- H3C S3600 Series Ethernet Switches Command Manual-Release 1510(V1.04)
Table of Contents
Chapter 1 Centralized MAC Address Authentication Configuration Commands
1.1 Centralized MAC Address Authentication Configuration Commands
1.1.1 display mac-authentication
1.1.2 mac-authentication
1.1.3 mac-authentication interface
1.1.4 mac-authentication authmode usernameasmacaddress
1.1.5 mac-authentication authmode usernamefixed
1.1.6 mac-authentication authpassword
1.1.7 mac-authentication authusername
1.1.8 mac-authentication domain
1.1.9 mac-authentication timer
1.1.10 reset mac-authentication
Chapter 1 Centralized MAC Address Authentication Configuration Commands
1.1 Centralized MAC Address Authentication Configuration Commands
1.1.1 display mac-authentication
Syntax
display mac-authentication [ interface interface-list ]
View
Any view
Parameter
interface-list: List of Ethernet ports. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument.
Description
Use the display mac-authentication command to display global information about centralized MAC address authentication, including:
- The state of centralized MAC address authentication (enabled/disabled)
- Timer settings
- The number of online users
- The MAC addresses in quiet period
- MAC authentication information about each port
Example
# Display the global information about centralized MAC address authentication.
<H3C> display mac-authentication
mac address authentication is Enabled.
authentication mode is UsernameAsMacAddress
Fixed username:mac
Fixed password:not configured
offline detect period is 300s
quiet period is 60s.
server response timeout value is 100s
max allowed user number is 1024
current user number amounts to 1
current domain: not configured, use default domain
Silent Mac User info:
MAC ADDR From Port Port Index
Ethernet1/0/1 is link-up
MAC address authentication is Enabled
Authenticate success: 1, failed: 0
Current online user number is 1
MAC ADDR Authenticate state AuthIndex
000d-88f8-4e71 MAC_AUTHENTICATOR_SUCCESS 0
……
Table 1-1 Description on the fields of the display mac-authentication command
Field | Description |
---|---|
mac address authentication is Enabled | Centralized MAC address authentication is enabled. |
authentication mode | Centralized MAC address authentication mode. The default is the MAC address mode. |
Fixed username | User name used in the fixed mode, which defaults to mac. |
Fixed password | Password used in the fixed mode, which is not configured by default. |
offline detect period | Offline detect timer, which sets the time interval to check whether a user goes offline and defaults to 300 seconds. |
quiet period | Quiet timer, which sets the quiet period. A switch goes through a quiet period if a user fails to pass the MAC address authentication. The default value is 60 seconds. |
server response timeout value | Server timeout timer, which sets the timeout time for the connection between a switch and the RADIUS server. By default, it is 100 seconds. |
max allowed user number | The maximum number of users supported by the switch. It is 1,024 by default. |
current user number amounts to | The current number of users |
current domain | The current domain. It is not configured by default. |
Silent Mac User info | The information about the silent user. When a user fails to pass MAC address authentication because an incorrect user name and password were entered, the switch sets the user to the quiet state. During the quiet period, the switch does not process authentication requests from this user. |
Ethernet1/0/1 is link-up | The link connected to Ethernet1/0/1 port is up. |
MAC address authentication is Enabled | MAC address authentication is enabled for Ethernet1/0/1 port. |
Authenticate success: 1, failed: 0 | Statistics of the MAC address authentications performed on the port, including the numbers of successful and failed authentication operations. |
Current online user number | The number of users currently accessing the network through the port |
MAC ADDR | Peer MAC address |
Authenticate state | The state of the users accessing the network through the port, which can be: MAC_AUTHENTICATOR_CONNECTING (connecting); MAC_AUTHENTICATOR_SUCCESS (authentication passed); MAC_AUTHENTICATOR_FAILURE (failed to pass authentication); MAC_AUTHENTICATOR_LOGOFF (offline) |
AuthIndex | Index of the current MAC address with regard to the authentication port |
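The output described in Table 1-1 can be checked mechanically when many switches have to be reviewed. The following Python sketch is an added example, not part of the H3C manual: it parses display mac-authentication output into the global state, the silent users and the per-port sessions, then lists the items worth following up. The function names, ports 1/0/2 and 1/0/3, the layout of the silent-user row and the "Disabled" wording are assumptions made for the example.

```python
import re

MAC = r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}"
# Constructed sample in the layout of the page's example. The silent-user row,
# ports 1/0/2 and 1/0/3 and the "Disabled" wording are assumptions.
SAMPLE = """mac address authentication is Enabled.
Silent Mac User info:
MAC ADDR From Port Port Index
000f-e200-0001 Ethernet1/0/2 1
Ethernet1/0/1 is link-up
MAC address authentication is Enabled
Authenticate success: 1, failed: 0
MAC ADDR Authenticate state AuthIndex
000d-88f8-4e71 MAC_AUTHENTICATOR_SUCCESS 0
Ethernet1/0/2 is link-up
MAC address authentication is Enabled
Authenticate success: 0, failed: 3
MAC ADDR Authenticate state AuthIndex
000f-e200-0001 MAC_AUTHENTICATOR_FAILURE 0
Ethernet1/0/3 is link-up
MAC address authentication is Disabled
"""

def parse_mac_auth(text):
    """Parse the output; MAC rows before the first port header are silent users."""
    info, port = {"global": {}, "silent": [], "ports": {}}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"(\S+) is link-(\w+)$", line):
            port = info["ports"].setdefault(m[1], {"link": m[2], "users": []})
        elif m := re.match(rf"({MAC})\s+(\S+)\s+\d+$", line, re.I):
            rows = info["silent"] if port is None else port["users"]
            rows.append((m[1].lower(), m[2]))
        elif (m := re.match(r"Authenticate success: (\d+), failed: (\d+)", line)) and port:
            port["success"], port["failed"] = int(m[1]), int(m[2])
        elif line.lower().startswith("mac address authentication is"):
            scope = info["global"] if port is None else port
            scope["enabled"] = line.rstrip(".").lower().endswith("enabled")
    return info

def review(info):
    """Checks chosen for this example: coverage gaps and failed authentications."""
    out = [f"silent {mac} on {p}" for mac, p in info["silent"]]
    for name, p in info["ports"].items():
        if p["link"] == "up" and not p.get("enabled"):
            out.append(f"{name}: link-up without MAC authentication")
        if p.get("failed"):
            out.append(f"{name}: {p['failed']} failed authentications")
        out += [f"{name}: {mac} {st}" for mac, st in p["users"] if not st.endswith("_SUCCESS")]
    return out
```

Calling review(parse_mac_auth(SAMPLE)) returns one line per finding; header rows and fields the parser does not recognise are skipped.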
1.1.2 mac-authentication
Syntax
mac-authentication
undo mac-authentication
View
System view, Ethernet port view
Parameter
None
Description
Use the mac-authentication command to enable centralized MAC address authentication globally or for a specified port.
Use the undo mac-authentication command to disable centralized MAC address authentication globally or for a specified port.
By default, centralized MAC address authentication is disabled both globally and for a port.
When being executed in system view, the mac-authentication command enables centralized MAC address authentication globally.
When being executed in Ethernet port view, the mac-authentication command enables centralized MAC address authentication for the current port.
Note:
You can configure other MAC address authentication-related attributes before or after you enable centralized MAC address authentication globally or for a port. With the attributes not configured, the defaults are adopted when you enable centralized MAC address authentication.
Example
# Enable centralized MAC address authentication globally.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] mac-authentication
MAC-Authentication is already enabled globally.
# Enable centralized MAC address authentication for Ethernet1/0/1 port.
[H3C] interface Ethernet 1/0/1
[H3C-Ethernet1/0/1] mac-authentication
1.1.3 mac-authentication interface
Syntax
mac-authentication interface interface-list
undo mac-authentication interface interface-list
View
System view
Parameter
interface-list: List of Ethernet ports. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument.
Description
Use the mac-authentication interface command to enable the centralized MAC address authentication for specified ports.
Use the undo mac-authentication interface command to disable the centralized MAC address authentication on specified ports.
By default, centralized MAC address authentication is disabled on a port.
Note:
- For the centralized MAC address authentication configuration to take effect on a port, you need to enable centralized MAC address authentication for the port after you enable centralized MAC address authentication globally.
- The configuration of the maximum number of learned MAC addresses (configured through the mac-address max-mac-count command) is unavailable for ports with centralized MAC address authentication enabled. Similarly, centralized MAC address authentication is unavailable for ports with the maximum number of learned MAC addresses configured.
Example
# Enable centralized MAC address authentication for Ethernet1/0/1 port.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] mac-authentication interface Ethernet 1/0/1
1.1.4 mac-authentication authmode usernameasmacaddress
Syntax
mac-authentication authmode usernameasmacaddress [ usernameformat { with-hyphen | without-hyphen } ]
undo mac-authentication authmode
View
System view
Parameter
usernameformat: Specifies the input format of the username and password.
with-hyphen: Uses hyphened MAC addresses as usernames and passwords, 00-05-e0-1c-02-e3 for example.
without-hyphen: Uses MAC addresses without hyphens as usernames and passwords, 0005e01c02e3 for example.
Description
Use the mac-authentication authmode usernameasmacaddress command to specify the centralized MAC address authentication mode as MAC address.
Use the undo mac-authentication authmode command to restore the default centralized MAC address authentication mode.
By default, the MAC address mode is adopted for the centralized MAC address authentication.
Example
# Specify centralized MAC address authentication mode as MAC address, using hyphened MAC addresses as the usernames and passwords.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] mac-authentication authmode usernameasmacaddress usernameformat with-hyphen
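In MAC address mode, the accounts on the RADIUS server have to be stored in the same format that usernameformat selects, or authentication fails for every device. The following Python helper is an added example, not part of the H3C manual: it converts MAC addresses from common notations, including the 000d-88f8-4e71 form shown in the switch's display output, into either format. The function names and the lowercase output (taken from the two examples in the parameter description) are assumptions.

```python
import re

def radius_username(mac, fmt):
    """Render a MAC address in one of the two usernameformat styles.

    Separators '-', ':' and '.' are ignored on input, so the switch's
    000d-88f8-4e71 notation and 00:0d:88:f8:4e:71 give the same result.
    Lowercase output follows the page's examples (assumption).
    """
    digits = re.sub(r"[-:.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    if fmt == "without-hyphen":
        return digits
    if fmt == "with-hyphen":
        return "-".join(digits[i:i + 2] for i in range(0, 12, 2))
    raise ValueError(f"unknown usernameformat: {fmt!r}")

def radius_accounts(macs, fmt):
    """Build (username, password) pairs for the RADIUS user database.

    In MAC address mode the same string is used as user name and password.
    The same device listed twice in different notations yields one account.
    """
    names = sorted({radius_username(m, fmt) for m in macs})
    return [(n, n) for n in names]
```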
1.1.5 mac-authentication authmode usernamefixed
Syntax
mac-authentication authmode usernamefixed
undo mac-authentication authmode
View
System view
Parameter
None
Description
Use the mac-authentication authmode usernamefixed command to specify the centralized MAC address authentication mode as fixed mode.
Use the undo mac-authentication authmode command to restore the default centralized MAC address authentication mode.
By default, the MAC address mode is adopted.
Example
# Specify centralized MAC address authentication mode as fixed mode.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] mac-authentication authmode usernamefixed
1.1.6 mac-authentication authpassword
Syntax
mac-authentication authpassword password
undo mac-authentication authpassword
View
System view
Parameter
password: Password to be set, a string comprising 1 to 63 characters.
Description
Use the mac-authentication authpassword command to set a password for centralized MAC address authentication when the fixed mode is adopted.
Use the undo mac-authentication authpassword command to cancel the configured password.
By default, no fixed password is configured.
Example
# Set the password to mac.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] mac-authentication authpassword mac
1.1.7 mac-authentication authusername
Syntax
mac-authentication authusername username
undo mac-authentication authusername
View
System view
Parameter
username: User name to be set, a string comprising 1 to 55 characters.
Description
Use the mac-authentication authusername command to set a user name when the fixed mode is adopted.
Use the undo mac-authentication authusername command to restore the default user name.
By default, the user name used in MAC address authentication (in the fixed mode) is mac.
Example
# Set the user name to vipuser for fixed mode.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] mac-authentication authusername vipuser
1.1.8 mac-authentication domain
Syntax
mac-authentication domain isp-name
undo mac-authentication domain
View
System view
Parameter
isp-name: ISP domain name, a string comprising up to 24 characters. Note that this argument cannot be null and cannot contain these characters: “/”, “:”, “*”, “?”, “<”, and “>”.
Description
Use the mac-authentication domain command to configure an ISP domain for centralized MAC address authentication.
Use the undo mac-authentication domain command to restore the default ISP domain for centralized MAC address authentication.
By default, the domain for centralized MAC address authentication is not configured, and the “default domain” is used as the ISP domain name.
Example
# Configure the domain for centralized MAC address authentication to be Cams.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] mac-authentication domain Cams
1.1.9 mac-authentication timer
Syntax
mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | server-timeout server-timeout-value }
undo mac-authentication timer { offline-detect | quiet | server-timeout }
View
System view
Parameter
offline-detect-value: Offline detect timer (in seconds) setting. This argument ranges from 1 to 65,535 and defaults to 300. The offline detect timer sets the time interval for a switch to test whether a user goes offline.
quiet-value: Quiet timer (in seconds) setting. This argument ranges from 1 to 3,600 and defaults to 60. After a user fails to pass the authentication performed by a switch, the switch quiets for a specific period (the quiet period) before it authenticates the user again.
server-timeout-value: Server timeout timer setting (in seconds). This argument ranges from 1 to 65,535 and defaults to 100. During authentication, the switch prohibits a user from accessing the network through the corresponding port if the connection between the switch and the RADIUS server times out.
Description
Use the mac-authentication timer command to configure the timers used in centralized MAC address authentication.
Use the undo mac-authentication timer command to restore a timer to its default setting.
Related command: display mac-authentication.
Example
# Set the server timeout timer to 150 seconds.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] mac-authentication timer server-timeout 150
1.1.10 reset mac-authentication
Syntax
reset mac-authentication statistics [ interface interface-type interface-number ]
View
User view
Parameter
interface-type: Port type.
interface-number: Port number.
Description
Use the reset mac-authentication command to clear the centralized MAC address authentication statistics. If you execute this command with the interface keyword specified, the centralized MAC address authentication statistics of the specified port are cleared. If the keyword is not specified, the command clears the global centralized MAC address authentication statistics.
Example
# Clear the centralized MAC address authentication statistics of Ethernet1/0/1 port.
<H3C> reset mac-authentication statistics interface Ethernet 1/0/1