H3C S3610[S5510] Series Ethernet Switches Command Manual-Release 0001-(V1.02)
14-802.1x-HABP-MAC Authentication Command
Table of Contents
Chapter 1 802.1x Configuration Commands
1.1 802.1x Configuration Commands
1.1.3 dot1x authentication-method
Chapter 2 HABP Configuration Commands
2.1 HABP Configuration Commands
Chapter 3 MAC Authentication Configuration Commands
3.1 MAC Authentication Configuration Commands
3.1.1 display mac-authentication
3.1.3 mac-authentication domain
3.1.4 mac-authentication timer
Chapter 1 802.1x Configuration Commands
1.1 802.1x Configuration Commands
1.1.1 display dot1x
Syntax
display dot1x [ sessions | statistics ] [ interface interface-list ]
View
Any view
Parameter
sessions: Displays 802.1x session information.
statistics: Displays 802.1x statistics.
interface interface-list: Ethernet interface list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. A port range defined without the to interface-type interface-number portion comprises only one port.
Description
Use the display dot1x command to display 802.1x session information, statistics, or configuration information of specified or all ports.
Note that:
- If the sessions keyword is specified, the session information is displayed.
- If the statistics keyword is specified, the related statistics information is displayed.
- If neither the sessions keyword nor the statistics keyword is specified, the 802.1x configuration information is displayed.
Example
# Display the 802.1x configuration information.
<Sysname> display dot1x
Global 802.1X protocol is enabled
CHAP authentication is enabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
Configuration: Transmit Period 30 s, Handshake Period 15 s
Quiet Period 60 s, Quiet Period Timer is disabled
Supp Timeout 30 s, Server Timeout 100 s
The maximal retransmitting times 2
Total maximum 802.1x user resource number is 1024
Total current used 802.1x resource number is 0
Ethernet1/0/1 is link-up
802.1X protocol is disabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
Handshake is disabled
The port is a(n) authenticator
Authenticate Mode is auto
Port Control Type is Mac-based
Guest VLAN: 0
Max on-line user number is 256
EAPOL Packet: Tx 0, Rx 0
Send EAP Request/Identity Packet : 0
EAP Request/Challenge Packet: 0
EAP Success Packet: 0, Fail Packet: 0
Received EAPOL Start Packet : 0
EAPOL LogOff Packet: 0
EAP Response/Identity Packet : 0
EAP Response/Challenge Packet: 0
Error Packet: 0
Controlled User(s) amount to 0
Table 1-1 Descriptions on the fields of the display dot1x command
Field | Description |
---|---|
Equipment 802.1X protocol is enabled | Indicates whether 802.1x is enabled |
CHAP authentication is enabled | Indicates whether CHAP authentication is enabled |
Transmit Period | Value of the identity request timeout timer |
Handshake Period | Value of the handshake timer |
Quiet Period | Value of the quiet timer |
Quiet Period Timer is disabled | Indicates whether the quiet timer is enabled |
Supp Timeout | Value of the password request timeout timer |
Server Timeout | Value of the authentication server timeout timer |
The maximal retransmitting times | Maximum number of attempts for the authenticator to send authentication requests to the accessing user |
Total maximum 802.1x user resource number | Total maximum number of accessing users |
Total current used 802.1x resource number | Total number of online users |
Ethernet1/0/1 is link-up | The state of Ethernet1/0/1 is up |
802.1X protocol is disabled | Indicates whether 802.1x is enabled on the port |
Proxy trap checker is disabled | State of the proxy check function: Disable, in which the device does not send trap messages if it detects users logging in through proxies; Enable, in which the device sends trap messages if it detects users logging in through proxies |
Proxy logoff checker is disabled | State of the proxy logoff function: Disable, in which the device does not disconnect users logging in through proxies; Enable, in which the device disconnects users logging in through proxies |
Handshake is disabled | Indicates whether handshake is enabled |
The port is a(n) authenticator | The port functions as an authenticator for the supplicants |
Authenticate Mode is auto | Access control mode for the port |
Port Control Type is Mac-based | Access control method for the port |
Guest VLAN | Guest VLAN configured on the port. If it is not configured, 0 will be displayed |
Max on-line user number | Maximum number of users the port can accommodate |
EAPOL Packet: Tx 0, Rx 0 | Statistics on EAPoL packets. "Tx 0" and "Rx 0" mean 0 EAPoL packets are transmitted and 0 EAPoL packets are received |
Send EAP Request/Identity Packet | Transmitted EAP Request/Identity packets |
EAP Request/Challenge Packet | Transmitted EAP Request/Challenge packets |
EAP Success Packet: 0, Fail Packet: 0 | Transmitted EAP Success packets and Fail packets |
Received EAPOL Start Packet | Received EAPOL Start packets |
EAPOL LogOff Packet | Received EAPOL LogOff packets |
EAP Response/Identity Packet | Received EAP Response/Identity packets |
EAP Response/Challenge Packet | Received EAP Response/Challenge packets |
Error Packet | Received invalid packets |
Controlled User(s) amount to | Number of the controlled users connected to the port |
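The fields above are what an operator reads by hand; the following is an added example (not code from the H3C manual) that parses the same output programmatically and flags the settings this chapter identifies as weakening access control: 802.1x disabled globally or on a port, a port in authorized-force mode, and the proxy check enabled while the online user handshake it depends on is off. The sample text is constructed from the manual's example output with a second port added to exercise the checks, and all function and finding names are this example's own.

```python
"""Audit helper for the text printed by `display dot1x` on an H3C switch.

Added example, not code from the H3C manual. It parses the global block and
the per-port blocks of the command output and flags settings that weaken
802.1x port access control. All function names are this example's own.
"""
import re

# Constructed sample modelled on the manual's example output. A second port
# (authorized-force, proxy trap check on, handshake off) is an assumption
# added so that the checks below have something to report.
SAMPLE_OUTPUT = """\
Global 802.1X protocol is enabled
CHAP authentication is enabled
Configuration: Transmit Period 30 s, Handshake Period 15 s
Quiet Period 60 s, Quiet Period Timer is disabled
Supp Timeout 30 s, Server Timeout 100 s
The maximal retransmitting times 2
Total maximum 802.1x user resource number is 1024
Total current used 802.1x resource number is 0
Ethernet1/0/1 is link-up
802.1X protocol is disabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
Handshake is disabled
Authenticate Mode is auto
Port Control Type is Mac-based
Ethernet1/0/2 is link-up
802.1X protocol is enabled
Proxy trap checker is enabled
Proxy logoff checker is disabled
Handshake is disabled
Authenticate Mode is authorized-force
Port Control Type is Mac-based
"""

PORT_HEADER = re.compile(r"^(\S+) is link-(\S+)$")
TIMER = re.compile(r"(Transmit Period|Handshake Period|Quiet Period|"
                   r"Supp Timeout|Server Timeout) (\d+) s\b")


def _state(line):
    """'... is enabled' -> True, '... is disabled' -> False."""
    return line.split()[-1] == "enabled"


def parse_display_dot1x(text):
    """Return (global_settings, {port_name: port_settings})."""
    glob, ports, cur = {"timers": {}}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_HEADER.match(line)
        if m:                                   # start of a per-port block
            cur = ports.setdefault(m.group(1), {"link": m.group(2)})
        elif cur is None:                       # still in the global block
            if line.startswith("Global 802.1X protocol is"):
                glob["enabled"] = _state(line)
            elif line.startswith("The maximal retransmitting times"):
                glob["max_retry"] = int(line.split()[-1])
            for name, value in TIMER.findall(line):
                glob["timers"][name] = int(value)
        elif line.startswith("802.1X protocol is"):
            cur["enabled"] = _state(line)
        elif line.startswith("Proxy trap checker is"):
            cur["proxy_trap"] = _state(line)
        elif line.startswith("Proxy logoff checker is"):
            cur["proxy_logoff"] = _state(line)
        elif line.startswith("Handshake is"):
            cur["handshake"] = _state(line)
        elif line.startswith("Authenticate Mode is "):
            cur["mode"] = line.split(" is ", 1)[1]
        elif line.startswith("Port Control Type is "):
            cur["control_type"] = line.split(" is ", 1)[1]
    return glob, ports


def audit(glob, ports):
    """Return (scope, finding) pairs; an empty list means nothing to flag."""
    findings = []
    if not glob.get("enabled"):
        # per-port 802.1x only takes effect when it is also enabled globally
        findings.append(("global", "global-disabled"))
    for name, p in sorted(ports.items()):
        if not p.get("enabled"):
            findings.append((name, "port-disabled"))
        if p.get("mode") == "authorized-force":
            # users of this port reach the network without authentication
            findings.append((name, "authorized-force"))
        if (p.get("proxy_trap") or p.get("proxy_logoff")) and not p.get("handshake"):
            # the proxy check depends on the online user handshake function
            findings.append((name, "proxy-check-without-handshake"))
    return findings


if __name__ == "__main__":
    g, ps = parse_display_dot1x(SAMPLE_OUTPUT)
    for scope, finding in audit(g, ps):
        print(f"{scope}: {finding}")
```

Run against real output, the parser only needs the text captured from the terminal; the finding names are deliberately short so they can be fed to whatever inventory or ticketing system tracks switch configuration drift.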
1.1.2 dot1x
Syntax
dot1x [ interface interface-list ]
undo dot1x [ interface interface-list ]
View
System view, Ethernet interface view
Parameter
interface interface-list: Ethernet interface list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. A port range defined without the to interface-type interface-number portion comprises only one port.
Description
Use the dot1x command in system view to enable 802.1x globally.
Use the undo dot1x command in system view to disable 802.1x globally.
Use the dot1x interface interface-list command in system view or the dot1x command in Ethernet interface view to enable 802.1x for specified ports.
Use the undo dot1x interface interface-list command in system view or the undo dot1x command in Ethernet interface view to disable 802.1x for specified ports.
By default, 802.1x is neither enabled globally nor enabled for any port.
Note that:
- When executed in system view, the dot1x command enables 802.1x globally (if the interface interface-list keyword-argument combination is not specified) or for specific ports (if the interface interface-list keyword-argument combination is specified).
- When executed in Ethernet port view, the dot1x command enables 802.1x on the current port only. In this case, the interface interface-list keyword-argument combination is not required.
- You can configure global 802.1x parameters or 802.1x parameters for specified ports either before or after enabling 802.1x. 802.1x-related parameters not configured previously adopt the default values when you enable 802.1x globally.
- 802.1x configuration takes effect on a port only when 802.1x is enabled both globally and for the port.
Related command: display dot1x.
Example
# Enable 802.1x for Ethernet1/0/1
<Sysname> system-view
[Sysname] dot1x interface Ethernet 1/0/1
# Enable 802.1x globally.
<Sysname> system-view
[Sysname] dot1x
1.1.3 dot1x authentication-method
Syntax
dot1x authentication-method { chap | pap | eap }
undo dot1x authentication-method
View
System view
Parameter
chap: Authenticates using CHAP.
pap: Authenticates using PAP.
eap: Authenticates using EAP.
Description
Use the dot1x authentication-method command to set the 802.1x authentication method.
Use the undo dot1x authentication-method command to restore the default.
By default, CHAP is used.
Note that:
- Password authentication protocol (PAP) transports passwords in clear text.
- Challenge handshake authentication protocol (CHAP) transports only usernames over the network. Compared with PAP, CHAP provides better security.
- EAP encapsulates 802.1x user information in EAP packets, which are then encapsulated in the EAP attributes of RADIUS and sent to the RADIUS server for authentication.
- The RADIUS server must be configured accordingly to support PAP, CHAP, or EAP authentication.
- For local authentication, only PAP and CHAP are available.
Related command: display dot1x.
Example
# Set the 802.1x authentication method to PAP.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x authentication-method pap
1.1.4 dot1x guest-vlan
Syntax
dot1x guest-vlan vlan-id [ interface interface-list ]
undo dot1x guest-vlan [ interface interface-list ]
View
System view, Ethernet port view
Parameter
vlan-id: ID of the specified GuestVLAN in a range of 1 to 4094.
interface interface-list: Ethernet interface list, including many Ethernet interfaces represented in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where interface-type specifies interface type; interface-number specifies interface number. You can enter the parameters before &<1-10> repeatedly up to 10 times.
Description
Use the dot1x guest-vlan command to specify the GuestVLAN for specified ports.
Use the undo dot1x guest-vlan command to remove GuestVLAN configuration.
By default, GuestVLAN is not configured on a port.
Note that:
- When executed in system view, these two commands apply to all the ports if you do not specify the interface-list argument. Otherwise, the commands apply to the ports identified by the interface-list argument.
- When executed in Ethernet port view, these two commands apply to the current port only. In this case, the interface-list argument is not required.
- To bring GuestVLAN into effect, enable 802.1x.
- GuestVLAN can be configured when the mode of access control on a port is set to portbased, but you cannot change the mode of access control after GuestVLAN is configured on the port.
- GuestVLAN configuration takes effect only when the mode of access control on a port is set to auto.
- GuestVLAN takes effect on access ports only.
- A VLAN operating as a GuestVLAN cannot be removed.
Example
# Configure VLAN 999 as the GuestVLAN of Ethernet1/0/1 in system view (assuming that VLAN 999 already exists).
<Sysname> system-view
[Sysname] dot1x guest-vlan 999 interface ethernet1/0/1
# Configure VLAN 10 as the GuestVLAN of Ethernet1/0/1 through Ethernet1/0/5 (assuming that VLAN 10 already exists).
<Sysname> system-view
[Sysname] dot1x guest-vlan 10 interface ethernet1/0/1 to ethernet1/0/5
# Configure VLAN 7 as the GuestVLAN of all the ports in system view (assuming that VLAN 7 already exists).
<Sysname> system-view
[Sysname] dot1x guest-vlan 7
# In Ethernet port view, configure VLAN 3 as the GuestVLAN of Ethernet1/0/7 (assuming that VLAN 3 already exists).
<Sysname> system-view
[Sysname] interface Ethernet 1/0/7
[Sysname-Ethernet1/0/7] dot1x guest-vlan 3
1.1.5 dot1x handshake
Syntax
dot1x handshake
undo dot1x handshake
View
Ethernet interface view
Parameter
None
Description
Use the dot1x handshake command to enable the online user handshake function.
Use the undo dot1x handshake command to disable the function.
By default, the function is enabled.
The proxy check function of 802.1x depends on the online user handshake function. So, make sure that the online user handshake function is enabled before enabling the proxy check function and the proxy check function is disabled before disabling the online user handshake function.
Example
# Enable online user handshake.
<Sysname> system-view
[Sysname] interface Ethernet 1/0/4
[Sysname-Ethernet1/0/4] dot1x handshake
# Disable online user handshake.
[Sysname-Ethernet1/0/4] undo dot1x handshake
1.1.6 dot1x max-user
Syntax
dot1x max-user user-number [ interface interface-list ]
undo dot1x max-user [ interface interface-list ]
View
System view, Ethernet interface view
Parameter
user-number: Maximum number of accessing users, in the range 1 to 256.
interface interface-list: Ethernet interface list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. A port range defined without the to interface-type interface-number portion comprises only one port.
Description
Use the dot1x max-user command to set the maximum number of accessing users for specified or all ports.
Use the undo dot1x max-user command to restore the default.
The maximum number of accessing users on a port is 256 by default.
Note that:
- When executed in system view, these two commands apply to all the ports if you do not specify the interface-list argument. Otherwise, the commands apply to the ports identified by the interface-list argument.
- When executed in Ethernet port view, these two commands apply to the current port only. In this case, the interface-list argument is not required.
Related command: display dot1x.
Example
# Set the maximum number of accessing users to 32 for Ethernet1/0/1.
<Sysname> system-view
[Sysname] dot1x max-user 32 interface Ethernet 1/0/1
Or
<Sysname> system-view
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] dot1x max-user 32
1.1.7 dot1x port-control
Syntax
dot1x port-control { auto | authorized-force | unauthorized-force } [ interface interface-list ]
undo dot1x port-control [ interface interface-list ]
View
System view, Ethernet interface view
Parameter
auto: Places the specified or all ports in the state of unauthorized initially to allow only EAPOL frames to pass, and turns the ports to the state of authorized to allow access to the network after the users pass authentication. This is the most common choice.
authorized-force: Places the specified or all ports in the state of authorized, allowing users of the ports to access the network without authentication.
unauthorized-force: Places the specified or all ports in the state of unauthorized, denying any access requests from users of the ports.
interface interface-list: Ethernet interface list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. A port range defined without the to interface-type interface-number portion comprises only one port.
Description
Use the dot1x port-control command to set the access control mode for specified or all ports.
Use the undo dot1x port-control command to restore the default.
The default access control mode is auto.
Note that:
- When executed in system view, these two commands apply to all the ports if you do not specify the interface-list argument. Otherwise, the commands apply to the ports identified by the interface-list argument.
- When executed in Ethernet port view, these two commands apply to the current port only. In this case, the interface-list argument is not required.
Related command: display dot1x.
Example
# Set the access control mode of Ethernet1/0/1 to unauthorized-force.
<Sysname> system-view
[Sysname] dot1x port-control unauthorized-force interface Ethernet 1/0/1
Or
<Sysname> system-view
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] dot1x port-control unauthorized-force
1.1.8 dot1x port-method
Syntax
dot1x port-method { macbased | portbased } [ interface interface-list ]
undo dot1x port-method [ interface interface-list ]
View
System view, Ethernet interface view
Parameter
macbased: Specifies to use the macbased authentication method. With this method, each user of a port must be authenticated separately, and when an authenticated user goes offline, no other users are affected.
portbased: Specifies to use the portbased authentication method. With this method, after the first user of a port passes authentication, all other users of the port can access the network without authentication, and when the first user goes offline, all other users get offline at the same time.
interface interface-list: Ethernet interface list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. A port range defined without the to interface-type interface-number portion comprises only one port.
Description
Use the dot1x port-method command to set the access control method for specified or all ports.
Use the undo dot1x port-method command to restore the default.
The default access control method is macbased.
Note that:
- When executed in system view, these two commands apply to all the ports if you do not specify the interface-list argument. Otherwise, the commands apply to the ports identified by the interface-list argument.
- When executed in Ethernet port view, these two commands apply to the current port only. In this case, the interface-list argument is not required.
Related command: display dot1x.
Example
# Set the access control method to portbased for Ethernet1/0/1.
<Sysname> system-view
[Sysname] dot1x port-method portbased interface Ethernet 1/0/1
Or
<Sysname> system-view
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] dot1x port-method portbased
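The difference between the two access control methods is easiest to see by replaying the same sequence of events on a port under each. The following is an added example, not code from the H3C manual: it models the behaviour the parameter descriptions above state (macbased: each user authenticated separately, others unaffected by a logoff; portbased: the first successful user opens the port for everyone, and the first user's logoff takes everyone offline). The class, function names and MAC addresses are this example's own.

```python
"""Model of the two `dot1x port-method` access control methods.

Added example, not code from the H3C manual: it replays the behaviour the
manual describes for macbased and portbased control on one port in auto
mode, so the difference in exposure is visible. Names are this example's own.
"""
from typing import Optional


class Dot1xPort:
    """One 802.1x-enabled port in auto mode using the given port-method."""

    def __init__(self, method):
        if method not in ("macbased", "portbased"):
            raise ValueError(f"unknown port-method: {method}")
        self.method = method
        self.authenticated = set()          # MACs that passed authentication
        self.opener: Optional[str] = None   # portbased: the first user to pass

    def authenticate(self, mac, passed):
        """Record the outcome of an authentication attempt by `mac`."""
        if self.method == "portbased" and self.opener is not None:
            return              # port already open: later users are not asked
        if passed:
            self.authenticated.add(mac)
            if self.method == "portbased":
                self.opener = mac

    def logoff(self, mac):
        """User `mac` sends EAPOL-Logoff or is otherwise taken offline."""
        if self.method == "macbased":
            self.authenticated.discard(mac)     # nobody else is affected
        elif mac == self.opener:
            self.opener = None                  # first user leaves: all off
            self.authenticated.clear()

    def can_access(self, mac):
        """Whether traffic from `mac` is allowed beyond EAPOL frames."""
        if self.method == "macbased":
            return mac in self.authenticated
        return self.opener is not None


def replay(method):
    """Run one event sequence on a port; return (step, A allowed, B allowed)."""
    a, b = "0001-0001-0001", "0002-0002-0002"   # constructed MAC addresses
    port = Dot1xPort(method)
    trace = []
    port.authenticate(a, passed=True)
    trace.append(("after A passes", port.can_access(a), port.can_access(b)))
    port.authenticate(b, passed=True)
    trace.append(("after B passes", port.can_access(a), port.can_access(b)))
    port.logoff(a)
    trace.append(("after A logs off", port.can_access(a), port.can_access(b)))
    return trace


if __name__ == "__main__":
    for method in ("macbased", "portbased"):
        print(method)
        for step, a_ok, b_ok in replay(method):
            print(f"  {step:18s} A={a_ok} B={b_ok}")
```

The second step is the one to look at: under portbased, B is allowed before it has authenticated at all, which is why the manual's macbased default is the safer choice on ports shared by several hosts.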
1.1.9 dot1x quiet-period
Syntax
dot1x quiet-period
undo dot1x quiet-period
View
System view
Parameter
None
Description
Use the dot1x quiet-period command to enable the quiet timer function.
Use the undo dot1x quiet-period command to disable the function.
By default, the function is disabled.
After a supplicant fails the authentication, the authenticator refuses further authentication requests from the supplicant in the period specified by the quiet timer.
Related command: display dot1x, dot1x timer.
Example
# Enable the quiet timer.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x quiet-period
1.1.10 dot1x retry
Syntax
dot1x retry max-retry-value
undo dot1x retry
View
System view
Parameter
max-retry-value: Maximum number of attempts for sending authentication requests to an accessing user, in the range 1 to 10. The default is 2.
Description
Use the dot1x retry command to set the maximum number of attempts for sending authentication requests to an accessing user.
Use the undo dot1x retry command to restore the default.
Note that:
- After the authenticator sends authentication requests to an accessing user, if it does not receive an answer within the specified period, which can be set by using the dot1x timer tx-period tx-period-value or dot1x timer supp-timeout supp-timeout-value command, the authenticator determines whether to send authentication requests to the accessing user again based on the value of the max-retry-value argument.
- When the max-retry-value argument is set to 1, the authenticator sends authentication requests to an accessing user only once. If no answer is received, the authenticator will not send authentication requests again. When the max-retry-value argument is set to 2, the authenticator sends authentication requests once again if it does not receive an answer after sending the first authentication request, and so on.
- This command applies to all the ports.
Related command: display dot1x.
Example
# Set the maximum number of attempts for sending authentication requests to an accessing user as 9.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x retry 9
1.1.11 dot1x supp-proxy-check
Syntax
dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]
undo dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]
View
System view, Ethernet interface view
Parameter
logoff: Disconnects users logging in through proxies.
trap: Sends trap messages upon detecting users logging in through proxies.
interface interface-list: Specifies an Ethernet port list, which can contain multiple Ethernet ports. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } & <1-10>, where interface-type represents the port type, interface-number represents the port number, and & <1-10> means that you can provide up to 10 port indexes/port index lists for this argument.
Description
Use the dot1x supp-proxy-check command to enable detection and control for users logging in through proxies for specified or all ports.
Use the undo dot1x supp-proxy-check command to disable the function for specified or all ports.
By default, the function is disabled.
Note that:
- This function requires the cooperation of the 802.1x client program (iNode) developed by H3C, that is, the users to log in must first run iNode (V1.29 or higher).
- When executed in system view, these two commands enable/disable the function globally if you do not specify the interface-list argument. Otherwise, the commands enable/disable the function for the ports identified by the interface-list argument.
- When executed in Ethernet port view, these two commands apply to the current port only. In this case, the interface-list argument is not required.
- This function takes effect on a port only when it is enabled both globally and on the port.
Related command: display dot1x.
Example
# Specify Ethernet 1/0/1 through Ethernet 1/0/8 to disconnect the users logging in through proxies.
<Sysname> system-view
[Sysname] dot1x supp-proxy-check logoff
[Sysname] dot1x supp-proxy-check logoff interface ethernet 1/0/1 to ethernet 1/0/8
# Specify Ethernet 1/0/9 to send trap messages upon detecting users logging in through proxies.
<Sysname> system-view
[Sysname] dot1x supp-proxy-check trap
[Sysname] dot1x supp-proxy-check trap interface ethernet 1/0/9
Or
<Sysname> system-view
[Sysname] dot1x supp-proxy-check trap
[Sysname] interface ethernet 1/0/9
[Sysname-Ethernet1/0/9] dot1x supp-proxy-check trap
1.1.12 dot1x timer
Syntax
dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | tx-period tx-period-value | supp-timeout supp-timeout-value | server-timeout server-timeout-value }
undo dot1x timer { handshake-period | quiet-period | tx-period | supp-timeout | server-timeout }
View
System view
Parameter
handshake-period handshake-period-value: Sets the handshake timer. After a supplicant passes authentication, the authenticator sends to the supplicant handshake requests at this interval to check whether the supplicant is online. The argument ranges from 5 to 1024 seconds and defaults to 15 seconds.
quiet-period quiet-period-value: Sets the quiet timer. When a supplicant fails the authentication, the authenticator refuses further authentication requests from the supplicant in the period specified by the quiet timer. Note that this function is on a per-user basis. The argument ranges from 10 to 120 seconds and defaults to 60 seconds.
tx-period tx-period-value: Sets identity request timeout timer. Once an authenticator sends an EAP-Request/Identity frame to a supplicant, it starts this timer. If this timer expires but it receives no response from the supplicant, it retransmits the request. The argument ranges from 10 to 120 seconds and defaults to 30 seconds.
supp-timeout supp-timeout-value: Sets the password request timeout timer. Once an authenticator sends an EAP-Request/Challenge frame to a supplicant, it starts this timer. If this timer expires but it receives no response from the supplicant, it retransmits the request. The argument ranges from 10 to 120 seconds and defaults to 30 seconds.
server-timeout server-timeout-value: Sets the authentication server timeout timer. Once an authenticator sends a RADIUS Access-Request packet to the authentication server, it starts this timer. If this timer expires but it receives no response from the server, it retransmits the request. The argument ranges from 100 to 300 seconds and defaults to 100 seconds.
Description
Use the dot1x timer command to set 802.1x timers.
Use the undo dot1x timer command to restore the defaults for the timers.
Several timers are used in the 802.1x authentication process to guarantee that the accessing users, the authenticators, and the RADIUS server interact with each other in a reasonable manner. Some of the timers are configurable. This makes sense in some special or extreme network environments. Normally, leave the defaults unchanged.
Related command: display dot1x.
Example
# Set the authentication server timeout timer to 150 seconds.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x timer server-timeout 150
1.1.13 reset dot1x statistics
Syntax
reset dot1x statistics [ interface interface-list ]
View
User view
Parameter
interface interface-list: Ethernet interface list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. A port range defined without the to interface-type interface-number portion comprises only one port.
Description
Use the reset dot1x statistics command to clear 802.1x statistics.
Note that:
- With the interface interface-list keyword-argument combination unspecified, the command clears global 802.1x statistics and 802.1x statistics on all ports.
- With the interface interface-list keyword-argument combination specified, the command clears 802.1x statistics on the specified ports.
Related command: display dot1x.
Example
# Clear 802.1x statistics on Ethernet1/0/1.
<Sysname> reset dot1x statistics interface Ethernet 1/0/1
Chapter 2 HABP Configuration Commands
2.1 HABP Configuration Commands
2.1.1 display habp
Syntax
display habp
View
Any view
Parameter
None
Description
Use the display habp command to display HABP configuration and status information.
Example
# Display HABP configuration and status information.
<Sysname> display habp
Global HABP information:
HABP Mode: Server
Sending HABP request packets every 20 seconds
Bypass VLAN: 2
Table 2-1 Description on the fields of the display habp command
Field | Description |
---|---|
HABP Mode | Indicates the HABP mode of the switch. A switch can operate as an HABP server (displayed as Server) or an HABP client (displayed as Client). |
Sending HABP request packets every 20 seconds | HABP request packets are sent once every 20 seconds. |
Bypass VLAN | Indicates the ID(s) of the VLAN(s) to which HABP request packets are sent |
2.1.2 display habp table
Syntax
display habp table
View
Any view
Parameter
None
Description
Use the display habp table command to display the MAC address table maintained by HABP.
Example
# Display the MAC address table maintained by HABP.
<Sysname> display habp table
MAC Holdtime Receive Port
001f-3c00-0030 53 Ethernet1/0/1
Table 2-2 Description on the fields of the display habp table command
Field | Description |
---|---|
MAC | MAC addresses listed in the HABP MAC address table. |
Holdtime | Hold time of the entries in the HABP MAC address table, in seconds. The initial value is three times the interval for sending HABP request packets. An address is removed from the table if it has not been updated within the hold time. |
Receive Port | The port from which a MAC address is learned |
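The aging rule in the Holdtime row is small enough to model exactly. The following is an added example, not code from the H3C manual: it keeps a table of (MAC, hold time, receive port) entries, starts each at three times the request interval, and drops entries whose hold time reaches zero. That an update resets an entry to the full hold time, the class and method names, and the second MAC address are assumptions of this example; the first MAC address and the 53-second reading come from the manual's sample output.

```python
"""Aging model for the MAC address table that HABP maintains.

Added example, not code from the H3C manual. It implements the rule stated
for the Holdtime field: an entry starts at three times the HABP request
interval and is removed once that time runs out without an update. That an
update resets the hold time to the full value is an assumption of this
example, as are the class and method names and the second MAC address.
"""


class HabpTable:
    def __init__(self, interval=20):
        self.interval = interval      # seconds between HABP request packets
        self.entries = {}             # mac -> [remaining hold time, port]

    @property
    def hold_time(self):
        """Initial hold time: three times the request interval."""
        return 3 * self.interval

    def update(self, mac, port):
        """A reply from `mac` arrived on `port`: (re)start its hold time."""
        self.entries[mac] = [self.hold_time, port]

    def tick(self, seconds):
        """Advance the clock; return the MACs aged out in this step."""
        expired = []
        for mac, entry in self.entries.items():
            entry[0] -= seconds
            if entry[0] <= 0:
                expired.append(mac)
        for mac in expired:
            del self.entries[mac]
        return expired

    def remaining(self, mac):
        return self.entries[mac][0]

    def render(self):
        """Lines in the layout of `display habp table`."""
        lines = ["MAC Holdtime Receive Port"]
        for mac, (hold, port) in sorted(self.entries.items()):
            lines.append(f"{mac} {hold} {port}")
        return lines


def demo():
    """Walk one aging cycle and return (aged-out MACs, rendered table)."""
    t = HabpTable(interval=20)                    # hold time 60 s
    t.update("001f-3c00-0030", "Ethernet1/0/1")   # MAC from the manual's sample
    t.update("001f-3c00-0031", "Ethernet1/0/2")   # constructed second entry
    t.tick(7)                                     # 53 s left, as in the sample
    t.update("001f-3c00-0031", "Ethernet1/0/2")   # refreshed: back to 60 s
    aged = t.tick(53)                             # first entry expires
    return aged, t.render()


if __name__ == "__main__":
    aged, table = demo()
    print("aged out:", aged)
    print("\n".join(table))
```

Reading the same table twice a few seconds apart and comparing Holdtime values tells you which entries are still being refreshed by HABP replies and which are coasting toward removal, which is a quick way to confirm that a managed device behind an 802.1x-controlled port is still reachable.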
2.1.3 display habp traffic
Syntax
display habp traffic
View
Any view
Parameter
None
Description
Use the display habp traffic command to display statistics on HABP packets.
Example
# Display statistics on HABP packets.
<Sysname> display habp traffic
HABP counters :
Packets output: 0, Input: 0
ID error: 0, Type error: 0, Version error: 0
Sent failed: 0
Table 2-3 Description on the fields of the display habp traffic command
Field | Description |
---|---|
Packets output | Number of the HABP packets sent |
Input | Number of the HABP packets received |
ID error | Number of HABP packets with ID errors |
Type error | Number of HABP packets with type errors |
Version error | Number of HABP packets with version errors |
Sent failed | Number of HABP packets that failed to be sent |
2.1.4 habp enable
Syntax
habp enable
undo habp enable
View
System view
Parameter
None
Description
Use the habp enable command to enable HABP for a switch.
Use the undo habp enable command to disable HABP for a switch.
By default, HABP is enabled on a switch.
Note:
To enable cluster and 802.1x (MAC authentication) on a device simultaneously, you need to enable HABP on the device first. Otherwise, the management device cannot manage the devices attached to it.
Example
# Enable HABP.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] habp enable
2.1.5 habp server vlan
Syntax
habp server vlan vlan-id
undo habp server
View
System view
Parameter
vlan-id: VLAN ID, ranging from 1 to 4094.
Description
Use the habp server vlan command to configure a switch to operate as an HABP server and to broadcast HABP packets in the specified VLAN.
Use the undo habp server command to revert to the default HABP mode.
By default, a switch operates as an HABP client.
To specify a switch to operate as an HABP server, you need to enable HABP (using the habp enable command) for the switch first. Even if HABP is not enabled, you can still configure the switch to work as an HABP server, although the configuration has no effect until HABP is enabled.
Example
# Specify the switch to operate as an HABP server and the HABP packets to be broadcast in VLAN 2.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] habp server vlan 2
2.1.6 habp timer
Syntax
habp timer interval-time
undo habp timer
View
System view
Parameter
interval-time: Interval (in seconds) to send HABP request packets. This argument ranges from 5 to 600.
Description
Use the habp timer command to set the interval for a switch to send HABP request packets.
Use the undo habp timer command to revert to the default interval.
The default interval for a switch to send HABP request packets is 20 seconds.
Use these two commands on switches operating as HABP servers only.
Example
# Configure the switch to send HABP request packets once every 50 seconds.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] habp timer 50
Chapter 3 MAC Authentication Configuration Commands
3.1 MAC Authentication Configuration Commands
3.1.1 display mac-authentication
Syntax
display mac-authentication [ interface interface-list ]
View
Any view
Parameter
interface interface-list: Ethernet interface list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. A port range defined without the to interface-type interface-number portion comprises only one port.
Description
Use the display mac-authentication command to display the global MAC authentication information or the MAC authentication information about specified interfaces.
MAC authentication information includes: whether MAC address authentication is enabled, values of the current timers, the number of online users, quiet MAC addresses, and the status of MAC authentication on each port.
Example
# Display the global MAC authentication information.
<Sysname> display mac-authentication
MAC address authentication is enabled.
Offline detect period is 300s
Quiet period is 1 minute(s).
Server response timeout value is 100s
Max allowed user number is 1024
Current user number amounts to 0
Current domain is aa
Silent Mac User info:
MAC ADDR From Port Port Index
Ethernet1/0/1 is link-up
MAC address authentication is Enabled
Authenticate success: 0, failed: 0
Current online user number is 0
MAC ADDR Authenticate state AuthIndex
(Omitted)
Table 3-1 Description on the fields of the display mac-authentication command

Field | Description |
---|---|
MAC address authentication is enabled | Whether MAC authentication is enabled globally |
Offline detect period | Setting of the offline-detect timer |
Quiet period | Setting of the quiet timer |
Server response timeout value | Setting of the server timeout timer |
Max allowed user number | Maximum number of users that the switch supports |
Current user number amounts | Total number of online users that have passed MAC authentication |
Current domain is | Currently used ISP domain (the default domain is used by default) |
Silent Mac User info | Information on users who are kept silent after failing MAC authentication |
Ethernet 1/0/1 is link-up | Status of the link on Ethernet 1/0/1 |
MAC address authentication is Enabled | Whether MAC authentication is enabled for Ethernet 1/0/1 |
Authenticate success: 0, failed: 0 | MAC authentication statistics, including the numbers of times that authentication has succeeded and failed on the port |
Current online user number | Number of online users on the port |
MAC ADDR | MAC address of an online user |
Authenticate state | User status. Possible values are: CONNECTING (the user is logging in), SUCCESS (the user has passed the authentication), FAILURE (the user failed the authentication), LOGOFF (the user has logged off) |
AuthIndex | Authenticator index |
3.1.2 mac-authentication
Syntax
mac-authentication [ interface interface-list ]
undo mac-authentication [ interface interface-list ]
View
System view, Ethernet port view
Parameter
interface interface-list: Ethernet interface list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. A port range defined without the to interface-type interface-number portion comprises only one port.
Description
Use the mac-authentication command to enable MAC authentication globally on the current device or for the specified ports.
Use the undo mac-authentication command to disable MAC authentication globally or for the specified ports.
By default, MAC authentication is neither enabled globally nor enabled for any port.
Note that:
- When executed in system view, the mac-authentication command enables MAC authentication globally if you do not specify the interface-list argument. Otherwise, the command enables MAC authentication on the ports identified by the interface-list argument.
- When executed in Ethernet port view, the mac-authentication command applies to the current port only. In this case, the interface-list argument is not required.
- You can configure global MAC authentication parameters or MAC authentication parameters for the specified ports either before or after enabling MAC authentication. Any MAC authentication parameter that has not been configured takes its default value when you enable MAC authentication globally.
- MAC authentication takes effect on a port only when it is enabled both globally and on that port.
Example
# Enable MAC authentication for GigabitEthernet 1/1/1.
<Sysname> system-view
[Sysname] mac-authentication interface GigabitEthernet 1/1/1
Mac-auth is enabled on port GigabitEthernet1/1/1.
Or
<Sysname> system-view
[Sysname] interface GigabitEthernet 1/1/1
[Sysname-GigabitEthernet1/1/1] mac-authentication
Mac-auth is enabled on port GigabitEthernet1/1/1.
# Enable MAC authentication globally.
<Sysname> system-view
[Sysname] mac-authentication
Mac-auth is enabled globally.
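As an added example that is not part of the H3C manual, the following Python parser reads the display mac-authentication output described in Table 3-1 and applies the rule from the note in 3.1.2 that MAC authentication takes effect on a port only when it is enabled both globally and on the port; it also lists ports with a high share of failed authentications for review. The sample output is constructed (modelled on the example in 3.1.1, with a second port added), and the dictionary keys and function names are my own.

```python
import re
# Constructed sample, modelled on the display mac-authentication output in this manual; a second port is added for contrast.
SAMPLE = """\
MAC address authentication is enabled.
Offline detect period is 300s
Quiet period is 1 minute(s).
Server response timeout value is 100s
Current domain is aa
Ethernet1/0/1 is link-up
MAC address authentication is Enabled
Authenticate success: 3, failed: 9
Current online user number is 3
Ethernet1/0/2 is link-up
MAC address authentication is Disabled
Authenticate success: 0, failed: 0
Current online user number is 0
"""

# Timer fields of the output, mapped to the keywords of the mac-authentication timer command.
TIMER_RE = re.compile(r"(Offline detect period|Quiet period|Server response timeout value) is (\d+)")
TIMER_KEY = {"Offline detect period": "offline-detect", "Quiet period": "quiet",
             "Server response timeout value": "server-timeout"}

def parse_mac_auth(text):
    """Return (global_enabled, timers, ports) parsed from display mac-authentication output."""
    global_enabled, timers, ports, cur = False, {}, {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"(\S+\d+/\d+/\d+) is (link-up|link-down)$", line):
            cur = ports.setdefault(m[1], {"link": m[2], "enabled": False, "success": 0, "failed": 0, "online": 0})
        elif m := re.match(r"MAC address authentication is (en|dis)abled", line, re.I):
            if cur is None:  # the global status line precedes every port block
                global_enabled = m[1].lower() == "en"
            else:
                cur["enabled"] = m[1].lower() == "en"
        elif m := TIMER_RE.match(line):
            timers[TIMER_KEY[m[1]]] = int(m[2])
        elif cur and (m := re.match(r"Authenticate success: (\d+), failed: (\d+)", line)):
            cur["success"], cur["failed"] = int(m[1]), int(m[2])
        elif cur and (m := re.match(r"Current online user number is (\d+)", line)):
            cur["online"] = int(m[1])
    return global_enabled, timers, ports

def effective_ports(global_enabled, ports):
    """Ports where MAC authentication actually takes effect: enabled globally AND on the port."""
    return sorted(p for p, s in ports.items() if global_enabled and s["enabled"])

def high_failure_ports(ports, threshold=0.5):
    """Ports whose share of failed authentications exceeds threshold; candidates for review."""
    return sorted(p for p, s in ports.items() if (n := s["success"] + s["failed"]) and s["failed"] / n > threshold)
```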
3.1.3 mac-authentication domain
Syntax
mac-authentication domain isp-name
undo mac-authentication domain
View
System view
Parameter
isp-name: ISP domain name, a string of 1 to 24 characters.
Description
Use the mac-authentication domain command to specify the ISP domain for MAC authentication.
Use the undo mac-authentication domain command to restore the default.
By default, the default ISP domain is used.
Example
# Specify the ISP domain for MAC authentication to be Cams.
<Sysname> system-view
[Sysname] mac-authentication domain Cams
3.1.4 mac-authentication timer
Syntax
mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | server-timeout server-timeout-value }
undo mac-authentication timer { offline-detect | quiet | server-timeout }
View
System view
Parameter
offline-detect offline-detect-value: Sets the offline-detect timer, the interval at which the switch checks whether a user has gone offline. Once it detects that a user has gone offline, the switch informs the RADIUS server to stop accounting for the user. The argument ranges from 1 to 300 seconds and defaults to 300 seconds.
quiet quiet-value: Sets the quiet timer. When a user fails MAC authentication, the switch stays quiet for the period specified by the quiet timer before initiating another authentication of that user. Note that this timer works on a per-user basis. The argument ranges from 1 to 65,535 minutes and defaults to 1 minute.
server-timeout server-timeout-value: Sets the server timeout timer. During authentication of a user, if the switch receives no response from the RADIUS server in this period, it assumes that its connection to the RADIUS server has timed out and forbids the user from accessing the network. The argument ranges from 1 to 300 seconds and defaults to 100 seconds.
Description
Use the mac-authentication timer command to set the MAC authentication timers.
Use the undo mac-authentication timer command to restore the defaults.
Related command: display mac-authentication.
Example
# Set the server timeout timer to 150 seconds.
<Sysname> system-view
[Sysname] mac-authentication timer server-timeout 150