H3C S3610[S5510] Series Ethernet Switches Command Manual-Release 5303(V1.01)
16-802.1x-HABP-MAC Authentication Commands
Table of Contents
Chapter 1 802.1x Configuration Commands
1.1 802.1x Configuration Commands
1.1.3 dot1x authentication-method
Chapter 2 EAD Fast Deployment Configuration Commands
2.1 EAD Fast Deployment Configuration Commands
Chapter 3 HABP Configuration Commands
3.1 HABP Configuration Commands
Chapter 4 MAC Authentication Configuration Commands
4.1 MAC Authentication Configuration Commands
4.1.1 display mac-authentication
4.1.3 mac-authentication domain
4.1.4 mac-authentication timer
4.1.5 mac-authentication user-name-format
4.1.6 reset mac-authentication statistics
Chapter 1 802.1x Configuration Commands
1.1 802.1x Configuration Commands
1.1.1 display dot1x
Syntax
display dot1x [ sessions | statistics ] [ interface interface-list ]
View
Any view
Parameters
sessions: Displays 802.1x session information.
statistics: Displays 802.1x statistics.
interface interface-list: Specifies an Ethernet port list, which can contain multiple Ethernet ports. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } & <1-10>, where interface-type represents the port type, interface-number represents the port number, and & <1-10> means that you can provide up to 10 port indexes/port index lists for this argument. The start port number must be smaller than the end number and the two ports must be of the same type.
Description
Use the display dot1x command to display information about 802.1x, including session information, statistics, or configuration.
With both the sessions keyword and the statistics keyword not provided, this command displays 802.1x configuration information.
Related commands: reset dot1x statistics, dot1x, dot1x retry, dot1x max-user, dot1x port-control, dot1x port-method, dot1x timer.
Examples
# Display 802.1x configuration information.
<Sysname> display dot1x
Global 802.1X protocol is enabled
CHAP authentication is enabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
EAD quick deploy is enabled
Configuration: Transmit Period 30 s, Handshake Period 15 s
Quiet Period 60 s, Quiet Period Timer is disabled
Supp Timeout 30 s, Server Timeout 100 s
The maximal retransmitting times 3
EAD quick deploy configuration:
URL: http://192.168.0.38
Free IP: 192.168.0.0 255.255.255.0
EAD timeout: 30 m
Total maximum 802.1x user resource number is 1024 per slot
Total current used 802.1x resource number is 0
Ethernet1/0/1 is link-up
802.1X protocol is disabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
Handshake is disabled
The port is an authenticator
Authenticate Mode is Auto
8021X Multicast-trigger is enabled
Port Control Type is Mac-based
Guest VLAN: 0
Max on-line user number is 256
EAPOL Packet: Tx 0, Rx 0
Sent EAP Request/Identity Packets : 0
EAP Request/Challenge Packets: 0
EAP Success Packets: 0, Fail Packets: 0
Received EAPOL Start Packets : 0
EAPOL LogOff Packets: 0
EAP Response/Identity Packets : 0
EAP Response/Challenge Packets: 0
Error Packets: 0
Controlled User(s) amount to 0
Table 1-1 Description on the fields of the display dot1x command

| Field | Description |
|---|---|
| Global 802.1X protocol is enabled | Indicates whether 802.1x is enabled |
| CHAP authentication is enabled | Indicates whether CHAP authentication is enabled |
| Proxy trap checker is disabled | Indicates whether the device is configured to send a trap packet when it detects a user trying to log in through a proxy |
| Proxy logoff checker is disabled | Indicates whether the device is configured to force offline any user trying to log in through a proxy |
| EAD quick deploy is enabled | Indicates whether EAD quick deployment is enabled |
| Transmit Period | Setting of the username request timeout timer |
| Handshake Period | Setting of the handshake timer |
| Quiet Period | Setting of the quiet timer |
| Quiet Period Timer is disabled | Indicates whether the quiet timer is enabled |
| Supp Timeout | Setting of the supplicant timeout timer |
| Server Timeout | Setting of the server timeout timer |
| The maximal retransmitting times | Maximum number of attempts for the authenticator to send authentication requests to the supplicant |
| EAD quick deploy configuration | EAD quick deployment configuration |
| URL | Redirect URL for IE users |
| Free IP | Accessible network segment |
| EAD timeout | EAD rule timeout time |
| Total maximum 802.1x user resource number per slot | Maximum number of supplicants supported per board |
| Total current used 802.1x resource number | Total number of online users |
| Ethernet1/0/1 is link-up | Status of port Ethernet 1/0/1 |
| 802.1X protocol is disabled | Indicates whether 802.1x is enabled on the port |
| Proxy trap checker is disabled | Indicates whether the port is configured to send a trap packet when it detects a user trying to log in through a proxy |
| Proxy logoff checker is disabled | Indicates whether the port is configured to force offline any user trying to log in through a proxy |
| Handshake is disabled | Indicates whether handshake is enabled on the port |
| The port is an authenticator | Role of the port |
| Authenticate Mode is Auto | Access control mode for the port |
| 8021X Multicast-trigger is enabled | Indicates whether the 802.1X multicast trigger is enabled |
| Port Control Type is Mac-based | Access control method for the port |
| Guest VLAN | Guest VLAN configured for the port. The value 0 means that no guest VLAN is configured. |
| Max on-line user number | Maximum number of users supported on the port |
| EAPOL Packet | Number of EAPOL packets sent (Tx) or received (Rx) |
| Sent EAP Request/Identity Packets | Number of EAP Request/Identity packets sent |
| EAP Request/Challenge Packets | Number of EAP Request/Challenge packets sent |
| EAP Success Packets | Number of EAP Success packets sent |
| Received EAPOL Start Packets | Number of EAPOL Start packets received |
| EAPOL LogOff Packets | Number of EAPOL LogOff packets received |
| EAP Response/Identity Packets | Number of EAP Response/Identity packets received |
| EAP Response/Challenge Packets | Number of EAP Response/Challenge packets received |
| Error Packets | Number of erroneous packets received |
| Controlled User(s) amount | Number of controlled users on the port |
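The display dot1x output above is what an operator reads when checking whether a port actually authenticates anyone: the global switch, the per-port enable, the access control mode and the access control method together decide that. The following Python script is an added example, not part of the manual or of H3C's software. It parses the output shown in this section into global and per-port settings and flags the combinations that leave a port open. The sample text is constructed from the display above plus a second port, Ethernet1/0/2, invented for the demonstration; the strings "Authorized-force" and "Port-based" for that port are our assumption about how the device prints those settings.

```python
import re

# Constructed sample: the display dot1x output shown in this chapter, plus a
# second port, Ethernet1/0/2, invented here to exercise the checks.  The
# strings "Authorized-force" and "Port-based" for that port are an assumption.
SAMPLE_OUTPUT = """\
Global 802.1X protocol is enabled
CHAP authentication is enabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
EAD quick deploy is enabled
Configuration: Transmit Period 30 s, Handshake Period 15 s
Quiet Period 60 s, Quiet Period Timer is disabled
Supp Timeout 30 s, Server Timeout 100 s
The maximal retransmitting times 3
Total maximum 802.1x user resource number is 1024 per slot
Total current used 802.1x resource number is 0
Ethernet1/0/1 is link-up
802.1X protocol is disabled
Handshake is disabled
The port is an authenticator
Authenticate Mode is Auto
Port Control Type is Mac-based
Guest VLAN: 0
Max on-line user number is 256
Ethernet1/0/2 is link-up
802.1X protocol is enabled
Handshake is enabled
The port is an authenticator
Authenticate Mode is Authorized-force
Port Control Type is Port-based
Guest VLAN: 0
Max on-line user number is 256
"""

_PORT_HEADER = re.compile(r"^(\S+) is link-(up|down)$")
_GLOBAL_DOT1X = re.compile(r"^Global 802\.1X protocol is (enabled|disabled)$")
_GLOBAL_METHOD = re.compile(r"^(CHAP|PAP|EAP) authentication is enabled$")
_PORT_FIELDS = {
    "dot1x": re.compile(r"^802\.1X protocol is (enabled|disabled)$"),
    "handshake": re.compile(r"^Handshake is (enabled|disabled)$"),
    "mode": re.compile(r"^Authenticate Mode is (\S+)$"),
    "method": re.compile(r"^Port Control Type is (\S+)$"),
    "guest_vlan": re.compile(r"^Guest VLAN: (\d+)$"),
}


def parse_display_dot1x(text):
    """Split display dot1x output into (global settings, {port name: settings})."""
    glob, ports, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = _PORT_HEADER.match(line)
        if header:
            current = ports.setdefault(header.group(1), {"link": header.group(2)})
            continue
        if current is None:  # still in the global block before the first port
            m = _GLOBAL_DOT1X.match(line)
            if m:
                glob["dot1x"] = m.group(1)
            m = _GLOBAL_METHOD.match(line)
            if m:
                glob["auth_method"] = m.group(1)
            continue
        for key, rx in _PORT_FIELDS.items():
            m = rx.match(line)
            if m:
                current[key] = m.group(1)
    return glob, ports


def audit_dot1x(text):
    """Return (port, finding) pairs for settings that weaken port authentication."""
    glob, ports = parse_display_dot1x(text)
    findings = []
    if glob.get("dot1x") != "enabled":
        findings.append(("global", "802.1x not enabled globally: no port authenticates"))
    if glob.get("auth_method") == "PAP":
        findings.append(("global", "PAP sends passwords in plain text to the server"))
    for name, port in sorted(ports.items()):
        if port.get("link") != "up":
            continue  # a down port admits no traffic; re-check when it comes up
        if port.get("dot1x") != "enabled":
            findings.append((name, "802.1X disabled on an up port: unauthenticated access"))
            continue
        if port.get("mode", "").lower() == "authorized-force":
            findings.append((name, "authorized-force: port open without authentication"))
        if port.get("method", "").lower() == "port-based":
            findings.append((name, "port-based: the first user's authentication admits every MAC"))
        if port.get("handshake") == "disabled":
            findings.append((name, "handshake disabled: users that went offline are not detected"))
    return findings


if __name__ == "__main__":
    for port, finding in audit_dot1x(SAMPLE_OUTPUT):
        print(port + ": " + finding)
```

Run against the sample, the script reports Ethernet1/0/1 (802.1X disabled while the port is up) and two findings on the constructed Ethernet1/0/2; the same parser can be pointed at output saved from a real switch to review every port in one pass.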
1.1.2 dot1x
Syntax
In system view:
dot1x [ interface interface-list ]
undo dot1x [ interface interface-list ]
In Ethernet interface view:
dot1x
undo dot1x
View
System view, interface view
Parameters
interface interface-list: Specifies a port list, which can contain multiple ports. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } & <1-10>, where interface-type represents the port type, interface-number represents the port number, and & <1-10> means that you can provide up to 10 port indexes/port index lists for this argument. The start port number must be smaller than the end number and the two ports must be of the same type.
Description
Use the dot1x command in system view to enable 802.1x globally.
Use the undo dot1x command in system view to disable 802.1x globally.
Use the dot1x interface interface-list command in system view or the dot1x command in interface view to enable 802.1x for specified ports.
Use the undo dot1x interface interface-list command in system view or the undo dot1x command in interface view to disable 802.1x for specified ports.
By default, 802.1x is neither enabled globally nor enabled for any port.
Note that:
- 802.1x must be enabled both globally in system view and for the intended ports in system view or interface view. Otherwise, it does not function.
- You can configure 802.1x parameters either before or after enabling 802.1x.
Related commands: display dot1x.
Examples
# Enable 802.1x for ports Ethernet 1/0/1, and Ethernet 1/0/5 to Ethernet 1/0/7.
<Sysname> system-view
[Sysname] dot1x interface ethernet 1/0/1 ethernet 1/0/5 to ethernet 1/0/7
Or
<Sysname> system-view
[Sysname] interface ethernet 1/0/1
[Sysname-Ethernet1/0/1] dot1x
[Sysname-Ethernet1/0/1] quit
[Sysname] interface ethernet 1/0/5
[Sysname-Ethernet1/0/5] dot1x
[Sysname-Ethernet1/0/5] quit
[Sysname] interface ethernet 1/0/6
[Sysname-Ethernet1/0/6] dot1x
[Sysname-Ethernet1/0/6] quit
[Sysname] interface ethernet 1/0/7
[Sysname-Ethernet1/0/7] dot1x
# Enable 802.1x globally.
<Sysname> system-view
[Sysname] dot1x
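Every per-port command in this chapter, from display dot1x and dot1x onward, takes the same interface-list argument: up to 10 items, each a single port or a range written with to, where a range's two ends must be of the same type and the start number must be smaller than the end number. The Python function below is an added example, not part of the manual or of H3C's software; it expands such an argument into the individual ports and rejects the malformed lists the manual rules out, which is what a configuration-review script needs before it can compare a command's port list with what display dot1x reports. One assumption is ours: a range walks only the last component of a port number, so 1/0/5 to 1/0/7 yields 1/0/5, 1/0/6 and 1/0/7, and the leading components of both ends must match.

```python
import re

MAX_ITEMS = 10  # "& <1-10>" in the manual: up to 10 ports or port ranges per argument

_NUMBER_RE = re.compile(r"^\d+(/\d+)*$")


def _split_number(num):
    # "1/0/5" -> (1, 0, 5); any other shape is rejected
    if not _NUMBER_RE.match(num):
        raise ValueError("bad interface-number %r" % num)
    return tuple(int(part) for part in num.split("/"))


def parse_interface_list(text):
    """Expand an interface-list argument into a list of (type, number) ports.

    Rules enforced, taken from the manual's description of the argument:
    at most 10 items, a range's two ends must be of the same type, and the
    start number must be smaller than the end number.  Assumption (ours):
    a range walks only the last component of a number, so 1/0/5 to 1/0/7
    yields 1/0/5, 1/0/6, 1/0/7, and the leading components must match.
    """
    tokens = text.lower().split()
    items = []
    i = 0
    while i < len(tokens):
        if i + 1 >= len(tokens):
            raise ValueError("interface-type %r has no interface-number" % tokens[i])
        ptype, pnum = tokens[i], tokens[i + 1]
        i += 2
        etype = enum = None
        if i < len(tokens) and tokens[i] == "to":
            if i + 2 >= len(tokens):
                raise ValueError("'to' must be followed by interface-type interface-number")
            etype, enum = tokens[i + 1], tokens[i + 2]
            i += 3
        items.append((ptype, pnum, etype, enum))
    if not items:
        raise ValueError("empty interface-list")
    if len(items) > MAX_ITEMS:
        raise ValueError("interface-list has %d items; at most %d allowed" % (len(items), MAX_ITEMS))

    ports = []
    for ptype, pnum, etype, enum in items:
        start = _split_number(pnum)
        if etype is None:
            ports.append((ptype, pnum))
            continue
        if etype != ptype:
            raise ValueError("range %s %s to %s %s mixes port types" % (ptype, pnum, etype, enum))
        end = _split_number(enum)
        if start[:-1] != end[:-1]:
            raise ValueError("range %s to %s spans more than the last number component" % (pnum, enum))
        if start[-1] >= end[-1]:
            raise ValueError("start port %s must be smaller than end port %s" % (pnum, enum))
        prefix = "/".join(str(x) for x in start[:-1])
        for n in range(start[-1], end[-1] + 1):
            ports.append((ptype, "%s/%d" % (prefix, n) if prefix else str(n)))
    return ports


if __name__ == "__main__":
    # The port list from the dot1x example above: 1/0/1 and 1/0/5 to 1/0/7
    for port in parse_interface_list("ethernet 1/0/1 ethernet 1/0/5 to ethernet 1/0/7"):
        print(port)
```

Port types are lowercased so that "Ethernet" and "ethernet" compare equal; the numbers are kept as strings in the result so they can be matched directly against the prompt names such as Ethernet1/0/6 that the switch prints.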
1.1.3 dot1x authentication-method
Syntax
dot1x authentication-method { chap | eap | pap }
undo dot1x authentication-method
View
System view
Parameters
chap: Authenticates supplicants using CHAP.
eap: Authenticates supplicants using EAP.
pap: Authenticates supplicants using PAP.
Description
Use the dot1x authentication-method command to set the 802.1x authentication method.
Use the undo dot1x authentication-method command to restore the default.
By default, CHAP is used.
- The password authentication protocol (PAP) transports passwords in plain text.
- The challenge handshake authentication protocol (CHAP) transports only usernames over the network. Compared with PAP, CHAP provides better security.
- With EAP relay authentication, the authenticator encapsulates 802.1x user information in the EAP attributes of RADIUS packets and sends the packets to the RADIUS server for authentication; it does not need to repackage the EAP packets into standard RADIUS packets for authentication. In this case, you can configure the user-name-format command but it does not take effect. Currently, the device supports these EAP modes: EAP-TLS, EAP-TTLS, EAP-MD5, and PEAP. For information about the user-name-format command, refer to AAA RADIUS HWTACACS Commands.
Note that:
- Local authentication supports only PAP and CHAP.
- For RADIUS authentication, the RADIUS server must be configured accordingly to support PAP, CHAP, or EAP authentication.
Related commands: display dot1x.
Examples
# Set the 802.1x authentication method to PAP.
<Sysname> system-view
[Sysname] dot1x authentication-method pap
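The difference between PAP and CHAP described above is easiest to see by looking at what each method puts on the wire between the authenticator and the authentication server. The Python script below is an added example, not part of the manual or of H3C's software; the username "alice" and the secret are constructed. It models one PAP request and one CHAP challenge/response computed as RFC 1994 specifies, MD5 over the Identifier, the secret and the Challenge, and reports whether the secret itself appears in the captured payload.

```python
import hashlib
import hmac
import os

# Constructed credentials for the demonstration; nothing here comes from the manual.
USERNAME = "alice"
SECRET = b"correct horse battery staple"


def pap_request(username, password):
    """PAP: the Authenticate-Request carries the password itself."""
    return {"username": username, "password": password}


def chap_challenge():
    """Authenticator side of CHAP: a fresh Identifier and random Challenge per attempt."""
    return os.urandom(1)[0], os.urandom(16)


def chap_response(identifier, secret, challenge):
    """Supplicant side of CHAP (RFC 1994): MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier, challenge, response, stored_secret):
    """Server side of CHAP: recompute from the stored secret and compare in constant time."""
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def run_exchange(method, secret_on_supplicant):
    """Run one authentication with the given method and return (wire_payload, accepted).

    wire_payload is what an observer between supplicant and server would see.
    """
    if method == "pap":
        request = pap_request(USERNAME, secret_on_supplicant)
        return request, hmac.compare_digest(request["password"], SECRET)
    if method == "chap":
        identifier, challenge = chap_challenge()
        response = chap_response(identifier, secret_on_supplicant, challenge)
        wire = {"username": USERNAME, "id": identifier,
                "challenge": challenge, "response": response}
        return wire, chap_verify(identifier, challenge, response, SECRET)
    raise ValueError("unknown method %r" % method)


def secret_visible_on_wire(wire):
    """True when the shared secret itself appears in any field of the captured payload."""
    return any(value == SECRET for value in wire.values())


if __name__ == "__main__":
    for method in ("pap", "chap"):
        wire, accepted = run_exchange(method, SECRET)
        print(method, "accepted:", accepted, "secret on wire:", secret_visible_on_wire(wire))
```

PAP succeeds with the secret readable in the request; CHAP succeeds with only the username, the identifier, the challenge and a 16-byte digest visible. The digest still depends on the secret, so the server-side secret and the RADIUS shared secret should be strong, and a fresh random challenge per attempt, as chap_challenge does, is what prevents a recorded response from being replayed.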
1.1.4 dot1x guest-vlan
Syntax
In system view:
dot1x guest-vlan vlan-id [ interface interface-list ]
undo dot1x guest-vlan [ interface interface-list ]
In Ethernet interface view:
dot1x guest-vlan vlan-id
undo dot1x guest-vlan
View
System view, Ethernet interface view
Parameters
vlan-id: ID of the VLAN to be specified as the guest VLAN, in the range 1 to 4094.
interface interface-list: Specifies an Ethernet port list, which can contain multiple Ethernet ports. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } & <1-10>, where interface-type represents the port type, interface-number represents the port number, and & <1-10> means that you can provide up to 10 port indexes/port index lists for this argument. The start port number must be smaller than the end number and the two ports must be of the same type.
Description
Use the dot1x guest-vlan command to configure the guest VLAN for specified or all ports.
Use the undo dot1x guest-vlan command to remove the guest VLAN(s) configured for specified or all ports.
By default, a port is configured with no guest VLAN.
In system view, this command configures the guest VLAN for all ports when interface-list is not provided, and for the specified ports when interface-list is provided.
In Ethernet interface view, you cannot specify the interface-list argument and can only configure guest VLAN for the current port.
For the guest VLAN feature to take effect on a port, make sure that:
- 802.1x is enabled.
- The port access control method is set to portbased. When the port access control method is macbased, you can configure a guest VLAN but your configuration will not take effect.
- The port access control mode is set to auto.
- The link type of the port is set to access.
Note that:
- Do not delete a VLAN that has been configured as a guest VLAN.
- You can specify a tagged VLAN as the guest VLAN for a Hybrid port, but the guest VLAN does not take effect. Similarly, if a guest VLAN for a Hybrid port is in operation, you cannot configure the guest VLAN to carry tags.
Examples
# Specify port Ethernet 1/0/1 to use VLAN 999 as its guest VLAN.
<Sysname> system-view
[Sysname] dot1x guest-vlan 999 interface ethernet 1/0/1
# Specify ports Ethernet 1/0/2 to Ethernet 1/0/5 to use VLAN 10 as their guest VLAN.
<Sysname> system-view
[Sysname] dot1x guest-vlan 10 interface ethernet 1/0/2 to ethernet 1/0/5
# Specify all ports to use VLAN 7 as their guest VLAN.
<Sysname> system-view
[Sysname] dot1x guest-vlan 7
# Specify port Ethernet 1/0/7 to use VLAN 3 as its guest VLAN.
<Sysname> system-view
[Sysname] interface ethernet 1/0/7
[Sysname-Ethernet1/0/7] dot1x guest-vlan 3
1.1.5 dot1x handshake
Syntax
dot1x handshake
undo dot1x handshake
View
Interface view
Parameters
None
Description
Use the dot1x handshake command to enable the online user handshake function so that the device can periodically send handshake messages to the client to check whether a user is online.
Use the undo dot1x handshake command to disable the function.
By default, the function is enabled.
Note that the 802.1x proxy detection function depends on the online user handshake function. Be sure to enable handshake before enabling proxy detection and to disable proxy detection before disabling handshake.
Examples
# Enable online user handshake.
<Sysname> system-view
[Sysname] interface ethernet 1/0/4
[Sysname-Ethernet1/0/4] dot1x handshake
1.1.6 dot1x max-user
Syntax
In system view:
dot1x max-user user-number [ interface interface-list ]
undo dot1x max-user [ interface interface-list ]
In Ethernet interface view:
dot1x max-user user-number
undo dot1x max-user
View
System view, Ethernet interface view
Parameters
user-number: Maximum number of users to be supported simultaneously. The valid range is from 1 to 256.
interface interface-list: Specifies an Ethernet port list, which can contain multiple Ethernet ports. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } & <1-10>, where interface-type represents the port type, interface-number represents the port number, and & <1-10> means that you can provide up to 10 port indexes/port index lists for this argument. The start port number must be smaller than the end number and the two ports must be of the same type.
Description
Use the dot1x max-user command to set the maximum number of users to be supported simultaneously for specified or all ports.
Use the undo dot1x max-user command to restore the default.
By default, the maximum number of concurrent users supported on a port is 256.
With no interface specified, the command sets the threshold for all ports.
Related commands: display dot1x.
Examples
# Configure port Ethernet 1/0/1 to support up to 32 concurrent users.
<Sysname> system-view
[Sysname] dot1x max-user 32 interface ethernet 1/0/1
Or
<Sysname> system-view
[Sysname] interface ethernet 1/0/1
[Sysname-Ethernet1/0/1] dot1x max-user 32
1.1.7 dot1x multicast-trigger
Syntax
dot1x multicast-trigger
undo dot1x multicast-trigger
View
Interface view
Parameters
None
Description
Use the dot1x multicast-trigger command to enable the multicast trigger function of 802.1x to send multicast trigger messages to the clients periodically.
Use the undo dot1x multicast-trigger command to disable this function.
By default, the multicast trigger function is enabled.
Related commands: display dot1x.
Examples
# Disable the multicast trigger function for interface Ethernet 1/0/1.
<Sysname> system-view
[Sysname] interface ethernet 1/0/1
[Sysname-Ethernet1/0/1] undo dot1x multicast-trigger
1.1.8 dot1x port-control
Syntax
In system view:
dot1x port-control { authorized-force | auto | unauthorized-force } [ interface interface-list ]
undo dot1x port-control [ interface interface-list ]
In Ethernet interface view:
dot1x port-control { authorized-force | auto | unauthorized-force }
undo dot1x port-control
View
System view, Ethernet interface view
Parameters
authorized-force: Places the specified or all ports in the state of authorized, allowing users of the ports to access the network without authentication.
auto: Places the specified or all ports in the state of unauthorized initially to allow only EAPOL frames to pass, and turns the ports into the state of authorized to allow access to the network after the users pass authentication. This is the most common choice.
unauthorized-force: Places the specified or all ports in the state of unauthorized, denying any access requests from users of the ports.
interface interface-list: Specifies an Ethernet port list, which can contain multiple Ethernet ports. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } & <1-10>, where interface-type represents the port type, interface-number represents the port number, and & <1-10> means that you can provide up to 10 port indexes/port index lists for this argument. The start port number must be smaller than the end number and the two ports must be of the same type.
Description
Use the dot1x port-control command to set the access control mode for specified or all ports.
Use the undo dot1x port-control command to restore the default.
The default access control mode is auto.
Related commands: display dot1x.
Examples
# Set the access control mode of port Ethernet 1/0/1 to unauthorized-force.
<Sysname> system-view
[Sysname] dot1x port-control unauthorized-force interface ethernet 1/0/1
Or
<Sysname> system-view
[Sysname] interface ethernet 1/0/1
[Sysname-Ethernet1/0/1] dot1x port-control unauthorized-force
1.1.9 dot1x port-method
Syntax
In system view:
dot1x port-method { macbased | portbased } [ interface interface-list ]
undo dot1x port-method [ interface interface-list ]
In Ethernet interface view:
dot1x port-method { macbased | portbased }
undo dot1x port-method
View
System view, Ethernet interface view
Parameters
macbased: Specifies to use the macbased authentication method. With this method, each user of a port must be authenticated separately, and when an authenticated user goes offline, no other users are affected.
portbased: Specifies to use the portbased authentication method. With this method, after the first user of a port passes authentication, all other users of the port can access the network without authentication, and when the first user goes offline, all other users get offline at the same time.
interface interface-list: Specifies an Ethernet port list, which can contain multiple Ethernet ports. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } & <1-10>, where interface-type represents the port type, interface-number represents the port number, and & <1-10> means that you can provide up to 10 port indexes/port index lists for this argument. The start port number must be smaller than the end number and the two ports must be of the same type.
Description
Use the dot1x port-method command to set the access control method for specified or all ports.
Use the undo dot1x port-method command to restore the default.
The default access control method is macbased.
Related commands: display dot1x.
Examples
# Set the access control method to portbased for port Ethernet 1/0/1.
<Sysname> system-view
[Sysname] dot1x port-method portbased interface ethernet 1/0/1
Or
<Sysname> system-view
[Sysname] interface ethernet 1/0/1
[Sysname-Ethernet1/0/1] dot1x port-method portbased
1.1.10 dot1x quiet-period
Syntax
dot1x quiet-period
undo dot1x quiet-period
View
System view
Parameters
None
Description
Use the dot1x quiet-period command to enable the quiet timer function.
Use the undo dot1x quiet-period command to disable the function.
By default, the function is disabled.
After a supplicant fails the authentication, the authenticator refuses further authentication requests from the supplicant in the period dictated by the quiet timer.
Related commands: display dot1x, dot1x timer.
Examples
# Enable the quiet timer.
<Sysname> system-view
[Sysname] dot1x quiet-period
1.1.11 dot1x retry
Syntax
dot1x retry max-retry-value
undo dot1x retry
View
System view
Parameters
max-retry-value: Maximum number of attempts to send an authentication request to a supplicant, in the range 1 to 10.
Description
Use the dot1x retry command to set the maximum number of attempts to send an authentication request to a supplicant.
Use the undo dot1x retry command to restore the default.
By default, the authenticator sends an authentication request to a supplicant at most twice.
Note that after sending an authentication request to a supplicant, the authenticator may retransmit the request if it does not receive any response at an interval specified by the username request timeout timer or supplicant timeout timer. The number of retransmission attempts is one less than the value set by this command.
Related commands: display dot1x.
Examples
# Set the maximum number of attempts to send an authentication request to a supplicant as 9.
<Sysname> system-view
[Sysname] dot1x retry 9
1.1.12 dot1x supp-proxy-check
Syntax
In system view:
dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]
undo dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]
In Ethernet interface view:
dot1x supp-proxy-check { logoff | trap }
undo dot1x supp-proxy-check { logoff | trap }
View
System view, Ethernet interface view
Parameters
logoff: Forces offline any user trying to log in through a proxy.
trap: Sends a trap to the network management system when it detects a user trying to log in through a proxy.
interface interface-list: Specifies an Ethernet port list, which can contain multiple Ethernet ports. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } & <1-10>, where interface-type represents the port type, interface-number represents the port number, and & <1-10> means that you can provide up to 10 port indexes/port index lists for this argument. The start port number must be smaller than the end number and the two ports must be of the same type.
Description
Use the dot1x supp-proxy-check command to enable detection and control of users logging in through proxies for specified or all ports.
Use the undo dot1x supp-proxy-check command to disable the function for specified or all ports.
By default, the function is disabled.
Note that:
- This function requires the cooperation of the 802.1x client program by H3C.
- In system view, this command enables detection and control of users' login for all ports when interface-list is not provided, and for the specified ports when interface-list is provided.
- In Ethernet interface view, you cannot specify the interface-list argument and can only enable detection and control of users' login for the current port.
- This function must be enabled both globally in system view and for the intended ports in system view or Ethernet interface view. Otherwise, it does not work.
Related commands: display dot1x.
Examples
# Configure ports Ethernet 1/0/1 to Ethernet 1/0/8 to force offline users trying to log in through proxies.
<Sysname> system-view
[Sysname] dot1x supp-proxy-check logoff
[Sysname] dot1x supp-proxy-check logoff interface ethernet 1/0/1 to ethernet 1/0/8
# Configure port Ethernet 1/0/9 to send a trap packet when it detects a user trying to log in through a proxy.
<Sysname> system-view
[Sysname] dot1x supp-proxy-check trap
[Sysname] dot1x supp-proxy-check trap interface ethernet 1/0/9
Or
<Sysname> system-view
[Sysname] dot1x supp-proxy-check trap
[Sysname] interface ethernet 1/0/9
[Sysname-Ethernet1/0/9] dot1x supp-proxy-check trap
1.1.13 dot1x timer
Syntax
dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | server-timeout server-timeout-value | supp-timeout supp-timeout-value | tx-period tx-period-value }
undo dot1x timer { handshake-period | quiet-period | server-timeout | supp-timeout | tx-period }
View
System view
Parameters
handshake-period-value: Setting for the handshake timer in seconds. It ranges from 5 to 1024 and defaults to 15.
quiet-period-value: Setting for the quiet timer in seconds. It ranges from 10 to 120 and defaults to 60.
server-timeout-value: Setting for the server timeout timer in seconds. It ranges from 100 to 300 and defaults to 100.
supp-timeout-value: Setting for the supplicant timeout timer in seconds. It ranges from 10 to 120 and defaults to 30.
tx-period-value: Setting for the username request timeout timer in seconds. It ranges from 10 to 120 and defaults to 30.
Description
Use the dot1x timer command to set 802.1x timers.
Use the undo dot1x timer command to restore the defaults.
Several timers are used in the 802.1x authentication process to guarantee that the supplicants, the authenticators, and the RADIUS server interact with each other in a reasonable manner. You can use this command to set these timers:
- Handshake timer (handshake-period): After a supplicant passes authentication, the authenticator sends handshake requests to the supplicant at this interval to check whether the supplicant is online. If the authenticator receives no response after sending the allowed maximum number of handshake requests, it considers the supplicant offline.
- Server timeout timer (server-timeout): Once an authenticator sends a RADIUS Access-Request packet to the authentication server, it starts this timer. If this timer expires but it receives no response from the server, it retransmits the request.
- Supplicant timeout timer (supp-timeout): Once an authenticator sends an EAP-Request/MD5 Challenge frame to a supplicant, it starts this timer. If this timer expires but it receives no response from the supplicant, it retransmits the request.
- Username request timeout timer (tx-period): Once an authenticator sends an EAP-Request/Identity frame to a supplicant, it starts this timer. If this timer expires but it receives no response from the supplicant, it retransmits the request. In addition, to be compatible with clients that do not send EAPOL-Start requests on their own, the device multicasts EAP-Request/Identity frames periodically to detect the clients, with the multicast interval defined by tx-period.
Generally, it is unnecessary to change the timers unless in some special or extreme network environments.
Related commands: display dot1x.
Examples
# Set the server timeout timer to 150 seconds.
<Sysname> system-view
[Sysname] dot1x timer server-timeout 150
1.1.14 reset dot1x statistics
Syntax
reset dot1x statistics [ interface interface-list ]
View
User view
Parameters
interface interface-list: Specifies an Ethernet port list, which can contain multiple Ethernet ports. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } & <1-10>, where interface-type represents the port type, interface-number represents the port number, and & <1-10> means that you can provide up to 10 port indexes/port index lists for this argument. The start port number must be smaller than the end number and the two ports must be of the same type.
Description
Use the reset dot1x statistics command to clear 802.1x statistics.
With the interface interface-list argument specified, the command clears 802.1x statistics on the specified ports. With the argument unspecified, the command clears global 802.1x statistics and 802.1x statistics on all ports.
Related commands: display dot1x.
Examples
# Clear 802.1x statistics on port Ethernet 1/0/1.
<Sysname> reset dot1x statistics interface ethernet 1/0/1
Chapter 2 EAD Fast Deployment Configuration Commands
2.1 EAD Fast Deployment Configuration Commands
2.1.1 dot1x free-ip
Syntax
dot1x free-ip ip-address { mask | mask-length }
undo dot1x free-ip { ip-address { mask | mask-length } | all }
View
System view
Parameters
ip-address: IP address of the freely accessible network segment, also called a free IP.
mask: Mask of the freely accessible network segment.
mask-length: Length of the mask of the freely accessible network segment.
Description
Use the dot1x free-ip command to configure a freely accessible network segment, that is, a network segment that users can access before passing 802.1x authentication.
Use the undo dot1x free-ip command to remove one or all freely accessible network segments.
By default, no freely accessible network segment is configured.
Note that:
- The free IP function is mutually exclusive with the global MAC authentication function and the port security function.
- The free IP function is effective only when the port access control mode is auto.
- The maximum number of freely accessible network segments varies by device.
Related commands: display dot1x.
Examples
# Configure 192.168.0.0 as a freely accessible network segment.
<Sysname> system-view
[Sysname] dot1x free-ip 192.168.0.0 24
2.1.2 dot1x timer ead-timeout
Syntax
dot1x timer ead-timeout ead-timeout-value
undo dot1x timer ead-timeout
View
System view
Parameters
ead-timeout-value: EAD rule timeout time, in the range 1 minute to 1440 minutes.
Description
Use the dot1x timer ead-timeout command to set the EAD rule timeout time.
Use the undo dot1x timer ead-timeout command to restore the default.
By default, the timeout time is 30 minutes.
Related commands: display dot1x.
Examples
# Set the EAD rule timeout time to 5 minutes.
<Sysname> system-view
[Sysname] dot1x timer ead-timeout 5
2.1.3 dot1x url
Syntax
dot1x url url-string
undo dot1x url [ url-string ]
View
System view
Parameters
url-string: Redirect URL, a case-sensitive string of 1 to 64 characters in the format http://string.
Description
Use the dot1x url command to configure a URL to which the system redirects users’ HTTP access before they pass 802.1x authentication.
Use the undo dot1x url command to remove the redirect URL.
By default, no redirect URL is defined.
Note that:
- The redirect URL and the free IP must be in the same network segment; otherwise, the URL may be inaccessible.
- You can configure the dot1x url command more than once, but only the last one takes effect.
Related commands: display dot1x, dot1x free-ip.
Examples
# Configure the redirect URL as http://192.168.0.1.
<Sysname> system-view
[Sysname] dot1x url http://192.168.0.1
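The two notes above for dot1x url, together with the dot1x free-ip syntax, give a check that is easy to get wrong by hand: the host in the redirect URL has to fall inside a free IP segment, the segment may be written with a mask or a mask length, and when dot1x url appears several times only the last occurrence counts. The Python script below is an added example, not part of the manual or of H3C's software; it lints the dot1x free-ip and dot1x url lines of a configuration excerpt against those rules and against the 1-to-64-character http:// form the url-string parameter requires. The configuration lines used in the usage call are constructed from this chapter's examples.

```python
import ipaddress
from urllib.parse import urlsplit

MAX_URL_LEN = 64  # url-string: 1 to 64 characters, from the dot1x url parameters


def parse_free_ip(argument):
    """Turn the dot1x free-ip argument into a network.

    Accepts both forms the syntax allows: '192.168.0.0 24' (mask-length) and
    '192.168.0.0 255.255.255.0' (mask).
    """
    address, mask = argument.split()
    return ipaddress.ip_network("%s/%s" % (address, mask), strict=False)


def url_host_in_segments(url, segments):
    """True when the redirect URL names an IP address inside one of the free IP segments."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    try:
        address = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname cannot be placed in a segment without resolving it
    return any(address in segment for segment in segments)


def lint_ead_config(config_lines):
    """Check the dot1x free-ip and dot1x url lines of a configuration excerpt.

    Returns a list of warning strings; an empty list means the redirect URL is
    well formed and lies inside a free IP segment as far as these checks can tell.
    """
    segments, url = [], None
    for raw in config_lines:
        line = raw.strip()
        if line.startswith("dot1x free-ip "):
            segments.append(parse_free_ip(line[len("dot1x free-ip "):]))
        elif line.startswith("dot1x url "):
            url = line[len("dot1x url "):].strip()  # only the last dot1x url takes effect
    warnings = []
    if url is None:
        return warnings
    if not url.startswith("http://"):
        warnings.append("redirect URL must be in the form http://string")
    if not 1 <= len(url) <= MAX_URL_LEN:
        warnings.append("redirect URL must be 1 to %d characters" % MAX_URL_LEN)
    if not segments:
        warnings.append("redirect URL set but no free IP segment configured; "
                        "clients cannot reach it before authentication")
    elif not url_host_in_segments(url, segments):
        warnings.append("redirect URL host is not inside any free IP segment; "
                        "the URL may be inaccessible")
    return warnings


if __name__ == "__main__":
    # Constructed excerpt built from this chapter's examples
    sample = ["dot1x free-ip 192.168.0.0 24", "dot1x url http://192.168.0.1"]
    print(lint_ead_config(sample) or "EAD fast deployment settings are consistent")
```

A URL whose host is a DNS name is reported as outside the free IP segments because the script cannot resolve it; in that case either use the server's IP address in dot1x url or confirm separately that name resolution works for a client that has not yet authenticated.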
Chapter 3 HABP Configuration Commands
3.1 HABP Configuration Commands
3.1.1 display habp
Syntax
display habp
View
Any view
Parameters
None
Description
Use the display habp command to display HABP configuration information.
Examples
# Display HABP configuration information.
<Sysname> display habp
Global HABP information:
HABP Mode: Server
Sending HABP request packets every 20 seconds
Bypass VLAN: 2
Table 3-1 Description on the fields of the display habp command
Field | Description |
---|---|
HABP Mode | HABP mode of the current device, server or client |
Sending HABP request packets every 20 seconds | Interval to send HABP request packets |
Bypass VLAN | ID of the VLAN in which HABP packets are transmitted |
3.1.2 display habp table
Syntax
display habp table
View
Any view
Parameters
None
Description
Use the display habp table command to display HABP MAC address table entries.
Examples
# Display HABP MAC address table entries.
<Sysname> display habp table
MAC Holdtime Receive Port
001f-3c00-0030 53 Ethernet1/0/1
Table 3-2 Description on the fields of the display habp table command
Field | Description |
---|---|
MAC | MAC address |
Holdtime | Lifetime of an entry in seconds. The initial value is three times the interval at which HABP request packets are sent. An entry ages out if it is not updated during the holdtime. |
Receive Port | Port that learned the MAC address |
3.1.3 display habp traffic
Syntax
display habp traffic
View
Any view
Parameters
None
Description
Use the display habp traffic command to display HABP packet statistics.
Examples
# Display HABP packet statistics.
<Sysname> display habp traffic
HABP counters :
Packets output: 0, Input: 0
ID error: 0, Type error: 0, Version error: 0
Sent failed: 0
Table 3-3 Description on the fields of the display habp traffic command
Field | Description |
---|---|
Packets output | Number of HABP packets sent |
Input | Number of HABP packets received |
ID error | Number of packets with an incorrect ID |
Type error | Number of packets with an incorrect type |
Version error | Number of packets with an incorrect version number |
Sent failed | Number of packets that failed to be sent |
3.1.4 habp enable
Syntax
habp enable
undo habp enable
View
System view
Parameters
None
Description
Use the habp enable command to enable HABP.
Use the undo habp enable command to disable HABP.
By default, HABP is enabled.
Examples
# Enable HABP.
<Sysname> system-view
[Sysname] habp enable
3.1.5 habp server vlan
Syntax
habp server vlan vlan-id
undo habp server
View
System view
Parameters
vlan-id: ID of the VLAN in which HABP packets are to be transmitted, in the range 1 to 4094.
Description
Use the habp server vlan command to configure HABP to work in server mode and specify the VLAN in which HABP packets are to be transmitted.
Use the undo habp server command to restore HABP to the default mode.
By default, HABP works in client mode.
Examples
# Configure HABP to work in server mode and specify the VLAN for HABP packets as VLAN 2.
<Sysname> system-view
[Sysname] habp server vlan 2
3.1.6 habp timer
Syntax
habp timer interval
undo habp timer
View
System view
Parameters
interval: Interval (in seconds) to send HABP request packets, in the range 5 to 600.
Description
Use the habp timer command to set the interval to send HABP request packets.
Use the undo habp timer command to restore the default.
The default interval is 20 seconds.
This command is required only on the HABP server.
Examples
# Set the interval to send HABP request packets to 50 seconds.
<Sysname> system-view
[Sysname] habp timer 50
Chapter 4 MAC Authentication Configuration Commands
4.1 MAC Authentication Configuration Commands
4.1.1 display mac-authentication
Syntax
display mac-authentication [ interface interface-list ]
View
Any view
Parameters
interface interface-list: Specifies an Ethernet port list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. A port range defined without the to interface-type interface-number portion comprises only one port. With an interface range, the end interface number and the start interface number must be of the same type and the former must be greater than the latter.
Description
Use the display mac-authentication command to display global MAC authentication information or MAC authentication information about specified ports.
Examples
# Display global MAC authentication information.
<Sysname> display mac-authentication
MAC address authentication is enabled.
User name format is MAC address, like xxxxxxxxxxxx
Fixed username:mac
Fixed password:not configured
Offline detect period is 300s
Quiet period is 60s.
Server response timeout value is 100s
the max allowed user number is 1024 per slot
Current user number amounts to 0
Current domain: not configured, use default domain
Silent Mac User info:
MAC ADDR From Port Port Index
Ethernet1/0/1 is link-up
MAC address authentication is Enabled
Authenticate success: 0, failed: 0
Current online user number is 0
MAC ADDR Authenticate state AuthIndex
……(omitted)
Table 4-1 Description on the fields of the display mac-authentication command
Field | Description |
---|---|
MAC address authentication is Enabled | Whether MAC authentication is enabled |
User name format is MAC address, like xxxxxxxxxxxx | The username is in the format of a MAC address, like xxxxxxxxxxxx |
Fixed username: | Fixed username |
Fixed password: | Password of the fixed username |
Offline detect period | Setting of the offline detect timer |
Quiet period | Setting of the quiet timer |
Server response timeout value | Setting of the server timeout timer |
the max allowed user number | Maximum number of users each slot in the device supports |
Current user number amounts to | Total number of online users |
Current domain: not configured, use default domain | Currently used ISP domain |
Silent Mac User info | Information on users who are kept silent after failing MAC authentication |
Ethernet1/0/1 is link-up | Status of the link on port Ethernet 1/0/1 |
MAC address authentication is Enabled | Whether MAC authentication is enabled on port Ethernet 1/0/1 |
Authenticate success: 0, failed: 0 | MAC authentication statistics: the number of successful and the number of unsuccessful authentication attempts |
Current online user number | Number of online users on the port |
MAC ADDR | Online user MAC address |
Authenticate state | User status. Possible values: CONNECTING (the user is logging in), SUCCESS (the user has passed authentication), FAILURE (the user failed authentication), LOGOFF (the user has logged off) |
AuthIndex | Authenticator index |
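The per-port counters in this output are the quickest way to spot a port where many devices are failing MAC authentication. The following added example (not part of the manual, and not H3C code) parses the global timers and the per-port success/failure counters from a constructed sample modelled on the output above and flags ports whose failure share crosses a threshold; the threshold values are assumptions.

```python
import re
# Constructed sample modelled on the output above; counters and the second port are made up.
SAMPLE = """\
MAC address authentication is enabled.
Offline detect period is 300s
Quiet period is 60s.
Server response timeout value is 100s
Ethernet1/0/1 is link-up
  MAC address authentication is Enabled
  Authenticate success: 5, failed: 7
  Current online user number is 1
Ethernet1/0/2 is link-up
  MAC address authentication is Enabled
  Authenticate success: 3, failed: 0
  Current online user number is 1
"""
PORT_RE = re.compile(r"^(\S+) is (link-up|link-down)$")
COUNT_RE = re.compile(r"Authenticate success: (\d+), failed: (\d+)")
TIMER_RE = re.compile(r"^(Offline detect period|Quiet period|Server response timeout value) is (\d+)s")

def parse_mac_auth(text):
    """Split the output into global settings and per-port counters."""
    result = {"global": {"timers": {}}, "ports": {}}
    port = None  # per-port dict once a "<port> is link-..." header is seen
    for raw in text.splitlines():
        line = raw.strip()
        if m := PORT_RE.match(line):
            port = result["ports"].setdefault(m.group(1), {"link": m.group(2)})
        elif port is None:  # still in the global part of the output
            if line.startswith("MAC address authentication is"):
                result["global"]["enabled"] = line.rstrip(".").endswith("enabled")
            elif t := TIMER_RE.match(line):
                result["global"]["timers"][t.group(1)] = int(t.group(2))
        elif line.startswith("MAC address authentication is"):
            port["enabled"] = line.endswith("Enabled")
        elif c := COUNT_RE.match(line):
            port["success"], port["failed"] = int(c.group(1)), int(c.group(2))
        elif line.startswith("Current online user number is"):
            port["online"] = int(line.rsplit(" ", 1)[1])
    return result

def ports_with_high_failure(parsed, min_attempts=5, ratio=0.5):
    """Ports whose failed share of attempts exceeds ratio (review trigger)."""
    hits = []
    for name, p in parsed["ports"].items():
        total = p.get("success", 0) + p.get("failed", 0)
        if total >= min_attempts and p.get("failed", 0) / total > ratio:
            hits.append(name)
    return hits
```

Counters are cumulative until cleared with reset mac-authentication statistics, so compare successive snapshots rather than absolute values when polling.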
4.1.2 mac-authentication
Syntax
mac-authentication [ interface interface-list ]
undo mac-authentication [ interface interface-list ]
View
System view, Ethernet interface view
Parameters
interface interface-list: Specifies an Ethernet port list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. A port range defined without the to interface-type interface-number portion comprises only one port.
Description
Use the mac-authentication command to enable MAC authentication globally or for one or more ports.
Use the undo mac-authentication command to disable MAC authentication globally or for one or more ports.
By default, MAC authentication is neither enabled globally nor enabled on any port.
Note that:
l In system view, if you provide the interface-list argument, the command enables MAC authentication for the specified ports; otherwise, the command enables MAC authentication globally. In Ethernet interface view, the command enables MAC authentication for the port without requiring the interface-list argument.
l You can configure MAC authentication parameters globally or for specified ports either before or after enabling MAC authentication. If no MAC authentication parameters are configured before MAC authentication is enabled globally, the default values are used.
l You can enable MAC authentication for ports before enabling it globally. However, MAC authentication begins to function only after you also enable it globally.
Examples
# Enable MAC authentication globally.
<Sysname> system-view
[Sysname] mac-authentication
Mac-auth is enabled globally.
# Enable MAC authentication for port Ethernet 1/0/1.
<Sysname> system-view
[Sysname] mac-authentication interface ethernet 1/0/1
Mac-auth is enabled on port Ethernet1/0/1.
Or
<Sysname> system-view
[Sysname] interface ethernet 1/0/1
[Sysname-Ethernet1/0/1] mac-authentication
Mac-auth is enabled on port Ethernet1/0/1.
4.1.3 mac-authentication domain
Syntax
mac-authentication domain isp-name
undo mac-authentication domain
View
System view
Parameters
isp-name: ISP domain name, a case-insensitive string of 1 to 24 characters that cannot contain any forward slash (/), colon (:), asterisk (*), question mark (?), less-than sign (<), greater-than sign (>), and @.
Description
Use the mac-authentication domain command to specify the ISP domain for MAC authentication.
Use the undo mac-authentication domain command to restore the default.
By default, the default ISP domain (system) is used.
Examples
# Specify the ISP domain for MAC authentication as domain1.
<Sysname> system-view
[Sysname] mac-authentication domain domain1
4.1.4 mac-authentication timer
Syntax
mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | server-timeout server-timeout-value }
undo mac-authentication timer { offline-detect | quiet | server-timeout }
View
System view
Parameters
offline-detect offline-detect-value: Specifies the offline detect interval, in the range 60 to 65,535 seconds.
quiet quiet-value: Specifies the quiet period, in the range 1 to 3,600 seconds.
server-timeout server-timeout-value: Specifies the server timeout period, in the range 100 to 300 seconds.
Description
Use the mac-authentication timer command to set the MAC authentication timers.
Use the undo mac-authentication timer command to restore the defaults.
By default, the offline detect interval is 300 seconds, the quiet period is 60 seconds, and the server timeout period is 100 seconds.
The following timers function in the process of MAC authentication:
l Offline detect timer: At this interval, the device checks whether an online user has gone offline. Once it detects that a user has gone offline, the device sends a stop-accounting notice to the RADIUS server.
l Quiet timer: After a user fails MAC authentication, the device does not initiate any MAC authentication of that user during this period.
l Server timeout timer: During authentication of a user, if the device receives no response from the RADIUS server in this period, it assumes that its connection to the RADIUS server has timed out and forbids the user from accessing the network.
Related commands: display mac-authentication.
Examples
# Set the server timeout timer to 150 seconds.
<Sysname> system-view
[Sysname] mac-authentication timer server-timeout 150
4.1.5 mac-authentication user-name-format
Syntax
mac-authentication user-name-format { fixed [ account name ] [ password { cipher | simple } password ] | mac-address [ with-hyphen | without-hyphen ] }
undo mac-authentication user-name-format
View
System view
Parameters
fixed: Uses a fixed username for MAC authentication.
account name: Specifies the fixed username. The name argument is a case-insensitive string of 1 to 55 characters and defaults to mac.
password { cipher | simple } password: Specifies the password for the fixed username. Using the cipher keyword displays the password in cipher text. Using the simple keyword displays the password in plain text. In the former case, the password can be either a string of 1 to 63 characters in plain text or a string of 24 or 88 characters in cipher text. In the latter case, the password must be a string of 1 to 63 characters in plain text.
mac-address: Adopts the user’s source MAC address as the username, which is case-insensitive.
with-hyphen: Indicates that the MAC address must include "-", like xx-xx-xx-xx-xx-xx. The letters in the address must be in lower case.
without-hyphen: Indicates that the MAC address must not include "-", like xxxxxxxxxxxx. The letters in the address must be in lower case.
Description
Use the mac-authentication user-name-format command to configure the username and password for MAC authentication.
Use the undo mac-authentication user-name-format command to restore the default.
By default, a user's source MAC address is used as the username and password, and the MAC address does not contain the hyphen "-".
Note that:
l When adopting a fixed-type username, you must also manually configure the password.
l When the user’s source MAC address is used as the username, the password is also that MAC address.
l In cipher display mode, a password in plain text with no more than 16 characters will be encrypted into a password in cipher text with 24 characters, and a password in plain text with 16 to 63 characters will be encrypted into a password in cipher text with 88 characters. For a password with 24 characters, the system will determine whether it can decrypt the password. If so, it treats the password as a cipher-text one. Otherwise, it treats it as a plain-text one.
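To see what these rules mean for the credentials a client is actually checked against, the following added example (not part of the manual, and not H3C code) builds the username/password pair for each user-name-format setting and classifies a configured password string according to the cipher-length note above. The function names and the accepted input MAC notations are assumptions.

```python
import re

def normalize_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or the H3C aabb-ccdd-eeff
    notation and return the 12 lowercase hex digits the switch works with."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return digits

def mac_auth_credentials(mac, fmt="without-hyphen", account="mac", password=None):
    """Username/password pair submitted for a client under each
    user-name-format setting described above (hypothetical helper)."""
    if fmt in ("with-hyphen", "without-hyphen"):
        d = normalize_mac(mac)
        user = "-".join(d[i:i + 2] for i in range(0, 12, 2)) if fmt == "with-hyphen" else d
        return user, user  # with a MAC username the password is the same MAC
    if fmt == "fixed":
        if password is None:
            raise ValueError("a fixed username requires a configured password")
        if not (1 <= len(account) <= 55 and 1 <= len(password) <= 63):
            raise ValueError("account name is 1-55 chars, plain-text password 1-63 chars")
        return account, password
    raise ValueError("unknown user-name-format %r" % fmt)

def password_storage_class(text):
    """How the cipher keyword interprets a configured password string, per the
    note above: 24 or 88 chars may be cipher text, anything else is plain text."""
    n = len(text)
    if n == 88:
        return "cipher (from a 16-63 char plain-text password)"
    if n == 24:
        return "cipher if it decrypts, otherwise plain text"
    if 1 <= n <= 63:
        return "plain text (encrypts to %d chars)" % (24 if n <= 16 else 88)
    raise ValueError("password must be 1-63 chars plain or 24/88 chars cipher")
```

Note that in the default mode the password is the client's MAC address, which is visible on the wire, so the RADIUS account list, not the password, is what actually gates access.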
Related commands: display mac-authentication.
Examples
# Configure the username for MAC authentication as abc, and the password displayed in plain text as xyz.
<Sysname> system-view
[Sysname] mac-authentication user-name-format fixed account abc password simple xyz
4.1.6 reset mac-authentication statistics
Syntax
reset mac-authentication statistics [ interface interface-list ]
View
User view
Parameters
interface interface-list: Specifies an Ethernet port list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. A port range defined without the to interface-type interface-number portion comprises only one port.
Description
Use the reset mac-authentication statistics command to clear MAC authentication statistics.
Note that:
l If you do not specify the interface-list argument, the command clears the global MAC authentication statistics and the MAC authentication statistics on all ports.
l If you specify the interface-list argument, the command clears the MAC authentication statistics on the specified ports.
Related commands: display mac-authentication.
Examples
# Clear MAC authentication statistics on Ethernet 1/0/1.
<Sysname> reset mac-authentication statistics interface ethernet 1/0/1