interface interface-list: Specifies an Ethernet port list, which can contain multiple Ethernet ports. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } & <1-10>, where interface-type represents the port type, interface-number represents the port number, and & <1-10> means that you can provide up to 10 port indexes/port index lists for this argument. The start port number must be smaller than the end number and the two ports must of the same type.

Description

Use the display dot1x command to display 802.1x session information, statistics, or configuration information of specified or all ports.

If you specify neither the sessions keyword nor the statistics keyword, the command displays all information about 802.1x, including session information, statistics, and configurations.

Related commands: reset dot1x statistics, dot1x, dot1x retry, dot1x max-user, dot1x port-control, dot1x port-method, dot1x timer.

Examples

# Display all information about 802.1x.

<Sysname> display dot1x

Global 802.1X protocol is enabled

CHAP authentication is enabled

Proxy trap checker is disabled

Proxy logoff checker is disabled

Configuration: Transmit Period 30 s, Handshake Period 15 s

Quiet Period 60 s, Quiet Period Timer is disabled

Supp Timeout 30 s, Server Timeout 100 s

The maximal retransmitting times 3

The maximum 802.1x user resource number is 1024 per slot

Total current used 802.1x resource number is 0

Ethernet3/1/1 is link-up

802.1X protocol is disabled

Proxy trap checker is disabled

Proxy logoff checker is disabled

Handshake is disabled

The port is an authenticator

Authenticate Mode is Auto

Port Control Type is Mac-based

Guest VLAN: 0

Max number of on-line users is 1024

EAPOL Packet: Tx 0, Rx 0

Sent EAP Request/Identity Packets : 0

EAP Request/Challenge Packets: 0

Received EAPOL Start Packets : 0

EAPOL LogOff Packets: 0

EAP Response/Identity Packets : 0

EAP Response/Challenge Packets: 0

Error Packets: 0

Controlled User(s) amount to 0

Table 1-1 Descriptions on the fields of the display dot1x command

Field	Description
Global 802.1X protocol is enabled	Indicates whether 802.1x is enabled
CHAP authentication is enabled	Indicates whether CHAP authentication is enabled
Proxy trap checker is disabled	Indicates whether the device is configured to send a trap packet when detecting that a user is trying to login through a proxy
Proxy logoff checker is disabled	Indicates whether the device is configured to get offline any user trying to login through a proxy
Transmit Period	Setting of the username request timeout timer
Handshake Period	Setting of the handshake timer
Quiet Period	Setting of the quiet timer
Quiet Period Timer is disabled	Indicates whether the quiet timer is enabled
Supp Timeout	Setting of the supplicant timeout timer
Server Timeout	Setting of the server timeout timer
The maximal retransmitting times	Maximum number of attempts for the authenticator to send authentication requests to the supplicant
The maximum 802.1x user resource number per slot	Maximum number of users supported per board
Total current used 802.1x resource number	Total number of online users
Ethernet3/1/1 is link-up	Status of port Ethernet 3/1/1
802.1X protocol is disabled	Indicates whether 802.1x is enabled on the port
Proxy trap checker is disabled	Indicates whether the port is configured to send a trap packet when detecting that a user is trying to login through a proxy
Proxy logoff checker is disabled	Indicates whether the port is configured to get offline any user trying to login through a proxy
Handshake is disabled	Indicates whether handshake is enabled on the port
The port is an authenticator	Role of the port
Authenticate Mode is Auto	Access control mode for the port
Port Control Type is Mac-based	Access control method for the port
Guest VLAN	Guest VLAN configured for the port. The value of 0 means that no guest VLAN is configured.
Max number of on-line users	Maximum number of users supported on the port
EAPOL Packet	Number of EAPOL packets received (Tx) or sent (Rx)
Sent EAP Request/Identity Packets	Number of EAP Request/Identity packets sent
EAP Request/Challenge Packets	Number of EAP Request/Challenge packets sent
EAP Success Packets	Number of EAP Success packets sent
Received EAPOL Start Packets	Number of EAPOL Start packets received
EAPOL LogOff Packets	Number of EAPOL LogOff packets received
EAP Response/Identity Packets	Number of EAP Response/Identity packets received
EAP Response/Challenge Packets	Number of EAP Response/Challenge packets received
Error Packets	Number of erroneous packets received
Controlled User(s) amount to 0	Number of controlled users on the port

1.1.3 dot1x

Syntax

In system view:

dot1x [ interface interface-list ]

undo dot1x [ interface interface-list ]

In Ethernet interface view:

dot1x

undo dot1x

View

System view, Ethernet interface view

Default Level

2: System level

Parameters

Description

Use the dot1x command in system view to enable 802.1x globally.

