09-Security Command Reference

HomeSupportResource CenterH3C S6520X-HI[EI][SI] & S6520-SI & S5560X-HI & S5000-EI & MS4600 Switch Series Command References-R63xx-6W10109-Security Command Reference
03-MAC authentication commands
Title Size Download
03-MAC authentication commands 242.18 KB

Contents

MAC authentication commands· 1

display mac-authentication· 1

display mac-authentication connection· 5

display mac-authentication mac-address· 8

mac-authentication· 9

mac-authentication access-user log enable· 10

mac-authentication authentication-method· 11

mac-authentication carry user-ip· 12

mac-authentication critical vlan· 14

mac-authentication critical vsi 15

mac-authentication critical-voice-vlan· 15

mac-authentication domain· 16

mac-authentication guest-vlan· 17

mac-authentication guest-vlan auth-period· 18

mac-authentication guest-vlan re-authenticate· 19

mac-authentication guest-vsi 20

mac-authentication guest-vsi auth-period· 21

mac-authentication guest-vsi re-authenticate· 22

mac-authentication host-mode multi-vlan· 23

mac-authentication mac-range-account 23

mac-authentication max-user 25

mac-authentication offline-detect enable· 25

mac-authentication offline-detect mac-address· 26

mac-authentication parallel-with-dot1x· 28

mac-authentication re-authenticate· 29

mac-authentication re-authenticate server-unreachable keep-online· 29

mac-authentication server-recovery online-user-sync· 30

mac-authentication timer (interface view) 31

mac-authentication timer (system view) 33

mac-authentication unauthenticated-user aging enable· 35

mac-authentication user-name-format 36

reset mac-authentication access-user 37

reset mac-authentication critical vlan· 38

reset mac-authentication critical vsi 39

reset mac-authentication critical-voice-vlan· 39

reset mac-authentication guest-vlan· 40

reset mac-authentication guest-vsi 40

reset mac-authentication statistics· 41

 


MAC authentication commands

display mac-authentication

Use display mac-authentication to display MAC authentication settings and statistics.

Syntax

display mac-authentication [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies a port by its type and number. If the specified port is not enabled with MAC authentication, this command displays only global MAC authentication information.

Usage guidelines

If you do not specify any parameters, this command displays all MAC authentication information including the global settings, port-specific settings, MAC authentication statistics, and online user statistics.

Examples

# Display all MAC authentication settings and statistics.

<Sysname> display mac-authentication

 Global MAC authentication parameters:

   MAC authentication                  : Enabled

   Authentication method               : PAP

   Username format                     : MAC address in lowercase(xxxxxxxxxxxx)

           Username                    : mac

           Password                    : Not configured

   MAC range accounts                  : 2

          MAC address          Mask                 Username

          2222-0000-0000       ffff-0000-0000       user1

          4444-0000-0000       ffff-0000-0000       user1

 

   Offline detect period               : 300 s

   Quiet period                        : 60 s

   Server timeout                      : 100 s

   Reauth period                       : 3600 s

   User aging period for critical VLAN : 1000 s

   User aging period for critical VSI  : 1000 s

   User aging period for guest VLAN    : 1000 s

   User aging period for guest VSI     : 1000 s

   Temporary user aging period         : 60 s

   Authentication domain               : Not configured, use default domain

 Online MAC-auth wired users           : 1

 

 Silent MAC users:

          MAC address       VLAN ID  From port               Port index

          0001-0000-0001    100      XGE1/0/2                21

 

 Ten-GigabitEthernet1/0/1  is link-up

   MAC authentication               : Enabled

   Carry User-IP                    : Disabled

   Authentication domain            : Not configured

   Auth-delay timer                 : Enabled

   Auth-delay period                : 60 s

   Periodic reauth                  : Enabled

       Reauth period                : 120 s

   Re-auth server-unreachable       : Logoff

   Guest VLAN                       : 100

   Guest VLAN reauthentication      : Enabled

     Guest VLAN auth-period         : 150 s

   Critical VLAN                    : Not configured

   Critical voice VLAN              : Disabled

   Host mode                        : Multiple VLAN

   Offline detection                : Enabled

   Authentication order             : Parallel

   User aging                       : Enabled

   Server-recovery online-user-sync : Enabled

 

   Guest VSI                        : Not configured

   Guest VSI reauthentication       : Enabled

     Guest VSI auth-period          : 30 s

   Critical VSI                     : Not configured

   Auto-tag feature                 : Disabled

   VLAN tag configuration ignoring  : Disabled

   Max online users                 : 4294967295

   Authentication attempts          : successful 2, failed 3

   Current online users             : 1

          MAC address       Auth state

          0001-0000-0000    Authenticated

          0001-0000-0001    Unauthenticated

 

Table 1 Command output

Field

Description

MAC authentication

Whether MAC authentication is enabled globally.

Authentication method

Authentication method for MAC authentication: CHAP or PAP.

Username format

Global user account policy: MAC-based or shared.

·     If MAC-based accounts are used, this field displays the format settings for the username. For example, MAC address in lowercase(xxxxxxxxxxxx) indicates that the MAC address is in hexadecimal notation without hyphens, and letters are in lower case.

·     If a shared account is used, this field displays Fixed account.

Username

Username for MAC authentication.

·     If MAC-based accounts are used, this field displays mac.

·     If a shared account is used, this field displays the username of the shared account for MAC authentication users. By default, the username is mac.

Password

Password for MAC authentication.

·     If the MAC address of each user is used as the password or if a shared account is used but no password is configured, this field displays Not configured.

·     If a password is configured, this field displays a string of asterisks (******).

MAC range accounts

MAC authentication user accounts specific to MAC address ranges.

MAC address

MAC address.

Mask

MAC address mask. A MAC address and a mask together specify a MAC address range.

Username

Username for the users in the MAC address range.

Offline detect period

Offline detect timer.

Quiet period

Quiet timer.

Server timeout

Server timeout timer.

Reauth period

Periodic MAC reauthentication timer in seconds.

User aging period for critical VLAN

Aging timer in seconds for users in critical VLANs.

User aging period for critical VSI

Aging timer in seconds for users in critical VSIs.

User aging period for guest VLAN

Aging timer in seconds for users in guest VLANs.

User aging period for guest VSI

Aging timer in seconds for users in guest VSIs.

Temporary user aging period

Aging timer in seconds for temporary MAC authentication users.

This field is supported only in Release 6320 and later.

Authentication domain

MAC authentication domain specified in system view.

If no authentication domain is specified in system view, this field displays Not configured, use default domain.

Online MAC-auth wired users

Number of wired online MAC authentication users, including users that have passed MAC authentication and users that are performing MAC authentication.

Silent MAC users

Information about silent MAC addresses, including MAC addresses that have failed MAC authentication and MAC addresses that have been assigned the blackhole MAC attribute from the RADIUS server.

MAC address

Silent MAC address.

VLAN ID

ID of the VLAN to which the silent MAC address belongs.

From port

Name of the port that marks the MAC address as a silent MAC address.

Port index

Index of the port that marks the MAC address as a silent MAC address.

Ten-GigabitEthernet1/0/1 is link-up

Status of the link on Ten-GigabitEthernet 1/0/1. In this example, the link is up.

MAC authentication

Status of MAC authentication on the port:

·     Enabled.

·     Enabled (but NOT effective). This value is displayed if MAC authentication is enabled when the device does not have available ACL resources.

·     Disabled.

Carry User-IP

Whether user IP addresses are included in MAC authentication requests.

Authentication domain

MAC authentication domain specified for the port.

Auth-delay timer

Whether MAC authentication delay is enabled on the port.

Auth-delay period

MAC authentication delay timer.

Periodic reauth

Whether periodic MAC reauthentication is enabled on the port.

Reauth period

Periodic MAC reauthentication timer on the port.

Re-auth server-unreachable

Action taken when no server is reachable for MAC reauthentication:

·     Logoff—Logs off online MAC authentication users.

·     Online—Keeps MAC authenticated users online.

Guest VLAN

MAC authentication guest VLAN configured on the port.

If no MAC authentication guest VLAN is configured, this field displays Not configured.

Guest VLAN reauthentication

Status of guest VLAN reauthentication in MAC authentication, which is Enabled or Disabled.

Guest VLAN auth-period

Authentication interval for users in the MAC authentication guest VLAN on the port.

Critical VLAN

MAC authentication critical VLAN configured on the port.

If no MAC authentication critical VLAN is configured, this field displays Not configured.

