09-Security Command Reference

HomeSupportResource CenterSwitchesH3C S6300 Switch SeriesH3C S6300 Switch SeriesTechnical DocumentsCommandCommand ReferencesH3C S6300 Switch Series Command References-Release 243x-6W10009-Security Command Reference
03-MAC authentication commands
Title Size Download
03-MAC authentication commands 131.93 KB

MAC authentication commands

display mac-authentication

Use display mac-authentication to display MAC authentication settings and statistics. The output includes the global settings, port-specific settings, MAC authentication statistics, and online user statistics.

Syntax

display mac-authentication [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command displays all global and port-specific MAC authentication information.

Examples

# Display all MAC authentication settings and statistics.

<Sysname> display mac-authentication

Global MAC authentication parameters:

   MAC authentication     : Enabled

   User name format       : MAC address in lowercase(xxxxxxxxxxxx)

           Username       : mac

           Password       : Not configured

   Offline detect period  : 300 s

   Quiet period           : 60 s

   Server timeout         : 100 s

   Reauth period          : 3600 s

   Authentication domain  : Not configured, use default domain

 Max MAC-auth users       : 4294967295 per slot

 Online MAC-auth users    : 0

 

 Silent MAC users:

          MAC address       VLAN ID  From port               Port index

 

 Ten-GigabitEthernet1/0/1  is link-up

   MAC authentication         : Enabled

   Carry User-IP              : Enabled

   Authentication domain      : Not configured

   Auth-delay timer           : Disabled

   Periodic reauth            : Disabled

   Re-auth server-unreachable : Logoff

   Guest VLAN                 : Not configured

   Guest VLAN auth-period     : 30 s

   Critical VLAN              : Not configured

   Critical voice VLAN        : Disabled

   Host mode                  : Single VLAN

   Offline detection          : Enabled

   Authentication order       : Default

 

   Max online users           : 4294967295

   Authentication attempts    : successful 0, failed 0

   Current online users       : 0

          MAC address       Auth state

 

Table 1 Command output

Field

Description

MAC authentication

Whether MAC authentication is enabled globally.

Username format

User account type: MAC-based or shared.

·     If MAC-based accounts are used, this field displays the format settings for the username. For example, MAC address in lowercase(xxxxxxxxxxxx) indicates that the MAC address is in the hexadecimal notation without hyphens, and letters are in lower case.

·     If a shared account is used, this field displays Fixed account.

Username

Username for MAC authentication.

·     If MAC-based accounts are used, this field displays mac. The device uses the MAC address of each user as the username and password for MAC authentication.

·     If a shared account is used, this field displays the username of the shared account for MAC authentication users. By default, the username is mac.

Password

Password for MAC authentication.

·     If MAC-based accounts are used or if a shared account is used but no password is configured, this field displays Not configured.

·     If a shared account is used and a password is configured, this field displays a string of asterisks (******).

Offline detect period

Offline detect timer.

Quiet period

Quiet timer.

Server timeout

Server timeout timer.

Reauth period

Periodic MAC reauthentication timer in seconds.

Authentication domain

MAC authentication domain specified in system view.

If no authentication domain is specified in system view, this field displays Not configured, use default domain.

Max MAC-auth users

Maximum number of MAC authentication users each device supports.

Online MAC-auth users

Number of online MAC authentication users.

Silent MAC users

Information about silent MAC addresses.

MAC address

Silent MAC address.

VLAN ID

ID of the VLAN to which the silent MAC address belongs.

From port

Name of the port that marks the MAC address as a silent MAC address.

Port index

Index of the port that marks the MAC address as a silent MAC address.

Ten-GigabitEthernet1/0/1 is link-up

Status of the link on port Ten-GigabitEthernet 1/0/1. In this example, the link is up.

MAC authentication

Whether MAC authentication is enabled on the port.

Carry User-IP

Whether user IP addresses are included in MAC authentication requests.

Authentication domain

MAC authentication domain specified for the port.