Use the undo dot1x command in system view to disable 802.1x globally.

Use the dot1x interface interface-list command in system view or the dot1x command in Ethernet interface view to enable 802.1x for specified ports.

Use the undo dot1x interface interface-list command in system view or the undo dot1x command in Ethernet interface view to disable 802.1x for specified ports.

By default, 802.1x is neither enabled globally nor enabled for any port.

Note that:

l 802.1x must be enabled both globally in system view and for the intended ports in system view or Ethernet interface view. Otherwise, it does not function.

l You can configure 802.1x parameters either before or after enabling 802.1x.

Related commands: display dot1x.

Examples

# Enable 802.1x for ports Ethernet 3/1/1, and Ethernet 3/1/5 to Ethernet 3/1/7.

<Sysname> system-view

[Sysname] dot1x interface ethernet 3/1/1 ethernet 3/1/5 to ethernet 3/1/7

<Sysname> system-view

[Sysname] interface ethernet 3/1/1

[Sysname-Ethernet3/1/1] dot1x

[Sysname-Ethernet3/1/1] quit

[Sysname] interface ethernet 3/1/5

[Sysname-Ethernet3/1/5] dot1x

[Sysname-Ethernet3/1/5] quit

[Sysname] interface ethernet 3/1/6

[Sysname-Ethernet3/1/6] dot1x

[Sysname-Ethernet3/1/6] quit

[Sysname] interface ethernet 3/1/7

[Sysname-Ethernet3/1/7] dot1x

# Enable 802.1x globally.

<Sysname> system-view

[Sysname] dot1x

1.1.4 dot1x authentication-method

Syntax

dot1x authentication-method { chap | eap | pap }

undo dot1x authentication-method

View

System view

Default Level

2: System level

Parameters

chap: Authenticates supplicants using CHAP.

eap: Authenticates supplicants using EAP.

pap: Authenticates supplicants using PAP.

Description

Use the dot1x authentication-method command to set the 802.1x authentication method.

Use the undo dot1x authentication-method command to restore the default.

By default, CHAP is used.

l The password authentication protocol (PAP) transports passwords in simple text.

l The challenge handshake authentication protocol (CHAP) transports only usernames over the network. Compared with PAP, CHAP provides better security.

l With EAP relay authentication, the authenticator encapsulates 802.1x user information in the EAP attributes of RADIUS packets and sends the packets to the RADIUS server for authentication; it does not need to repackage the EAP packets into standard RADIUS packets for authentication. In this case, you can configure the user-name-format command but it does not take effect. For information about the user-name-format command, refer to AAA RADIUS HWTACACS Commands in the Security Volume.

Note that:

l Local authentication supports only PAP and CHAP.

l For RADIUS authentication, the RADIUS server must be configured accordingly to support PAP, CHAP, or EAP authentication.

Related commands: display dot1x.

Examples

# Set the 802.1x authentication method to PAP.

<Sysname> system-view

[Sysname] dot1x authentication-method pap

1.1.5 dot1x guest-vlan

Syntax

In system view:

dot1x guest-vlan vlan-id [ interface interface-list ]

undo dot1x guest-vlan [ interface interface-list ]

In Ethernet interface view:

dot1x guest-vlan vlan-id

undo dot1x guest-vlan

View

System view, Ethernet interface view

Default Level

2: System level

Parameters

vlan-id: ID of the VLAN to be specified as the guest VLAN, in the range 1 to 4094.

Description

Use the dot1x guest-vlan command to configure the guest VLAN for specified or all ports.

Use the undo dot1x guest-vlan command to remove the guest VLAN(s) configured for specified or all ports.

By default, a port is configured with no guest VLAN.

In system view, this command configures guest VLAN for all Ethernet ports with interface-list not provided, and configures guest VLAN for specified with interface-list provided.

In Ethernet interface view, you cannot specify the interface-list argument and can only configure guest VLAN for the current port.

For the guest VLAN feature to take effect on a port, make sure that:

l 802.1x is enabled.

l The port access control method is set to portbased.

l The port access control mode is set to auto.

l The link type of the port is set to access.

Note that:

l You cannot delete a VLAN that has been configured as a guest VLAN.

l A super VLAN cannot be set as the guest VLAN. Similarly, a guest VLAN cannot be set as the super VLAN. For information about super VLAN, refer to VLAN Configuration in the Access Volume.

l The guest VLAN function does not apply to non-access interfaces.

l You cannot modify the access control method of a port configured with a guest VLAN.

