H3C S3600 Series Ethernet Switches Command Manual-Release 1510(V1.04)

22-Centralized MAC Address Authentication Command

Chapter 1  Centralized MAC Address Authentication Configuration Commands

1.1  Centralized MAC Address Authentication Configuration Commands

1.1.1  display mac-authentication

Syntax

display mac-authentication [ interface interface-list ]

View

Any view

Parameter

interface-list: List of Ethernet ports. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument.

Description

Use the display mac-authentication command to display global information about centralized MAC address authentication, including:

• The state of centralized MAC address authentication (enabled/disabled)

• Timer settings

• The number of online users

• The MAC addresses in quiet period

• MAC authentication information about each port

Example

# Display the global information about centralized MAC address authentication.

<H3C> display mac-authentication

mac address authentication is Enabled.

 authentication mode is UsernameAsMacAddress

 Fixed username:mac

 Fixed password:not configured

         offline detect period is 300s

         quiet period is 60s.

         server response timeout value  is 100s

         max allowed user number is 1024

         current user number amounts to  1

         current domain: not configured, use default domain

Silent Mac User info:

         MAC ADDR             From Port               Port Index

Ethernet1/0/1 is link-up

  MAC address authentication  is Enabled

  Authenticate success: 1, failed: 0

  Current online user number is 1

    MAC ADDR         Authenticate state           AuthIndex

000d-88f8-4e71   MAC_AUTHENTICATOR_SUCCESS     0

……

Table 1-1 Description on the fields of the display mac-authentication command

| Field | Description |
|---|---|
| mac address authentication is Enabled | Centralized MAC address authentication is enabled. |
| authentication mode | Centralized MAC address authentication mode. The default is the MAC address mode. |
| Fixed username | User name used in the fixed mode, which defaults to mac. |
| Fixed password | Password used in the fixed mode, which is not configured by default. |
| offline detect period | Offline detect timer, which sets the time interval to check whether a user goes offline and defaults to 300 seconds. |
| quiet period | Quiet timer, which sets the quiet period. A switch goes through a quiet period if a user fails to pass the MAC address authentication. The default value is 60 seconds. |
| server response timeout value | Server timeout timer, which sets the timeout time for the connection between a switch and the RADIUS server. By default, it is 100 seconds. |
| max allowed user number | The maximum number of users supported by the switch. It is 1,024 by default. |
| current user number amounts to | The current number of users. |
| current domain | The current domain. It is not configured by default. |
| Silent Mac User info | Information about silent users. When a user fails to pass MAC address authentication because of an incorrect user name and password, the switch places the user in the quiet state. During the quiet period, the switch does not process authentication requests from this user. |
| Ethernet1/0/1 is link-up | The link connected to Ethernet1/0/1 port is up. |
| MAC address authentication is Enabled | MAC address authentication is enabled for Ethernet1/0/1 port. |
| Authenticate success: 1, failed: 0 | Statistics of the MAC address authentications performed on the port, including the numbers of successful and failed authentication operations. |
| Current online user number | The number of users currently accessing the network through the port. |
| MAC ADDR | Peer MAC address. |
| Authenticate state | The state of the users accessing the network through the port, which can be: MAC_AUTHENTICATOR_CONNECTING (connecting), MAC_AUTHENTICATOR_SUCCESS (authentication passed), MAC_AUTHENTICATOR_FAILURE (failed to pass authentication), MAC_AUTHENTICATOR_LOGOFF (offline). |
| AuthIndex | Index of the current MAC address with regard to the authentication port. |
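The per-port fields described above can be collected from saved command output and screened for ports with failed authentications or users outside the MAC_AUTHENTICATOR_SUCCESS state. The following Python is an added example, not part of the H3C manual; the sample text is constructed in the layout of the example output, and its second port and failed entry are invented for illustration.

```python
import re

# Constructed sample in the layout of the example output above; the second
# port and its failed entry are invented for illustration.
SAMPLE = """\
mac address authentication is Enabled.
 authentication mode is UsernameAsMacAddress
Ethernet1/0/1 is link-up
  MAC address authentication  is Enabled
  Authenticate success: 1, failed: 0
  Current online user number is 1
    MAC ADDR         Authenticate state           AuthIndex
000d-88f8-4e71   MAC_AUTHENTICATOR_SUCCESS     0
Ethernet1/0/2 is link-up
  MAC address authentication  is Enabled
  Authenticate success: 0, failed: 3
  Current online user number is 0
    MAC ADDR         Authenticate state           AuthIndex
000d-88f8-4e72   MAC_AUTHENTICATOR_FAILURE     0
"""

PORT_RE = re.compile(r"^(\S+) is link-(\w+)\s*$")
STAT_RE = re.compile(r"Authenticate success:\s*(\d+),\s*failed:\s*(\d+)")
USER_RE = re.compile(
    r"^\s*((?:[0-9a-f]{4}-){2}[0-9a-f]{4})\s+(MAC_AUTHENTICATOR_\w+)\s+(\d+)\s*$", re.I)

def parse_ports(text):
    """Return {port: {link, success, failed, users: [(mac, state, auth_index)]}}."""
    ports, cur = {}, None
    for line in text.splitlines():
        if m := PORT_RE.match(line):
            cur = ports.setdefault(m.group(1), {"link": m.group(2), "success": 0, "failed": 0, "users": []})
        elif cur is None:
            continue  # global section before the first port block is skipped
        elif m := STAT_RE.search(line):
            cur["success"], cur["failed"] = int(m.group(1)), int(m.group(2))
        elif m := USER_RE.match(line):
            cur["users"].append((m.group(1).lower(), m.group(2), int(m.group(3))))
    return ports

def findings(ports):
    """Ports to review: a non-zero failed counter or a user not in the SUCCESS state."""
    out = []
    for name, p in ports.items():
        bad = [mac for mac, state, _ in p["users"] if state != "MAC_AUTHENTICATOR_SUCCESS"]
        if p["failed"] or bad:
            out.append((name, p["failed"], bad))
    return out
```

Calling findings(parse_ports(SAMPLE)) reports only Ethernet1/0/2, with its failure count and the MAC address that did not authenticate.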

 

1.1.2  mac-authentication

Syntax

mac-authentication

undo mac-authentication

View

System view, Ethernet port view

Parameter

None

Description

Use the mac-authentication command to enable centralized MAC address authentication globally or for a specified port.

Use the undo mac-authentication command to disable centralized MAC address authentication globally or for a specified port.

By default, centralized MAC address authentication is disabled both globally and for a port.

When executed in system view, the mac-authentication command enables centralized MAC address authentication globally.

When executed in Ethernet port view, the mac-authentication command enables centralized MAC address authentication for the current port.

 

Note:

You can configure other MAC address authentication-related attributes before or after you enable centralized MAC address authentication globally or for a port. With the attributes not configured, the defaults are adopted when you enable centralized MAC address authentication.

 

Example

# Enable centralized MAC address authentication globally.

<H3C> system-view

System View: return to User View with Ctrl+Z.  

[H3C] mac-authentication

  MAC-Authentication is already enabled globally.

# Enable centralized MAC address authentication for Ethernet1/0/1 port.

[H3C] interface Ethernet 1/0/1

[H3C-Ethernet1/0/1] mac-authentication

1.1.3  mac-authentication interface

Syntax

mac-authentication interface interface-list

undo mac-authentication interface interface-list

View

System view

Parameter

interface-list: List of Ethernet ports. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument.

Description

Use the mac-authentication interface command to enable the centralized MAC address authentication for specified ports.

Use the undo mac-authentication interface command to disable the centralized MAC address authentication on specified ports.

By default, centralized MAC address authentication is disabled on a port.

 

Note:

• For the centralized MAC address authentication configuration to take effect on a port, you need to enable centralized MAC address authentication for the port after you enable centralized MAC address authentication globally.

• The configuration of the maximum number of learned MAC addresses (configured through the mac-address max-mac-count command) is unavailable for ports with centralized MAC address authentication enabled. Similarly, centralized MAC address authentication is unavailable for ports with the maximum number of learned MAC addresses configured.

 

Example

# Enable centralized MAC address authentication for Ethernet1/0/1 port.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] mac-authentication interface Ethernet 1/0/1

1.1.4  mac-authentication authmode usernameasmacaddress

Syntax

mac-authentication authmode usernameasmacaddress [ usernameformat { with-hyphen | without-hyphen } ]

undo mac-authentication authmode

View

System view

Parameter

usernameformat: Specifies the input format of the username and password.

with-hyphen: Uses hyphenated MAC addresses as usernames and passwords, for example 00-05-e0-1c-02-e3.

without-hyphen: Uses MAC addresses without hyphens as usernames and passwords, for example 0005e01c02e3.

Description

Use the mac-authentication authmode usernameasmacaddress command to specify the centralized MAC address authentication mode as MAC address.

Use the undo mac-authentication authmode command to restore the default centralized MAC address authentication mode.

By default, the MAC address mode is adopted for the centralized MAC address authentication.

Example

# Specify centralized MAC address authentication mode as MAC address, using hyphenated MAC addresses as the usernames and passwords.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] mac-authentication authmode usernameasmacaddress usernameformat with-hyphen

1.1.5  mac-authentication authmode usernamefixed

Syntax

mac-authentication authmode usernamefixed

undo mac-authentication authmode

View

System view

Parameter

None

Description

Use the mac-authentication authmode usernamefixed command to specify the centralized MAC address authentication mode as fixed mode.

Use the undo mac-authentication authmode command to restore the default centralized MAC address authentication mode.

By default, the MAC address mode is adopted.

Example

# Specify centralized MAC address authentication mode as fixed mode.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] mac-authentication authmode usernamefixed

1.1.6  mac-authentication authpassword

Syntax

mac-authentication authpassword password

undo mac-authentication authpassword

View

System view

Parameter

password: Password to be set, a string comprising 1 to 63 characters.

Description

Use the mac-authentication authpassword command to set a password for centralized MAC address authentication when the fixed mode is adopted.

Use the undo mac-authentication authpassword command to cancel the configured password.

By default, no fixed password is configured.

Example

# Set the password to mac.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] mac-authentication authpassword mac

1.1.7  mac-authentication authusername

Syntax

mac-authentication authusername username

undo mac-authentication authusername

View

System view

Parameter

username: User name to be set, a string comprising 1 to 55 characters.

Description

Use the mac-authentication authusername command to set a user name when the fixed mode is adopted.

Use the undo mac-authentication authusername command to restore the default user name.

By default, the user name used in MAC address authentication (in the fixed mode) is mac.

Example

# Set the user name to vipuser for fixed mode.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] mac-authentication authusername vipuser

1.1.8  mac-authentication domain

Syntax

mac-authentication domain isp-name

undo mac-authentication domain

View

System view

Parameter

isp-name: ISP domain name, a string comprising up to 24 characters. Note that this argument cannot be null and cannot contain these characters: “/”, “:”, “*”, “?”, “<”, and “>”.

Description

Use the mac-authentication domain command to configure an ISP domain for centralized MAC address authentication.

Use the undo mac-authentication domain command to restore the default ISP domain for centralized MAC address authentication.

By default, the domain for centralized MAC address authentication is not configured, and the “default domain” is used as the ISP domain name.

Example

# Configure the domain for centralized MAC address authentication to be Cams.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] mac-authentication domain Cams

1.1.9  mac-authentication timer

Syntax

mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | server-timeout server-timeout-value }

undo mac-authentication timer { offline-detect | quiet | server-timeout }

View

System view

Parameter

offline-detect-value: Offline detect timer (in seconds) setting. This argument ranges from 1 to 65,535 and defaults to 300. The offline detect timer sets the time interval for a switch to test whether a user goes offline.

quiet-value: Quiet timer (in seconds) setting. This argument ranges from 1 to 3,600 and defaults to 60. After a user fails to pass the authentication performed by a switch, the switch quiets for a specific period (the quiet period) before it authenticates the user again.

server-timeout-value: Server timeout timer setting (in seconds). This argument ranges from 1 to 65,535 and defaults to 100. During authentication, the switch prohibits a user from accessing the network through the corresponding port if the connection between the switch and the RADIUS server times out.

Description

Use the mac-authentication timer command to configure the timers used in centralized MAC address authentication.

Use the undo mac-authentication timer command to restore a timer to its default setting.

Related command: display mac-authentication.

Example

# Set the server timeout timer to 150 seconds.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] mac-authentication timer server-timeout 150

1.1.10  reset mac-authentication

Syntax

reset mac-authentication statistics [ interface interface-type interface-number ]

View

User view

Parameter

interface-type: Port type.

interface-number: Port number.

Description

Use the reset mac-authentication command to clear the centralized MAC address authentication statistics. If you execute this command with the interface keyword specified, the centralized MAC address authentication statistics of the specified port are cleared. If the keyword is not specified, the command clears the global centralized MAC address authentication statistics.

Example

# Clear the centralized MAC address authentication statistics of Ethernet1/0/1 port.

<H3C> reset mac-authentication statistics interface Ethernet 1/0/1
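The argument limits given in this chapter (timer ranges, password, user name and domain lengths, forbidden domain characters) and the restriction that mac-address max-mac-count and MAC authentication cannot share a port can be checked offline against a list of commands before they are applied. The following Python is an added example, not H3C code; the configuration excerpt is constructed, its indented port-view layout is an assumption, and the interface-list form used in system view is not expanded.

```python
# Limits taken from the parameter descriptions in this chapter.
MAX_LEN = {"authpassword": 63, "authusername": 55, "domain": 24}
TIMER_MAX = {"offline-detect": 65535, "quiet": 3600, "server-timeout": 65535}
DOMAIN_FORBIDDEN = set('/:*?<>')

# Constructed excerpt; the layout (port-view commands indented under an
# "interface" line) is an assumption of this example.
CONFIG = """\
mac-authentication
mac-authentication authmode usernamefixed
mac-authentication authusername vipuser
mac-authentication domain Ca:ms
mac-authentication timer quiet 7200
mac-authentication timer server-timeout 150
interface Ethernet 1/0/1
 mac-authentication
interface Ethernet 1/0/2
 mac-address max-mac-count 10
 mac-authentication
"""

def check_config(text):
    """Return [(line_no, message)] for commands that break the documented limits."""
    issues, port, feats = [], None, {}
    for no, raw in enumerate(text.splitlines(), 1):
        w = raw.split()
        if not w:
            continue
        if w[0] == "interface":
            port = "".join(w[1:])  # "Ethernet 1/0/1" -> "Ethernet1/0/1"
            continue
        if not raw[0].isspace():
            port = None  # unindented line: back in system view
        if port and (w == ["mac-authentication"] or w[:2] == ["mac-address", "max-mac-count"]):
            seen = feats.setdefault(port, set())
            if seen and w[0] not in seen:
                issues.append((no, f"{port}: mac-authentication and max-mac-count both set"))
            seen.add(w[0])
        if w[0] != "mac-authentication" or len(w) < 3:
            continue
        key, arg = w[1], w[-1]
        if key == "timer" and w[2] in TIMER_MAX:
            if not (arg.isdecimal() and 1 <= int(arg) <= TIMER_MAX[w[2]]):
                issues.append((no, f"{w[2]} timer outside 1-{TIMER_MAX[w[2]]}"))
        elif key in MAX_LEN and len(arg) > MAX_LEN[key]:
            issues.append((no, f"{key} longer than {MAX_LEN[key]} characters"))
        elif key == "domain" and DOMAIN_FORBIDDEN & set(arg):
            issues.append((no, "domain contains a forbidden character"))
    return issues
```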

 