Auth-delay timer

Status of MAC authentication delay:

·     Enabled.

·     Disabled.

Auth-delay period

MAC authentication delay timer.

Periodic reauth

Status of periodic MAC reauthentication:

·     Enabled.

·     Disabled.

Reauth period

Port-specific periodic MAC reauthentication timer in seconds.

Re-auth server-unreachable

Whether to log off online users or keep them online when no server is reachable for MAC reauthentication.

Guest VLAN

MAC authentication guest VLAN configured on the port.

If no MAC authentication guest VLAN is configured, this field displays Not configured.

Guest VLAN auth-period

Authentication interval for users in the MAC authentication guest VLAN on the port.

Critical VLAN

MAC authentication critical VLAN configured on the port.

If no MAC authentication critical VLAN is configured, this field displays Not configured.

Critical voice VLAN

Whether the MAC authentication critical voice VLAN is enabled on the port.

Host mode

If multi-VLAN mode is disabled, this field displays Single VLAN.

If multi-VLAN mode is enabled, this field displays Multiple VLAN.

Offline detection

Status of MAC authentication offline detection:

·     Enabled.

·     Disabled.

Authentication order

If parallel processing of MAC authentication and 802.1X authentication is disabled, this field displays Default.

If parallel processing of MAC authentication and 802.1X authentication is enabled, this field displays Parallel.

Max online users

Maximum number of concurrent online users allowed on the port.

Authentication attempts: successful 1, failed 0

MAC authentication statistics, including the number of successful and unsuccessful authentication attempts.

MAC address

MAC address of the online user.

Auth state

User status:

·     Authenticated—The user has passed MAC authentication.

·     Unauthenticated—The user failed MAC authentication.

 

display mac-authentication connection

Use display mac-authentication connection to display information about online MAC authentication users.

Syntax

display mac-authentication connection [ interface interface-type interface-number | slot slot-number | user-mac mac-address | user-name user-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command displays information about the online MAC authentication users on all ports.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify this option, the command displays the online MAC authentication users on all member devices.

user-mac mac-address: Specifies an online MAC authentication user by its MAC address. The mac-address argument represents the MAC address of the user, in the form of H-H-H.

user-name user-name: Specifies an online MAC authentication user by its username. The user name is a case-sensitive string of 1 to 55 characters, and it can include the domain name.

Examples

# Display information about all online MAC authentication users.

<Sysname> display mac-authentication connection

Slot ID: 1

User MAC address: 0015-e9a6-7cfe

Access interface: Ten-GigabitEthernet1/0/1

Username: ias

Authentication domain: aaa

Initial VLAN: 1

Authorization untagged VLAN: 100

Authorization tagged VLAN: N/A

Authorization ACL ID: 3001

Authorization user profile: N/A

Termination action: Radius-request

Session timeout period: 2 s

Online from: 2013/03/02  13:14:15

Online duration: 0h 2m 15s

 

Total 1 connection(s) matched.

Table 2 Command output

Field

Description

Slot ID

Member ID of a device.

User MAC address

MAC address of the user.

Access interface

Interface through which the user accesses the device.

Authentication domain

MAC authentication domain to which the user belongs.

Initial VLAN

VLAN that holds the user before MAC authentication.

Authorization untagged VLAN

Untagged VLAN authorized to the user.

Authorization tagged VLAN

Tagged VLAN authorized to the user.

Authorization ACL ID

ACL authorized to the user.

Authorization user profile

User profile authorized to the user.

Termination action

Action attribute assigned by the server when the session timeout timer expires.

The following server-assigned action attributes are available:

·     Default—Logs off the online authenticated user when the session timeout timer expires. This attribute does not take effect when periodic MAC reauthentication is enabled and the periodic reauthentication timer is shorter than the session timeout timer.

·     Radius-request—Reauthenticates the online user when the session timeout timer expires, regardless of whether the periodic MAC reauthentication feature is enabled or not.

If the device performs local authentication, this field displays N/A.

Session timeout period

Session timeout timer assigned by the server.