Critical voice VLAN

Whether the MAC authentication critical voice VLAN feature is enabled on the port.

Host mode

MAC authentication VLAN mode for users moving from one VLAN to another on the port:

·     Single VLAN—Single-VLAN mode.

·     Multiple VLAN—Multi-VLAN mode.

Offline detection

Status of MAC authentication offline detection:

·     Enabled.

·     Disabled.

Authentication order

If parallel processing of MAC authentication and 802.1X authentication is disabled, this field displays Default.

If parallel processing of MAC authentication and 802.1X authentication is enabled, this field displays Parallel.

User aging

Status of the aging feature for unauthenticated MAC authentication users on a port:

·     Enabled.

·     Disabled.

Server-recovery online-user-sync

Status of online user synchronization for MAC authentication on the port:

·     Enabled.

·     Disabled.

Guest VSI

MAC authentication guest VSI configured on the port.

If no MAC authentication guest VSI is configured, this field displays Not configured.

Guest VSI reauthentication

Status of guest VSI reauthentication in MAC authentication, which is Enabled or Disabled.

Guest VSI auth-period

Authentication interval for users in the MAC authentication guest VSI on the port.

Critical VSI

MAC authentication critical VSI configured on the port.

If no MAC authentication critical VSI is configured, this field displays Not configured.

Auto-tag feature

This field is not supported in the current software version.

Status of the authorization VLAN auto-tag feature:

·     Enabled.

·     Disabled.

VLAN tag configuration ignoring

This field is not supported in the current software version.

Status of the ignore-config mode:

·     Enabled.

·     Disabled.

Max online users

Maximum number of concurrent online users allowed on the port.

Authentication attempts: successful 1, failed 0

MAC authentication statistics, including the number of successful and unsuccessful authentication attempts.

MAC address

MAC address of the online user.

Auth state

User status:

·     Authenticated—The user has passed MAC authentication.

·     Unauthenticated—The user has not passed MAC authentication.

 

display mac-authentication connection

Use display mac-authentication connection to display information about online MAC authentication users.

Syntax

display mac-authentication connection [ open ] [ interface interface-type interface-number | slot slot-number | user-mac mac-address | user-name user-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

open: Displays information only about MAC authentication users that use nonexistent usernames or incorrect passwords for network access in open authentication mode. If you do not specify this keyword, the command displays information about all online MAC authentication users.

interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command displays information about online MAC authentication users for all ports.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays information about online MAC authentication users for all member devices.

user-mac mac-address: Specifies an online MAC authentication user by its MAC address. The mac-address argument represents the MAC address of the user, in the form of H-H-H. If you do not specify an online MAC authentication user, this command displays all online MAC authentication user information.

user-name user-name: Specifies an online MAC authentication user by its username. The user name is a case-sensitive string of 1 to 55 characters, and it can include the domain name. If you do not specify an online MAC authentication user, this command displays all online MAC authentication user information.

Examples

# Display information about all online MAC authentication users.

<Sysname> display mac-authentication connection

Total connections: 1

Slot ID: 0

User MAC address: 0015-e9a6-7cfe

Access interface: Ten-GigabitEthernet1/0/1

Username: ias

User access state: Successful

Authentication domain: macusers

IPv4 address: 192.168.1.1

IPv6 address: 2000:0:0:0:1:2345:6789:abcd

Initial VLAN: 1

Authorization untagged VLAN: 100

Authorization tagged VLAN: N/A

Authorization VSI: N/A

Authorization ACL ID: 3001

Authorization user profile: N/A

Authorization CAR:

  Average input rate: 102400 bps

  Peak input rate: 204800 bps

  Average output rate: 102400 bps

  Peak output rate: 204800 bps

Authorization URL: N/A

Termination action: Radius-request

Session timeout period: 2 sec

Offline detection: 100 sec (server-assigned)

Online from: 2013/03/02  13:14:15

Online duration: 0h 2m 15s

Table 2 Command output

Field

Description

Total connections

Total number of online MAC authentication users.

User MAC address

MAC address of the user.

Access interface

Interface through which the user accesses the device.

User access state

Access state of the user:

·     Successful—The user passes MAC authentication and comes online.

·     Open—The user uses a nonexistent username or an incorrect password to come online in open authentication mode.

·     Temporary—The user has passed MAC authentication on a port operating in macAddressAndUserLoginSecureExt mode. This state is supported only in Release 6320 and later.

Authentication domain

MAC authentication domain to which the user belongs.

IPv4 address

IPv4 address of the user.

If no user IPv4 address is available, this field is not displayed.

IPv6 address

IPv6 address of the user.

If no user IPv6 address is available, this field is not displayed.

Initial VLAN

VLAN that holds the user before MAC authentication.

Authorization untagged VLAN

Untagged VLAN authorized to the user.

Authorization tagged VLAN

Tagged VLAN authorized to the user.

Authorization VSI

VSI authorized to the user.

Authorization ACL ID

ACL authorized to the user.

If the ACL authorization fails, this field displays (Not effective) after the ACL ID.

Authorization user profile

User profile authorized to the user.

Authorization CAR

Authorization CAR attributes assigned by the server.

·     Average input rate—Average rate of inbound traffic in bps.

·     Peak input rate—Peak rate of inbound traffic in bps.

·     Average output rate—Average rate of outbound traffic in bps.

·     Peak output rate—Peak rate of outbound traffic in bps.

If the device fails to assign the CAR attributes to the user, the Authorization CAR field displays (NOT effective).

If the server does not assign the peak rates, the peak rates by default are the same as the assigned average rates. In the current software version, the device does not support exclusive assignment of peak rates from the server.

If no authorization CAR attributes are assigned, this field displays N/A.

Authorization URL

Redirect URL authorized to the user.

Termination action

Action attribute assigned by the server to terminate the user session:

·     Default—Logs off the online authenticated user when the server-assigned session timeout timer expires. This attribute does not take effect when periodic MAC reauthentication is enabled and the periodic reauthentication timer is shorter than the server-assigned session timeout timer.

·     Radius-request—Reauthenticates the online user when the server-assigned session timeout timer expires, regardless of whether the periodic MAC reauthentication feature is enabled or not.

If the device performs local authentication, this field displays N/A.

Session timeout period

Session timeout timer assigned by the server.

Offline detection

Offline detection setting for the user:

·     Ignore (command-configured)—The device does not perform offline detection for the user. The setting is configured from the CLI.

·     timer (command-configured)—Represents the offline detect timer. The timer is configured from the CLI,

·     Ignore (server-assigned)—The device does not perform offline detection for the user. The setting is assigned by a RADIUS server.

·     timer (server-assigned)—Represents the offline detect timer. The timer is assigned by a RADIUS server.

Online from

Time from which the MAC authentication user came online.

Online duration

Online duration of the MAC authentication user.

 

display mac-authentication mac-address

Use display mac-authentication mac-address to display the MAC addresses of MAC authentication users in a type of MAC authentication VLAN or VSI.

Syntax

display mac-authentication mac-address { critical-vlan | critical-vsi | guest-vlan | guest-vsi } [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

critical-vlan: Specifies MAC authentication critical VLANs.

critical-vsi: Specifies MAC authentication critical VSIs.

guest-vlan: Specifies MAC authentication guest VLANs.

guest-vsi: Specifies MAC authentication guest VSIs.

interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command displays the MAC addresses of MAC authentication users in the specified type of MAC authentication VLAN or VSI on all ports.

Usage guidelines

The displayed MAC addresses and MAC address count might not include all MAC addresses if a large number of MAC authentication users are performing authentication frequently.

Examples

# Display the MAC addresses of MAC authentication users in the MAC authentication guest VLANs on all ports.

<Sysname> display mac-authentication mac-address guest-vlan

Total MAC addresses: 10

Interface: Ten-GigabitEthernet1/0/1        Guest VLAN: 3           Aging time: N/A

MAC addresses: 8

  0800-2700-9427    0800-2700-2341    0800-2700-2324    0800-2700-2351

  0800-2700-5627    0800-2700-2251    0800-2700-8624    0800-2700-3f51

 

Interface: Ten-GigabitEthernet1/0/2        Guest VLAN: 5            Aging time: 30 sec

MAC addresses: 2

  0801-2700-9427    0801-2700-2341 

# Display the MAC addresses of MAC authentication users in the MAC authentication guest VSIs on all ports.

<Sysname> display mac-authentication mac-address guest-vsi

Total MAC addresses: 10

Interface: Ten-GigabitEthernet1/0/3       Guest VSI: text-vsi   Aging time: N/A

MAC addresses: 8

  0800-2700-9427    0800-2700-2341    0800-2700-2324    0800-2700-2351

  0800-2700-5627    0800-2700-2251    0800-2700-8624    0800-2700-3f51

 

Interface: Ten-GigabitEthernet1/0/4        Guest VSI: text1-vsi   Aging time: 30 sec

MAC addresses: 2

  0801-2700-9427    0801-2700-2341

Table 3 Command output

Field

Description

Total MAC addresses

Total number of MAC addresses in the specified type of VLAN or VSI on the specified port or all ports.