Examples

# Specify port Ethernet 1/1/1 to use VLAN 999 as its guest VLAN.

<Sysname> system-view

[Sysname] dot1x guest-vlan 999 interface ethernet 1/1/1

# Specify ports Ethernet 1/1/2 to Ethernet 1/1/5 to use VLAN 10 as its guest VLAN.

<Sysname> system-view

[Sysname] dot1x guest-vlan 10 interface ethernet 1/1/1 to ethernet 1/1/5

# Specify all ports to use VLAN 7 as their guest VLAN.

<Sysname> system-view

[Sysname] dot1x guest-vlan 7

# Specify port Ethernet 1/1/7 to use VLAN 3 as its guest VLAN.

<Sysname> system-view

[Sysname] interface ethernet 1/1/7

[Sysname-Ethernet1/1/7] dot1x guest-vlan 3

1.1.6 dot1x handshake

Syntax

dot1x handshake

undo dot1x handshake

View

Ethernet interface view

Default Level

2: System level

Parameters

None

Description

Use the dot1x handshake command to enable the online user handshake function so that the device can periodically send handshake messages to the client to check whether a user is online.

Use the undo dot1x handshake command to disable the function.

By default, the function is enabled.

Note that the 802.1x proxy detection function depends on the online user handshake function. Be sure to enable handshake before enabling proxy detection and to disable proxy detection before disabling handshake.

Examples

# Enable online user handshake.

<Sysname> system-view

[Sysname] interface ethernet 0/4/1

[Sysname-Ethernet0/4/1] dot1x handshake

# Disable online user handshake.

<Sysname> system-view

[Sysname] interface ethernet 0/4/1

[Sysname-Ethernet0/4/1] undo dot1x handshake

1.1.7 dot1x max-user

Syntax

In system view:

dot1x max-user user-number [ interface interface-list ]

undo dot1x max-user [ interface interface-list ]

In Ethernet interface view:

dot1x max-user user-number

undo dot1x max-user

View

System view, Ethernet interface view

Default Level

2: System level

Parameters

user-number: Maximum number of users to be supported simultaneously. It ranges from 1 to 1024 and defaults to 1024.

Description

Use the dot1x max-user command to set the maximum number of users to be supported simultaneously for specified or all ports.

Use the undo dot1x max-user command to restore the default.

With no interface specified, the command sets the threshold for all ports.

Related commands: display dot1x.

Examples

# Set the maximum number of users for port Ethernet 3/1/1 to support simultaneously as 32.

<Sysname> system-view

[Sysname] dot1x max-user 32 interface ethernet 3/1/1

<Sysname> system-view

[Sysname] interface ethernet 3/1/1

[Sysname-Ethernet3/1/1] dot1x max-user 32

1.1.8 dot1x port-control

Syntax

In system view:

dot1x port-control { authorized-force | auto | unauthorized-force } [ interface interface-list ]

undo dot1x port-control [ interface interface-list ]

In Ethernet interface view:

dot1x port-control { authorized-force | auto | unauthorized-force }

undo dot1x port-control

View

System view, Ethernet interface view

Default Level

2: System level

Parameters

authorized-force: Places the specified or all ports in the state of authorized, allowing users of the ports to access the network without authentication.

auto: Places the specified or all ports in the state of unauthorized initially to allow only EAPOL frames to pass, and turns the ports into the state of authorized to allow access to the network after the users pass authentication. This is the most common choice.

unauthorized-force: Places the specified or all ports in the state of unauthorized, denying any access requests from users of the ports.

Description

Use the dot1x port-control command to set the access control mode for specified or all ports.

Use the undo dot1x port-control command to restore the default.

The default access control mode is auto.

Related commands: display dot1x.

Examples

# Set the access control mode of port Ethernet 3/1/1 to unauthorized-force.

<Sysname> system-view

[Sysname] dot1x port-control unauthorized-force interface ethernet 3/1/1

<Sysname> system-view

[Sysname] interface ethernet 3/1/1

[Sysname-Ethernet3/1/1] dot1x port-control unauthorized-force

1.1.9 dot1x port-method

Syntax

In system view:

dot1x port-method { macbased | portbased } [ interface interface-list ]

undo dot1x port-method [ interface interface-list ]

In Ethernet interface view:

dot1x port-method { macbased | portbased }

undo dot1x port-method

View

System view, Ethernet interface view

Default Level

2: System level

Parameters

macbased: Specifies to use the macbased authentication method. With this method, each user of a port must be authenticated separately, and when an authenticated user goes offline, no other users are affected.

portbased: Specifies to use the portbased authentication method. With this method, after the first user of a port passes authentication, all other users of the port can access the network without authentication, and when the first user goes offline, all other users get offline at the same time.

