description

Use the dot1x version-check command to enable 802.1x client version checking for the specified Ethernet ports.

Use the undo dot1x version-check command to disable the function for the specified Ethernet ports.

By default, 802.1x client version checking is disabled on all Ethernet ports.

When executed in system view, these two commands apply to all Ethernet ports of the switch if you do not provide the interface-list argument, and to the specified Ethernet ports if you do.

When executed in Ethernet port view, these two commands apply to the current Ethernet port only. In this case, the interface-list argument is not needed.

Examples

# Check the version of the 802.1x client upon receiving authentication packets on Ethernet 3/0/1.

<H3C>system-view

System View: return to User View with Ctrl+Z.

[H3C] interface Ethernet 3/0/1

[H3C-Ethernet3/0/1] dot1x version-check

1.1.16  reset dot1x statistics

Syntax

reset dot1x statistics [ interface interface-list ]

View

User view

Parameters

interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-name [ to interface-name ] } &<1-10>. The interface-name argument is the port index of an Ethernet port and can be specified in this form: interface-name = { interface-type interface-num }, where interface-type specifies the type of a port and interface-num identifies the port number. "&<1-10>" means that up to 10 port indexes/port index lists can be provided.

Description

Use the reset dot1x statistics command to clear 802.1x-related statistics.

If the interface-list argument is not specified, this command clears the 802.1x statistics on all ports. If the interface-list argument is specified, this command clears the 802.1x statistics on the specified ports only.

Related commands: display dot1x.

Examples

# Clear 802.1x-related statistics on Ethernet 3/0/1.

<H3C> reset dot1x statistics interface Ethernet 3/0/1

Chapter 2  HABP Configuration Commands

2.1  HABP Configuration Commands

2.1.1  display habp

Syntax

display habp

View

Any view

Parameters

None

Description

Use the display habp command to display HABP configuration and status information.

Examples

# Display HABP configuration and status information.

<H3C> display habp

Global HABP information:

        HABP Mode: Server

        Sending HABP request packets every 20 seconds

        Bypass VLAN: 2

Table 2-1 Description on the fields of the display habp command

Field                                          Description
HABP Mode                                      HABP operation mode of the active switch: an HABP server or an HABP client
Sending HABP request packets every 20 seconds  Interval between sending HABP request packets
Bypass VLAN                                    ID(s) of the VLAN(s) in which HABP request packets are sent

2.1.2  display habp table

Syntax

display habp table

View

Any view

Parameters

None

Description

Use the display habp table command to display the MAC address table maintained by HABP.

Examples

# Display the MAC address table maintained by HABP.

<H3C> display habp table

MAC             Holdtime  Receive Port

001f-3c00-0030  53        Ethernet2/0/1

Table 2-2 Description on the fields of the display habp table command

Field         Description
MAC           MAC addresses listed in the MAC address table
Holdtime      Hold time of the entries in the MAC address table. An entry is removed from the table if it has not been updated within the hold time.
Receive Port  Port that has learnt the MAC address

2.1.3  display habp traffic

Syntax

display habp traffic

View

Any view

Parameters

None

Description

Use the display habp traffic command to display statistics of HABP packets.

Examples

# Display statistics of HABP packets.

<H3C> display habp traffic

HABP counters :

        Packets output: 0, Input: 0

        ID error: 0, Type error: 0, Version error: 0

        Sent failed: 0

Table 2-3 Description on the fields of the display habp traffic command

Field           Description
Packets output  Number of HABP packets sent
Input           Number of HABP packets received
ID error        Number of HABP packets with wrong IDs
Type error      Number of HABP packets with wrong types
Version error   Number of HABP packets with wrong versions
Sent failed     Number of HABP packets that failed to be sent

2.1.4  habp enable

Syntax

habp enable

undo habp enable

View

System view

Parameters

None

Description

Use the habp enable command to enable HABP for a switch.

Use the undo habp enable command to disable HABP.

By default, HABP is enabled on a switch.

If an 802.1x-enabled switch does not have HABP enabled, it cannot manage the switches attached to it.

Examples

# Enable HABP.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] habp enable

2.1.5  habp server vlan

Syntax

habp server vlan vlan-id

undo habp server

View

System view

Parameters

vlan-id: VLAN ID, ranging from 1 to 4094.

Description

Use the habp server vlan command to configure a switch to operate as an HABP server and transmit HABP packets in the specified VLAN.

Use the undo habp server command to restore the default.

By default, a switch operates as an HABP client.

To configure a switch to operate as an HABP server, you need to enable HABP (using the habp enable command) on the switch first. If HABP is not enabled, this command is still accepted, but it does not take effect.

Examples

# Configure the switch to operate as an HABP server and transmit HABP packets in VLAN 2.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] habp server vlan 2

2.1.6  habp timer

Syntax

habp timer interval

undo habp timer

View

System view

Parameters

interval: Interval between sending HABP request packets, in the range of 5 to 600 seconds.

Description

Use the habp timer command to set the interval for a switch to send HABP request packets.

Use the undo habp timer command to restore the default.

The default interval for a switch to send HABP request packets is 20 seconds.

These two commands apply to the switches operating as HABP servers only.

Examples

# Specify to send HABP request packets once every 50 seconds.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] habp timer 50
