interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.

Description

Use the display dot1x command to display 802.1x-related information, such as configuration information, operation information (session information), and statistics.

When the interface-list argument is not provided, this command displays 802.1x-related information about all the ports. The output information can be used to verify 802.1 x-related configurations and to troubleshoot.

Related command: reset dot1x statistics, dot1x, dot1x retry, dot1x max-user, dot1x port-control, dot1x port-method, and dot1x timer.

Example

# Display 802.1x-related information.

<Sysname> display dot1x

Global 802.1X protocol is enabled

CHAP authentication is enabled

DHCP-launch is disabled

Handshake is enabled

Proxy trap checker is disabled

Proxy logoff checker is disabled

EAD Quick Deploy is enabled

Configuration: Transmit Period 30 s, Handshake Period 15 s

ReAuth Period 3600 s, ReAuth MaxTimes 2

Quiet Period 60 s, Quiet Period Timer is disabled

Supp Timeout 30 s, Server Timeout 100 s

Interval between version requests is 30s

Maximal request times for version information is 3

The maximal retransmitting times 2

EAD Quick Deploy configuration:

Url: http: //192.168.19.23

Free-ip: 192.168.19.0 255.255.255.0

Acl-timeout: 30 m

Total maximum 802.1x user resource number is 1024

Total current used 802.1x resource number is 1

Ethernet1/0/1 is link-up

802.1X protocol is enabled

Proxy trap checker is disabled

Proxy logoff checker is disabled

Version-Check is disabled

The port is an authenticator

Authentication Mode is Auto

Port Control Type is Port-based

ReAuthenticate is disabled

Max number of on-line users is 256

Authentication Success: 4, Failed: 2

EAPOL Packets: Tx 7991, Rx 14

Sent EAP Request/Identity Packets : 7981

EAP Request/Challenge Packets: 0

Received EAPOL Start Packets : 5

EAPOL LogOff Packets: 1

EAP Response/Identity Packets : 4

EAP Response/Challenge Packets: 4

Error Packets: 0

1. Authenticated user : MAC address: 000d-88f6-44c1

Controlled User(s) amount to 1

Ethernet1/0/2

……

Table 1-1 Description on the fields of the display dot1x command

Field	Description
Equipment 802.1X protocol is enabled	802.1x protocol (802.1x for short) is enabled on the switch.
CHAP authentication is enabled	CHAP authentication is enabled.
DHCP-launch is disabled	DHCP-triggered. 802.1x authentication is disabled.
Handshake is enabled	The online user handshaking function is enabled.
Proxy trap checker is disabled	Whether or not to send Trap packets when detecting a supplicant system logs in through a proxy. l Disable means the switch does not send Trap packets when it detects that a supplicant system logs in through a proxy. l Enable means the switch sends Trap packets when it detects that a supplicant system logs in through a proxy.
Proxy logoff checker is disabled	Whether or not to disconnect a supplicant system when detecting it logs in through a proxy. l Disable means the switch does not disconnect a supplicant system when it detects that the latter logs in through a proxy. l Enable means the switch disconnects a supplicant system when it detects that the latter logs in through a proxy.
EAD Quick Deploy is enabled	Quick EAD deployment is enabled.
Transmit Period	Setting of the Transmission period timer (the tx-period)
Handshake Period	Setting of the handshake period timer (the handshake-period)
ReAuth Period	Re-authentication interval
ReAuth MaxTimes	Maximum times of re-authentications
Quiet Period	Setting of the quiet period timer (the quiet-period)
Quiet Period Timer is disabled	The quiet period timer is disabled here. It can also be configured as enabled when necessary.
Supp Timeout	Setting of the supplicant timeout timer (supp-timeout)
Server Timeout	Setting of the server-timeout timer (server-timeout)
The maximal retransmitting times	The maximum number of times that a switch can send authentication request packets to a supplicant system
Url	URL for HTTP redirection
Free-ip	Free IP range that users can access before passing authentication
Acl-timeout	ACL timeout period
Total maximum 802.1x user resource number	The maximum number of 802.1x users that a switch can accommodate
Total current used 802.1x resource number	The number of online supplicant systems
Ethernet1/0/1 is link-down	Ethernet 1/0/1 port is down.
802.1X protocol is disabled	802.1x is disabled on the port
Proxy trap checker is disabled	Whether or not to send Trap packets when detecting a supplicant system in logging in through a proxy. l Disable means the switch does not send Trap packets when it detects that a supplicant system logs in through a proxy. l Enable means the switch sends Trap packets when it detects that a supplicant system logs in through a proxy.
Proxy logoff checker is disabled	Whether or not to disconnect a supplicant system when detecting it in logging in through a proxy. l Disable means the switch does not disconnect a supplicant system when it detects that the latter logs in through a proxy. l Enable means the switch disconnects a supplicant system when it detects that the latter logs in through a proxy.
Version-Check is disabled	Whether or not the client version checking function is enabled: l Disable means the switch does not checks client version. l Enable means the switch checks client version.
The port is an authenticator	The port acts as an authenticator system.
Authentication Mode is Auto	The port access control mode is Auto.
Port Control Type is Mac-based	The access control method of the port is MAC-based. That is, supplicant systems are authenticated based on their MAC addresses.
ReAuthenticate is disabled	ReAuthenticate is disabled
Max number of on-line users	The maximum number of online users that the port can accommodate
…	Information omitted here