Description

Use the dot1x port-method command to set the access control method for specified or all ports.

Use the undo dot1x port-method command to restore the default.

The default access control method is macbased.

Related commands: display dot1x.

Examples

# Set the access control method to portbased for port Ethernet 3/1/1.

<Sysname> system-view

[Sysname] dot1x port-method portbased interface ethernet 3/1/1

<Sysname> system-view

[Sysname] interface ethernet 3/1/1

[Sysname-Ethernet3/1/1] dot1x port-method portbased

1.1.10 dot1x quiet-period

Syntax

dot1x quiet-period

undo dot1x quiet-period

View

System view

Default Level

2: System level

Parameters

None

Description

Use the dot1x quiet-period command to enable the quiet timer function.

Use the undo dot1x quiet-period command to disable the function.

By default, the function is disabled.

After a supplicant fails the authentication, the authenticator refuses further authentication requests from the supplicant in the period dictated by the quiet timer.

Related commands: display dot1x, dot1x timer.

Examples

# Enable the quiet timer.

<Sysname> system-view

[Sysname] dot1x quiet-period

1.1.11 dot1x retry

Syntax

dot1x retry max-retry-value

undo dot1x retry

View

System view

Default Level

2: System level

Parameters

max-retry-value: Maximum number of attempts to send an authentication request to a supplicant, in the range 1 to 10.

Description

Use the dot1x retry command to set the maximum number of attempts to send an authentication request to a supplicant.

Use the undo dot1x retry command to restore the default.

By default, the authenticator can send an authentication request to a supplicant for up to twice.

Note that:

l The dot1x retry command is used to set the maximum number of times that a switch sends request packets to a user. If you set the number to 1, the switch only sends request packets once, and 2 means that the switch sends request packets for second time if no response comes back, and so on.

l After sending an authentication request to a supplicant, the authenticator may retransmit the request if it does not receive any response at an interval specified by the dot1x timer tx-period tx-period-value command or the dot1x timer supp-timeout supp-timeout-value command. The number of retransmission attempts is one less than the value set by this command.

l This command applies to all ports.

Related commands: display dot1x.

Examples

# Set the maximum number of attempts to send an authentication request to a supplicant as 9.

<Sysname> system-view

[Sysname] dot1x retry 9

1.1.12 dot1x supp-proxy-check

Syntax

In system view:

dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]

undo dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]

In Ethernet interface view:

dot1x supp-proxy-check { logoff | trap }

undo dot1x supp-proxy-check { logoff | trap }

View

System view, Ethernet interface view

Default Level

2: System level

Parameters

logoff: Gets offline any user trying to login through a proxy.

trap: Sends a trap packet to the network management system when detecting that a user is trying to login through a proxy.

Description

Use the dot1x supp-proxy-check command to enable detection and control of users logging in through proxies for specified or all ports.

Use the undo dot1x supp-proxy-check command to disable the function for specified or all ports.

By default, the function is disabled.

Note that:

l This function requires the cooperation of the 802.1x client program developed by H3C.

l In system view, this command enables detection and control of users’ login for all ports with interface-list not provided, and enables detection and control of users’ login for specified with interface-list provided.

l In Ethernet interface view, you cannot specify the interface-list argument and can only enable detection and control of users’ login for the current port.

l This function must be enabled both globally in system view and for the intended ports in system view or Ethernet interface view. Otherwise, it does not work.

Related commands: display dot1x.

Examples

# Specify ports Ethernet 3/1/1 to 3/1/8 to get offline users trying to login through proxies.

<Sysname> system-view

[Sysname] dot1x supp-proxy-check logoff

[Sysname] dot1x supp-proxy-check logoff interface ethernet 3/1/1 to ethernet 3/1/8

# Specify port Ethernet 3/1/9 to send a trap packet when detecting that a user is trying to login through a proxy.

<Sysname> system-view

[Sysname] dot1x supp-proxy-check trap

[Sysname] dot1x supp-proxy-check trap interface ethernet 3/1/9

<Sysname> system-view

[Sysname] dot1x supp-proxy-check trap

[Sysname] interface ethernet 3/1/9

[Sysname-Ethernet3/1/9] dot1x supp-proxy-check trap

1.1.13 dot1x timer

Syntax

dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | server-timeout server-timeout-value | supp-timeout supp-timeout-value | tx-period tx-period-value }

undo dot1x timer { handshake-period | quiet-period | server-timeout | supp-timeout | tx-period }