If the device performs local authentication, this field displays N/A.

Online from

Time from which the MAC authentication user came online.

Online duration

Online duration of the MAC authentication user.

Total 1 connection(s) matched

Total number of online MAC authentication users.

 

mac-authentication

Use mac-authentication to enable MAC authentication globally or on a port.

Use undo mac-authentication to disable MAC authentication globally or on a port.

Syntax

mac-authentication

undo mac-authentication

Default

MAC authentication is not enabled globally or on any port.

Views

System view, Layer 2 Ethernet interface view

Predefined user roles

network-admin

Usage guidelines

To use MAC authentication on a port, you must enable the feature both globally and on the port.

Examples

# Enable MAC authentication globally.

<Sysname> system-view

[Sysname] mac-authentication

# Enable MAC authentication on port Ten-GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] mac-authentication

Related commands

display mac-authentication

mac-authentication carry user-ip

Use mac-authentication carry user-ip to include user IP addresses in MAC authentication requests sent to an IMC server.

Use undo mac-authentication carry user-ip to restore the default.

Syntax

mac-authentication carry user-ip

undo mac-authentication carry user-ip

Default

A MAC authentication request does not include the user IP address.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Usage guidelines

This command solves the IP conflict issue which might be caused by users' IP address modification. After you configure this command, users cannot pass MAC authentication if the IP and MAC information in the authentication requests do not match the users' IP-MAC mappings on the IMC server.

The IMC server selects the IP-MAC combination for a MAC authentication user to match in the following order:

1.     The IP and MAC addresses in the IMC platform user account associated with the MAC authentication user.

2.     The IP and MAC addresses that are included in the authentication request. If the server does not have an authenticated IP-MAC record for the user, it determines that the IP-MAC combination of the user is valid. The server will record the IP-MAC combination of the user. If the user IP address is changed at the next authentication, the user cannot pass authentication.

This command takes effect only on MAC authentication users that use static IP addresses. Users that obtain IP addresses through DHCP are not affected.

Do not configure this command together with the mac-authentication guest-vlan command on a port. If both commands are configured, users in the MAC authentication guest VLAN cannot perform a new round of authentication.

Examples

# Include user IP addresses in MAC authentication requests on Ten-GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] mac-authentication carry user-ip

Related commands

mac-authentication

mac-authentication critical vlan

Use mac-authentication critical vlan to specify the MAC authentication critical VLAN on a port.

Use undo mac-authentication critical vlan to restore the default.

Syntax

mac-authentication critical vlan critical-vlan-id

undo mac-authentication critical vlan

Default

No MAC authentication critical VLAN is specified on a port.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

critical-vlan-id: Specifies a VLAN as the MAC authentication critical VLAN. The value range for the VLAN ID is 1 to 4094. Make sure the VLAN has been created.

Usage guidelines

The MAC authentication critical VLAN accommodates users that fail MAC authentication because all the servers in their ISP domains are unreachable. Users in this critical VLAN can access a limited set of network resources.

The critical VLAN feature takes effect when MAC authentication is performed only through RADIUS servers. If a MAC authentication user fails local authentication after RADIUS authentication, the user is not assigned to the critical VLAN.

Before you delete a VLAN that has been set as a MAC authentication critical VLAN, use the undo mac-authentication critical vlan command to remove the critical VLAN configuration.

Examples

# Configure VLAN 100 as the MAC authentication critical VLAN on Ten-GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] mac-authentication critical vlan 100

Related commands

display mac-authentication

reset mac-authentication critical-vlan

mac-authentication critical-voice-vlan

Use mac-authentication critical-voice-vlan to enable the MAC authentication critical voice VLAN on a port.

Use undo mac-authentication critical-voice-vlan to restore the default.

Syntax

mac-authentication critical-voice-vlan

undo mac-authentication critical-voice-vlan

Default

The MAC authentication critical voice VLAN is disabled on a port.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Usage guidelines

The MAC authentication critical voice VLAN on a port accommodates MAC authentication voice users that have failed authentication because none of the RADIUS servers in their ISP domain are reachable.