1.1.2 dot1x

Syntax

dot1x [ interface interface-list ]

undo dot1x [ interface interface-list ]

View

System view, Ethernet port view

Parameter

Description

Use the dot1x command to enable 802.1x globally or for specified Ethernet ports.

Use the undo dot1x command to disable 802.1x globally or for specified Ethernet ports.

By default, 802.1x is disabled globally and also on all ports.

In system view:

l If you do not provide the interface-list argument, the dot1x command enables 802.1x globally.

l If you specify the interface-list argument, the dot1x command enables 802.1x for the specified Ethernet ports.

In Ethernet port view, the interface-list argument is not available and the command enables 802.1x for only the current Ethernet port.

802.1x-related configurations take effect on a port only after 802.1x is enabled both globally and on the port.

& Note:

l Configurations of 8021.x and the maximum number of MAX addresses that can be learnt are mutually exclusive. That is, when 802.1x is enabled for a port, it cannot also have the maximum number of MAX addresses to be learned configured at the same time. Conversely, if you configure the maximum number of MAX addresses that can be learnt for a port, 802.1x is unavailable to it.

l If you enable 802.1x for a port, it is not available to add the port to an aggregation group. Meanwhile, if a port has been added to an aggregation group, it is prohibited to enable 802.1x for the port.

Related command: display dot1x.

Example

# Enable 802.1x for Ethernet1/0/1 port.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x interface Ethernet 1/0/1

# Enable 802.1x globally.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x

1.1.3 dot1x authentication-method

Syntax

dot1x authentication-method { chap | pap | eap }

undo dot1x authentication-method

View

System view

Parameter

chap: Authenticates using challenge handshake authentication protocol (CHAP).

pap: Authenticates using password authentication protocol (PAP).

eap: Authenticates using extensible authentication protocol (EAP).

Description

Use the dot1x authentication-method command to set the 802.1x authentication method.

Use the undo dot1x authentication-method command to revert to the default 802.1x authentication method.

The default 802.1x authentication method is CHAP.

PAP applies a two-way handshaking procedure. In this method, passwords are transmitted in plain text.

CHAP applies a three-way handshaking procedure. In this method, user names are transmitted rather than passwords. Therefore this method is safer.

In EAP authentication, a switch authenticates supplicant systems by encapsulating 802.1x authentication information in EAP packets and sending the packets to the RADIUS server, instead of converting the packets into RADIUS packets before forwarding to the RADIUS server. You can use EAP authentication in one of the four sub-methods: PEAP, EAP-TLS, EAP-TTLS and EAP-MD5.

Related command: display dot1x.

& Note:

When the current device operates as the authentication server, EAP authentication is unavailable.

Example

# Specify the authentication method to be PAP.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x authentication-method pap

1.1.4 dot1x dhcp-launch

Syntax

dot1x dhcp-launch

undo dot1x dhcp-launch

View

System view

Parameter

None

Description

Use the dot1x dhcp-launch command to specify an 802.1x-enabled switch to launch the process to authenticate a supplicant system when the supplicant system applies for a dynamic IP address through DHCP.

