13-User Access and Authentication Command Reference


802.1X client commands

The AP models and serial numbers in this document are used only as examples. Support for AP models and serial numbers depends on the AC model.

dot1x supplicant anonymous identify

Use dot1x supplicant anonymous identify to configure an 802.1X client anonymous identifier.

Use undo dot1x supplicant anonymous identify to restore the default.

Syntax

dot1x supplicant anonymous identify identifier

undo dot1x supplicant anonymous identify

Default

No 802.1X client anonymous identifier exists.

Views

AP provision view

Predefined user roles

network-admin

Parameters

identifier: Specifies an 802.1X client anonymous identifier, a case-sensitive string of 1 to 253 characters.

Usage guidelines

At the first authentication phase, packets sent to the authenticator are not encrypted. The use of an 802.1X client anonymous identifier prevents the 802.1X client username from being disclosed at the first phase. The 802.1X client-enabled device sends the anonymous identifier to the authenticator instead of the 802.1X client username. The 802.1X client username will be sent to the authenticator in encrypted packets at the second phase.

If no 802.1X client anonymous identifier is configured, the device sends the 802.1X client username in the first phase.

The configured 802.1X client anonymous identifier takes effect only if one of the following EAP authentication methods is used:

· PEAP-MSCHAPv2.
· PEAP-GTC.
· TTLS-MSCHAPv2.
· TTLS-GTC.

If the MD5-Challenge EAP authentication is used, the configured 802.1X client anonymous identifier does not take effect. The device uses the 802.1X client username at the first authentication phase.

Do not configure the 802.1X client anonymous identifier if the vendor-specific authentication server cannot identify anonymous identifiers.

Examples

# Configure the 802.1X client anonymous identifier as bbb for an AP.

<Sysname> system-view

[Sysname] wlan ap ap1

[Sysname-wlan-ap-ap1] provision

[Sysname-wlan-ap-ap1-prvs] dot1x supplicant anonymous identify bbb
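The following Python sketch is an added example, not H3C code: it applies the usage guidelines above, together with the MD5-Challenge default of dot1x supplicant eap-method, to work out which identity an AP sends unencrypted in the first phase. The configuration layout, the function names, and the sample values are assumptions; ap1 mirrors the CLI example above, which sets no EAP method.

```python
TUNNELED = {"peap-mschapv2", "peap-gtc", "ttls-mschapv2", "ttls-gtc"}

def parse_provision(config_text):
    """Collect 'dot1x supplicant' settings per AP (assumed one command per line)."""
    aps, ap = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("wlan ap "):
            ap = line.split()[2]
            aps[ap] = {"enable": False, "eap-method": "md5",  # documented default
                       "username": None, "anonymous": None}
        elif ap and line.startswith("dot1x supplicant "):
            words = line.split()[2:]
            if words == ["enable"]:
                aps[ap]["enable"] = True
            elif words[0] == "anonymous" and len(words) == 3:
                aps[ap]["anonymous"] = words[2]
            elif words[0] in ("eap-method", "username") and len(words) == 2:
                aps[ap][words[0]] = words[1]
    return aps

def first_phase_identity(s):
    """Return (identity sent unencrypted in phase one, finding or None)."""
    if s["eap-method"] not in TUNNELED:
        ignored = "; anonymous identifier ignored" if s["anonymous"] else ""
        return s["username"], f"username exposed: {s['eap-method']}{ignored}"
    if s["anonymous"] is None:
        return s["username"], "username exposed: no anonymous identifier set"
    return s["anonymous"], None

def audit(config_text):
    return {ap: first_phase_identity(s)
            for ap, s in parse_provision(config_text).items() if s["enable"]}

# Constructed sample configuration (AP names and values are made up).
SAMPLE = """
wlan ap ap1
 provision
  dot1x supplicant enable
  dot1x supplicant username aaa
  dot1x supplicant anonymous identify bbb
wlan ap ap2
 provision
  dot1x supplicant enable
  dot1x supplicant eap-method peap-mschapv2
  dot1x supplicant username aaa
  dot1x supplicant anonymous identify bbb
"""
if __name__ == "__main__":
    print(audit(SAMPLE))
```

For ap1 the anonymous identifier is configured but has no effect, because the EAP method is still the MD5-Challenge default.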

Related commands

dot1x supplicant enable

dot1x supplicant username

dot1x supplicant eap-method

Use dot1x supplicant eap-method to specify an 802.1X client EAP authentication method.

Use undo dot1x supplicant eap-method to restore the default.

Syntax

dot1x supplicant eap-method { md5 | peap-gtc | peap-mschapv2 | ttls-gtc | ttls-mschapv2 }

undo dot1x supplicant eap-method

Default

The MD5-Challenge authentication is used as the 802.1X client EAP authentication method.

Views

AP provision view

Predefined user roles

network-admin

Parameters

md5: Specifies the MD5-challenge EAP authentication method.

peap-gtc: Specifies the PEAP-GTC EAP authentication method.

peap-mschapv2: Specifies the PEAP-MSCHAPv2 EAP authentication method.

ttls-gtc: Specifies the TTLS-GTC EAP authentication method.

ttls-mschapv2: Specifies the TTLS-MSCHAPv2 EAP authentication method.

Usage guidelines

Make sure the specified 802.1X client EAP authentication method is supported by the authentication server.

Examples

# Specify PEAP-GTC as the 802.1X client EAP authentication method for an AP.

<Sysname> system-view

[Sysname] wlan ap ap1

[Sysname-wlan-ap-ap1] provision

[Sysname-wlan-ap-ap1-prvs] dot1x supplicant eap-method peap-gtc

Related commands

dot1x supplicant enable

dot1x supplicant enable

Use dot1x supplicant enable to enable the 802.1X client feature.

Use undo dot1x supplicant enable to disable the 802.1X client feature.

Syntax

dot1x supplicant enable

undo dot1x supplicant enable

Default

The 802.1X client feature is disabled.

Views

AP provision view

Predefined user roles

network-admin

Usage guidelines

Make sure you have configured 802.1X authentication on the authenticator before you use this command.

If the 802.1X client-enabled device is an AP that has online clients, disabling the 802.1X client feature will log off all the online clients.

Examples

# Enable the 802.1X client feature for an AP.

<Sysname> system-view

[Sysname] wlan ap ap1

[Sysname-wlan-ap-ap1] provision

[Sysname-wlan-ap-ap1-prvs] dot1x supplicant enable

dot1x supplicant password

Use dot1x supplicant password to set an 802.1X client password.

Use undo dot1x supplicant password to restore the default.

Syntax

dot1x supplicant password { cipher | simple } string

undo dot1x supplicant password

Default

No 802.1X client password exists.

Views

AP provision view

Predefined user roles

network-admin

Parameters

cipher: Specifies a password in encrypted form.

simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.

string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 127 characters. Its encrypted form is a case-sensitive string of 1 to 201 characters.

Examples

# Set the 802.1X client password to 123456 in plaintext form for an AP.

<Sysname> system-view

[Sysname] wlan ap ap1

[Sysname-wlan-ap-ap1] provision

[Sysname-wlan-ap-ap1-prvs] dot1x supplicant password simple 123456

Related commands

dot1x supplicant enable

dot1x supplicant username

Use dot1x supplicant username to configure an 802.1X client username.

Use undo dot1x supplicant username to restore the default.

Syntax

dot1x supplicant username username

undo dot1x supplicant username

Default

No 802.1X client username exists.

Views

AP provision view

Predefined user roles

network-admin

Parameters

username: Specifies the 802.1X client username, a case-sensitive string of 1 to 253 characters.

Usage guidelines

802.1X client usernames can include domain names. The supported domain name delimiters include the at sign (@), backslash (\), dot (.), and forward slash (/). Usernames that include domain names can use the format of username@domain-name, domain-name\username, username.domain-name, or username/domain-name.

If you want to use backslash (\) as the domain name delimiter, you must enter the escape character (\) along with the backslash (\) sign.

If a username string includes multiple configured delimiters, the device takes the rightmost delimiter in the username string as the domain name delimiter. For more information about the domain name delimiters, see the dot1x domain-delimiter command in "802.1X commands."

Examples

# Configure the 802.1X client username as aaa for an AP.

<Sysname> system-view

[Sysname] wlan ap ap1

[Sysname-wlan-ap-ap1] provision

[Sysname-wlan-ap-ap1-prvs] dot1x supplicant username aaa
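The following Python sketch is an added example, not H3C code: it models the rightmost-delimiter rule and the four username formats from the usage guidelines above, so a username can be checked before it is provisioned. The function names and sample usernames are assumptions, and the delimiters argument stands for whatever set dot1x domain-delimiter has configured.

```python
def split_domain(username, delimiters):
    """Split at the rightmost configured delimiter.

    Returns (user, domain, delimiter); domain and delimiter are None when
    no configured delimiter occurs in the string.
    """
    pos = max(username.rfind(d) for d in delimiters)
    if pos < 0:
        return username, None, None
    delim = username[pos]
    left, right = username[:pos], username[pos + 1:]
    # domain-name\username puts the domain on the left; the other three
    # formats (user@domain, user.domain, user/domain) put it on the right.
    return (right, left, delim) if delim == "\\" else (left, right, delim)

def review(username, delimiters):
    """Summarise how a username would be split and how to type it on the CLI."""
    user, domain, delim = split_domain(username, delimiters)
    hits = sum(c in delimiters for c in username)
    return {
        "user": user,
        "domain": domain,
        "delimiter": delim,
        # More than one delimiter occurrence: the rightmost one wins, which
        # may not be the split the administrator intended.
        "ambiguous": hits > 1,
        # A literal backslash must be entered with the escape character.
        "cli": "dot1x supplicant username " + username.replace("\\", "\\\\"),
    }

if __name__ == "__main__":
    # Constructed usernames; "@." and "@\\" are example delimiter sets.
    for name, delims in [("alice@example.com", "@"),
                         ("alice@example.com", "@."),
                         ("CORP\\alice", "@\\")]:
        print(repr(delims), review(name, delims))
```

With both @ and . configured, alice@example.com splits at the last dot, giving the domain com rather than example.com.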

Related commands

dot1x domain-delimiter

dot1x supplicant enable