Interface

Access port of MAC authentication users.

Type VLAN/VSI

VLAN or VSI that contains the MAC authentication users. The Type argument has the following values:

·     Critical VLAN.

·     Critical VSI.

·     Guest VLAN.

·     Guest VSI.

Aging time

MAC address aging time in seconds.

This field displays N/A if the MAC addresses do not age out.

MAC addresses

Number of matching MAC addresses on a port.

xxxx-xxxx-xxxx

MAC address.

 

Related commands

mac-authentication critical vlan

mac-authentication critical vsi

mac-authentication guest-vlan

mac-authentication guest-vsi

mac-authentication

Use mac-authentication to enable MAC authentication globally or on a port.

Use undo mac-authentication to disable MAC authentication globally or on a port.

Syntax

mac-authentication

undo mac-authentication

Default

MAC authentication is disabled globally or on any port.

Views

System view

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

To use MAC authentication on a port, you must enable the feature both globally and on the port.

Examples

# Enable MAC authentication globally.

<Sysname> system-view

[Sysname] mac-authentication

# Enable MAC authentication on Ten-GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] mac-authentication

Related commands

display mac-authentication

mac-authentication access-user log enable

Use mac-authentication access-user log enable to enable MAC authentication user logging.

Use undo mac-authentication access-user log enable to disable MAC authentication user logging.

Syntax

mac-authentication access-user log enable [ failed-login | logoff | successful-login ] *

undo mac-authentication access-user log enable [ failed-login | logoff | successful-login ] *

Default

MAC authentication user logging is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

failed-login: Logs MAC authentication user login failures.

logoff: Logs MAC authentication user logoffs.

successful-login: Logs successful MAC authentication user logins.

Usage guidelines

To prevent excessive MAC authentication user log entries, use this feature only if you need to analyze abnormal MAC authentication user logins or logouts.

If you do not specify any parameters, this command enables all types of MAC authentication user logs.

Examples

# Enable logging MAC authentication user login failures.

<Sysname> system-view

[Sysname] mac-authentication access-user log enable failed-login

Related commands

info-center source maca logfile deny (Network Management and Monitoring Command Reference)

mac-authentication authentication-method

Use mac-authentication authentication-method to specify an authentication method for MAC authentication.

Use undo mac-authentication authentication-method to restore the default.

Syntax

mac-authentication authentication-method { chap | pap }

undo mac-authentication authentication-method

Default

The device uses PAP for MAC authentication.

Views

System view

Predefined user roles

network-admin

Parameters

chap: Configures the access device to use the Challenge Handshake Authentication Protocol (CHAP) to communicate with the RADIUS server.

pap: Configures the access device to use the Password Authentication Protocol (PAP) to communicate with the RADIUS server.

Usage guidelines

RADIUS-based MAC authentication supports the following authentication methods:

·     PAP—Transports usernames and passwords in plain text. The authentication method applies to scenarios that do not require high security.

·     CHAP—Transports usernames in plain text and passwords in encrypted form over the network. CHAP is more secure than PAP.

Examples

# Configure the device to use CHAP for MAC authentication.

<Sysname> system-view

[Sysname] mac-authentication authentication-method chap

Related commands

display mac-authentication

mac-authentication carry user-ip

Use mac-authentication carry user-ip to include user IP addresses in MAC authentication requests sent to an IMC server.

Use undo mac-authentication carry user-ip to restore the default.

Syntax

mac-authentication carry user-ip [ exclude-ip acl acl-number ]

undo mac-authentication carry user-ip

Default

A MAC authentication request does not include the user IP address.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

exclude-ip: Specifies an ACL-based filter to identify source IP addresses that can or cannot trigger MAC authentication.

acl acl-number: Specifies a basic ACL. The value range for the acl-number argument is 2000 to 2999.

Usage guidelines

IMPORTANT

IMPORTANT:

This command can only operate in conjunction with an IMC server.

 

To avoid IP conflicts that result from changes to static IP addresses, use this command on a port that has MAC authentication users with static IP addresses.

This command adds user IP addresses to the MAC authentication requests sent to the authentication server. When MAC authentication is triggered for a user, the device checks the user's IP address for invalidity.

·     If the IP address is valid, the device sends a MAC authentication request with the IP address included.

·     If the IP address is not a valid host IP address or the triggering packet does not contain an IP address, the device does not initiate MAC authentication.

·     If the packet is a DHCP packet with a source IP address of 0.0.0.0, the device sends a MAC authentication request without including the IP address. In this case, the IMC server does not examine the user IP address when it performs authentication.

Upon receipt of the authentication request that includes a user's IP address, the IMC server compares the user's IP and MAC addresses with its IP-MAC mappings.

·     If an exact match is found or if no match is found, the user passes MAC authentication. In the latter case, the server creates an IP-MAC mapping for the user.

·     If a mapping is found for the MAC address but the IP addresses do not match, the user fails the MAC authentication.

If the user host is configured with IPv6, the device might receive packets that contain an IPv6 link-local address, which starts with fe80. MAC authentication failure or incorrect MAC-IP binding will occur if this address is used in MAC authentication. To avoid these issues, configure a basic ACL to exclude the IPv6 IP addresses that start with fe80.

When you configure the ACL, follow these guidelines:

·     The specified ACL number represents an IPv4 ACL and an IPv6 ACL with the same number. For example, if the ACL number is 2000, you specify both IPv4 ACL 2000 and IPv6 ACL 2000. The IPv4 ACL and the IPv6 ACL will be used to process IPv4 packets and IPv6 packets, respectively.

·     Use permit rules to identify source IP addresses that are valid for MAC authentication. Use deny rules to identify source IP addresses that cannot trigger MAC authentication.

·     In the rules, only the action keyword (permit or deny) and the source IP match criterion can take effect.

·     As a best practice, configure a deny rule to exclude the IPv6 IP addresses that start with fe80 from triggering MAC authentication.

·     If you configure permit rules, add a deny all rule at the bottom of the ACL.

Do not use this command in conjunction with the mac-authentication guest-vlan or the mac-authentication guest-vsi command on a port. The device cannot perform MAC authentication for a user once that user is added to the MAC authentication guest VLAN or guest VSI.

Examples

# Include user IP addresses in MAC authentication requests on Ten-GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] mac-authentication carry user-ip

# Include user IP addresses in MAC authentication requests on Ten-GigabitEthernet 1/0/1 and deny users that use IPv6 link-local addresses from performing MAC authentication on the port.

<Sysname> system-view

[Sysname] acl ipv6 basic 2000

[Sysname-acl-ipv6-basic-2000] rule deny source fe80:0::0:0 16

[Sysname-acl-ipv6-basic-2000] quit

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] mac-authentication carry user-ip exclude-ip acl 2000

Related commands

mac-authentication

mac-authentication critical vlan

Use mac-authentication critical vlan to configure a MAC authentication critical VLAN on a port.

Use undo mac-authentication critical vlan to restore the default.

Syntax

mac-authentication critical vlan critical-vlan-id

undo mac-authentication critical vlan

Default

No MAC authentication critical VLAN exists on a port.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

critical-vlan-id: Specifies a VLAN as the MAC authentication critical VLAN. The value range for the VLAN ID is 1 to 4094. Make sure the VLAN has been created.

Usage guidelines

The MAC authentication critical VLAN accommodates users that have failed MAC authentication because all the servers in their ISP domains are unreachable. Users in the critical VLAN can access network resources in the critical VLAN.

You cannot specify a VLAN as both a super VLAN and a MAC authentication critical VLAN on a port. For more information about super VLANs, see Layer 2—LAN Switching Configuration Guide.

On a port, the MAC authentication critical VLAN configuration is mutually exclusive with the MAC authentication guest VSI and MAC authentication critical VSI settings.