Use the undo dot1x dhcp-launch command to disable an 802.1x-enabled switch from authenticating a supplicant system when the supplicant system applies for a dynamic IP address through DHCP.

By default, an 802.1x-enabled switch does not authenticate a supplicant system when the latter applies for a dynamic IP address through DHCP.

Related command: display dot1x.

Example

# Configure to authenticate a supplicant system when it applies for a dynamic IP address through DHCP.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x dhcp-launch

1.1.5 dot1x guest-vlan

Syntax

dot1x guest-vlan vlan-id [ interface interface-list ]

undo dot1x guest-vlan [ interface interface-list ]

View

System view, Ethernet port view

Parameter

vlan-id: VLAN ID of a Guest VLAN, in the range 1 to 4094.

Description

Use the dot1x guest-vlan command to enable the Guest VLAN function for ports.

Use the undo dot1x guest-vlan command to disable the Guest VLAN function for ports.

After 802.1x and guest VLAN are properly configured on a port:

l If the switch receives no response from the port after sending EAP-Request/Identity packets to the port for the maximum number of times, the switch will add the port to the guest VLAN.

l Users in a guest VLAN can access the guest VLAN resources without 802.1x authentication. However, they have to pass the 802.1x authentication to access the external resources.

In system view,

l If you do not provide the interface-list argument, these two commands apply to all the ports of the switch.

l If you specify the interface-list argument, these two commands apply to the specified ports.

In Ethernet port view, the interface-list argument is not available and these two commands apply to only the current Ethernet port.

Caution:

l The Guest VLAN function is available only when the switch operates in the port-based authentication mode.

l Only one Guest VLAN can be configured on a switch.

l The Guest VLAN function is unavailable when the dot1x dhcp-launch command is executed on the switch, because the switch does not send authentication request packets in this case.

Example

# Configure the switch to operate in the port-based authentication mode.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x port-method portbased

# Enable the Guest VLAN function for all the ports.

[Sysname] dot1x guest-vlan 1

1.1.6 dot1x handshake

Syntax

dot1x handshake enable

undo dot1x handshake enable

View

System view

Parameter

None

Description

Use the dot1x handshake enable command to enable the online user handshaking function.

Use the undo dot1x handshake enable command to disable the online user handshaking function.

By default, the online user handshaking function is enabled.

Caution:

l To enable the proxy detecting function, you need to enable the online user handshaking function first.

l Handshaking packets need the support of the H3C-proprietary client. They are used to test whether or not a user is online.

l As clients that are not of H3C do not support the online user handshaking function, switches cannot receive handshaking acknowledgement packets from them in handshaking periods. To prevent users being falsely considered offline, you need to disable the online user handshaking function in this case.

Example

# Enable the online user handshaking function.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x handshake enable

1.1.7 dot1x handshake secure

Syntax

dot1x handshake secure

undo dot1x handshake secure

View

Ethernet port view

Parameter

None

Description

Use the dot1x handshake secure command to enable the handshaking packet secure function, preventing the device from attacks resulted from simulating clients.

Use the undo dot1x handshake secure command to disable the handshaking packet secure function.

By default, the handshaking packet secure function is disabled.

Caution:

For the handshaking packet secure function to take effect, the clients that enable the function need to cooperate with the authentication server. If either the clients or the authentication server does not support the function, disabling the handshaking packet secure function is needed.

Example

# Enable the handshaking packet secure function.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] interface Ethernet 1/0/1

[Sysname-Ethernet1/0/1] dot1x handshake secure

1.1.8 dot1x max-user

Syntax

dot1x max-user user-number [ interface interface-list ]

undo dot1x max-user [ interface interface-list ]

View

System view, Ethernet port view

Parameter

user-number: Maximum number of users a port can accommodate, in the range 1 to 256.

Description

Use the dot1x max-user command to set the maximum number of users an Ethernet port can accommodate.

Use the undo dot1x max-user command to revert to the default maximum user number.

By default, a port can accommodate up to 256 users.

In system view:

l If you do not provide the interface-list argument, these two commands apply to all the ports of the switch.

l If you specify the interface-list argument, these two commands apply to the specified ports.

In Ethernet port view, the interface-list argument is not available and the commands apply to only the current port.

