Chapter 1 MAC Address Authentication Configuration Commands
1.1.1 display mac-authentication
Syntax
display mac-authentication [ interface interface-list ]
View
Any view
Parameters
interface interface-list: List of Ethernet ports. You can specify multiple Ethernet ports by providing this argument in the form interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes or port index ranges for this argument.
Description
Use the display mac-authentication command to display information about MAC address authentication.
Examples
# Display the global information about MAC address authentication.
<Sysname> display mac-authentication
Mac address authentication is Enabled.
Authentication mode is UsernameAsMacAddress
Usernameformat:with-hyphen lowercase
Fixed password:not configured
Offline detect period is 300s
Quiet period is 60 second(s).
Server response timeout value is 100s
Guest VLAN re-authenticate period is 30s
Max allowed user number is 1024
Current user number amounts to 1
Current domain: not configured, use default domain
Silent Mac User info:
MAC ADDR          From Port        Port Index
0016-e0be-e201    Ethernet1/0/2    1(vlan:1)
--- 1 silent mac address(es) found. ---
Ethernet1/0/1 is link-up
MAC address authentication is Enabled
max-auth-num is 256
Guest VLAN is 2
Authenticate success: 1, failed: 0
Current online user number is 1
MAC ADDR          Authenticate state           AuthIndex
000d-88f8-4e71    MAC_AUTHENTICATOR_SUCCESS    0
……(The following is omitted)
Table 1-1 Description on the fields of the display mac-authentication command
| Field | Description |
| Mac address authentication is Enabled | MAC address authentication is enabled globally. |
| Authentication mode | Username type used in MAC address authentication: UsernameFixed uses the fixed username for authentication; UsernameAsMacAddress uses the MAC address of the user as the username for authentication. The default is UsernameAsMacAddress. |
| Fixed password | The meaning of this field varies by the username type: if the username type is MAC address, the field indicates whether a fixed password is used for authentication (not configured by default, which means the MAC address of the user is used as the password); if the username type is fixed username, the field indicates whether a fixed password is configured (not configured by default, which means the password is null). |
| Fixed password | Password used in the fixed mode, not configured by default. |
| Offline detect period | Offline detect timer, which sets the interval at which the switch checks whether a user has gone offline. Defaults to 300 seconds. |
| Quiet period | Quiet timer, which sets the quiet period the switch observes after a user fails MAC address authentication. Defaults to 60 seconds. |
| Server response timeout value | Server timeout timer, which sets the timeout for the connection between the switch and the RADIUS server. Defaults to 100 seconds. |
| Guest VLAN re-authenticate period | Re-authenticate timer, which sets the interval at which users in the Guest VLAN are re-authenticated. Defaults to 30 seconds. |
| Max allowed user number | Maximum number of users supported by the switch; 1,024 by default. |
| Current user number amounts to | Current number of users. |
| Current domain | Current ISP domain; not configured by default. |
| Silent Mac User info | Information about silent users. When a user fails MAC address authentication because of an incorrect username or password, the switch places the user in quiet state; during the quiet period the switch does not process authentication requests from that user. |
| Ethernet1/0/1 is link-up | The link on port Ethernet1/0/1 is up. |
| MAC address authentication is Enabled | MAC address authentication is enabled on port Ethernet1/0/1. |
| max-auth-num | Maximum number of MAC address authentication users the port can accommodate. |
| Guest VLAN | Guest VLAN of the port. |
| Authenticate success: 1, failed: 0 | Statistics of the MAC address authentications performed on the port: the numbers of successful and failed authentication operations. |
| Current online user number | Number of users currently accessing the network through the port. |
| MAC ADDR | MAC address of the peer. |
| Authenticate state | State of the user accessing the network through the port: MAC_AUTHENTICATOR_CONNECTING (connecting), MAC_AUTHENTICATOR_SUCCESS (authentication passed), MAC_AUTHENTICATOR_FAILURE (failed to pass authentication), MAC_AUTHENTICATOR_LOGOFF (offline). |
| AuthIndex | Index of the current MAC address with regard to the authentication port. |
1.1.2 mac-authentication
Syntax
mac-authentication
undo mac-authentication
View
System view, Ethernet port view
Parameters
None
Description
Use the mac-authentication command to enable MAC address authentication globally or on the current port.
Use the undo mac-authentication command to disable MAC address authentication globally or on the current port.
By default, MAC address authentication is disabled both globally and on a port.
When executed in system view, the mac-authentication command enables MAC address authentication globally. When executed in Ethernet port view, it enables MAC address authentication on the current port.
For MAC address authentication to take effect, you must enable it both globally and on the relevant ports.
You can configure MAC address authentication on a port before enabling it globally; however, the configuration does not take effect until MAC address authentication is enabled globally.
Examples
# Enable MAC address authentication globally.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] mac-authentication
MAC-Authentication is enabled globally.
# Enable MAC address authentication on port Ethernet 1/0/1.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] mac-authentication
1.1.3 mac-authentication interface
Syntax
mac-authentication interface interface-list
undo mac-authentication interface interface-list
View
System view
Parameters
interface-list: List of Ethernet ports. You can specify multiple Ethernet ports by providing this argument in the form interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes or port index ranges for this argument.
Description
Use the mac-authentication interface command to enable MAC address authentication on the specified port(s).
Use the undo mac-authentication interface command to disable MAC address authentication on the specified port(s).
By default, MAC address authentication is disabled on a port.
- This command is required for MAC address authentication to work on a port or on particular ports after MAC address authentication is enabled globally.
- You cannot configure the maximum number of dynamic MAC address entries for a port (through the mac-address max-mac-count command) while MAC address authentication is enabled on it. Likewise, you cannot enable MAC address authentication on a port that has a limit on dynamic MAC addresses configured.
- If MAC address authentication is enabled on a port, you cannot add the port to an aggregation group. If a port already belongs to an aggregation group, you cannot enable MAC address authentication on it.
Examples
# Enable MAC address authentication on port Ethernet1/0/1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] mac-authentication interface Ethernet 1/0/1
1.1.4 mac-authentication authmode usernameasmacaddress
Syntax
mac-authentication authmode usernameasmacaddress [ usernameformat { with-hyphen | without-hyphen } { lowercase | uppercase } | fixedpassword password ]
undo mac-authentication authmode usernameasmacaddress [ usernameformat | fixedpassword ]
View
System view
Parameters
usernameformat: Specifies the format of the username and password.
with-hyphen: Uses MAC addresses with hyphens as usernames and passwords, for example, 00-05-e0-1c-02-e3.
without-hyphen: Uses MAC addresses without hyphens as usernames and passwords, for example, 0005e01c02e3.
lowercase: Uses lowercase MAC addresses as usernames and passwords.
uppercase: Uses uppercase MAC addresses as usernames and passwords.
fixedpassword password: Uses the specified fixed password, instead of the user MAC address, as the password for MAC address authentication. password is a string of 1 to 63 characters.
Description
Use the mac-authentication authmode usernameasmacaddress command to set the username type for MAC address authentication to MAC address and to specify the username format.
Use the undo mac-authentication authmode command to restore the default username mode.
By default, the MAC address of the user is used as both the username and the password for MAC address authentication.
Examples
# Use the MAC address as the username for MAC address authentication, with hyphenated lowercase MAC addresses as usernames and passwords.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] mac-authentication authmode usernameasmacaddress usernameformat with-hyphen lowercase
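The usernameformat and fixedpassword options decide the exact credential the switch submits to the RADIUS server for a client, so the account the server holds for each permitted MAC address must be spelled the same way. The following Python helper is added here as an example and is not part of the original manual: it derives the (username, password) pair from a MAC address for each combination of with-hyphen/without-hyphen, lowercase/uppercase and fixedpassword, and enforces the 1 to 63 character limit stated for the fixedpassword argument. Its defaults (with-hyphen lowercase, no fixed password) follow the page's example rather than a documented switch default, and the set of input notations it accepts is the helper's own assumption.

```python
import re
from typing import Optional, Tuple


def canonical_mac(mac: str) -> str:
    """Accept 00:05:e0:1c:02:e3, 00-05-E0-1C-02-E3, 0005-e01c-02e3 or 0005e01c02e3
    (assumed input notations) and return the 12 hex digits in lowercase."""
    digits = re.sub(r"[-:.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


def mac_auth_credential(mac: str, with_hyphen: bool = True, lowercase: bool = True,
                        fixed_password: Optional[str] = None) -> Tuple[str, str]:
    """Username and password the switch submits for a client under
    authmode usernameasmacaddress with the given usernameformat / fixedpassword settings.
    Defaults mirror the page's example (with-hyphen lowercase, no fixed password)."""
    hexd = canonical_mac(mac)
    # with-hyphen: two hex digits per group, e.g. 00-05-e0-1c-02-e3; without-hyphen: 0005e01c02e3
    username = "-".join(hexd[i:i + 2] for i in range(0, 12, 2)) if with_hyphen else hexd
    if not lowercase:
        username = username.upper()
    if fixed_password is None:
        return username, username            # the MAC address doubles as the password
    if not 1 <= len(fixed_password) <= 63:   # limit stated for the fixedpassword argument
        raise ValueError("fixedpassword must be 1 to 63 characters")
    return username, fixed_password


if __name__ == "__main__":
    for opts in ({}, {"with_hyphen": False}, {"lowercase": False},
                 {"fixed_password": "newmac"}):
        print(opts, "->", mac_auth_credential("00:05:E0:1C:02:E3", **opts))
```

Running the block prints the four credential forms for the page's example address; use the same function over the list of permitted client MACs to generate the RADIUS user entries that must exist for authentication to succeed.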
1.1.5 mac-authentication authmode usernamefixed
Syntax
mac-authentication authmode usernamefixed
undo mac-authentication authmode
View
System view
Parameters
None
Description
Use the mac-authentication authmode usernamefixed command to set the username type for MAC address authentication to fixed username.
Use the undo mac-authentication authmode command to restore the default username mode for MAC address authentication.
By default, the MAC address mode is used.
Examples
# Use a fixed username for MAC address authentication.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] mac-authentication authmode usernamefixed
1.1.6 mac-authentication authpassword
Syntax
mac-authentication authpassword password
undo mac-authentication authpassword
View
System view
Parameters
password: Password to be set, a string of 1 to 63 characters.
Description
Use the mac-authentication authpassword command to set the password for MAC address authentication when the fixed username mode is used.
Use the undo mac-authentication authpassword command to remove the configured password.
By default, no password is configured.
Examples
# Set the password to newmac.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] mac-authentication authpassword newmac
1.1.7 mac-authentication authusername
Syntax
mac-authentication authusername username
undo mac-authentication authusername
View
System view
Parameters
username: Username used in authentication, a string of 1 to 55 characters.
Description
Use the mac-authentication authusername command to set the username used in fixed username mode.
Use the undo mac-authentication authusername command to restore the default username.
By default, the username in fixed mode is "mac".
Examples
# Set the username in fixed mode to vipuser.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] mac-authentication authusername vipuser
1.1.8 mac-authentication domain
Syntax
mac-authentication domain isp-name
undo mac-authentication domain
View
System view
Parameters
isp-name: ISP domain name, a string of 1 to 128 characters. This argument cannot be null and cannot contain any of the characters "/", ":", "*", "?", "<", and ">".
Description
Use the mac-authentication domain command to configure the ISP domain used for MAC address authentication.
Use the undo mac-authentication domain command to restore the default ISP domain for MAC address authentication.
By default, no ISP domain is configured for MAC address authentication, and the default domain is used as the ISP domain.
Examples
# Set the domain for MAC address authentication to aabbcc.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] mac-authentication domain aabbcc
1.1.9 mac-authentication timer
Syntax
mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | server-timeout server-timeout-value }
undo mac-authentication timer { offline-detect | quiet | server-timeout }
View
System view
Parameters
offline-detect-value: Offline detect timer setting in seconds, in the range of 1 to 65,535; defaults to 300. The offline detect timer sets the interval at which the switch checks whether a user has gone offline.
quiet-value: Quiet timer setting in seconds, in the range of 1 to 3,600; defaults to 60. After a user fails the authentication performed by the switch, the switch waits for this period (the quiet period) before authenticating the user again.
server-timeout-value: Server timeout timer setting in seconds, in the range of 1 to 65,535; defaults to 100. During authentication, the switch denies the user access to the network if the connection between the switch and the RADIUS server times out.
Description
Use the mac-authentication timer command to configure the timers used in MAC address authentication.
Use the undo mac-authentication timer command to restore a timer to its default setting.
Related commands: display mac-authentication.
Examples
# Set the server timeout timer to 150 seconds.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] mac-authentication timer server-timeout 150
1.1.10 reset mac-authentication
Syntax
reset mac-authentication statistics [ interface interface-list ]
View
User view
Parameters
interface-list: List of Ethernet ports. You can specify multiple Ethernet ports by providing this argument in the form interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes or port index ranges for this argument.
Description
Use the reset mac-authentication statistics command to clear the MAC address authentication statistics. With the interface keyword specified, the command clears the MAC address authentication statistics of the specified port(s); without it, the command clears the global MAC address authentication statistics.
Examples
# Clear the MAC address authentication statistics for port Ethernet 1/0/1.
<Sysname> reset mac-authentication statistics interface Ethernet 1/0/1
1.1.11 mac-authentication guest-vlan
Syntax
mac-authentication guest-vlan vlan-id
undo mac-authentication guest-vlan
View
Ethernet port view
Parameters
vlan-id: ID of the guest VLAN configured for the current port, in the range of 1 to 4,094.
Description
Use the mac-authentication guest-vlan command to configure a guest VLAN for the current port. If the client connected to the port fails authentication, the port is added to the guest VLAN, so that users accessing the port can reach the network resources in the guest VLAN.
Use the undo mac-authentication guest-vlan command to remove the guest VLAN configuration for the port.
By default, no guest VLAN is configured for a port.
The system re-authenticates users in the guest VLAN at the interval configured by the mac-authentication timer guest-vlan-reauth command. If the user of a port passes authentication, the port leaves the guest VLAN and returns to its initially configured VLAN.
Caution:
- If more than one client is connected to a port, you cannot configure a Guest VLAN for this port.
- When a Guest VLAN is configured for a port, only one MAC address authentication user can access the port. Even if you set the limit on the number of MAC address authentication users to more than one, that configuration does not take effect.
- The undo vlan command cannot be used to remove the VLAN configured as a Guest VLAN. To remove this VLAN, you must first remove the Guest VLAN configuration for it. Refer to the VLAN module in this manual for the description of the undo vlan command.
- Only one Guest VLAN can be configured for a port, and the VLAN configured as the Guest VLAN must be an existing VLAN; otherwise, the Guest VLAN configuration does not take effect. To change the Guest VLAN for a port, you must remove the current Guest VLAN and then configure a new one for this port.
- 802.1x authentication cannot be enabled on a port configured with a Guest VLAN.
- The Guest VLAN function for MAC address authentication does not take effect when port security is enabled.
Related commands: mac-authentication timer guest-vlan-reauth.
Examples
# Configure VLAN 4 as the Guest VLAN for Ethernet 1/0/1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] mac-authentication guest-vlan 4
1.1.12 mac-authentication intrusion-mode block-mac enable
Syntax
mac-authentication intrusion-mode block-mac enable
undo mac-authentication intrusion-mode block-mac enable
View
Ethernet port view
Parameters
None
Description
Use the mac-authentication intrusion-mode block-mac enable command to enable the quiet MAC function on a port. When this function is enabled, a MAC address connected to the port is set as a quiet MAC address if its authentication fails. When this function is disabled, the MAC address does not become quiet regardless of whether its authentication fails.
Use the undo mac-authentication intrusion-mode block-mac enable command to disable the quiet MAC function on a port.
By default, the quiet MAC function is enabled on a port.
Examples
# Enable the quiet MAC function on port Ethernet 1/0/1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] mac-authentication intrusion-mode block-mac enable
1.1.13 mac-authentication max-auth-num
Syntax
mac-authentication max-auth-num user-number
undo mac-authentication max-auth-num
View
Ethernet port view
Parameters
user-number: Maximum number of MAC address authentication users allowed to access a port, in the range of 1 to 256.
Description
Use the mac-authentication max-auth-num command to configure the maximum number of MAC address authentication users allowed to access the port. Once the number of access users exceeds the configured maximum, the switch does not trigger MAC address authentication for subsequent access users, so these users cannot access the network normally.
Use the undo mac-authentication max-auth-num command to restore the maximum number of MAC address authentication users allowed to access the port to the default value.
By default, the maximum number of MAC address authentication users allowed to access a port is 256.
Caution:
- If both a limit on the number of MAC address authentication users and a limit on the number of users in the port security function are configured for a port, the smaller of the two limits is adopted as the maximum number of MAC address authentication users allowed to access this port. Refer to the Port Security module in this manual for the description of the port security function.
- You cannot configure the maximum number of MAC address authentication users for a port while any user connected to this port is online.
Examples
# Set the maximum number of MAC address authentication users allowed to access Ethernet 1/0/2 to 100.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/2
[Sysname-Ethernet1/0/2] mac-authentication max-auth-num 100
1.1.14 mac-authentication timer guest-vlan-reauth
Syntax
mac-authentication timer guest-vlan-reauth interval
undo mac-authentication timer guest-vlan-reauth
View
System view
Parameters
interval: Interval, in seconds, at which the switch re-authenticates users in guest VLANs, in the range of 1 to 3,600.
Description
Use the mac-authentication timer guest-vlan-reauth command to configure the interval at which the switch re-authenticates users in guest VLANs. If the user of a port passes authentication, the port leaves the guest VLAN and returns to its initially configured VLAN.
Use the undo mac-authentication timer guest-vlan-reauth command to restore the re-authentication interval to the default value.
By default, the switch re-authenticates users in guest VLANs every 30 seconds.
Examples
# Configure the switch to re-authenticate users in Guest VLANs at an interval of 60 seconds.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] mac-authentication timer guest-vlan-reauth 60