10-Security Command Reference

02-802.1X Commands

display dot1x

Syntax

display dot1x [ sessions | statistics ] [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

sessions: Displays 802.1X session information.

statistics: Displays 802.1X statistics.

interface interface-list: Specifies an Ethernet port list, which can contain multiple Ethernet ports. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } & <1-10>, where interface-type represents the port type, interface-number represents the port number, and & <1-10> means that you can provide up to 10 ports or port ranges. The start port number must be smaller than the end number and the two ports must be of the same type.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display dot1x command to display information about 802.1X.

If you specify neither the sessions keyword nor the statistics keyword, the command displays all information about 802.1X, including session information, statistics, and configurations.

Related commands: reset dot1x statistics, dot1x, dot1x retry, dot1x max-user, dot1x port-control, dot1x port-method, and dot1x timer.

Examples

# Display all information about 802.1X.

<Sysname> display dot1x

Equipment 802.1X protocol is enabled

 CHAP authentication is enabled

 Proxy trap checker is disabled

 Proxy logoff checker is enabled

 Configuration: Transmit Period   30 s,  Handshake Period       15 s

                Quiet Period      60 s,  Quiet Period Timer is disabled

                Supp Timeout      30 s,  Server Timeout        100 s

                The maximal retransmitting times    2

 The maximum 802.1X users resource number is 1024 per slot

 Total current used 802.1X resource number is 1

 GigabitEthernet2/1/1  is link-down

   802.1X protocol is enabled

   Proxy trap checker is   disabled

   Proxy logoff checker is disabled

   Handshake is enabled

   802.1X unicast-trigger is enabled

   The port is an authenticator

   Authentication Mode is Auto

   Port Control Type is Mac-based

   802.1X Multicast-trigger is enabled

   Mandatory authentication domain: NOT configured

   Guest VLAN: 4

   Max number of on-line users is 1024

   EAPOL Packet: Tx 1087, Rx 986

   Sent EAP Request/Identity Packets : 943

        EAP Request/Challenge Packets: 60

        EAP Success Packets: 29, Fail Packets: 55

   Received EAPOL Start Packets : 60

            EAPOL LogOff Packets: 24

            EAP Response/Identity Packets : 724

            EAP Response/Challenge Packets: 54

            Error Packets: 0

1. Authenticated user : MAC address: 0015-e9a6-7cfe

   Controlled User(s) amount to 1

Table 1 Output description

| Field | Description |
| --- | --- |
| Equipment 802.1X protocol is enabled | Specifies whether 802.1X is enabled globally |
| CHAP authentication is enabled | Specifies whether CHAP authentication is enabled |
| Proxy trap checker is disabled | Specifies whether the device sends a trap when it detects that a user is accessing the network through a proxy |
| Proxy logoff checker is enabled | Specifies whether the device logs off a user when it detects that the user is accessing the network through a proxy |
| Transmit Period | Username request timeout timer, in seconds |
| Handshake Period | Handshake timer, in seconds |
| Quiet Period | Quiet timer, in seconds |
| Quiet Period Timer is disabled | Status of the quiet timer. In this example, the quiet timer is disabled. |
| Supp Timeout | Client timeout timer, in seconds |
| Server Timeout | Server timeout timer, in seconds |
| The maximal retransmitting times | Maximum number of attempts for sending an authentication request to a client |
| The maximum 802.1X users resource number per slot | Maximum number of concurrent 802.1X users per card |
| Total current used 802.1X resource number | Total number of online 802.1X users |
| GigabitEthernet2/1/1 is link-down | Status of the port. In this example, GigabitEthernet 2/1/1 is down. |
| 802.1X protocol is enabled | Specifies whether 802.1X is enabled on the port |
| Proxy trap checker is disabled | Specifies whether the port sends a trap when it detects that a user is accessing the network through a proxy |
| Proxy logoff checker is disabled | Specifies whether the port logs off a user when it detects that the user is accessing the network through a proxy |
| Handshake is enabled | Specifies whether the online user handshake function is enabled on the port |
| 802.1X unicast-trigger is enabled | Specifies whether the unicast trigger function is enabled on the port |
| The port is an authenticator | Role of the port |
| Authentication Mode is Auto | Authorization state of the port |
| Port Control Type is Mac-based | Access control method of the port |
| 802.1X Multicast-trigger is enabled | Specifies whether the 802.1X multicast trigger function is enabled on the port |
| Mandatory authentication domain | Mandatory authentication domain on the port |
| Guest VLAN | 802.1X guest VLAN configured on the port. NOT configured is displayed if no guest VLAN is configured. |
| Max number of on-line users | Maximum number of concurrent 802.1X users on the port |
| EAPOL Packet | Number of sent (Tx) and received (Rx) EAPOL packets |
| Sent EAP Request/Identity Packets | Number of sent EAP-Request/Identity packets |
| EAP Request/Challenge Packets | Number of sent EAP-Request/Challenge packets |
| EAP Success Packets | Number of sent EAP-Success packets |
| Fail Packets | Number of sent EAP-Failure packets |
| Received EAPOL Start Packets | Number of received EAPOL-Start packets |
| EAPOL LogOff Packets | Number of received EAPOL-Logoff packets |
| EAP Response/Identity Packets | Number of received EAP-Response/Identity packets |
| EAP Response/Challenge Packets | Number of received EAP-Response/Challenge packets |
| Error Packets | Number of received error packets |
| Authenticated user | User that has passed 802.1X authentication |
| Controlled User(s) amount | Number of authenticated users on the port |
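As an added example (not part of the H3C reference), a Python parser for the display dot1x output format shown above, followed by an audit pass that flags the settings this chapter's command descriptions identify as weakening port authentication: a non-auto authorization state, port-based access control, a disabled online user handshake, a disabled quiet timer, and a guest VLAN. The sample output, the second port, and the Authorized-force / Port-based display strings are constructed assumptions, not captured output.

```python
import re
from typing import Dict, List

# Constructed sample in the display dot1x output format shown above. The values,
# the second port, and the "Authorized-force" / "Port-based" display strings are
# assumptions made for this example, not captured output.
SAMPLE_OUTPUT = """\
Equipment 802.1X protocol is enabled
 CHAP authentication is enabled
 Proxy trap checker is disabled
 Proxy logoff checker is enabled
 Configuration: Transmit Period   30 s,  Handshake Period       15 s
                Quiet Period      60 s,  Quiet Period Timer is disabled
                Supp Timeout      30 s,  Server Timeout        100 s
                The maximal retransmitting times    2
 The maximum 802.1X users resource number is 1024 per slot
 Total current used 802.1X resource number is 2
 GigabitEthernet2/1/1  is link-down
   802.1X protocol is enabled
   Handshake is enabled
   The port is an authenticator
   Authentication Mode is Auto
   Port Control Type is Mac-based
   Mandatory authentication domain: NOT configured
   Guest VLAN: 4
   Max number of on-line users is 1024
   EAPOL Packet: Tx 1087, Rx 986
 GigabitEthernet2/1/2  is link-up
   802.1X protocol is enabled
   Handshake is disabled
   Authentication Mode is Authorized-force
   Port Control Type is Port-based
   Guest VLAN: NOT configured
"""

PORT_HEADER = re.compile(r"^\s*(\S+)\s+is link-(up|down)\s*$")
TIMER = re.compile(r"^(.+?)\s+(\d+)\s*s$")               # "Transmit Period   30 s"
RETRY = re.compile(r"^(The maximal retransmitting times)\s+(\d+)$")
IS_LINE = re.compile(r"^(.+?)\s+is\s+(.+)$")              # "Handshake is enabled"
COLON_LINE = re.compile(r"^(.+?)\s*:\s*(.+)$")            # "Guest VLAN: 4"


def _store(section: Dict[str, str], fragment: str) -> None:
    """Parse one 'field value' fragment into field -> value."""
    frag = fragment.strip()
    if frag.startswith("Configuration:"):
        frag = frag[len("Configuration:"):].strip()
    for pat in (TIMER, RETRY, IS_LINE, COLON_LINE):
        m = pat.match(frag)
        if m:
            section[m.group(1).strip()] = m.group(2).strip()
            return


def parse_dot1x(text: str) -> Dict[str, Dict[str, str]]:
    """Split display dot1x output into a 'global' section plus one dict per port."""
    sections: Dict[str, Dict[str, str]] = {"global": {}}
    current = sections["global"]
    for line in text.splitlines():
        if not line.strip():
            continue
        m = PORT_HEADER.match(line)
        if m:
            current = sections.setdefault(m.group(1), {"link": m.group(2)})
            continue
        # The global timer block packs two settings per line, comma separated;
        # per-port counters such as "Tx 1087, Rx 986" must stay whole.
        fragments = line.split(",") if current is sections["global"] else [line]
        for frag in fragments:
            _store(current, frag)
    return sections


def audit_dot1x(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag settings that weaken port authentication, per the command descriptions."""
    findings: List[str] = []
    g = sections["global"]
    if g.get("Equipment 802.1X protocol") != "enabled":
        findings.append("global: 802.1X is not enabled globally, so no port enforces it")
    if g.get("Quiet Period Timer") == "disabled":
        findings.append("global: quiet timer disabled, failed clients can retry immediately")
    for port, p in sections.items():
        if port == "global":
            continue
        if p.get("802.1X protocol") != "enabled":
            findings.append(f"{port}: 802.1X not enabled on this port")
            continue
        mode = p.get("Authentication Mode", "")
        if mode.lower() != "auto":
            findings.append(f"{port}: authorization state {mode}, only auto authenticates users")
        if p.get("Port Control Type", "").lower().startswith("port"):
            findings.append(f"{port}: port-based control, one authenticated user opens the port for all")
        if p.get("Handshake") == "disabled":
            findings.append(f"{port}: online user handshake disabled, proxy detection cannot run")
        if p.get("Guest VLAN", "NOT configured") != "NOT configured":
            findings.append(f"{port}: guest VLAN {p['Guest VLAN']} admits unauthenticated clients")
    return findings
```

Call audit_dot1x(parse_dot1x(SAMPLE_OUTPUT)) to get the findings list; pass the captured text of display dot1x instead of the sample to check a live device.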

 

dot1x

Syntax

In system view:

dot1x [ interface interface-list ]

undo dot1x [ interface interface-list ]

In Ethernet interface view:

dot1x

undo dot1x

View

System view, Ethernet interface view

Default level

2: System level

Parameters

interface interface-list: Specifies a port list, which can contain multiple ports. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } & <1-10>, where interface-type represents the port type, interface-number represents the port number, and & <1-10> means that you can provide up to 10 ports or port ranges. The start port number must be smaller than the end number and the two ports must be of the same type.

Description

Use the dot1x command in system view to enable 802.1X globally.

Use the undo dot1x command in system view to disable 802.1X globally.

Use the dot1x interface command in system view or the dot1x command in interface view to enable 802.1X for specified ports.

Use the undo dot1x interface command in system view or the undo dot1x command in interface view to disable 802.1X for specified ports.

By default, 802.1X is neither enabled globally nor enabled for any port.

802.1X must be enabled both globally in system view and for the intended ports in system view or interface view. Otherwise, it does not function.

You can configure 802.1X parameters either before or after enabling 802.1X.

Related commands: display dot1x.

Examples

# Enable 802.1X for ports GigabitEthernet 2/1/1, and GigabitEthernet 2/1/5 to GigabitEthernet 2/1/7.

<Sysname> system-view

[Sysname] dot1x interface GigabitEthernet 2/1/1 GigabitEthernet 2/1/5 to GigabitEthernet 2/1/7

Or

<Sysname> system-view

[Sysname] interface GigabitEthernet 2/1/1

[Sysname-GigabitEthernet2/1/1] dot1x

[Sysname-GigabitEthernet2/1/1] quit

[Sysname] interface GigabitEthernet 2/1/5

[Sysname-GigabitEthernet2/1/5] dot1x

[Sysname-GigabitEthernet2/1/5] quit

[Sysname] interface GigabitEthernet 2/1/6

[Sysname-GigabitEthernet2/1/6] dot1x

[Sysname-GigabitEthernet2/1/6] quit

[Sysname] interface GigabitEthernet 2/1/7

[Sysname-GigabitEthernet2/1/7] dot1x

# Enable 802.1X globally.

<Sysname> system-view

[Sysname] dot1x

dot1x authentication-method

Syntax

dot1x authentication-method { chap | eap | pap }

undo dot1x authentication-method

View

System view

Default level

2: System level

Parameters

chap: Sets the access device to perform Extensible Authentication Protocol (EAP) termination and use the Challenge Handshake Authentication Protocol (CHAP) to communicate with the RADIUS server.

eap: Sets the access device to relay EAP packets, and supports any of the EAP authentication methods to communicate with the RADIUS server.

pap: Sets the access device to perform EAP termination and use the Password Authentication Protocol (PAP) to communicate with the RADIUS server.

Description

Use the dot1x authentication-method command to specify an EAP message handling method.

Use the undo dot1x authentication-method command to restore the default.

By default, the network access device performs EAP termination and uses CHAP to communicate with the RADIUS server.

The network access device relays or terminates EAP packets:

1. In EAP termination mode, the access device re-encapsulates the authentication data from the client in standard RADIUS packets, sends them to the RADIUS server, and performs either CHAP or PAP authentication with the RADIUS server. In this mode, the RADIUS server supports only MD5-Challenge EAP authentication and the “username+password” EAP authentication initiated by an iNode client.

· PAP transports usernames and passwords in clear text. This method applies to scenarios that do not require high security. To use PAP, the client must be an H3C iNode 802.1X client.

· CHAP transports the username in plaintext and the password in encrypted form over the network. It is more secure than PAP.

2. In EAP relay mode, the access device relays EAP messages between the client and the RADIUS server. The EAP relay mode supports multiple EAP authentication methods, such as MD5-Challenge, EAP-TLS, and PEAP. To use this mode, you must make sure that the RADIUS server supports the EAP-Message and Message-Authenticator attributes, and uses the same EAP authentication method as the client. If this mode is used, the user-name-format command configured in RADIUS scheme view does not take effect. For more information about the user-name-format command, see the chapter “RADIUS configuration commands.”

Local authentication supports PAP and CHAP.

If RADIUS authentication is used, you must configure the network access device to use the same authentication method (PAP, CHAP, or EAP) as the RADIUS server.
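To make the PAP versus CHAP contrast above concrete, here is an added Python example (not H3C code) of the CHAP response from RFC 1994, MD5 over identifier, secret and challenge, which is also the computation an EAP MD5-Challenge exchange carries and the reason a terminating device can map it onto CHAP. radius_fields, password_exposed and new_challenge are names chosen for this example; radius_fields shows what each method hands to the RADIUS server after termination.

```python
import hashlib
import hmac
import os
from typing import Dict

# Example code, not from the H3C manual: the CHAP response construction of
# RFC 1994 (MD5 over identifier, secret and challenge), which is also what an
# EAP MD5-Challenge exchange carries and why EAP termination can map it to CHAP.


def new_challenge(length: int = 16) -> bytes:
    """Fresh random challenge so a captured response cannot be replayed."""
    return os.urandom(length)


def chap_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP response value: MD5(Identifier || Secret || Challenge)."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is one octet")
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def chap_verify(identifier: int, stored_password: bytes, challenge: bytes,
                response: bytes) -> bool:
    """Server side: recompute from the stored password and compare in constant time."""
    expected = chap_response(identifier, stored_password, challenge)
    return hmac.compare_digest(expected, response)


def radius_fields(method: str, username: str, password: bytes,
                  challenge: bytes = b"", identifier: int = 1) -> Dict[str, bytes]:
    """Credential attributes the access device carries to RADIUS after EAP termination."""
    if method == "pap":
        # The password itself goes into the packet; RADIUS only hides it with the
        # shared secret in transit, there is no challenge-response.
        return {"User-Name": username.encode(), "User-Password": password}
    if method == "chap":
        # Only the challenge and the one-octet identifier plus the MD5 response
        # travel; the server verifies against its own copy of the password.
        return {
            "User-Name": username.encode(),
            "CHAP-Challenge": challenge,
            "CHAP-Password": bytes([identifier]) + chap_response(identifier, password, challenge),
        }
    raise ValueError(f"unsupported method {method!r}")


def password_exposed(fields: Dict[str, bytes], password: bytes) -> bool:
    """True if the literal password appears in any attribute value."""
    return any(password in value for value in fields.values())
```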

Related commands: display dot1x.

Examples

# Enable the access device to terminate EAP packets and perform PAP authentication with the RADIUS server.

<Sysname> system-view

[Sysname] dot1x authentication-method pap

dot1x auth-fail vlan

Syntax

dot1x auth-fail vlan authfail-vlan-id

undo dot1x auth-fail vlan

View

Ethernet interface view

Default level

2: System level

Parameters

authfail-vlan-id: Specifies the ID of the Auth-Fail VLAN for the port, in the range of 1 to 4094. The VLAN must already exist.

Description

Use the dot1x auth-fail vlan command to configure an Auth-Fail VLAN for a port. An Auth-Fail VLAN accommodates users that have failed 802.1X authentication because they did not comply with the organization's security policy, for example by entering a wrong password.

Use the undo dot1x auth-fail vlan command to restore the default.

By default, no Auth-Fail VLAN is configured on a port.

You must enable the 802.1X multicast trigger function for an Auth-Fail VLAN to take effect on a port that performs port-based access control.

When you change the access control method from port-based to MAC-based on a port that is in an Auth-Fail VLAN, the port is removed from the Auth-Fail VLAN.

To delete a VLAN that has been configured as an Auth-Fail VLAN, you must remove the Auth-Fail VLAN configuration first.

Related commands: dot1x and dot1x port-method.

Examples

# Configure VLAN 3 as the Auth-Fail VLAN for port GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface GigabitEthernet 3/1/1

[Sysname-GigabitEthernet3/1/1] dot1x auth-fail vlan 3

dot1x cops

Syntax

dot1x cops cops-scheme-name

undo dot1x cops

View

System view

Default level

2: System level

Parameters

cops-scheme-name: COPS scheme name, a case-insensitive string of 1 to 32 characters. This COPS scheme must already exist.

Description

Use the dot1x cops command to specify a COPS scheme for 802.1X, so the device sends authorization requests to the policy server for 802.1X users.

Use the undo dot1x cops command to remove the reference.

By default, no COPS scheme is specified for 802.1X.

Before you specify a COPS scheme for 802.1X, make sure that the device has been configured with the PEP ID, and the COPS scheme has been configured with the PDP.

If you modify the COPS scheme being used by 802.1X, you must remove the COPS scheme from 802.1X and specify the COPS scheme again so the modification can take effect for 802.1X users.

Related commands: cops scheme.

Examples

# Configure 802.1X to reference COPS scheme cops1.

<Sysname> system-view

[Sysname] cops id 192.168.0.77

[Sysname] cops scheme cops1

[Sysname-cops-cops1] server ipv4 192.168.0.7 port 3288

[Sysname-cops-cops1] quit

[Sysname] dot1x cops cops1

dot1x domain-delimiter

Syntax

dot1x domain-delimiter string

undo dot1x domain-delimiter

View

System view

Default level

2: System level

Parameters

string: Specifies a set of 1 to 16 domain name delimiters for 802.1X users. No space is required between delimiters. Available delimiters include the at sign (@), backslash (\), and forward slash (/).

Description

Use the dot1x domain-delimiter command to specify a set of domain name delimiters supported by the access device. Any character in the configured set can be used as the domain name delimiter for 802.1X authentication users.

Use the undo dot1x domain-delimiter command to restore the default.

By default, the access device supports only the at sign (@) delimiter for 802.1X users.

The delimiter set you configured overrides the default setting. If @ is not included in the delimiter set, the access device will not support the 802.1X users that use @ as the domain name delimiter.

If a username string contains multiple configured delimiters, the leftmost delimiter is the domain name delimiter. For example, if you configure @, /, and \ as delimiters, the domain name delimiter for the username string 123/22\@abc is the forward slash (/).

The cut connection user-name user-name and display connection user-name user-name commands are not available for 802.1X users that use / or \ as the domain name delimiter. For more information about the two commands, see the chapter “AAA configuration commands.”
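The leftmost-delimiter rule described above, implemented as an added Python example (not the device's code). validate_delimiter_set, domain_delimiter and supports_cut_by_username are names chosen here; the checks on the delimiter set follow the parameter description, and supports_cut_by_username encodes the restriction on cut connection user-name and display connection user-name.

```python
from typing import Optional, Tuple

# Example code, not from the H3C manual: delimiter-set validation and the
# "leftmost configured delimiter wins" rule for 802.1X usernames.
ALLOWED_DELIMITERS = {"@", "/", "\\"}
DEFAULT_DELIMITERS = "@"   # default set: only the at sign


def validate_delimiter_set(configured: str) -> str:
    """Reject sets outside the 1 to 16 character rule or using other characters."""
    if not 1 <= len(configured) <= 16:
        raise ValueError("delimiter set must contain 1 to 16 characters")
    unknown = set(configured) - ALLOWED_DELIMITERS
    if unknown:
        raise ValueError(f"unsupported delimiter(s): {''.join(sorted(unknown))}")
    return configured


def domain_delimiter(username: str,
                     configured: str = DEFAULT_DELIMITERS) -> Tuple[Optional[str], int]:
    """Return (delimiter, position) of the leftmost configured delimiter in username.

    (None, -1) means no configured delimiter occurs in the name; a name that
    uses '@' when '@' was dropped from the configured set lands here.
    """
    configured = validate_delimiter_set(configured)
    hits = [(username.index(d), d) for d in set(configured) if d in username]
    if not hits:
        return None, -1
    pos, delim = min(hits)      # smallest position = leftmost delimiter
    return delim, pos


def supports_cut_by_username(username: str,
                             configured: str = DEFAULT_DELIMITERS) -> bool:
    """cut/display connection user-name are unavailable for users delimited by / or \\."""
    delim, _ = domain_delimiter(username, configured)
    return delim not in ("/", "\\")
```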

Examples

# Specify the characters @, /, and \ as domain name delimiters.

<Sysname> system-view

[Sysname] dot1x domain-delimiter @\/

dot1x guest-vlan

Syntax

In system view:

dot1x guest-vlan guest-vlan-id [ interface interface-list ]

undo dot1x guest-vlan [ interface interface-list ]

In interface view:

dot1x guest-vlan guest-vlan-id

undo dot1x guest-vlan

View

System view, Ethernet interface view

Default level

2: System level

Parameters

guest-vlan-id: Specifies the ID of the VLAN to be specified as the 802.1X guest VLAN, in the range of 1 to 4094. It must already exist.

interface interface-list: Specifies a port list. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } & <1-10>, where interface-type represents the port type, interface-number represents the port number, and & <1-10> means that you can provide up to 10 ports or port ranges. The start port number must be smaller than the end number and the two ports must be of the same type. If no interface is specified, you configure an 802.1X guest VLAN for all Layer 2 Ethernet ports.

Description

Use the dot1x guest-vlan command to configure an 802.1X guest VLAN for the specified or all ports.

Use the undo dot1x guest-vlan command to remove the 802.1X guest VLAN on the specified or all ports.

By default, no 802.1X guest VLAN is configured on a port.

You must enable 802.1X for an 802.1X guest VLAN to take effect.

To have the 802.1X guest VLAN take effect, complete the following tasks:

· Enable 802.1X both globally and on the interface.

· If the port performs port-based access control, enable the 802.1X multicast trigger function.

When you change the access control method from port-based to MAC-based on a port that is in a guest VLAN, the port is removed from the guest VLAN.

To delete a VLAN that has been configured as a guest VLAN, you must remove the guest VLAN configuration first.

Related commands: dot1x, dot1x port-method, and dot1x multicast-trigger; mac-vlan enable and display mac-vlan (Layer 2 - LAN Switching Command Reference).

Examples

# Specify VLAN 999 as the 802.1X guest VLAN for port GigabitEthernet 2/1/1.

<Sysname> system-view

[Sysname] dot1x guest-vlan 999 interface GigabitEthernet 2/1/1

# Specify VLAN 10 as the 802.1X guest VLAN for ports GigabitEthernet 2/1/2 to GigabitEthernet 2/1/5.

<Sysname> system-view

[Sysname] dot1x guest-vlan 10 interface GigabitEthernet 2/1/2 to GigabitEthernet 2/1/5

# Specify VLAN 7 as the 802.1X guest VLAN for all ports.

<Sysname> system-view

[Sysname] dot1x guest-vlan 7

# Specify VLAN 3 as the 802.1X guest VLAN for port GigabitEthernet 2/1/7.

<Sysname> system-view

[Sysname] interface GigabitEthernet 2/1/7

[Sysname-GigabitEthernet2/1/7] dot1x guest-vlan 3

dot1x handshake

Syntax

dot1x handshake

undo dot1x handshake

View

Ethernet Interface view

Default level

2: System level

Parameters

None

Description

Use the dot1x handshake command to enable the online user handshake function. The function enables the device to periodically send handshake messages to the client to check whether a user is online.

Use the undo dot1x handshake command to disable the function.

By default, the function is enabled.

The 802.1X proxy detection function depends on the online user handshake function. Enable handshake before enabling proxy detection and disable proxy detection before disabling handshake.

H3C recommends that you use the iNode client software to guarantee the normal operation of the online user handshake function.

Examples

# Enable the online user handshake function.

<Sysname> system-view

[Sysname] interface GigabitEthernet 2/1/4

[Sysname-GigabitEthernet2/1/4] dot1x handshake

dot1x handshake secure

Syntax

dot1x handshake secure

undo dot1x handshake secure

View

Ethernet Interface view

Default level

2: System level

Parameters

None

Description

Use the dot1x handshake secure command to enable the online user handshake security function. The function enables the device to prevent users from using illegal client software.

Use the undo dot1x handshake secure command to disable the function.

By default, the function is disabled.

The online user handshake security function is implemented based on the online user handshake function. To bring the security function into effect, make sure the online user handshake function is enabled.

H3C recommends you use the iNode client software and iMC server to guarantee the normal operation of the online user handshake security function.

Related commands: dot1x handshake.

Examples

# Enable the online user handshake security function.

<Sysname> system-view

[Sysname] interface GigabitEthernet 3/1/4

[Sysname-GigabitEthernet3/1/4] port link-mode bridge

[Sysname-GigabitEthernet3/1/4] dot1x handshake secure

dot1x mandatory-domain

Syntax

dot1x mandatory-domain domain-name

undo dot1x mandatory-domain

View

Ethernet Interface view

Default level

2: System level

Parameters

domain-name: Specifies the ISP domain name, a case-insensitive string of 1 to 24 characters. The specified domain must already exist.

Description

Use the dot1x mandatory-domain command to specify a mandatory 802.1X authentication domain on a port.

Use the undo dot1x mandatory-domain command to remove the mandatory authentication domain.

By default, no mandatory authentication domain is specified.

When authenticating an 802.1X user trying to access the port, the system selects an authentication domain in the following order: the mandatory domain, the ISP domain specified in the username, and the default ISP domain.

To display or cut all 802.1X connections in a mandatory domain, use the display connection domain isp-name or cut connection domain isp-name command. The output of the display connection command without any parameters displays domain names input by users at login. For more information about the display connection command or the cut connection command, see the chapter “AAA configuration commands.”

Related commands: display dot1x.

Examples

# Configure the mandatory authentication domain my-domain for 802.1X users on GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface GigabitEthernet 3/1/1

[Sysname-GigabitEthernet3/1/1] dot1x mandatory-domain my-domain

# After 802.1X user usera passes authentication, execute the display connection command to display the user connection information on GigabitEthernet 3/1/1. For more information about the display connection command, see the chapter “AAA configuration commands.”

[Sysname-GigabitEthernet3/1/1] display connection interface GigabitEthernet 3/1/1

slot:  3

Index=68  ,Username=usera@my-domain

IP=3.3.3.3

IPv6=N/A

MAC=0015-e9a6-7cfe

Total 1 connection(s) matched on slot 3.

Total 1 connection(s) matched.

dot1x max-user

Syntax

In system view:

dot1x max-user user-number [ interface interface-list ]

undo dot1x max-user [ interface interface-list ]

In Ethernet interface view:

dot1x max-user user-number

undo dot1x max-user

View

System view, Ethernet interface view

Default level

2: System level

Parameters

user-number: Specifies the maximum number of concurrent 802.1X users on a port.

interface interface-list: Specifies an Ethernet port list, which can contain multiple Ethernet ports. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } & <1-10>, where interface-type represents the port type, interface-number represents the port number, and & <1-10> means that you can provide up to 10 ports or port ranges. The start port number must be smaller than the end number and the two ports must be of the same type.

Description

Use the dot1x max-user command to set the maximum number of concurrent 802.1X users on a port.

Use the undo dot1x max-user command to restore the default.

By default, a port supports up to 1024 concurrent 802.1X users.

In system view:

· If you do not specify the interface-list argument, the command applies to all ports.

· If you specify the interface-list argument, the command applies to the specified ports.

In Ethernet interface view, the interface-list argument is not available and the command applies only to the current Ethernet port.

Related commands: display dot1x.

Examples

# Set the maximum number of concurrent 802.1X users on port GigabitEthernet 2/1/1 to 32.

<Sysname> system-view

[Sysname] dot1x max-user 32 interface GigabitEthernet 2/1/1

Or

<Sysname> system-view

[Sysname] interface GigabitEthernet 2/1/1

[Sysname-GigabitEthernet2/1/1] dot1x max-user 32

# Configure GigabitEthernet 2/1/2 through GigabitEthernet 2/1/5 each to support a maximum of 32 concurrent 802.1X users.

<Sysname> system-view

[Sysname] dot1x max-user 32 interface GigabitEthernet 2/1/2 to GigabitEthernet 2/1/5

dot1x multicast-trigger

Syntax

dot1x multicast-trigger

undo dot1x multicast-trigger

View

Ethernet interface view

Default level

2: System level

Parameters

None

Description

Use the dot1x multicast-trigger command to enable the 802.1X multicast trigger function. The device acts as the initiator and periodically multicasts EAP-Request/Identity packets to the clients.

Use the undo dot1x multicast-trigger command to disable the function.

By default, the multicast trigger function is enabled.

Related commands: display dot1x.

Examples

# Enable the multicast trigger function on interface GigabitEthernet 2/1/1.

<Sysname> system-view

[Sysname] interface GigabitEthernet 2/1/1

[Sysname-GigabitEthernet2/1/1] dot1x multicast-trigger

dot1x port-control

Syntax

In system view:

dot1x port-control { authorized-force | auto | unauthorized-force } [ interface interface-list ]

undo dot1x port-control [ interface interface-list ]

In Ethernet interface view:

dot1x port-control { authorized-force | auto | unauthorized-force }

undo dot1x port-control

View

System view, Ethernet interface view

Default level

2: System level

Parameters

authorized-force: Places the specified or all ports in authorized state, enabling users on the ports to access the network without authentication.

auto: Places the specified or all ports initially in unauthorized state to allow only EAPOL packets to pass, and after a user passes authentication, sets the port in authorized state to allow access to the network. You can use this option in most scenarios.

unauthorized-force: Places the specified or all ports in unauthorized state, denying any access requests from users on the ports.

interface interface-list: Specifies an Ethernet port list, which can contain multiple Ethernet ports. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } & <1-10>, where interface-type represents the port type, interface-number represents the port number, and & <1-10> means that you can provide up to 10 ports or port ranges. The start port number must be smaller than the end number and the two ports must be of the same type.

Description

Use the dot1x port-control command to set the authorization state for the specified or all ports.

Use the undo dot1x port-control command to restore the default.

The default port authorization state is auto.

In system view, if no interface-list argument is specified, the command applies to all ports.

Related commands: display dot1x.

Examples

# Set the authorization state of port GigabitEthernet 2/1/1 to unauthorized-force.

<Sysname> system-view

[Sysname] dot1x port-control unauthorized-force interface GigabitEthernet 2/1/1

Or

<Sysname> system-view

[Sysname] interface GigabitEthernet 2/1/1

[Sysname-GigabitEthernet2/1/1] dot1x port-control unauthorized-force

# Set the authorization state of ports GigabitEthernet 3/1/2 through GigabitEthernet 3/1/5 to unauthorized-force.

<Sysname> system-view

[Sysname] dot1x port-control unauthorized-force interface GigabitEthernet 3/1/2 to GigabitEthernet 3/1/5

dot1x port-method

Syntax

In system view:

dot1x port-method { macbased | portbased } [ interface interface-list ]

undo dot1x port-method [ interface interface-list ]

In Ethernet interface view:

dot1x port-method { macbased | portbased }

undo dot1x port-method

View

System view, Ethernet interface view

Default level

2: System level

Parameters

macbased: Uses MAC-based access control on a port to separately authenticate each user attempting to access the network. In this approach, when an authenticated user logs off, no other online users are affected.

portbased: Uses port-based access control on a port. In this approach, once an 802.1X user passes authentication on the port, any subsequent user can access the network through the port without authentication. When the authenticated user logs off, all other users are logged off.

interface interface-list: Specifies an Ethernet port list, which can contain multiple Ethernet ports. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } & <1-10>, where interface-type represents the port type, interface-number represents the port number, and & <1-10> means that you can provide up to 10 ports or port ranges. The start port number must be smaller than the end number and the two ports must be of the same type.

Description

Use the dot1x port-method command to specify an access control method for the specified or all ports.

Use the undo dot1x port-method command to restore the default.

By default, MAC-based access control applies.

In system view, if no interface-list argument is specified, the command applies to all ports.

Related commands: display dot1x.

Examples

# Configure port GigabitEthernet 2/1/1 to implement port-based access control.

<Sysname> system-view

[Sysname] dot1x port-method portbased interface GigabitEthernet 2/1/1

Or

<Sysname> system-view

[Sysname] interface GigabitEthernet 2/1/1

[Sysname-GigabitEthernet2/1/1] dot1x port-method portbased

# Configure ports GigabitEthernet 3/1/2 through GigabitEthernet 3/1/5 to implement port-based access control.

<Sysname> system-view

[Sysname] dot1x port-method portbased interface GigabitEthernet 3/1/2 to GigabitEthernet 3/1/5

dot1x quiet-period

Syntax

dot1x quiet-period

undo dot1x quiet-period

View

System view

Default level

2: System level

Parameters

None

Description

Use the dot1x quiet-period command to enable the quiet timer. When a client fails 802.1X authentication, the device must wait a period of time before it can process authentication requests from the client.

Use the undo dot1x quiet-period command to disable the timer.

By default, the quiet timer is disabled.

Related commands: display dot1x and dot1x timer.

Examples

# Enable the quiet timer.

<Sysname> system-view

[Sysname] dot1x quiet-period

dot1x re-authenticate

Syntax

dot1x re-authenticate

undo dot1x re-authenticate

View

Ethernet interface view

Default level

2: System level

Parameters

None

Description

Use the dot1x re-authenticate command to enable the periodic online user re-authentication function.

Use the undo dot1x re-authenticate command to disable the function.

By default, the periodic online user re-authentication function is disabled.

Periodic re-authentication enables the access device to periodically authenticate online 802.1X users on a port. This function tracks the connection status of online users and updates the authorization attributes assigned by the server, such as the VLAN.

You can use the dot1x timer reauth-period command to configure the interval for re-authentication.

Related commands: dot1x timer reauth-period.

Examples

# Enable the 802.1X periodic online user re-authentication function on GigabitEthernet 3/1/1 and set the periodic re-authentication interval to 1800 seconds.

<Sysname> system-view

[Sysname] dot1x timer reauth-period 1800

[Sysname] interface GigabitEthernet 3/1/1

[Sysname-GigabitEthernet3/1/1] dot1x re-authenticate

dot1x retry

Syntax

dot1x retry max-retry-value

undo dot1x retry

View

System view

Default level

2: System level

Parameters

max-retry-value: Specifies the maximum number of attempts for sending an authentication request to a client, in the range of 1 to 10.

Description

Use the dot1x retry command to set the maximum number of attempts for sending an authentication request to a client.

Use the undo dot1x retry command to restore the default.

By default, the device sends an authentication request to a client twice at most.

After the network access device sends an authentication request to a client, if it receives no response before the applicable timer expires, the device retransmits the request. The username request timeout timer (set with the dot1x timer tx-period tx-period-value command) applies to EAP-Request/Identity packets, and the client timeout timer (set with the dot1x timer supp-timeout supp-timeout-value command) applies to EAP-Request/MD5 Challenge packets. The network access device stops retransmitting the request when it has made the maximum number of transmission attempts and still received no response.

This command applies to all ports of the device.

Related commands: display dot1x.

Examples

# Set the maximum number of attempts for sending an authentication request to a client as 9.

<Sysname> system-view

[Sysname] dot1x retry 9

dot1x supp-proxy-check

Syntax

In system view:

dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]

undo dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]

In Ethernet interface view:

dot1x supp-proxy-check { logoff | trap }

undo dot1x supp-proxy-check { logoff | trap }

View

System view, Ethernet interface view

Default level

2: System level

Parameters

logoff: Logs off a user accessing the network through a proxy.

trap: Sends a trap to the network management system when a user is detected accessing the network through a proxy.

interface interface-list: Specifies an Ethernet port list, which can contain multiple Ethernet ports. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } & <1-10>, where interface-type represents the port type, interface-number represents the port number, and & <1-10> means that you can provide up to 10 ports or port ranges. The start port number must be smaller than the end number and the two ports must be of the same type.

Description

Use the dot1x supp-proxy-check command to enable the proxy detection function and set the processing method on the specified ports or all ports.

Use the undo dot1x supp-proxy-check command to disable the function on the specified ports or all ports.

By default, the proxy detection function is disabled, and a user can use an authenticated 802.1X client as a network access proxy so that traffic from other hosts bypasses monitoring and accounting.

This function requires the cooperation of the iNode client software.

In system view:

·           If you do not specify the interface-list argument, the command applies to all ports.

·           If you specify the interface-list argument, the command applies to the specified ports.

In Ethernet interface view, the interface-list argument is not available and the command applies only to the current Ethernet port.

The proxy detection function must be enabled both globally in system view and for the intended ports in system view or Ethernet interface view. Otherwise, it does not work.

Related commands: display dot1x.

Examples

# Configure ports GigabitEthernet 3/1/1 to 3/1/8 to log off users accessing the network through a proxy.

<Sysname> system-view

[Sysname] dot1x supp-proxy-check logoff

[Sysname] dot1x supp-proxy-check logoff interface GigabitEthernet 3/1/1 to GigabitEthernet 3/1/8

# Configure port GigabitEthernet 3/1/9 to send a trap when a user is detected accessing the network through a proxy.

<Sysname> system-view

[Sysname] dot1x supp-proxy-check trap

[Sysname] dot1x supp-proxy-check trap interface GigabitEthernet 3/1/9

Or

<Sysname> system-view

[Sysname] dot1x supp-proxy-check trap

[Sysname] interface GigabitEthernet 3/1/9

[Sysname-GigabitEthernet3/1/9] port link-mode bridge

[Sysname-GigabitEthernet3/1/9] dot1x supp-proxy-check trap

dot1x timer

Syntax

dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | reauth-period reauth-period-value | server-timeout server-timeout-value | supp-timeout supp-timeout-value | tx-period tx-period-value }

undo dot1x timer { handshake-period | quiet-period | reauth-period | server-timeout | supp-timeout | tx-period }

View

System view

Default level

2: System level

Parameters

handshake-period-value: Sets the handshake timer in seconds. It is in the range of 5 to 1024.

quiet-period-value: Sets the quiet timer in seconds. It is in the range of 10 to 120.

reauth-period-value: Sets the periodic re-authentication timer in seconds. It is in the range of 60 to 7200.

server-timeout-value: Sets the server timeout timer in seconds. It is in the range of 100 to 300.

supp-timeout-value: Sets the client timeout timer in seconds. It is in the range of 1 to 120.

tx-period-value: Sets the username request timeout timer in seconds. It is in the range of 10 to 120.

Description

Use the dot1x timer command to set 802.1X timers.

Use the undo dot1x timer command to restore the defaults.

By default, the handshake timer is 15 seconds, the quiet timer is 60 seconds, the periodic re-authentication timer is 3600 seconds, the server timeout timer is 100 seconds, the client timeout timer is 30 seconds, and the username request timeout timer is 30 seconds.

You can set the client timeout timer to a high value in a low-performance network, set the quiet timer to a high value in a network exposed to repeated failed logins (so that a client that fails authentication is held off longer) or to a low value for quicker authentication response, or adjust the server timeout timer to adapt to the performance of different authentication servers. In most cases, the default settings are sufficient.

The network device uses the following 802.1X timers:

·           Handshake timer (handshake-period)—Sets the interval at which the access device sends client handshake requests to check the online status of a client that has passed authentication. If the device receives no response after sending the maximum number of handshake requests, it considers that the client has logged off.

·           Quiet timer (quiet-period)—Starts when a client fails authentication. The access device must wait the time period before it can process the authentication attempts from the client.

·           Periodic re-authentication timer (reauth-period)—Sets the interval at which the network device periodically re-authenticates online 802.1X users. To enable periodic online user re-authentication on a port, use the dot1x re-authenticate command. The change to the periodic re-authentication timer does not apply to the users that are already online until the old timer expires.

·           Server timeout timer (server-timeout)—Starts when the access device sends a RADIUS Access-Request packet to the authentication server. If no response is received when this timer expires, the access device retransmits the request to the server.

·           Client timeout timer (supp-timeout)—Starts when the access device sends an EAP-Request/MD5 Challenge packet to a client. If no response is received when this timer expires, the access device retransmits the request to the client.

·           Username request timeout timer (tx-period)—Starts when the device sends an EAP-Request/Identity packet to a client in response to an authentication request. If the device receives no response before this timer expires, it retransmits the request. The timer also sets the interval at which the network device sends multicast EAP-Request/Identity packets to detect clients that cannot actively request authentication.
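The following Python model is an added illustration and is not part of the H3C command reference or the device software. It models one port's authenticator as described under dot1x retry and in the timer list above: each request is transmitted up to max-retry-value times at the interval of the matching timer (tx-period for EAP-Request/Identity, supp-timeout for EAP-Request/MD5 Challenge), and when the quiet timer is enabled a client that fails authentication is held off for quiet-period-value seconds. The split of the exchange into an identity phase and a challenge phase, the instantaneous RADIUS reply, and the three supplicant behaviours are assumptions made for the example. It shows how long a silent or half-responsive client occupies a port before the device gives up, and how many wrong-password attempts one client can complete per hour with the quiet timer off and on.

```python
"""Model of the 802.1X authenticator timers described on this page.

Added example, not H3C code.  Timer semantics follow the dot1x retry,
dot1x timer and dot1x quiet-period descriptions; the phase split and the
supplicant behaviours are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass
class Dot1xTimers:
    """Defaults match the dot1x timer and dot1x retry defaults on this page."""
    tx_period: float = 30.0       # EAP-Request/Identity retransmit interval
    supp_timeout: float = 30.0    # EAP-Request/MD5 Challenge retransmit interval
    quiet_period: float = 60.0    # hold-down after a failed authentication
    max_retry: int = 2            # total transmissions of one request (dot1x retry)
    quiet_enabled: bool = False   # dot1x quiet-period is disabled by default


# A supplicant is a function: request kind -> reply delay in seconds,
# or None when the client never answers that request (assumption).
Supplicant = Callable[[str], Optional[float]]

IDENTITY = "EAP-Request/Identity"
CHALLENGE = "EAP-Request/MD5 Challenge"


@dataclass
class Outcome:
    result: str                  # "authenticated", "timeout" or "failed"
    elapsed: float               # seconds from the first request to the result
    trace: List[Tuple[float, str]] = field(default_factory=list)


def _request_phase(kind, interval, max_retry, supplicant, t, trace):
    """Transmit `kind` up to max_retry times, `interval` seconds apart.

    Returns (time, True) when a reply arrives before the timer expires,
    or (time, False) once the authenticator has used up all attempts.
    """
    for attempt in range(1, max_retry + 1):
        trace.append((t, f"send {kind} (attempt {attempt}/{max_retry})"))
        delay = supplicant(kind)
        if delay is not None and delay < interval:
            t += delay
            trace.append((t, f"reply to {kind}"))
            return t, True
        t += interval                    # timer expired with no usable reply
    trace.append((t, f"gave up on {kind} after {max_retry} attempts"))
    return t, False


def authenticate(supplicant, timers, password_ok, t0=0.0):
    """Run one authentication exchange on a port starting at time t0."""
    trace = []
    t, ok = _request_phase(IDENTITY, timers.tx_period, timers.max_retry,
                           supplicant, t0, trace)
    if not ok:
        return Outcome("timeout", t - t0, trace)
    t, ok = _request_phase(CHALLENGE, timers.supp_timeout, timers.max_retry,
                           supplicant, t, trace)
    if not ok:
        return Outcome("timeout", t - t0, trace)
    # RADIUS round trip modeled as instantaneous (assumption); the page's
    # server-timeout timer governs retransmission to the server.
    verdict = "Access-Accept" if password_ok else "Access-Reject"
    trace.append((t, f"RADIUS Access-Request -> {verdict}"))
    return Outcome("authenticated" if password_ok else "failed", t - t0, trace)


def wrong_password_attempts(supplicant, timers, seconds=3600.0):
    """Count failed logins one client can complete on a port within `seconds`.

    With the quiet timer disabled the rate is bounded only by how fast the
    exchange completes; with it enabled each failure costs quiet_period extra.
    """
    t, attempts = 0.0, 0
    while True:
        out = authenticate(supplicant, timers, password_ok=False, t0=t)
        if out.elapsed <= 0:
            raise ValueError("supplicant must take time to reply")
        t += out.elapsed
        if t > seconds:
            return attempts
        attempts += 1
        if timers.quiet_enabled:
            t += timers.quiet_period     # port held until the quiet timer expires


# Constructed supplicant behaviours used for the demonstration.
def prompt_supplicant(kind):            # answers every request after 0.5 s
    return 0.5

def silent_supplicant(kind):            # ignores EAPOL entirely
    return None

def identity_only_supplicant(kind):     # answers Identity, never the challenge
    return 0.5 if kind == IDENTITY else None


if __name__ == "__main__":
    defaults, quiet_on = Dot1xTimers(), Dot1xTimers(quiet_enabled=True)
    for name, supp in [("silent", silent_supplicant),
                       ("identity-only", identity_only_supplicant)]:
        out = authenticate(supp, defaults, password_ok=True)
        print(f"{name:14s} -> {out.result} after {out.elapsed:.1f} s")
    print("failed logins/hour, quiet timer off:",
          wrong_password_attempts(prompt_supplicant, defaults))
    print("failed logins/hour, quiet timer on (60 s):",
          wrong_password_attempts(prompt_supplicant, quiet_on))
```

With the defaults on this page (dot1x retry 2, tx-period 30, supp-timeout 30), a silent client holds the exchange for 60 seconds and a client that answers only the Identity request for 60.5 seconds; raising dot1x retry to 9 stretches the silent case to 270 seconds. With the quiet timer disabled, a client answering in 0.5 seconds can run on the order of 3600 failed logins per hour against the port; enabling dot1x quiet-period with the default 60-second timer cuts that to 60, and the maximum quiet-period-value of 120 to 30.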

Related commands: display dot1x.

Examples

# Set the server timeout timer to 150 seconds.

<Sysname> system-view

[Sysname] dot1x timer server-timeout 150

dot1x unicast-trigger

Syntax

dot1x unicast-trigger

undo dot1x unicast-trigger

View

Ethernet interface view

Default level

2: System level

Parameters

None

Description

Use the dot1x unicast-trigger command to enable the 802.1X unicast trigger function.

Use the undo dot1x unicast-trigger command to disable the function.

By default, the unicast trigger function is disabled.

The unicast trigger function enables the network device to initiate 802.1X authentication when it receives a data frame from an unknown source MAC address. The device resends the packet if it receives no response within a period of time (set with the dot1x timer supp-timeout command). This process continues until the maximum number of retries (set with the dot1x retry command) is reached.

Related commands: display dot1x, dot1x timer supp-timeout, and dot1x retry.

Examples

# Enable the unicast trigger function for interface GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface GigabitEthernet 3/1/1

[Sysname-GigabitEthernet3/1/1] dot1x unicast-trigger

reset dot1x statistics

Syntax

reset dot1x statistics [ interface interface-list ]

View

User view

Default level

2: System level

Parameters

interface interface-list: Specifies an Ethernet port list, which can contain multiple Ethernet ports. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } & <1-10>, where interface-type represents the port type, interface-number represents the port number, and & <1-10> means that you can provide up to 10 ports or port ranges. The start port number must be smaller than the end number and the two ports must be of the same type.

Description

Use the reset dot1x statistics command to clear 802.1X statistics.

If a list of ports is specified, the command clears 802.1X statistics for all the specified ports. If no ports are specified, the command clears all 802.1X statistics.

Related commands: display dot1x.

Examples

# Clear 802.1X statistics on port GigabitEthernet 2/1/1.

<Sysname> reset dot1x statistics interface GigabitEthernet 2/1/1