Related command: display dot1x.

Example

# Configure the maximum number of users that Ethernet1/01 port can accommodate to be 32.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x max-user 32 interface Ethernet 1/0/1

1.1.9 dot1x port-control

Syntax

dot1x port-control { auto | authorized-force | unauthorized-force } [ interface interface-list ]

undo dot1x port-control [ interface interface-list ]

View

System view, Ethernet port view

Parameter

auto: Specifies to operate in auto access control mode. When a port operates in this mode, all the unauthenticated hosts connected to it are unauthorized. In this case, only EAPoL packets can be exchanged between the switch and the hosts. And the hosts connected to the port are authorized to access the network resources after the hosts pass the authentication. Normally, a port operates in this mode.

authorized-force: Specifies to operate in authorized-force access control mode. When a port operates in this mode, all the hosts connected to it can access the network resources without being authenticated.

unauthorized-force: Specifies to operate in unauthorized-force access control mode. When a port operates in this mode, the hosts connected to it cannot access the network resources.

Description

Use the dot1x port-control command to specify the access control mode for specified Ethernet ports.

Use the undo dot1x port-control command to revert to the default access control mode.

The default access control mode is auto.

Use the dot1x port-control command to configure the access control mode for specified 802.1x-enabled ports.

In system view:

l If you do not provide the interface-list argument, these two commands apply to all the ports of the switch.

l If you specify the interface-list argument, these commands apply to the specified ports.

In Ethernet port view, the interface-list argument is not available and the commands apply to only the current Ethernet port.

Related command: display dot1x.

Example

# Specify Ethernet1/0/1 port to operate in unauthorized-force access control mode.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x port-control unauthorized-force interface Ethernet 1/0/1

1.1.10 dot1x port-method

Syntax

dot1x port-method { macbased | portbased } [ interface interface-list ]

undo dot1x port-method [ interface interface-list ]

View

System view, Ethernet port view

Parameter

macbased: Performs MAC address-based authentication.

portbased: Performs port-based authentication.

Description

Use the dot1x port-method command to specify the access control method for specified Ethernet ports.

Use the undo dot1x port-method command to revert to the default access control method.

By default, the access control method is macbased.

This command specifies the way in which the users are authenticated.

l If you specify to authenticate users by MAC addresses (that is, executing the dot1x port-method command with the macbased keyword specified), all the users connected to the specified Ethernet ports are authenticated separately. And if an online user logs off, others are not affected.

l If you specify to authenticate supplicant systems by port numbers (that is, executing the dot1x port-method command with the portbased keyword specified), all the users connected to a specified Ethernet port are able to access the network without being authenticated if a user among them passes the authentication. And when the user logs off, the network is inaccessible to all other supplicant systems either.

l Changing the access control method on a port by the dot1x port-method command will forcibly log out the online 802.1x users on the port.

In system view:

l If you do not provide the interface-list argument, these two commands apply to all the ports of the switch.

l If you specify the interface-list argument, these commands apply to the specified ports.

In Ethernet port view, the interface-list argument is not available and the commands apply to only the current Ethernet port.

Related command: display dot1x.

Example

# Specify to authenticate users connected to Ethernet1/0/1 port by port numbers.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x port-method portbased interface Ethernet 1/0/1

1.1.11 dot1x quiet-period

Syntax

dot1x quiet-period

undo dot1x quiet-period

View

System view

Parameter

None

Description

Use the dot1x quiet-period command to enable the quiet-period timer.

Use the undo dot1x quiet-period command to disable the quiet-period timer.

When a user fails to pass the authentication, the authenticator system (such as a H3C series Ethernet switch) will stay quiet for a period (determined by the quiet-period timer) before it performs another authentication. During the quiet period, the authenticator system performs no 802.1x authentication of the user.

By default, the quiet-period timer is disabled.

Related commands: display dot1x, dot1x timer.

Example

# Enable the quiet-period timer.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x quiet-period

1.1.12 dot1x retry

Syntax

dot1x retry max-retry-value

undo dot1x retry

View

System view

Parameter

max-retry-value: Maximum number of times that a switch sends authentication request packets to a user. This argument ranges from 1 to 10.

Description

Use the dot1x retry command to specify the maximum number of times that a switch sends authentication request packets to a user.

