H3C S5500-SI Series Ethernet Switches Command Manual-Release 1205-(V1.03)
14-802.1x-HABP-MAC Authentication Command
Chapter 1 802.1x Configuration Commands
1.1 802.1x Configuration Commands
1.1.1 display dot1x
Syntax
display dot1x [ sessions | statistics ] [ interface interface-list ]
View
Any view
Parameter
sessions: Displays 802.1x session information.
statistics: Displays 802.1x statistics.
interface interface-list: Ethernet interface list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. A port range defined without the to interface-type interface-num portion comprises only one port.
Description
Use the display dot1x command to display 802.1x session information, statistics, or configuration information of specified or all ports.
Use the command with the sessions keyword or the statistics keyword to display the session information or related statistics information. Use the command with neither the sessions keyword nor the statistics keyword to display 802.1x configuration information.
Example
# Display 802.1x configuration information of interface GigabitEthernet 1/0/1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] display dot1x interface GigabitEthernet 1/0/1
Equipment 802.1X protocol is enabled
CHAP authentication is enabled
Configuration: Transmit Period 30 s, Handshake Period 15 s
Quiet Period 60 s, Quiet Period Timer is disabled
Supp Timeout 30 s, Server Timeout 100 s
The maximal retransmitting times 32
Total maximum 802.1x user resource number is 1024
Total current used 802.1x resource number is 0
GigabitEthernet1/0/1 is link-up
802.1X protocol is disabled
Handshake is disabled
The port is a(n) authenticator
Authenticate Mode is auto
Port Control Type is Mac-based
Guest VLAN: 0
Max number of on-line users is 256
EAPOL Packet: Tx 0, Rx 0
Sent EAP Request/Identity Packets : 0
EAP Request/Challenge Packets: 0
EAP Success Packets: 0, Fail Packets: 0
Received EAPOL Start Packets : 0
EAPOL LogOff Packets: 0
EAP Response/Identity Packets : 0
EAP Response/Challenge Packets: 0
Error Packets: 0
Controlled User(s) amount to 0
Table 1-1 Descriptions on the fields of the display dot1x command

Field | Description |
---|---|
Equipment 802.1X protocol is enabled | Indicates whether 802.1x is enabled globally |
CHAP authentication is enabled | Indicates whether CHAP authentication is enabled |
Transmit Period | Value of the identity request timeout timer |
Handshake Period | Value of the handshake timer |
Quiet Period | Value of the quiet timer |
Quiet Period Timer is disabled | Indicates whether the quiet timer is enabled |
Supp Timeout | Value of the password request timeout timer |
Server Timeout | Value of the authentication server timeout timer |
The maximal retransmitting times | Maximum number of attempts for the authenticator to send authentication requests to the accessing user |
Total maximum 802.1x user resource number | Total maximum number of accessing users |
Total current used 802.1x resource number | Total number of online users |
GigabitEthernet1/0/1 is link-up | Status of port GigabitEthernet1/0/1 |
802.1X protocol is disabled | Indicates whether 802.1x is enabled on the port |
Handshake is disabled | Indicates whether handshake is enabled |
The port is a(n) authenticator | Role of the port |
Authenticate Mode is auto | Access control mode for the port |
Port Control Type is Mac-based | Access control method for the port |
Guest VLAN | Guest VLAN configured on the port. If it is not configured, 0 will be displayed |
Max number of on-line users | Maximum number of accessing users on the port |
EAPOL Packet: Tx 0, Rx 0 | EAPOL packets: transmitted 0, received 0 |
Sent EAP Request/Identity Packets | Transmitted EAP Request/Identity packets |
EAP Request/Challenge Packets | Transmitted EAP Request/Challenge packets |
EAP Success Packets, Fail Packets | Transmitted EAP Success packets and EAP Fail packets |
Received EAPOL Start Packets | Received EAPOL Start packets |
EAPOL LogOff Packets | Received EAPOL LogOff packets |
EAP Response/Identity Packets | Received EAP Response/Identity packets |
EAP Response/Challenge Packets | Received EAP Response/Challenge packets |
Error Packets | Received invalid packets |
Controlled User(s) amount to | Number of controlled users on the port |
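An added example, not part of the manual: a parser for display dot1x output of the form shown above, followed by an audit that flags per-port settings which weaken port access control (802.1x not enabled on a live port, a non-auto control mode, handshake off, a guest VLAN present). The sample text is constructed from the manual's example plus an invented second port; the exact wording the switch prints for a non-auto mode is an assumption.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the global block and port 1/0/1 follow the manual's
# display dot1x example; port 1/0/2 is invented, and the string it shows for
# a non-auto mode ("authorized-force") is an assumption, not documented text.
SAMPLE_OUTPUT = """\
Equipment 802.1X protocol is enabled
CHAP authentication is enabled
Configuration: Transmit Period 30 s, Handshake Period 15 s
Quiet Period 60 s, Quiet Period Timer is disabled
Supp Timeout 30 s, Server Timeout 100 s
The maximal retransmitting times 32
Total maximum 802.1x user resource number is 1024
Total current used 802.1x resource number is 0
GigabitEthernet1/0/1 is link-up
802.1X protocol is disabled
Handshake is disabled
The port is a(n) authenticator
Authenticate Mode is auto
Port Control Type is Mac-based
Guest VLAN: 0
Max number of on-line users is 256
EAPOL Packet: Tx 0, Rx 0
Controlled User(s) amount to 0
GigabitEthernet1/0/2 is link-up
802.1X protocol is enabled
Handshake is enabled
The port is a(n) authenticator
Authenticate Mode is authorized-force
Port Control Type is Port-based
Guest VLAN: 999
Max number of on-line users is 256
EAPOL Packet: Tx 12, Rx 9
Controlled User(s) amount to 1
"""

# A port block starts with "<interface> is link-up|link-down".
PORT_HEADER = re.compile(r"^(\S+Ethernet\S+) is (link-up|link-down)$")


@dataclass
class PortInfo:
    name: str
    link: str
    dot1x_enabled: bool = False
    handshake: bool = False
    mode: str = ""        # access control mode (dot1x port-control)
    method: str = ""      # access control method (dot1x port-method)
    guest_vlan: int = 0   # 0 means no guest VLAN configured
    max_users: int = 0


@dataclass
class Dot1xReport:
    global_enabled: bool = False
    ports: list = field(default_factory=list)


def parse_display_dot1x(text):
    """Split display dot1x output into the global block and one PortInfo per port."""
    report = Dot1xReport()
    port = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_HEADER.match(line)
        if m:
            port = PortInfo(name=m.group(1), link=m.group(2))
            report.ports.append(port)
            continue
        if port is None:  # still inside the global block
            if line.startswith("Equipment 802.1X protocol is"):
                report.global_enabled = line.endswith("enabled")
            continue
        if line.startswith("802.1X protocol is"):
            port.dot1x_enabled = line.endswith("enabled")
        elif line.startswith("Handshake is"):
            port.handshake = line.endswith("enabled")
        elif line.startswith("Authenticate Mode is"):
            port.mode = line.rsplit(" ", 1)[1]
        elif line.startswith("Port Control Type is"):
            port.method = line.rsplit(" ", 1)[1]
        elif line.startswith("Guest VLAN:"):
            port.guest_vlan = int(line.split(":")[1])
        elif line.startswith("Max number of on-line users is"):
            port.max_users = int(line.rsplit(" ", 1)[1])
    return report


def audit(report):
    """Return (port, finding) pairs for settings that weaken port access control."""
    findings = []
    if not report.global_enabled:
        findings.append(("global", "802.1x is disabled globally; per-port settings have no effect"))
    for p in report.ports:
        if p.link == "link-up" and not p.dot1x_enabled:
            findings.append((p.name, "port is up but 802.1x is not enabled on it"))
        if p.mode and p.mode != "auto":
            findings.append((p.name, f"access control mode is {p.mode}, not auto"))
        if p.dot1x_enabled and not p.handshake:
            findings.append((p.name, "online-user handshake is disabled; departed users are not detected"))
        if p.guest_vlan:
            findings.append((p.name, f"guest VLAN {p.guest_vlan} is configured; unauthenticated hosts are placed in it"))
    return findings


if __name__ == "__main__":
    for port, finding in audit(parse_display_dot1x(SAMPLE_OUTPUT)):
        print(f"{port}: {finding}")
```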
1.1.2 dot1x
Syntax
dot1x [ interface interface-list ]
undo dot1x [ interface interface-list ]
View
System view/Ethernet interface view
Parameter
interface interface-list: Ethernet interface list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. A port range defined without the to interface-type interface-num portion comprises only one port.
Description
Use the dot1x command in system view to enable 802.1x globally.
Use the undo dot1x command in system view to disable 802.1x globally.
Use the dot1x interface interface-list command in system view or the dot1x command in Ethernet interface view to enable 802.1x for specified ports.
Use the undo dot1x interface interface-list command in system view or the undo dot1x command in Ethernet interface view to disable 802.1x for specified ports.
By default, 802.1x is neither enabled globally nor enabled for any port.
Note that:
- 802.1x must be enabled both globally in system view and specifically for the intended ports in system view or Ethernet interface view. Otherwise, it does not function.
- You can configure 802.1x parameters either before or after enabling 802.1x.
- With 802.1x enabled on a port, you cannot configure the maximum number of MAC addresses that the port can learn (by using the mac-address max-mac-count command), and vice versa.
Related command: display dot1x.
Example
# Enable 802.1x for port GigabitEthernet1/0/2
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x interface GigabitEthernet 1/0/2
# Enable 802.1x globally.
[Sysname] dot1x
1.1.3 dot1x authentication-method
Syntax
dot1x authentication-method { chap | pap | eap }
undo dot1x authentication-method
View
System view
Parameter
chap: Authenticates using CHAP.
pap: Authenticates using PAP.
eap: Authenticates using EAP.
Description
Use the dot1x authentication-method command to set the 802.1x authentication method.
Use the undo dot1x authentication-method command to restore the default.
By default, CHAP is used.
Note that:
- Password authentication protocol (PAP) transports passwords in clear text.
- Challenge handshake authentication protocol (CHAP) transports only usernames over the network. Compared with PAP, CHAP provides better security.
- EAP encapsulates 802.1x user information in EAP packets, which are then encapsulated in the EAP attributes of RADIUS and sent to the RADIUS server for authentication.
- The RADIUS server must be configured accordingly to support PAP, CHAP, or EAP authentication.
- For local authentication, only PAP and CHAP are available.
Related command: display dot1x.
Example
# Set the 802.1x authentication method to PAP.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x authentication-method pap
1.1.4 dot1x guest-vlan
Syntax
dot1x guest-vlan vlan-id [ interface interface-list ]
undo dot1x guest-vlan [ interface interface-list ]
View
System view/Ethernet port view
Parameter
vlan-id: ID of the VLAN to be used as the GuestVlan, in the range 1 to 4094.
interface interface-list: Ethernet interface list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where interface-type specifies the interface type, interface-number specifies the interface number, and &<1-10> indicates that you can specify up to 10 port ranges.
Description
Use the dot1x guest-vlan command to configure GuestVlan on a specified port.
Use the undo dot1x guest-vlan command to remove GuestVlan on a specified port.
By default, GuestVlan is not configured on a port.
Note that:
- When you use the command in system view without the interface-list argument, the GuestVlan is configured on all ports; with the argument, it is configured on the specified ports only. In Ethernet port view you cannot specify the interface-list argument; only the GuestVlan of the current port is configured.
- For the GuestVlan to take effect, 802.1x must be enabled.
- A GuestVlan can be configured only on a port whose access control method (dot1x port-method) is portbased, and the access control method cannot be changed once a GuestVlan is configured on the port.
- The GuestVlan configuration takes effect only when the access control mode (dot1x port-control) of the port is auto.
- The VLAN configured as a GuestVlan cannot be deleted.
Example
# In system view, configure VLAN 999 as the GuestVlan of GigabitEthernet1/0/1.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x guest-vlan 999 interface GigabitEthernet1/0/1
# In system view, configure VLAN 10 as the GuestVlan of GigabitEthernet1/0/1 to GigabitEthernet1/0/5.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x guest-vlan 10 interface GigabitEthernet 1/0/1 to GigabitEthernet 1/0/5
# In system view, configure VLAN 7 as the GuestVlan of all ports.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x guest-vlan 7
# In Ethernet port view, configure VLAN 3 as the GuestVlan of GigabitEthernet1/0/7.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface GigabitEthernet 1/0/7
[Sysname-GigabitEthernet1/0/7] dot1x guest-vlan 3
1.1.5 dot1x handshake
Syntax
dot1x handshake
undo dot1x handshake
View
Ethernet interface view
Parameter
None
Description
Use the dot1x handshake command to enable the online user handshake function.
Use the undo dot1x handshake command to disable the function.
By default, the function is enabled.
Example
# Enable online user handshake.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname]interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] dot1x handshake
# Disable online user handshake.
[Sysname-GigabitEthernet1/0/1] undo dot1x handshake
1.1.6 dot1x max-user
Syntax
dot1x max-user user-number [ interface interface-list ]
undo dot1x max-user [ interface interface-list ]
View
System view/Ethernet interface view
Parameter
user-number: Maximum number of accessing users, in the range 1 to 256. The default is 256 per port.
interface interface-list: Ethernet interface list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. A port range defined without the to interface-type interface-num portion comprises only one port.
Description
Use the dot1x max-user command to set the maximum number of accessing users for specified or all ports.
Use the undo dot1x max-user command to restore the default.
If you perform a configuration in system view and do not specify the interface-list argument, the configuration applies to all ports. Configurations performed in Ethernet port view apply to the current Ethernet port only and the interface-list argument is not needed in this case.
Related command: display dot1x.
Example
# Set the maximum number of accessing users to 32 for port GigabitEthernet1/0/1.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x max-user 32 interface GigabitEthernet 1/0/1
1.1.7 dot1x port-control
Syntax
dot1x port-control { auto | authorized-force | unauthorized-force } [ interface interface-list ]
undo dot1x port-control [ interface interface-list ]
View
System view/Ethernet interface view
Parameter
auto: Places the specified or all ports in the state of unauthorized initially to allow only EAPOL frames to pass, and turns the ports to the state of authorized to allow access to the network after the users pass authentication. This is the most common choice.
authorized-force: Places the specified or all ports in the state of authorized, allowing users of the ports to access the network without authentication.
unauthorized-force: Places the specified or all ports in the state of unauthorized, denying any access requests from users of the ports.
interface interface-list: Ethernet interface list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. A port range defined without the to interface-type interface-num portion comprises only one port.
Description
Use the dot1x port-control command to set the access control mode for specified or all ports.
Use the undo dot1x port-control command to restore the default.
The default access control mode is auto.
Related command: display dot1x.
Example
# Set the access control mode of port GigabitEthernet1/0/1 to unauthorized-force.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x port-control unauthorized-force interface GigabitEthernet 1/0/1
1.1.8 dot1x port-method
Syntax
dot1x port-method { macbased | portbased } [ interface interface-list ]
undo dot1x port-method [ interface interface-list ]
View
System view/Ethernet interface view
Parameter
macbased: Specifies to use the macbased authentication method. With this method, each user of a port must be authenticated separately, and when an authenticated user goes offline, no other users are affected.
portbased: Specifies to use the portbased authentication method. With this method, after the first user of a port passes authentication, all other users of the port can access the network without authentication, and when the first user goes offline, all other users get offline at the same time.
interface interface-list: Ethernet interface list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. A port range defined without the to interface-type interface-num portion comprises only one port.
Description
Use the dot1x port-method command to set the access control method for specified or all ports.
Use the undo dot1x port-method command to restore the default.
The default access control method is macbased.
Related command: display dot1x.
Example
# Set the access control method to portbased for port GigabitEthernet1/0/1.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x port-method portbased interface GigabitEthernet 1/0/1
1.1.9 dot1x quiet-period
Syntax
dot1x quiet-period
undo dot1x quiet-period
View
System view
Parameter
None
Description
Use the dot1x quiet-period command to enable the quiet timer function.
Use the undo dot1x quiet-period command to disable the function.
By default, the function is disabled.
After a supplicant fails the authentication, the authenticator refuses further authentication requests from the supplicant in the period specified by the quiet timer.
Related command: display dot1x, dot1x timer.
Example
# Enable the quiet timer.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x quiet-period
1.1.10 dot1x retry
Syntax
dot1x retry max-retry-value
undo dot1x retry
View
System view
Parameter
max-retry-value: Maximum number of attempts for sending authentication requests to an accessing user, in the range 1 to 10. The default is 2.
Description
Use the dot1x retry command to set the maximum number of attempts for sending authentication requests to an accessing user.
Use the undo dot1x retry command to restore the default.
Note that:
- When max-retry-value is set to 1, the authenticator sends an authentication request to an accessing user only once; if no answer is received, it does not send the request again. When max-retry-value is set to 2, the authenticator resends the request once if it receives no answer, and so on.
- After sending an authentication request to an accessing user, if the authenticator receives no answer within the period set by the dot1x timer tx-period tx-period-value or dot1x timer supp-timeout supp-timeout-value command, it decides whether to send another request based on the value of max-retry-value.
- This command applies to all ports.
Related command: display dot1x.
Example
# Set the maximum number of attempts for sending authentication requests to an accessing user as 9.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x retry 9
1.1.11 dot1x timer
Syntax
dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | tx-period tx-period-value | supp-timeout supp-timeout-value | server-timeout server-timeout-value }
undo dot1x timer { handshake-period | quiet-period | tx-period | supp-timeout | server-timeout }
View
System view
Parameter
handshake-period handshake-period-value: Sets the handshake timer. After a supplicant passes authentication, the authenticator sends to the supplicant handshake requests at this interval to check whether the supplicant is online. The argument ranges from 5 to 1024 seconds and defaults to 15 seconds.
quiet-period quiet-period-value: Sets the quiet timer. When a supplicant fails the authentication, the authenticator refuses further authentication requests from the supplicant in the period specified by the quiet timer. Note that this function is on a per-user basis. The argument ranges from 10 to 120 seconds and defaults to 60 seconds.
tx-period tx-period-value: Sets identity request timeout timer. Once an authenticator sends an EAP-Request/Identity frame to a supplicant, it starts this timer. If this timer expires but it receives no response from the supplicant, it retransmits the request. The argument ranges from 10 to 120 seconds and defaults to 30 seconds.
supp-timeout supp-timeout-value: Sets the password request timeout timer. Once an authenticator sends an EAP-Request/Challenge frame to a supplicant, it starts this timer. If this timer expires but it receives no response from the supplicant, it retransmits the request. The argument ranges from 10 to 120 seconds and defaults to 30 seconds.
server-timeout server-timeout-value: Sets the authentication server timeout timer. Once an authenticator sends a RADIUS Access-Request packet to the authentication server, it starts this timer. If this timer expires but it receives no response from the server, it retransmits the request. The argument ranges from 100 to 300 seconds and defaults to 100 seconds.
Description
Use the dot1x timer command to set 802.1x timers.
Use the undo dot1x timer command to restore the defaults for the timers.
Several timers are used in the 802.1x authentication process to guarantee that the accessing users, the authenticators, and the RADIUS server interact with each other in a reasonable manner. Some of the timers are configurable. This makes sense in some special or extreme network environments. Normally, leave the defaults unchanged.
Related command: display dot1x.
Example
# Set the authentication server timeout timer to 150 seconds.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x timer server-timeout 150
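An added example, not H3C's own tooling: a generator for the system-view command sequence covered by sections 1.1.2 through 1.1.11 that checks the rules the manual states before emitting any line (up to 10 port ranges, the mac-address max-mac-count exclusion, the GuestVlan prerequisites, and the documented value ranges for max-user, retry and each timer). Interface-list entries are compared as literal strings when checking the max-mac-count clash, which is an assumption of this example.

```python
# dot1x timer keyword -> (min, max) in seconds, as stated in section 1.1.11.
TIMER_RANGES = {
    "handshake-period": (5, 1024),
    "quiet-period": (10, 120),
    "tx-period": (10, 120),
    "supp-timeout": (10, 120),
    "server-timeout": (100, 300),
}


class Dot1xConfigError(ValueError):
    """Raised when the requested settings violate a rule the manual states."""


def build_dot1x_config(interfaces, auth_method="chap", port_control="auto",
                       port_method="macbased", guest_vlan=None, max_user=None,
                       retry=None, timers=None, quiet_timer=False,
                       max_mac_count_ports=()):
    """Return the system-view command lines that enable 802.1x on `interfaces`.

    `interfaces` holds up to 10 interface-list entries, each a single port
    ("GigabitEthernet 1/0/1") or a range ("GigabitEthernet 1/0/1 to
    GigabitEthernet 1/0/5"). `max_mac_count_ports` lists entries on which
    mac-address max-mac-count is already set; section 1.1.2 forbids combining
    it with 802.1x, so a literal match is rejected (assumption: entries are
    compared as written, not expanded).
    """
    if not interfaces or len(interfaces) > 10:
        raise Dot1xConfigError("interface-list takes 1 to 10 port ranges")
    if auth_method not in ("chap", "pap", "eap"):
        raise Dot1xConfigError("authentication method must be chap, pap or eap")
    if port_control not in ("auto", "authorized-force", "unauthorized-force"):
        raise Dot1xConfigError("port-control must be auto, authorized-force or unauthorized-force")
    if port_method not in ("macbased", "portbased"):
        raise Dot1xConfigError("port-method must be macbased or portbased")
    clash = sorted(set(max_mac_count_ports) & set(interfaces))
    if clash:
        raise Dot1xConfigError(f"mac-address max-mac-count is already set on {clash}")
    if guest_vlan is not None:
        # Section 1.1.4: VLAN id 1 to 4094, portbased method, auto control mode.
        if not 1 <= guest_vlan <= 4094:
            raise Dot1xConfigError("guest VLAN id must be 1 to 4094")
        if port_method != "portbased":
            raise Dot1xConfigError("guest VLAN requires port-method portbased")
        if port_control != "auto":
            raise Dot1xConfigError("guest VLAN only takes effect with port-control auto")
    if max_user is not None and not 1 <= max_user <= 256:
        raise Dot1xConfigError("max-user must be 1 to 256")
    if retry is not None and not 1 <= retry <= 10:
        raise Dot1xConfigError("retry must be 1 to 10")
    for name, value in (timers or {}).items():
        if name not in TIMER_RANGES:
            raise Dot1xConfigError(f"unknown timer {name}")
        lo, hi = TIMER_RANGES[name]
        if not lo <= value <= hi:
            raise Dot1xConfigError(f"{name} must be {lo} to {hi} seconds")

    iface = "interface " + " ".join(interfaces)
    lines = ["dot1x", f"dot1x authentication-method {auth_method}"]
    # port-method is emitted before guest-vlan because the method cannot be
    # changed once a guest VLAN is configured on the port (section 1.1.4).
    lines.append(f"dot1x port-method {port_method} {iface}")
    lines.append(f"dot1x port-control {port_control} {iface}")
    if guest_vlan is not None:
        lines.append(f"dot1x guest-vlan {guest_vlan} {iface}")
    if max_user is not None:
        lines.append(f"dot1x max-user {max_user} {iface}")
    if retry is not None:
        lines.append(f"dot1x retry {retry}")
    for name, value in (timers or {}).items():
        lines.append(f"dot1x timer {name} {value}")
    if quiet_timer:
        lines.append("dot1x quiet-period")
    # Enabling 802.1x on the ports last is fine: the manual allows parameters
    # to be configured before or after enabling (section 1.1.2).
    lines.append(f"dot1x {iface}")
    return lines


if __name__ == "__main__":
    for line in build_dot1x_config(["GigabitEthernet 1/0/1 to GigabitEthernet 1/0/5"],
                                   port_method="portbased", guest_vlan=999,
                                   max_user=32, retry=3,
                                   timers={"server-timeout": 150}, quiet_timer=True):
        print(line)
```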
1.1.12 reset dot1x statistics
Syntax
reset dot1x statistics [ interface interface-list ]
View
User view
Parameter
interface interface-list: Ethernet interface list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. A port range defined without the to interface-type interface-num portion comprises only one port.
Description
Use the reset dot1x statistics command to clear 802.1x statistics.
With the interface interface-list argument specified, the command clears 802.1x statistics on the specified ports. With the argument unspecified, the command clears global 802.1x statistics and 802.1x statistics on all ports.
Related command: display dot1x.
Example
# Clear 802.1x statistics on port GigabitEthernet1/0/1.
<Sysname> reset dot1x statistics interface GigabitEthernet1/0/1
Chapter 2 HABP Configuration Commands
2.1 HABP Configuration Commands
2.1.1 display habp
Syntax
display habp
View
Any view
Parameter
None
Description
Use the display habp command to display HABP configuration and status information.
Example
# Display HABP configuration and status information.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] display habp
Global HABP information:
HABP Mode: Server
Sending HABP request packets every 20 seconds
Bypass VLAN: 2
Table 2-1 Description on the fields of the display habp command

Field | Description |
---|---|
HABP Mode | Indicates the HABP mode of the switch. A switch can operate as an HABP server (displayed as Server) or an HABP client (displayed as Client). |
Sending HABP request packets every 20 seconds | HABP request packets are sent once every 20 seconds. |
Bypass VLAN | Indicates the ID(s) of the VLAN(s) to which HABP request packets are sent |
2.1.2 display habp table
Syntax
display habp table
View
Any view
Parameter
None
Description
Use the display habp table command to display the MAC address table maintained by HABP.
Example
# Display the MAC address table maintained by HABP.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] display habp table
MAC Holdtime Receive Port
001f-3c00-0030 53 GigabitEthernet 1/0/1
Table 2-2 Description on the fields of the display habp table command

Field | Description |
---|---|
MAC | MAC addresses listed in the HABP MAC address table. |
Holdtime | Hold time of the entries in the HABP MAC address table, in seconds. The initial value is three times the interval for sending HABP request packets. An entry is removed from the table if it has not been updated within the hold time. |
Receive Port | The port from which a MAC address is learned |
2.1.3 display habp traffic
Syntax
display habp traffic
View
Any view
Parameter
None
Description
Use the display habp traffic command to display statistics on HABP packets.
Example
# Display statistics on HABP packets.
<Sysname>system-view
System View: return to User View with Ctrl+Z.
[Sysname] display habp traffic
HABP counters :
Packets output: 0, Input: 0
ID error: 0, Type error: 0, Version error: 0
Sent failed: 0
Table 2-3 Description on the fields of the display habp traffic command

Field | Description |
---|---|
Packets output | Number of HABP packets sent |
Input | Number of HABP packets received |
ID error | Number of HABP packets with ID errors |
Type error | Number of HABP packets with type errors |
Version error | Number of HABP packets with version errors |
Sent failed | Number of HABP packets that failed to be sent |
2.1.4 habp enable
Syntax
habp enable
undo habp enable
View
System view
Parameter
None
Description
Use the habp enable command to enable HABP for a switch.
Use the undo habp enable command to disable HABP for a switch.
By default, HABP is enabled on a switch.
If an 802.1x-enabled (or MAC authentication-enabled) switch does not have HABP enabled, it cannot manage the switches attached to it.
When the cluster function and 802.1x (or MAC authentication) are enabled at the same time, the management device cannot manage the connected devices unless HABP is enabled. In this case, you must also enable HABP on the device.
Example
# Enable HABP.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] habp enable
2.1.5 habp server vlan
Syntax
habp server vlan vlan-id
undo habp server
View
System view
Parameter
vlan-id: VLAN ID, ranging from 1 to 4094.
Description
Use the habp server vlan command to configure a switch to operate as an HABP server and to broadcast HABP packets in the specified VLAN.
Use the undo habp server command to revert to the default HABP mode.
By default, a switch operates as an HABP client.
To configure a switch to operate as an HABP server, enable HABP (using the habp enable command) on the switch first. If HABP is not enabled, you can still configure the switch to operate as an HABP server, but the configuration has no effect.
Example
# Specify the switch to operate as an HABP server and the HABP packets to be broadcast in VLAN 2.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] habp server vlan 2
2.1.6 habp timer
Syntax
habp timer interval-time
undo habp timer
View
System view
Parameter
interval-time: Interval (in seconds) at which HABP request packets are sent. This argument ranges from 5 to 600.
Description
Use the habp timer command to set the interval for a switch to send HABP request packets.
Use the undo habp timer command to revert to the default interval.
The default interval for a switch to send HABP request packets is 20 seconds.
Use these two commands on switches operating as HABP servers only.
Example
# Configure the switch to send HABP request packets once every 50 seconds.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] habp timer 50
Chapter 3 MAC Authentication Configuration Commands
3.1 MAC Authentication Configuration Commands
3.1.1 display mac-authentication
Syntax
display mac-authentication [ interface interface-list ]
View
Any view
Parameter
interface interface-list: Ethernet interface list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. A port range defined without the to interface-type interface-num portion comprises only one port.
Description
Use the display mac-authentication command to display the global MAC authentication information or the MAC authentication information about specified interfaces.
Example
# Display the global MAC authentication information.
<Sysname> display mac-authentication
MAC address authentication is enabled.
Offline detect period is 300s
Quiet period is 1 minute(s).
Server response timeout value is 100s
Max allowed user number is 1024
Current user number amounts to 0
Current domain: not configured, use default domain
Silent Mac User info:
MAC ADDR From Port Port Index
GigabitEthernet1/0/1 is link-up
MAC address authentication is enabled
Authenticate success: 0, failed: 0
Current online user number is 0
MAC ADDR Authenticate state AuthIndex
Table 3-1 Description on the fields of the display mac-authentication command

Field | Description |
---|---|
MAC address authentication is enabled | Whether MAC authentication is enabled globally |
Offline detect period | Setting of the offline-detect timer |
Quiet period | Setting of the quiet timer |
Server response timeout value | Setting of the server timeout timer |
Max allowed user number | Maximum number of users that the switch supports |
Current user number amounts to | Total number of online users that have passed MAC authentication |
Current domain | Currently used ISP domain |
Silent Mac User info | Information on users who are kept silent after failing MAC authentication |
GigabitEthernet1/0/1 is link-up | Status of the link on port GigabitEthernet 1/0/1 |
MAC address authentication is enabled (port) | Whether MAC authentication is enabled for port GigabitEthernet 1/0/1 |
Authenticate success: 0, failed: 0 | MAC authentication statistics, including the numbers of times that authentication has succeeded and failed |
Current online user number | Number of online users on the port |
MAC ADDR | MAC address of an online user |
Authenticate state | User status: CONNECTING (the user is logging in), SUCCESS (the user has passed authentication), FAILURE (the user failed authentication), or LOGOFF (the user has logged off) |
AuthIndex | Authenticator index |
3.1.2 mac-authentication
Syntax
mac-authentication [ interface interface-list ]
undo mac-authentication [ interface interface-list ]
View
System view/Ethernet port view
Parameter
interface interface-list: Ethernet interface list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. A port range defined without the to interface-type interface-num portion comprises only one port.
Description
Use the mac-authentication command in system view to enable MAC authentication globally.
Use the undo mac-authentication command in system view to disable MAC authentication globally.
Use the mac-authentication interface interface-list command in system view or the mac-authentication command in Ethernet port view to enable MAC authentication for specified ports.
Use the undo mac-authentication interface interface-list command in system view or the undo mac-authentication command in Ethernet port view to disable MAC authentication for specified ports.
By default, MAC authentication is neither enabled globally nor enabled for any port.
Note that:
- MAC authentication must be enabled both globally in system view and specifically for the intended ports in system view or Ethernet port view. Otherwise, it does not function.
- You can configure MAC authentication parameters either before or after enabling MAC authentication.
Example
# Enable MAC authentication for port GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] mac-authentication interface GigabitEthernet 1/0/1
# Enable MAC authentication globally.
[Sysname] mac-authentication
3.1.3 mac-authentication domain
Syntax
mac-authentication domain isp-name
undo mac-authentication domain
View
System view
Parameter
isp-name: ISP domain name, a string of 1 to 24 characters.
Description
Use the mac-authentication domain command to specify the ISP domain for MAC authentication.
Use the undo mac-authentication domain command to restore the default.
By default, the default ISP domain is used.
Example
# Specify the ISP domain for MAC authentication to be Cams.
<Sysname> system-view
[Sysname] mac-authentication domain Cams
3.1.4 mac-authentication timer
Syntax
mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | server-timeout server-timeout-value }
undo mac-authentication timer { offline-detect | quiet | server-timeout }
View
System view
Parameter
offline-detect offline-detect-value: Sets the offline-detect timer, the interval at which the switch checks whether a user has gone offline. Once detecting that a user has gone offline, the switch informs the RADIUS server to stop accounting for the user. The argument ranges from 1 to 300 seconds and defaults to 300 seconds.
quiet quiet-value: Sets the quiet timer. When a user fails the MAC authentication, the switch stays quiet for a period specified by the quiet timer before initializing another authentication of the user. Note that this function is on a per-user basis. The argument ranges from 1 to 65,535 minutes and defaults to 1 minute.
server-timeout server-timeout-value: Sets the server timeout timer. During authentication of a user, if the switch receives no response from the RADIUS server in this period, it assumes that its connection to the RADIUS server has timed out and forbids the user from accessing the network. The argument ranges from 1 to 300 seconds and defaults to 100 seconds.
Description
Use the mac-authentication timer command to set the MAC authentication timers.
Use the undo mac-authentication timer command to restore the defaults.
Related command: display mac-authentication.
Example
# Set the server timeout timer to 150 seconds.
<Sysname> system-view
[Sysname] mac-authentication timer server-timeout 150