H3C S9500 Command Manual-Release2132[V2.03]-07 Security Volume


Chapter 1  MAC Authentication Configuration Commands

1.1  MAC Authentication Configuration Commands

1.1.1  debugging mac-authentication event

Syntax

debugging mac-authentication event [ slot slot-number ]

undo debugging mac-authentication event [ slot slot-number ]

View

User view

Default Level

1: Monitor level

Parameters

slot slot-number: Enables MAC authentication event debugging for the service board in the specified slot.

Description

Use the debugging mac-authentication event command to enable event debugging for centralized MAC authentication.

Use the undo debugging mac-authentication event command to disable event debugging for centralized MAC authentication.

By default, event debugging for MAC authentication is disabled.

Examples

# Enable event debugging for centralized MAC authentication.

<Sysname> debugging mac-authentication event

1.1.2  display mac-authentication

Syntax

display mac-authentication [ interface interface-list ]

View

Any view

Default Level

2: System level

Parameters

interface interface-list: Specifies an Ethernet port list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. A port range defined without the to interface-type interface-number portion comprises only one port. With an interface range, the end interface number and the start interface number must be of the same type and the former must be greater than the latter.

Description

Use the display mac-authentication command to display global MAC authentication information or MAC authentication information about specified ports.

Examples

# Display global MAC authentication information.

<Sysname> display mac-authentication

MAC address authentication is enabled.

User name format is MAC address, like xxxxxxxxxxxx

 Fixed username: Not configured

 Fixed password: Not configured

          Offline detect period is 180s

          Quiet period is 3 minute(s).

          Server response timeout value is 100s

          The max allowed user number is 1024 per slot

          Current user number amounts to 0

          Current domain is aabbcc.net

Silent MAC User info:

          MAC ADDR             From Port               Port Index

GigabitEthernet4/2/1 is link-up

  MAC address authentication is enabled

  Current online user number is 0

    MAC ADDR         Authenticate state           AuthIndex

GigabitEthernet4/2/2 is link-down

  MAC address authentication is enabled

  Authenticate success: 0, failed: 0

  Current online user number is 0

    MAC ADDR         Authenticate state           AuthIndex

……(omitted)

Table 1-1 Description on the fields of the display mac-authentication command

Field | Description
MAC address authentication is enabled | Whether MAC authentication is enabled
User name format is MAC address, like xxxxxxxxxxxx | Username format used for MAC authentication (here the user's MAC address without hyphens)
Fixed username: | Fixed username
Fixed password: | Password of the fixed username
Offline detect period | Offline detect timer. It sets the interval for checking whether a user is offline and defaults to 300 seconds.
Quiet period | Quiet timer. It is the period during which the switch stays quiet before reinitiating authentication of a user whose authentication has failed.
Server response timeout value | Server connection timeout timer. It sets the timeout for the connection between the switch and the RADIUS server.
The max allowed user number | Maximum number of MAC-authenticated users that each slot in the switch supports
Current user number amounts to | Total number of online users
Current domain: not configured, use default domain | ISP domain currently in use
Silent MAC User info | Information on users who are kept silent after failing MAC authentication
Ethernet1/1/1 is link-up | Status of the link on port Ethernet 1/1/1
MAC address authentication is enabled | Whether MAC authentication is enabled on port Ethernet 1/1/1
Authenticate success: 0, failed: 0 | MAC authentication statistics: the number of successful authentication attempts and the number of failed attempts
Current online user number | Number of online users on the port
MAC ADDR | Online user MAC address
Authenticate state | User status. Possible values are CONNECTING (the user is logging in), SUCCESS (the user has passed authentication), FAILURE (the user failed authentication), and LOGOFF (the user has logged off).
AuthIndex | Authenticator index
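As an added example (not part of the H3C manual), the following Python parses display mac-authentication output in the layout shown above into a global-settings dict and a per-port dict, then flags ports whose failed-authentication counter has climbed, which is the figure a monitoring job would watch. The sample text and the counter values in it are constructed, and the dictionary keys and function names are this example's own.

```python
import re
# Constructed sample laid out like the manual's display mac-authentication output
SAMPLE = """\
MAC address authentication is enabled.
 Fixed username: Not configured
          Offline detect period is 180s
          Quiet period is 3 minute(s).
          Server response timeout value is 100s
          Current domain is aabbcc.net
GigabitEthernet4/2/1 is link-up
  Authenticate success: 12, failed: 7
  Current online user number is 1
GigabitEthernet4/2/2 is link-down
  Authenticate success: 0, failed: 0
  Current online user number is 0
"""

PORT_RE = re.compile(r"^(\S+) is link-(up|down)$")  # opens a per-port block
GLOBAL_RE = {  # fields of the global header, keyed by this example's own names
    "offline_detect_s": r"Offline detect period is (\d+)s",
    "quiet_min": r"Quiet period is (\d+) minute",
    "server_timeout_s": r"Server response timeout value is (\d+)s",
    "domain": r"Current domain is (\S+)",
    "fixed_username": r"Fixed username: (.+?)\s*$",
}
PORT_FIELDS = {
    "success": r"Authenticate success: (\d+)",
    "failed": r"failed: (\d+)",
    "online": r"Current online user number is (\d+)",
}

def parse_display_mac_authentication(text):
    """Return (global_settings, per_port) parsed from the command output."""
    glob, ports, port = {}, {}, None
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            port = ports.setdefault(m.group(1), {"link": m.group(2)})
            continue
        target, fields = (port, PORT_FIELDS) if port is not None else (glob, GLOBAL_RE)
        for key, pattern in fields.items():
            mm = re.search(pattern, line)
            if mm:
                value = mm.group(1)
                target[key] = int(value) if value.isdigit() else value
    return glob, ports

def ports_with_failures(ports, threshold=5):
    """Ports whose failed counter reached the threshold; worth a look before the quiet timer masks them."""
    return sorted(p for p, d in ports.items() if d.get("failed", 0) >= threshold)
```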

1.1.3  mac-authentication

Syntax

In system view:

mac-authentication [ interface interface-list ]

undo mac-authentication [ interface interface-list ]

In interface view:

mac-authentication

undo mac-authentication

View

System view/Ethernet interface view

Default Level

2: System level

Parameters

interface interface-list: Specifies an Ethernet port list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. A port range defined without the to interface-type interface-number portion comprises only one port.

Description

Use the mac-authentication command to enable MAC authentication globally or for one or more ports.

Use the undo mac-authentication command to disable MAC authentication globally or for one or more ports.

By default, MAC authentication is neither enabled globally nor enabled on any port.

Note that:

•           In system view, if you provide the interface-list argument, the command enables MAC authentication for the specified ports; otherwise, the command enables MAC authentication globally. In Ethernet interface view, the command enables MAC authentication for the current port only.

•           You can configure MAC authentication parameters globally or for specified ports either before or after enabling MAC authentication. If no MAC authentication parameters are configured before MAC authentication is enabled globally, the default values are used.

•           You can enable MAC authentication for ports before enabling it globally. However, MAC authentication begins to function only after you also enable it globally.

Examples

# Enable MAC authentication globally.

<Sysname> system-view

[Sysname] mac-authentication

Mac-auth is enabled globally.

# Enable MAC authentication for port Ethernet 1/1/1.

<Sysname> system-view

[Sysname] mac-authentication interface Ethernet 1/1/1

 Mac-auth is enabled on port Ethernet1/1/1.

Or

<Sysname> system-view

[Sysname] interface ethernet 1/1/1

[Sysname-Ethernet1/1/1] mac-authentication

 Mac-auth is enabled on port Ethernet1/1/1.

1.1.4  mac-authentication domain

Syntax

mac-authentication domain isp-name

undo mac-authentication domain

View

System view

Default Level

2: System level

Parameters

isp-name: ISP domain name, a case-insensitive string of 1 to 24 characters. It cannot contain any forward slash (/), colon (:), asterisk (*), question mark (?), less-than sign (<), or greater-than sign (>).

Description

Use the mac-authentication domain command to specify the ISP domain for MAC authentication.

Use the undo mac-authentication domain command to restore the default.

By default, the default ISP domain (system) is used.

Examples

# Specify the ISP domain for MAC authentication as domain1.

<Sysname> system-view

[Sysname] mac-authentication domain domain1

1.1.5  mac-authentication timer

Syntax

mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | server-timeout server-timeout-value }

undo mac-authentication timer { offline-detect | quiet | server-timeout }

View

System view

Default Level

2: System level

Parameters

offline-detect-value: Offline detect interval, in the range 1 to 65,535 seconds.

quiet-value: Quiet period, in the range 1 to 65,535 minutes.

server-timeout-value: Server timeout period, in the range 1 to 300 seconds.

Description

Use the mac-authentication timer command to set the MAC authentication timers.

Use the undo mac-authentication timer command to restore the defaults.

By default, the offline detect interval is 300 seconds, the quiet period is one minute, and the server timeout period is 100 seconds.

The following timers function in the process of MAC authentication:

•           Offline detect timer: At this interval, the device checks whether an online user has gone offline. Once it detects that a user has gone offline, it sends a stop-accounting notice to the RADIUS server.

•           Quiet timer: After a user fails MAC authentication, the device does not initiate MAC authentication for that user again during this period.

•           Server timeout timer: If, during authentication of a user, the device receives no response from the RADIUS server within this period, it assumes that its connection to the RADIUS server has timed out and denies the user access to the network.

Related commands: display mac-authentication.

Examples

# Set the server timeout timer to 150 seconds.

<Sysname> system-view

[Sysname] mac-authentication timer server-timeout 150

1.1.6  mac-authentication user-name-format

Syntax

mac-authentication user-name-format { fixed { account name | password { cipher | simple } password } | mac-address { with-hyphen | without-hyphen } }

mac-authentication user-name-format fixed account name password { cipher | simple } password

undo mac-authentication user-name-format

View

System view

Default Level

2: System level

Parameters

fixed: Uses a fixed username and password, or only a fixed password, depending on the subsequent parameters.

account name: Specifies the fixed username. The name argument is a string of 1 to 55 characters and has no default value.

password { cipher | simple } password: Specifies the fixed password. Specify the cipher keyword to display the password in cipher text or the simple keyword to display the password in plain text. In the former case, the password can be either a string of 1 to 63 characters in plain text or a string of 24 or 88 characters in cipher text. In the latter case, the password must be a string of 1 to 63 characters in plain text.

mac-address: Uses the source MAC address of a user as the username for authentication.

with-hyphen: Indicates that the MAC address must include "-", like xx-xx-xx-xx-xx-xx. The letters in the address must be in lower case.

without-hyphen: Indicates that the MAC address must not include "-", like xxxxxxxxxxxx. The letters in the address must be in lower case.

Description

Use the mac-authentication user-name-format command to configure the MAC authentication username type and, if the type of fixed username is used, the username and password for MAC authentication.

Use the undo mac-authentication user-name-format command to restore the default.

By default, each user's source MAC address is used as the username and password for MAC authentication. Whether "-" is necessary in the MAC address depends on the device model.

Note that:

•           If you configure both a fixed username and a fixed password using the mac-authentication user-name-format fixed account name password { cipher | simple } password command, the device will use the configured username and password for authentication of all users.

•           If you configure only a fixed username using the mac-authentication user-name-format fixed account name command, the device will use the configured username and use null as the password for authentication of all users.

•           If you configure only a fixed password using the mac-authentication user-name-format fixed password { cipher | simple } password command, the device will use the MAC address of each user and the configured password as the username and password respectively for authentication of all users.

•           If you configure the MAC address format after you have configured the fixed username and password type, the device will use the MAC address of each user instead of the previously configured fixed username and password as the username and password for authentication of all users.

•           In cipher display mode, a password in plain text with no more than 16 characters will be encrypted into a password in cipher text with 24 characters, and a password in plain text with 16 to 63 characters will be encrypted into a password in cipher text with 88 characters. For a password with 24 characters, the system will determine whether it can decrypt the password. If so, it treats the password as a cipher-text one. Otherwise, it treats it as a plain-text one.

Related commands: display mac-authentication.

Examples

# Configure the username for MAC authentication as abc, and the password displayed in plain text as xyz.

<Sysname> system-view

[Sysname] mac-authentication user-name-format fixed account abc password simple xyz
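The username rules from the notes above, as an added example that is not from the H3C manual: a small Python model of the user-name-format state that returns the (username, password) pair the device submits to RADIUS for a given source MAC, plus a check for the configurations in which every endpoint shares one credential (the case a reviewer of this setting should be looking for). The class, method and function names are this example's own, and the hyphen format used while in fixed mode is assumed to follow the last mac-address setting, since the manual says the default depends on the device model.

```python
import re

def normalize_mac(mac, with_hyphen):
    """Render any common MAC spelling the way the device submits it: lower-case
    hex, either xx-xx-xx-xx-xx-xx (with-hyphen) or xxxxxxxxxxxx (without-hyphen)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2)) if with_hyphen else digits

class MacAuthUserNameFormat:
    """Model (this example's own, not device code) of the user-name-format state."""

    def __init__(self, with_hyphen=False):
        self.mode = "mac-address"       # default: MAC address is username and password
        self.with_hyphen = with_hyphen  # assumed model default; the manual says it varies
        self.account = None
        self.password = None

    def fixed(self, account=None, password=None):
        """mac-authentication user-name-format fixed [account name] [password ...]"""
        self.mode = "fixed"
        self.account, self.password = account, password

    def mac_address(self, with_hyphen):
        """mac-authentication user-name-format mac-address { with-hyphen | without-hyphen }:
        configuring the MAC format discards any fixed username and password."""
        self.mode, self.with_hyphen = "mac-address", with_hyphen
        self.account = self.password = None

    def credentials(self, source_mac):
        """(username, password) the device submits to RADIUS for this source MAC."""
        mac = normalize_mac(source_mac, self.with_hyphen)
        if self.mode == "mac-address":
            return mac, mac
        username = self.account if self.account is not None else mac  # fixed password only
        password = self.password if self.password is not None else ""  # fixed username only: null
        return username, password

def shared_credential(fmt):
    """True when every endpoint authenticates with one and the same username and
    password, so the RADIUS account no longer tells devices apart."""
    return fmt.mode == "fixed" and fmt.account is not None
```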

1.1.7  reset mac-authentication statistics

Syntax

reset mac-authentication statistics [ interface interface-list ]

View

User view

Default Level

2: System level

Parameters

interface interface-list: Specifies an Ethernet port list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. A port range defined without the to interface-type interface-number portion comprises only one port.

Description

Use the reset mac-authentication statistics command to clear MAC authentication statistics.

Note that:

•           If you do not specify the interface-list argument, the command clears the global MAC authentication statistics and the MAC authentication statistics on all ports.

•           If you specify the interface-list argument, the command clears the MAC authentication statistics on the specified ports.

•           This command does not take effect on a port configured with 802.1x authentication.

Related commands: display mac-authentication.

Examples

# Clear MAC authentication statistics on Ethernet 1/1/1.

<Sysname> reset mac-authentication statistics interface ethernet 1/1/1