Use the undo dot1x retry command to revert to the default value.

By default, a switch sends authentication request packets to a user for up to 2 times.

After a switch sends an authentication request packet to a user, it sends another authentication request packet if it does not receive response from the user after a specific period of time. If the switch still receives no response when the configured maximum number of authentication request transmission attempts is reached, it no long sends an authentication request packet to the user. This command applies to all ports.

Related command: display dot1x.

Example

# Specify the maximum number of times that the switch sends authentication request packets to be 9.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x retry 9

1.1.13 dot1x retry-version-max

Syntax

dot1x retry-version-max max-retry-version-value

undo dot1x retry-version-max

View

System view

Parameter

max-retry-version-value: Maximum number of times that a switch sends version request packets to a user. This argument ranges from 1 to 10.

Description

Use the dot1x retry-version-max command to set the maximum number of times that a switch sends version request packets to a user.

Use the undo dot1x retry-version-max command to revert to the default value.

By default, a switch sends version request packets to a user for up to 3 times.

After a switch sends a version request packet to a user, it sends another version request packet if it does receive response from the user after a specific period of time (as determined by the client version request timer). When the number set by this command has reached and there is still no response from the user, the switch continues the following authentication procedures without sending version requests. This command applies to all the ports with the version checking function enabled.

Related commands: display dot1x, dot1x timer.

Example

# Configure the maximum number of times that the switch sends version request packets to be 6.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x retry-version-max 6

1.1.14 dot1x re-authenticate

Syntax

dot1x re-authenticate [ interface interface-list ]

undo dot1x re-authenticate [ interface interface-list ]

View

System view/Ethernet port view

Parameter

Description

Use the dot1x re-authenticate command to enable 802.1x re-authentication on specific ports or on all ports of the switch.

Use the undo dot1x re-authenticate command to disable 802.1x re-authentication on specific ports or on all ports of the switch.

By default, 802.1x re-authentication is disabled on all ports.

In system view:

l If you do not specify the interface-list argument, this command will enable 802.1x re-authentication on all ports.

l If you specify the interface-list argument, the command will enable 802.1x on the specified ports.

In Ethernet port view, the interface-list argument is not available and 8021.x re-authentication is enabled on the current port only.

& Note:

802.1x must be enabled globally and on the current port before 802.1x re-authentication can be configured on a port.

Example

# Enable 802.1x re-authentication on port Ethernet 1/0/1.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x

802.1X is enabled globally.

[Sysname] interface Ethernet 1/0/1

[Sysname-Ethernet1/0/1] dot1x

802.1X is enabled on port Ethernet1/0/1 already.

[Sysname-Ethernet1/0/1] dot1x re-authenticate

Re-authentication is enabled on port Ethernet1/0/1

1.1.15 dot1x supp-proxy-check

Syntax

dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]

undo dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]

View

System view, Ethernet port view

Parameter

logoff: Disconnects a user upon detecting it logging in through a proxy or through multiple network adapters.

trap: Sends Trap packets upon detecting a user logging in through a proxy or through multiple network adapters.

Description

Use the dot1x supp-proxy-check command to enable 802.1x proxy checking for specified ports.

Use the undo dot1x supp-proxy-check command to disable 802.1x proxy checking for specified ports.

By default, 802.1x proxy checking is disabled on all Ethernet ports.

In system view:

l If you do not specify the interface-list argument, the configurations performed by these two commands are global.

l If you specify the interface-list argument, these two commands apply to the specified Ethernet ports.

In Ethernet port view, the interface-list argument is not available and the commands apply to only the current Ethernet port.

The proxy checking function takes effect on a port only when the function is enabled both globally and on the port.

802.1x proxy checking checks for:

l Users logging in through proxies

l Users logging in through IE proxies

l Whether or not a user logs in through multiple network adapters (that is, when the user attempts to log in, it contains more than one active network adapters.)

A switch can optionally take the following actions in response to any of the above three cases:

Table of Content

17-802.1x-System Guard Commands

Chapter 1 802.1x Configuration Commands

1.1.4 dot1x dhcp-launch

1.1.5 dot1x guest-vlan

1.1.10 dot1x port-method

1.1.14 dot1x re-authenticate