Before you enable the MAC authentication critical voice VLAN on the port, make sure the following requirements are met:

·     The port is configured with the voice VLAN.

To configure a voice VLAN on a port, use the voice-vlan enable command (see Layer 2—LAN Switching Command Reference).

·     LLDP is enabled both globally and on the port.

The device uses LLDP to identify voice users. For information about LLDP commands, see Layer 2—LAN Switching Command Reference.

Examples

# Enable the MAC authentication critical voice VLAN on Ten-GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] mac-authentication critical-voice-vlan

Related commands

display mac-authentication

lldp enable (Layer 2—LAN Switching Command Reference)

lldp global enable (Layer 2—LAN Switching Command Reference)

reset mac-authentication critical-voice-vlan

voice-vlan enable (Layer 2—LAN Switching Command Reference)

mac-authentication domain

Use mac-authentication domain to specify a global or port-specific authentication domain.

Use undo mac-authentication domain to restore the default.

Syntax

mac-authentication domain domain-name

undo mac-authentication domain

Default

No authentication domain is specified for MAC authentication users. The system default authentication domain is used. For more information about the default authentication domain, see the domain default enable command in "AAA commands."

Views

System view, Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

domain-name: Specifies the name of an ISP domain, a case-insensitive string of 1 to 24 characters.

Usage guidelines

The global authentication domain applies to all MAC authentication-enabled ports. A port-specific authentication domain applies only to the port. You can specify different authentication domains on different ports.

A port chooses an authentication domain for MAC authentication users in the following order:

1.     Authentication domain specified on the port.

2.     Global authentication domain specified in system view.

3.     Default authentication domain.

Examples

# Specify domain domain1 as the global MAC authentication domain.

<Sysname> system-view

[Sysname] mac-authentication domain domain1

# Specify domain aabbcc as the MAC authentication domain on port Ten-GigabitEthernet 1/0/1.

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] mac-authentication domain aabbcc

Related commands

display mac-authentication

domain default enable

mac-authentication guest-vlan

Use mac-authentication guest-vlan to specify the MAC authentication guest VLAN on a port.

Use undo mac-authentication guest-vlan to restore the default.

Syntax

mac-authentication guest-vlan guest-vlan-id

undo mac-authentication guest-vlan

Default

No MAC authentication guest VLAN is specified on a port.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

guest-vlan-id: Specifies a VLAN as the MAC authentication guest VLAN. The value range for the VLAN ID is 1 to 4094. Make sure the VLAN has been created.

Usage guidelines

The MAC authentication guest VLAN accommodates MAC authentication users that have failed MAC authentication on the port. Users in the VLAN can access a limited set of network resources, such as a software server, to download antivirus software and system patches. If no MAC authentication guest VLAN is configured, the user that fails MAC authentication cannot access any network resources.

Before you delete a VLAN that has been set as a MAC authentication guest VLAN, use the undo mac-authentication guest-vlan command to remove the guest VLAN configuration.

Examples

# Configure VLAN 100 as the MAC authentication guest VLAN on port Ten-GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] mac-authentication guest-vlan 100

Related commands

display mac-authentication

reset mac-authentication guest-vlan

mac-authentication guest-vlan auth-period

Use mac-authentication guest-vlan auth-period to set the interval at which the device authenticates users in the MAC authentication guest VLAN.

Use undo mac-authentication guest-vlan auth-period to restore the default.

Syntax

mac-authentication guest-vlan auth-period period-value

undo mac-authentication guest-vlan auth-period

Default

The device authenticates users in the MAC authentication guest VLAN every 30 seconds.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

period-value: Specifies the authentication interval for users in the MAC authentication guest VLAN. The value range is 1 to 3600, in seconds.

