1.1.1 display dot1x
Syntax
display dot1x [ sessions | statistics ] [ interface interface-list ]
View
Any view
Parameter
sessions: Displays 802.1x session information.
statistics: Displays 802.1x statistics.
interface interface-list: Ethernet interface list,
in the format of { interface-type interface-number [ to interface-type
interface-number ] }&<1-10>, where &<1-10> indicates
that you can specify up to 10 port ranges. A port range defined without the to
interface-type interface-num portion comprises only one port.
Description
Use the display dot1x command to display 802.1x session information, statistics, or configuration information for the specified ports or for all ports.
Use the sessions keyword to display session information and the statistics keyword to display statistics. With neither keyword, the command displays the global 802.1x configuration followed by the per-port configuration and packet counters, which is the form to use when checking whether a port actually enforces 802.1x.
Example
# Display 802.1x configuration information of interface GigabitEthernet 1/0/1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] display dot1x interface GigabitEthernet 1/0/1
 Equipment 802.1X protocol is enabled
 CHAP authentication is enabled
 Configuration: Transmit Period    30 s,  Handshake Period   15 s
                Quiet Period       60 s,  Quiet Period Timer is disabled
                Supp Timeout       30 s,  Server Timeout    100 s
                The maximal retransmitting times    32
 Total maximum 802.1X user resource number is 1024
 Total current used 802.1X resource number is 0

 GigabitEthernet1/0/1 is link-up
   802.1X protocol is disabled
   Handshake is disabled
   The port is a(n) authenticator
   Authenticate Mode is auto
   Port Control Type is Mac-based
   Guest VLAN: 0
   Max number of on-line users is 256

   EAPOL Packet: Tx 0, Rx 0
   Sent EAP Request/Identity Packets : 0
        EAP Request/Challenge Packets: 0
        EAP Success Packets: 0, Fail Packets: 0
   Received EAPOL Start Packets : 0
        EAPOL LogOff Packets: 0
        EAP Response/Identity Packets : 0
        EAP Response/Challenge Packets: 0
        Error Packets: 0
   Controlled User(s) amount to 0
Table 1-1 Descriptions on the fields of the display dot1x command

| Field | Description |
| --- | --- |
| Equipment 802.1X protocol is enabled | Whether 802.1x is enabled globally |
| CHAP authentication is enabled | Whether CHAP authentication is enabled (the method set with dot1x authentication-method) |
| Transmit Period | Value of the identity request timeout timer (tx-period) |
| Handshake Period | Value of the handshake timer |
| Quiet Period | Value of the quiet timer |
| Quiet Period Timer is disabled | Whether the quiet timer is enabled |
| Supp Timeout | Value of the password request timeout timer |
| Server Timeout | Value of the authentication server timeout timer |
| The maximal retransmitting times | Maximum number of attempts for the authenticator to send authentication requests to an accessing user |
| Total maximum 802.1X user resource number | Maximum total number of accessing users |
| Total current used 802.1X resource number | Total number of users currently online |
| GigabitEthernet1/0/1 is link-up | Link status of port GigabitEthernet1/0/1 |
| 802.1X protocol is disabled | Whether 802.1x is enabled on the port |
| Handshake is disabled | Whether the online user handshake function is enabled on the port |
| The port is a(n) authenticator | Role of the port |
| Authenticate Mode is auto | Access control mode of the port (dot1x port-control) |
| Port Control Type is Mac-based | Access control method of the port (dot1x port-method) |
| Guest VLAN | Guest VLAN configured on the port; 0 means none is configured |
| Max number of on-line users | Maximum number of accessing users on the port |
| EAPOL Packet: Tx 0, Rx 0 | EAPOL packets transmitted and received on the port |
| Sent EAP Request/Identity Packets | Transmitted EAP Request/Identity packets |
| EAP Request/Challenge Packets | Transmitted EAP Request/Challenge packets |
| EAP Success Packets, Fail Packets | Transmitted EAP Success and EAP Failure packets |
| Received EAPOL Start Packets | Received EAPOL Start packets |
| EAPOL LogOff Packets | Received EAPOL LogOff packets |
| EAP Response/Identity Packets | Received EAP Response/Identity packets |
| EAP Response/Challenge Packets | Received EAP Response/Challenge packets |
| Error Packets | Received invalid packets |
| Controlled User(s) amount to | Number of controlled users on the port |
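The per-port lines above are what an auditor reads to decide whether a switch actually enforces 802.1x: a link-up port whose "802.1X protocol is disabled", a port whose access control mode is authorized-force, or a guest VLAN on a port whose mode is not auto all mean that the setting shown in the global block is not being applied. The following Python script is an added example and is not part of this reference or of the switch software. It parses text in the format shown above and lists such findings. The sample output is constructed: the global block and GigabitEthernet1/0/1 follow the reference, GigabitEthernet1/0/2 is invented to exercise the checks, and the strings it uses for the non-default values ("authorized-force", "Port-based") are assumed rather than taken from the reference.

```python
import re

# Constructed sample in the format of `display dot1x`.  The second port and the
# strings "authorized-force" / "Port-based" are assumptions for the demo.
SAMPLE_OUTPUT = """\
 Equipment 802.1X protocol is enabled
 CHAP authentication is enabled
 Configuration: Transmit Period 30 s, Handshake Period 15 s
                Quiet Period 60 s, Quiet Period Timer is disabled
                Supp Timeout 30 s, Server Timeout 100 s
                The maximal retransmitting times 32
 Total maximum 802.1X user resource number is 1024
 Total current used 802.1X resource number is 0

 GigabitEthernet1/0/1 is link-up
   802.1X protocol is disabled
   Handshake is disabled
   The port is a(n) authenticator
   Authenticate Mode is auto
   Port Control Type is Mac-based
   Guest VLAN: 0
   Max number of on-line users is 256
   Controlled User(s) amount to 0

 GigabitEthernet1/0/2 is link-up
   802.1X protocol is enabled
   Handshake is enabled
   The port is a(n) authenticator
   Authenticate Mode is authorized-force
   Port Control Type is Port-based
   Guest VLAN: 10
   Max number of on-line users is 256
   Controlled User(s) amount to 0
"""

PORT_HEADER = re.compile(r"^(\S+) is link-(up|down)$")
PORT_FIELDS = {
    "dot1x": re.compile(r"802\.1X protocol is (enabled|disabled)"),
    "handshake": re.compile(r"Handshake is (enabled|disabled)"),
    "mode": re.compile(r"Authenticate Mode is (\S+)"),      # dot1x port-control
    "method": re.compile(r"Port Control Type is (\S+)"),    # dot1x port-method
    "guest_vlan": re.compile(r"Guest VLAN: (\d+)"),
}


def parse_display_dot1x(text):
    """Split `display dot1x` output into (global_enabled, {port: fields})."""
    global_enabled = "Equipment 802.1X protocol is enabled" in text
    ports, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = PORT_HEADER.match(line)
        if header:
            current = {"link": header.group(2)}
            ports[header.group(1)] = current
            continue
        if current is None:          # still inside the global block
            continue
        for key, rx in PORT_FIELDS.items():
            m = rx.search(line)
            if m:
                value = m.group(1)
                current[key] = int(value) if key == "guest_vlan" else value
    return global_enabled, ports


def audit_dot1x(text):
    """Return (port, finding) pairs for settings that weaken port security."""
    global_enabled, ports = parse_display_dot1x(text)
    findings = []
    if not global_enabled:
        findings.append(("global", "802.1x is disabled globally, so no port enforces it"))
    for name, port in ports.items():
        if port["link"] == "up" and port.get("dot1x") != "enabled":
            findings.append((name, "link-up port without 802.1x: unauthenticated access"))
        if port.get("mode") == "authorized-force":
            findings.append((name, "port-control authorized-force grants access without authentication"))
        if port.get("guest_vlan", 0) and port.get("mode") != "auto":
            findings.append((name, "guest VLAN configured but has no effect unless port-control is auto"))
        if port.get("dot1x") == "enabled" and port.get("handshake") == "disabled":
            findings.append((name, "handshake disabled: the switch does not poll whether the user is still online"))
    return findings


if __name__ == "__main__":
    for port, finding in audit_dot1x(SAMPLE_OUTPUT):
        print(f"{port}: {finding}")
```

Feed it the captured output of display dot1x (without interface-list, so every port is covered); each reported port is one where the global "enabled" line does not tell the whole story.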
1.1.2 dot1x
Syntax
dot1x [ interface interface-list ]
undo dot1x [ interface interface-list ]
View
System view/Ethernet interface view
Parameter
interface interface-list: Ethernet interface list,
in the format of { interface-type interface-number [ to interface-type
interface-number ] }&<1-10>, where &<1-10> indicates
that you can specify up to 10 port ranges. A port range defined without the to
interface-type interface-num portion comprises only one port.
Description
Use the dot1x command in system view
to enable 802.1x globally.
Use the undo dot1x command in system
view to disable 802.1x globally.
Use the dot1x interface interface-list
command in system view or the dot1x command in Ethernet interface
view to enable 802.1x for specified ports.
Use the undo dot1x interface interface-list
command in system view or the undo dot1x command in Ethernet
interface view to disable 802.1x for specified ports.
By default, 802.1x is neither enabled
globally nor enabled for any port.
Note that:
- 802.1x must be enabled both globally in system view and explicitly on the intended ports, in system view or Ethernet interface view. Otherwise it does not function: a port-level dot1x without the global dot1x, or the reverse, enforces nothing.
- You can configure 802.1x parameters either before or after enabling 802.1x.
- With 802.1x enabled on a port, you cannot configure the maximum number of MAC addresses the port can learn (mac-address max-mac-count), and vice versa.
Related command: display dot1x.
Example
# Enable 802.1x for port GigabitEthernet1/0/2.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x interface GigabitEthernet 1/0/2
# Enable 802.1x globally.
[Sysname] dot1x
1.1.3 dot1x authentication-method
Syntax
dot1x authentication-method { chap | pap | eap }
undo dot1x authentication-method
View
System view
Parameter
chap:
Authenticates using CHAP.
pap:
Authenticates using PAP.
eap:
Authenticates using EAP.
Description
Use the dot1x authentication-method
command to set the 802.1x authentication method.
Use the undo dot1x authentication-method
command to restore the default.
By default, CHAP is used.
Note that:
- Password Authentication Protocol (PAP) transports the password in clear text.
- Challenge Handshake Authentication Protocol (CHAP) transports only the username over the network; the password is proved by answering a challenge with a hash (RFC 1994), so it is never sent. Compared with PAP, CHAP provides better security.
- EAP encapsulates the 802.1x user information in EAP packets, which are carried in the EAP attributes of RADIUS packets and relayed to the RADIUS server, which performs the authentication.
- The RADIUS server must be configured to support the method you select (PAP, CHAP, or EAP).
- For local authentication, only PAP and CHAP are available.
Related command: display dot1x.
Example
# Set the 802.1x authentication method to PAP.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x authentication-method pap
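The difference between the pap and chap keywords is what the switch forwards towards the server. The following Python script is an added example, not code from this reference or the switch software: it models the credential each method puts on the wire, the CHAP computation of RFC 1994 (MD5 over identifier, secret and challenge), the server-side verification, and why a captured CHAP response cannot be replayed against a new challenge. The username, password and challenge bytes are constructed for the demonstration; the eap keyword, where the switch only relays EAP packets, is not modelled.

```python
import hashlib
import hmac
import os

# Constructed credentials; nothing here is a real account.
USERNAME = "alice"
PASSWORD = "s3cret-pw"


def pap_on_wire(username, password):
    """PAP: the password itself is the credential the authenticator forwards."""
    return {"user": username, "credential": password.encode()}


def chap_response(identifier, secret, challenge):
    """CHAP response per RFC 1994: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_on_wire(username, password, identifier, challenge):
    """CHAP: the authenticator issues a challenge and the supplicant answers
    with a hash, so only the username crosses the network in the clear."""
    return {
        "user": username,
        "id": identifier,
        "challenge": challenge,
        "credential": chap_response(identifier, password.encode(), challenge),
    }


def chap_verify(stored_password, message):
    """Server side: recompute the hash from its own copy of the password."""
    expected = chap_response(message["id"], stored_password.encode(), message["challenge"])
    return hmac.compare_digest(expected, message["credential"])


def demo():
    """Compare what a passive observer learns from each method."""
    pap = pap_on_wire(USERNAME, PASSWORD)
    chap = chap_on_wire(USERNAME, PASSWORD, identifier=1, challenge=os.urandom(16))
    return {
        "pap_exposes_password": PASSWORD.encode() in pap["credential"],
        "chap_exposes_password": PASSWORD.encode() in chap["credential"],
        "chap_accepted": chap_verify(PASSWORD, chap),
        # a recorded response presented against a fresh challenge fails
        "replay_accepted": chap_verify(PASSWORD, dict(chap, challenge=os.urandom(16))),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

CHAP still requires the server to hold the password in a reversible form (it must recompute the MD5), which is the usual reason deployments move to EAP methods; on this switch that is the eap keyword.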
1.1.4 dot1x guest-vlan
Syntax
dot1x guest-vlan vlan-id [ interface interface-list ]
undo dot1x guest-vlan [ interface interface-list ]
View
System view/Ethernet port view
Parameter
vlan-id: ID of the guest VLAN, in the range 1 to 4094.
interface interface-list: Ethernet interface list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. A port range defined without the to interface-type interface-number portion comprises only one port.
Description
Use the dot1x guest-vlan command to configure a guest VLAN on the specified ports.
Use the undo dot1x guest-vlan command to remove the guest VLAN from the specified ports.
By default, no guest VLAN is configured on a port.
Note that:
- In system view, the command applies to all ports if you do not specify interface-list, and to the specified ports if you do. In Ethernet port view, interface-list cannot be specified; only the current port is configured.
- The guest VLAN takes effect only when 802.1x is enabled.
- A guest VLAN can be configured only when the access control method of the port (dot1x port-method) is portbased. Once a guest VLAN is configured, the access control method of the port can no longer be changed.
- The guest VLAN takes effect only when the access control mode of the port (dot1x port-control) is auto.
- A VLAN configured as a guest VLAN cannot be deleted.
Example
# In system view, configure VLAN 999 as the guest VLAN of GigabitEthernet1/0/1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x guest-vlan 999 interface GigabitEthernet 1/0/1
# In system view, configure VLAN 10 as the guest VLAN of GigabitEthernet1/0/1 to GigabitEthernet1/0/5.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x guest-vlan 10 interface GigabitEthernet 1/0/1 to GigabitEthernet 1/0/5
# In system view, configure VLAN 7 as the guest VLAN of all ports.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x guest-vlan 7
# In Ethernet port view, configure VLAN 3 as the guest VLAN of GigabitEthernet1/0/7.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface GigabitEthernet 1/0/7
[Sysname-GigabitEthernet1/0/7] dot1x guest-vlan 3
1.1.5 dot1x handshake
Syntax
dot1x handshake
undo dot1x handshake
View
Ethernet interface view
Parameter
None
Description
Use the dot1x handshake command to enable the online user handshake function: after a supplicant passes authentication, the switch sends it handshake requests at the interval set by dot1x timer handshake-period to check whether it is still online.
Use the undo dot1x handshake command to disable the function.
By default, the function is enabled.
Example
# Enable online user handshake.
<Sysname>system-view
System View: return to User View with
Ctrl+Z.
[Sysname]interface GigabitEthernet
1/0/1
[Sysname-GigabitEthernet1/0/1] dot1x
handshake
# Disable online user handshake.
[Sysname-GigabitEthernet1/0/1] undo
dot1x handshake
1.1.6 dot1x max-user
Syntax
dot1x max-user user-number [ interface interface-list ]
undo dot1x max-user [ interface interface-list ]
View
System view/Ethernet interface view
Parameter
user-number:
Maximum number of accessing users, in the range 1 to 256. The default is 256
per port.
interface interface-list: Ethernet interface list,
in the format of { interface-type interface-number [ to interface-type
interface-number ] }&<1-10>, where &<1-10> indicates
that you can specify up to 10 port ranges. A port range defined without the to
interface-type interface-num portion comprises only one port.
Description
Use the dot1x max-user
command to set the maximum number of accessing users for specified or all
ports.
Use the undo dot1x max-user
command to restore the default.
If you perform a configuration in system
view and do not specify the interface-list argument, the configuration
applies to all ports. Configurations performed in Ethernet port view apply to
the current Ethernet port only and the interface-list argument is not
needed in this case.
Related command: display dot1x.
Example
# Set the maximum number of accessing users
to 32 for port GigabitEthernet1/0/1.
<Sysname>system-view
System View: return to User View with
Ctrl+Z.
[Sysname] dot1x max-user 32 interface
GigabitEthernet 1/0/1
1.1.7 dot1x port-control
Syntax
dot1x port-control { auto | authorized-force | unauthorized-force } [ interface interface-list ]
undo dot1x port-control [ interface interface-list ]
View
System view/Ethernet interface view
Parameter
auto: Places the specified or all ports in the unauthorized state initially, so that only EAPOL frames can pass, and moves a port to the authorized state, allowing network access, after its users pass authentication. This is the most common choice.
authorized-force: Places the specified or all ports in the authorized state, so users of the ports can access the network without authentication. This is equivalent to not enforcing 802.1x on those ports.
unauthorized-force: Places the specified or all ports in the unauthorized state, denying any access request from users of the ports.
interface interface-list: Ethernet interface list,
in the format of { interface-type interface-number [ to interface-type
interface-number ] }&<1-10>, where &<1-10> indicates
that you can specify up to 10 port ranges. A port range defined without the to
interface-type interface-num portion comprises only one port.
Description
Use the dot1x port-control
command to set the access control mode for specified or all ports.
Use the undo dot1x port-control
command to restore the default.
The default access control mode is auto.
Related command: display dot1x.
Example
# Set the access control mode of port GigabitEthernet1/0/1
to unauthorized-force.
<Sysname>system-view
System View: return to User View with
Ctrl+Z.
[Sysname] dot1x port-control
unauthorized-force interface GigabitEthernet 1/0/1
1.1.8 dot1x port-method
Syntax
dot1x port-method { macbased | portbased } [ interface interface-list ]
undo dot1x port-method [ interface interface-list ]
View
System view/Ethernet interface view
Parameter
macbased: Uses the MAC-based access control method. Each user of a port is authenticated separately, and when one authenticated user goes offline no other user is affected.
portbased: Uses the port-based access control method. After the first user of a port passes authentication, all other users of the port can access the network without authentication, and when that first user goes offline all the other users go offline as well. Every device reachable through the port therefore shares the first user's authentication.
interface interface-list: Ethernet interface list,
in the format of { interface-type interface-number [ to interface-type
interface-number ] }&<1-10>, where &<1-10> indicates
that you can specify up to 10 port ranges. A port range defined without the to
interface-type interface-num portion comprises only one port.
Description
Use the dot1x port-method
command to set the access control method for specified or all ports.
Use the undo dot1x port-method
command to restore the default.
The default access control method is macbased.
Related command: display dot1x.
Example
# Set the access control method to portbased
for port GigabitEthernet1/0/1.
<Sysname>system-view
System View: return to User View with
Ctrl+Z.
[Sysname] dot1x port-method portbased
interface GigabitEthernet 1/0/1
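The dot1x, dot1x port-control, dot1x port-method and dot1x guest-vlan commands in this section interact: both the global and the per-port dot1x are needed, a guest VLAN needs port-method portbased and is only effective under port-control auto, the access control setting cannot be changed once the guest VLAN exists, and vlan-id and user-number have fixed ranges. The following Python helper is an added example, not part of this reference or the switch software: it turns a port policy into a system-view command sequence that respects that ordering and rejects combinations the reference says are invalid or ineffective. The command strings follow the syntax given in this section; the interface-list entries are supplied by the caller.

```python
VALID_METHODS = ("macbased", "portbased")                        # dot1x port-method
VALID_MODES = ("auto", "authorized-force", "unauthorized-force")  # dot1x port-control


def dot1x_port_commands(interface_list, *, method="macbased", mode="auto",
                        guest_vlan=None, max_user=None):
    """Return system-view command lines for the ports in interface_list.

    interface_list holds 1 to 10 entries of the form
    "interface-type interface-number [ to interface-type interface-number ]",
    e.g. ["GigabitEthernet 1/0/1 to GigabitEthernet 1/0/5"].
    Commands are ordered so that each one is accepted under the constraints
    in this section (global enable, port enable, access control settings,
    then the guest VLAN).  Invalid combinations raise ValueError.
    """
    if not 1 <= len(interface_list) <= 10:
        raise ValueError("interface-list takes 1 to 10 port ranges")
    if method not in VALID_METHODS:
        raise ValueError(f"port-method must be one of {VALID_METHODS}")
    if mode not in VALID_MODES:
        raise ValueError(f"port-control must be one of {VALID_MODES}")
    if max_user is not None and not 1 <= max_user <= 256:
        raise ValueError("max-user must be in the range 1 to 256")
    if guest_vlan is not None:
        if not 1 <= guest_vlan <= 4094:
            raise ValueError("guest VLAN ID must be in the range 1 to 4094")
        if method != "portbased":
            raise ValueError("a guest VLAN can only be configured with port-method portbased")
        if mode != "auto":
            raise ValueError("a guest VLAN takes effect only with port-control auto")

    ports = " ".join(interface_list)
    commands = [
        "dot1x",                                         # global enable
        f"dot1x interface {ports}",                      # port enable; both are required
        f"dot1x port-method {method} interface {ports}",
        f"dot1x port-control {mode} interface {ports}",
    ]
    if max_user is not None:
        commands.append(f"dot1x max-user {max_user} interface {ports}")
    if guest_vlan is not None:
        # last: once a guest VLAN exists the access control setting cannot be changed
        commands.append(f"dot1x guest-vlan {guest_vlan} interface {ports}")
    return commands


def policy_warnings(method, mode):
    """Settings that are legal but deserve a second look in a security review."""
    warnings = []
    if mode == "authorized-force":
        warnings.append("authorized-force: ports pass traffic without any authentication")
    if method == "portbased":
        warnings.append("portbased: every device on the port rides on the first user's authentication")
    return warnings


if __name__ == "__main__":
    policy = dict(method="portbased", mode="auto", guest_vlan=10, max_user=32)
    for line in dot1x_port_commands(["GigabitEthernet 1/0/1 to GigabitEthernet 1/0/5"], **policy):
        print(line)
    for warning in policy_warnings(policy["method"], policy["mode"]):
        print("warning:", warning)
```

Paste the printed lines into system view in the order given; emitting port-method and port-control explicitly even when they equal the defaults keeps the sequence valid on a port that was previously configured differently.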
1.1.9 dot1x quiet-period
Syntax
dot1x quiet-period
undo dot1x quiet-period
View
System view
Parameter
None
Description
Use the dot1x quiet-period
command to enable the quiet timer function.
Use the undo dot1x quiet-period
command to disable the function.
By default, the function is disabled.
After a supplicant fails the
authentication, the authenticator refuses further authentication requests from
the supplicant in the period specified by the quiet timer.
Related command: display dot1x, dot1x
timer.
Example
# Enable the quiet timer.
<Sysname>system-view
System View: return to User View with
Ctrl+Z.
[Sysname] dot1x quiet-period
1.1.10 dot1x retry
Syntax
dot1x retry max-retry-value
undo dot1x retry
View
System view
Parameter
max-retry-value: Maximum number of attempts for sending authentication requests to
an accessing user, in the range 1 to 10. The default is 2.
Description
Use the dot1x retry command
to set the maximum number of attempts for sending authentication requests to an
accessing user.
Use the undo dot1x retry
command to restore the default.
Note that:
- When max-retry-value is 1, the authenticator sends an authentication request to an accessing user only once; if no answer is received, it does not retransmit. When max-retry-value is 2, it retransmits once if it receives no answer, and so on.
- After sending an authentication request, the authenticator waits for the period set by dot1x timer tx-period (for EAP-Request/Identity) or dot1x timer supp-timeout (for EAP-Request/Challenge). If no answer arrives in that time, it uses max-retry-value to decide whether to send the request again.
- This command applies to all ports.
Related command: display dot1x.
Example
# Set the maximum number of attempts for
sending authentication requests to an accessing user as 9.
<Sysname>system-view
System View: return to User View with
Ctrl+Z.
[Sysname] dot1x retry 9
1.1.11 dot1x timer
Syntax
dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | tx-period tx-period-value | supp-timeout supp-timeout-value | server-timeout server-timeout-value }
undo dot1x timer { handshake-period | quiet-period | tx-period | supp-timeout | server-timeout }
View
System view
Parameter
handshake-period
handshake-period-value: Sets the handshake timer. After a supplicant passes
authentication, the authenticator sends to the supplicant handshake requests at
this interval to check whether the supplicant is online. The argument ranges
from 5 to 1024 seconds and defaults to 15 seconds.
quiet-period quiet-period-value: Sets the quiet
timer. When a supplicant fails the authentication, the authenticator refuses
further authentication requests from the supplicant in the period specified by
the quiet timer. Note that this function is on a per-user basis. The argument
ranges from 10 to 120 seconds and defaults to 60 seconds.
tx-period tx-period-value: Sets identity request
timeout timer. Once an authenticator sends an EAP-Request/Identity frame to a
supplicant, it starts this timer. If this timer expires but it receives no
response from the supplicant, it retransmits the request. The argument ranges
from 10 to 120 seconds and defaults to 30 seconds.
supp-timeout supp-timeout-value: Sets the password
request timeout timer. Once an authenticator sends an EAP-Request/Challenge
frame to a supplicant, it starts this timer. If this timer expires but it
receives no response from the supplicant, it retransmits the request. The
argument ranges from 10 to 120 seconds and defaults to 30 seconds.
server-timeout server-timeout-value: Sets the
authentication server timeout timer. Once an authenticator sends a RADIUS
Access-Request packet to the authentication server, it starts this timer. If
this timer expires but it receives no response from the server, it retransmits
the request. The argument ranges from 100 to 300 seconds and defaults to 100
seconds.
Description
Use the dot1x timer command
to set 802.1x timers.
Use the undo dot1x timer
command to restore the defaults for the timers.
Several timers are used in the 802.1x
authentication process to guarantee that the accessing users, the
authenticators, and the RADIUS server interact with each other in a reasonable
manner. Some of the timers are configurable. This makes sense in some special
or extreme network environments. Normally, leave the defaults unchanged.
Related command: display dot1x.
Example
# Set the authentication server timeout
timer to 150 seconds.
<Sysname>system-view
System View: return to User View with
Ctrl+Z.
[Sysname] dot1x timer server-timeout
150
1.1.12 reset dot1x statistics
Syntax
reset dot1x statistics [ interface interface-list ]
View
User view
Parameter
interface interface-list: Ethernet interface list,
in the format of { interface-type interface-number [ to interface-type
interface-number ] }&<1-10>, where &<1-10> indicates
that you can specify up to 10 port ranges. A port range defined without the to
interface-type interface-num portion comprises only one port.
Description
Use the reset dot1x statistics
command to clear 802.1x statistics.
With the interface interface-list
argument specified, the command clears 802.1x statistics on the specified
ports. With the argument unspecified, the command clears global 802.1x
statistics and 802.1x statistics on all ports.
Related command: display dot1x.
Example
# Clear 802.1x statistics on port GigabitEthernet1/0/1.
<Sysname> reset dot1x
statistics interface GigabitEthernet1/0/1
3.1.1 display mac-authentication
Syntax
display mac-authentication [ interface interface-list ]
View
Any view
Parameter
interface interface-list: Ethernet interface list,
in the format of { interface-type interface-number [ to interface-type
interface-number ] }&<1-10>, where &<1-10> indicates
that you can specify up to 10 port ranges. A port range defined without the to
interface-type interface-num portion comprises only one port.
Description
Use the display mac-authentication command
to display the global MAC authentication information or the MAC authentication
information about specified interfaces.
Example
# Display the global MAC authentication information.
<Sysname> display mac-authentication
 MAC address authentication is enabled.
 Offline detect period is 300s
 Quiet period is 1 minute(s).
 Server response timeout value is 100s
 Max allowed user number is 1024
 Current user number amounts to 0
 Current domain: not configured, use default domain

 Silent Mac User info:
   MAC ADDR             From Port            Port Index

 GigabitEthernet1/0/1 is link-up
   MAC address authentication is enabled
   Authenticate success: 0, failed: 0
   Current online user number is 0
   MAC ADDR             Authenticate state            AuthIndex
Table 3-1 Description on the fields of the display mac-authentication command

| Field | Description |
| --- | --- |
| MAC address authentication is enabled | Whether MAC authentication is enabled globally |
| Offline detect period | Setting of the offline-detect timer |
| Quiet period | Setting of the quiet timer |
| Server response timeout value | Setting of the server timeout timer |
| Max allowed user number | Maximum number of MAC authentication users the switch supports |
| Current user number amounts to | Total number of online users that have passed MAC authentication |
| Current domain | ISP domain currently used for MAC authentication |
| Silent Mac User info | Users kept silent after failing MAC authentication, with the port they were seen on |
| GigabitEthernet1/0/1 is link-up | Link status of port GigabitEthernet1/0/1 |
| MAC address authentication is enabled (under a port) | Whether MAC authentication is enabled on that port |
| Authenticate success: 0, failed: 0 | MAC authentication statistics for the port: the number of times authentication has succeeded and failed |
| Current online user number | Number of online users on the port |
| MAC ADDR | MAC address of an online user |
| Authenticate state | User status: CONNECTING (the user is logging in), SUCCESS (the user has passed authentication), FAILURE (the user failed authentication), LOGOFF (the user has logged off) |
| AuthIndex | Authenticator index |
3.1.2 mac-authentication
Syntax
mac-authentication [ interface interface-list ]
undo mac-authentication [ interface interface-list ]
View
System view/Ethernet port view
Parameter
interface interface-list: Ethernet interface list,
in the format of { interface-type interface-number [ to interface-type
interface-number ] }&<1-10>, where &<1-10> indicates
that you can specify up to 10 port ranges. A port range defined without the to
interface-type interface-num portion comprises only one port.
Description
Use the mac-authentication command in
system view to enable MAC authentication globally.
Use the undo mac-authentication
command in system view to disable MAC authentication globally.
Use the mac-authentication interface
interface-list command in system view or the mac-authentication
command in Ethernet port view to enable MAC authentication for specified ports.
Use the undo mac-authentication interface
interface-list command in system view or the undo mac-authentication
command in Ethernet port view to disable MAC authentication for specified
ports.
By default, MAC authentication is neither
enabled globally nor enabled for any port.
Note that:
- MAC authentication must be enabled both globally in system view and explicitly on the intended ports, in system view or Ethernet port view. Otherwise it does not function.
- You can configure MAC authentication parameters either before or after enabling MAC authentication.
Example
# Enable MAC authentication for port GigabitEthernet
1/0/1.
<Sysname> system-view
[Sysname] mac-authentication
interface GigabitEthernet 1/0/1
# Enable MAC authentication globally.
[Sysname] mac-authentication
3.1.3 mac-authentication domain
Syntax
mac-authentication domain isp-name
undo mac-authentication domain
View
System view
Parameter
isp-name:
ISP domain name, a string of 1 to 24 characters.
Description
Use the mac-authentication domain command
to specify the ISP domain for MAC authentication.
Use the undo mac-authentication domain command
to restore the default.
By default, the default ISP domain is used.
Example
# Specify the ISP domain for MAC
authentication to be Cams.
<Sysname> system-view
[Sysname] mac-authentication domain
Cams
3.1.4 mac-authentication timer
Syntax
mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | server-timeout server-timeout-value }
undo mac-authentication timer { offline-detect | quiet | server-timeout }
View
System view
Parameter
offline-detect offline-detect-value: Sets the
offline-detect timer, the interval at which the switch checks whether a user has
gone offline. Once detecting that a user has gone offline, the switch informs the
RADIUS server to stop accounting for the user. The argument ranges from 1 to
300 seconds and defaults to 300 seconds.
quiet quiet-value:
Sets the quiet timer. When a user fails the MAC authentication, the switch stays
quiet for a period specified by the quiet timer before initializing another
authentication of the user. Note that this function is on a per-user basis. The
argument ranges from 1 to 65,535 minutes and defaults to 1 minute.
server-timeout server-timeout-value: Sets the server timeout timer. During authentication of a user, if
the switch receives no response from the RADIUS server in this period, it
assumes that its connection to the RADIUS server has timed out and forbids the
user from accessing the network. The argument ranges from 1 to 300 seconds and
defaults to 100 seconds.
Description
Use the mac-authentication timer command
to set the MAC authentication timers.
Use the undo mac-authentication timer
command to restore the defaults.
Related command: display mac-authentication.
Example
# Set the server timeout timer to 150
seconds.
<Sysname> system-view
[Sysname] mac-authentication timer
server-timeout 150