The critical VLAN feature takes effect when MAC authentication is performed only through RADIUS servers. If a MAC authentication user fails local authentication after RADIUS authentication, the user is not assigned to the critical VLAN.

Before you delete a VLAN that has been set as a MAC authentication critical VLAN, use the undo mac-authentication critical vlan command to remove the critical VLAN configuration.

Examples

# Configure VLAN 100 as the MAC authentication critical VLAN on Ten-GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] mac-authentication critical vlan 100

Related commands

display mac-authentication

reset mac-authentication critical vlan

mac-authentication critical vsi

Use mac-authentication critical vsi to configure a MAC authentication critical VSI on a port.

Use undo mac-authentication critical vsi to restore the default.

Syntax

mac-authentication critical vsi critical-vsi-name [ url-user-logoff ]

undo mac-authentication critical vsi

Default

No MAC authentication critical VSI exists on a port.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

critical-vsi-name: Specifies the name of the MAC authentication critical VSI on the port, a case-sensitive string of 1 to 31 characters.

url-user-logoff: Logs off MAC authentication users that have been assigned authorization URLs on the port when the first user is assigned to the critical VSI. If you do not specify this keyword, the device keeps these MAC authentication users online until no packets are received from the users within the offline detect interval.

Usage guidelines

The MAC authentication critical VSI accommodates users that have failed MAC authentication because all the servers in their ISP domains are unreachable. Users in the critical VSI can access only network resources in the VXLAN associated with this VSI.

You can configure only one MAC authentication critical VSI on a port. The MAC authentication critical VSIs on different ports can be different.

On a port, the MAC authentication critical VSI configuration is mutually exclusive with the MAC authentication guest VLAN and MAC authentication critical VLAN settings.

Examples

# Configure VSI vpna as the MAC authentication critical VSI on Ten-GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] mac-authentication critical vsi vpna

Related commands

display mac-authentication

reset mac-authentication critical vsi

mac-authentication critical-voice-vlan

Use mac-authentication critical-voice-vlan to enable the MAC authentication critical voice VLAN feature on a port.

Use undo mac-authentication critical-voice-vlan to restore the default.

Syntax

mac-authentication critical-voice-vlan

undo mac-authentication critical-voice-vlan

Default

The MAC authentication critical voice VLAN feature is disabled on a port.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

The MAC authentication critical voice VLAN on a port accommodates MAC authentication voice users that have failed authentication because none of the RADIUS servers in their ISP domain are reachable.

Before you enable the MAC authentication critical voice VLAN feature on the port, make sure the following requirements are met:

·     The port is configured with the voice VLAN.

To configure a voice VLAN on a port, use the voice-vlan enable command (see Layer 2—LAN Switching Command Reference).

·     LLDP is enabled both globally and on the port.

The device uses LLDP to identify voice users. For information about LLDP commands, see Layer 2—LAN Switching Command Reference.

·     A MAC authentication critical VLAN is configured on the port. This setting ensures that a voice user is assigned to the critical VLAN if it has failed authentication for unreachability of RADIUS servers before the device recognizes it as a voice user. If a MAC authentication critical VLAN is not available, the voice user might be logged off instead.

Examples

# Enable the MAC authentication critical voice VLAN feature on Ten-GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] mac-authentication critical-voice-vlan

Related commands

display mac-authentication

lldp enable (Layer 2—LAN Switching Command Reference)

lldp global enable (Layer 2—LAN Switching Command Reference)

reset mac-authentication critical-voice-vlan

voice-vlan enable (Layer 2—LAN Switching Command Reference)

mac-authentication domain

Use mac-authentication domain to specify a global or port-specific authentication domain.

Use undo mac-authentication domain to restore the default.

Syntax

mac-authentication domain domain-name

undo mac-authentication domain

Default

The system default authentication domain is used. For more information about the default authentication domain, see the domain default enable command in "AAA commands."

Views

System view

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

domain-name: Specifies the name of an ISP domain, a case-insensitive string of 1 to 255 characters.

Usage guidelines

The global authentication domain applies to all MAC authentication-enabled ports. An authentication domain specified in Layer 2 Ethernet interface view or Layer 2 aggregate interface view applies only to the port. You can specify different authentication domains on different ports.

A port chooses an authentication domain for MAC authentication users in the following order:

1.     Authentication domain specified on the port.

2.     Global authentication domain specified in system view.

3.     Default authentication domain.

Examples

# Specify ISP domain domain1 as the global MAC authentication domain.

<Sysname> system-view

[Sysname] mac-authentication domain domain1

# Specify ISP domain aabbcc as the MAC authentication domain on Ten-GigabitEthernet 1/0/1.

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] mac-authentication domain aabbcc

Related commands

display mac-authentication

domain default enable

mac-authentication guest-vlan

Use mac-authentication guest-vlan to configure a MAC authentication guest VLAN on a port.

Use undo mac-authentication guest-vlan to restore the default.

Syntax

mac-authentication guest-vlan guest-vlan-id

undo mac-authentication guest-vlan

Default

No MAC authentication guest VLAN exists on a port.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

guest-vlan-id: Specifies a VLAN as the MAC authentication guest VLAN. The value range for the VLAN ID is 1 to 4094. Make sure the VLAN has been created.

Usage guidelines

The MAC authentication guest VLAN accommodates users that have failed MAC authentication for any reason other than server unreachable. For example, the VLAN accommodates users with invalid passwords entered. You can deploy a limited set of network resources in the MAC authentication guest VLAN. For example, a software server for downloading software and system patches.

You cannot specify a VLAN as both a super VLAN and a MAC authentication guest VLAN on a port. For more information about super VLANs, see Layer 2—LAN Switching Configuration Guide.

On a port, the MAC authentication guest VLAN configuration is mutually exclusive with the MAC authentication guest VSI and MAC authentication critical VSI settings.

Before you delete a VLAN that has been set as a MAC authentication guest VLAN, use the undo mac-authentication guest-vlan command to remove the guest VLAN configuration.

Examples

# Configure VLAN 100 as the MAC authentication guest VLAN on Ten-GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] mac-authentication guest-vlan 100

Related commands

display mac-authentication

reset mac-authentication guest-vlan

mac-authentication guest-vlan auth-period

Use mac-authentication guest-vlan auth-period to set the interval at which the device authenticates users in the MAC authentication guest VLAN.

Use undo mac-authentication guest-vlan auth-period to restore the default.

Syntax

mac-authentication guest-vlan auth-period period-value

undo mac-authentication guest-vlan auth-period

Default

The device authenticates users in the MAC authentication guest VLAN every 30 seconds.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

period-value: Sets the authentication interval for users in the MAC authentication guest VLAN. The value range is 1 to 3600, in seconds.

Usage guidelines

For this command to take effect, you must use the mac-authentication guest-vlan re-authenticate command to enable guest VLAN reauthentication in MAC authentication.

As a best practice, set the reauthentication interval to a value greater than 30 seconds if the number of concurrent MAC authentication users on a port is likely to exceed 300.

Examples

# Set the authentication interval to 150 seconds for users in the MAC authentication guest VLAN on Ten-GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] mac-authentication guest-vlan auth-period 150

Related commands

display mac-authentication

mac-authentication guest-vlan

mac-authentication guest-vlan re-authenticate

mac-authentication guest-vlan re-authenticate

Use mac-authentication guest-vlan re-authenticate to enable the guest VLAN reauthentication feature of MAC authentication on a port.

Use undo mac-authentication guest-vlan re-authenticate to disable the guest VLAN reauthentication feature of MAC authentication on a port.

Syntax

mac-authentication guest-vlan re-authenticate

undo mac-authentication guest-vlan re-authenticate

Default

The guest VLAN reauthentication feature of MAC authentication is enabled on a port.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

The guest VLAN reauthentication feature of MAC authentication enables the device to reauthenticate users in the MAC authentication guest VLAN on a port at reauthentication intervals.

Typically, you disable this feature to suppress excessive authentication failure log messages, which might occur when a network issue results in a large number of reauthentication failures.

If guest VLAN reauthentication is disabled on a port, the device does not reauthenticate users in the MAC authentication guest VLAN on the port. The guest VLAN users will stay in the guest VLAN until they age out. To configure the aging timer, use the mac-authentication timer user-aging guest-vlan aging-time-value command.

Examples

# Enable the guest VLAN reauthentication feature of MAC authentication on Ten-GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] mac-authentication guest-vlan re-authenticate

Related commands

display mac-authentication

mac-authentication guest-vlan

mac-authentication guest-vlan auth-period

mac-authentication timer

mac-authentication guest-vsi

Use mac-authentication guest-vsi to configure a MAC authentication guest VSI on a port.