Examples

# Set the authentication interval to 150 seconds for users in the MAC authentication guest VLAN on Ten-GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-Gigabitethernet1/0/1] mac-authentication guest-vlan auth-period 150

Related commands

display mac-authentication

mac-authentication guest-vlan

mac-authentication host-mode

Use mac-authentication host-mode multi-vlan to enable MAC authentication multi-VLAN mode on a port.

Use undo mac-authentication host-mode to restore the default.

Syntax

mac-authentication host-mode multi-vlan

undo mac-authentication host-mode

Default

MAC authentication multi-VLAN mode is disabled on a port. When the port receives a packet sourced from an authenticated MAC address in a VLAN not matching the existing MAC-VLAN mapping, the device logs off and reauthenticates the user.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Usage guidelines

The MAC authentication multi-VLAN mode prevents an authenticated online user from service interruption caused by VLAN changes on a port. When the port receives a packet sourced from the user in a VLAN not matching the existing MAC-VLAN mapping, the device neither logs off the user nor reauthenticates the user. The device creates a new MAC-VLAN mapping for the user, and traffic transmission is not interrupted. The original MAC-VLAN mapping for the user remains on the device until it dynamically ages out. As a best practice, configure this feature on hybrid or trunk ports.

This feature improves transmission of data that is vulnerable to delay and interference. It is typically applicable to IP phone users.

Examples

# Enable MAC authentication multi-VLAN mode on Ten-GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] mac-authentication host-mode multi-vlan

Related commands

display mac-authentication

mac-authentication max-user

Use mac-authentication max-user to set the maximum number of concurrent MAC authentication users on a port.

Use undo mac-authentication max-user to restore the default.

Syntax

mac-authentication max-user user-number

undo mac-authentication max-user

Default

The maximum number of concurrent MAC authentication users on a port is 4294967295.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

user-number: Sets the maximum number of concurrent MAC authentication users on the port. The value range for this argument is 1 to 4294967295.

Examples

# Configure port Ten-GigabitEthernet 1/0/1 to support a maximum of 32 concurrent MAC authentication users.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] mac-authentication max-user 32

Related commands

display mac-authentication

mac-authentication offline-detect enable

Use mac-authentication offline-detect enable to enable MAC authentication offline detection on a port.

Use undo mac-authentication offline-detect enable to disable MAC authentication offline detection on a port.

Syntax

mac-authentication offline-detect enable

undo mac-authentication offline-detect enable

Default

MAC authentication offline detection is enabled on a port.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Examples

# Disable MAC authentication offline detection on Ten-GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] undo mac-authentication offline-detect enable

Related commands

mac-authentication timer

mac-authentication parallel-with-dot1x

Use mac-authentication parallel-with-dot1x to enable parallel processing of MAC authentication and 802.1X authentication on a port.

Use undo mac-authentication parallel-with-dot1x to restore the default.

Syntax

mac-authentication parallel-with-dot1x

undo mac-authentication parallel-with-dot1x

Default

Parallel processing of MAC authentication and 802.1X authentication is disabled on a port.

Views

Ethernet interface view

Predefined user roles

network-admin

Usage guidelines

When you configure this command on a port, follow these restrictions and guidelines:

·     Make sure the port meets the following requirements:

¡     The port is configured with both 802.1X authentication and MAC authentication and performs MAC-based access control for 802.1X authentication.

¡     The port is enabled with the 802.1X unicast trigger.

·     For the port to perform MAC authentication before it is assigned to the 802.1X guest VLAN, use the dot1x guest-vlan-delay new-mac command to delay assigning the port to the 802.1X guest VLAN.

For information about the dot1x guest-vlan-delay new-mac command, see "802.1X commands."

·     Do not enable MAC authentication delay on the port. This operation will delay MAC authentication after 802.1X authentication is triggered.

·     To configure both 802.1X authentication and MAC authentication on the port, use one of the following methods:

¡     Enable the 802.1X and MAC authentication features separately on the port.

¡     Enable port security on the port. The port security mode must be userlogin-secure-or-mac or userlogin-secure-or-mac-ext.

For information about port security mode configuration, see port security in Security Configuration Guide.

