Chapter 1
802.1x Configuration Commands
1.1.1 display dot1x
Syntax
display dot1x [ sessions | statistics ] [ interface interface-list ]
View
Any view
Parameter
sessions: Displays information about 802.1x sessions.
statistics: Displays 802.1x statistics.
interface: Displays 802.1x-related information about the specified ports only.
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form interface-list = { interface-name [ to interface-name ] } &<1-10>. The interface-name argument is the port index of an Ethernet port, in the form interface-name = { interface-type interface-num }, where interface-type is the type of the Ethernet port and interface-num is the port number. The interface name after the keyword to must have an interface-num greater than or equal to that of the interface-name before to. The string "&<1-10>" means that up to 10 port indexes or port index lists can be provided.
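For scripts that generate or check switch configuration, the interface-list grammar above is easy to get wrong (a range whose second port is lower than its first, or more than 10 items). The following expander is an added example, not H3C code; it assumes that items are separated by whitespace and that a "to" range stays within one interface type and slot, with only the last number varying.

```python
"""Expand an 802.1x interface-list argument into individual port names.

Added example, not H3C code. Applies the rules documented above: each
item is a single port or "<port> to <port>", the port after "to" must not
be lower than the one before it, and at most 10 items may be given.
Assumption: items are whitespace-separated and a range stays within one
interface type and slot (only the last number varies).
"""
import re

# 'Ethernet1/0/1' -> type 'Ethernet', numbers '1/0/1'
NAME = re.compile(r"^([A-Za-z][A-Za-z-]*?)(\d+(?:/\d+)*)$")


def _parse_name(token):
    """'Ethernet1/0/1' -> ('Ethernet', (1, 0, 1))."""
    m = NAME.match(token)
    if not m:
        raise ValueError(f"bad interface name: {token!r}")
    return m.group(1), tuple(int(x) for x in m.group(2).split("/"))


def _format_name(itype, nums):
    return itype + "/".join(str(n) for n in nums)


def expand_interface_list(text, max_items=10):
    """Return the ports named by an interface-list such as
    'Ethernet 1/0/1 to Ethernet 1/0/3 Ethernet 1/0/9'."""
    # The CLI accepts "Ethernet 1/0/1" but prints "Ethernet1/0/1"; fold the
    # space so that every interface name is a single token.
    tokens = re.sub(r"([A-Za-z])\s+(\d)", r"\1\2", text.strip()).split()
    items, i = [], 0
    while i < len(tokens):
        low = _parse_name(tokens[i])
        i += 1
        high = low
        if i < len(tokens) and tokens[i].lower() == "to":
            if i + 1 >= len(tokens):
                raise ValueError("'to' must be followed by an interface name")
            high = _parse_name(tokens[i + 1])
            i += 2
        items.append((low, high))
    if len(items) > max_items:
        raise ValueError(f"at most {max_items} port indexes/lists allowed, got {len(items)}")

    ports = []
    for (t1, n1), (t2, n2) in items:
        if t1 != t2 or n1[:-1] != n2[:-1]:
            raise ValueError(f"range {_format_name(t1, n1)} to {_format_name(t2, n2)} "
                             "must stay within one interface type and slot")
        if n2[-1] < n1[-1]:
            raise ValueError("the interface after 'to' must not be lower than the one before it")
        for k in range(n1[-1], n2[-1] + 1):
            ports.append(_format_name(t1, n1[:-1] + (k,)))
    return ports


if __name__ == "__main__":
    print(expand_interface_list("Ethernet 1/0/1 to Ethernet 1/0/3 Ethernet 1/0/9"))
```

Validating the list before it is sent keeps a typo such as a reversed range from being silently rejected by the switch halfway through a batch of per-port dot1x commands.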
Description
Use the display dot1x command to display 802.1x-related information: configuration, operation information (session information), and statistics.
When the interface-list argument is not provided, this command displays 802.1x-related information about all ports.
The output can be used to verify 802.1x-related configurations and to troubleshoot. In particular, check that 802.1x is reported as enabled both globally ("Equipment 802.1X protocol is enabled") and on each port you expect to be protected, since port settings take effect only when both are enabled.
Related commands: reset dot1x statistics, dot1x, dot1x retry, dot1x max-user, dot1x port-control, dot1x port-method, and dot1x timer.
Example
# Display 802.1x-related information.
<H3C> display dot1x
Equipment 802.1X protocol is enabled
CHAP authentication is enabled
DHCP-launch is enabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
Configuration: Transmit Period 30 s, Handshake Period 15 s
Quiet Period 60 s, Quiet Period Timer is disabled
Supp Timeout 30 s, Server Timeout 100 s
Interval between version requests is 30s
Maximal request times for version information is 3
The maximal retransmitting times 2
Total maximum 802.1x user resource number is 1024
Total current used 802.1x resource number is 1
Ethernet1/0/1 is link-down
802.1X protocol is disabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
Version-Check is disabled
The port is an authenticator
Authentication Mode is Auto
Port Control Type is Mac-based
Max number of on-line users is 256
Authentication Success: 0, Failed: 0
EAPOL Packets: Tx 0, Rx 0
Sent EAP Request/Identity Packets : 0
EAP Request/Challenge Packets: 0
Received EAPOL Start Packets : 0
EAPOL LogOff Packets: 0
EAP Response/Identity Packets : 0
EAP Response/Challenge Packets: 0
Error Packets: 0
Controlled User(s) amount to 0
Ethernet1/0/2 is link-down
802.1X protocol is disabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
Version-Check is disabled
The port is an authenticator
Authentication Mode is Auto
Port Control Type is Mac-based
Max number of on-line users is 256
Authentication Success: 0, Failed: 0
EAPOL Packets: Tx 0, Rx 0
Sent EAP Request/Identity Packets : 0
EAP Request/Challenge Packets: 0
Received EAPOL Start Packets : 0
EAPOL LogOff Packets: 0
EAP Response/Identity Packets : 0
EAP Response/Challenge Packets: 0
Error Packets: 0
Controlled User(s) amount to 0
Ethernet1/0/3
……
Table 1-1 Description on the fields of the display dot1x command

| Field | Description |
| --- | --- |
| Equipment 802.1X protocol is enabled | 802.1x (802.1X for short) is enabled globally on the switch. |
| CHAP authentication is enabled | CHAP is the configured 802.1x authentication method (see dot1x authentication-method). |
| DHCP-launch is enabled | DHCP-triggered 802.1x authentication is enabled (see dot1x dhcp-launch). |
| Proxy trap checker is disabled | Whether the switch sends Trap packets when it detects that a supplicant system logs in through a proxy. Disable: no Trap packets are sent. Enable: Trap packets are sent. |
| Proxy logoff checker is disabled | Whether the switch disconnects a supplicant system when it detects that the supplicant system logs in through a proxy. Disable: the supplicant system is not disconnected. Enable: the supplicant system is disconnected. |
| Transmit Period | Setting of the transmission period timer (tx-period). |
| Handshake Period | Setting of the handshake period timer (handshake-period). |
| Quiet Period | Setting of the quiet period timer (quiet-period). |
| Quiet Period Timer is disabled | The quiet period timer is disabled. It can be enabled when necessary (see dot1x quiet-period). |
| Supp Timeout | Setting of the supplicant timeout timer (supp-timeout). |
| Server Timeout | Setting of the server timeout timer (server-timeout). |
| The maximal retransmitting times | Maximum number of times the switch sends authentication request packets to a supplicant system (see dot1x retry). |
| Total maximum 802.1x user resource number | Maximum number of 802.1x users the switch can accommodate. |
| Total current used 802.1x resource number | Number of supplicant systems currently online. |
| Ethernet1/0/1 is link-down | Link state of port Ethernet1/0/1 (link-up or link-down). The per-port fields below follow each port header. |
| 802.1X protocol is disabled | 802.1x is disabled on the port. 802.1x settings on a port take effect only when 802.1x is enabled both globally and on the port. |
| Proxy trap checker is disabled | Per-port setting: whether the switch sends Trap packets when it detects that a supplicant system on this port logs in through a proxy (Disable/Enable as above). |
| Proxy logoff checker is disabled | Per-port setting: whether the switch disconnects a supplicant system on this port when it detects that the supplicant system logs in through a proxy (Disable/Enable as above). |
| Version-Check is disabled | Whether client version checking is enabled on the port. Disable: the switch does not check the client version. Enable: the switch checks the client version. |
| The port is an authenticator | The port acts as an authenticator system. |
| Authentication Mode is Auto | The port access control mode is auto (see dot1x port-control). |
| Port Control Type is Mac-based | The port access control method is MAC-based, that is, supplicant systems are authenticated individually by MAC address (see dot1x port-method). |
| Max number of on-line users | Maximum number of online users the port can accommodate (see dot1x max-user). |
| … | Information omitted here |
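The output above is what an operator reads by hand; across many ports it is easier to parse and audit. The following parser is an added example, not H3C code. It reads the global block and the per-port blocks in the format shown, then reports the conditions that leave a port without effective 802.1x protection: 802.1x disabled globally (port settings then have no effect), a link-up port with 802.1x disabled, authorized-force mode, and port-based control with an authenticated user (which opens the port for every attached host). It assumes that the non-default modes print as "Authentication Mode is Authorized-force" / "Unauthorized-force" and "Port Control Type is Port-based"; the page itself shows only the Auto and Mac-based values. The sample output inside the block is constructed for the example.

```python
"""Parse and audit 'display dot1x' output (added example, not H3C code).

Reads the format documented above, a global block followed by one block
per port, and reports what leaves a port without effective 802.1x
protection. Assumption: non-default modes print as "Authentication Mode
is Authorized-force" / "Unauthorized-force" and "Port Control Type is
Port-based"; the page itself shows only the Auto / Mac-based values.
"""
import re

PORT_HEADER = re.compile(r"^(?P<port>\S+) is link-(?P<link>up|down)$")
GLOBAL_FIELDS = {
    "enabled": re.compile(r"^Equipment 802\.1X protocol is (enabled|disabled)"),
    "method": re.compile(r"^(CHAP|PAP|EAP) authentication is enabled"),
    "handshake_period": re.compile(r"Handshake Period (\d+) s"),
    "retry": re.compile(r"^The maximal retransmitting times (\d+)"),
}
PORT_FIELDS = {
    "enabled": re.compile(r"^802\.1X protocol is (enabled|disabled)"),
    "mode": re.compile(r"^Authentication Mode is (\S+)"),
    "control": re.compile(r"^Port Control Type is (\S+)"),
    "success": re.compile(r"^Authentication Success: (\d+), Failed: (\d+)"),
    "users": re.compile(r"^Controlled User\(s\) amount to (\d+)"),
}


def _scan(lines, fields):
    """Single-group patterns yield a string, multi-group ones a tuple."""
    found = {}
    for line in lines:
        for key, pattern in fields.items():
            m = pattern.search(line)
            if m:
                found[key] = m.group(1) if pattern.groups == 1 else m.groups()
    return found


def parse_display_dot1x(text):
    """Return (global_settings, {port_name: port_settings})."""
    global_lines, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_HEADER.match(line)
        if m:                       # a port header starts a new per-port block
            current = {"link": m.group("link"), "lines": []}
            blocks[m.group("port")] = current
        elif current is None:
            global_lines.append(line)
        else:
            current["lines"].append(line)
    ports = {}
    for name, block in blocks.items():
        ports[name] = _scan(block["lines"], PORT_FIELDS)
        ports[name]["link"] = block["link"]
    return _scan(global_lines, GLOBAL_FIELDS), ports


def dead_client_seconds(settings):
    """Time before an unresponsive online client is dropped:
    dot1x retry count x handshake-period, as documented on this page."""
    return int(settings.get("retry", 2)) * int(settings.get("handshake_period", 15))


def audit(settings, ports):
    """Findings as strings; an empty list means nothing weak was seen."""
    findings = []
    if settings.get("enabled") != "enabled":
        findings.append("global: 802.1X is disabled, so per-port 802.1x settings have no effect")
    if settings.get("method") == "PAP":
        findings.append("global: PAP in use, passwords are transmitted in plain text")
    for name, p in sorted(ports.items()):
        if p.get("enabled") != "enabled":
            if p["link"] == "up":   # live link with no authentication at all
                findings.append(f"{name}: link is up but 802.1X is disabled on the port")
            continue
        if p.get("mode", "").lower() == "authorized-force":
            findings.append(f"{name}: authorized-force, hosts get access without authenticating")
        if p.get("control", "").lower() == "port-based" and int(p.get("users", "0")) > 0:
            findings.append(f"{name}: port-based control, {p['users']} authenticated user(s) "
                            "open the port for every host attached to it")
    return findings


# Constructed sample in the format shown above (not a real capture).
SAMPLE = """\
Equipment 802.1X protocol is enabled
CHAP authentication is enabled
DHCP-launch is enabled
Configuration: Transmit Period 30 s, Handshake Period 15 s
Quiet Period 60 s, Quiet Period Timer is disabled
Supp Timeout 30 s, Server Timeout 100 s
The maximal retransmitting times 2
Total maximum 802.1x user resource number is 1024
Total current used 802.1x resource number is 1
Ethernet1/0/1 is link-up
802.1X protocol is enabled
Authentication Mode is Auto
Port Control Type is Mac-based
Authentication Success: 3, Failed: 1
Controlled User(s) amount to 1
Ethernet1/0/2 is link-up
802.1X protocol is enabled
Authentication Mode is Authorized-force
Port Control Type is Mac-based
Authentication Success: 0, Failed: 0
Controlled User(s) amount to 0
Ethernet1/0/3 is link-up
802.1X protocol is disabled
Ethernet1/0/4 is link-down
802.1X protocol is disabled
"""

if __name__ == "__main__":
    glob, ports = parse_display_dot1x(SAMPLE)
    print(f"unresponsive online clients are dropped after {dead_client_seconds(glob)} s")
    for finding in audit(glob, ports):
        print(finding)
```

Feed it the captured output of display dot1x from each switch; a link-down port with 802.1x disabled is not reported, because the finding that matters is an active link that carries traffic without authentication.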
1.1.2 dot1x
Syntax
dot1x [ interface interface-list ]
undo dot1x [ interface interface-list ]
View
System view, Ethernet port view
Parameter
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form interface-list = { interface-name [ to interface-name ] } &<1-10>. The interface-name argument is the port index of an Ethernet port, in the form interface-name = { interface-type interface-num }, where interface-type is the port type and interface-num is the port number. The interface name after the keyword to must have an interface-num greater than or equal to that of the interface-name before to. &<1-10> means that up to 10 port indexes or port index lists can be provided.
Description
Use the dot1x command to enable 802.1x globally or on specified Ethernet ports.
Use the undo dot1x command to disable 802.1x globally or on specified Ethernet ports.
By default, 802.1x is disabled globally and on all ports.
When executed in system view, the dot1x command enables 802.1x globally if you do not provide the interface-list argument, and enables 802.1x on the specified Ethernet ports if you do. When executed in Ethernet port view, the command enables 802.1x on the current Ethernet port only; the interface-list argument is not needed.
You can perform other 802.1x-related configurations (globally or on specified ports) before or after enabling 802.1x. If you have not changed any 802.1x settings when you enable 802.1x globally, the switch uses the default 802.1x settings.
802.1x-related configurations take effect on a port only after 802.1x is enabled both globally and on the port. A port on which dot1x has been configured while 802.1x is still disabled globally therefore remains unprotected; verify both levels with display dot1x.
802.1x and the maximum number of MAC addresses that a port can learn are mutually exclusive. If 802.1x is enabled on a port, you cannot also configure a maximum number of learnable MAC addresses on it; conversely, if a port has a maximum number of learnable MAC addresses configured, 802.1x cannot be enabled on it.
Related command: display dot1x.
Example
# Enable 802.1x on port Ethernet1/0/1.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] dot1x interface Ethernet 1/0/1
# Enable 802.1x globally.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] dot1x
1.1.3 dot1x authentication-method
Syntax
dot1x authentication-method { chap | pap | eap }
undo dot1x authentication-method
View
System view
Parameter
chap: Authenticates using the Challenge Handshake Authentication Protocol (CHAP).
pap: Authenticates using the Password Authentication Protocol (PAP).
eap: Authenticates using the Extensible Authentication Protocol (EAP).
Description
Use the dot1x authentication-method command to set the 802.1x authentication method.
Use the undo dot1x authentication-method command to restore the default 802.1x authentication method.
The default 802.1x authentication method is CHAP.
PAP uses a two-way handshake in which the password is transmitted in plain text.
CHAP uses a three-way handshake (challenge, response, success or failure). The password itself is never transmitted: the supplicant returns an MD5 hash computed over the challenge and the password, so CHAP is safer than PAP against a passive eavesdropper. Note that a captured challenge/response pair can still be attacked offline by guessing passwords, and that the server must hold the clear-text password to verify the response.
With CHAP or PAP, the switch terminates the EAP exchange with the supplicant and converts the authentication information into RADIUS packets (EAP termination). With EAP, the switch instead relays the 802.1x authentication information to the RADIUS server encapsulated in EAP packets (EAP relay), so that the RADIUS server runs the EAP method with the supplicant directly. EAP authentication can use one of four sub-methods: PEAP, EAP-TLS, EAP-TTLS, and EAP-MD5.
When the current device operates as the authentication server (local authentication), EAP authentication is unavailable.
Related command: display dot1x.
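The difference between the two handshakes is easiest to see in code. The following is an added example, not H3C code: it implements the CHAP response from RFC 1994 (the same computation EAP-MD5 uses) and a PAP exchange side by side, shows what crosses the wire in each, and shows why a captured CHAP exchange can still be attacked offline. The identifiers, sample password and word list are constructed for the example.

```python
"""CHAP versus PAP on the wire (added example, not H3C code).

Implements the RFC 1994 CHAP response, which EAP-MD5 reuses, next to a
PAP exchange, to show what an eavesdropper sees in each method and why
a captured CHAP challenge/response pair is still attackable offline.
The password and word list below are constructed for the example.
"""
import hashlib
import os
import secrets


def chap_response(identifier, password, challenge):
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + password + challenge).digest()


def chap_verify(identifier, stored_password, challenge, response):
    """Authenticator side: recompute and compare in constant time.
    The verifier needs the clear-text password to do this."""
    expected = chap_response(identifier, stored_password, challenge)
    return secrets.compare_digest(expected, response)


def chap_exchange(supplicant_password, server_password, identifier=1, challenge=None):
    """Three-way handshake. Returns (success, bytes that crossed the wire)."""
    challenge = challenge or os.urandom(16)                                # 1. Challenge
    response = chap_response(identifier, supplicant_password, challenge)  # 2. Response
    ok = chap_verify(identifier, server_password, challenge, response)    # 3. Success/Failure
    return ok, {"challenge": challenge, "response": response}


def pap_exchange(supplicant_password, server_password):
    """Two-way handshake: the password itself is what crosses the wire."""
    on_wire = supplicant_password
    return secrets.compare_digest(on_wire, server_password), {"password": on_wire}


def offline_guess(identifier, captured, wordlist):
    """What an eavesdropper does with a captured CHAP exchange: hash each
    candidate until one matches. No further packets are needed."""
    for candidate in wordlist:
        if chap_response(identifier, candidate, captured["challenge"]) == captured["response"]:
            return candidate
    return None


if __name__ == "__main__":
    ok, seen = chap_exchange(b"s3cret", b"s3cret", identifier=7)
    print("CHAP result:", ok, "on wire:", {k: v.hex() for k, v in seen.items()})
    print("offline guess:", offline_guess(7, seen, [b"password", b"letmein", b"s3cret"]))
    print("PAP on wire:", pap_exchange(b"s3cret", b"s3cret")[1])
```

Of the EAP sub-methods listed above, EAP-MD5 is exactly this challenge/response exchange and shares its weakness against offline guessing; PEAP, EAP-TLS and EAP-TTLS wrap the credential exchange in TLS, which is why they need EAP relay rather than termination on the switch.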
Example
# Specify the authentication method to be PAP.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] dot1x authentication-method pap
1.1.4 dot1x dhcp-launch
Syntax
dot1x dhcp-launch
undo dot1x dhcp-launch
View
System view
Parameter
None
Description
Use the dot1x dhcp-launch command to make an 802.1x-enabled switch start authenticating a supplicant system when the supplicant system requests a dynamic IP address through DHCP.
Use the undo dot1x dhcp-launch command to stop an 802.1x-enabled switch from authenticating a supplicant system when it requests a dynamic IP address through DHCP.
By default, an 802.1x-enabled switch does not authenticate a supplicant system when it requests a dynamic IP address through DHCP.
Related command: display dot1x.
Example
# Configure the switch to authenticate a supplicant system when it requests a dynamic IP address through DHCP.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] dot1x dhcp-launch
1.1.5 dot1x guest-vlan
Syntax
dot1x guest-vlan vlan-id [ interface interface-list ]
undo dot1x guest-vlan vlan-id [ interface interface-list ]
View
System view, Ethernet port view
Parameter
vlan-id: VLAN ID of the Guest VLAN, in the range 1 to 4094.
interface-list: Ethernet port list. You can specify multiple ports by providing this argument in the form interface-list = { interface-name [ to interface-name ] } &<1-10>. The interface-name argument is the port index of a port, in the form interface-name = { interface-type interface-num }, where interface-type is the port type and interface-num is the port number. The interface name after the keyword to must have an interface-num greater than or equal to that of the interface-name before to. &<1-10> means that up to 10 port indexes or port index lists can be provided.
Description
Use the dot1x guest-vlan command to enable the Guest VLAN function for specified ports.
Use the undo dot1x guest-vlan command to disable the Guest VLAN function for specified ports.
When executed in system view:
- If you do not provide the interface-list argument, these two commands apply to all ports of the switch.
- If you specify the interface-list argument, these two commands apply to the specified ports.
When executed in Ethernet port view, these two commands apply to the current Ethernet port only; the interface-list argument is not needed.
Caution:
- The Guest VLAN function is available only when the switch operates in port-based authentication mode (dot1x port-method portbased).
- Only one Guest VLAN can be configured on a switch.
- The Guest VLAN function is unavailable when the dot1x dhcp-launch command is configured on the switch, because in that case the switch does not send authentication request packets.
- Hosts in the Guest VLAN have not authenticated; restrict that VLAN to the resources unauthenticated hosts are meant to reach.
Example
# Configure the switch to operate in port-based authentication mode.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] dot1x port-method portbased
# Enable the Guest VLAN function for all ports.
[H3C] dot1x guest-vlan 1
1.1.6 dot1x max-user
Syntax
dot1x max-user user-number [ interface interface-list ]
undo dot1x max-user [ interface interface-list ]
View
System view, Ethernet port view
Parameter
user-number: Maximum number of users a port can accommodate, in the range 1 to 256. By default, a port can accommodate up to 256 users.
interface-list: Ethernet port list. You can specify multiple ports by providing this argument in the form interface-list = { interface-name [ to interface-name ] } &<1-10>. The interface-name argument is the port index of a port, in the form interface-name = { interface-type interface-num }, where interface-type is the port type and interface-num is the port number. The interface name after the keyword to must have an interface-num greater than or equal to that of the interface-name before to. &<1-10> means that up to 10 port indexes or port index lists can be provided.
Description
Use the dot1x max-user command to set the maximum number of users an Ethernet port can accommodate.
Use the undo dot1x max-user command to restore the default maximum number of users.
When executed in system view, these two commands apply to all ports of the switch if you do not provide the interface-list argument, and to the specified ports if you do.
When executed in Ethernet port view, these two commands apply to the current port only; the interface-list argument is not needed.
Related command: display dot1x.
Example
# Set the maximum number of users that port Ethernet1/0/1 can accommodate to 32.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] dot1x max-user 32 interface Ethernet 1/0/1
1.1.7 dot1x port-control
Syntax
dot1x port-control { auto | authorized-force | unauthorized-force } [ interface interface-list ]
undo dot1x port-control [ interface interface-list ]
View
System view, Ethernet port view
Parameter
auto: Specifies auto access control mode. In this mode, every unauthenticated host connected to the port is unauthorized and only EAPOL packets can be exchanged between the switch and the hosts; a host is authorized to access network resources once it passes authentication. This is the normal operating mode.
authorized-force: Specifies authorized-force access control mode. In this mode, all hosts connected to the port can access network resources without being authenticated; the port is effectively unprotected by 802.1x.
unauthorized-force: Specifies unauthorized-force access control mode. In this mode, no host connected to the port can access network resources.
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form interface-list = { interface-name [ to interface-name ] } &<1-10>. The interface-name argument is the port index of an Ethernet port, in the form interface-name = { interface-type interface-num }, where interface-type is the port type and interface-num is the port number. The interface name after the keyword to must have an interface-num greater than or equal to that of the interface-name before to. &<1-10> means that up to 10 port indexes or port index lists can be provided.
Description
Use the dot1x port-control command to set the access control mode of specified 802.1x-enabled Ethernet ports.
Use the undo dot1x port-control command to restore the default access control mode.
The default access control mode is auto.
When executed in system view, these two commands apply to all ports of the switch if you do not provide the interface-list argument, and to the specified ports if you do.
When executed in Ethernet port view, these two commands apply to the current Ethernet port only; the interface-list argument is not needed.
Related command: display dot1x.
Example
# Set port Ethernet1/0/1 to unauthorized-force access control mode.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] dot1x port-control unauthorized-force interface Ethernet 1/0/1
1.1.8 dot1x port-method
Syntax
dot1x port-method { macbased | portbased } [ interface interface-list ]
undo dot1x port-method [ interface interface-list ]
View
System view, Ethernet port view
Parameter
macbased: Performs MAC address-based authentication.
portbased: Performs port-based authentication.
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form interface-list = { interface-name [ to interface-name ] } &<1-10>. The interface-name argument is the port index of an Ethernet port, in the form interface-name = { interface-type interface-num }, where interface-type is the port type and interface-num is the port number. The interface name after the keyword to must have an interface-num greater than or equal to that of the interface-name before to. &<1-10> means that up to 10 port indexes or port index lists can be provided.
By default, users are authenticated by MAC address.
Description
Use the dot1x port-method command to specify the access control method for specified Ethernet ports.
Use the undo dot1x port-method command to restore the default access control method.
These two commands specify how users are authenticated. With MAC address-based authentication (dot1x port-method with the macbased keyword), every user connected to the specified Ethernet ports is authenticated separately, and one user logging off does not affect the others.
With port-based authentication (dot1x port-method with the portbased keyword), once any user connected to a specified Ethernet port passes authentication, all other users on that port can access the network without being authenticated; when that user logs off, the network becomes inaccessible to all other supplicant systems on the port as well. On a port shared by several hosts (for example behind a hub or an unmanaged switch), a single authenticated host therefore opens the port for every host attached to it.
When executed in system view, these two commands apply to all ports of the switch if you do not provide the interface-list argument, and to the specified ports if you do. When executed in Ethernet port view, these two commands apply to the current Ethernet port only; the interface-list argument is not needed.
Related command: display dot1x.
Example
# Authenticate users connected to port Ethernet1/0/1 on a per-port basis.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] dot1x port-method portbased interface Ethernet 1/0/1
1.1.9 dot1x quiet-period
Syntax
dot1x quiet-period
undo dot1x quiet-period
View
System view
Parameter
None
Description
Use the dot1x quiet-period command to enable the quiet-period timer.
Use the undo dot1x quiet-period command to disable the quiet-period timer.
When a user fails authentication, the authenticator system (such as an H3C series Ethernet switch) stays quiet for a period determined by the quiet-period timer before it performs another authentication. During the quiet period the authenticator system performs no 802.1x authentication, which limits how quickly failed credentials can be retried.
By default, the quiet-period timer is disabled.
Related commands: display dot1x, dot1x timer.
Example
# Enable the quiet-period timer.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] dot1x quiet-period
1.1.10 dot1x retry
Syntax
dot1x retry max-retry-value
undo dot1x retry
View
System view
Parameter
max-retry-value: Maximum number of times that a switch sends authentication request
packets to a user. This argument ranges from 1 to 10.
Description
Use the dot1x retry command to set the maximum number of times the switch sends authentication request packets to a user.
Use the undo dot1x retry command to restore the default value.
By default, the switch sends authentication request packets to a user up to 2 times.
After sending an authentication request packet to a user, the switch sends another if it receives no response within a specific period. The dot1x retry command sets the maximum number of times the switch sends request packets to a user: 1 means the switch sends the request only once, 2 means it sends the request a second time if no response comes back, and so on. This command applies to all ports. The same count, multiplied by the handshake period, also determines how long an online user that stops responding to handshake requests remains online (see dot1x timer).
Related command: display dot1x.
Related command: display dot1x.
Example
# Set the maximum number of times the switch sends authentication request packets to 9.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] dot1x retry 9
1.1.11 dot1x retry-version-max
Syntax
dot1x retry-version-max max-retry-version-value
undo dot1x retry-version-max
View
System view
Parameter
max-retry-version-value: Maximum number of times that a switch sends version request
packets to a user. This argument ranges from 1 to 10.
Description
Use the dot1x retry-version-max command to set the maximum number of times the switch sends version request packets to a user.
Use the undo dot1x retry-version-max command to restore the default value.
By default, the switch sends version request packets to a user up to 3 times.
After sending a version request packet to a user, the switch sends another if it receives no response within the period set by the client version request timer (dot1x timer ver-period). When the number set by this command has been reached and there is still no response from the user, the switch continues with the remaining authentication procedure without sending further version requests. This command applies to all ports on which version checking is enabled.
Related commands: display dot1x, dot1x timer.
Example
# Set the maximum number of times the switch sends version request packets to 6.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] dot1x retry-version-max 6
1.1.12 dot1x supp-proxy-check
Syntax
dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]
undo dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]
View
System view, Ethernet port view
Parameter
logoff: Disconnects a user upon detecting that it logs in through a proxy or through multiple network adapters.
trap: Sends Trap packets upon detecting that a user logs in through a proxy or through multiple network adapters.
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form interface-list = { interface-name [ to interface-name ] } &<1-10>. The interface-name argument is the port index of an Ethernet port, in the form interface-name = { interface-type interface-num }, where interface-type is the port type and interface-num is the port number. The interface name after the keyword to must have an interface-num greater than or equal to that of the interface-name before to. &<1-10> means that up to 10 port indexes or port index lists can be provided.
Description
Use the dot1x supp-proxy-check command to enable 802.1x proxy checking for specified ports.
Use the undo dot1x supp-proxy-check command to disable 802.1x proxy checking for specified ports.
By default, 802.1x proxy checking is disabled on all Ethernet ports.
When executed in system view, these two commands apply globally if you do not specify the interface-list argument, and to the specified Ethernet ports if you do. When executed in Ethernet port view, these two commands apply to the current port only; the interface-list argument is not needed.
The proxy checking function takes effect on a port only when it is enabled both globally and on the port.
802.1x proxy checking checks for:
- Users logging in through proxies
- Users logging in through IE proxies
- Users logging in through multiple network adapters (that is, the user has more than one active network adapter when attempting to log in)
The switch can take one of the following actions in response to any of the three cases:
- Disconnect the user and send Trap packets (dot1x supp-proxy-check logoff).
- Send Trap packets without disconnecting the user (dot1x supp-proxy-check trap).
This function requires the cooperation of the 802.1x client and the CAMS server:
- Multiple network adapter checking, proxy checking, and IE proxy checking are enabled on the 802.1x client.
- The CAMS server is configured to disallow the use of multiple network adapters, proxies, and IE proxy.
By default, the 802.1x client allows the use of multiple network adapters, proxies, and IE proxy. If you configure the CAMS server to disallow them, the server sends messages asking the 802.1x client to disable them after the user passes authentication.
- The 802.1x proxy checking function requires H3C's 802.1x client program.
- The proxy checking function takes effect only after it is enabled on the CAMS server and client version checking is enabled on the switch (dot1x version-check).
Because the check relies on the client reporting its own state, it does not constrain a host that runs a non-cooperating or modified client; treat it as a policy aid rather than an enforcement boundary.
Related command: display dot1x.
Example
# Configure the switch to disconnect users connected to ports Ethernet1/0/1 through Ethernet1/0/8 if they are detected logging in through proxies.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] dot1x supp-proxy-check logoff
[H3C] dot1x supp-proxy-check logoff interface Ethernet 1/0/1 to Ethernet 1/0/8
# Configure the switch to send Trap packets if a user connected to port Ethernet1/0/9 is detected logging in through a proxy.
[H3C] dot1x supp-proxy-check trap
[H3C] dot1x supp-proxy-check trap interface Ethernet 1/0/9
Or:
[H3C] dot1x supp-proxy-check trap
[H3C] interface Ethernet 1/0/9
[H3C-Ethernet1/0/9] dot1x supp-proxy-check trap
1.1.13 dot1x timer
Syntax
dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | tx-period tx-period-value | supp-timeout supp-timeout-value | server-timeout server-timeout-value | ver-period ver-period-value }
undo dot1x timer { handshake-period | quiet-period | tx-period | supp-timeout | server-timeout | ver-period }
View
System view
Parameter
tx-period tx-period-value: Sets the transmission timer (tx-period). This timer is triggered in two cases. First, when a client requests authentication, the switch sends a unicast Request/Identity packet to the supplicant system and starts the timer; if no reply arrives before the timer expires, the switch sends another Request/Identity packet. Second, to authenticate 802.1x clients that cannot initiate authentication themselves, the switch sends multicast Request/Identity packets periodically through each 802.1x-enabled port, and this timer sets the interval between them.
The tx-period-value argument ranges from 10 to 120 (in seconds). By default, the transmission timer is set to 30 seconds.
supp-timeout supp-timeout-value: Sets the supplicant system timer (supp-timeout). The switch starts this timer after sending a Request/Challenge packet to a supplicant system (the packet asks the supplicant system for the MD5 hash computed over the challenge). If no response arrives before the timer expires, the switch sends another Request/Challenge packet.
The supp-timeout-value argument ranges from 10 to 120 (in seconds). By default, the supplicant system timer is set to 30 seconds.
server-timeout server-timeout-value: Sets the RADIUS server timer (server-timeout). After sending an authentication request packet to the RADIUS server, the switch sends another authentication request packet if it does not receive a response before this timer expires.
The server-timeout-value argument ranges from 100 to 300 (in seconds). By default, the RADIUS server timer is set to 100 seconds.
handshake-period handshake-period-value: Sets the handshake timer (handshake-period). This timer is started after a supplicant system passes authentication and sets the interval at which the switch sends handshake request packets to online users. If the retry count is set to N with the dot1x retry command, an online user is considered offline when the switch receives no response from it for N handshake periods (with the defaults, 2 x 15 s = 30 s).
The handshake-period-value argument ranges from 5 to 1,024 (in seconds). By default, the handshake timer is set to 15 seconds.
quiet-period quiet-period-value: Sets the quiet-period timer (quiet-period). When a supplicant system fails authentication, the switch waits for the quiet period before it processes another authentication request re-initiated by that supplicant system.
The quiet-period-value argument ranges from 10 to 120 (in seconds). By default, the quiet-period timer is set to 60 seconds.
ver-period ver-period-value: Sets the client version request timer (ver-period). This timer is started after the switch sends a version request packet; if no version response arrives from the supplicant system before the timer expires, the switch sends another version request packet.
The ver-period-value argument ranges from 1 to 30 (in seconds). By default, the client version request timer is set to 30 seconds.
Description
Use the dot1x timer command to set a specified 802.1x timer.
Use the undo dot1x timer command to restore a specified 802.1x timer to its default setting.
During 802.1x authentication, several timers ensure that supplicant systems, authenticator systems, and authentication servers interact in an orderly way. You can use the dot1x timer command to adjust them when needed, for example in special situations or unreliable network environments. Normally the defaults are recommended. (Note that some timers cannot be adjusted.)
Related command: display dot1x.
Example
# Set the RADIUS server timer to 150 seconds.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] dot1x timer server-timeout 150
1.1.14 dot1x version-check
Syntax
dot1x version-check [ interface interface-list ]
undo dot1x version-check [ interface interface-list ]
View
System view, Ethernet port view
Parameter
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form interface-list = { interface-name [ to interface-name ] } &<1-10>. The interface-name argument is the port index of an Ethernet port, in the form interface-name = { interface-type interface-num }, where interface-type is the port type and interface-num is the port number. The interface name after the keyword to must have an interface-num greater than or equal to that of the interface-name before to. &<1-10> means that up to 10 port indexes or port index lists can be provided.
Description
Use the dot1x version-check command to enable 802.1x client version checking for specified Ethernet ports.
Use the undo dot1x version-check command to disable 802.1x client version checking for specified Ethernet ports.
By default, 802.1x client version checking is disabled on all Ethernet ports.
When executed in system view, these two commands apply to all ports of the switch if you do not provide the interface-list argument, and to the specified ports if you do. When executed in Ethernet port view, these two commands apply to the current Ethernet port only; the interface-list argument is not needed.
Example
# Configure port Ethernet1/0/1 to check the version of the 802.1x client upon receiving authentication packets.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] interface Ethernet 1/0/1
[H3C-Ethernet1/0/1] dot1x version-check
1.1.15 reset dot1x statistics
Syntax
reset dot1x statistics [ interface interface-list ]
View
User view
Parameter
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form interface-list = { interface-name [ to interface-name ] } &<1-10>. The interface-name argument is the port index of an Ethernet port, in the form interface-name = { interface-type interface-num }, where interface-type is the port type and interface-num is the port number. The interface name after the keyword to must have an interface-num greater than or equal to that of the interface-name before to. &<1-10> means that up to 10 port indexes or port index lists can be provided.
Description
Use the reset dot1x statistics command to clear 802.1x-related statistics.
If the interface-list argument is not specified, this command clears the global 802.1x statistics and the 802.1x statistics on all ports.
If the interface-list argument is specified, this command clears the 802.1x statistics on the specified ports only.
Clearing resets the per-port Authentication Success/Failed and EAPOL packet counters shown by display dot1x, so record them first if they are needed for troubleshooting or incident review.
Related command: display dot1x.
Example
# Clear 802.1x statistics on port Ethernet1/0/1.
<H3C> reset dot1x statistics interface Ethernet 1/0/1