Use undo mac-authentication guest-vsi to restore the default.

Syntax

mac-authentication guest-vsi guest-vsi-name

undo mac-authentication guest-vsi

Default

No MAC authentication guest VSI exists on a port.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

guest-vsi-name: Specifies the name of the MAC authentication guest VSI on the port, a case-sensitive string of 1 to 31 characters.

Usage guidelines

The MAC authentication guest VSI accommodates users that have failed MAC authentication for any reason other than server unreachable. For example, the VSI accommodates users with invalid passwords entered. You can deploy a limited set of network resources in the VXLAN that is associated with the guest VSI. For example, a software server for downloading software and system patches.

You can configure only one MAC authentication guest VSI on a port. The MAC authentication guest VSIs on different ports can be different.

On a port, the MAC authentication guest VSI configuration is mutually exclusive with the MAC authentication guest VLAN and MAC authentication critical VLAN settings.

Examples

# Configure VSI vpna as the MAC authentication guest VSI on Ten-GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] mac-authentication guest-vsi vpna

Related commands

display mac-authentication

reset mac-authentication guest-vsi

mac-authentication guest-vsi auth-period

Use mac-authentication guest-vsi auth-period to set the interval at which the device authenticates users in the MAC authentication guest VSI.

Use undo mac-authentication guest-vsi auth-period to restore the default.

Syntax

mac-authentication guest-vsi auth-period period-value

undo mac-authentication guest-vsi auth-period

Default

The device authenticates users in the MAC authentication guest VSI every 30 seconds.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

period-value: Sets the authentication interval for users in the MAC authentication guest VSI. The value range is 1 to 3600, in seconds.

Usage guidelines

For this command to take effect, you must use the mac-authentication guest-vsi re-authenticate command to enable guest VSI reauthentication in MAC authentication.

As a best practice, set the reauthentication interval to a value greater than 30 seconds if the number of concurrent MAC authentication users on a port is likely to exceed 300.

Examples

# Set the authentication interval to 150 seconds for users in the MAC authentication guest VSI on Ten-GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] mac-authentication guest-vsi auth-period 150

Related commands

display mac-authentication

mac-authentication guest-vsi

mac-authentication guest-vsi re-authenticate

mac-authentication guest-vsi re-authenticate

Use mac-authentication guest-vsi re-authenticate to enable the guest VSI reauthentication feature of MAC authentication on a port.

Use undo mac-authentication guest-vsi re-authenticate to disable the guest VSI reauthentication feature of MAC authentication on a port.

Syntax

mac-authentication guest-vsi re-authenticate

undo mac-authentication guest-vsi re-authenticate

Default

The guest VSI reauthentication feature of MAC authentication is enabled on a port.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

The guest VSI reauthentication feature of MAC authentication enables the device to reauthenticate users in the MAC authentication guest VSI on a port at reauthentication intervals.

Typically, you disable this feature to suppress excessive authentication failure log messages, which might occur when a network issue results in a large number of reauthentication failures.

If guest VSI reauthentication is disabled on a port, the device does not reauthenticate users in the MAC authentication guest VSI on the port. The guest VSI users will stay in the guest VSI until they age out. To configure the aging timer, use the mac-authentication timer user-aging guest-vsi aging-time-value command.

Examples

# Enable the guest VSI reauthentication feature of MAC authentication on Ten-GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] mac-authentication guest-vsi re-authenticate

Related commands

display mac-authentication

mac-authentication guest-vsi

mac-authentication guest-vsi auth-period

mac-authentication timer

mac-authentication host-mode multi-vlan

Use mac-authentication host-mode multi-vlan to enable multi-VLAN mode for MAC authentication users on a port.

Use undo mac-authentication host-mode to restore the default.

Syntax

mac-authentication host-mode multi-vlan

undo mac-authentication host-mode

Default

MAC authentication operates in single-VLAN mode on a port.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

To accommodate IP phone services or any other applications that are sensitive to delay or service interruption in a multi-VLAN environment, enable MAC authentication multi-VLAN mode.

In multi-VLAN mode, the port forwards traffic from a user in different VLANs without reauthentication if the user has been authenticated and come online in any VLAN on the port. Free of reauthentication, traffic from an online user can be sent in different VLANs without delay or service interruption.

Examples

# Enable MAC authentication multi-VLAN mode on Ten-GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] mac-authentication host-mode multi-vlan

Related commands

display mac-authentication

port-security mac-move permit

mac-authentication mac-range-account

Use mac-authentication mac-range-account to configure a username and password for MAC authentication users in a MAC address range.

Use undo mac-authentication mac-range-account to restore the default.

Syntax

mac-authentication mac-range-account mac-address mac-address mask { mask | mask-length } account name password { cipher | simple } string

undo mac-authentication mac-range-account { all | mac-address mac-address }

Default

No username or password is specifically configured for MAC authentication users in a MAC address range. The global user account policy applies to the users.

Views

System view

Predefined user roles

network-admin

Parameters

mac-address mac-address: Specifies a MAC address in the format of H-H-H.

mask mask: Specifies a MAC address mask, in the format of H-H-H. Make sure the most significant bits of the MAC address mask in binary format are consecutive 1s.

mask mask-length: Specifies a MAC address mask length, in the range of 1 to 48.

account name: Specifies a username. The name is a case-sensitive string of 1 to 55 characters, and cannot include the at sign (@).

password: Specifies the user password.

cipher: Specifies a password in encrypted form.

simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.

string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 63 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

all: Specifies all MAC address ranges.

Usage guidelines

This command is supported only in Release 6312P01 and later.

Use this command to configure user account settings for users in a MAC address range (for example, users with a specific OUI). For users in the specified range, this command has higher priority than the mac-authentication user-name-format command.

You can configure a maximum of 16 MAC address ranges. However, you must make sure the MAC address ranges do not overlap.

If you configure user account settings multiple times for the same MAC address range, the most recent configuration overwrites the previous configuration.

The mac-authentication mac-range-account command applies only to unicast MAC addresses.

·     If you specify a MAC address range that contains only multicast MAC addresses, execution of this command will fail.

·     If you specify a MAC address range that contains both unicast and multicast MAC addresses, the command takes effect only on unicast MAC addresses.

The all-zero MAC address is invalid for MAC authentication. Users with the all-zero MAC address cannot pass MAC authentication.

Examples

# Configure a user account for MAC addresses that start with aaaa. Set the MAC address mask to ffff-0000-0000, the username to user1, and the password to 1234 in plaintext form.

<Sysname> system-view

[Sysname] mac-authentication mac-range-account mac-address aaaa-0000-0000 mask ffff-0000-0000 account user1 password simple 1234

Related commands

display mac-authentication

mac-authentication user-name-format

mac-authentication max-user

Use mac-authentication max-user to set the maximum number of concurrent MAC authentication users on a port.

Use undo mac-authentication max-user to restore the default.

Syntax

mac-authentication max-user max-number

undo mac-authentication max-user

Default

A port allows a maximum of 4294967295 concurrent MAC authentication users.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

max-number: Sets the maximum number of concurrent MAC authentication users on the port. The value range for this argument is 1 to 4294967295.

Usage guidelines

Set the maximum number of concurrent MAC authentication users on a port to prevent the system resources from being overused. When the maximum number is reached, the port denies subsequent MAC authentication users.

Examples

# Configure Ten-GigabitEthernet 1/0/1 to support a maximum of 32 concurrent MAC authentication users.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] mac-authentication max-user 32

Related commands

display mac-authentication

mac-authentication offline-detect enable

Use mac-authentication offline-detect enable to enable MAC authentication offline detection on a port.

Use undo mac-authentication offline-detect enable to disable MAC authentication offline detection.

Syntax

mac-authentication offline-detect enable

undo mac-authentication offline-detect enable

Default

MAC authentication offline detection is enabled on a port.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

The MAC authentication offline detection feature monitors the online status of MAC authentication users. This feature uses an offline detect timer to set the interval that the device must wait for traffic from a user before the device determines that the user is idle. If the device has not received traffic from a user before the timer expires, the device logs off that user and requests the accounting server to stop accounting for the user.

To set the offline detect timer, use the mac-authentication timer command.