Examples

# Enable parallel processing of MAC authentication and 802.1X authentication on Ten-GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] mac-authentication parallel-with-dot1x

Related commands

display mac-authentication

mac-authentication re-authenticate

Use mac-authentication re-authenticate to enable the periodic MAC reauthentication feature on a port.

Use undo mac-authentication re-authenticate to disable the periodic MAC reauthentication feature on a port.

Syntax

mac-authentication re-authenticate

undo mac-authentication re-authenticate

Default

The periodic MAC reauthentication feature is disabled on a port.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Usage guidelines

Periodic MAC reauthentication enables the access device to periodically authenticate online MAC authentication users on a port. This feature tracks the connection status of online users and updates the authorization attributes assigned by the server, such as the ACL and VLAN.

To set the periodic reauthentication timer, use the mac-authentication timer reauth-period command in system view or in Ethernet interface view.

Examples

# Enable the periodic MAC reauthentication feature on Ten-GigabitEthernet 1/0/1 and set the global periodic reauthentication timer to 1800 seconds.

<Sysname> system-view

[Sysname] mac-authentication timer reauth-period 1800

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] mac-authentication re-authenticate

mac-authentication re-authenticate server-unreachable keep-online

Use mac-authentication re-authenticate server-unreachable keep-online to enable the keep-online feature on a port. This feature keeps authenticated MAC authentication users online when no server is reachable for MAC reauthentication.

Use undo mac-authentication re-authenticate server-unreachable to restore the default.

Syntax

mac-authentication re-authenticate server-unreachable keep-online

undo mac-authentication re-authenticate server-unreachable

Default

The keep-online feature is disabled on a port. The device logs off online MAC authentication users if no server is reachable for MAC reauthentication.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Examples

# Enable the keep-online feature for authenticated MAC authentication users on Ten-GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] mac-authentication re-authenticate server-unreachable keep-online

Related commands

display mac-authentication

mac-authentication timer

Use mac-authentication timer to set the MAC authentication timers.

Use undo mac-authentication timer to restore the defaults.

Syntax

mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | reauth-period reauth-period-value | server-timeout server-timeout-value }

undo mac-authentication timer { offline-detect | quiet | reauth-period | server-timeout }

Default

The following MAC authentication timers apply:

·     The offline detect timer is 300 seconds.

·     The quiet timer is 60 seconds.

·     The global periodic MAC reauthentication timer is 3600 seconds.

·     The server timeout timer is 100 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

offline-detect offline-detect-value: Specifies the offline detect timer in the range of 60 to 2147483647, in seconds.

quiet quiet-value: Specifies the quiet timer in the range of 1 to 3600, in seconds.

reauth-period reauth-period-value: Specifies the global periodic MAC reauthentication timer in the range of 60 to 7200, in seconds.

server-timeout server-timeout-value: Specifies the server timeout timer in the range of 100 to 300, in seconds.

Usage guidelines

MAC authentication uses the following timers:

·     Offline detect timer—Sets the interval that the device waits for traffic from a user before the device regards the user as idle. Whether the device logs off the user and requests to stop accounting for the user after the timer expires, depending on the status of the offline detection feature.

After you set the offline detect timer, assign the same value to the MAC address aging timer by using the mac-address timer command. This operation prevents a MAC authenticated user from being offline within the offline detect timer due to MAC address entry expiration.

·     Quiet timer—Sets the interval that the device must wait before the device can perform MAC authentication for a user that has failed MAC authentication. All packets from the MAC address are dropped during the quiet time. This quiet mechanism prevents repeated authentication from affecting system performance.

·     Global periodic MAC reauthentication timerSets the interval at which the device reauthenticates online MAC authentication users on a port if the port is enabled with periodic MAC reauthentication. A change to the global periodic reauthentication timer applies to online users only after the old timer expires. The device selects a periodic reauthentication timer for MAC reauthentication in the following order:

a.     Server-assigned reauthentication timer.

b.     Port-specific reauthentication timer.

c.     Global reauthentication timer.

d.     Default reauthentication timer.

