Chapter 1
802.1x Configuration Commands
1.1.1 display dot1x
Syntax
display dot1x [ sessions | statistics ] [ interface interface-list ]
View
Any view
Parameter
sessions: Displays information about 802.1x sessions.
statistics: Displays 802.1x statistics.
interface: Displays 802.1x-related information about the specified ports.
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form interface-list = { interface-name [ to interface-name ] } &<1-10>. The interface-name argument is the port index of an Ethernet port and takes the form interface-name = { interface-type interface-num }, in which interface-type specifies the type of the port and interface-num identifies the port number. The interface name after the keyword to must have an interface-num greater than or equal to that of the interface-name before to. &<1-10> means that up to 10 port indexes or port index lists can be provided.
Description
Use the display dot1x command to
display 802.1x-related information, such as configuration information,
operation information (session information), and statistics.
When the interface-list argument is not provided, this command displays 802.1x-related information for all ports.
The output can be used to verify 802.1x-related configurations and to troubleshoot.
Related commands: reset dot1x statistics,
dot1x, dot1x retry, dot1x max-user, dot1x port-control,
dot1x port-method, and dot1x timer.
Example
# Display 802.1x-related configuration information.
<H3C> display dot1x
Equipment 802.1X protocol is enabled
CHAP authentication is enabled
DHCP-launch is enabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
Configuration: Transmit Period 30 s, Handshake Period 15 s
               Quiet Period 60 s, Quiet Period Timer is disabled
               Supp Timeout 30 s, Server Timeout 100 s
               Interval between version requests is 30s
               Maximal request times for version information is 3
The maximal retransmitting times 2
Total maximum 802.1x user resource number is 1024
Total current used 802.1x resource number is 1

Ethernet1/0/1 is link-down
  802.1X protocol is disabled
  Proxy trap checker is disabled
  Proxy logoff checker is disabled
  Version-Check is disabled
  The port is an authenticator
  Authentication Mode is Auto
  Port Control Type is Mac-based
  Max number of on-line users is 256
  Authentication Success: 0, Failed: 0
  EAPOL Packets: Tx 0, Rx 0
  Sent EAP Request/Identity Packets : 0
  EAP Request/Challenge Packets: 0
  Received EAPOL Start Packets : 0
  EAPOL LogOff Packets: 0
  EAP Response/Identity Packets : 0
  EAP Response/Challenge Packets: 0
  Error Packets: 0
  Controlled User(s) amount to 0

Ethernet1/0/2 is link-down
  802.1X protocol is disabled
  Proxy trap checker is disabled
  Proxy logoff checker is disabled
  Version-Check is disabled
  The port is an authenticator
  Authentication Mode is Auto
  Port Control Type is Mac-based
  Max number of on-line users is 256
  Authentication Success: 0, Failed: 0
  EAPOL Packets: Tx 0, Rx 0
  Sent EAP Request/Identity Packets : 0
  EAP Request/Challenge Packets: 0
  Received EAPOL Start Packets : 0
  EAPOL LogOff Packets: 0
  EAP Response/Identity Packets : 0
  EAP Response/Challenge Packets: 0
  Error Packets: 0
  Controlled User(s) amount to 0

Ethernet1/0/3
……
Table 1-1 Description on the fields of the display dot1x command
| Field | Description |
| --- | --- |
| Equipment 802.1X protocol is enabled | 802.1x protocol (802.1x for short) is enabled on the switch. |
| CHAP authentication is enabled | CHAP authentication is enabled. |
| DHCP-launch is enabled | The switch is configured to authenticate a supplicant system when the latter applies for a dynamic IP address through DHCP. You can also configure the switch not to authenticate supplicant systems in this case. |
| Proxy trap checker is disabled | The proxy trap checker is disabled, so the switch does not send Trap packets when it detects that a supplicant system logs in through a proxy. When enabled, the switch sends Trap packets in that case. |
| Proxy logoff checker is disabled | The proxy logoff checker is disabled, so the switch does not disconnect a supplicant system when it detects that the latter logs in through a proxy. When enabled, the switch disconnects the supplicant system in that case. |
| Transmit Period | Setting of the transmission period timer (tx-period) |
| Handshake Period | Setting of the handshake period timer (handshake-period) |
| Quiet Period | Setting of the quiet period timer (quiet-period) |
| Quiet Period Timer is disabled | The quiet period timer is disabled. It can be enabled when necessary. |
| Supp Timeout | Setting of the supplicant timeout timer (supp-timeout) |
| Server Timeout | Setting of the server timeout timer (server-timeout) |
| The maximal retransmitting times | The maximum number of times that the switch sends authentication request packets to a supplicant system |
| Total maximum 802.1x user resource number | The maximum number of 802.1x users that the switch can accommodate |
| Total current used 802.1x resource number | The number of online supplicant systems |
| Ethernet1/0/1 is link-down | Ethernet1/0/1 port is in down state. |
| 802.1X protocol is disabled | 802.1x is disabled on the port. |
| Proxy trap checker is disabled | The proxy trap checker is disabled on the port. When enabled, the switch sends Trap packets when it detects that a supplicant system logs in through a proxy. |
| Proxy logoff checker is disabled | The proxy logoff checker is disabled on the port. When enabled, the switch disconnects a supplicant system when it detects that the latter logs in through a proxy. |
| Version-Check is disabled | The client version checking function is disabled on the port. When enabled, the switch checks the client version. |
| The port is an authenticator | The port acts as an authenticator system. |
| Authentication Mode is Auto | The port access control mode is auto. |
| Port Control Type is Mac-based | The port access control method is MAC-based, that is, supplicant systems are authenticated individually by MAC address. |
| Max number of on-line users | The maximum number of online users that the port can accommodate |
| … | Information omitted here |
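The output above is what an audit of a switch's 802.1x state has to consume. The following Python script is an added example, not anything from the H3C manual: it parses display dot1x output into a global record plus one record per port and flags link-up ports that are not enforcing authentication the way the rest of this chapter describes (802.1x off globally or on the port, a force-authorized port, port-based control, or only failed authentications). The sample output is constructed in the layout shown above; the exact strings the switch prints for a force-authorized port and for port-based control are assumptions, since the manual shows only "Auto" and "Mac-based" for those fields.

```python
"""Parse and audit the output of `display dot1x` on an H3C switch."""
import re

# Constructed sample in the layout of the manual's example. The strings
# "Authorized-force" and "Port-based" are assumptions: the manual shows
# only "Auto" and "Mac-based" for those fields.
SAMPLE_OUTPUT = """\
 Equipment 802.1X protocol is enabled
 CHAP authentication is enabled
 Configuration: Transmit Period   30 s, Handshake Period   15 s
                Quiet Period      60 s, Quiet Period Timer is disabled
                Supp Timeout      30 s, Server Timeout    100 s
 The maximal retransmitting times 2
 Total maximum 802.1x user resource number is 1024
 Total current used 802.1x resource number is 1
 Ethernet1/0/1 is link-up
   802.1X protocol is enabled
   Authentication Mode is Auto
   Port Control Type is Mac-based
   Authentication Success: 1, Failed: 0
 Ethernet1/0/2 is link-up
   802.1X protocol is disabled
   Authentication Mode is Auto
   Port Control Type is Mac-based
   Authentication Success: 0, Failed: 0
 Ethernet1/0/3 is link-up
   802.1X protocol is enabled
   Authentication Mode is Authorized-force
   Port Control Type is Port-based
   Authentication Success: 0, Failed: 37
 Ethernet1/0/4 is link-down
   802.1X protocol is disabled
   Authentication Mode is Auto
   Port Control Type is Mac-based
   Authentication Success: 0, Failed: 0
"""

PORT_HEADER = re.compile(r"^(\S+) is (link-up|link-down)$")


def parse_display_dot1x(text):
    """Return {"global_enabled", "auth_method", "ports": [per-port dicts]}."""
    state = {"global_enabled": False, "auth_method": "", "ports": []}
    port = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_HEADER.match(line)
        if m:  # a new per-port block starts; everything before it is global
            port = {"name": m.group(1), "link": m.group(2), "enabled": False,
                    "mode": "", "type": "", "success": 0, "failed": 0}
            state["ports"].append(port)
        elif port is None:
            if line.startswith("Equipment 802.1X protocol is"):
                state["global_enabled"] = line.endswith(" enabled")
            elif line.endswith(" authentication is enabled"):
                state["auth_method"] = line.split()[0]
        elif line.startswith("802.1X protocol is"):
            port["enabled"] = line.endswith(" enabled")
        elif line.startswith("Authentication Mode is"):
            port["mode"] = line.rsplit(" ", 1)[1]
        elif line.startswith("Port Control Type is"):
            port["type"] = line.rsplit(" ", 1)[1]
        elif line.startswith("Authentication Success:"):
            port["success"], port["failed"] = map(int, re.findall(r"\d+", line))
    return state


def audit(state):
    """Return (port, finding) pairs; the baseline this chapter describes is
    802.1x enabled globally and on the port, mode auto, MAC-based control."""
    findings = []
    if not state["global_enabled"]:
        findings.append(("global", "802.1x disabled globally; port settings take no effect"))
    if state["auth_method"] == "PAP":
        findings.append(("global", "PAP relays passwords to RADIUS in plain text"))
    for p in state["ports"]:
        if p["link"] != "link-up":
            continue  # nothing attached yet; re-audit when the link comes up
        if not (state["global_enabled"] and p["enabled"]):
            findings.append((p["name"], "link-up port is not enforcing 802.1x"))
            continue
        mode = p["mode"].lower()
        if mode.startswith("unauthorized"):
            findings.append((p["name"], "unauthorized-force: all supplicants refused"))
        elif mode.startswith("authorized"):
            findings.append((p["name"], "authorized-force: hosts admitted unauthenticated"))
        if p["type"].lower() != "mac-based":
            findings.append((p["name"], "port-based: one login opens the port to every host"))
        if p["failed"] and not p["success"]:
            findings.append((p["name"], f"{p['failed']} failures, no successes"))
    return findings
```

Run audit(parse_display_dot1x(output)) over the text captured from the switch; a link-down port is skipped rather than reported, because the manual states that 802.1x settings take effect only once the port is enabled and in use, so the check has to be repeated when the link comes up.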
1.1.2 dot1x
Syntax
dot1x [ interface interface-list ]
undo dot1x [ interface interface-list ]
View
System view/Ethernet port view
Parameter
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form interface-list = { interface-name [ to interface-name ] } &<1-10>. The interface-name argument is the port index of an Ethernet port and takes the form interface-name = { interface-type interface-num }, in which interface-type specifies the type of the port and interface-num identifies the port number. The interface name after the keyword to must have an interface-num greater than or equal to that of the interface-name before to. &<1-10> means that up to 10 port indexes or port index lists can be provided.
Description
Use the dot1x command to enable
802.1x globally or for specified Ethernet ports.
Use the undo dot1x command to
disable 802.1x globally or for specified Ethernet ports.
By default, 802.1x is disabled globally and on all ports.
When being executed in system view, the dot1x
command enables 802.1x globally if you do not provide the interface-list
argument. And if you specify the interface-list argument, the command
enables 802.1x for the specified Ethernet ports. When being executed in
Ethernet port view, this command enables 802.1x for the current Ethernet port
only. In this case, the interface-list argument is not needed.
You can perform 802.1x-related
configurations (globally or on specified ports) either before or after 802.1x
is enabled. If you do not previously perform other 802.1x-related
configurations when enabling 802.1x globally, the switch adopts the default
802.1x settings.
802.1x-related configurations take effect on
a port only after 802.1x is enabled both globally and on the port.
Configuration of 802.1x and configuration of the maximum number of MAC addresses a port can learn are mutually exclusive: a port with 802.1x enabled cannot also have a maximum number of learnable MAC addresses configured, and a port with a maximum number of learnable MAC addresses configured cannot have 802.1x enabled.
Related command: display dot1x.
Example
# Enable 802.1x for Ethernet1/0/1 port.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] dot1x interface Ethernet 1/0/1
# Enable 802.1x globally.
[H3C] dot1x
1.1.3 dot1x authentication-method
Syntax
dot1x authentication-method { chap | pap | eap }
undo dot1x authentication-method
View
System view
Parameter
chap: Uses the Challenge Handshake Authentication Protocol (CHAP).
pap: Uses the Password Authentication Protocol (PAP).
eap: Uses the Extensible Authentication Protocol (EAP).
Description
Use the dot1x authentication-method
command to set the 802.1x authentication method.
Use the undo dot1x authentication-method
command to revert to the default 802.1x authentication method.
The default 802.1x authentication method is
CHAP.
PAP uses a two-way handshake in which the password is transmitted in plain text.
CHAP uses a three-way handshake in which the password itself is never transmitted: the supplicant returns a hash computed over a challenge and the password, which is why this method is safer than PAP. A captured challenge/response pair can still be attacked by an offline dictionary search, so CHAP protects the password in transit but does not make a weak password safe.
With the EAP method, the switch relays the EAP packets exchanged with the supplicant to the RADIUS server unchanged (encapsulated in RADIUS packets), instead of terminating the EAP exchange itself and converting the credentials into RADIUS PAP or CHAP attributes; the RADIUS server must therefore support EAP. EAP authentication can be realized with one of four sub-methods: PEAP, EAP-TLS, EAP-TTLS and EAP-MD5.
Related command: display dot1x.
Example
# Specify the authentication method to be PAP.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] dot1x authentication-method pap
1.1.4 dot1x dhcp-launch
Syntax
dot1x dhcp-launch
undo dot1x dhcp-launch
View
System view
Parameter
None
Description
Use the dot1x dhcp-launch command to configure an 802.1x-enabled switch to launch authentication of a supplicant system when the supplicant system applies for a dynamic IP address through DHCP.
Use the undo dot1x dhcp-launch command to stop an 802.1x-enabled switch from authenticating a supplicant system when the supplicant system applies for a dynamic IP address through DHCP.
By default, an 802.1x-enabled switch does not authenticate a supplicant system when the latter applies for a dynamic IP address through DHCP.
Related command: display dot1x.
Example
# Configure to authenticate a supplicant
system when it applies for a dynamic IP address through DHCP.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] dot1x dhcp-launch
1.1.5 dot1x guest-vlan
Syntax
dot1x guest-vlan vlan-id [ interface interface-list ]
undo dot1x guest-vlan [ interface interface-list ]
View
System view, Ethernet port view
Parameter
vlan-id: VLAN ID of the Guest VLAN, in the range 1 to 4094.
interface-list: Ethernet port list. You can specify multiple ports by providing this argument in the form interface-list = { interface-name [ to interface-name ] } &<1-10>. The interface-name argument is the port index of a port and takes the form interface-name = { interface-type interface-num }, in which interface-type specifies the type of the port and interface-num identifies the port number. The interface name after the keyword to must have an interface-num greater than or equal to that of the interface-name before to. &<1-10> means that up to 10 port indexes or port index lists can be provided.
Description
Use the dot1x guest-vlan command to enable
the Guest VLAN function for specified ports.
Use the undo dot1x guest-vlan
command to disable the Guest VLAN function for specified ports.
When being executed in system view, these
two commands apply to all ports of the switch if you do not provide the interface-list
argument. And if you specify the interface-list argument, these two
commands apply to the specified Ethernet ports.
When being executed in Ethernet port view,
these two commands apply to the current Ethernet port only. In this case, the interface-list
argument is not needed.
Related commands: name, vlan-assignment-mode.
Caution:
- The Guest VLAN function is available only when the switch operates in port-based authentication mode.
- Only one Guest VLAN can be configured on each switch.
- The Guest VLAN function is unavailable when the dot1x dhcp-launch command is configured on the switch, because the switch then does not send authentication request packets.
Example
# Specify the authentication method to be
port-based authentication.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] dot1x port-method portbased
# Enable the Guest VLAN function for all
ports.
[H3C] dot1x guest-vlan 1
1.1.6 dot1x max-user
Syntax
dot1x max-user user-number [ interface interface-list ]
undo dot1x max-user [ interface interface-list ]
View
System view, Ethernet port view
Parameter
user-number: Maximum number of users a port can accommodate, in the range 1 to 256. The default is 256.
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form interface-list = { interface-name [ to interface-name ] } &<1-10>. The interface-name argument is the port index of an Ethernet port and takes the form interface-name = { interface-type interface-num }, in which interface-type specifies the type of the port and interface-num identifies the port number. The interface name after the keyword to must have an interface-num greater than or equal to that of the interface-name before to. &<1-10> means that up to 10 port indexes or port index lists can be provided.
Description
Use the dot1x max-user
command to set the maximum number of supplicant systems an Ethernet port can
accommodate.
Use the undo dot1x max-user
command to revert to the default maximum supplicant system number.
When being executed in system view, these
two commands apply to all Ethernet ports of the switch if you do not provide
the interface-list argument. And if you specify the interface-list
argument, these commands apply to the specified Ethernet ports.
When being executed in Ethernet port view,
these two commands apply to the current Ethernet port only. In this case, the interface-list
argument is not needed.
Related command: display dot1x.
Example
# Configure the maximum number of users that Ethernet1/0/1 can accommodate to be 32.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] dot1x max-user 32 interface Ethernet 1/0/1
1.1.7 dot1x port-control
Syntax
dot1x port-control { auto | authorized-force | unauthorized-force } [ interface interface-list ]
undo dot1x port-control [ interface interface-list ]
View
System view, Ethernet port view
Parameter
auto: Specifies the auto access control mode. In this mode a port initially treats all connected users as unauthorized: it lets only EAPOL packets through and grants no access to network resources. Only after a user passes authentication does the port classify it as authorized and allow it access to network resources. This is the normal operating mode.
authorized-force: Specifies the authorized-force access control mode. Ports in this mode are constantly in authorized state: supplicant systems connected to them can access the network without being authenticated.
unauthorized-force: Specifies the unauthorized-force access control mode. Ports in this mode are constantly in unauthorized state: supplicant systems connected to them cannot access the network.
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form interface-list = { interface-name [ to interface-name ] } &<1-10>. The interface-name argument is the port index of an Ethernet port and takes the form interface-name = { interface-type interface-num }, in which interface-type specifies the type of the port and interface-num identifies the port number. The interface name after the keyword to must have an interface-num greater than or equal to that of the interface-name before to. &<1-10> means that up to 10 port indexes or port index lists can be provided.
Description
Use the dot1x port-control command to specify the access control mode for specified 802.1x-enabled Ethernet ports.
Use the undo dot1x port-control command to restore the default access control mode.
The default access control mode is auto.
When being executed in system view, these
two commands apply to all Ethernet ports of the switch if you do not provide
the interface-list argument. And if you specify the interface-list
argument, these commands apply to the specified Ethernet ports.
When being executed in Ethernet port view,
these two commands apply to the current Ethernet port only. In this case, the interface-list
argument is not needed.
Related command: display dot1x.
Example
# Specify Ethernet1/0/1 port to operate in unauthorized-force
access control mode.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] dot1x port-control unauthorized-force interface Ethernet 1/0/1
1.1.8 dot1x port-method
Syntax
dot1x port-method { macbased | portbased } [ interface interface-list ]
undo dot1x port-method [ interface interface-list ]
View
System view, Ethernet port view
Parameter
macbased: Authenticates supplicant systems individually by MAC address.
portbased: Authenticates supplicant systems by port: once one supplicant system on the port is authenticated, the port is open.
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form interface-list = { interface-name [ to interface-name ] } &<1-10>. The interface-name argument is the port index of an Ethernet port and takes the form interface-name = { interface-type interface-num }, in which interface-type specifies the type of the port and interface-num identifies the port number. &<1-10> means that up to 10 port indexes or port index lists can be provided.
The default access control method is MAC address-based, that is, the macbased keyword applies by default.
Description
Use the dot1x port-method
command to specify the access control method for specified Ethernet ports.
Use the undo dot1x port-method
command to revert to the default access control method.
If you specify MAC-based authentication (the macbased keyword), every supplicant system connected to the specified Ethernet ports is authenticated separately, and the logoff of one online user does not affect the others.
If you specify port-based authentication (the portbased keyword), once one supplicant system connected to a specified Ethernet port passes authentication, all other supplicant systems connected to that port can access the network without being authenticated; and when that supplicant system logs off, the network becomes inaccessible to all the others as well. On a port behind a hub or an unmanaged switch, port-based authentication therefore admits every attached host on the strength of a single authentication.
When being executed in system view, these
two commands apply to all Ethernet ports of the switch if you do not provide
the interface-list argument. And if you specify the interface-list
argument, these commands apply to the specified Ethernet ports. When being
executed in Ethernet port view, these two commands apply to the current
Ethernet port only. In this case, the interface-list argument is not
needed.
Related command: display dot1x.
Example
# Specify to authenticate supplicant
systems connected to Ethernet1/0/1 port by port numbers.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] dot1x port-method portbased interface Ethernet 1/0/1
1.1.9 dot1x quiet-period
Syntax
dot1x quiet-period
undo dot1x quiet-period
View
System view
Parameter
None
Description
Use the dot1x quiet-period
command to enable the quiet-period timer.
Use the undo dot1x quiet-period
command to disable the quiet-period timer.
When a supplicant system fails authentication, the authenticator system (such as an H3C Ethernet switch) stays quiet for a period determined by the quiet-period timer before it performs another authentication. During the quiet period, the authenticator system performs no 802.1x authentication. Enabling the timer throttles a supplicant that repeatedly fails, which limits how quickly credentials can be guessed through the switch.
By default, the quiet-period timer is disabled.
Related commands: display dot1x, dot1x
timer.
Example
# Enable the quiet-period timer.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] dot1x quiet-period
1.1.10 dot1x retry
Syntax
dot1x retry max-retry-value
undo dot1x retry
View
System view
Parameter
max-retry-value: Maximum number of times that a switch sends authentication request
packets to online supplicant systems. This argument ranges from 1 to 10 and
defaults to 2.
Description
Use the dot1x retry command
to specify the maximum number of times that a switch will send authentication
request packets to supplicant systems.
Use the undo dot1x retry
command to revert to the default value.
The default value is 2 times.
Having sent authentication request packets to
a supplicant system, a switch will resend the packets if within a preset period
it still has not received any response from the supplicant system. The dot1x
retry command is used to set the maximum number of times that a switch
will resend the request packets. When set to 1, it means that the switch will
only send request packets once, and 2 represents that the switch will resend
the packets once if no response comes back, and so on. This command applies to
all ports.
Related command: display dot1x.
Example
# Specify the maximum number of times that
the switch will resend authentication request packets to be 9.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] dot1x retry 9
1.1.11 dot1x retry-version-max
Syntax
dot1x retry-version-max max-retry-version-value
undo dot1x retry-version-max
View
System view
Parameter
max-retry-version-value: Maximum number of times that a switch will resend version request
packets to a supplicant system. This argument ranges from 1 to 10 and defaults
to 3.
Description
Use the dot1x retry-version-max
command to set the maximum number of times that a switch will resend version
request packets to a connected supplicant system.
Use the undo dot1x retry-version-max
command to revert to the default value.
Having sent a version request packet to the supplicant system, the switch resends the packet if it has not received a response within a preset period (determined by the client version timer). When the number set by this command has been reached and there is still no response from the supplicant system, the switch continues the authentication without sending further version requests. This command applies to all ports.
Related commands: display dot1x, dot1x
timer.
Example
# Configure the maximum number of times
that the switch will resend version request packets to be 6.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] dot1x retry-version-max 6
1.1.12 dot1x supp-proxy-check
Syntax
dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]
undo dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]
View
System view, Ethernet port view
Parameter
logoff: Disconnects a supplicant system if it logs in through a proxy or through multiple network cards.
trap: Sends Trap packets if a supplicant system logs in through a proxy or through multiple network cards.
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form interface-list = { interface-name [ to interface-name ] } &<1-10>. The interface-name argument is the port index of an Ethernet port and takes the form interface-name = { interface-type interface-num }, in which interface-type specifies the type of the port and interface-num identifies the port number. The interface name after the keyword to must have an interface-num greater than or equal to that of the interface-name before to. &<1-10> means that up to 10 port indexes or port index lists can be provided.
Description
Use the dot1x supp-proxy-check
command to enable proxy checking for specified ports.
Use the undo dot1x supp-proxy-check command
to disable proxy checking for specified ports.
By default, proxy checking is disabled for
all Ethernet ports.
802.1x proxy checking checks for:
- Supplicant systems logging in through proxies
- Supplicant systems logging in through IE proxies
- Supplicant systems logging in through multiple network cards (that is, a supplicant system that has more than one active network card when it attempts to log in)
A switch may take one of the following actions in response to any of the above three cases:
- Disconnect the supplicant system without sending Trap packets (the dot1x supp-proxy-check logoff command)
- Send Trap packets without disconnecting the supplicant system (the dot1x supp-proxy-check trap command)
This function needs the support of the 802.1x client and CAMS:
- The 802.1x supplicant system must be able to detect whether the client uses multiple network cards, a proxy, or an IE proxy.
- CAMS must have the use of multiple network cards, a proxy server, and an IE proxy server disabled.
By default, an 802.1x supplicant system allows the use of multiple network cards, proxies, and IE proxies. If CAMS has these features disabled, it notifies the 802.1x supplicant system to disable the corresponding features after the latter has passed authentication.
- The supplicant system proxy checking function needs the support of H3C's 802.1x client program (iNode).
- The supplicant system proxy checking function takes effect only after it has been enabled on CAMS and the client version checking function has been enabled on the switch (using the dot1x version-check command).
Because the detection is performed by the client software and reported to the switch, proxy checking is a policy control for managed clients, not a defense against a supplicant that does not run the iNode client.
In system view, execution of the dot1x
supp-proxy-check command enables the supplicant system proxy checking
function for specified ports if the interface-list argument is provided;
otherwise it enables the function globally. In Ethernet port view, only the
current port can have the function enabled by executing the dot1x
supp-proxy-check command and the interface-list argument is not needed.
After enabling the proxy checking in system
view, you also need to enable this function on specific ports for the function
to take effect on these ports.
Related command: display dot1x.
Example
# Configure the switch to disconnect any supplicant system connected to Ethernet1/0/1 through Ethernet1/0/8 that is detected logging in through a proxy.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] dot1x supp-proxy-check logoff
[H3C] dot1x supp-proxy-check logoff interface Ethernet 1/0/1 to Ethernet 1/0/8
# Configure the switch to send Trap packets if a supplicant system connected to Ethernet1/0/9 is detected logging in through a proxy.
[H3C] dot1x supp-proxy-check trap
[H3C] dot1x supp-proxy-check trap interface Ethernet 1/0/9
Or
[H3C] dot1x supp-proxy-check trap
[H3C] interface Ethernet 1/0/9
[H3C-Ethernet1/0/9] dot1x supp-proxy-check trap
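Several commands in this chapter only take effect in combination: 802.1x must be enabled both globally and on the port, the Guest VLAN needs port-based authentication and conflicts with dot1x dhcp-launch, and proxy checking needs both the system-view command and dot1x version-check. The following Python linter is an added example, not H3C code: it reads system-view command lines in the syntax shown in this chapter and reports the combinations the chapter says are ineffective or weak, together with out-of-range values for dot1x max-user, dot1x retry and dot1x retry-version-max. Both sample configurations are constructed, and port-view blocks are not parsed.

```python
"""Lint a flat set of system-view 802.1x commands against the dependencies
this chapter states (global vs. port enable, Guest VLAN, proxy checking,
argument ranges). Added example; the sample configurations are constructed."""
import re

# A weak configuration, constructed to trip every check below.
SAMPLE_CONFIG = """\
dot1x authentication-method pap
dot1x interface Ethernet 1/0/1 to Ethernet 1/0/8
dot1x port-method portbased interface Ethernet 1/0/1
dot1x guest-vlan 10
dot1x dhcp-launch
dot1x supp-proxy-check logoff interface Ethernet 1/0/1 to Ethernet 1/0/8
dot1x port-control authorized-force interface Ethernet 1/0/2
dot1x max-user 300 interface Ethernet 1/0/3
dot1x retry 11
"""

# The same intent with each problem corrected (constructed).
HARDENED_CONFIG = """\
dot1x
dot1x authentication-method eap
dot1x interface Ethernet 1/0/1 to Ethernet 1/0/8
dot1x version-check interface Ethernet 1/0/1 to Ethernet 1/0/8
dot1x supp-proxy-check logoff
dot1x supp-proxy-check logoff interface Ethernet 1/0/1 to Ethernet 1/0/8
dot1x max-user 32 interface Ethernet 1/0/1 to Ethernet 1/0/8
"""

# Argument ranges given in this chapter.
RANGES = {"max-user": (1, 256), "retry": (1, 10), "retry-version-max": (1, 10)}


def lint_dot1x(config):
    """Return (command, finding) pairs. Assumes system-view one-liners, as in
    the manual's examples; commands entered in port view are not parsed."""
    lines = [l.strip() for l in config.splitlines() if l.strip().startswith("dot1x")]

    def has(prefix, exact=False):
        return any(l == prefix if exact else l.startswith(prefix) for l in lines)

    findings = []
    # Port-level enable is inert until 802.1x is enabled globally.
    if has("dot1x interface") and not has("dot1x", exact=True):
        findings.append(("dot1x interface", "802.1x is not enabled globally; per-port enables take no effect"))
    if has("dot1x authentication-method pap"):
        findings.append(("dot1x authentication-method pap", "PAP sends passwords to RADIUS in plain text"))
    if has("dot1x guest-vlan"):
        if has("dot1x dhcp-launch"):
            findings.append(("dot1x guest-vlan", "Guest VLAN is unavailable while dot1x dhcp-launch is set"))
        if not has("dot1x port-method portbased"):
            findings.append(("dot1x guest-vlan", "Guest VLAN works only with port-based authentication"))
    # Proxy checking needs the system-view command and version checking.
    for action in ("logoff", "trap"):
        cmd = f"dot1x supp-proxy-check {action}"
        if has(cmd + " interface"):
            if not has(cmd, exact=True):
                findings.append((cmd, "proxy checking must also be enabled in system view"))
            if not has("dot1x version-check"):
                findings.append((cmd, "proxy checking needs dot1x version-check on the switch"))
    if has("dot1x port-control authorized-force"):
        findings.append(("dot1x port-control authorized-force", "force-authorized ports admit hosts without authentication"))
    # Out-of-range values are rejected by the switch; catch them offline.
    for l in lines:
        m = re.match(r"dot1x (retry-version-max|max-user|retry) (\d+)", l)
        if m:
            lo, hi = RANGES[m.group(1)]
            if not lo <= int(m.group(2)) <= hi:
                findings.append((l, f"{m.group(1)} must be in {lo}..{hi}"))
    return findings
```

Run lint_dot1x() over the dot1x lines of a saved configuration before pushing it; the hardened sample produces no findings, the weak one produces eight.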
1.1.13 dot1x timer
Syntax
dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | tx-period tx-period-value | supp-timeout supp-timeout-value | server-timeout server-timeout-value | ver-period ver-period-value }
undo dot1x timer { handshake-period | quiet-period | tx-period | supp-timeout | server-timeout | ver-period }
View
System view
Parameter
tx-period: Transmission period timer, started when the switch sends a Request/Identity packet (asking for the user name, or the user name and password) to the supplicant system. If no response has come back from the supplicant system when the period expires, the switch resends the Request/Identity packet.
tx-period-value: Value of the transmission period timer, in seconds, in the range 10 to 120. The default is 30.
supp-timeout: Supplicant timeout timer, started when the switch sends a Request/Challenge packet (carrying the MD5 challenge) to the supplicant system. If no response has come back from the supplicant system when the period expires, the switch resends the Request/Challenge packet.
supp-timeout-value: Value of the supplicant timeout timer, in seconds, in the range 10 to 120. The default is 30.
server-timeout: Server timeout timer. If no response has come back from the authentication server when the period expires, the switch resends the Request/Identity packet.
server-timeout-value: Value of the server timeout timer, in seconds, in the range 100 to 300. The default is 100.
handshake-period: Handshake period timer, started after a user has passed authentication. It sets the interval at which the switch sends handshake request packets to check whether the user is still online. If after N retries (N as set by the dot1x retry command) the switch still has received no response from the supplicant system, it considers the user offline.
handshake-period-value: Value of the handshake period timer, in seconds, in the range 1 to 1024. The default is 15.
quiet-period: Quiet period timer, started after a user fails authentication. Once the period has elapsed, the user can send a new authentication request; during the period, the switch performs no authentication.
quiet-period-value: Value of the quiet period timer, in seconds, in the range 10 to 120. The default is 60.
ver-period: Client version checking period timer. If no response has come back from the supplicant system when the period expires, the switch resends the client version checking request packet.
ver-period-value: Value of the client version checking period timer, in seconds, in the range 1 to 30. The default is 30.
Description
Use the dot1x timer command to set a specified 802.1x timer.
Use the undo dot1x timer command to restore the default value of a specified 802.1x timer.
During an 802.1x authentication process, multiple timers are started to make the supplicant systems, the authenticator systems and the authentication servers interact in an orderly way. You can use the dot1x timer command to adjust these timers as needed, which may be necessary in certain situations or in difficult network environments. Normally the defaults are recommended. (Note that some timers cannot be adjusted.)
Related command: display dot1x.
Example
# Set the server-timeout to 150 seconds.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] dot1x timer server-timeout 150
1.1.14 dot1x version-check
Syntax
dot1x version-check [ interface interface-list ]
undo dot1x version-check [ interface interface-list ]
View
System view, Ethernet port view
Parameter
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form interface-list = { interface-name [ to interface-name ] } &<1-10>. The interface-name argument is the port index of an Ethernet port and takes the form interface-name = { interface-type interface-num }, in which interface-type specifies the type of the port and interface-num identifies the port number. The interface name after the keyword to must have an interface-num greater than or equal to that of the interface-name before to. &<1-10> means that up to 10 port indexes or port index lists can be provided.
Description
Use the dot1x version-check command
to enable 802.1x client version checking for specified Ethernet ports.
Use the undo dot1x version-check
command to disable 802.1x client version checking for specified Ethernet ports.
By default, 802.1x client version checking
is disabled on all Ethernet ports.
In system view, the dot1x version-check command enables client version checking for the specified ports if the interface-list argument is provided; otherwise it enables the function globally. In Ethernet port view, the command enables client version checking for the current port only, and the interface-list argument is not needed.
Example
# Configure Ethernet1/0/1 port to check the
version of the 802.1x client upon receiving authentication packets.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] interface Ethernet1/0/1
[H3C-Ethernet1/0/1] dot1x version-check
1.1.15 reset dot1x statistics
Syntax
reset dot1x statistics [ interface interface-list ]
View
User view
Parameter
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form interface-list = { interface-name [ to interface-name ] } &<1-10>. The interface-name argument is the port index of an Ethernet port and takes the form interface-name = { interface-type interface-num }, in which interface-type specifies the type of the port and interface-num identifies the port number. The interface name after the keyword to must have an interface-num greater than or equal to that of the interface-name before to. &<1-10> means that up to 10 port indexes or port index lists can be provided.
Description
Use the reset dot1x statistics command to clear 802.1x-related statistics.
Without the interface-list argument, the command clears statistics globally and on all ports; with it, only the statistics on the specified ports are cleared.
Related command: display dot1x.
Example
# Clear 802.1x-related statistics on
Ethernet1/0/1 port.
<H3C> reset dot1x statistics interface Ethernet 1/0/1