- H3C S3100 Series Ethernet Switches Command Manual (For Soliton)(V1.02)
- 00-1Cover
- 01-CLI Commands
- 02-Login Commands
- 03-Configuration File Management Commands
- 04-VLAN Commands
- 05-Management VLAN Commands
- 06-IP Address-IP Performance Commands
- 07-Voice VLAN Commands
- 08-GVRP Commands
- 09-Port Basic Configuration Commands
- 10-Link Aggregation Commands
- 11-Port Isolation Commands
- 12-Port Security-Port Binding Commands
- 13-DLDP Commands
- 14-MAC Address Table Management Commands
- 15-MSTP Commands
- 16-Multicast Commands
- 17-802.1x-System Guard Commands
- 18-AAA Commands
- 19-MAC Address Authentication Commands
- 20-ARP Commands
- 21-DHCP Commands
- 22-ACL Commands
- 23-QoS-QoS Profile Commands
- 24-Mirroring Commands
- 25-Stack-Cluster Commands
- 26-SNMP-RMON Commands
- 27-NTP Commands
- 28-SSH Commands
- 29-File System Management Commands
- 30-FTP-SFTP-TFTP Commands
- 31-Information Center Commands
- 32-System Maintenance and Debugging Commands
- 33-VLAN-VPN Commands
- 34-HWPing Commands
- 35-IPv6 Management Commands
- 36-DNS Commands
- 37-Smart Link-Monitor Link Commands
- 38-Appendix
Table of Contents
Chapter 1 802.1x Configuration Commands
1.1 802.1x Configuration Commands
1.1.3 dot1x authentication-method
1.1.13 dot1x retry-version-max
1.1.17 dot1x timer reauth-period
Chapter 2 Quick EAD Deployment Configuration Commands
2.1 Quick EAD Deployment Configuration Commands
Chapter 3 HABP Configuration Commands
3.1 HABP Configuration Commands
Chapter 4 System-Guard Configuration Commands
4.1 System-Guard Configuration Commands
4.1.1 display system-guard attack-record
4.1.2 display system-guard state
4.1.3 system-guard detect-threshold
4.1.6 system-guard timer-interval
Chapter 1 802.1x Configuration Commands
1.1 802.1x Configuration Commands
1.1.1 display dot1x
Syntax
display dot1x [ sessions | statistics ] [ interface interface-list ]
View
Any view
Parameter
sessions: Displays the information about 802.1x sessions.
statistics: Displays the statistics on 802.1x.
interface: Display the 802.1x-related information about a specified port.
interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.
Description
Use the display dot1x command to display 802.1x-related information, such as configuration information, operation information (session information), and statistics.
When the interface-list argument is not provided, this command displays 802.1x-related information about all the ports. The output can be used to verify 802.1x-related configurations and to troubleshoot.
Related command: reset dot1x statistics, dot1x, dot1x retry, dot1x max-user, dot1x port-control, dot1x port-method, and dot1x timer.
Example
# Display 802.1x-related information.
<Sysname> display dot1x
Global 802.1X protocol is enabled
CHAP authentication is enabled
DHCP-launch is disabled
Handshake is enabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
EAD Quick Deploy is enabled
Configuration: Transmit Period 30 s, Handshake Period 15 s
ReAuth Period 3600 s, ReAuth MaxTimes 2
Quiet Period 60 s, Quiet Period Timer is disabled
Supp Timeout 30 s, Server Timeout 100 s
Interval between version requests is 30s
Maximal request times for version information is 3
The maximal retransmitting times 2
EAD Quick Deploy configuration:
Url: http://192.168.19.23
Free-ip: 192.168.19.0 255.255.255.0
Acl-timeout: 30 m
Total maximum 802.1x user resource number is 1024
Total current used 802.1x resource number is 1
Ethernet1/0/1 is link-up
802.1X protocol is enabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
Version-Check is disabled
The port is an authenticator
Authentication Mode is Auto
Port Control Type is Port-based
ReAuthenticate is disabled
Max number of on-line users is 256
Authentication Success: 4, Failed: 2
EAPOL Packets: Tx 7991, Rx 14
Sent EAP Request/Identity Packets : 7981
EAP Request/Challenge Packets: 0
Received EAPOL Start Packets : 5
EAPOL LogOff Packets: 1
EAP Response/Identity Packets : 4
EAP Response/Challenge Packets: 4
Error Packets: 0
1. Authenticated user : MAC address: 000d-88f6-44c1
Controlled User(s) amount to 1
Ethernet1/0/2
……
Table 1-1 Description on the fields of the display dot1x command
Field | Description
---|---
Global 802.1X protocol is enabled | 802.1x protocol (802.1x for short) is enabled globally on the switch.
CHAP authentication is enabled | CHAP is the 802.1x authentication method in use.
DHCP-launch is disabled | DHCP-triggered 802.1x authentication is disabled.
Handshake is enabled | The online user handshaking function is enabled.
Proxy trap checker is disabled | Whether the switch sends Trap packets when it detects that a supplicant system logs in through a proxy: disabled means no Trap packets are sent; enabled means Trap packets are sent.
Proxy logoff checker is disabled | Whether the switch disconnects a supplicant system when it detects that the supplicant system logs in through a proxy: disabled means the supplicant system is not disconnected; enabled means it is disconnected.
EAD Quick Deploy is enabled | Quick EAD deployment is enabled.
Transmit Period | Setting of the transmission period timer (tx-period)
Handshake Period | Setting of the handshake period timer (handshake-period)
ReAuth Period | Re-authentication interval
ReAuth MaxTimes | Maximum number of re-authentication attempts
Quiet Period | Setting of the quiet period timer (quiet-period)
Quiet Period Timer is disabled | The quiet period timer is disabled. It can be enabled when necessary with the dot1x quiet-period command.
Supp Timeout | Setting of the supplicant timeout timer (supp-timeout)
Server Timeout | Setting of the server timeout timer (server-timeout)
The maximal retransmitting times | Maximum number of times the switch sends authentication request packets to a supplicant system
Url | URL for HTTP redirection
Free-ip | Free IP range that users can access before passing authentication
Acl-timeout | ACL timeout period
Total maximum 802.1x user resource number | Maximum number of 802.1x users the switch can accommodate
Total current used 802.1x resource number | Number of supplicant systems currently online
Ethernet1/0/1 is link-up | Link state of port Ethernet1/0/1 (link-up or link-down)
802.1X protocol is enabled | Whether 802.1x is enabled on the port
Proxy trap checker is disabled | Per-port setting with the same meaning as the global field: whether the switch sends Trap packets when it detects that a supplicant system on this port logs in through a proxy.
Proxy logoff checker is disabled | Per-port setting with the same meaning as the global field: whether the switch disconnects a supplicant system on this port when it detects that it logs in through a proxy.
Version-Check is disabled | Whether client version checking is enabled on the port: disabled means the switch does not check the client version; enabled means it does.
The port is an authenticator | The port acts as an authenticator system.
Authentication Mode is Auto | The port access control mode is auto (see dot1x port-control).
Port Control Type is Port-based | The port access control method: Port-based means all users on the port share one authentication result; Mac-based means each supplicant system is authenticated separately by its MAC address (see dot1x port-method).
ReAuthenticate is disabled | Whether 802.1x re-authentication is enabled on the port
Max number of on-line users | Maximum number of online users the port can accommodate
… | Information omitted here
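The output above is what an audit script has to work from. The following Python is an added example, not code from the H3C manual or from H3C: it parses the global section and the per-port blocks of display dot1x into structured records and flags the states a security reviewer cares about (a link-up port with 802.1x disabled, an access control mode other than auto, port-based control where one authenticated user opens the port for every host behind it, re-authentication disabled, a PAP authentication method). The sample output is constructed from the manual's example; the Ethernet1/0/2 and Ethernet1/0/3 blocks and the "Authorized-force" mode wording are assumptions, since the manual only shows the Auto value.

```python
"""Parse H3C 'display dot1x' output and flag risky 802.1x port states."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the manual's output. Ethernet1/0/2, Ethernet1/0/3
# and the "Authorized-force" mode string are assumptions made for this demo.
SAMPLE = """\
Global 802.1X protocol is enabled
CHAP authentication is enabled
DHCP-launch is disabled
Handshake is enabled
Configuration: Transmit Period 30 s, Handshake Period 15 s
ReAuth Period 3600 s, ReAuth MaxTimes 2
Total maximum 802.1x user resource number is 1024
Ethernet1/0/1 is link-up
802.1X protocol is enabled
Version-Check is disabled
The port is an authenticator
Authentication Mode is Auto
Port Control Type is Port-based
ReAuthenticate is disabled
Max number of on-line users is 256
Authentication Success: 4, Failed: 2
EAPOL Packets: Tx 7991, Rx 14
1. Authenticated user : MAC address: 000d-88f6-44c1
Controlled User(s) amount to 1
Ethernet1/0/2 is link-up
802.1X protocol is disabled
Ethernet1/0/3 is link-down
802.1X protocol is enabled
Authentication Mode is Authorized-force
Port Control Type is Mac-based
ReAuthenticate is enabled
Authentication Success: 0, Failed: 0
Controlled User(s) amount to 0
"""


@dataclass
class PortState:
    name: str
    link_up: bool
    dot1x_enabled: bool = False
    auth_mode: str = ""      # auto / authorized-force / unauthorized-force
    control_type: str = ""   # port-based / mac-based
    reauth: bool = False
    success: int = 0
    failed: int = 0
    users: int = 0


PORT_HDR = re.compile(r"^(\S+) is link-(up|down)$")
COUNTS = re.compile(r"^Authentication Success: (\d+), Failed: (\d+)$")
PORT_FIELDS = [  # (attribute, regex); bool attributes compare against "enabled"
    ("dot1x_enabled", re.compile(r"^802\.1X protocol is (enabled|disabled)$")),
    ("auth_mode", re.compile(r"^Authentication Mode is (\S+)$")),
    ("control_type", re.compile(r"^Port Control Type is (\S+)$")),
    ("reauth", re.compile(r"^ReAuthenticate is (enabled|disabled)$")),
    ("users", re.compile(r"^Controlled User\(s\) amount to (\d+)$")),
]


def parse_display_dot1x(text: str) -> Tuple[Dict[str, str], Dict[str, PortState]]:
    """Split the output into global 'X is enabled/disabled' flags and per-port records."""
    glob: Dict[str, str] = {}
    ports: Dict[str, PortState] = {}
    cur: Optional[PortState] = None
    for line in (raw.strip() for raw in text.splitlines()):
        m = PORT_HDR.match(line)
        if m:  # a new per-port block starts here
            cur = PortState(name=m.group(1), link_up=(m.group(2) == "up"))
            ports[cur.name] = cur
            continue
        if cur is None:  # still in the global section
            m = re.match(r"^(.*) is (enabled|disabled)$", line)
            if m:
                glob[m.group(1)] = m.group(2)
            continue
        m = COUNTS.match(line)
        if m:
            cur.success, cur.failed = int(m.group(1)), int(m.group(2))
            continue
        for attr, rx in PORT_FIELDS:
            m = rx.match(line)
            if m:
                val = m.group(1).lower()
                if attr in ("dot1x_enabled", "reauth"):
                    setattr(cur, attr, val == "enabled")
                elif attr == "users":
                    cur.users = int(val)
                else:
                    setattr(cur, attr, val)
                break
    return glob, ports


def auth_method(glob: Dict[str, str]) -> str:
    """The '<METHOD> authentication is enabled' line names the global method."""
    for key, val in glob.items():
        if key.endswith(" authentication") and val == "enabled":
            return key.split()[0].upper()
    return "UNKNOWN"


def audit(text: str) -> List[str]:
    """Return one finding per risky setting; an empty list means nothing to report."""
    glob, ports = parse_display_dot1x(text)
    findings: List[str] = []
    if glob.get("Global 802.1X protocol") != "enabled":
        findings.append("GLOBAL: 802.1x is not enabled globally, so no per-port setting takes effect")
    if auth_method(glob) == "PAP":
        findings.append("GLOBAL: PAP sends passwords in clear text; use CHAP or EAP")
    for p in ports.values():
        if not p.dot1x_enabled:
            if p.link_up:
                findings.append(f"{p.name}: link-up with 802.1x disabled (unauthenticated access)")
            continue
        if p.auth_mode != "auto":
            findings.append(f"{p.name}: access control mode is {p.auth_mode}, not auto")
        if p.control_type == "port-based":
            findings.append(f"{p.name}: port-based control, one authenticated user opens the port for every host behind it")
        if not p.reauth:
            findings.append(f"{p.name}: re-authentication disabled, sessions are never re-validated while the link stays up")
        if p.failed and p.failed >= p.success:
            findings.append(f"{p.name}: {p.failed} failed vs {p.success} successful authentications")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE) or ["no findings"]:
        print(finding)
```

Feed it the captured output of display dot1x (for example from a scripted SSH session) in place of SAMPLE; the parser keys on the field wording shown in the manual's example, so a firmware that prints different labels needs the regexes adjusted.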
1.1.2 dot1x
Syntax
dot1x [ interface interface-list ]
undo dot1x [ interface interface-list ]
View
System view, Ethernet port view
Parameter
interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.
Description
Use the dot1x command to enable 802.1x globally or for specified Ethernet ports.
Use the undo dot1x command to disable 802.1x globally or for specified Ethernet ports.
By default, 802.1x is disabled globally and also on all ports.
In system view:
- If you do not provide the interface-list argument, the dot1x command enables 802.1x globally.
- If you specify the interface-list argument, the dot1x command enables 802.1x for the specified Ethernet ports.
In Ethernet port view, the interface-list argument is not available and the command enables 802.1x for only the current Ethernet port.
802.1x-related configurations take effect on a port only after 802.1x is enabled both globally and on the port.
Note:
- 802.1x and the limit on the number of MAC addresses a port can learn are mutually exclusive. When 802.1x is enabled on a port, a maximum MAC address learning count cannot also be configured on it; conversely, once a maximum MAC address learning count is configured on a port, 802.1x cannot be enabled on that port.
- A port with 802.1x enabled cannot be added to an aggregation group, and 802.1x cannot be enabled on a port that already belongs to an aggregation group.
Related command: display dot1x.
Example
# Enable 802.1x for Ethernet1/0/1 port.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x interface Ethernet 1/0/1
# Enable 802.1x globally.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x
1.1.3 dot1x authentication-method
Syntax
dot1x authentication-method { chap | pap | eap }
undo dot1x authentication-method
View
System view
Parameter
chap: Authenticates using challenge handshake authentication protocol (CHAP).
pap: Authenticates using password authentication protocol (PAP).
eap: Authenticates using extensible authentication protocol (EAP).
Description
Use the dot1x authentication-method command to set the 802.1x authentication method.
Use the undo dot1x authentication-method command to revert to the default 802.1x authentication method.
The default 802.1x authentication method is CHAP.
PAP uses a two-way handshake: the supplicant sends its user name and password, and the password is transmitted in plain text.
CHAP uses a three-way handshake: the authenticator sends a random challenge, the supplicant returns its user name together with an MD5 hash computed over the challenge and the password, and the authenticator compares that hash with one computed from the stored password. The password itself is never transmitted, so CHAP is safer than PAP; it still relies on the server holding the user's password and on the hash not being guessed offline.
In EAP authentication, the switch does not terminate EAP and convert the credentials into PAP or CHAP RADIUS packets; it relays the EAP packets between the supplicant system and the RADIUS server, encapsulated in RADIUS, so the server runs the EAP method end to end. EAP authentication can use one of four sub-methods: PEAP, EAP-TLS, EAP-TTLS and EAP-MD5.
Related command: display dot1x.
Note:
When the current device operates as the authentication server, EAP authentication is unavailable.
Example
# Specify the authentication method to be PAP.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x authentication-method pap
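The description above compresses what actually crosses the wire in each method. The Python below is an added example, not code from the manual or from H3C: it models one 802.1x authentication in PAP and in CHAP (the EAP-MD5 computation of RFC 1994, MD5 over Identifier, password and Challenge, which is what the switch can carry to RADIUS in the CHAP-Password and CHAP-Challenge attributes of RFC 2865; the manual does not detail the switch's own encapsulation), checks the server-side verification and the replay behaviour, and then runs the attack that CHAP does not stop: an offline dictionary attack on a captured challenge/response pair. The user name, password, challenge value and wordlist are constructed for the demo, and the USER_DB store is hypothetical.

```python
"""PAP versus CHAP (EAP-MD5) as seen on the wire, with server verification and
an offline dictionary attack on a captured CHAP exchange."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Hypothetical RADIUS user store. CHAP requires the server to hold the cleartext
# (or reversibly stored) password; that is a caveat of the method, not a bug here.
USER_DB: Dict[str, bytes] = {"alice": b"Winter2024!"}


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 / EAP-MD5 response: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident & 0xFF]) + password + challenge).digest()


def radius_chap_password(ident: int, response: bytes) -> bytes:
    """RFC 2865 CHAP-Password attribute value: 1-byte CHAP Ident + 16-byte response."""
    return bytes([ident & 0xFF]) + response


def server_verify_chap(user: str, ident: int, challenge: bytes, response: bytes) -> bool:
    pw = USER_DB.get(user)
    if pw is None:
        return False
    return hmac.compare_digest(chap_response(ident, pw, challenge), response)


def server_verify_pap(user: str, password: bytes) -> bool:
    pw = USER_DB.get(user)
    return pw is not None and hmac.compare_digest(pw, password)


def run_exchange(user: str, password: bytes, method: str,
                 challenge: Optional[bytes] = None, ident: int = 1) -> dict:
    """One supplicant -> switch -> RADIUS authentication.

    Returns the server decision plus the credential bytes an eavesdropper on the
    access port (or on the RADIUS path) sees.
    """
    if method == "pap":
        wire = password                      # PAP: the password itself is sent
        accepted = server_verify_pap(user, password)
    elif method == "chap":
        challenge = challenge or os.urandom(16)   # authenticator picks the challenge
        response = chap_response(ident, password, challenge)
        # The switch carries Ident+response as CHAP-Password and the challenge
        # as CHAP-Challenge; the password never leaves the supplicant.
        wire = radius_chap_password(ident, response) + challenge
        accepted = server_verify_chap(user, ident, challenge, response)
    else:
        raise ValueError("method must be 'pap' or 'chap'")
    return {"accepted": accepted, "wire": wire, "challenge": challenge, "ident": ident}


def offline_crack(ident: int, challenge: bytes, response: bytes,
                  wordlist: List[bytes]) -> Optional[bytes]:
    """Attacker who captured the CHAP exchange: one unsalted MD5 per guess, no
    rate limit and no server involvement, so a dictionary attack is cheap."""
    for cand in wordlist:
        if chap_response(ident, cand, challenge) == response:
            return cand
    return None


if __name__ == "__main__":
    # Constructed demo values.
    ch = bytes.fromhex("00112233445566778899aabbccddeeff")
    pap = run_exchange("alice", b"Winter2024!", "pap")
    chap = run_exchange("alice", b"Winter2024!", "chap", challenge=ch, ident=7)
    print("PAP accepted:", pap["accepted"], "on wire:", pap["wire"])
    print("CHAP accepted:", chap["accepted"], "on wire:", chap["wire"].hex())
    resp = chap["wire"][1:17]
    print("offline guess:", offline_crack(7, ch, resp, [b"password", b"Winter2024!"]))
```

The design point is that CHAP only removes the password from the wire: a captured exchange can be brute-forced offline, and the server still needs the cleartext password, which is why an EAP method that runs inside TLS (PEAP, EAP-TLS, EAP-TTLS) is preferable where the RADIUS server supports it.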
1.1.4 dot1x dhcp-launch
Syntax
dot1x dhcp-launch
undo dot1x dhcp-launch
View
System view
Parameter
None
Description
Use the dot1x dhcp-launch command to specify an 802.1x-enabled switch to launch the process to authenticate a supplicant system when the supplicant system applies for a dynamic IP address through DHCP.
Use the undo dot1x dhcp-launch command to disable an 802.1x-enabled switch from authenticating a supplicant system when the supplicant system applies for a dynamic IP address through DHCP.
By default, an 802.1x-enabled switch does not authenticate a supplicant system when the latter applies for a dynamic IP address through DHCP.
Related command: display dot1x.
Example
# Configure to authenticate a supplicant system when it applies for a dynamic IP address through DHCP.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x dhcp-launch
1.1.5 dot1x guest-vlan
Syntax
dot1x guest-vlan vlan-id [ interface interface-list ]
undo dot1x guest-vlan [ interface interface-list ]
View
System view, Ethernet port view
Parameter
vlan-id: VLAN ID of a Guest VLAN, in the range 1 to 4094.
interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.
Description
Use the dot1x guest-vlan command to enable the Guest VLAN function for ports.
Use the undo dot1x guest-vlan command to disable the Guest VLAN function for ports.
After 802.1x and guest VLAN are properly configured on a port:
- If the switch receives no response after sending EAP-Request/Identity packets to the port the maximum number of times, it adds the port to the guest VLAN.
- Users in the guest VLAN can access the guest VLAN resources without 802.1x authentication, but they must pass 802.1x authentication to access any other resources.
In system view:
- If you do not provide the interface-list argument, these two commands apply to all the ports of the switch.
- If you specify the interface-list argument, these two commands apply to the specified ports.
In Ethernet port view, the interface-list argument is not available and these two commands apply to only the current Ethernet port.
Caution:
- The Guest VLAN function is available only when the switch operates in the port-based authentication mode.
- Only one Guest VLAN can be configured on a switch.
- The Guest VLAN function is unavailable when the dot1x dhcp-launch command is executed on the switch, because the switch then sends no authentication request packets and so never detects a port that fails to respond.
Example
# Configure the switch to operate in the port-based authentication mode.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x port-method portbased
# Enable the Guest VLAN function for all the ports.
[Sysname] dot1x guest-vlan 1
1.1.6 dot1x handshake
Syntax
dot1x handshake enable
undo dot1x handshake enable
View
System view
Parameter
None
Description
Use the dot1x handshake enable command to enable the online user handshaking function.
Use the undo dot1x handshake enable command to disable the online user handshaking function.
By default, the online user handshaking function is enabled.
Caution:
- To enable the proxy detecting function, you need to enable the online user handshaking function first.
- Handshaking packets are used to test whether a user is still online and require the H3C-proprietary client.
- Because non-H3C clients do not support the online user handshaking function, the switch receives no handshake acknowledgement packets from them and would wrongly consider such users offline. Disable the online user handshaking function when such clients are in use.
Example
# Enable the online user handshaking function.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x handshake enable
1.1.7 dot1x handshake secure
Syntax
dot1x handshake secure
undo dot1x handshake secure
View
Ethernet port view
Parameter
None
Description
Use the dot1x handshake secure command to enable the handshaking packet secure function, which protects the device against attacks in which a program simulates the 802.1x client.
Use the undo dot1x handshake secure command to disable the handshaking packet secure function.
By default, the handshaking packet secure function is disabled.
Caution:
The handshaking packet secure function takes effect only when both the clients and the authentication server support it and cooperate. If either the clients or the authentication server does not support the function, disable it.
Example
# Enable the handshaking packet secure function.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] dot1x handshake secure
1.1.8 dot1x max-user
Syntax
dot1x max-user user-number [ interface interface-list ]
undo dot1x max-user [ interface interface-list ]
View
System view, Ethernet port view
Parameter
user-number: Maximum number of users a port can accommodate, in the range 1 to 256.
interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.
Description
Use the dot1x max-user command to set the maximum number of users an Ethernet port can accommodate.
Use the undo dot1x max-user command to revert to the default maximum user number.
By default, a port can accommodate up to 256 users.
In system view:
- If you do not provide the interface-list argument, these two commands apply to all the ports of the switch.
- If you specify the interface-list argument, these two commands apply to the specified ports.
In Ethernet port view, the interface-list argument is not available and the commands apply to only the current port.
Related command: display dot1x.
Example
# Configure the maximum number of users that Ethernet1/0/1 port can accommodate to be 32.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x max-user 32 interface Ethernet 1/0/1
1.1.9 dot1x port-control
Syntax
dot1x port-control { auto | authorized-force | unauthorized-force } [ interface interface-list ]
undo dot1x port-control [ interface interface-list ]
View
System view, Ethernet port view
Parameter
auto: Specifies the auto access control mode. In this mode all hosts connected to the port start unauthorized, and only EAPOL packets can be exchanged between the switch and the hosts; a host is authorized to access network resources only after it passes authentication. This is the normal operating mode of a port.
authorized-force: Specifies to operate in authorized-force access control mode. When a port operates in this mode, all the hosts connected to it can access the network resources without being authenticated.
unauthorized-force: Specifies to operate in unauthorized-force access control mode. When a port operates in this mode, the hosts connected to it cannot access the network resources.
interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.
Description
Use the dot1x port-control command to specify the access control mode for specified 802.1x-enabled Ethernet ports.
Use the undo dot1x port-control command to revert to the default access control mode.
The default access control mode is auto.
In system view:
- If you do not provide the interface-list argument, these two commands apply to all the ports of the switch.
- If you specify the interface-list argument, these commands apply to the specified ports.
In Ethernet port view, the interface-list argument is not available and the commands apply to only the current Ethernet port.
Related command: display dot1x.
Example
# Specify Ethernet1/0/1 port to operate in unauthorized-force access control mode.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x port-control unauthorized-force interface Ethernet 1/0/1
1.1.10 dot1x port-method
Syntax
dot1x port-method { macbased | portbased } [ interface interface-list ]
undo dot1x port-method [ interface interface-list ]
View
System view, Ethernet port view
Parameter
macbased: Performs MAC address-based authentication.
portbased: Performs port-based authentication.
interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.
Description
Use the dot1x port-method command to specify the access control method for specified Ethernet ports.
Use the undo dot1x port-method command to revert to the default access control method.
By default, the access control method is macbased.
This command specifies the way in which users are authenticated.
- If you authenticate users by MAC address (the dot1x port-method command with the macbased keyword), every user connected to the specified Ethernet ports is authenticated separately, and when one online user logs off the others are not affected.
- If you authenticate supplicant systems by port (the dot1x port-method command with the portbased keyword), all users connected to a specified Ethernet port can access the network without being authenticated once any one of them passes authentication, and when that user logs off, all the other supplicant systems on the port lose network access as well.
- Changing the access control method on a port with the dot1x port-method command forcibly logs out the online 802.1x users on that port.
In system view:
- If you do not provide the interface-list argument, these two commands apply to all the ports of the switch.
- If you specify the interface-list argument, these commands apply to the specified ports.
In Ethernet port view, the interface-list argument is not available and the commands apply to only the current Ethernet port.
Related command: display dot1x.
Example
# Specify to authenticate users connected to Ethernet1/0/1 port by port numbers.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x port-method portbased interface Ethernet 1/0/1
1.1.11 dot1x quiet-period
Syntax
dot1x quiet-period
undo dot1x quiet-period
View
System view
Parameter
None
Description
Use the dot1x quiet-period command to enable the quiet-period timer.
Use the undo dot1x quiet-period command to disable the quiet-period timer.
When a user fails to pass the authentication, the authenticator system (such as an H3C series Ethernet switch) stays quiet for a period determined by the quiet-period timer before it performs another authentication. During the quiet period, the authenticator system performs no 802.1x authentication of that user.
By default, the quiet-period timer is disabled.
Related commands: display dot1x, dot1x timer.
Example
# Enable the quiet-period timer.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x quiet-period
1.1.12 dot1x retry
Syntax
dot1x retry max-retry-value
undo dot1x retry
View
System view
Parameter
max-retry-value: Maximum number of times that a switch sends authentication request packets to a user. This argument ranges from 1 to 10.
Description
Use the dot1x retry command to specify the maximum number of times that a switch sends authentication request packets to a user.
Use the undo dot1x retry command to revert to the default value.
By default, a switch sends authentication request packets to a user for up to 2 times.
After a switch sends an authentication request packet to a user, it sends another if it receives no response within a specific period of time. If the switch still receives no response when the configured maximum number of transmission attempts is reached, it no longer sends authentication request packets to the user. This command applies to all ports.
Related command: display dot1x.
Example
# Specify the maximum number of times that the switch sends authentication request packets to be 9.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x retry 9
1.1.13 dot1x retry-version-max
Syntax
dot1x retry-version-max max-retry-version-value
undo dot1x retry-version-max
View
System view
Parameter
max-retry-version-value: Maximum number of times that a switch sends version request packets to a user. This argument ranges from 1 to 10.
Description
Use the dot1x retry-version-max command to set the maximum number of times that a switch sends version request packets to a user.
Use the undo dot1x retry-version-max command to revert to the default value.
By default, a switch sends version request packets to a user for up to 3 times.
After a switch sends a version request packet to a user, it sends another if it receives no response within a specific period of time (determined by the client version request timer, ver-period). When the number set by this command has been reached and there is still no response from the user, the switch continues with the authentication procedure without sending further version requests. This command applies to all the ports with the version checking function enabled.
Related commands: display dot1x, dot1x timer.
Example
# Configure the maximum number of times that the switch sends version request packets to be 6.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x retry-version-max 6
1.1.14 dot1x re-authenticate
Syntax
dot1x re-authenticate [ interface interface-list ]
undo dot1x re-authenticate [ interface interface-list ]
View
System view, Ethernet port view
Parameter
interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.
Description
Use the dot1x re-authenticate command to enable 802.1x re-authentication on specific ports or on all ports of the switch.
Use the undo dot1x re-authenticate command to disable 802.1x re-authentication on specific ports or on all ports of the switch.
By default, 802.1x re-authentication is disabled on all ports.
In system view:
- If you do not specify the interface-list argument, this command enables 802.1x re-authentication on all ports.
- If you specify the interface-list argument, this command enables 802.1x re-authentication on the specified ports.
In Ethernet port view, the interface-list argument is not available and 802.1x re-authentication is enabled on the current port only.
Note:
802.1x must be enabled globally and on the port before 802.1x re-authentication can be configured on the port.
Example
# Enable 802.1x re-authentication on port Ethernet 1/0/1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x
802.1X is enabled globally.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] dot1x
802.1X is enabled on port Ethernet1/0/1 already.
[Sysname-Ethernet1/0/1] dot1x re-authenticate
Re-authentication is enabled on port Ethernet1/0/1
1.1.15 dot1x supp-proxy-check
Syntax
dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]
undo dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]
View
System view, Ethernet port view
Parameter
logoff: Disconnects a user upon detecting it logging in through a proxy or through multiple network adapters.
trap: Sends Trap packets upon detecting a user logging in through a proxy or through multiple network adapters.
interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.
Description
Use the dot1x supp-proxy-check command to enable 802.1x proxy checking for specified ports.
Use the undo dot1x supp-proxy-check command to disable 802.1x proxy checking for specified ports.
By default, 802.1x proxy checking is disabled on all Ethernet ports.
In system view:
- If you do not specify the interface-list argument, the configurations performed by these two commands are global.
- If you specify the interface-list argument, these two commands apply to the specified Ethernet ports.
In Ethernet port view, the interface-list argument is not available and the commands apply to only the current Ethernet port.
The proxy checking function takes effect on a port only when the function is enabled both globally and on the port.
802.1x proxy checking checks for:
- Users logging in through proxies
- Users logging in through IE proxies
- Users logging in through multiple network adapters (that is, a user with more than one active network adapter when it attempts to log in)
A switch can take one of the following actions in response to any of the above three cases:
- Disconnect the user without sending Trap packets (the dot1x supp-proxy-check logoff command).
- Send Trap packets without disconnecting the user (the dot1x supp-proxy-check trap command).
This function needs the cooperation of the 802.1x clients and the CAMS server:
- Multiple network adapter checking, proxy checking, and IE proxy checking are enabled on the 802.1x client.
- The CAMS server is configured to disallow the use of multiple network adapters, proxies, and IE proxy.
By default, proxy checking is disabled on the 802.1x client. In that case, if the CAMS server is configured to disallow the use of multiple network adapters, proxies, and IE proxy, it sends messages to the 802.1x client after the user passes authentication, asking the client to disable them.
Note:
- The 802.1x proxy checking function needs the cooperation of H3C's 802.1x client program.
- The proxy checking function takes effect only after the client version checking function is enabled on the switch (using the dot1x version-check command).
Related command: display dot1x.
Example
# Configure to disconnect the users connected to Ethernet1/0/1 through Ethernet1/0/8 ports if they are detected logging in through proxies.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x supp-proxy-check logoff
[Sysname] dot1x supp-proxy-check logoff interface Ethernet 1/0/1 to Ethernet 1/0/8
# Configure the switch to send Trap packets if the users connected to Ethernet1/0/9 port is detected logging in through proxies.
[Sysname] dot1x supp-proxy-check trap
[Sysname] dot1x supp-proxy-check trap interface Ethernet 1/0/9
1.1.16 dot1x timer
Syntax
dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | server-timeout server-timeout-value | supp-timeout supp-timeout-value | tx-period tx-period-value | ver-period ver-period-value }
undo dot1x timer { handshake-period | quiet-period | server-timeout | supp-timeout | tx-period | ver-period }
View
System view
Parameter
handshake-period handshake-period-value: Sets the handshake timer. This timer sets the handshake period and is started after a supplicant system passes authentication. It determines the interval at which the switch sends handshake request packets to online users. If you set the number of retries to N by using the dot1x retry command, an online user is considered offline when the switch receives no response from it within N handshake periods.
The handshake-period-value argument ranges from 5 to 1,024 (in seconds). By default, the handshake timer is set to 15 seconds.
quiet-period quiet-period-value: Sets the quiet-period timer. This timer sets the quiet-period. When a supplicant system fails to pass the authentication, the switch quiets for the set period (set by the quiet-period timer) before it processes another authentication request re-initiated by the supplicant system. During this quiet period, the switch does not perform any 802.1x authentication-related actions for the supplicant system.
The quiet-period-value argument ranges from 10 to 120 (in seconds). By default, the quiet-period timer is set to 60 seconds.
server-timeout server-timeout-value: Sets the RADIUS server timer. This timer sets the server-timeout period. After sending an authentication request packet to the RADIUS server, a switch sends another authentication request packet if it does not receive the response from the RADIUS server when this timer times out.
The server-timeout-value argument ranges from 100 to 300 (in seconds). By default, the RADIUS server timer is set to 100 seconds.
supp-timeout supp-timeout-value: Sets the supplicant system timer. This timer sets the supp-timeout period and is started after the switch sends a request/challenge packet to a supplicant system (the packet asks the supplicant system for its MD5-based challenge response). If the switch does not receive the response from the supplicant system when this timer expires, it sends another request/challenge packet.
The supp-timeout-value argument ranges from 10 to 120 (in seconds). By default, the supplicant system timer is set to 30 seconds.
tx-period tx-period-value: Sets the transmission timer. This timer sets the tx-period and is started in two cases. In the first case, a client requests authentication: the switch sends a unicast request/identity packet to the supplicant system and starts the transmission timer; if it receives no reply when the timer expires, it sends another request/identity packet. In the second case, the switch authenticates an 802.1x client that cannot initiate authentication itself: the switch sends multicast request/identity packets periodically through the 802.1x-enabled port, and this timer sets the interval between those packets.
The tx-period-value argument ranges from 10 to 120 (in seconds). By default, the transmission timer is set to 30 seconds.
ver-period ver-period-value: Sets the client version request timer. This timer sets the version period and is started after the switch sends a version request packet. If the switch does not receive a version response from the supplicant system when the timer expires, it sends another version request packet.
The ver-period-value argument ranges from 1 to 30 (in seconds). By default, the client version request timer is set to 30 seconds.
Description
Use the dot1x timer command to set a specified 802.1x timer.
Use the undo dot1x timer command to restore a specified 802.1x timer to the default setting.
During an 802.1x authentication process, multiple timers are started to ensure that the supplicant systems, the authenticator systems, and the authentication servers interact with each other in an orderly way. You can use the dot1x timer command to adjust these timers when a special situation or a poor network environment requires it. Normally, the defaults are recommended. (Note that some timers cannot be adjusted.)
Related command: display dot1x.
Example
# Set the RADIUS server timer to 150 seconds.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x timer server-timeout 150
1.1.17 dot1x timer reauth-period
Syntax
dot1x timer reauth-period reauth-period-value
undo dot1x timer reauth-period
View
System view
Parameter
reauth-period reauth-period-value: Specifies re-authentication interval, in seconds. After this timer expires, the switch initiates 802.1x re-authentication. The value of the reauth-period-value argument ranges from 60 to 7,200.
Description
Use the dot1x timer reauth-period command to configure the interval for 802.1x re-authentication.
Use the undo dot1x timer reauth-period command to restore the default 802.1x re-authentication interval.
By default, the 802.1x re-authentication interval is 3,600 seconds.
Example
# Set the 802.1x re-authentication interval to 150 seconds.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x timer reauth-period 150
1.1.18 dot1x version-check
Syntax
dot1x version-check [ interface interface-list ]
undo dot1x version-check [ interface interface-list ]
View
System view, Ethernet port view
Parameter
interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.
Description
Use the dot1x version-check command to enable 802.1x client version checking for specified Ethernet ports.
Use the undo dot1x version-check command to disable 802.1x client version checking for specified Ethernet ports.
By default, 802.1x client version checking is disabled on all the Ethernet ports.
In system view:
l If you do not provide the interface-list argument, these two commands apply to all the ports of the switch.
l If you specify the interface-list argument, these commands apply to the specified ports.
In Ethernet port view, the interface-list argument is not available and the commands apply to only the current Ethernet port.
Example
# Configure Ethernet 1/0/1 port to check the version of the 802.1x client upon receiving authentication packets.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] dot1x version-check
1.1.19 reset dot1x statistics
Syntax
reset dot1x statistics [ interface interface-list ]
View
User view
Parameter
interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.
Description
Use the reset dot1x statistics command to clear 802.1x-related statistics.
To retrieve the latest 802.1x-related statistics, you can use this command to clear the existing 802.1x-related statistics first.
When you execute this command:
l If the interface-list argument is not specified, this command clears the global 802.1x statistics and the 802.1x statistics on all the ports.
l If the interface-list argument is specified, this command clears the 802.1x statistics on the specified ports.
Related command: display dot1x.
Example
# Clear 802.1x statistics on Ethernet 1/0/1 port.
<Sysname> reset dot1x statistics interface Ethernet 1/0/1
Chapter 2 Quick EAD Deployment Configuration Commands
2.1 Quick EAD Deployment Configuration Commands
2.1.1 dot1x free-ip
Syntax
dot1x free-ip ip-address { mask-address | mask-length }
undo dot1x free-ip [ ip-address { mask-address | mask-length } ]
View
System view
Parameters
ip-address: Free IP address, in dotted decimal notation.
mask-address: Subnet mask of the free IP address, in dotted decimal notation.
mask-length: Length of the subnet mask of the free IP address, in the range 0 to 32.
Description
Use the dot1x free-ip command to configure a free IP range. A free IP range is an IP range that users can access before passing 802.1x authentication.
Use the undo dot1x free-ip command to remove a specified free IP range or all free IP ranges.
By default, no free IP range is configured.
& Note:
l You must configure the URL for HTTP redirection before configuring a free IP range.
l The device supports up to two free IP ranges.
Examples
# Configure a free IP range for users to access before passing authentication.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x free-ip 192.168.19.23 24
2.1.2 dot1x timer acl-timeout
Syntax
dot1x timer acl-timeout acl-timeout-value
undo dot1x timer acl-timeout
View
System view
Parameters
acl-timeout-value: ACL timeout period (in minutes), in the range of 1 to 1440.
Description
Use the dot1x timer acl-timeout command to configure the ACL timeout period.
Use the undo dot1x timer acl-timeout command to restore the default.
By default, the ACL timeout period is 30 minutes.
Related commands: dot1x configuration commands.
Examples
# Set the ACL timeout period to 40 minutes.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x timer acl-timeout 40
2.1.3 dot1x url
Syntax
dot1x url url-string
undo dot1x url
View
System view
Parameters
url-string: URL for HTTP redirection, in the format of http://x.x.x.x.
Description
Use the dot1x url command to configure the URL for HTTP redirection.
Use the undo dot1x url command to remove the configuration.
By default, no URL is configured for HTTP redirection.
Related commands: dot1x configuration commands.
Examples
# Configure the URL for HTTP redirection.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dot1x url http://192.168.19.23
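The three Quick EAD commands above only work together when applied in the right order and within the stated limits. The following model, an added example and not H3C code, enforces the constraints the manual states (URL before any free IP range, at most two ranges, mask given as dotted decimal or as a prefix length 0 to 32, ACL timeout 1 to 1440 minutes) so a planned configuration can be checked offline. The pre_auth_decision method and its allow/redirect/drop outcomes are an assumption made for illustration; the page describes the commands, not how the switch applies them to individual packets. The second free range and the destination addresses used in the demo are constructed sample data.

```python
"""Model of the Quick EAD pre-authentication policy configured by dot1x url,
dot1x free-ip and dot1x timer acl-timeout.

Added example, not H3C code. The packet decision logic is an ASSUMPTION for
illustration; the configuration constraints are taken from the manual.
"""
import ipaddress

MAX_FREE_RANGES = 2        # "The device supports up to two free IP ranges."
ACL_TIMEOUT_DEFAULT = 30   # minutes
ACL_TIMEOUT_RANGE = (1, 1440)


class QuickEad:
    def __init__(self):
        self.url = None
        self.free_ranges = []
        self.acl_timeout = ACL_TIMEOUT_DEFAULT

    def dot1x_url(self, url_string):
        """dot1x url url-string, where url-string has the form http://x.x.x.x."""
        prefix = "http://"
        if not url_string.startswith(prefix):
            raise ValueError("URL must be in the format http://x.x.x.x")
        host = url_string[len(prefix):].split("/", 1)[0]
        ipaddress.IPv4Address(host)  # raises unless the host is dotted decimal
        self.url = url_string

    def dot1x_free_ip(self, ip_address, mask):
        """dot1x free-ip ip-address { mask-address | mask-length }."""
        if self.url is None:
            raise RuntimeError("configure dot1x url before dot1x free-ip")
        if len(self.free_ranges) >= MAX_FREE_RANGES:
            raise RuntimeError("the device supports up to %d free IP ranges"
                               % MAX_FREE_RANGES)
        if isinstance(mask, int) or str(mask).isdigit():
            length = int(mask)                       # mask-length form
            if not 0 <= length <= 32:
                raise ValueError("mask-length must be 0-32")
            net = ipaddress.IPv4Network((ip_address, length), strict=False)
        else:
            # mask-address form; ipaddress rejects a non-contiguous mask
            net = ipaddress.IPv4Network((ip_address, mask), strict=False)
        self.free_ranges.append(net)
        return net

    def dot1x_timer_acl_timeout(self, minutes):
        """dot1x timer acl-timeout acl-timeout-value (minutes)."""
        lo, hi = ACL_TIMEOUT_RANGE
        if not lo <= minutes <= hi:
            raise ValueError("acl-timeout-value must be %d-%d" % (lo, hi))
        self.acl_timeout = minutes

    def pre_auth_decision(self, dst_ip, dst_port):
        """ASSUMED handling of a packet from a not-yet-authenticated user:
        traffic to a free IP range is allowed, other HTTP is redirected to
        the configured URL, everything else is dropped."""
        if any(ipaddress.IPv4Address(dst_ip) in net for net in self.free_ranges):
            return "allow"
        if dst_port == 80 and self.url is not None:
            return "redirect " + self.url
        return "drop"


def demo():
    """Build the configuration from the manual's examples plus one
    constructed second range, and return the model for inspection."""
    ead = QuickEad()
    ead.dot1x_url("http://192.168.19.23")
    ead.dot1x_free_ip("192.168.19.23", 24)               # prefix-length form
    ead.dot1x_free_ip("10.1.1.10", "255.255.255.0")      # dotted-mask form (constructed)
    ead.dot1x_timer_acl_timeout(40)
    return ead
```

Calling dot1x_free_ip before dot1x_url, or a third time, raises the same error the switch's note describes, which is the point of checking a deployment plan this way before typing it in.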
Chapter 3 HABP Configuration Commands
3.1 HABP Configuration Commands
3.1.1 display habp
Syntax
display habp
View
Any view
Parameter
None
Description
Use the display habp command to display HABP configuration and status.
Example
# Display HABP configuration and status.
<Sysname> display habp
Global HABP information:
HABP Mode: Server
Sending HABP request packets every 20 seconds
Bypass VLAN: 2
Table 3-1 Description on the fields of the display habp command
Field | Description |
---|---|
HABP Mode | Indicates the HABP mode of the switch. A switch can operate as an HABP server (displayed as Server) or an HABP client (displayed as Client). |
Sending HABP request packets every 20 seconds | HABP request packets are sent once every 20 seconds. |
Bypass VLAN | Indicates the IDs of the VLANs to which HABP request packets are sent. |
3.1.2 display habp table
Syntax
display habp table
View
Any view
Parameter
None
Description
Use the display habp table command to display the MAC address table maintained by HABP.
Example
# Display the MAC address table maintained by HABP.
<Sysname> display habp table
MAC Holdtime Receive Port
001f-3c00-0030 53 Ethernet1/0/1
Table 3-2 Description on the fields of the display habp table command
Field | Description |
---|---|
MAC | MAC addresses contained in the HABP MAC address table. |
Holdtime | Hold time of the entries in the HABP MAC address table. An entry is removed from the table if it is not updated within the hold time. |
Receive Port | The port from which a MAC address is learned. |
3.1.3 display habp traffic
Syntax
display habp traffic
View
Any view
Parameter
None
Description
Use the display habp traffic command to display the statistics on HABP packets.
Example
# Display the statistics on HABP packets.
<Sysname> display habp traffic
HABP counters :
Packets output: 0, Input: 0
ID error: 0, Type error: 0, Version error: 0
Sent failed: 0
Table 3-3 Description on the fields of the display habp traffic command
Field | Description |
---|---|
Packets output | Number of HABP packets sent |
Input | Number of HABP packets received |
ID error | Number of HABP packets with ID errors |
Type error | Number of HABP packets with type errors |
Version error | Number of HABP packets with version errors |
Sent failed | Number of HABP packets that failed to be sent |
3.1.4 habp enable
Syntax
habp enable
undo habp enable
View
System view
Parameter
None
Description
Use the habp enable command to enable HABP for a switch.
Use the undo habp enable command to disable HABP for a switch.
By default, HABP is enabled on a switch.
If an 802.1x-enabled switch does not have HABP enabled, it cannot manage the switches attached to it. So, you need to enable HABP on specific switches in a network with 802.1x enabled.
Example
# Enable HABP.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] habp enable
3.1.5 habp server vlan
Syntax
habp server vlan vlan-id
undo habp server
View
System view
Parameter
vlan-id: VLAN ID, ranging from 1 to 4094.
Description
Use the habp server vlan command to configure a switch to operate as an HABP server. This command also specifies the VLAN where HABP packets are broadcast.
Use the undo habp server command to revert to the default HABP mode.
By default, a switch operates as an HABP client.
To specify a switch to operate as an HABP server, you need to enable HABP (using the habp enable command) for the switch first. When HABP is not enabled, the habp server vlan command cannot take effect.
Example
# Specify the switch to operate as an HABP server and the HABP packets to be broadcast in VLAN 2. (Assume that HABP is enabled.)
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] habp server vlan 2
3.1.6 habp timer
Syntax
habp timer interval
undo habp timer
View
System view
Parameter
interval: Interval (in seconds) to send HABP request packets. This argument ranges from 5 to 600.
Description
Use the habp timer command to set the interval for a switch to send HABP request packets.
Use the undo habp timer command to revert to the default interval.
The default interval for a switch to send HABP request packets is 20 seconds.
Use these two commands on switches operating as HABP servers only.
Example
# Configure the switch to send HABP request packets once every 50 seconds.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] habp timer 50
Chapter 4 System-Guard Configuration Commands
4.1 System-Guard Configuration Commands
4.1.1 display system-guard attack-record
Syntax
display system-guard attack-record
View
Any view
Parameter
None
Description
Use the display system-guard attack-record command to display the record of detected attacks.
Example
# Display the record of detected attacks.
<Sysname> display system-guard attack-record
Range : 2
Packet type : BOGUS
Port : 1
MAC address : 00e0-fc00-0001
IP address : 10.10.10.10
Alive time : 6
Table 4-1 Description on the fields of display system-guard attack-record
Field | Description |
---|---|
Target No | Number of the attack record |
Range | Control range of the attack |
Packet type | Type of the attack packet |
Port | Number of the port being attacked |
MAC address | Source MAC address of the attack packet |
IP address | Source IP address of the attack packet |
Alive time | Remaining time during which attack packets of this type are isolated |
4.1.2 display system-guard state
Syntax
display system-guard state
View
Any view
Parameter
None
Description
Use the display system-guard state command to display the state of the system-guard feature.
Related command: system-guard enable, system-guard detect-threshold, and system-guard timer-interval.
Example
# Display the state of the system-guard feature.
<Sysname> display system-guard state
System-guard Status: Enabled
Permitted Interfaces:
Ethernet1/0/1
Detect Threshold: 201
Isolated Time: 20
Attack Number: 0
Table 4-2 Description on the fields of the display system-guard state command
Field | Description |
---|---|
System-guard Status | The enable/disable status of the system-guard function |
Permitted Interfaces | Interfaces enabled with the system-guard function |
Detect Threshold | The threshold for the number of packets when an attack is detected |
Isolated Time | The length of the isolation after an attack is detected |
Attack Number | The number of detected attacks |
4.1.3 system-guard detect-threshold
Syntax
system-guard detect-threshold threshold-value
undo system-guard detect-threshold
View
System view
Parameter
threshold-value: Threshold for the number of packets when an attack is detected, in the range of 200 to 1,000.
Description
Use the system-guard detect-threshold command to set the threshold for the number of packets when an attack is detected. When the number of inbound packets of the same type exceeds the threshold, one attack is detected and recorded.
Use the undo system-guard detect-threshold command to restore the threshold to the default value.
By default, the threshold is 200.
Related command: display system-guard state.
Example
# Set the threshold for the number of packets when an attack is detected to 300.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] system-guard detect-threshold 300
4.1.4 system-guard enable
Syntax
system-guard enable
undo system-guard enable
View
System view
Parameter
None
Description
Use the system-guard enable command to enable the system-guard feature.
Use the undo system-guard enable command to disable the system-guard feature.
By default, the system-guard feature is disabled.
Related command: display system-guard state.
Example
# Enable the system-guard feature.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] system-guard enable
System-guard is enabled
4.1.5 system-guard permit
Syntax
system-guard permit interface-list
undo system-guard permit interface-list
View
System view
Parameter
permit: Specifies the ports to which the system-guard function is to be applied.
interface-list: Specifies an Ethernet port list, which can contain multiple Ethernet ports. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } & <1-10>, where interface-type represents the port type, interface-number represents the port number, and & <1-10> means that you can provide up to 10 port indexes/port index lists for this argument. The start port number must be smaller than the end port number, and the two ports must be of the same type.
Description
Use the system-guard permit command to specify the ports to which the system-guard function is applied. The switch regularly checks the ports with the system-guard function applied for attacks.
Use the undo system-guard permit command to disable the system-guard function for specified ports.
By default, the system-guard function is disabled on a port.
Example
# Apply the system-guard function to Ethernet1/0/1 through Ethernet1/0/10 ports.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] system-guard permit Ethernet 1/0/1 to Ethernet 1/0/10
4.1.6 system-guard timer-interval
Syntax
system-guard timer-interval isolate-timer
undo system-guard timer-interval
View
System view
Parameter
isolate-timer: Length of the isolation after an attack is detected, in minutes, in the range of 1 to 10,000.
Description
Use the system-guard timer-interval command to set the length of the isolation after an attack is detected.
Use the undo system-guard timer-interval command to restore the length of the isolation to the default value.
By default, the length of the isolation after an attack is detected is 10 minutes.
Related command: display system-guard state.
Example
# Set the length of the isolation after an attack is detected to 20 minutes.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] system-guard timer-interval 20
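The four system-guard commands in this chapter describe one mechanism: count inbound packets on permitted ports, record an attack when a count exceeds the threshold, and isolate that traffic for the configured number of minutes. The following model is an added example, not H3C firmware; it follows the rules stated on this page (only permitted ports are checked, threshold 200 to 1,000 packets, isolation 1 to 10,000 minutes, and an attack record whose Alive time is the remaining isolation time) so the interaction of the commands can be exercised offline. Two points the page leaves open are assumptions here: packets are counted per (port, packet type, source MAC, source IP), and the counter restarts when an attack is recorded and again when its isolation expires. The flood in demo is constructed sample traffic built from the addresses shown in the display system-guard attack-record output above.

```python
"""Model of system-guard detection and isolation as configured by
system-guard enable, system-guard permit, system-guard detect-threshold
and system-guard timer-interval.

Added example, not H3C firmware. Per-(port, type, MAC, IP) counting and the
counter reset points are ASSUMPTIONS; ranges and defaults follow the manual.
"""
from collections import defaultdict

DETECT_THRESHOLD_RANGE = (200, 1000)   # packets
ISOLATE_TIMER_RANGE = (1, 10000)       # minutes


class SystemGuard:
    def __init__(self):
        self.enabled = False               # default: disabled
        self.permitted = set()             # default: no ports
        self.detect_threshold = 200        # default threshold
        self.isolate_timer = 10            # default isolation, minutes
        self.counters = defaultdict(int)
        self.isolated = {}                 # key -> time (minutes) isolation ends
        self.attack_number = 0

    def enable(self, on=True):
        self.enabled = on

    def permit(self, *ports):
        self.permitted.update(ports)

    def set_detect_threshold(self, value):
        lo, hi = DETECT_THRESHOLD_RANGE
        if not lo <= value <= hi:
            raise ValueError("threshold-value must be %d-%d" % (lo, hi))
        self.detect_threshold = value

    def set_timer_interval(self, minutes):
        lo, hi = ISOLATE_TIMER_RANGE
        if not lo <= minutes <= hi:
            raise ValueError("isolate-timer must be %d-%d minutes" % (lo, hi))
        self.isolate_timer = minutes

    def inbound(self, now, port, packet_type, src_mac, src_ip):
        """Handle one inbound packet at time `now` (minutes).
        Returns 'forward' or 'isolate'."""
        if not self.enabled or port not in self.permitted:
            return "forward"                  # unchecked port: never isolated
        key = (port, packet_type, src_mac, src_ip)
        end = self.isolated.get(key)
        if end is not None:
            if now < end:
                return "isolate"              # still inside the isolation period
            del self.isolated[key]            # isolation expired (assumption: restart count)
            self.counters[key] = 0
        self.counters[key] += 1
        if self.counters[key] > self.detect_threshold:   # "exceeds the threshold"
            self.isolated[key] = now + self.isolate_timer
            self.attack_number += 1
            self.counters[key] = 0
            return "isolate"
        return "forward"

    def attack_record(self, now):
        """Equivalent of display system-guard attack-record at time `now`."""
        records = []
        for (port, packet_type, src_mac, src_ip), end in self.isolated.items():
            if end > now:
                records.append({"Packet type": packet_type, "Port": port,
                                "MAC address": src_mac, "IP address": src_ip,
                                "Alive time": end - now})
        return records

    def state(self):
        """Equivalent of display system-guard state."""
        return {"System-guard Status": "Enabled" if self.enabled else "Disabled",
                "Permitted Interfaces": sorted(self.permitted),
                "Detect Threshold": self.detect_threshold,
                "Isolated Time": self.isolate_timer,
                "Attack Number": self.attack_number}


def demo():
    """Constructed flood from one source on a permitted port.
    Returns the model and the verdict for the packet that crossed the threshold."""
    sg = SystemGuard()
    sg.enable()
    sg.permit("Ethernet1/0/1")
    sg.set_detect_threshold(300)
    sg.set_timer_interval(20)
    verdict = "forward"
    for _ in range(301):                      # 300 forwarded; the 301st exceeds 300
        verdict = sg.inbound(0, "Ethernet1/0/1", "BOGUS",
                             "00e0-fc00-0001", "10.10.10.10")
    return sg, verdict
```

The model makes the boundary explicit: with detect-threshold 300, the 300th packet is still forwarded and the 301st is the one recorded, and a port that was never added with system-guard permit is never isolated however many packets it receives.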