View

System view

Default Level

2: System level

Parameters

handshake-period-value: Setting for the handshake timer in seconds. It ranges from 5 to 1024 and defaults to 15.

quiet-period-value: Setting for the quiet timer in seconds. It ranges from 10 to 120 and defaults to 60.

server-timeout-value: Setting for the server timeout timer in seconds. It ranges from 100 to 300 and defaults to 100.

supp-timeout-value: Setting for the supplicant timeout timer in seconds. It ranges from 10 to 120 and defaults to 30.

tx-period tx-period-value: Setting for the username request timeout timer in seconds. It ranges from 10 to 120 and defaults to 30.

Description

Use the dot1x timer command to set 802.1x timers.

Use the undo dot1x timer command to restore the defaults.

Several timers are used in the 802.1x authentication process to guarantee that the supplicants, the authenticators, and the RADIUS server interact with each other in a reasonable manner. You can use this command to set these timers:

l Handshake timer (handshake-period): After a supplicant passes authentication, the authenticator sends to the supplicant handshake requests at this interval to check whether the supplicant is online. If the authenticator receives no response after sending the allowed maximum number of handshake requests, it considers that the supplicant is offline.

l Quiet timer (quiet-period): When a supplicant fails the authentication, the authenticator refuses further authentication requests from the supplicant in this period of time.

l Server timeout timer (server-timeout): Once an authenticator sends a RADIUS Access-Request packet to the authentication server, it starts this timer. If this timer expires but it receives no response from the server, it retransmits the request.

l Supplicant timeout timer (supp-timeout): Once an authenticator sends an EAP-Request/MD5 Challenge frame to a supplicant, it starts this timer. If this timer expires but it receives no response from the supplicant, it retransmits the request.

l Username request timeout timer (tx-period): Once an authenticator sends an EAP-Request/Identity frame to a supplicant, it starts this timer. If this timer expires but it receives no response from the supplicant, it retransmits the request. In addition, to be compatible with clients that do not send EAPOL-Start requests unsolicitedly, the S9500 series multicasts EAP-Request/Identity frame periodically to detect the clients, with the multicast interval defined by tx-period.

Generally, it is unnecessary to change the timers unless in some special or extreme network environments. The change of a timer takes effect immediately.

Related commands: display dot1x.

Examples

# Set the server timeout timer to 150 seconds.

<Sysname> system-view

[Sysname] dot1x timer server-timeout 150

1.1.14 reset dot1x statistics

Syntax

reset dot1x statistics [ interface interface-list ]

View

User view

Default Level

2: System level

Parameters

Description

Use the reset dot1x statistics command to clear 802.1x statistics.

With the interface interface-list argument specified, the command clears 802.1x statistics on the specified ports. With the argument unspecified, the command clears global 802.1x statistics and 802.1x statistics on all ports.

This command does not apply to the port with MAC authentication enabled.

Related commands: display dot1x.

Examples

# Clear 802.1x statistics on port Ethernet 3/1/1.

<Sysname> reset dot1x statistics interface ethernet 3/1/1

H3C S9500 Command Manual-Release2132[V2.03]-07 Security Volume

Chapter 1 802.1x Configuration Commands

1.1 802.1x Configuration Commands

1.1.1 debugging dot1x

1.1.2 display dot1x

1.1.3 dot1x

1.1.4 dot1x authentication-method

1.1.5 dot1x guest-vlan

1.1.6 dot1x handshake

1.1.7 dot1x max-user

1.1.8 dot1x port-control

1.1.9 dot1x port-method

1.1.10 dot1x quiet-period

1.1.11 dot1x retry

1.1.12 dot1x supp-proxy-check

1.1.13 dot1x timer

1.1.14 reset dot1x statistics

Cloud & AI

Intelligent Connection

Intelligent Computing

Security

SMB Products

Intelligent Terminal Products

Industry Solutions

Product Support Services

Technical Service Solutions

Resource Center

Policy

Online Help

Training & Certification

Become a Partner

Partner Policy & Program

Global Learning

Partner Sales Resources

Partner Business Management

Service Business

Profile

News & Events

Online Exhibition Center

Contact Us