H3C S5500-SI Series Ethernet Switches Command Manual-Release 1205-(V1.03)

14-802.1x-HABP-MAC Authentication Command

Chapter 1  802.1x Configuration Commands

1.1  802.1x Configuration Commands

1.1.1  display dot1x

Syntax

display dot1x [ sessions | statistics ] [ interface interface-list ]

View

Any view

Parameter

sessions: Displays 802.1x session information.

statistics: Displays 802.1x statistics.

interface interface-list: Ethernet interface list, in the format { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. A port range given without the to interface-type interface-number portion comprises only one port.

Description

Use the display dot1x command to display 802.1x session information, statistics, or configuration information of specified or all ports.

Use the command with the sessions keyword or the statistics keyword to display the session information or related statistics information. Use the command with neither the sessions keyword nor the statistics keyword to display 802.1x configuration information.

Example

# Display 802.1x configuration information of interface GigabitEthernet 1/0/1.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] display dot1x interface GigabitEthernet 1/0/1
Equipment 802.1X protocol is enabled
 CHAP authentication is enabled

 Configuration: Transmit Period     30 s,  Handshake Period       15 s
                Quiet Period        60 s,  Quiet Period Timer is disabled
                Supp Timeout        30 s,  Server Timeout         100 s
                The maximal retransmitting times          32

 Total maximum 802.1x user resource number is 1024
 Total current used 802.1x resource number is 0

 GigabitEthernet1/0/1  is link-up
   802.1X protocol is disabled
   Handshake is disabled
   The port is a(n) authenticator
   Authenticate Mode is auto
   Port Control Type is Mac-based
   Guest VLAN: 0
   Max number of on-line users is 256

   EAPOL Packet: Tx 0, Rx 0
   Sent EAP Request/Identity Packets : 0
        EAP Request/Challenge Packets: 0
        EAP Success Packets: 0, Fail Packets: 0
   Received EAPOL Start Packets : 0
            EAPOL LogOff Packets: 0
            EAP Response/Identity Packets : 0
            EAP Response/Challenge Packets: 0
            Error Packets: 0

   Controlled User(s) amount to 0

Table 1-1 Descriptions on the fields of the display dot1x command

Field | Description
Equipment 802.1X protocol is enabled | Whether 802.1x is enabled globally
CHAP authentication is enabled | Whether CHAP authentication is enabled
Transmit Period | Value of the identity request timeout timer
Handshake Period | Value of the handshake timer
Quiet Period | Value of the quiet timer
Quiet Period Timer is disabled | Whether the quiet timer is enabled
Supp Timeout | Value of the password request timeout timer
Server Timeout | Value of the authentication server timeout timer
The maximal retransmitting times | Maximum number of attempts for the authenticator to send authentication requests to an accessing user
Total maximum 802.1x user resource number | Maximum total number of accessing users
Total current used 802.1x resource number | Total number of online users
GigabitEthernet1/0/1 is link-up | Link status of port GigabitEthernet1/0/1
802.1X protocol is disabled | Whether 802.1x is enabled on the port
Handshake is disabled | Whether the online user handshake is enabled on the port
The port is a(n) authenticator | Role of the port
Authenticate Mode is auto | Access control mode of the port: auto, authorized-force or unauthorized-force (see dot1x port-control)
Port Control Type is Mac-based | Access control method of the port: MAC-based or port-based (see dot1x port-method)
Guest VLAN | Guest VLAN configured on the port; 0 means that none is configured
Max number of on-line users | Maximum number of accessing users on the port
EAPOL Packet: Tx 0, Rx 0 | Number of EAPOL packets transmitted and received
Sent EAP Request/Identity Packets | Transmitted EAP Request/Identity packets
EAP Request/Challenge Packets | Transmitted EAP Request/Challenge packets
EAP Success Packets, Fail Packets | Transmitted EAP Success packets and EAP Failure packets
Received EAPOL Start Packets | Received EAPOL Start packets
EAPOL LogOff Packets | Received EAPOL Logoff packets
EAP Response/Identity Packets | Received EAP Response/Identity packets
EAP Response/Challenge Packets | Received EAP Response/Challenge packets
Error Packets | Received invalid packets
Controlled User(s) amount to | Number of controlled users on the port
 

1.1.2  dot1x

Syntax

dot1x [ interface interface-list ]

undo dot1x [ interface interface-list ]

View

System view/Ethernet interface view

Parameter

interface interface-list: Ethernet interface list, in the format { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. A port range given without the to interface-type interface-number portion comprises only one port.

Description

Use the dot1x command in system view to enable 802.1x globally.

Use the undo dot1x command in system view to disable 802.1x globally.

Use the dot1x interface interface-list command in system view or the dot1x command in Ethernet interface view to enable 802.1x for specified ports.

Use the undo dot1x interface interface-list command in system view or the undo dot1x command in Ethernet interface view to disable 802.1x for specified ports.

By default, 802.1x is neither enabled globally nor enabled for any port.

Note that:

•  802.1x must be enabled both globally (in system view) and on the intended ports (in system view or Ethernet interface view). Otherwise it does not take effect.

•  You can configure 802.1x parameters either before or after enabling 802.1x.

•  On a port with 802.1x enabled, you cannot set the maximum number of MAC addresses the port can learn (mac-address max-mac-count command), and vice versa.

Related command: display dot1x.

Example

# Enable 802.1x for port GigabitEthernet1/0/2

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x interface GigabitEthernet 1/0/2

# Enable 802.1x globally.

[Sysname] dot1x

1.1.3  dot1x authentication-method

Syntax

dot1x authentication-method { chap | pap | eap }

undo dot1x authentication-method

View

System view

Parameter

chap: Authenticates using CHAP.

pap: Authenticates using PAP.

eap: Authenticates using EAP.

Description

Use the dot1x authentication-method command to set the 802.1x authentication method.

Use the undo dot1x authentication-method command to restore the default.

By default, CHAP is used.

Note that:

•  Password Authentication Protocol (PAP) transports the password in clear text.

•  Challenge Handshake Authentication Protocol (CHAP) transports only the username over the network; the password itself is never sent, only a response to a challenge. CHAP is therefore more secure than PAP.

•  With EAP, the switch encapsulates the 802.1x user's EAP packets in the EAP-Message attribute of RADIUS and forwards them to the RADIUS server for authentication.

•  The RADIUS server must be configured to support the chosen method (PAP, CHAP, or EAP).

•  For local authentication, only PAP and CHAP are available.

Related command: display dot1x.

Example

# Set the 802.1x authentication method to PAP.

<Sysname>system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x authentication-method pap
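As an added example (not part of the H3C manual), the following Python models the two exchanges the note above contrasts, PAP and CHAP, between a supplicant and an authenticator, and records what a passive observer of the access link would see. The user name, password, CHAP identifier and challenge are constructed values, and the CHAP response is computed as in RFC 1994 (MD5 over the identifier, the secret and the challenge). It also shows the caveat that comes with CHAP: it keeps the password off the wire, but a captured response can be replayed if the authenticator ever reuses a challenge.

```python
"""Added example, not from the H3C manual: what PAP and CHAP put on the wire.

Models one PAP and one CHAP exchange between a supplicant and an
authenticator and records every frame a passive observer of the link would
see. User, password, CHAP identifier and challenge are constructed values.
CHAP per RFC 1994: Response = MD5(Identifier || secret || Challenge).
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed credential store held by the authenticator (hypothetical user).
USER_DB: Dict[str, bytes] = {"alice": b"s3cret-pw"}


@dataclass
class WireCapture:
    """Frames visible to a passive observer of the access link."""
    frames: List[dict] = field(default_factory=list)


def pap_exchange(username: str, password: bytes, capture: WireCapture) -> bool:
    """PAP: the supplicant sends username and password as-is; the verifier compares."""
    frame = {"type": "PAP-Authenticate-Request", "username": username, "password": password}
    capture.frames.append(frame)
    stored = USER_DB.get(frame["username"], b"")
    return hmac.compare_digest(stored, frame["password"])


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: MD5 over the one-octet Identifier, the secret and the Challenge, in that order."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_exchange(username: str, password: bytes, capture: WireCapture,
                  challenge: Optional[bytes] = None, identifier: int = 1) -> bool:
    """CHAP: the authenticator challenges; the supplicant answers with a hash, never the password."""
    if challenge is None:
        challenge = os.urandom(16)  # a fresh, unpredictable challenge per attempt
    capture.frames.append({"type": "CHAP-Challenge", "id": identifier, "challenge": challenge})
    response = chap_response(identifier, password, challenge)
    capture.frames.append({"type": "CHAP-Response", "id": identifier,
                           "username": username, "response": response})
    # The authenticator recomputes the expected response from its own copy of the secret.
    expected = chap_response(identifier, USER_DB.get(username, b""), challenge)
    return hmac.compare_digest(expected, response)


def password_visible_on_wire(capture: WireCapture, password: bytes) -> bool:
    """True if any captured frame carries the password itself."""
    return any(value == password for frame in capture.frames for value in frame.values())


def replay_captured_response(capture: WireCapture, challenge: bytes, identifier: int = 1) -> bool:
    """Replay a captured CHAP-Response against the challenge an authenticator is now using.

    Succeeds only if that challenge is the one the response was computed for, i.e.
    if the authenticator reused it: CHAP hides the password, but its replay
    protection rests entirely on challenge freshness.
    """
    response_frame = next(f for f in capture.frames if f["type"] == "CHAP-Response")
    stored = USER_DB.get(response_frame["username"], b"")
    expected = chap_response(identifier, stored, challenge)
    return hmac.compare_digest(expected, response_frame["response"])


if __name__ == "__main__":
    pap_cap, chap_cap = WireCapture(), WireCapture()
    pap_exchange("alice", b"s3cret-pw", pap_cap)
    chap_exchange("alice", b"s3cret-pw", chap_cap)
    print("PAP exposes password on the wire:", password_visible_on_wire(pap_cap, b"s3cret-pw"))
    print("CHAP exposes password on the wire:", password_visible_on_wire(chap_cap, b"s3cret-pw"))
```

Run stand-alone, the script reports that the PAP capture contains the password and the CHAP capture does not. The point of the model is the asymmetry in what the authenticator must hold: both sides of CHAP need the plaintext secret (or an equivalent) to recompute the MD5, which is why the manual's RADIUS server must be configured for the method the switch uses.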

1.1.4  dot1x guest-vlan

Syntax

dot1x guest-vlan vlan-id [ interface interface-list ]

undo dot1x guest-vlan [ interface interface-list ]

View

System view/Ethernet interface view

Parameter

vlan-id: ID of the VLAN to use as the guest VLAN, in the range 1 to 4094.

interface interface-list: Ethernet interface list, in the format { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. A port range given without the to interface-type interface-number portion comprises only one port.

Description

Use the dot1x guest-vlan command to configure a guest VLAN on the specified ports.

Use the undo dot1x guest-vlan command to remove the guest VLAN from the specified ports.

By default, no guest VLAN is configured on a port.

Note that:

•  In system view, the command applies to all ports when interface-list is omitted and to the specified ports when it is given. In Ethernet interface view, interface-list cannot be specified; the command applies to the current port only.

•  The guest VLAN takes effect only if 802.1x is enabled.

•  A guest VLAN can be configured only on a port whose access control method is portbased (dot1x port-method portbased). Once a guest VLAN is configured on the port, its access control method can no longer be changed.

•  The guest VLAN takes effect only when the port's access control mode is auto (dot1x port-control auto).

•  A VLAN that is configured as a guest VLAN cannot be deleted.

•  Hosts placed in the guest VLAN have not been authenticated, so the guest VLAN should carry only the resources that unauthenticated hosts are meant to reach.

Example

# In system view, configure VLAN 999 as the GuestVlan of GigabitEthernet1/0/1.

<Sysname>system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x guest-vlan 999 interface GigabitEthernet1/0/1

# In system view, configure VLAN 10 as the GuestVlan of GigabitEthernet1/0/1 to GigabitEthernet1/0/5.

<Sysname>system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x guest-vlan 10 interface GigabitEthernet 1/0/1 to GigabitEthernet 1/0/5

# In system view, configure VLAN 7 as the GuestVlan of all ports.

<Sysname>system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x guest-vlan 7

# In Ethernet port view, configure VLAN 3 as the GuestVlan of GigabitEthernet1/0/7.

<Sysname>system-view

System View: return to User View with Ctrl+Z.

[Sysname] interface GigabitEthernet 1/0/7

[Sysname-GigabitEthernet1/0/7] dot1x guest-vlan 3

1.1.5  dot1x handshake

Syntax

dot1x handshake

undo dot1x handshake

View

Ethernet interface view

Parameter

None

Description

Use the dot1x handshake command to enable the online user handshake function.

Use the undo dot1x handshake command to disable the function.

By default, the function is enabled.

Example

# Enable online user handshake.

<Sysname>system-view

System View: return to User View with Ctrl+Z.

[Sysname]interface GigabitEthernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x handshake

# Disable online user handshake.

[Sysname-GigabitEthernet1/0/1] undo dot1x handshake

1.1.6  dot1x max-user

Syntax

dot1x max-user user-number [ interface interface-list ]

undo dot1x max-user [ interface interface-list ]

View

System view/Ethernet interface view

Parameter

user-number: Maximum number of accessing users, in the range 1 to 256. The default is 256 per port.

interface interface-list: Ethernet interface list, in the format { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. A port range given without the to interface-type interface-number portion comprises only one port.

Description

Use the dot1x max-user command to set the maximum number of accessing users for specified or all ports.

Use the undo dot1x max-user command to restore the default.

If you perform a configuration in system view and do not specify the interface-list argument, the configuration applies to all ports. Configurations performed in Ethernet port view apply to the current Ethernet port only and the interface-list argument is not needed in this case.

Related command: display dot1x.

Example

# Set the maximum number of accessing users to 32 for port GigabitEthernet1/0/1.

<Sysname>system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x max-user 32 interface GigabitEthernet 1/0/1

1.1.7  dot1x port-control

Syntax

dot1x port-control { auto | authorized-force | unauthorized-force } [ interface interface-list ]

undo dot1x port-control [ interface interface-list ]

View

System view/Ethernet interface view

Parameter

auto: Places the specified or all ports in the state of unauthorized initially to allow only EAPOL frames to pass, and turns the ports to the state of authorized to allow access to the network after the users pass authentication. This is the most common choice.

authorized-force: Places the specified or all ports in the state of authorized, allowing users of the ports to access the network without authentication.

unauthorized-force: Places the specified or all ports in the state of unauthorized, denying any access requests from users of the ports.

interface interface-list: Ethernet interface list, in the format { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. A port range given without the to interface-type interface-number portion comprises only one port.

Description

Use the dot1x port-control command to set the access control mode for specified or all ports.

Use the undo dot1x port-control command to restore the default.

The default access control mode is auto.

Related command: display dot1x.

Example

# Set the access control mode of port GigabitEthernet1/0/1 to unauthorized-force.

<Sysname>system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x port-control unauthorized-force interface GigabitEthernet 1/0/1

1.1.8  dot1x port-method

Syntax

dot1x port-method { macbased | portbased } [ interface interface-list ]

undo dot1x port-method [ interface interface-list ]

View

System view/Ethernet interface view

Parameter

macbased: Specifies to use the macbased authentication method. With this method, each user of a port must be authenticated separately, and when an authenticated user goes offline, no other users are affected.

portbased: Specifies to use the portbased authentication method. With this method, after the first user of a port passes authentication, all other users of the port can access the network without authentication, and when the first user goes offline, all other users get offline at the same time.

interface interface-list: Ethernet interface list, in the format { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. A port range given without the to interface-type interface-number portion comprises only one port.

Description

Use the dot1x port-method command to set the access control method for specified or all ports.

Use the undo dot1x port-method command to restore the default.

The default access control method is macbased.

Related command: display dot1x.

Example

# Set the access control method to portbased for port GigabitEthernet1/0/1.

<Sysname>system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x port-method portbased interface GigabitEthernet 1/0/1
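As an added example (not from the H3C manual), the following Python parses the per-port blocks of `display dot1x` in the layout shown in the display dot1x section above and flags the settings that this section and dot1x port-control describe as weakening port security: 802.1x disabled on a port while it is enabled globally, port-control authorized-force (access without authentication), port-method portbased (one authenticated host opens the port for every host behind it), a guest VLAN, and the online-user handshake disabled. SAMPLE_OUTPUT is constructed and abridged (statistics lines omitted); the display strings for the non-default settings ("Authenticate Mode is authorized-force", "Port Control Type is Port-based") are assumed from the command keywords, since the manual only shows the defaults.

```python
"""Added example, not from the H3C manual: audit `display dot1x` output.

Parses the per-port blocks of `display dot1x` and flags settings that let
hosts bypass or weaken 802.1x on a port. SAMPLE_OUTPUT is constructed in the
layout the manual shows; the strings for the non-default mode and method are
assumed from the dot1x port-control / dot1x port-method keywords.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMPLE_OUTPUT = """\
Equipment 802.1X protocol is enabled
 CHAP authentication is enabled

 GigabitEthernet1/0/1  is link-up
   802.1X protocol is enabled
   Handshake is enabled
   Authenticate Mode is auto
   Port Control Type is Mac-based
   Guest VLAN: 0

 GigabitEthernet1/0/2  is link-up
   802.1X protocol is enabled
   Handshake is disabled
   Authenticate Mode is authorized-force
   Port Control Type is Port-based
   Guest VLAN: 999

 GigabitEthernet1/0/3  is link-down
   802.1X protocol is disabled
   Handshake is enabled
   Authenticate Mode is auto
   Port Control Type is Mac-based
   Guest VLAN: 0
"""

# "<interface>  is link-up" opens a per-port block.
PORT_RE = re.compile(r"^(\S+)\s+is\s+link-(up|down)$")
FIELD_RES = {
    "dot1x": re.compile(r"802\.1X protocol is (\w+)"),
    "handshake": re.compile(r"Handshake is (\w+)"),
    "mode": re.compile(r"Authenticate Mode is ([\w-]+)"),    # dot1x port-control
    "method": re.compile(r"Port Control Type is ([\w-]+)"),  # dot1x port-method
    "guest_vlan": re.compile(r"Guest VLAN:\s*(\d+)"),
}


@dataclass
class PortState:
    name: str
    link: str
    settings: Dict[str, str] = field(default_factory=dict)


def parse_display_dot1x(text: str) -> Tuple[Optional[bool], List[PortState]]:
    """Return (802.1x enabled globally, per-port settings) from display dot1x text."""
    global_enabled: Optional[bool] = None
    ports: List[PortState] = []
    current: Optional[PortState] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Equipment 802.1X protocol is"):
            global_enabled = line.endswith("enabled")
            continue
        m = PORT_RE.match(line)
        if m:
            current = PortState(m.group(1), m.group(2))
            ports.append(current)
            continue
        if current is None:
            continue  # still in the global header
        for key, rx in FIELD_RES.items():
            m = rx.search(line)
            if m:
                current.settings[key] = m.group(1).lower()
    return global_enabled, ports


def audit_port(port: PortState, global_enabled: Optional[bool]) -> List[str]:
    """Finding codes for one port, in a fixed order."""
    s = port.settings
    findings: List[str] = []
    if global_enabled and s.get("dot1x") != "enabled":
        findings.append("DOT1X_DISABLED")    # port forwards with no authentication at all
    if s.get("mode") == "authorized-force":
        findings.append("AUTHORIZED_FORCE")  # authentication explicitly bypassed
    if s.get("method", "").replace("-", "") == "portbased":
        findings.append("PORT_BASED")        # first authenticated host opens the port for all
    if s.get("guest_vlan", "0") != "0":
        findings.append("GUEST_VLAN")        # unauthenticated hosts get a VLAN
    if s.get("handshake") == "disabled":
        findings.append("HANDSHAKE_OFF")     # departed supplicants are not detected
    return findings


def audit(text: str) -> Dict[str, List[str]]:
    """Map each port that has at least one finding to its finding codes."""
    global_enabled, ports = parse_display_dot1x(text)
    result: Dict[str, List[str]] = {}
    for port in ports:
        findings = audit_port(port, global_enabled)
        if findings:
            result[port.name] = findings
    return result
```

Feed it the saved output of `display dot1x` (without the interface argument, so every port is listed). A port that reports only DOT1X_DISABLED while 802.1x is enabled globally is the case the dot1x command's note warns about: the feature is on for the switch but not for that port, so the port is unprotected.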

1.1.9  dot1x quiet-period

Syntax

dot1x quiet-period

undo dot1x quiet-period

View

System view

Parameter

None

Description

Use the dot1x quiet-period command to enable the quiet timer function.

Use the undo dot1x quiet-period command to disable the function.

By default, the function is disabled.

After a supplicant fails the authentication, the authenticator refuses further authentication requests from the supplicant in the period specified by the quiet timer.

Related command: display dot1x, dot1x timer.

Example

# Enable the quiet timer.

<Sysname>system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x quiet-period

1.1.10  dot1x retry

Syntax

dot1x retry max-retry-value

undo dot1x retry

View

System view

Parameter

max-retry-value: Maximum number of attempts for sending authentication requests to an accessing user, in the range 1 to 10. The default is 2.

Description

Use the dot1x retry command to set the maximum number of attempts for sending authentication requests to an accessing user.

Use the undo dot1x retry command to restore the default.

Note that:

•  With max-retry-value set to 1, the authenticator sends an authentication request to an accessing user only once and does not retransmit it when no answer arrives. With the value set to 2, it retransmits once when no answer arrives, and so on.

•  After sending an authentication request, the authenticator waits for the period set by dot1x timer tx-period (for EAP-Request/Identity) or dot1x timer supp-timeout (for EAP-Request/Challenge). If no answer arrives within that period, max-retry-value decides whether the request is sent again.

•  This command applies to all ports.

Related command: display dot1x.

Example

# Set the maximum number of attempts for sending authentication requests to an accessing user as 9.

<Sysname>system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x retry 9

1.1.11  dot1x timer

Syntax

dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | tx-period tx-period-value | supp-timeout supp-timeout-value | server-timeout server-timeout-value }

undo dot1x timer { handshake-period | quiet-period | tx-period | supp-timeout | server-timeout }

View

System view

Parameter

handshake-period handshake-period-value: Sets the handshake timer. After a supplicant passes authentication, the authenticator sends to the supplicant handshake requests at this interval to check whether the supplicant is online. The argument ranges from 5 to 1024 seconds and defaults to 15 seconds.

quiet-period quiet-period-value: Sets the quiet timer. When a supplicant fails the authentication, the authenticator refuses further authentication requests from the supplicant in the period specified by the quiet timer. Note that this function is on a per-user basis. The argument ranges from 10 to 120 seconds and defaults to 60 seconds.

tx-period tx-period-value: Sets identity request timeout timer. Once an authenticator sends an EAP-Request/Identity frame to a supplicant, it starts this timer. If this timer expires but it receives no response from the supplicant, it retransmits the request. The argument ranges from 10 to 120 seconds and defaults to 30 seconds.

supp-timeout supp-timeout-value: Sets the password request timeout timer. Once an authenticator sends an EAP-Request/Challenge frame to a supplicant, it starts this timer. If this timer expires but it receives no response from the supplicant, it retransmits the request. The argument ranges from 10 to 120 seconds and defaults to 30 seconds.

server-timeout server-timeout-value: Sets the authentication server timeout timer. Once an authenticator sends a RADIUS Access-Request packet to the authentication server, it starts this timer. If this timer expires but it receives no response from the server, it retransmits the request. The argument ranges from 100 to 300 seconds and defaults to 100 seconds.

Description

Use the dot1x timer command to set 802.1x timers.

Use the undo dot1x timer command to restore the defaults for the timers.

Several timers are used in the 802.1x authentication process to guarantee that the accessing users, the authenticators, and the RADIUS server interact with each other in a reasonable manner. Some of the timers are configurable. This makes sense in some special or extreme network environments. Normally, leave the defaults unchanged.

Related command: display dot1x.

Example

# Set the authentication server timeout timer to 150 seconds.

<Sysname>system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x timer server-timeout 150

1.1.12  reset dot1x statistics

Syntax

reset dot1x statistics [ interface interface-list ]

View

User view

Parameter

interface interface-list: Ethernet interface list, in the format { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. A port range given without the to interface-type interface-number portion comprises only one port.

Description

Use the reset dot1x statistics command to clear 802.1x statistics.

With the interface interface-list argument specified, the command clears 802.1x statistics on the specified ports. With the argument unspecified, the command clears global 802.1x statistics and 802.1x statistics on all ports.

Related command: display dot1x.

Example

# Clear 802.1x statistics on port GigabitEthernet1/0/1.

<Sysname> reset dot1x statistics interface GigabitEthernet1/0/1

 


Chapter 2  HABP Configuration Commands

2.1  HABP Configuration Commands

2.1.1  display habp

Syntax

display habp

View

Any view

Parameter

None

Description

Use the display habp command to display HABP configuration and status information.

Example

# Display HABP configuration and status information.

<Sysname>system-view

System View: return to User View with Ctrl+Z.

[Sysname] display habp

Global HABP information:

    HABP Mode: Server

    Sending HABP request packets every 20 seconds

    Bypass VLAN: 2

Table 2-1 Description on the fields of the display habp command

Field | Description
HABP Mode | HABP mode of the switch: Server (HABP server) or Client (HABP client)
Sending HABP request packets every 20 seconds | Interval at which HABP request packets are sent (here, every 20 seconds)
Bypass VLAN | ID(s) of the VLAN(s) in which HABP request packets are sent

 

2.1.2  display habp table

Syntax

display habp table

View

Any view

Parameter

None

Description

Use the display habp table command to display the MAC address table maintained by HABP.

Example

# Display the MAC address table maintained by HABP.

<Sysname>system-view

System View: return to User View with Ctrl+Z.

[Sysname] display habp table

MAC             Holdtime  Receive Port

001f-3c00-0030  53        GigabitEthernet 1/0/1

Table 2-2 Description on the fields of the display habp table command

Field | Description
MAC | MAC addresses in the HABP MAC address table
Holdtime | Remaining hold time of the entry, in seconds. The initial value is three times the interval for sending HABP request packets; an entry that is not refreshed within its hold time is removed from the table.
Receive Port | Port on which the MAC address was learned

 

2.1.3  display habp traffic

Syntax

display habp traffic

View

Any view

Parameter

None

Description

Use the display habp traffic command to display statistics on HABP packets.

Example

# Display statistics on HABP packets.

<Sysname>system-view

System View: return to User View with Ctrl+Z.

[Sysname] display habp traffic

HABP counters :

    Packets output: 0, Input: 0

    ID error: 0, Type error: 0, Version error: 0

    Sent failed: 0

Table 2-3 Description on the fields of the display habp traffic command

Field | Description
Packets output | Number of HABP packets sent
Input | Number of HABP packets received
ID error | Number of HABP packets with ID errors
Type error | Number of HABP packets with type errors
Version error | Number of HABP packets with version errors
Sent failed | Number of HABP packets that failed to be sent

 

2.1.4  habp enable

Syntax

habp enable

undo habp enable

View

System view

Parameter

None

Description

Use the habp enable command to enable HABP for a switch.

Use the undo habp enable command to disable HABP for a switch.

By default, HABP is enabled on a switch.

A switch with 802.1x (or MAC authentication) enabled cannot manage the switches attached to it unless HABP is enabled.

In particular, when the cluster function and 802.1x (or MAC authentication) are enabled at the same time, the management device cannot manage the connected devices if HABP is not enabled. In this case, you must also enable HABP on the device.

Example

# Enable HABP.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] habp enable

2.1.5  habp server vlan

Syntax

habp server vlan vlan-id

undo habp server

View

System view

Parameter

vlan-id: VLAN ID, in the range 1 to 4094.

Description

Use the habp server vlan command to configure the switch to operate as an HABP server and to broadcast HABP packets in the specified VLAN.

Use the undo habp server command to restore the default HABP mode.

By default, a switch operates as an HABP client.

To configure a switch as an HABP server, enable HABP on it first (habp enable command). The habp server vlan command is accepted even when HABP is disabled, but it has no effect until HABP is enabled.

Example

# Specify the switch to operate as an HABP server and the HABP packets to be broadcast in VLAN 2.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] habp server vlan 2

2.1.6  habp timer

Syntax

habp timer interval-time

undo habp timer

View

System view

Parameter

interval-time: Interval (in seconds) at which HABP request packets are sent, in the range 5 to 600.

Description

Use the habp timer command to set the interval for a switch to send HABP request packets.

Use the undo habp timer command to revert to the default interval.

The default interval for a switch to send HABP request packets is 20 seconds.

Use these two commands on switches operating as HABP servers only.

Example

# Configure the switch to send HABP request packets every 50 seconds.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] habp timer 50

 


Chapter 3  MAC Authentication Configuration Commands

3.1  MAC Authentication Configuration Commands

3.1.1  display mac-authentication

Syntax

display mac-authentication [ interface interface-list ]

View

Any view

Parameter

interface interface-list: Ethernet interface list, in the format { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. A port range given without the to interface-type interface-number portion comprises only one port.

Description

Use the display mac-authentication command to display the global MAC authentication information or the MAC authentication information about specified interfaces.

Example

# Display the global MAC authentication information.

<Sysname> display mac-authentication
MAC address authentication is enabled.
          Offline detect period is 300s
          Quiet period is 1 minute(s).
          Server response timeout value is 100s
          Max allowed user number is 1024
          Current user number amounts to 0
          Current domain: not configured, use default domain

Silent Mac User info:
         MAC ADDR               From Port           Port Index

GigabitEthernet1/0/1 is link-up
  MAC address authentication  is enabled
  Authenticate success: 0, failed: 0
  Current online user number is 0
MAC ADDR         Authenticate state           AuthIndex

Table 3-1 Description on the fields of the display mac-authentication command

Field | Description
MAC address authentication is enabled | Whether MAC authentication is enabled globally
Offline detect period | Setting of the offline-detect timer
Quiet period | Setting of the quiet timer
Server response timeout value | Setting of the server timeout timer
Max allowed user number | Maximum number of MAC authentication users that the switch supports
Current user number amounts to | Total number of online users that have passed MAC authentication
Current domain | ISP domain currently used for MAC authentication
Silent Mac User info | Users kept silent after failing MAC authentication (not re-authenticated until the quiet timer expires)
GigabitEthernet1/0/1 is link-up | Link status of port GigabitEthernet1/0/1
MAC address authentication is enabled | Whether MAC authentication is enabled on port GigabitEthernet1/0/1
Authenticate success: 0, failed: 0 | Numbers of successful and failed MAC authentications on the port
Current online user number | Number of online users on the port
MAC ADDR | MAC address of an online user
Authenticate state | User status: CONNECTING (the user is logging in), SUCCESS (the user has passed authentication), FAILURE (the user failed authentication), or LOGOFF (the user has logged off)
AuthIndex | Authenticator index

 

3.1.2  mac-authentication

Syntax

mac-authentication [ interface interface-list ]

undo mac-authentication [ interface interface-list ]

View

System view/Ethernet port view

Parameter

interface interface-list: Ethernet interface list, in the format { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. A port range given without the to interface-type interface-number portion comprises only one port.

Description

Use the mac-authentication command in system view to enable MAC authentication globally.

Use the undo mac-authentication command in system view to disable MAC authentication globally.

Use the mac-authentication interface interface-list command in system view or the mac-authentication command in Ethernet port view to enable MAC authentication for specified ports.

Use the undo mac-authentication interface interface-list command in system view or the undo mac-authentication command in Ethernet port view to disable MAC authentication for specified ports.

By default, MAC authentication is neither enabled globally nor enabled for any port.

Note that:

•  MAC authentication must be enabled both globally (in system view) and on the intended ports (in system view or Ethernet interface view). Otherwise it does not take effect.

•  You can configure MAC authentication parameters either before or after enabling MAC authentication.

Example

# Enable MAC authentication for port GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] mac-authentication interface GigabitEthernet 1/0/1

# Enable MAC authentication globally.

[Sysname] mac-authentication

3.1.3  mac-authentication domain

Syntax

mac-authentication domain isp-name

undo mac-authentication domain

View

System view

Parameter

isp-name: ISP domain name, a string of 1 to 24 characters.

Description

Use the mac-authentication domain command to specify the ISP domain for MAC authentication.

Use the undo mac-authentication domain command to restore the default.

By default, the default ISP domain is used.

Example

# Specify the ISP domain for MAC authentication to be Cams.

<Sysname> system-view

[Sysname] mac-authentication domain Cams

3.1.4  mac-authentication timer

Syntax

mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | server-timeout server-timeout-value }

undo mac-authentication timer { offline-detect | quiet | server-timeout }

View

System view

Parameter

offline-detect offline-detect-value: Sets the offline-detect timer, the interval at which the switch checks whether a user has gone offline. Once detecting that a user has gone offline, the switch informs the RADIUS server to stop accounting for the user. The argument ranges from 1 to 300 seconds and defaults to 300 seconds.

quiet quiet-value: Sets the quiet timer. When a user fails MAC authentication, the switch does not attempt to authenticate that user again until the quiet timer expires. This timer is kept on a per-user basis. The argument ranges from 1 to 65535 minutes and defaults to 1 minute.

server-timeout server-timeout-value: Sets the server timeout timer. During authentication of a user, if the switch receives no response from the RADIUS server in this period, it assumes that its connection to the RADIUS server has timed out and forbids the user from accessing the network. The argument ranges from 1 to 300 seconds and defaults to 100 seconds.

Description

Use the mac-authentication timer command to set the MAC authentication timers.

Use the undo mac-authentication timer command to restore the defaults.

Related command: display mac-authentication.

Example

# Set the server timeout timer to 150 seconds.

<Sysname> system-view

[Sysname] mac-authentication timer server-timeout 150

 
