18-802.1x and System Guard Command


Table of Contents

Chapter 1 802.1x Configuration Commands
1.1 802.1x Configuration Commands
1.1.1 display dot1x
1.1.2 dot1x
1.1.3 dot1x authentication-method
1.1.4 dot1x dhcp-launch
1.1.5 dot1x guest-vlan
1.1.6 dot1x handshake
1.1.7 dot1x handshake secure
1.1.8 dot1x max-user
1.1.9 dot1x port-control
1.1.10 dot1x port-method
1.1.11 dot1x quiet-period
1.1.12 dot1x retry
1.1.13 dot1x retry-version-max
1.1.14 dot1x re-authenticate
1.1.15 dot1x supp-proxy-check
1.1.16 dot1x timer
1.1.17 dot1x timer reauth-period
1.1.18 dot1x version-check
1.1.19 reset dot1x statistics

Chapter 2 Quick EAD Deployment Configuration Commands
2.1 Quick EAD Deployment Configuration Commands
2.1.1 dot1x free-ip
2.1.2 dot1x timer acl-timeout
2.1.3 dot1x url

Chapter 3 HABP Configuration Commands
3.1 HABP Configuration Commands
3.1.1 display habp
3.1.2 display habp table
3.1.3 display habp traffic
3.1.4 habp enable
3.1.5 habp server vlan
3.1.6 habp timer

Chapter 4 System Guard Configuration Commands
4.1 System Guard Configuration Commands
4.1.1 display system-guard ip state
4.1.2 display system-guard ip-record
4.1.3 display system-guard l3err state
4.1.4 display system-guard tcn state
4.1.5 system-guard ip detect-maxnum
4.1.6 system-guard ip detect-threshold
4.1.7 system-guard ip enable
4.1.8 system-guard l3err enable
4.1.9 system-guard tcn enable
4.1.10 system-guard tcn rate-threshold

 


Chapter 1  802.1x Configuration Commands

 

Note:

- The online user handshaking configuration is added. See dot1x handshake for related information.

- The configuration of 802.1x re-authentication is added. See dot1x re-authenticate.

- The configuration of the 802.1x re-authentication interval is added. See dot1x timer reauth-period.

- The configuration of quick EAD deployment is added. See Quick EAD Deployment Configuration Commands.

 

1.1  802.1x Configuration Commands

1.1.1  display dot1x

Syntax

display dot1x [ sessions | statistics ] [ interface interface-list ]

View

Any view

Parameters

sessions: Displays the information about 802.1x sessions.

statistics: Displays the statistics on 802.1x.

interface: Displays the 802.1x-related information about the specified ports.

interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.

Description

Use the display dot1x command to display 802.1x-related information, such as configuration information, operation information (session information), and statistics.

When the interface-list argument is not provided, this command displays 802.1x-related information about all the ports.

The output can be used to verify 802.1x-related configurations and to troubleshoot.

Related commands: reset dot1x statistics, dot1x, dot1x retry, dot1x max-user, dot1x port-control, dot1x port-method, dot1x timer.

Examples

# Display 802.1x-related information.

<Sysname> display dot1x

Global 802.1X protocol is enabled

 CHAP authentication is enabled

 DHCP-launch is disabled

 Handshake is enabled     

 Proxy trap checker is disabled

 Proxy logoff checker is disabled

 EAD Quick Deploy is enabled

 

 Configuration: Transmit Period     30 s,  Handshake Period       15 s

                ReAuth Period     3600 s,  ReAuth MaxTimes        2  

                Quiet Period        60 s,  Quiet Period Timer is disabled

                Supp Timeout        30 s,  Server Timeout         100 s

                Interval between version requests is 30s

                Maximal request times for version information is 3

                The maximal retransmitting times          2

  EAD Quick Deploy configuration:

                Url: http: //192.168.19.23

                Free-ip: 192.168.19.0 255.255.255.0

                Acl-timeout:   30 m 

 

 Total maximum 802.1x user resource number is 1024

 Total current used 802.1x resource number is 1

 

 GigabitEthernet1/0/1  is link-up

   802.1X protocol is enabled

   Proxy trap checker is disabled

   Proxy logoff checker is disabled

   Version-Check is disabled

   The port is an authenticator

   Authentication Mode is Auto

   Port Control Type is Port-based

   ReAuthenticate is disabled

   Max number of on-line users is 256

 

   Authentication Success: 4, Failed: 2

   EAPOL Packets: Tx 7991, Rx 14

   Sent EAP Request/Identity Packets : 7981

        EAP Request/Challenge Packets: 0

   Received EAPOL Start Packets : 5

            EAPOL LogOff Packets: 1

            EAP Response/Identity Packets : 4

            EAP Response/Challenge Packets: 4

            Error Packets: 0

 1. Authenticated user : MAC address: 000d-88f6-44c1

 

   Controlled User(s) amount to 1                  

 

GigabitEthernet1/0/2

……

Table 1-1 Description on the fields of the display dot1x command

Field | Description

Global 802.1X protocol is enabled | 802.1x protocol (802.1x for short) is enabled on the switch.

CHAP authentication is enabled | CHAP authentication is enabled.

DHCP-launch is disabled | DHCP-triggered 802.1x authentication is disabled.

Handshake is enabled | The online user handshaking function is enabled.

Proxy trap checker is disabled | Whether or not the switch sends Trap packets when it detects that a supplicant system logs in through a proxy. Disable: the switch does not send Trap packets in this case. Enable: the switch sends Trap packets in this case.

Proxy logoff checker is disabled | Whether or not the switch disconnects a supplicant system when it detects that the system logs in through a proxy. Disable: the switch does not disconnect the supplicant system. Enable: the switch disconnects the supplicant system.

EAD Quick Deploy is enabled | Quick EAD deployment is enabled.

Transmit Period | Setting of the transmission period timer (tx-period)

Handshake Period | Setting of the handshake period timer (handshake-period)

ReAuth Period | Re-authentication interval

ReAuth MaxTimes | Maximum number of re-authentication attempts

Quiet Period | Setting of the quiet period timer (quiet-period)

Quiet Period Timer is disabled | The quiet period timer is disabled here. It can be enabled when necessary.

Supp Timeout | Setting of the supplicant timeout timer (supp-timeout)

Server Timeout | Setting of the server timeout timer (server-timeout)

The maximal retransmitting times | The maximum number of times that the switch sends authentication request packets to a supplicant system

Url | URL for HTTP redirection

Free-ip | Free IP range that users can access before passing authentication

Acl-timeout | ACL timeout period

Total maximum 802.1x user resource number | The maximum number of 802.1x users that the switch can accommodate

Total current used 802.1x resource number | The number of online supplicant systems

GigabitEthernet1/0/1 is link-down | Port GigabitEthernet 1/0/1 is down.

802.1X protocol is disabled | 802.1x is disabled on the port.

Proxy trap checker is disabled (per port) | Whether or not the switch sends Trap packets when it detects that a supplicant system on this port logs in through a proxy. Disable: the switch does not send Trap packets in this case. Enable: the switch sends Trap packets in this case.

Proxy logoff checker is disabled (per port) | Whether or not the switch disconnects a supplicant system on this port when it detects that the system logs in through a proxy. Disable: the switch does not disconnect the supplicant system. Enable: the switch disconnects the supplicant system.

Version-Check is disabled | Whether or not the client version checking function is enabled. Disable: the switch does not check the client version. Enable: the switch checks the client version.

The port is an authenticator | The port acts as an authenticator system.

Authentication Mode is Auto | The port access control mode is Auto.

Port Control Type is Mac-based | The access control method of the port is MAC-based, that is, supplicant systems are authenticated based on their MAC addresses.

ReAuthenticate is disabled | 802.1x re-authentication is disabled on the port.

Max number of on-line users | The maximum number of online users that the port can accommodate

…… | Information omitted here
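The fields above are what an operator reads by hand when verifying a deployment. The following parser and checker is an added example, not code from the H3C manual: it pulls the global and per-port fields out of display dot1x text and flags the settings this chapter describes as weak (PAP, authorized-force, 802.1x off on a port, more failed than successful authentications). The sample output is constructed in the format shown above; the wording of the Authorized-force mode line is assumed.

```python
"""Parse the output of `display dot1x` (format shown in this section) and flag
settings that weaken port authentication.  Added example, not H3C's own code."""
import re

# Constructed sample in the format shown above.  The exact wording of non-default
# values such as "Authorized-force" is assumed, not copied from the manual.
SAMPLE = """\
Global 802.1X protocol is enabled
 PAP authentication is enabled
 DHCP-launch is disabled
 Handshake is enabled

 GigabitEthernet1/0/1  is link-up
   802.1X protocol is enabled
   Authentication Mode is Auto
   Port Control Type is Port-based
   Authentication Success: 4, Failed: 2

 GigabitEthernet1/0/2  is link-up
   802.1X protocol is enabled
   Authentication Mode is Authorized-force
   Port Control Type is Mac-based
   Authentication Success: 0, Failed: 0

 GigabitEthernet1/0/3  is link-up
   802.1X protocol is disabled
   Authentication Mode is Auto
   Port Control Type is Mac-based
   Authentication Success: 1, Failed: 37
"""

PORT_RE = re.compile(r"^\s*(\S+Ethernet\S+)\s+is\s+(link-\w+)\s*$")

def parse_display_dot1x(text):
    """Return {'global_enabled': bool, 'auth_method': str, 'ports': {name: {...}}}."""
    state = {"global_enabled": False, "auth_method": "", "ports": {}}
    port = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_RE.match(raw)
        if m:                                   # start of a per-port block
            port = state["ports"].setdefault(m.group(1), {"link": m.group(2)})
            continue
        if port is None:                        # still in the global section
            if line.startswith("Global 802.1X protocol"):
                state["global_enabled"] = line.endswith(" enabled")
            elif line.endswith("authentication is enabled"):
                state["auth_method"] = line.split()[0].lower()   # chap / pap / eap
        elif line.startswith("802.1X protocol"):
            port["enabled"] = line.endswith(" enabled")
        elif line.startswith("Authentication Mode is"):
            port["mode"] = line.rsplit(" ", 1)[1].lower()        # dot1x port-control
        elif line.startswith("Port Control Type is"):
            port["control"] = line.rsplit(" ", 1)[1].lower()     # dot1x port-method
        elif line.startswith("Authentication Success:"):
            port["success"], port["failed"] = map(int, re.findall(r"\d+", line))
    return state

def audit(state):
    """Findings as (scope, reason) pairs, derived from the rules in this chapter."""
    out = []
    if not state["global_enabled"]:
        out.append(("global", "802.1x disabled globally; per-port settings are inactive"))
    if state["auth_method"] == "pap":
        out.append(("global", "PAP transmits passwords in plain text; use CHAP or EAP"))
    for name, p in state["ports"].items():
        if not p.get("enabled"):
            out.append((name, "802.1x not enabled on this port"))
        if p.get("mode") == "authorized-force":
            out.append((name, "authorized-force: hosts get access without authentication"))
        if p.get("failed", 0) > p.get("success", 0):
            out.append((name, "failed authentications exceed successes; check for guessing"))
    return out

if __name__ == "__main__":
    for scope, reason in audit(parse_display_dot1x(SAMPLE)):
        print(f"{scope}: {reason}")
```

Feed it the text captured from the switch instead of SAMPLE to check a live configuration.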

 

1.1.2  dot1x

Syntax

dot1x [ interface interface-list ]

undo dot1x [ interface interface-list ]

View

System view, Ethernet port view

Parameters

interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.

Description

Use the dot1x command to enable 802.1x globally or for specified Ethernet ports.

Use the undo dot1x command to disable 802.1x globally or for specified Ethernet ports.

By default, 802.1x is disabled globally and also on all ports.

In system view:

- If you do not provide the interface-list argument, the dot1x command enables 802.1x globally.

- If you specify the interface-list argument, the dot1x command enables 802.1x for the specified Ethernet ports.

In Ethernet port view, the interface-list argument is not available and the command enables 802.1x for only the current Ethernet port.

802.1x-related configurations take effect on a port only after 802.1x is enabled both globally and on the port.

 

Note:

- The settings of 802.1x and MAC address learning limit are mutually exclusive. Enabling 802.1x on a port will prevent you from setting the limit on MAC address learning on the port and vice versa.

- The settings of 802.1x and aggregation group member are mutually exclusive. Enabling 802.1x on a port will prevent you from adding the port to an aggregation group and vice versa.

 

Related commands: display dot1x.

Examples

# Enable 802.1x for GigabitEthernet 1/0/1.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x interface GigabitEthernet 1/0/1

# Enable 802.1x globally.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x

1.1.3  dot1x authentication-method

Syntax

dot1x authentication-method { chap | pap | eap }

undo dot1x authentication-method

View

System view

Parameters

chap: Authenticates using challenge handshake authentication protocol (CHAP).

pap: Authenticates using password authentication protocol (PAP).

eap: Authenticates using extensible authentication protocol (EAP).

Description

Use the dot1x authentication-method command to set the 802.1x authentication method.

Use the undo dot1x authentication-method command to revert to the default 802.1x authentication method.

The default 802.1x authentication method is CHAP.

PAP applies a two-way handshaking procedure. In this method, passwords are transmitted in plain text.

CHAP applies a three-way handshaking procedure. In this method, user names are transmitted rather than passwords. Therefore, this method is safer.

In EAP authentication, a switch authenticates supplicant systems by encapsulating 802.1x authentication information in EAP packets and sending the packets to the RADIUS server, instead of converting the packets into RADIUS packets before forwarding to the RADIUS server. You can use EAP authentication in one of the four sub-methods: PEAP, EAP-TLS, EAP-TTLS and EAP-MD5.

Related commands: display dot1x.

 

Note:

When the current device operates as the authentication server, EAP authentication is unavailable.

 

Examples

# Set the authentication method to PAP.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x authentication-method pap

1.1.4  dot1x dhcp-launch

Syntax

dot1x dhcp-launch

undo dot1x dhcp-launch

View

System view

Parameters

None

Description

Use the dot1x dhcp-launch command to specify an 802.1x-enabled switch to launch the process to authenticate a supplicant system when the supplicant system applies for a dynamic IP address through DHCP.

Use the undo dot1x dhcp-launch command to disable an 802.1x-enabled switch from authenticating a supplicant system when the supplicant system applies for a dynamic IP address through DHCP.

By default, an 802.1x-enabled switch does not authenticate a supplicant system when the latter applies for a dynamic IP address through DHCP.

Related commands: display dot1x.

Examples

# Configure the switch to authenticate a supplicant system when it applies for a dynamic IP address through DHCP.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x dhcp-launch

1.1.5  dot1x guest-vlan

Syntax

dot1x guest-vlan vlan-id [ interface interface-list ]

undo dot1x guest-vlan [ interface interface-list ]

View

System view, Ethernet port view

Parameters

vlan-id: VLAN ID of a guest VLAN, in the range 1 to 4094.

interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.

Description

Use the dot1x guest-vlan command to enable the guest VLAN function for ports.

Use the undo dot1x guest-vlan command to disable the guest VLAN function for ports.

After 802.1x and guest VLAN are properly configured on a port:

- If the switch receives no response from the port after sending EAP-Request/Identity packets to the port for the maximum number of times, the switch will add the port to the guest VLAN.

- Users in a guest VLAN can access the guest VLAN resources without 802.1x authentication. However, they have to pass the 802.1x authentication to access the external resources.

In system view,

- If you do not provide the interface-list argument, these two commands apply to all the ports of the switch.

- If you specify the interface-list argument, these two commands apply to the specified ports.

In Ethernet port view, the interface-list argument is not available and these two commands apply to only the current Ethernet port.

 

Caution:

- The guest VLAN function is available only when the switch operates in the port-based authentication mode.

- Only one guest VLAN can be configured on a switch.

- The guest VLAN function is unavailable when the dot1x dhcp-launch command is executed on the switch, because the switch does not send authentication request packets in this case.

 

Examples

# Configure the switch to operate in the port-based authentication mode.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x port-method portbased

# Enable the guest VLAN function for all the ports.

[Sysname] dot1x guest-vlan 1

1.1.6  dot1x handshake

Syntax

dot1x handshake enable

undo dot1x handshake enable

View

System view

Parameters

None

Description

Use the dot1x handshake enable command to enable the online user handshaking function.

Use the undo dot1x handshake enable command to disable the online user handshaking function.

By default, the online user handshaking function is enabled.

 

Caution:

- To enable the proxy detecting function, you need to enable the online user handshaking function first.

- With the support of H3C proprietary clients, handshaking packets can be used to test whether or not a user is online.

- As clients that are not from H3C do not support the online user handshaking function, switches cannot receive handshaking acknowledgement packets from them in handshaking periods. To prevent such users from being falsely considered offline, you need to disable the online user handshaking function in this case.

 

Examples

# Enable the online user handshaking function.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x handshake enable

1.1.7  dot1x handshake secure

Syntax

dot1x handshake secure

undo dot1x handshake secure

View

Ethernet port view

Parameters

None

Description

Use the dot1x handshake secure command to enable the handshaking packet protection function, protecting the device against attacks from fake clients.

Use the undo dot1x handshake secure command to disable the handshaking packet protection function.

By default, the handshaking packet protection function is disabled.

 

  Caution:

The handshaking packet protection function requires the cooperation of the client and the authentication server. If either of the two ends does not support the function, you need to disable it on the other one.

 

Examples

# Enable the handshaking packet protection function.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] interface GigabitEthernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x handshake secure

1.1.8  dot1x max-user

Syntax

dot1x max-user user-number [ interface interface-list ]

undo dot1x max-user [ interface interface-list ]

View

System view, Ethernet port view

Parameters

user-number: Maximum number of users a port can accommodate, in the range 1 to 256.

interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.

Description

Use the dot1x max-user command to set the maximum number of users an Ethernet port can accommodate.

Use the undo dot1x max-user command to revert to the default maximum user number.

By default, a port can accommodate up to 256 users.

In system view:

- If you do not provide the interface-list argument, these two commands apply to all the ports of the switch.

- If you specify the interface-list argument, these two commands apply to the specified ports.

In Ethernet port view, the interface-list argument is not available and the commands apply to only the current port.

Related commands: display dot1x.

Examples

# Configure the maximum number of users that port GigabitEthernet 1/0/1 can accommodate to be 32.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x max-user 32 interface GigabitEthernet 1/0/1

1.1.9  dot1x port-control

Syntax

dot1x port-control { auto | authorized-force | unauthorized-force } [ interface interface-list ]

undo dot1x port-control [ interface interface-list ]

View

System view, Ethernet port view

Parameters

auto: Specifies to operate in auto access control mode. When a port operates in this mode, all the unauthenticated hosts connected to it are unauthorized, and only EAPOL packets can be exchanged between the switch and the hosts. Hosts connected to the port are authorized to access the network resources after they pass the authentication. Normally, a port operates in this mode.

authorized-force: Specifies to operate in authorized-force access control mode. When a port operates in this mode, all the hosts connected to it can access the network resources without being authenticated.

unauthorized-force: Specifies to operate in unauthorized-force access control mode. When a port operates in this mode, the hosts connected to it cannot access the network resources.

interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.

Description

Use the dot1x port-control command to specify the access control mode for specified 802.1x-enabled Ethernet ports.

Use the undo dot1x port-control command to revert to the default access control mode.

The default access control mode is auto.

In system view:

- If you do not provide the interface-list argument, these two commands apply to all the ports of the switch.

- If you specify the interface-list argument, these commands apply to the specified ports.

In Ethernet port view, the interface-list argument is not available and the commands apply to only the current Ethernet port.

Related commands: display dot1x.

Examples

# Specify GigabitEthernet 1/0/1 to operate in unauthorized-force access control mode.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x port-control unauthorized-force interface GigabitEthernet 1/0/1

1.1.10  dot1x port-method

Syntax

dot1x port-method { macbased | portbased } [ interface interface-list ]

undo dot1x port-method [ interface interface-list ]

View

System view, Ethernet port view

Parameters

macbased: Performs MAC-based authentication.

portbased: Performs port-based authentication.

interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.

Description

Use the dot1x port-method command to specify the access control method for specified Ethernet ports.

Use the undo dot1x port-method command to revert to the default access control method.

By default, the access control method is macbased.

This command specifies the way in which the users are authenticated.

- In MAC-based authentication mode, the users connected to the port are authenticated separately. Thus, the log-off of one user does not affect other users.

- In port-based authentication mode, all the users connected to the port can access the network without being authenticated once one of them passes the authentication. When that user logs off, the network becomes inaccessible to all the other supplicant systems too.

- Changing the access control method on a port with the dot1x port-method command forcibly logs out the online 802.1x users on the port.

In system view:

- If you do not provide the interface-list argument, these two commands apply to all the ports of the switch.

- If you specify the interface-list argument, these commands apply to the specified ports.

In Ethernet port view, the interface-list argument is not available and the commands apply to only the current Ethernet port.

Related commands: display dot1x.

Examples

# Configure port-based authentication for users connected to GigabitEthernet 1/0/1.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x port-method portbased interface GigabitEthernet 1/0/1
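To make the interaction of dot1x max-user, dot1x port-control and dot1x port-method (sections 1.1.8 to 1.1.10) concrete, here is a small model of the per-port access rules those sections state. It is an added example, not H3C code; the MAC addresses are constructed (the first one is the address shown in the display dot1x output earlier in this chapter).

```python
"""Model of the access decisions this chapter describes for dot1x port-control,
dot1x port-method and dot1x max-user.  Added example, not H3C's own code."""


class Dot1xPort:
    """One 802.1x-enabled port holding the per-port settings from this chapter."""

    def __init__(self, port_control="auto", port_method="macbased", max_user=256):
        assert port_control in ("auto", "authorized-force", "unauthorized-force")
        assert port_method in ("macbased", "portbased")
        assert 1 <= max_user <= 256                 # dot1x max-user range
        self.port_control = port_control
        self.port_method = port_method
        self.max_user = max_user
        self.online = set()                         # MACs that passed authentication

    def login(self, mac, credentials_ok):
        """A supplicant attempts authentication; return True if it may now access."""
        if self.port_control == "authorized-force":
            return True                             # no authentication required
        if self.port_control == "unauthorized-force":
            return False                            # valid credentials do not help
        if self.port_method == "portbased" and self.online:
            return True                             # port already opened by another user
        if not credentials_ok or len(self.online) >= self.max_user:
            return False                            # failed auth, or max-user reached
        self.online.add(mac)
        return True

    def logoff(self, mac):
        """EAPOL-Logoff from one host."""
        self.online.discard(mac)

    def can_access(self, mac):
        """Is this host currently authorized on the port?"""
        if self.port_control == "authorized-force":
            return True
        if self.port_control == "unauthorized-force":
            return False
        if self.port_method == "portbased":
            return bool(self.online)                # one authenticated user opens the port
        return mac in self.online                   # macbased: every host on its own

    def set_port_method(self, method):
        """dot1x port-method forcibly logs out the online users on the port."""
        assert method in ("macbased", "portbased")
        self.port_method = method
        self.online.clear()


def logoff_side_effects(port_method):
    """(access of a second host before, after) the authenticated user logs off."""
    port = Dot1xPort(port_method=port_method)
    port.login("000d-88f6-44c1", True)              # MAC from this chapter's sample output
    before = port.can_access("0001-0203-0405")      # second, unauthenticated host (constructed)
    port.logoff("000d-88f6-44c1")
    return before, port.can_access("0001-0203-0405")


if __name__ == "__main__":
    for method in ("macbased", "portbased"):
        print(method, logoff_side_effects(method))
```

Running it prints (False, False) for macbased and (True, False) for portbased: in port-based mode the second host rides on the first user's authentication and loses access when that user logs off.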

1.1.11  dot1x quiet-period

Syntax

dot1x quiet-period

undo dot1x quiet-period

View

System view

Parameters

None

Description

Use the dot1x quiet-period command to enable the quiet-period timer.

Use the undo dot1x quiet-period command to disable the quiet-period timer.

When a user fails to pass the authentication, the authenticator system (such as an H3C series Ethernet switch) stays quiet for a period (determined by the quiet-period timer) before it performs another authentication. During the quiet period, the authenticator system performs no 802.1x authentication of the user.

By default, the quiet-period timer is disabled.

Related commands: display dot1x, dot1x timer.

Examples

# Enable the quiet-period timer.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x quiet-period

1.1.12  dot1x retry

Syntax

dot1x retry max-retry-value

undo dot1x retry

View

System view

Parameters

max-retry-value: Maximum number of times that a switch sends authentication request packets to a user. This argument ranges from 1 to 10.

Description

Use the dot1x retry command to specify the maximum number of times that a switch sends authentication request packets to a user.

Use the undo dot1x retry command to revert to the default value.

By default, a switch sends authentication request packets to a user for up to 2 times.

After a switch sends an authentication request packet to a user, it sends another authentication request packet if it does not receive a response from the user within a specific period of time. If the switch still receives no response when the configured maximum number of authentication request transmission attempts is reached, it stops sending requests to the user. This command applies to all ports.

Related commands: display dot1x.

Examples

# Specify the maximum number of times that the switch sends authentication request packets to be 9.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x retry 9

1.1.13  dot1x retry-version-max

Syntax

dot1x retry-version-max max-retry-version-value

undo dot1x retry-version-max

View

System view

Parameters

max-retry-version-value