Examples

# Disable MAC authentication offline detection on Ten-GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] undo mac-authentication offline-detect enable

Related commands

mac-authentication timer

mac-authentication offline-detect mac-address

Use mac-authentication offline-detect mac-address to configure MAC authentication offline detection for a MAC authentication user.

Use undo mac-authentication offline-detect mac-address to restore the default.

Syntax

mac-authentication offline-detect mac-address mac-address { ignore | timer offline-detect-value [ check-arp-or-nd-snooping ] }

undo mac-authentication offline-detect mac-address mac-address

Default

The offline detection settings configured on access ports take effect and the offline detect timer set in system view is used.

Views

System view

Predefined user roles

network-admin

Parameters

mac-address: Specifies a MAC address in the format of H-H-H, excluding multicast, all-zero, and all-F MAC addresses.

ignore: Skips offline detection for the specified user.

timer offline-detect-value: Specifies the offline detect timer for the specified user. The value range is 60 to 2147483647 seconds.

check-arp-or-nd-snooping: Uses the ARP snooping or ND snooping table in offline detection to determine the offline state of the user.

Usage guidelines

Use this command to set offline detection parameters specific to a MAC authentication user. To have this command take effect, you must make sure MAC authentication offline detection is enabled on the user's access port. The user-specific offline detection settings take effect on the online users immediately after they are configured.

Use this command as follows:

·     Set an offline detect timer specific to a user and control whether to use the ARP snooping or ND snooping table to determine the offline state of the user.

¡     If the ARP snooping or ND snooping table is used, the device searches the ARP snooping or ND snooping table before it checks for traffic from the user within the detection interval. If a matching ARP snooping or ND snooping entry is found, the device resets the offline detect timer and the user stays online. If the offline detect timer expires because the device has not found a matching snooping entry for the user or received traffic from the user, the device disconnects the user.

¡     If the ARP or ND snooping table is not used, the device disconnects the user if it has not received traffic from that user before the offline detect timer expires.

When disconnecting the user, the device also notifies the RADIUS server (if any) to stop user accounting.

·     Skip offline detection for the user. You can choose this option if the user is a dumb terminal. A dumb terminal might fail to come online again after it is logged off by the offline detection feature.

The device uses the offline detection settings for a user in the following sequence:

1.     User-specific offline detection settings.

2.     Offline detection settings assigned to the user by the RADIUS server. The settings include the offline detect timer, use of the ARP or ND snooping table in offline detection, and whether to ignore offline detection.

3.     Port-based offline detection settings.

Examples

# Disable MAC authentication offline detection for the MAC authentication user with MAC address 000a-eb29-7511.

<Sysname> system-view

[Sysname] mac-authentication offline-detect mac-address 000a-eb29-7511 ignore

# Enable MAC authentication offline detection for the MAC authentication user with MAC address 000a-eb29-7511, and set the offline detect timer to 24 hours.

<Sysname> system-view

[Sysname] mac-authentication offline-detect mac-address 000a-eb29-7511 timer 86400

Related commands

display mac-authentication connection

mac-authentication offline-detect enable

mac-authentication timer (system view)

mac-authentication parallel-with-dot1x

Use mac-authentication parallel-with-dot1x to enable parallel processing of MAC authentication and 802.1X authentication on a port.

Use undo mac-authentication parallel-with-dot1x to restore the default.

Syntax

mac-authentication parallel-with-dot1x

undo mac-authentication parallel-with-dot1x

Default

Parallel processing of MAC authentication and 802.1X authentication is disabled on a port.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

When you configure this command on a port, follow these restrictions and guidelines:

·     Make sure the port meets the following requirements:

¡     The port is configured with both 802.1X authentication and MAC authentication and performs MAC-based access control for 802.1X authentication.

¡     The port is enabled with the 802.1X unicast trigger.

·     For the port to perform MAC authentication before it is assigned to the 802.1X guest VLAN or guest VSI, use the dot1x guest-vlan-delay new-mac or dot1x guest-vsi-delay new-mac command to delay assigning the port to the 802.1X guest VLAN or guest VSI.

For information about the dot1x guest-vlan-delay new-mac or dot1x guest-vsi-delay new-mac command, see "802.1X commands."

·     Do not enable MAC authentication delay on the port. This operation will delay MAC authentication after 802.1X authentication is triggered.

·     To configure both 802.1X authentication and MAC authentication on the port, use one of the following methods:

¡     Enable the 802.1X and MAC authentication features separately on the port.

¡     Enable port security on the port. The port security mode must be userlogin-secure-or-mac or userlogin-secure-or-mac-ext.

For information about port security mode configuration, see port security in Security Configuration Guide.

Examples

# Enable parallel processing of MAC authentication and 802.1X authentication on Ten-GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] mac-authentication parallel-with-dot1x

Related commands

display mac-authentication

mac-authentication re-authenticate

Use mac-authentication re-authenticate to enable the periodic MAC reauthentication feature on a port.

Use undo mac-authentication re-authenticate to disable the periodic MAC reauthentication feature on a port.

Syntax

mac-authentication re-authenticate

undo mac-authentication re-authenticate

Default

The periodic MAC reauthentication feature is disabled on a port.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

Periodic MAC reauthentication enables the access device to periodically authenticate online MAC authentication users on a port. This feature tracks the connection status of online users and updates the authorization attributes assigned by the server, such as the ACL and VLAN.

To set the periodic reauthentication timer, use the mac-authentication timer reauth-period command in system view or in Ethernet interface view.

If periodic reauthentication is triggered for a user while that user is waiting for online synchronization, the system performs online synchronization and does not perform reauthentication for the user.

Examples

# Enable the periodic MAC reauthentication feature on Ten-GigabitEthernet 1/0/1 and set the global periodic reauthentication timer to 1800 seconds.

<Sysname> system-view

[Sysname] mac-authentication timer reauth-period 1800

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] mac-authentication re-authenticate

Related commands

display mac-authentication

mac-authentication server-recovery online-user-sync

mac-authentication timer

mac-authentication re-authenticate server-unreachable keep-online

Use mac-authentication re-authenticate server-unreachable keep-online to enable the keep-online feature on a port.

Use undo mac-authentication re-authenticate server-unreachable to restore the default.

Syntax

mac-authentication re-authenticate server-unreachable keep-online

undo mac-authentication re-authenticate server-unreachable

Default

The keep-online feature is disabled on a port. The device logs off online MAC authentication users if no server is reachable for MAC reauthentication.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

The keep-online feature keeps authenticated MAC authentication users online when no server is reachable for MAC reauthentication.

Examples

# Enable the keep-online feature for authenticated MAC authentication users on Ten-GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] mac-authentication re-authenticate server-unreachable keep-online

Related commands

display mac-authentication

mac-authentication server-recovery online-user-sync

Use mac-authentication server-recovery online-user-sync to enable online user synchronization for MAC authentication.

Use undo mac-authentication server-recovery online-user-sync to disable online user synchronization for MAC authentication.

Syntax

mac-authentication server-recovery online-user-sync

undo mac-authentication server-recovery online-user-sync

Default

Online user synchronization for MAC authentication is disabled. The device does not synchronize online MAC authentication user information on a port with a RADIUS server after the RADIUS server recovers from the unreachable state.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

IMPORTANT

IMPORTANT:

This command takes effect only when the device uses an IMC RADIUS server to authenticate MAC authentication users.

To ensure that the RADIUS server maintains the same online MAC authentication user information as the device after the server state changes from unreachable to reachable, use this feature.

This feature synchronizes online MAC authentication user information between the device and the RADIUS server when the RADIUS server state is detected having changed from unreachable to reachable.

When synchronizing online MAC authentication user information on a port with the RADIUS server, the device initiates MAC authentication in turn for each authenticated online MAC authentication user to the RADIUS server.

If synchronization fails for an online user, the device logs off that user unless the failure occurs because the server has become unreachable again.

The amount of time required to complete online user synchronization increases as the number of online users grows. This might result in an increased delay for new MAC authentication users and users in the critical VLAN or VSI to authenticate or reauthenticate to the RADIUS server and come online.

To have this feature take effect, you must use it in conjunction with the RADIUS server status detection feature, which is configurable with the radius-server test-profile command. When you configure this feature, make sure the detection interval is shorter than the RADIUS server quiet timer configured by using the timer quiet command in RADIUS scheme view. The server state changes to active on expiration of the quiet timer regardless of its actual reachability. Setting a shorter detection interval than the quiet timer prevents the RADIUS server status detection feature from falsely reporting the server reachability.

