Chapter 1 802.1x Configuration Commands
1.1.1 display dot1x
Syntax
display dot1x [ sessions | statistics ] [ interface interface-list ]
View
Any view
Parameter
sessions: Displays information about 802.1x sessions.
statistics: Displays the statistics of 802.1x.
interface: Displays the 802.1x-related information about a specified port.
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-name [ to interface-name ] } &<1-10>. The interface-name argument is the port index of an Ethernet port and can be specified in this form: interface-name = { interface-type interface-num }, where interface-type specifies the type of an Ethernet port and interface-num identifies the number of the port. "&<1-10>" means that up to 10 port indexes/port index lists can be provided.
Description
Use the display dot1x command to
display 802.1x-related information, such as configuration information,
operation information (session information), and statistics.
By default (that is, when the interface-list argument is not provided), this command displays all 802.1x-related information on every port.
The output can be used to verify 802.1x-related configurations and to troubleshoot.
Related commands: reset dot1x statistics, dot1x, dot1x retry, dot1x max-user, dot1x port-control, dot1x port-method, and dot1x timer.
Example
# Display 802.1x-related configuration information.
<H3C> display dot1x
Equipment 802.1X protocol is enabled
CHAP authentication is enabled
DHCP-launch is disabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
Guest Vlan is disabled
Configuration: Transmit Period 30 s, Handshake Period 15 s
ReAuth Period 003600 s
Quiet Period 60 s, Quiet Period Timer is disabled
Supp Timeout 30 s, Server Timeout 100 s
Interval between version requests is 30s
maximal request times for version information is 3
The maximal retransmitting times 2
Total maximum 802.1x user resource number is 4096
Total current used 802.1x resource number is 0
GigabitEthernet1/0/1 is link-up
802.1X protocol is disabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
Guest Vlan is disabled
Version-Check is disabled
The port is a(n) authenticator
Authenticate Mode is auto
Port Control Type is Mac-based
ReAuthenticate is disabled
Max on-line user number is 1024
……
(Display omitted here)
Table 1-1 Description on the fields of the display dot1x command
Field | Description
Equipment 802.1X protocol is enabled | 802.1x protocol (802.1x for short) is enabled
CHAP authentication is enabled | CHAP authentication is enabled
DHCP-launch is disabled | With DHCP-launch enabled, the switch triggers 802.1x authentication when a user runs DHCP to apply for an IP address dynamically
Proxy trap checker is disabled | Whether to check a supplicant system that logs in through the proxy server: Disable means the switch does not send Trap packets when it detects that a supplicant system logs in through the proxy server; Enable means the switch sends Trap packets when it detects that a supplicant system logs in through the proxy server
Proxy logoff checker is disabled | Whether to check a supplicant system that logs in through the proxy server: Disable means the switch does not disconnect a supplicant system when it detects that the latter logs in through the proxy server; Enable means the switch disconnects a supplicant system when it detects that the latter logs in through the proxy server
Guest Vlan is disabled | The Guest VLAN function is disabled
Transmit Period | Setting of the transmission period timer (the tx-period)
Handshake Period | Setting of the handshake period timer (the handshake-period)
ReAuth Period | Setting of the 802.1x re-authentication timer (the reauth-period)
Quiet Period | Setting of the quiet period timer (the quiet-period)
Quiet Period Timer is disabled | The quiet period timer is disabled
Supp Timeout | Setting of the supplicant timeout timer (supp-timeout)
Server Timeout | Setting of the server-timeout timer (server-timeout)
Interval between version requests | Client version request timeout timer
maximal request times for version information | The maximum number of times that the switch will resend the version request packet to a supplicant system
The maximal retransmitting times | The maximum number of times that the switch will resend the authentication request packet to a supplicant system
Total maximum 802.1x user resource number | The maximum number of 802.1x users that the switch can accommodate
Total current used 802.1x resource number | The number of online supplicant systems
GigabitEthernet1/0/1 is link-up | The GigabitEthernet 1/0/1 port is in up state
802.1X protocol is disabled | 802.1x is disabled on the port
Proxy trap checker is disabled | Whether to check a supplicant system that logs in through the proxy server: Disable means the switch does not detect a supplicant system that logs in through the proxy server; Enable means the switch sends Trap packets when it detects that a supplicant system logs in through the proxy server
Proxy logoff checker is disabled | Whether to check a supplicant system that logs in through the proxy server: Disable means the switch does not detect a supplicant system that logs in through the proxy server; Enable means the switch disconnects a supplicant system when it detects that the latter logs in through the proxy server
Guest Vlan is disabled | The Guest VLAN function is disabled on the port
Version-Check is disabled | The client version check function is disabled on the port
The port is a(n) authenticator | The port acts as an authenticator
Authenticate Mode is auto | The port access control mode is auto
Port Control Type is Mac-based | The port access control method is MAC-based, that is, supplicant systems are authenticated based on their MAC addresses
Max on-line user number | The maximum number of online users that the port can accommodate
… | Information omitted here
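A defender reviewing a switch will usually want the weak settings pulled out of this output automatically rather than read line by line. The following script is an added example, not part of the H3C manual: it parses the field names documented in Table 1-1 (the sample output embedded in it is constructed from those names) and flags 802.1x disabled globally or on a live port, a port not in auto mode, the quiet-period timer disabled, and re-authentication disabled.

```python
"""Audit a captured 'display dot1x' output for weak 802.1x settings.
Added example, not from the H3C manual; SAMPLE_OUTPUT is constructed
from the documented field names (paste a real capture in its place)."""
import re

# Constructed sample: the global block followed by two port blocks.
SAMPLE_OUTPUT = """\
Equipment 802.1X protocol is enabled
CHAP authentication is enabled
DHCP-launch is disabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
Guest Vlan is disabled
Configuration: Transmit Period 30 s, Handshake Period 15 s
ReAuth Period 003600 s
Quiet Period 60 s, Quiet Period Timer is disabled
Supp Timeout 30 s, Server Timeout 100 s
The maximal retransmitting times 2
Total maximum 802.1x user resource number is 4096
Total current used 802.1x resource number is 1
GigabitEthernet1/0/1 is link-up
802.1X protocol is disabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
Guest Vlan is disabled
Version-Check is disabled
Authenticate Mode is auto
Port Control Type is Mac-based
ReAuthenticate is disabled
Max on-line user number is 1024
GigabitEthernet1/0/2 is link-up
802.1X protocol is enabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
Guest Vlan is disabled
Version-Check is enabled
Authenticate Mode is auto
Port Control Type is Mac-based
ReAuthenticate is enabled
Max on-line user number is 32
"""

# A port block starts with a line such as "GigabitEthernet1/0/1 is link-up".
PORT_HEADER = re.compile(r"^(\S*Ethernet\S+) is (link-up|link-down)$")


def parse_display_dot1x(text):
    """Split the output into global lines and a {port: {"link", "lines"}} map."""
    global_lines, ports, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PORT_HEADER.match(line)
        if m:
            current = m.group(1)
            ports[current] = {"link": m.group(2), "lines": []}
        elif current is None:
            global_lines.append(line)
        else:
            ports[current]["lines"].append(line)
    return global_lines, ports


def _state(lines, key):
    """Return the word after the last 'is' on the first line containing key."""
    for line in lines:
        if key in line:
            m = re.search(r"\bis (\S+)\s*$", line)
            return m.group(1) if m else None
    return None


def audit(text):
    """Return {scope: [finding, ...]}; scope is 'global' or a port name."""
    global_lines, ports = parse_display_dot1x(text)
    findings = {"global": []}
    if _state(global_lines, "Equipment 802.1X protocol") != "enabled":
        findings["global"].append(
            "802.1x is not enabled globally: per-port settings take no effect")
    if _state(global_lines, "Quiet Period Timer") == "disabled":
        findings["global"].append(
            "quiet-period timer disabled: a failed supplicant is not held off")
    for name, port in ports.items():
        lines, issues = port["lines"], []
        if _state(lines, "802.1X protocol") != "enabled":
            up = " on a link-up port" if port["link"] == "link-up" else ""
            issues.append(f"802.1x disabled{up}: traffic is not authenticated")
        mode = _state(lines, "Authenticate Mode")
        if mode != "auto":
            issues.append(f"access control mode is {mode}, not auto")
        if _state(lines, "ReAuthenticate") != "enabled":
            issues.append("re-authentication disabled: sessions are never re-verified")
        findings[name] = issues
    return findings
```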
1.1.2 dot1x
Syntax
dot1x [ interface interface-list ]
undo dot1x [ interface interface-list ]
View
System view, Ethernet port view
Parameter
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-name [ to interface-name ] } &<1-10>. The interface-name argument is the port index of an Ethernet port and can be specified in this form: interface-name = { interface-type interface-num }, where interface-type specifies the type of a port and interface-num identifies the port number. "&<1-10>" means that up to 10 port indexes/port index lists can be provided.
Description
Use the dot1x command to enable
802.1x globally or for the specified Ethernet ports.
Use the undo dot1x command to
disable 802.1x globally or for the specified Ethernet ports.
By default, 802.1x is disabled globally and also on all ports.
When executed in system view, the dot1x command enables 802.1x globally if you do not provide the interface-list argument; if you specify the interface-list argument, the command enables 802.1x for the specified Ethernet ports.
When executed in Ethernet port view, this command enables 802.1x for the current Ethernet port only. In this case, the interface-list argument is not needed.
You can perform 802.1x-related configurations (globally or on the specified ports) either before or after 802.1x is enabled. If you do not perform other 802.1x-related configurations before enabling 802.1x globally, the switch adopts the default 802.1x settings.
802.1x-related configurations take effect on a port only after 802.1x is enabled both globally and on the port.
802.1x configuration and the maximum number of MAC addresses that can be learnt are mutually exclusive on a port: if you configure the maximum number of MAC addresses that can be learnt for a port, 802.1x is unavailable on that port.
Related command: display dot1x.
Example
# Enable 802.1x for port Ethernet 3/0/1.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] dot1x interface Ethernet 3/0/1
# Enable 802.1x globally.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] dot1x
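Because the same interface-list argument is accepted by most commands in this chapter, it is worth being able to expand it offline and see exactly which ports a command such as dot1x interface Ethernet 3/0/1 to Ethernet 3/0/8 will touch before it is applied. The expander below is an added example, not H3C code: it implements the documented form interface-list = { interface-name [ to interface-name ] } &<1-10> with interface-name = { interface-type interface-num }, and assumes that "A to B" ranges over the last number of the port index, which is how the manual's own examples use it.

```python
"""Expand an H3C interface-list argument into the ports it names.
Added example, not from the manual.  Reading "A to B" as a range over the
last number of the port index is an assumption drawn from the examples."""
import re

MAX_ITEMS = 10  # "&<1-10>": at most 10 port indexes / port index lists

# One token is either "Type num[/num...]" (space optional) or the word "to".
TOKEN = re.compile(r"[A-Za-z]+\s*\d+(?:/\d+)*|\bto\b")
NAME = re.compile(r"^([A-Za-z]+)\s*(\d+(?:/\d+)*)$")


def parse_interface_name(text):
    """'Ethernet 3/0/1' -> ('Ethernet', [3, 0, 1]); ValueError if malformed."""
    m = NAME.match(text.strip())
    if not m:
        raise ValueError(f"bad interface-name: {text!r}")
    itype, num = m.groups()
    return itype, [int(p) for p in num.split("/")]


def format_interface_name(name):
    """Inverse of parse_interface_name, always with one space after the type."""
    itype, nums = name
    return f"{itype} {'/'.join(str(n) for n in nums)}"


def port_range(start, end):
    """Ports from start to end inclusive; only the last index may differ."""
    (t1, n1), (t2, n2) = start, end
    if t1 != t2 or len(n1) != len(n2) or n1[:-1] != n2[:-1] or n1[-1] > n2[-1]:
        raise ValueError(f"invalid range {format_interface_name(start)} "
                         f"to {format_interface_name(end)}")
    return [format_interface_name((t1, n1[:-1] + [k]))
            for k in range(n1[-1], n2[-1] + 1)]


def expand_interface_list(arg):
    """Return the individual port names an interface-list argument covers."""
    if TOKEN.sub("", arg).strip():
        raise ValueError(f"unrecognised text in interface-list: {arg!r}")
    tokens = TOKEN.findall(arg)
    ports, items, i = [], 0, 0
    while i < len(tokens):
        if tokens[i] == "to":
            raise ValueError("'to' must follow an interface-name")
        start = parse_interface_name(tokens[i])
        i += 1
        if i < len(tokens) and tokens[i] == "to":
            if i + 1 >= len(tokens) or tokens[i + 1] == "to":
                raise ValueError("'to' must be followed by an interface-name")
            ports.extend(port_range(start, parse_interface_name(tokens[i + 1])))
            i += 2
        else:
            ports.append(format_interface_name(start))
        items += 1
    if not 1 <= items <= MAX_ITEMS:
        raise ValueError(f"{items} items given; &<1-10> allows 1 to {MAX_ITEMS}")
    return ports


def is_valid_interface_list(arg):
    """True if the argument parses under the rules above."""
    try:
        expand_interface_list(arg)
        return True
    except ValueError:
        return False
```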
1.1.3 dot1x authentication-method
Syntax
dot1x authentication-method { chap | pap | eap }
undo dot1x authentication-method
View
System view
Parameter
chap: Uses CHAP authentication.
pap: Uses PAP authentication.
eap: Uses EAP authentication.
Description
Use the dot1x authentication-method
command to set an 802.1x authentication method.
Use the undo dot1x authentication-method
command to restore the default.
By default, CHAP authentication is used.
PAP uses a two-way handshake that transfers the password over the network in plain text.
CHAP uses a three-way handshake that transfers only user names over the network, not passwords; it is therefore the safer and more confidential method.
EAP authentication means that the switch sends 802.1x authentication information directly to the RADIUS server in EAP packets, without converting it into RADIUS packets first. EAP authentication is the prerequisite for implementing one of the three authentication methods PEAP, EAP-TLS, and EAP-MD5.
Note that PAP, CHAP, or EAP authentication requires support from the RADIUS server.
Related command: display dot1x.
Example
# Specify the authentication method for 802.1x users to be PAP.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] dot1x authentication-method pap
1.1.4 dot1x dhcp-launch
Syntax
dot1x dhcp-launch
undo dot1x dhcp-launch
View
System view
Parameter
None
Description
Use the dot1x dhcp-launch command to
configure an 802.1x-enabled switch to authenticate a supplicant system when the
supplicant system applies for a dynamic IP address through DHCP.
Use the undo dot1x dhcp-launch
command to disable the function.
By default, an 802.1x-enabled switch does
not authenticate a supplicant system when the latter applies for a dynamic IP
address through DHCP.
Related command: display dot1x.
Example
# Specify to authenticate a supplicant system when it applies for a dynamic IP address through DHCP.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] dot1x dhcp-launch
1.1.5 dot1x guest-vlan
Syntax
dot1x guest-vlan vlan-id [ interface interface-list ]
undo dot1x guest-vlan [ interface interface-list ]
View
System view, Ethernet port view
Parameter
vlan-id: ID of a Guest VLAN, in the range from 1 to 4094.
interface-list: List of Ethernet ports, expressed as interface-list = { interface-name
[ to interface-name ] } & < 1-10 >. The interface-name
argument is the port index of a port and can be specified in this form: interface-name
= { interface-type interface-num }, where interface-type
specifies the type of a port and interface-num identifies the port
number. "&<1-10>" means that up to 10 port indexes/port
index lists can be provided.
Description
Use the dot1x guest-vlan command to
enable the Guest VLAN function for the specified ports.
Use the undo dot1x guest-vlan
command to disable the Guest VLAN function for specified ports.
When being executed in system view, these
two commands apply to all Ethernet ports of the switch if you do not provide
the interface-list argument. And if you specify the interface-list
argument, these commands apply to the specified Ethernet ports.
When being executed in Ethernet port view,
these two commands apply to the current Ethernet port only. In this case, the interface-list
argument is not needed.
Caution:
• The Guest VLAN function is available only when the switch operates in a port-based authentication mode.
• Only one Guest VLAN can be configured for each switch.
• The Guest VLAN function is unavailable when the dot1x dhcp-launch command is configured on the switch, because the switch does not send authentication request packets.
Related commands: name, vlan-assignment-mode.
Example
# Specify the authentication method to be port-based authentication.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] dot1x port-method portbased
# Enable the Guest VLAN function for all ports.
[H3C] dot1x guest-vlan 1
1.1.6 dot1x max-user
Syntax
dot1x max-user user-number [ interface interface-list ]
undo dot1x max-user [ interface interface-list ]
View
System view, Ethernet port view
Parameter
user-number: Maximum number of users a port can accommodate, ranging from 1 to 1024. The default number is 1024.
interface-list: List of Ethernet ports, expressed as interface-list = { interface-name
[ to interface-name ] } & < 1-10 >. The interface-name
argument specifies the port index of an Ethernet port and can be specified in
this form: interface-name = { interface-type interface-num
}, where interface-type specifies the type of a port and interface-num
identifies the port number. "&<1-10>" means that up to 10
port indexes/port index lists can be provided.
Description
Use the dot1x max-user
command to set the maximum number of users an Ethernet port can accommodate.
Use the undo dot1x max-user
command to restore the default.
When being executed in system view, these
two commands apply to all Ethernet ports of the switch if you do not provide
the interface-list argument. And if you specify the interface-list
argument, these commands apply to the specified Ethernet ports.
When being executed in Ethernet port view,
these two commands apply to the current Ethernet port only. In this case, the interface-list
argument is not needed.
Related command: display dot1x.
Example
# Configure the maximum number of users that Ethernet 3/0/1 can accommodate to be 32.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] dot1x max-user 32 interface Ethernet 3/0/1
1.1.7 dot1x port-control
Syntax
dot1x port-control { auto | authorized-force | unauthorized-force } [ interface interface-list ]
undo dot1x port-control [ interface interface-list ]
View
System view, Ethernet port view
Parameter
auto: Specifies the auto access control mode. In this mode, a port is initialized as unauthorized: it allows only EAPoL packets to pass through and grants users no access to network resources. Only after a user passes authentication does the port transition to the authorized state and allow the user to access network resources. This is the usual mode of operation.
authorized-force: Specifies the authorized-force access control mode. Ports in this mode are always in the authorized state: supplicant systems connected to them can access the network without authentication.
unauthorized-force: Specifies the unauthorized-force access control mode. Ports in this mode are always in the unauthorized state: supplicant systems connected to them cannot access the network.
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-name [ to interface-name ] } &<1-10>. The interface-name argument is the port index of an Ethernet port and can be specified in this form: interface-name = { interface-type interface-num }, where interface-type specifies the type of a port and interface-num identifies the port number. "&<1-10>" means that up to 10 port indexes/port index lists can be provided.
Description
Use the dot1x port-control command
to specify the access control method for the specified Ethernet ports.
Use the undo dot1x port-control
command to restore the default.
The default access control method is auto.
When being executed in system view, these
two commands apply to all Ethernet ports of the switch if you do not provide
the interface-list argument. And if you specify the interface-list
argument, these commands apply to the specified Ethernet ports.
When being executed in Ethernet port view,
these two commands apply to the current Ethernet port only. In this case, the interface-list
argument is not needed.
Related command: display dot1x.
Example
# Configure Ethernet 3/0/1 to operate in unauthorized-force access control mode.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] dot1x port-control unauthorized-force interface Ethernet 3/0/1
1.1.8 dot1x port-method
Syntax
dot1x port-method { macbased | portbased } [ interface interface-list ]
undo dot1x port-method [ interface interface-list ]
View
System view, Ethernet port view
Parameter
macbased: Authenticates supplicant systems by MAC addresses.
portbased: Authenticates supplicant systems by port numbers.
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-name [ to interface-name ] } &<1-10>. The interface-name argument is the port index of an Ethernet port and can be specified in this form: interface-name = { interface-type interface-num }, where interface-type specifies the type of a port and interface-num identifies the port number. "&<1-10>" means that up to 10 port indexes/port index lists can be provided.
Description
Use the dot1x port-method command to specify the access control method for the specified Ethernet ports.
Use the undo dot1x port-method command to restore the default.
The default access control method is MAC address-based.
If you specify MAC-based authentication, every supplicant system connected to the specified Ethernet ports must be authenticated separately, and if one online supplicant system logs off, the others are not affected.
If you specify port-based authentication, once any one supplicant system connected to a specified Ethernet port passes authentication, all other supplicant systems connected to that port can access the network without being authenticated; and when that supplicant system logs off, the network becomes inaccessible to all the other supplicant systems as well.
When being executed in system view, these
two commands apply to all Ethernet ports of the switch if you do not provide
the interface-list argument. And if you specify the interface-list
argument, these commands apply to the specified Ethernet ports. When being
executed in Ethernet port view, these two commands apply to the current
Ethernet port only. In this case, the interface-list argument is not
needed.
Related command: display dot1x.
Example
# Specify to implement port-based authentication on the supplicant systems connected to Ethernet 3/0/1.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] dot1x port-method portbased interface Ethernet 3/0/1
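The difference between the two port-method settings, together with the port-control modes and the dot1x max-user limit described in the preceding commands, is easiest to see when the same sequence of events is replayed against both. The model below is an added example, not H3C code: it encodes only the behaviour the manual states (forced modes never authenticate; portbased lets one authenticated supplicant open the port for everyone and closes it again when that supplicant logs off; macbased decides per MAC), and the MAC addresses in the scenario are constructed.

```python
"""Model of the per-port access decision under dot1x port-control and
dot1x port-method.  Added example, not H3C code; it encodes only the
behaviour described in the manual for the auto / authorized-force /
unauthorized-force modes, the macbased / portbased methods and max-user."""

CONTROL_MODES = ("auto", "authorized-force", "unauthorized-force")
PORT_METHODS = ("macbased", "portbased")


class Dot1xPort:
    """One authenticator port; 'authenticated' holds supplicant MACs that passed."""

    def __init__(self, control="auto", method="macbased", max_user=1024):
        if control not in CONTROL_MODES or method not in PORT_METHODS:
            raise ValueError("unknown port-control or port-method value")
        if not 1 <= max_user <= 1024:  # dot1x max-user range given in the manual
            raise ValueError("max-user must be in 1..1024")
        self.control, self.method, self.max_user = control, method, max_user
        self.authenticated = set()

    def auth_success(self, mac):
        """Record a supplicant that passed authentication.

        Returns False when the port is not in auto mode (the forced modes do
        not run authentication at all) or when the max-user limit is reached.
        """
        if self.control != "auto":
            return False
        if mac in self.authenticated:
            return True
        if len(self.authenticated) >= self.max_user:
            return False
        self.authenticated.add(mac)
        return True

    def logoff(self, mac):
        """Supplicant logs off (or is dropped after failed handshakes)."""
        self.authenticated.discard(mac)

    def allows(self, mac):
        """May frames from this MAC reach network resources right now?"""
        if self.control == "authorized-force":
            return True          # always authorized, no authentication needed
        if self.control == "unauthorized-force":
            return False         # always unauthorized, nobody gets through
        if self.method == "portbased":
            # one authenticated supplicant authorizes the whole port; when it
            # logs off the port closes for everyone again
            return bool(self.authenticated)
        return mac in self.authenticated   # macbased: each MAC on its own


def compare_methods(events):
    """Replay the same event list on a macbased and a portbased port.

    events: list of (action, mac) with action in {"auth", "logoff", "query"};
    returns {method: [allowed?, ...]} with one entry per "query" event.
    """
    result = {}
    for method in PORT_METHODS:
        port, answers = Dot1xPort(method=method), []
        for action, mac in events:
            if action == "auth":
                port.auth_success(mac)
            elif action == "logoff":
                port.logoff(mac)
            else:
                answers.append(port.allows(mac))
        result[method] = answers
    return result


# Constructed scenario: A authenticates, B (never authenticated) is checked,
# then A logs off and B is checked again.
SCENARIO = [("auth", "00:11:22:33:44:aa"), ("query", "00:11:22:33:44:bb"),
            ("logoff", "00:11:22:33:44:aa"), ("query", "00:11:22:33:44:bb")]
```

Under portbased the unauthenticated station B is admitted as soon as A has passed and locked out again when A logs off; under macbased B is never admitted.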
1.1.9 dot1x quiet-period
Syntax
dot1x quiet-period
undo dot1x quiet-period
View
System view
Parameter
None
Description
Use the dot1x quiet-period
command to enable the quiet-period timer.
Use the undo dot1x quiet-period
command to disable the quiet-period timer.
When a supplicant system fails to pass the
authentication, the authenticator system (such as an H3C Ethernet switch) will
stay quiet for a period of time (determined by the quiet-period timer) before
it performs another authentication. During the quiet period, the authenticator
system performs no 802.1x authentication.
By default, the quiet-period timer is
disabled.
Related commands: display dot1x, dot1x timer.
Example
# Enable the quiet-period timer.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] dot1x quiet-period
1.1.10 dot1x re-authenticate
Syntax
dot1x re-authenticate [ interface interface-list ]
undo dot1x re-authenticate [ interface interface-list ]
View
System view, Ethernet port view
Parameter
interface-list: List of Ethernet ports, expressed as interface-list = { interface-name
[ to interface-name ] } & < 1-10 >. The interface-name
argument specifies the port index of an Ethernet port and can be specified in
this form: interface-name = { interface-type interface-num
}, where interface-type specifies the type of a port and interface-num
identifies the port number. "&<1-10>" means that up to 10
port indexes/port index lists can be provided.
Description
Use the dot1x re-authenticate command
to enable 802.1x re-authentication on the specified ports or on all
Authenticator ports of the switch.
Use the undo dot1x re-authenticate command
to disable 802.1x re-authentication on the specified ports or on all
Authenticator ports of the switch.
By default, 802.1x re-authentication is
disabled on all ports.
When being executed in system view, these
two commands apply to all Ethernet ports of the switch if you do not provide
the interface-list argument. And if you specify the interface-list
argument, these commands apply to the specified Ethernet ports.
When being executed in Ethernet port view,
these two commands apply to the current Ethernet port only. In this case, the interface-list
argument is not needed.
802.1x must be enabled globally and on the
current port before 802.1x re-authentication is enabled on a port.
Example
# Enable 802.1x re-authentication on Ethernet 3/0/1.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] interface Ethernet 3/0/1
[H3C-Ethernet3/0/1] dot1x re-authenticate
1.1.11 dot1x retry
Syntax
dot1x retry max-retry-value
undo dot1x retry
View
System view
Parameter
max-retry-value: Maximum number of retry times that a switch will resend the
authentication request packet to a supplicant system. This argument ranges from
1 to 10 and defaults to 2.
Description
Use the dot1x retry command
to specify the maximum number of retry times that a switch will resend
authentication request packets to supplicant systems.
Use the undo dot1x retry
command to restore the default.
A switch resends the authentication request packet if it has not received any response from the supplicant system within a preset period after sending the packet.
A retry value of 1 means that the switch sends the request packet only once; a retry value of 2 means that the switch resends the packet once if no response comes back, and so on. This command applies to all ports.
Related command: display dot1x.
Example
# Specify the maximum number of retry times that the switch will resend the authentication request packet to be 9.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] dot1x retry 9
1.1.12 dot1x retry-version-max
Syntax
dot1x retry-version-max max-retry-version-value
undo dot1x retry-version-max
View
System view
Parameter
max-retry-version-value: Maximum number of retry times that a switch will resend the
version request packet to a supplicant system. This argument ranges from 1 to
10.
Description
Use the dot1x retry-version-max
command to set the maximum number of retry times that a switch will resend the
version request packet to a connected supplicant system.
Use the undo dot1x retry-version-max
command to restore the default.
By default, the switch sends a version request packet to a supplicant system up to three times.
A switch resends the version request packet if, within a preset period (determined by the client version timer), it has not received any response from the supplicant system after sending the packet. When the number set by this command has been reached and there is still no response from the supplicant system, the switch continues the authentication without sending the version request packet again. This command applies to all ports.
Related commands: display dot1x, dot1x timer.
Example
# Configure the maximum number of retry times that the switch will resend the version request packet to be 6.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] dot1x retry-version-max 6
1.1.13 dot1x supp-proxy-check
Syntax
dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]
undo dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]
View
System view, Ethernet port view
Parameter
logoff: Disconnects the supplicant system if it logs in through the proxy server or through multiple network cards.
trap: Sends Trap packets if a supplicant system logs in through the proxy server or through multiple network cards.
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-name [ to interface-name ] } &<1-10>. The interface-name argument is the port index of an Ethernet port and can be specified in this form: interface-name = { interface-type interface-num }, where interface-type specifies the type of a port and interface-num identifies the port number. "&<1-10>" means that up to 10 port indexes/port index lists can be provided.
Description
Use the dot1x supp-proxy-check
command to configure the switch to check and control the users who log in
through the proxy server.
Use the undo dot1x supp-proxy-check
command to remove the configuration.
When being executed in system view, these
two commands apply to all Ethernet ports of the switch if you do not provide
the interface-list argument. And if you specify the interface-list
argument, these commands apply to the specified Ethernet ports.
When being executed in Ethernet port view,
these two commands apply to the current Ethernet port only. In this case, the interface-list
argument is not needed.
In system view, the configuration takes
effect only after you enable the proxy detection function globally and on the
specified ports.
Proxy detection checks for:
• Supplicant systems logging in through a proxy server;
• Supplicant systems logging in through an IE proxy server;
• Supplicant systems logging in through multiple network cards (that is, a supplicant system that has more than one active network card when it logs in).
A switch may take either of the following actions in response to any of the above three cases:
• Disconnect the supplicant system and send Trap packets (using the dot1x supp-proxy-check logoff command).
• Send only Trap packets without disconnecting the supplicant system (using the dot1x supp-proxy-check trap command).
This function needs the support of 802.1x clients and CAMS:
• 802.1x clients are capable of checking whether the supplicant system uses multiple network cards, a proxy server, or an IE proxy server;
• CAMS is capable of disabling multiple network cards, the proxy server, or the IE proxy server on supplicant systems.
By default, the 802.1x client's function of disabling multiple network adapters, the proxy server, or the IE proxy server is turned off. If CAMS enables the function, it prompts the 802.1x client to enable it after the supplicant system passes authentication.
• The proxy detection function needs the support of H3C's 802.1x client program (V1.29 or later).
• The proxy detection function takes effect only after it has been enabled on CAMS and the client version checking function is enabled on the switch (using the dot1x version-check command).
Related command: display dot1x.
Example
# Configure the switch to disconnect any supplicant system that uses a proxy server and connects through one of the ports Ethernet 3/0/1 through Ethernet 3/0/8.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] dot1x supp-proxy-check logoff
[H3C] dot1x supp-proxy-check logoff interface Ethernet 3/0/1 to Ethernet 3/0/8
# Configure the switch to send Trap packets if a supplicant system uses a proxy server and connects to Ethernet 3/0/9.
[H3C] dot1x supp-proxy-check trap
[H3C] dot1x supp-proxy-check trap interface Ethernet 3/0/9
Or
[H3C] dot1x supp-proxy-check trap
[H3C] interface Ethernet 3/0/9
[H3C-Ethernet3/0/9] dot1x supp-proxy-check trap
1.1.14 dot1x timer
Syntax
dot1x timer { handshake-period handshake-period-value | reauth-period reauth-period-value | quiet-period quiet-period-value | tx-period tx-period-value | supp-timeout supp-timeout-value | server-timeout server-timeout-value | ver-period ver-period-value }
undo dot1x timer { handshake-period | reauth-period | quiet-period | tx-period | supp-timeout | server-timeout | ver-period }
View
System view
Parameter
handshake-period: Handshake period timer, started after a supplicant system has passed authentication. The switch resends a handshake request packet at the handshake period interval to check that the supplicant system is still online. If the switch has received no response packet from the supplicant system after N retries (N is set by the dot1x retry command), it considers the supplicant system to be offline.
handshake-period-value: Value of the handshake period timer, in seconds. This value ranges from 1 to 1024 and defaults to 15.
reauth-period: Re-authentication period timer. The switch initiates 802.1x re-authentication when this timer expires.
reauth-period-value: Value of the re-authentication period timer, in seconds. This value ranges from 1 to 86400 and defaults to 3600.
quiet-period: Quiet-period timer, started after a supplicant system has failed authentication. The switch stays quiet for the period set by this timer before it processes another authentication request from the supplicant system.
quiet-period-value: Value of the quiet-period timer, in seconds. This value ranges from 10 to 120 and defaults to 60.
tx-period: Tx-period timer, started by the authenticator system in one of two cases. In the first case, a supplicant system requests authentication: the switch sends a unicast request/identity packet to the supplicant system and starts the transmission timer; if the supplicant system has not replied when the timer expires, the switch sends another request/identity packet. In the second case, the switch authenticates an 802.1x client that does not actively request authentication: the switch sends multicast request/identity packets through the 802.1x-enabled port at the tx-period interval.
tx-period-value: Value of the tx-period timer, in seconds. This value ranges from 10 to 120 and defaults to 30.
supp-timeout: Supplicant timeout timer, started when the switch sends a request/challenge packet (carrying the MD5 challenge) to a supplicant system. If the supplicant system has not responded when this timer expires, the switch resends the request/challenge packet.
supp-timeout-value: Value of the supp-timeout timer, in seconds. This value ranges from 10 to 120 and defaults to 30.
server-timeout: Server-timeout timer. If the authentication server has not responded when this timer expires, the switch resends the request/identity packet.
server-timeout-value: Value of the server-timeout timer, in seconds. This value ranges from 100 to 300 and defaults to 100.
ver-period: Client-version-checking period timer. If the supplicant system has not responded when this timer expires, the switch resends the client version checking request packet.
ver-period-value: Value of the client-version-checking period timer, in seconds. This value ranges from 1 to 30 and defaults to 30.
Description
Use the dot1x timer command to set a specified 802.1x timer.
Use the undo dot1x timer command to restore the default.
During an 802.1x authentication process, multiple timers are started to ensure that the supplicant systems, the authenticator systems, and the authentication servers interact with each other in an orderly way. You can use the dot1x timer command to modify some of these timers as needed (the others are not adjustable). This may be necessary in certain situations or in demanding network environments. Normally, the defaults are recommended.
Related command: display dot1x.
Example
# Set the server-timeout timer of the authentication server to 150 seconds.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] dot1x timer server-timeout 150
1.1.15 dot1x version-check
Syntax
dot1x version-check [ interface interface-list ]
undo dot1x version-check [ interface interface-list ]
View
System view, Ethernet port view
Parameter
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-name [ to interface-name ] } &<1-10>. The interface-name argument is the port index of an Ethernet port and can be specified in this form: interface-name = { interface-type interface-num }, where interface-type specifies the type of a port and interface-num identifies the port number. "&<1-10>" means that up to 10 port indexes/port index lists can be provided.
Description
Use the dot1x version-check command
to enable 802.1x client version checking for the specified Ethernet ports.
Use the undo dot1x version-check
command to disable the function for the specified Ethernet ports.
By default, 802.1x client version checking
is disabled on all Ethernet ports.
When being executed in system view, these
two commands apply to all Ethernet ports of the switch if you do not provide
the interface-list argument. And if you specify the interface-list
argument, these commands apply to the specified Ethernet ports.
When being executed in Ethernet port view,
these two commands apply to the current Ethernet port only. In this case, the interface-list
argument is not needed.
Example
# Check the version of the 802.1x client upon receiving authentication packets on Ethernet 3/0/1.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C] interface Ethernet 3/0/1
[H3C-Ethernet3/0/1] dot1x version-check
1.1.16 reset dot1x statistics
Syntax
reset dot1x statistics [ interface interface-list ]
View
User view
Parameter
interface-list: Ethernet port list. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-name [ to interface-name ] } &<1-10>. The interface-name argument is the port index of an Ethernet port and can be specified in this form: interface-name = { interface-type interface-num }, where interface-type specifies the type of a port and interface-num identifies the port number. "&<1-10>" means that up to 10 port indexes/port index lists can be provided.
Description
Use the reset dot1x statistics
command to clear 802.1x-related statistics.
If the interface-list argument is
not specified, this command clears the 802.1X statistics on all ports. If the interface-list
argument is specified, this command clears the 802.1X statistics on the
specified ports.
Related command: display dot1x.
Example
# Clear 802.1x-related statistics on Ethernet 3/0/1.
<H3C> reset dot1x statistics interface Ethernet 3/0/1