- Table of Contents
- H3C S7500 Series Command Manual(Release 3100 Series)-(V1.04)
- 00-1Cover
- 01-CLI Commands
- 02-Login Commands
- 03-Configuration File Management Commands
- 04-VLAN Commands
- 05-Extended VLAN Application Commands
- 06-IP Address-IP Performance-IPX Commands
- 07-GVRP Commands
- 08-QinQ Commands
- 09-Port Basic Configuration Commands
- 10-Link Aggregation Commands
- 11-Port Isolation Commands
- 12-Port Binding Commands
- 13-DLDP Commands
- 14-MAC Address Table Commands
- 15-MSTP Commands
- 16-Routing Protocol Commands
- 17-Multicast Commands
- 18-802.1x Commands
- 19-AAA-RADIUS-HWTACACS-EAD Commands
- 20-Traffic Accounting Commands
- 21-VRRP-HA Commands
- 22-ARP Commands
- 23-DHCP Commands
- 24-ACL Commands
- 25-QoS Commands
- 26-Mirroring Commands
- 27-Cluster Commands
- 28-PoE Commands
- 29-UDP-Helper Commands
- 30-SNMP-RMON Commands
- 31-NTP Commands
- 32-SSH Terminal Service Commands
- 33-File System Management Commands
- 34-FTP and TFTP Commands
- 35-Information Center Commands
- 36-DNS Commands
- 37-System Maintenance and Debugging Commands
- 38-HWPing Commands
- 39-RRPP Commands
- 40-NAT-Netstream-Policy Routing Commands
- 41-Telnet Protection Commands
- 42-Hardware-Dependent Software Configuration Commands
- 43-Appendix
Table of Contents
Chapter 1 802.1x Configuration Commands
1.1 802.1x Configuration Commands
1.1.1 display dot1x
1.1.2 dot1x
1.1.3 dot1x authentication-method
1.1.4 dot1x dhcp-launch
1.1.5 dot1x guest-vlan
1.1.6 dot1x max-user
1.1.7 dot1x port-control
1.1.8 dot1x port-method
1.1.9 dot1x quiet-period
1.1.10 dot1x re-authenticate
1.1.11 dot1x retry
1.1.12 dot1x retry-version-max
1.1.13 dot1x supp-proxy-check
1.1.14 dot1x timer
1.1.15 dot1x version-check
Chapter 2 HABP Configuration Commands
2.1 HABP Configuration Commands
Chapter 1 802.1x Configuration Commands
1.1 802.1x Configuration Commands
1.1.1 display dot1x
Syntax
display dot1x [ sessions | statistics ] [ interface interface-list ]
View
Any view
Parameters
sessions: Displays information about 802.1x sessions.
statistics: Displays the statistics of 802.1x.
interface: Displays the 802.1x-related information about a specified port.
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form interface-list = { interface-name [ to interface-name ] } &<1-10>. The interface-name argument is the port index of an Ethernet port, specified as interface-name = { interface-type interface-num }, where interface-type specifies the type of the port and interface-num identifies the port number. "&<1-10>" means that up to 10 port indexes/port index lists can be provided.
Description
Use the display dot1x command to display 802.1x-related information, such as configuration information, operation information (session information), and statistics.
By default, this command displays all 802.1x-related information on each port.
When the interface-list argument is not provided, this command displays 802.1x-related information on all ports. The output can be used to verify 802.1x-related configurations and to troubleshoot.
Related commands: reset dot1x statistics, dot1x, dot1x retry, dot1x max-user, dot1x port-control, dot1x port-method, dot1x timer.
Examples
# Display 802.1x-related configuration information.
<H3C> display dot1x
Equipment 802.1X protocol is enabled
CHAP authentication is enabled
DHCP-launch is disabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
Guest Vlan is disabled
Configuration: Transmit Period 30 s, Handshake Period 15 s
ReAuth Period 003600 s
Quiet Period 60 s, Quiet Period Timer is disabled
Supp Timeout 30 s, Server Timeout 100 s
Interval between version requests is 30s
maximal request times for version information is 3
The maximal retransmitting times 2
Total maximum 802.1x user resource number is 4096
Total current used 802.1x resource number is 0
GigabitEthernet2/0/1 is link-up
802.1X protocol is disabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
Guest Vlan is disabled
Version-Check is disabled
The port is a(n) authenticator
Authenticate Mode is auto
Port Control Type is Mac-based
ReAuthenticate is disabled
Max on-line user number is 1024
……
(Display omitted here)
Table 1-1 Description on the fields of the display dot1x command

Field | Description
---|---
Equipment 802.1X protocol is enabled | 802.1x protocol (802.1x for short) is enabled globally
CHAP authentication is enabled | CHAP is the 802.1x authentication method in use
DHCP-launch is disabled | Whether the switch triggers 802.1x authentication when a user applies for an IP address dynamically through DHCP (dot1x dhcp-launch)
Proxy trap checker is disabled | Whether the switch sends Trap packets when it detects that a supplicant system logs in through a proxy server. Disabled: no Trap packets are sent. Enabled: Trap packets are sent.
Proxy logoff checker is disabled | Whether the switch disconnects a supplicant system when it detects that the latter logs in through a proxy server. Disabled: the supplicant system is not disconnected. Enabled: the supplicant system is disconnected.
Guest Vlan is disabled | The Guest VLAN function is disabled globally
Transmit Period | Setting of the transmission period timer (tx-period)
Handshake Period | Setting of the handshake period timer (handshake-period)
ReAuth Period | Setting of the 802.1x re-authentication timer (reauth-period)
Quiet Period | Setting of the quiet period timer (quiet-period)
Quiet Period Timer is disabled | The quiet period timer is disabled (dot1x quiet-period)
Supp Timeout | Setting of the supplicant timeout timer (supp-timeout)
Server Timeout | Setting of the server timeout timer (server-timeout)
Interval between version requests | Setting of the client version request timer (ver-period)
maximal request times for version information | Maximum number of times the switch resends the version request packet to a supplicant system (dot1x retry-version-max)
The maximal retransmitting times | Maximum number of times the switch resends an authentication request packet to a supplicant system (dot1x retry)
Total maximum 802.1x user resource number | Maximum number of 802.1x users the switch can accommodate
Total current used 802.1x resource number | Number of supplicant systems currently online
GigabitEthernet2/0/1 is link-up | Port GigabitEthernet 2/0/1 is in up state; the fields that follow apply to this port
802.1X protocol is disabled | 802.1x is disabled on the port
Proxy trap checker is disabled | Port-level proxy trap check, with the same meaning as the global field
Proxy logoff checker is disabled | Port-level proxy logoff check, with the same meaning as the global field
Guest Vlan is disabled | The Guest VLAN function is disabled on the port
Version-Check is disabled | The client version check function is disabled on the port
The port is a(n) authenticator | The port acts as an authenticator
Authenticate Mode is auto | The port access control mode is auto (dot1x port-control)
Port Control Type is Mac-based | The port access control method is MAC-based, that is, supplicant systems are authenticated individually by MAC address (dot1x port-method)
Max on-line user number | Maximum number of online users the port can accommodate (dot1x max-user)
… | Information omitted here
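The output above is what a reviewer reads to confirm that 802.1x is really enforcing access control rather than merely being configured. The following Python script is an added example (not H3C code): it parses display dot1x output in the format shown above into a dictionary and flags the settings a security review would question. SAMPLE_OUTPUT is constructed to follow the format of the example output; its second port block is invented, and the strings "authorized-force" and "Port-based" are assumed spellings, since the manual only shows "auto" and "Mac-based".

```python
"""Parse the text output of `display dot1x` and flag weak 802.1x settings.

Added example, not H3C code. SAMPLE_OUTPUT is constructed to follow the
format shown in the manual; the second port block is invented, and the
strings "authorized-force" and "Port-based" are assumed spellings (the
manual shows only "auto" and "Mac-based").
"""
import re

SAMPLE_OUTPUT = """\
Equipment 802.1X protocol is enabled
CHAP authentication is enabled
DHCP-launch is disabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
Guest Vlan is disabled
Configuration: Transmit Period 30 s, Handshake Period 15 s
ReAuth Period 003600 s
Quiet Period 60 s, Quiet Period Timer is disabled
Supp Timeout 30 s, Server Timeout 100 s
Interval between version requests is 30s
maximal request times for version information is 3
The maximal retransmitting times 2
Total maximum 802.1x user resource number is 4096
Total current used 802.1x resource number is 0
GigabitEthernet2/0/1 is link-up
802.1X protocol is disabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
Guest Vlan is disabled
Version-Check is disabled
The port is a(n) authenticator
Authenticate Mode is auto
Port Control Type is Mac-based
ReAuthenticate is disabled
Max on-line user number is 1024
GigabitEthernet2/0/2 is link-up
802.1X protocol is enabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
Guest Vlan is disabled
Version-Check is disabled
The port is a(n) authenticator
Authenticate Mode is authorized-force
Port Control Type is Port-based
ReAuthenticate is disabled
Max on-line user number is 1024
"""

PORT_HEADER = re.compile(r"^(\S+) is link-(up|down)$")

# (regex, key, converter) for single-value lines; global and port lines share the table.
# Only the CHAP form appears in the manual; the PAP/EAP spellings are assumed.
FIELDS = [
    (r"^Equipment 802\.1X protocol is (enabled|disabled)$", "global_enabled", str),
    (r"^(CHAP|PAP|EAP) authentication is enabled$", "auth_method", str),
    (r"^Interval between version requests is (\d+)s$", "ver_period", int),
    (r"^maximal request times for version information is (\d+)$", "retry_version", int),
    (r"^The maximal retransmitting times (\d+)$", "retry", int),
    (r"^Total maximum 802\.1x user resource number is (\d+)$", "max_users", int),
    (r"^Total current used 802\.1x resource number is (\d+)$", "current_users", int),
    (r"^802\.1X protocol is (enabled|disabled)$", "enabled", str),
    (r"^Authenticate Mode is (\S+)$", "port_control", str),
    (r"^Port Control Type is (\S+)$", "port_method", str),
    (r"^ReAuthenticate is (enabled|disabled)$", "reauth", str),
    (r"^Max on-line user number is (\d+)$", "max_user", int),
]
# Several "Name N s" timer pairs can share one line, e.g. "Transmit Period 30 s, Handshake Period 15 s".
TIMER = re.compile(r"([A-Za-z ]+?) (\d+) s\b")


def _parse_line(line, section):
    for pattern, key, conv in FIELDS:
        m = re.match(pattern, line)
        if m:
            section[key] = conv(m.group(1))
            return
    m = re.search(r"Quiet Period Timer is (enabled|disabled)", line)
    if m:
        section["quiet_timer"] = m.group(1)
    for name, value in TIMER.findall(line):
        section[name.strip().lower().replace(" ", "_")] = int(value)


def parse_display_dot1x(text):
    """Return {"global": {...}, "ports": {port_name: {...}}}."""
    parsed = {"global": {}, "ports": {}}
    section = parsed["global"]
    for line in (raw.strip() for raw in text.splitlines()):
        m = PORT_HEADER.match(line)
        if m:  # a per-port block starts here
            section = parsed["ports"].setdefault(m.group(1), {"link": m.group(2)})
        elif line:
            _parse_line(line, section)
    return parsed


def audit(parsed):
    """Findings a reviewer would raise from the parsed output."""
    findings = []
    g = parsed["global"]
    if g.get("global_enabled") != "enabled":
        findings.append("global: 802.1x is disabled globally, so no port enforces it")
    if g.get("auth_method") == "PAP":
        findings.append("global: PAP sends passwords in clear text to RADIUS; use CHAP or EAP")
    for name, p in parsed["ports"].items():
        if p.get("enabled") != "enabled":
            findings.append(f"{name}: 802.1x is not enabled on this port")
            continue
        if p.get("port_control") == "authorized-force":
            findings.append(f"{name}: authorized-force grants access without authentication")
        if p.get("port_method", "").lower().startswith("port"):
            findings.append(f"{name}: port-based control lets one authenticated host open the port for all")
        if p.get("reauth") != "enabled":
            findings.append(f"{name}: re-authentication is off; revoked users stay online until logoff")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_display_dot1x(SAMPLE_OUTPUT)):
        print(finding)
```

Run against a saved capture of display dot1x from a real switch, the script turns the output into four findings for the constructed sample: one for the port with 802.1x off, and three for the port that is open by force, port-based, and never re-authenticates. Any rule you do not want to enforce is one line in audit().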
1.1.2 dot1x
Syntax
dot1x [ interface interface-list ]
undo dot1x [ interface interface-list ]
View
System view, Ethernet port view
Parameters
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form interface-list = { interface-name [ to interface-name ] } &<1-10>. The interface-name argument is the port index of an Ethernet port, specified as interface-name = { interface-type interface-num }, where interface-type specifies the type of the port and interface-num identifies the port number. "&<1-10>" means that up to 10 port indexes/port index lists can be provided.
Description
Use the dot1x command to enable 802.1x globally or for the specified Ethernet ports.
Use the undo dot1x command to disable 802.1x globally or for the specified Ethernet ports.
By default, 802.1x is disabled globally and on all ports.
When being executed in system view, the dot1x command enables 802.1x globally if you do not provide the interface-list argument. And if you specify the interface-list argument, the command enables 802.1x for the specified Ethernet ports.
When being executed in Ethernet port view, this command enables 802.1x for the current Ethernet port only. In this case, the interface-list argument is not needed.
You can perform 802.1x-related configurations (globally or on the specified ports) either before or after 802.1x is enabled. If you do not perform other 802.1x-related configurations before enabling 802.1x globally, the switch adopts default 802.1x settings.
802.1x-related configurations take effect on a port only after 802.1x is enabled both globally and on the port.
802.1x and the per-port limit on the number of MAC addresses that can be learned are mutually exclusive: if you configure a maximum number of learnable MAC addresses on a port, 802.1x cannot be used on that port.
Related commands: display dot1x.
Examples
# Enable 802.1x for port Ethernet 3/0/1.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] dot1x interface Ethernet 3/0/1
# Enable 802.1x globally.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] dot1x
1.1.3 dot1x authentication-method
Syntax
dot1x authentication-method { chap | pap | eap }
undo dot1x authentication-method
View
System view
Parameters
chap: Uses CHAP authentication.
pap: Uses PAP authentication.
eap: Uses EAP authentication.
Description
Use the dot1x authentication-method command to set an 802.1x authentication method.
Use the undo dot1x authentication-method command to restore the default.
By default, CHAP authentication is used.
PAP uses a two-way handshake and transfers the password in plain text.
CHAP uses a three-way handshake: the authenticator sends a challenge and the supplicant answers with a hash computed over the challenge and the password, so only the user name crosses the network, never the password. CHAP is therefore safer and more confidential than PAP. Note that a captured challenge/response pair can still be used to guess weak passwords offline, so CHAP does not remove the need for strong passwords.
EAP authentication means that the switch relays 802.1x authentication information to the RADIUS server in EAP packets (carried in RADIUS EAP-Message attributes) instead of terminating EAP itself and converting the credentials into ordinary RADIUS attributes. EAP relay is the prerequisite for running EAP methods such as PEAP, EAP-TLS, and EAP-MD5 end to end between the supplicant and the server.
Note that the RADIUS server must support the chosen PAP, CHAP, or EAP authentication method.
Related commands: display dot1x.
Examples
# Specify the authentication method for 802.1x users to be PAP.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] dot1x authentication-method pap
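To make concrete what "transfers only user names over the network, not passwords" means, here is an added Python example (not H3C code) of what a PAP exchange and a CHAP/EAP-MD5 exchange carry. The response formula is the one RFC 1994 (CHAP) and RFC 3748 (EAP-MD5) specify, MD5 over the identifier, the password and the challenge; the user name, password and challenge are constructed test data. The last function shows the caveat from the text: whoever captures one CHAP exchange can test password guesses offline at MD5 speed.

```python
"""CHAP/EAP-MD5 versus PAP: what crosses the wire in each 802.1x
authentication method, and why CHAP still needs strong passwords.

Added example, not H3C code. The response formula is the one RFC 1994
(CHAP) and RFC 3748 (EAP-MD5) specify; USERNAME, PASSWORD and the
challenge used in the test are constructed data.
"""
import hashlib
import hmac
import os

USERNAME = "alice"            # constructed
PASSWORD = b"Winter2024"      # constructed; never a real credential


def chap_response(identifier, secret, challenge):
    """Response = MD5(Identifier || Secret || Challenge), RFC 1994 section 4.1."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def pap_exchange(username, password):
    """PAP: the supplicant sends the password itself; anyone on the path can read it."""
    return {"username": username, "password": password}


def chap_exchange(username, password, identifier=1, challenge=None):
    """CHAP/EAP-MD5: the authenticator issues a challenge, the supplicant answers
    with a hash. The password itself never appears in the exchange."""
    if challenge is None:
        challenge = os.urandom(16)  # the authenticator's fresh nonce
    return {
        "username": username,
        "identifier": identifier,
        "challenge": challenge,
        "response": chap_response(identifier, password, challenge),
    }


def server_verify(exchange, stored_password):
    """What the RADIUS server does with the CHAP-Challenge/CHAP-Password it
    receives: recompute the hash from the password it holds and compare."""
    expected = chap_response(exchange["identifier"], stored_password, exchange["challenge"])
    return hmac.compare_digest(expected, exchange["response"])


def offline_guess(exchange, wordlist):
    """An eavesdropper who captured one CHAP exchange can test candidates offline:
    the only salt is the challenge, which was sent in the clear, and MD5 is fast."""
    for candidate in wordlist:
        if chap_response(exchange["identifier"], candidate, exchange["challenge"]) == exchange["response"]:
            return candidate
    return None


if __name__ == "__main__":
    ex = chap_exchange(USERNAME, PASSWORD)
    print("on the wire (CHAP):", {k: v for k, v in ex.items()})
    print("server accepts:", server_verify(ex, PASSWORD))
    print("guessed offline:", offline_guess(ex, [b"password", b"Summer2023", PASSWORD]))
```

The PAP dictionary literally contains the password; the CHAP dictionary contains a challenge and a 16-byte response. Both are visible to anyone who can capture the EAPoL frames on the access port or the RADIUS traffic behind it, which is why the choice of method matters most when the RADIUS shared secret or the path to the server is weak.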
1.1.4 dot1x dhcp-launch
Syntax
dot1x dhcp-launch
undo dot1x dhcp-launch
View
System view
Parameters
None
Description
Use the dot1x dhcp-launch command to configure an 802.1x-enabled switch to authenticate a supplicant system when the supplicant system applies for a dynamic IP address through DHCP.
Use the undo dot1x dhcp-launch command to disable the function.
By default, an 802.1x-enabled switch does not authenticate a supplicant system when the latter applies for a dynamic IP address through DHCP.
Related commands: display dot1x.
Examples
# Specify to authenticate a supplicant system when it applies for a dynamic IP address through DHCP.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] dot1x dhcp-launch
1.1.5 dot1x guest-vlan
Syntax
dot1x guest-vlan vlan-id [ interface interface-list ]
undo dot1x guest-vlan [ interface interface-list ]
View
System view, Ethernet port view
Parameters
vlan-id: ID of a Guest VLAN, in the range 1 to 4094.
interface-list: List of Ethernet ports, expressed as interface-list = { interface-name [ to interface-name ] } & < 1-10 >. The interface-name argument is the port index of a port and can be specified in this form: interface-name = { interface-type interface-num }, where interface-type specifies the type of a port and interface-num identifies the port number. "&<1-10>" means that up to 10 port indexes/port index lists can be provided.
Description
Use the dot1x guest-vlan command to enable the Guest VLAN function for the specified ports.
Use the undo dot1x guest-vlan command to disable the Guest VLAN function for specified ports.
When being executed in system view, these two commands apply to all Ethernet ports of the switch if you do not provide the interface-list argument. And if you specify the interface-list argument, these commands apply to the specified Ethernet ports.
When being executed in Ethernet port view, these two commands apply to the current Ethernet port only. In this case, the interface-list argument is not needed.
Caution:
- The Guest VLAN function is available only on ports that use port-based access control (dot1x port-method portbased).
- Only one Guest VLAN can be configured for each switch.
- The Guest VLAN function is unavailable when the dot1x dhcp-launch command is configured on the switch, because the switch then does not send authentication request packets.
Related commands: name, vlan-assignment-mode.
Examples
# Specify port-based access control.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] dot1x port-method portbased
# Enable the Guest VLAN function for all ports.
[H3C] dot1x guest-vlan 1
1.1.6 dot1x max-user
Syntax
dot1x max-user user-number [ interface interface-list ]
undo dot1x max-user [ interface interface-list ]
View
System view, Ethernet port view
Parameters
user-number: Maximum number of users a port can accommodate, ranging from 1 to 1024. The default number is 1024.
interface-list: List of Ethernet ports, expressed as interface-list = { interface-name [ to interface-name ] } & < 1-10 >. The interface-name argument specifies the port index of an Ethernet port and can be specified in this form: interface-name = { interface-type interface-num }, where interface-type specifies the type of a port and interface-num identifies the port number. "&<1-10>" means that up to 10 port indexes/port index lists can be provided.
Description
Use the dot1x max-user command to set the maximum number of users an Ethernet port can accommodate.
Use the undo dot1x max-user command to restore the default.
When being executed in system view, these two commands apply to all Ethernet ports of the switch if you do not provide the interface-list argument. And if you specify the interface-list argument, these commands apply to the specified Ethernet ports.
When being executed in Ethernet port view, these two commands apply to the current Ethernet port only. In this case, the interface-list argument is not needed.
Related commands: display dot1x.
Examples
# Configure the maximum number of users that Ethernet 3/0/1 can accommodate to be 32.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] dot1x max-user 32 interface Ethernet 3/0/1
1.1.7 dot1x port-control
Syntax
dot1x port-control { auto | authorized-force | unauthorized-force } [ interface interface-list ]
undo dot1x port-control [ interface interface-list ]
View
System view, Ethernet port view
Parameters
auto: Specifies auto access control mode. A port in this mode is initialized as unauthorized: it allows only EAPoL packets to pass and grants users no access to network resources. Only after a user has passed authentication does the port transition to the authorized state and allow that user access to network resources. This is the mode normally used.
authorized-force: Specifies authorized-force access control mode. A port in this mode is always in the authorized state: supplicant systems connected to it can access the network without authentication.
unauthorized-force: Specifies unauthorized-force access control mode. A port in this mode is always in the unauthorized state: supplicant systems connected to it cannot access the network.
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form interface-list = { interface-name [ to interface-name ] } &<1-10>. The interface-name argument is the port index of an Ethernet port, specified as interface-name = { interface-type interface-num }, where interface-type specifies the type of the port and interface-num identifies the port number. "&<1-10>" means that up to 10 port indexes/port index lists can be provided.
Description
Use the dot1x port-control command to specify the access control mode for the specified Ethernet ports.
Use the undo dot1x port-control command to restore the default.
The default access control mode is auto.
When being executed in system view, these two commands apply to all Ethernet ports of the switch if you do not provide the interface-list argument. And if you specify the interface-list argument, these commands apply to the specified Ethernet ports.
When being executed in Ethernet port view, these two commands apply to the current Ethernet port only. In this case, the interface-list argument is not needed.
Related commands: display dot1x.
Examples
# Configure Ethernet 3/0/1 to operate in unauthorized-force access control mode.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] dot1x port-control unauthorized-force interface Ethernet 3/0/1
1.1.8 dot1x port-method
Syntax
dot1x port-method { macbased | portbased } [ interface interface-list ]
undo dot1x port-method [ interface interface-list ]
View
System view, Ethernet port view
Parameters
macbased: Authenticates supplicant systems by MAC addresses.
portbased: Authenticates supplicant systems by port numbers.
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form interface-list = { interface-name [ to interface-name ] } &<1-10>. The interface-name argument is the port index of an Ethernet port, specified as interface-name = { interface-type interface-num }, where interface-type specifies the type of the port and interface-num identifies the port number. "&<1-10>" means that up to 10 port indexes/port index lists can be provided.
Description
Use the dot1x port-method command to specify the access control method for the specified Ethernet ports.
Use the undo dot1x port-method command to restore the default.
The default access control method is MAC-based.
With MAC-based control, every supplicant system connected to the port must be authenticated separately, and when one online supplicant system logs off the others are not affected.
With port-based control, once any one supplicant system connected to the port passes authentication, all other supplicant systems on that port can access the network without being authenticated; when that supplicant system logs off, all the others lose network access as well.
When being executed in system view, these two commands apply to all Ethernet ports of the switch if you do not provide the interface-list argument. And if you specify the interface-list argument, these commands apply to the specified Ethernet ports. When being executed in Ethernet port view, these two commands apply to the current Ethernet port only. In this case, the interface-list argument is not needed.
Related commands: display dot1x.
Examples
# Specify to implement port-based authentication on the supplicant systems connected to Ethernet 3/0/1.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] dot1x port-method portbased interface Ethernet 3/0/1
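The security consequence of the two methods is easiest to see as a model. The following Python class is an added example (not H3C code, and not the switch's internal state machine): it reproduces only the authorization behaviour this section describes for MAC-based and port-based control, plus the dot1x max-user limit, so that the piggybacking effect of port-based control can be checked rather than read. The MAC addresses are constructed.

```python
"""Model of dot1x port-method macbased versus portbased.

Added example, not H3C code; it reproduces the authorization behaviour the
manual describes for the two methods and nothing more. MAC addresses used
in demo() are constructed.
"""


class Dot1xPort:
    """Authorization state of one port under a given access control method."""

    def __init__(self, method="macbased", max_user=1024):
        if method not in ("macbased", "portbased"):
            raise ValueError("method must be macbased or portbased")
        self.method = method
        self.max_user = max_user   # dot1x max-user
        self.online = set()        # MACs that have passed authentication

    def authenticate(self, mac, credentials_ok):
        """Result of an authentication attempt by the supplicant with address `mac`."""
        if not credentials_ok or len(self.online) >= self.max_user:
            return False
        self.online.add(mac)
        return True

    def logoff(self, mac):
        self.online.discard(mac)

    def allows(self, mac):
        """Can traffic from `mac` pass the port right now?"""
        if self.method == "portbased":
            # One authenticated supplicant opens the port for every host behind it,
            # and its logoff closes the port for all of them.
            return bool(self.online)
        # MAC-based: each supplicant is authorized individually.
        return mac in self.online


def demo():
    """Play the same sequence on both kinds of port; return whether an
    unauthenticated host gets through after Alice authenticates and after
    she logs off."""
    alice, mallory = "00:11:22:33:44:55", "66:77:88:99:aa:bb"  # constructed
    result = {}
    for method in ("macbased", "portbased"):
        port = Dot1xPort(method)
        port.authenticate(alice, credentials_ok=True)
        after_auth = port.allows(mallory)      # Mallory never authenticated
        port.logoff(alice)
        after_logoff = port.allows(mallory)
        result[method] = (after_auth, after_logoff)
    return result


if __name__ == "__main__":
    for method, (after_auth, after_logoff) in demo().items():
        print(f"{method}: unauthenticated host allowed after auth={after_auth}, after logoff={after_logoff}")
```

With port-based control the unauthenticated host is allowed as soon as Alice authenticates, which is exactly the case of a hub or an unmanaged switch behind the port; with MAC-based control it is never allowed. Use port-based control only where a single device is guaranteed to sit behind the port.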
1.1.9 dot1x quiet-period
Syntax
dot1x quiet-period
undo dot1x quiet-period
View
System view
Parameters
None
Description
Use the dot1x quiet-period command to enable the quiet-period timer.
Use the undo dot1x quiet-period command to disable the quiet-period timer.
When a supplicant system fails to pass the authentication, the authenticator system (such as an H3C Ethernet switch) will stay quiet for a period of time (determined by the quiet-period timer) before it performs another authentication. During the quiet period, the authenticator system performs no 802.1x authentication.
By default, the quiet-period timer is disabled.
Related commands: display dot1x, dot1x timer.
Examples
# Enable the quiet-period timer.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] dot1x quiet-period
1.1.10 dot1x re-authenticate
Syntax
dot1x re-authenticate [ interface interface-list ]
undo dot1x re-authenticate [ interface interface-list ]
View
System view, Ethernet port view
Parameters
interface-list: List of Ethernet ports, expressed as interface-list = { interface-name [ to interface-name ] } & < 1-10 >. The interface-name argument specifies the port index of an Ethernet port and can be specified in this form: interface-name = { interface-type interface-num }, where interface-type specifies the type of a port and interface-num identifies the port number. "&<1-10>" means that up to 10 port indexes/port index lists can be provided.
Description
Use the dot1x re-authenticate command to enable 802.1x re-authentication on the specified ports or on all Authenticator ports of the switch.
Use the undo dot1x re-authenticate command to disable 802.1x re-authentication on the specified ports or on all Authenticator ports of the switch.
By default, 802.1x re-authentication is disabled on all ports.
When being executed in system view, these two commands apply to all Ethernet ports of the switch if you do not provide the interface-list argument. And if you specify the interface-list argument, these commands apply to the specified Ethernet ports.
When being executed in Ethernet port view, these two commands apply to the current Ethernet port only. In this case, the interface-list argument is not needed.
802.1x must be enabled globally and on the current port before 802.1x re-authentication is enabled on a port.
Examples
# Enable 802.1x re-authentication on Ethernet 3/0/1.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] interface Ethernet 3/0/1
[H3C-Ethernet3/0/1] dot1x re-authenticate
1.1.11 dot1x retry
Syntax
dot1x retry max-retry-value
undo dot1x retry
View
System view
Parameters
max-retry-value: Maximum number of retry times that a switch will resend the authentication request packet to a supplicant system. This argument ranges from 1 to 10 and defaults to 2.
Description
Use the dot1x retry command to specify the maximum number of retry times that a switch will resend authentication request packets to supplicant systems.
Use the undo dot1x retry command to restore the default.
A switch will resend the packet if it still has not received any response from the supplicant system within a preset period after it sends an authentication request packet to a supplicant system.
The retry times of 1 means that the switch will send the request packet only once; the retry times of 2 means that the switch will resend the packet once if no response comes back, and so on. This command applies to all ports.
Related commands: display dot1x.
Examples
# Specify the maximum number of retry times that the switch will resend the authentication request packet to be 9.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] dot1x retry 9
1.1.12 dot1x retry-version-max
Syntax
dot1x retry-version-max max-retry-version-value
undo dot1x retry-version-max
View
System view
Parameters
max-retry-version-value: Maximum number of retry times that a switch will resend the version request packet to a supplicant system. This argument ranges from 1 to 10.
Description
Use the dot1x retry-version-max command to set the maximum number of retry times that a switch will resend the version request packet to a connected supplicant system.
Use the undo dot1x retry-version-max command to restore the default.
By default, the switch can send a version request packet to a supplicant system up to three times repeatedly.
A switch resends the version request packet if, within a preset period (determined by the client version timer), it has not received a response from the supplicant system. Once the number of attempts set by this command has been reached and the supplicant system still has not responded, the switch proceeds with authentication without sending further version request packets. This command applies to all ports.
Related commands: display dot1x, dot1x timer.
Examples
# Configure the maximum number of retry times that the switch will resend the version request packet to be 6.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] dot1x retry-version-max 6
1.1.13 dot1x supp-proxy-check
Syntax
dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]
undo dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]
View
System view, Ethernet port view
Parameters
logoff: Disconnects the supplicant system if it logs in through the proxy server or through multiple network cards.
trap: Sends Trap packets if a supplicant system logs in through the proxy server or through multiple network cards.
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form interface-list = { interface-name [ to interface-name ] } &<1-10>. The interface-name argument is the port index of an Ethernet port, specified as interface-name = { interface-type interface-num }, where interface-type specifies the type of the port and interface-num identifies the port number. "&<1-10>" means that up to 10 port indexes/port index lists can be provided.
Description
Use the dot1x supp-proxy-check command to configure the switch to check and control the users who log in through the proxy server.
Use the undo dot1x supp-proxy-check command to remove the configuration.
When being executed in system view, these two commands apply to all Ethernet ports of the switch if you do not provide the interface-list argument. And if you specify the interface-list argument, these commands apply to the specified Ethernet ports.
When being executed in Ethernet port view, these two commands apply to the current Ethernet port only. In this case, the interface-list argument is not needed.
The port-level configuration takes effect only after the proxy check has been enabled both globally (in system view) and on the specified ports.
Proxy detection covers:
- Supplicant systems logging in through a proxy server;
- Supplicant systems logging in through an IE proxy server;
- Supplicant systems logging in with multiple network cards (that is, more than one network card is active when the supplicant system logs in).
In any of these three cases the switch can take one of the following actions:
- Disconnect the supplicant system and send Trap packets (dot1x supp-proxy-check logoff).
- Send Trap packets only, without disconnecting the supplicant system (dot1x supp-proxy-check trap).
This function needs the support of the 802.1x client and CAMS:
- The 802.1x client checks whether the supplicant system uses multiple network cards, a proxy server, or an IE proxy server;
- CAMS can disable multiple network cards, the proxy server, or the IE proxy server on supplicant systems.
By default, the 802.1x client's function of disabling multiple network adapters, proxy server, or IE proxy server is off. If the function is enabled on CAMS, CAMS prompts the 802.1x client to enable it after the supplicant system passes authentication.
Note:
- The proxy detection function requires H3C's 802.1x client program (V1.29 or later).
- The proxy detection function takes effect only after it has been enabled on CAMS and the client version check has been enabled on the switch (dot1x version-check command).
Related commands: display dot1x.
Examples
# Configure to disconnect any supplicant systems that use proxy server and connect to Ethernet 3/0/1 through Ethernet 3/0/8 ports.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] dot1x supp-proxy-check logoff
[H3C] dot1x supp-proxy-check logoff interface Ethernet 3/0/1 to Ethernet 3/0/8
# Configure the switch to send Trap packets if a supplicant system uses proxy server and connects to Ethernet 3/0/9.
[H3C] dot1x supp-proxy-check trap
[H3C] dot1x supp-proxy-check trap interface Ethernet 3/0/9
Or
[H3C] dot1x supp-proxy-check trap
[H3C] interface Ethernet 3/0/9
[H3C-Ethernet3/0/9] dot1x supp-proxy-check trap
1.1.14 dot1x timer
Syntax
dot1x timer { handshake-period handshake-period-value | reauth-period reauth-period-value | quiet-period quiet-period-value | tx-period tx-period-value | supp-timeout supp-timeout-value | server-timeout server-timeout-value | ver-period ver-period-value }
undo dot1x timer { handshake-period | reauth-period | quiet-period | tx-period | supp-timeout | server-timeout | ver-period }
View
System view
Parameters
handshake-period: Handshake period timer, started after a supplicant system has passed authentication. At each expiry of this timer the switch sends a handshake request packet to check whether the supplicant system is still online. If the switch receives no response in N consecutive attempts (N is set by the dot1x retry command), it considers the supplicant system offline.
handshake-period-value: Value of the handshake period timer, in seconds. This value ranges from 1 to 1024 and defaults to 15.
reauth-period: Re-authentication period timer. The switch will initialize 802.1x re-authentication when the re-authentication period timer times out.
reauth-period-value: Value of the re-authentication period timer, in seconds. This value ranges from 1 to 86400 and defaults to 3600.
quiet-period: Quiet-period timer, triggered after a supplicant system has failed the authentication. The switch will quiet for a period of time (set by the quiet-period timer) before it processes another authentication request initiated by the supplicant system.
quiet-period-value: Value of the quiet-period timer, in seconds. This value ranges from 10 to 120 and defaults to 60.
tx-period: Transmission period timer, started by the authenticator system in two cases. First, when a supplicant system requests authentication, the switch sends a unicast Request/Identity packet to it and starts this timer; if the supplicant system has not replied when the timer expires, the switch sends another Request/Identity packet. Second, to authenticate 802.1x clients that do not initiate authentication themselves, the switch sends multicast Request/Identity packets through each 802.1x-enabled port at the interval set by this timer.
tx-period-value: Value of the tx-period timer, in seconds. This value ranges from 10 to 120 and defaults to 30.
supp-timeout: Supplicant timeout timer, started when the switch sends a Request/Challenge packet (carrying the MD5 challenge) to a supplicant system. If the supplicant system has not responded when this timer expires, the switch resends the Request/Challenge packet.
supp-timeout-value: Value of the supp-timeout timer, in seconds. This value ranges from 10 to 120 and defaults to 30.
server-timeout: Server-timeout timer. The switch will resend the request/identity packet if the authentication server has not responded when this timer times out.
server-timeout-value: Value of the server timeout timer, in seconds. This value ranges from 100 to 300 and defaults to 100.
ver-period: Client-version-checking period timer. The switch will resend the client version checking request packet if the supplicant system has not responded when this timer times out.
ver-period-value: Value of the client-version-checking period timer, in seconds. This value ranges from 1 to 30 and defaults to 30.
Description
Use the dot1x timer command to set a specified 802.1x timer.
Use the undo dot1x timer command to restore the default.
During an 802.1x authentication process, multiple timers are triggered to ensure that the supplicant systems, the authenticator systems, and the authentication servers interact with each other in an orderly way. You can use the dot1x timer command to modify some of these timers as needed (the others are not adjustable). This may be necessary in certain situations or in demanding network environments. Normally, the defaults are recommended.
Related commands: display dot1x.
Examples
# Set the server-timeout timer of the authentication server to 150 seconds.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] dot1x timer server-timeout 150
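The timer ranges and defaults listed above, together with the handshake-period/dot1x retry rule for declaring a supplicant offline, as a small Python checker for configuration fragments. This is an added example, not H3C code: the configuration lines are constructed, and the retry count N is passed in as a parameter because this section does not state the default of the dot1x retry command.

```python
import re

# Documented (min, max, default) of each adjustable 802.1x timer, in seconds,
# taken from the dot1x timer command reference above.
DOT1X_TIMERS = {
    "handshake-period": (1, 1024, 15),
    "reauth-period": (1, 86400, 3600),
    "quiet-period": (10, 120, 60),
    "tx-period": (10, 120, 30),
    "supp-timeout": (10, 120, 30),
    "server-timeout": (100, 300, 100),
    "ver-period": (1, 30, 30),
}

_LINE = re.compile(r"^\s*dot1x timer (\S+) (\d+)\s*$")

def parse_dot1x_timers(config_text):
    """Return (timers, problems): timers maps every timer to its effective
    value (the default when not configured); problems lists rejected lines."""
    timers = {name: spec[2] for name, spec in DOT1X_TIMERS.items()}
    problems = []
    for line in config_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        name, value = m.group(1), int(m.group(2))
        if name not in DOT1X_TIMERS:
            problems.append(f"unknown timer: {line.strip()}")
            continue
        lo, hi, _ = DOT1X_TIMERS[name]
        if not lo <= value <= hi:
            # The switch would reject this; keep the default in effect.
            problems.append(f"{name}={value} outside {lo}-{hi}")
            continue
        timers[name] = value
    return timers, problems

def offline_detection_seconds(timers, retries):
    """Estimated time before a silently disconnected supplicant is declared
    offline: one handshake request per handshake-period, given up after
    `retries` unanswered requests (the N set by dot1x retry)."""
    return timers["handshake-period"] * retries

# Constructed sample configuration fragment (not taken from the manual).
SAMPLE_CONFIG = """\
 dot1x timer server-timeout 150
 dot1x timer handshake-period 30
 dot1x timer quiet-period 5
"""
```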
1.1.15 dot1x version-check
Syntax
dot1x version-check [ interface interface-list ]
undo dot1x version-check [ interface interface-list ]
View
System view, Ethernet port view
Parameters
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-name [ to interface-name ] } &<1-10>. The interface-name argument is the port index of an Ethernet port and can be specified in this form: interface-name = { interface-type interface-num }, where interface-type specifies the type of a port and interface-num identifies the port number. "&<1-10>" means that up to 10 port indexes/port index lists can be provided.
Description
Use the dot1x version-check command to enable 802.1x client version checking for the specified Ethernet ports.
Use the undo dot1x version-check command to disable the function for the specified Ethernet ports.
By default, 802.1x client version checking is disabled on all Ethernet ports.
When executed in system view, these two commands apply to all Ethernet ports of the switch if you do not provide the interface-list argument, and to the specified Ethernet ports if you do.
When executed in Ethernet port view, these two commands apply to the current Ethernet port only. In this case, the interface-list argument is not needed.
Examples
# Check the version of the 802.1x client upon receiving authentication packets on Ethernet 3/0/1.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] interface Ethernet 3/0/1
[H3C-Ethernet3/0/1] dot1x version-check
1.1.16 reset dot1x statistics
Syntax
reset dot1x statistics [ interface interface-list ]
View
User view
Parameters
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-name [ to interface-name ] } &<1-10>. The interface-name argument is the port index of an Ethernet port and can be specified in this form: interface-name = { interface-type interface-num }, where interface-type specifies the type of a port and interface-num identifies the port number. "&<1-10>" means that up to 10 port indexes/port index lists can be provided.
Description
Use the reset dot1x statistics command to clear 802.1x-related statistics.
If the interface-list argument is not specified, this command clears the 802.1x statistics on all ports. If the interface-list argument is specified, this command clears the 802.1x statistics on the specified ports only.
Related commands: display dot1x.
Examples
# Clear 802.1x-related statistics on Ethernet 3/0/1.
<H3C> reset dot1x statistics interface Ethernet 3/0/1
Chapter 2 HABP Configuration Commands
2.1 HABP Configuration Commands
2.1.1 display habp
Syntax
display habp
View
Any view
Parameters
None
Description
Use the display habp command to display HABP configuration and status information.
Examples
# Display HABP configuration and status information.
<H3C> display habp
Global HABP information:
HABP Mode: Server
Sending HABP request packets every 20 seconds
Bypass VLAN: 2
Table 2-1 Description on the fields of the display habp command
Field | Description |
---|---|
HABP Mode | HABP operation mode of the active switch: an HABP server or an HABP client |
Sending HABP request packets every 20 seconds | Interval between sending HABP request packets |
Bypass VLAN | ID(s) of the VLAN(s) in which HABP request packets are sent |
2.1.2 display habp table
Syntax
display habp table
View
Any view
Parameters
None
Description
Use the display habp table command to display the MAC address table maintained by HABP.
Examples
# Display the MAC address table maintained by HABP.
<H3C> display habp table
MAC Holdtime Receive Port
001f-3c00-0030 53 Ethernet2/0/1
Table 2-2 Description on the fields of the display habp table command
Field | Description |
---|---|
MAC | MAC addresses listed in the MAC address table |
Holdtime | Hold time of the entries in the MAC address table. An entry is removed from the table if it has not been updated during the hold time. |
Receive Port | Port that has learnt the MAC address |
2.1.3 display habp traffic
Syntax
display habp traffic
View
Any view
Parameters
None
Description
Use the display habp traffic command to display statistics of HABP packets.
Examples
# Display statistics of HABP packets.
<H3C> display habp traffic
HABP counters :
Packets output: 0, Input: 0
ID error: 0, Type error: 0, Version error: 0
Sent failed: 0
Table 2-3 Description on the fields of the display habp traffic command
Field | Description |
---|---|
Packets output | Number of HABP packets sent |
Input | Number of HABP packets received |
ID error | Number of HABP packets with wrong IDs |
Type error | Number of HABP packets of wrong types |
Version error | Number of HABP packets with wrong versions |
Sent failed | Number of HABP packets that failed to be sent |
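The error counters of display habp traffic are cumulative, so a monitoring poller should compare two snapshots and alert on growth rather than on the totals. Added example in Python, not H3C code: it parses the output format shown above and reports which error counters increased; both snapshots are constructed.

```python
import re

# Two constructed snapshots of "display habp traffic" output, taken some
# time apart (sample data, not from the manual).
SNAPSHOT_T0 = """\
HABP counters :
Packets output: 120, Input: 118
ID error: 0, Type error: 0, Version error: 0
Sent failed: 0
"""
SNAPSHOT_T1 = """\
HABP counters :
Packets output: 135, Input: 131
ID error: 0, Type error: 3, Version error: 1
Sent failed: 2
"""

# Each "Name: value" pair on a line; names may contain spaces.
_PAIR = re.compile(r"([A-Za-z ]+?):\s*(\d+)")

def parse_habp_traffic(text):
    """Map each counter name (e.g. 'Type error') to its integer value."""
    counters = {}
    for line in text.splitlines():
        if line.startswith("HABP counters"):
            continue  # section header carries no counter
        for name, value in _PAIR.findall(line):
            counters[name.strip()] = int(value)
    return counters

# Counters whose growth points to malformed or undeliverable HABP packets.
ERROR_COUNTERS = ("ID error", "Type error", "Version error", "Sent failed")

def habp_counter_alerts(before, after):
    """Return {counter: delta} for every error counter that grew between
    the two snapshots; an empty dict means nothing to report."""
    alerts = {}
    for name in ERROR_COUNTERS:
        delta = after.get(name, 0) - before.get(name, 0)
        if delta > 0:
            alerts[name] = delta
    return alerts
```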
2.1.4 habp enable
Syntax
habp enable
undo habp enable
View
System view
Parameters
None
Description
Use the habp enable command to enable HABP for a switch.
Use the undo habp enable command to disable HABP.
By default, HABP is enabled on a switch.
If an 802.1x-enabled switch does not have HABP enabled, it cannot manage the switches attached to it.
Examples
# Enable HABP.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] habp enable
2.1.5 habp server vlan
Syntax
habp server vlan vlan-id
undo habp server
View
System view
Parameters
vlan-id: VLAN ID, ranging from 1 to 4094.
Description
Use the habp server vlan command to configure a switch to operate as an HABP server and transmit HABP packets in the specified VLAN.
Use the undo habp server vlan command to restore the default.
By default, a switch operates as an HABP client.
To configure a switch to operate as an HABP server, you need to enable HABP (using the habp enable command) on the switch first. Even if HABP is not enabled, the switch can still be configured to work as an HABP client, but this command will not take effect.
Examples
# Configure the switch to operate as an HABP server and transmit HABP packets in VLAN 2.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] habp server vlan 2
2.1.6 habp timer
Syntax
habp timer interval
undo habp timer
View
System view
Parameters
interval: Interval between sending HABP request packets, in the range of 5 to 600 seconds.
Description
Use the habp timer command to set the interval for a switch to send HABP request packets.
Use the undo habp timer command to restore the default.
The default interval for a switch to send HABP request packets is 20 seconds.
These two commands apply to the switches operating as HABP servers only.
Examples
# Specify to send HABP request packets once every 50 seconds.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] habp timer 50