·     Server timeout timer—Sets the interval that the device waits for a response from a RADIUS server before the device regards the RADIUS server unavailable. If the timer expires during MAC authentication, the user cannot access the network.

Examples

# Set the server timeout timer to 150 seconds.

<Sysname> system-view

[Sysname] mac-authentication timer server-timeout 150

Related commands

display mac-authentication

mac-authentication timer auth-delay

Use mac-authentication timer auth-delay to enable MAC authentication delay and set the delay time.

Use undo mac-authentication timer auth-delay to restore the default.

Syntax

mac-authentication timer auth-delay time

undo mac-authentication timer auth-delay

Default

MAC authentication delay is disabled.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

time: Sets the delay time for MAC authentication in seconds. The value range is 1 to 180.

Usage guidelines

When both 802.1X authentication and MAC authentication are enabled on a port, you can delay MAC authentication so that 802.1X authentication is preferentially triggered. If no 802.1X authentication is triggered or if 802.1X authentication fails within the delay period, the port continues to process MAC authentication.

Do not set the port security mode to mac-else-userlogin-secure or mac-else-userlogin-secure-ext when you want to use MAC authentication delay. The delay does not take effect on a port in either of the two modes. For more information about port security modes, see "Port security commands."

Examples

# Enable MAC authentication delay on interface Ten-GigabitEthernet 1/0/1 and set the delay time to 10 seconds.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] mac-authentication timer auth-delay 10

Related commands

display mac-authentication

port-security port-mode

mac-authentication timer reauth-period

Use mac-authentication timer reauth-period to set the port-specific periodic MAC reauthentication timer.

Use undo mac-authentication timer reauth-period to restore the default.

Syntax

mac-authentication timer reauth-period reauth-period-value

undo mac-authentication timer reauth-period

Default

No port-specific periodic MAC reauthentication timer is set for MAC reauthentication.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

reauth-period-value: Specifies the port-specific periodic MAC reauthentication timer in seconds. The value range is 60 to 7200.

Usage guidelines

The device reauthenticates online MAC authentication users on a port at the specified periodic reauthentication interval if the port is enabled with periodic MAC reauthentication. To enable periodic MAC reauthentication on a port, use the mac-authentication re-authenticate command.

A change to the port-specific periodic reauthentication timer applies to online users only after the old timer expires.

The device selects a periodic reauthentication timer for MAC reauthentication in the following order:

1.     Server-assigned reauthentication timer.

2.     Port-specific reauthentication timer.

3.     Global reauthentication timer.

4.     Default reauthentication timer.

Examples

# Set the periodic MAC reauthentication timer to 90 seconds on Ten-GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] mac-authentication timer reauth-period 90

Related commands

display mac-authentication

mac-authentication user-name-format

Use mac-authentication user-name-format to configure the type of user accounts for MAC authentication users.

Use undo mac-authentication user-name-format to restore the default.

Syntax

mac-authentication user-name-format { fixed [ account name ] [ password { cipher | simple } password ] | mac-address [ { with-hyphen | without-hyphen } [ lowercase | uppercase ] ] }

undo mac-authentication user-name-format

Default

Each user's MAC address is used as the username and password for MAC authentication. A MAC address is in the hexadecimal notation without hyphens, and letters are in lower case.

Views

System view

Predefined user roles

network-admin

Parameters

fixed: Uses a shared account for all MAC authentication users.

account name: Specifies the username for the shared account. The name takes a case-sensitive string of 1 to 55 characters, excluding the at sign (@). If you do not specify a username, the default name mac applies.

password: Specifies the password for the shared user account:

cipher: Sets a ciphertext password.

simple: Sets a plaintext password.

password: Specifies the password. This argument is case sensitive.

·     If the simple keyword is specified, the password must be a string of 1 to 117 characters.