For more information about the RADIUS server status detection feature, see AAA configuration in Security Configuration Guide.

Examples

# Enable online user synchronization for MAC authentication on Ten-GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] mac-authentication server-recovery online-user-sync

Related commands

display mac-authentication

radius-server test-profile

timer quiet (RADIUS scheme view)

mac-authentication timer (interface view)

Use mac-authentication timer to configure a MAC authentication timer on a port.

Use undo mac-authentication timer to restore the default of a MAC authentication timer.

Syntax

mac-authentication timer { auth-delay auth-delay-time | reauth-period reauth-period-value }

undo mac-authentication timer { auth-delay | reauth-period }

Default

No MAC authentication delay timer is set on a port. MAC authentication delay is disabled. MAC authentication starts immediately after it is triggered by a user packet.

No periodic MAC reauthentication timer is set on a port. The port uses the global periodic MAC reauthentication timer.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

auth-delay auth-delay-time: Sets the delay time for MAC authentication in seconds. The value range is 1 to 180.

reauth-period reauth-period-value: Sets the port-specific periodic MAC reauthentication timer in seconds. The value range is 60 to 7200.

Usage guidelines

When both 802.1X authentication and MAC authentication are enabled on a port, you can delay MAC authentication so that 802.1X authentication is preferentially triggered. If no 802.1X authentication is triggered or if 802.1X authentication fails within the delay period, the port continues to process MAC authentication.

Do not set the port security mode to mac-else-userlogin-secure or mac-else-userlogin-secure-ext when you want to use MAC authentication delay. The delay does not take effect on a port in either of the two modes. For more information about port security modes, see "Port security commands."

The device reauthenticates online MAC authentication users on a port at the specified periodic reauthentication interval if the port is enabled with periodic MAC reauthentication. To enable periodic MAC reauthentication on a port, use the mac-authentication re-authenticate command.

A change to the port-specific periodic reauthentication timer applies to online users only after the old timer expires.

The device selects a periodic reauthentication timer for MAC reauthentication in the following order:

1.     Server-assigned reauthentication timer.

2.     Port-specific reauthentication timer.

3.     Global reauthentication timer.

4.     Default reauthentication timer.

Examples

# Enable MAC authentication delay on Ten-GigabitEthernet 1/0/1 and set the delay time to 10 seconds.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] mac-authentication timer auth-delay 10

Related commands

display mac-authentication

port-security port-mode

mac-authentication timer (system view)

Use mac-authentication timer to configure a MAC authentication timer.

Use undo mac-authentication timer to restore the default of a MAC authentication timer.

Syntax

mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | reauth-period reauth-period-value | server-timeout server-timeout-value | temporary-user-aging aging-time-value | user-aging { critical-vlan | critical-vsi | guest-vlan | guest-vsi } aging-time-value }

undo mac-authentication timer { offline-detect | quiet | reauth-period | server-timeout | temporary-user-aging | user-aging { critical-vlan | critical-vsi | guest-vlan | guest-vsi } }

Default

The following MAC authentication timers apply:

·     The offline detect timer is 300 seconds.

·     The quiet timer is 60 seconds.

·     The global periodic MAC reauthentication timer is 3600 seconds.

·     The server timeout timer is 100 seconds.

·     The aging timer for temporary MAC authentication users is 60 seconds.

·     User aging timer for a type of MAC authentication VLAN or VSI: 1000 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

offline-detect offline-detect-value: Sets the offline detect timer. The value range is 60 to 2147483647 seconds.

quiet quiet-value: Sets the quiet timer. The value range is 1 to 3600 seconds.

reauth-period reauth-period-value: Sets the global periodic MAC reauthentication timer. The value range is 60 to 7200 seconds.

server-timeout server-timeout-value: Sets the server timeout timer. The value range is 100 to 300 seconds.

temporary-user-aging aging-time-value: Sets the aging timer for temporary MAC authentication users. The value range for the aging-time-value argument is 60 to 2147483647 seconds. This option is supported only in Release 6320 and later.

user-aging: Sets the user aging timer for a type of MAC authentication VLAN or VSI.

critical-vlan: Specifies MAC authentication critical VLANs.

critical-vsi: Specifies MAC authentication critical VSIs.

guest-vlan: Specifies MAC authentication guest VLANs.

guest-vsi: Specifies MAC authentication guest VSIs.

aging-time-value: Sets the user aging timer. The value range is 60 to 2147483647 seconds.

Usage guidelines

MAC authentication uses the following timers:

·     Offline detect timer—Sets the interval that the device must wait for traffic from a user before the device determines that the user is idle. If the device has not received traffic from a user before the timer expires, the device logs off that user and requests the accounting server to stop accounting for the user. This timer takes effect only when the MAC authentication offline detection feature is enabled.

As a best practice, set the MAC address aging timer to the same value as the offline detect timer. This operation prevents a MAC authenticated user from being logged off within the offline detect interval because of MAC address entry expiration.

·     Quiet timer—Sets the interval that the device must wait before the device can perform MAC authentication for a user that has failed MAC authentication. All packets from the MAC address are dropped during the quiet time. This quiet mechanism prevents repeated authentication from affecting system performance.

·     Periodic MAC reauthentication timer—Sets the interval at which the device reauthenticates online MAC authentication users on a port if the port is enabled with periodic MAC reauthentication. A change to the global periodic reauthentication timer applies to online users only after the old timer expires.

·     Server timeout timer—Sets the interval that the device waits for a response from a RADIUS server before the device determines that the RADIUS server is unavailable. If the timer expires during MAC authentication, the user fails MAC authentication.

To avoid forced logoff before the server timeout timer expires, set the server timeout timer to a value that is lower than or equal to the product of the following values:

¡     The maximum number of RADIUS packet transmission attempts set by using the retry command in RADIUS scheme view.

¡     The RADIUS server response timeout timer set by using the timer response-timeout command in RADIUS scheme view.

For information about setting the maximum number of RADIUS packet transmission attempts and the RADIUS server response timeout timer, see AAA configuration in Security Configuration Guide.

·     Aging timer for temporary MAC authentication users (temporary-user-aging)—Sets the aging timer for temporary MAC authentication users. This timer starts when a user passes MAC authentication on a port operating in macAddressAndUserLoginSecureExt mode. If the device has not received 802.1X protocol packets from the MAC authenticated user on that port before the timer expires, the device determines that the user has failed authentication. Then, the device logs off the user. For more information about the port security mode, see port security configuration is Security Configuration Guide. This timer is supported only in Release 6320 and later.

·     User aging timer (user-aging)—Sets the user aging timer for a type of MAC authentication VLAN or VSI.

If you enable user aging for unthenticated MAC authentication user, you can set a user aging timer for MAC authentication critical or guest VLANs or VSIs. The user aging timer for a type of MAC authentication VLAN or VSI determines how long a user can stay in that type of VLAN or VSI.

For more information about how user aging operates, see the usage guidelines for the mac-authentication unauthenticated-user aging enable command.

Do not set the user aging timer for users in MAC authentication guest VLANs or VSIs to a multiple of the authentication interval for them. If you do so, the aging timer will not take effect. The authentication interval for MAC authentication users in a guest VLAN or VSI is configurable with the mac-authentication guest-vlan auth-period command or the mac-authentication guest-vsi auth-period command, respectively.

Examples

# Set the server timeout timer to 150 seconds.

<Sysname> system-view

[Sysname] mac-authentication timer server-timeout 150

Related commands

display mac-authentication

mac-authentication guest-vlan auth-period

mac-authentication guest-vsi auth-period

mac-authentication unauthenticated-user aging enable

port-security port-mode

retry

timer response-timeout (RADIUS scheme view)

mac-authentication unauthenticated-user aging enable

Use mac-authentication unauthenticated-user aging enable to enable unauthenticated MAC authentication user aging.

Use undo mac-authentication unauthenticated-user aging enable to disable unauthenticated MAC authentication user aging.

Syntax

mac-authentication unauthenticated-user aging enable

undo mac-authentication unauthenticated-user aging enable

Default

Unauthenticated MAC authentication user aging is enabled.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

Unauthenticated MAC authentication user aging applies to users added to a MAC authentication guest or critical VLAN or VSI because they have not been authenticated or have failed authentication.

When a user in one of those VLANs or VSIs ages out, the device removes the user from the VLAN or VSI and deletes the MAC address entry for the user from the access port.

For users in one of those VLANs or VSIs on one port to be authenticated successfully and come online on another port, enable this feature. In any other scenarios, disable this feature as a best practice.