·     If the cipher keyword is specified, the password must be a ciphertext string of 1 to 88 characters.

mac-address: Uses MAC-based user accounts for MAC authentication users. You can also specify the format of username and password by using the following keywords:

·     with-hyphen: Includes hyphens in the MAC address, for example xx-xx-xx-xx-xx-xx.

·     without-hyphen: Excludes hyphens from the MAC address, for example, xxxxxxxxxxxx.

·     lowercase: Enters letters in lower case.

·     uppercase: Enters letters in upper case.

Usage guidelines

If you specify the MAC-based user account, the device uses the MAC address of a user as the username and password for MAC authentication of the user. This user account type ensures high authentication security. However, you must create on the authentication server a user account for each user, using the MAC address of the user as both the username and password.

If you specify a shared user account, the device uses the specified username and password for MAC authentication of all users. Because all MAC authentication users use a single account for authentication, you only need to create one account on the authentication server. This user account type is suitable for trusted networks.

For security purposes, all passwords, including passwords configured in plain text, are saved in cipher text.

Examples

# Configure a shared account for MAC authentication users, set the username as abc and password as plaintext string of xyz.

<Sysname> system-view

[Sysname] mac-authentication user-name-format fixed account abc password simple xyz

# Use MAC-based user accounts for MAC authentication users. Each MAC address must be in the hexadecimal notation with hyphens, and letters are in upper case.

<Sysname> system-view

[Sysname] mac-authentication user-name-format mac-address with-hyphen uppercase

Related commands

display mac-authentication

reset mac-authentication critical-vlan

Use reset mac-authentication critical-vlan to remove users from the MAC authentication critical VLAN on a port.

Syntax

reset mac-authentication critical-vlan interface interface-type interface-number [ mac-address mac-address ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies a port by its type and number.

mac-address mac-address: Specifies a user by its MAC address.

Examples

# Remove the user with MAC address 1-1-1 from the MAC authentication critical VLAN on Ten-GigabitEthernet 1/0/1.

<Sysname> reset mac-authentication critical-vlan interface ten-gigabitethernet 1/0/1 mac-address 1-1-1

Related commands

display mac-authentication

mac-authentication critical vlan

reset mac-authentication critical-voice-vlan

Use reset mac-authentication critical-voice-vlan to remove MAC authentication users from the MAC authentication critical voice VLAN on a port.

Syntax

reset mac-authentication critical-voice-vlan interface interface-type interface-number [ mac-address mac-address ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies a port by its type and number.

mac-address mac-address: Specifies a user by its MAC address. If you do not specify this option, the command removes all users from the MAC authentication critical voice VLAN on the port.

Examples

# Remove the user with MAC address 1-1-1 from the MAC authentication critical voice VLAN on Ten-GigabitEthernet 1/0/1.

<Sysname> reset mac-authentication critical-voice-vlan interface ten-gigabitethernet 1/0/1 mac-address 1-1-1

Related commands

display mac-authentication

mac-authentication critical-voice-vlan

reset mac-authentication guest-vlan

Use reset mac-authentication guest-vlan to remove users from the MAC authentication guest VLAN on a port.

Syntax

reset mac-authentication guest-vlan interface interface-type interface-number [ mac-address mac-address ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies a port by its type and number.

mac-address mac-address: Specifies a user by its MAC address.

Examples

# Remove the user with MAC address 1-1-1 from the MAC authentication guest VLAN on Ten-GigabitEthernet 1/0/1.

<Sysname> reset mac-authentication guest-vlan interface ten-gigabitethernet 1/0/1 mac-address 1-1-1

Related commands

display mac-authentication

mac-authentication guest-vlan

reset mac-authentication statistics

Use reset mac-authentication statistics to clear MAC authentication statistics.

Syntax

reset mac-authentication statistics [ interface interface-type interface-number ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command clears all global and port-specific MAC authentication statistics.

Examples

# Clear MAC authentication statistics on port Ten-GigabitEthernet 1/0/1.

<Sysname> reset mac-authentication statistics interface ten-gigabitethernet 1/0/1

Related commands

display mac-authentication