Examples

# Disable unauthenticated MAC authentication user aging on Ten-GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] undo mac-authentication unauthenticated-user aging enable

Related commands

mac-authentication timer

mac-authentication user-name-format

Use mac-authentication user-name-format to configure the global user account policy for all MAC authentication users.

Use undo mac-authentication user-name-format to restore the default.

Syntax

mac-authentication user-name-format { fixed [ account name ] | mac-address [ { with-hyphen | without-hyphen } [ lowercase | uppercase ] ] } [ password { cipher | simple } string ]

undo mac-authentication user-name-format

Default

The MAC address of each user is used as both the username and password for MAC authentication. The MAC addresses are in hexadecimal notation without hyphens, and letters are in lower case.

Views

System view

Predefined user roles

network-admin

Parameters

fixed: Uses a shared account for all MAC authentication users.

account name: Specifies the username for the shared account. The name is a case-sensitive string of 1 to 55 characters, excluding the at sign (@). If you do not specify a username, the default name mac applies.

mac-address: Uses MAC-based user accounts for MAC authentication users.

with-hyphen: Includes hyphens in a MAC address, for example xx-xx-xx-xx-xx-xx.

without-hyphen: Excludes hyphens from a MAC address, for example, xxxxxxxxxxxx.

lowercase: Specifies letters in lower case.

uppercase: Specifies letters in upper case.

password: Specifies the user password. If you do not specify a password for MAC-based user accounts, the device uses the MAC address of each user in the specified format as the password. If you do not specify a password for the shared account, the shared account does not have a password.

cipher: Specifies a password in encrypted form.

simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.

string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 63 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

Usage guidelines

If you specify the MAC-based user account format, the device uses the MAC address of a user as the username for MAC authentication of the user. This user account type ensures high authentication security. However, you must create on the authentication server a user account for each user, using the MAC address of the user as the username.

If you specify a shared user account, the device uses the specified username and password for MAC authentication of all users. Because all MAC authentication users use a single account for authentication, you only need to create one account on the authentication server. This user account type is suitable for trusted networks.

Examples

# Configure a shared account for MAC authentication users, and set the username to abc and password to plaintext string of xyz.

<Sysname> system-view

[Sysname] mac-authentication user-name-format fixed account abc password simple xyz

# Use the MAC address of each user as both the username and password for MAC authentication. The MAC addresses are in hexadecimal notation with hyphens, and letters are in upper case.

<Sysname> system-view

[Sysname] mac-authentication user-name-format mac-address with-hyphen uppercase

Related commands

display mac-authentication

reset mac-authentication access-user

Use reset mac-authentication access-user to log off MAC authentication users.

Syntax

reset mac-authentication access-user [ interface interface-type interface-number | mac mac-address | username username | vlan vlan-id | vsi vsi-name ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies a port by its type and number.

mac mac-address: Specifies a MAC authentication user by its MAC address. The mac-address argument is in the format of H-H-H.

username username: Specifies a MAC authentication user by its name. The username argument is a case-sensitive string of 1 to 253 characters.

vlan vlan-id: Specifies a VLAN by its VLAN ID. The value range for the vlan-id argument is 1 to 4094.

vsi vsi-name: Specifies a VSI by its name. The vsi-name argument is a case-sensitive string of 1 to 31 characters.

Usage guidelines

Use this command to log off the specified MAC authentication users and clear information about these users from the device. These users must perform MAC authentication to come online again.

If you specify a VSI, this command logs off a MAC authentication user if that user has passed authentication and its authorization VSI is the specified VSI.

If you specify a VLAN, this command logs off MAC authentication users in the specified VLAN. This command logs off the following MAC authentication users:

·     Users that have passed MAC authentication and have been assigned the specified VLAN as their authorization VLAN by the server.

·     Users that stay in the specified VLAN after they have passed MAC authentication, because they have not been assigned an authorization VLAN yet.

·     Users that are performing MAC authentication in the specified VLAN.

To identify the VLAN in which a user is staying, use the display mac-address command.

If you do not specify any parameters, the reset mac-authentication access-user command logs off all MAC authentication users on the device.

Examples

# Log off all MAC authentication users on Ten-GigabitEthernet 1/0/1.

<Sysname> reset mac-authentication access-user interface ten-gigabitethernet 1/0/1

Related commands

display mac-authentication connection

reset mac-authentication critical vlan

Use reset mac-authentication critical vlan to remove users from the MAC authentication critical VLAN on a port.

Syntax

reset mac-authentication critical vlan interface interface-type interface-number [ mac-address mac-address ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies a port by its type and number.

mac-address mac-address: Specifies a user by its MAC address. If you do not specify this option, the command removes all users from the MAC authentication critical VLAN on the port.

Examples

# Remove the user with MAC address 1-1-1 from the MAC authentication critical VLAN on Ten-GigabitEthernet 1/0/1.

<Sysname> reset mac-authentication critical vlan interface ten-gigabitethernet 1/0/1 mac-address 1-1-1

Related commands

display mac-authentication

mac-authentication critical vlan

reset mac-authentication critical vsi

Use reset mac-authentication critical vsi to remove users from the MAC authentication critical VSI on a port.

Syntax

reset mac-authentication critical vsi interface interface-type interface-number [ mac-address mac-address ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies a port by its type and number.

mac-address mac-address: Specifies a user by its MAC address. If you do not specify this option, the command removes all users from the MAC authentication critical VSI on the port.

Examples

# Remove the user with MAC address 1-1-1 from the MAC authentication critical VSI on Ten-GigabitEthernet 1/0/1.

<Sysname> reset mac-authentication critical vsi interface ten-gigabitethernet 1/0/1 mac-address 1-1-1

Related commands

display mac-authentication

mac-authentication critical vsi

reset mac-authentication critical-voice-vlan

Use reset mac-authentication critical-voice-vlan to remove MAC authentication users from the MAC authentication critical voice VLAN on a port.

Syntax

reset mac-authentication critical-voice-vlan interface interface-type interface-number [ mac-address mac-address ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies a port by its type and number.

mac-address mac-address: Specifies a user by its MAC address. If you do not specify this option, the command removes all users from the MAC authentication critical voice VLAN on the port.

Examples

# Remove the user with MAC address 1-1-1 from the MAC authentication critical voice VLAN on Ten-GigabitEthernet 1/0/1.

<Sysname> reset mac-authentication critical-voice-vlan interface ten-gigabitethernet 1/0/1 mac-address 1-1-1

Related commands

display mac-authentication

mac-authentication critical-voice-vlan

reset mac-authentication guest-vlan

Use reset mac-authentication guest-vlan to remove users from the MAC authentication guest VLAN on a port.

Syntax

reset mac-authentication guest-vlan interface interface-type interface-number [ mac-address mac-address ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies a port by its type and number.

mac-address mac-address: Specifies a user by its MAC address. If you do not specify this option, the command removes all users from the MAC authentication guest VLAN on the port.

Examples

# Remove the user with MAC address 1-1-1 from the MAC authentication guest VLAN on Ten-GigabitEthernet 1/0/1.

<Sysname> reset mac-authentication guest-vlan interface ten-gigabitethernet 1/0/1 mac-address 1-1-1

Related commands

display mac-authentication

mac-authentication guest-vlan

reset mac-authentication guest-vsi

Use reset mac-authentication guest-vsi to remove users from the MAC authentication guest VSI on a port.

Syntax

reset mac-authentication guest-vsi interface interface-type interface-number [ mac-address mac-address ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies a port by its type and number.

mac-address mac-address: Specifies a user by its MAC address. If you do not specify this option, the command removes all users from the MAC authentication guest VSI on the port.

Examples

# Remove the user with MAC address 1-1-1 from the MAC authentication guest VSI on Ten-GigabitEthernet 1/0/1.

<Sysname> reset mac-authentication guest-vsi interface ten-gigabitethernet 1/0/1 mac-address 1-1-1

Related commands

display mac-authentication

mac-authentication guest-vsi

reset mac-authentication statistics

Use reset mac-authentication statistics to clear MAC authentication statistics.

Syntax

reset mac-authentication statistics [ interface interface-type interface-number ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command clears both global and port-specific MAC authentication statistics.

Examples

# Clear MAC authentication statistics on Ten-GigabitEthernet 1/0/1.

<Sysname> reset mac-authentication statistics interface ten-gigabitethernet 1/0/1

Related commands

display mac-authentication