02-802.1x Commands
Table of Contents
Chapter 1 802.1x Configuration Commands
1.1 802.1x Configuration Commands
1.1.3 dot1x authentication-method
Chapter 1 802.1x Configuration Commands
1.1 802.1x Configuration Commands
1.1.1 display dot1x
Syntax
display dot1x [ enabled-interface | guest vlan | interface interface-list | sessions | statistics ]
View
Any view
Parameters
enabled-interface: Displays the Ethernet ports on which 802.1x is enabled.
guest vlan: Displays Guest VLAN IDs and the ports on which Guest VLAN is enabled.
interface: Displays the 802.1x information of the specified interfaces.
interface-list: Ethernet interface list, in the format interface-list = interface-type interface-number [ to interface-type interface-number ] &<1-10>. interface-type is the interface type and interface-number is the interface number; refer to Ethernet Port Configuration Command of the Access Volume for their meanings and value ranges. The interface number after the keyword to must be no smaller than the interface number before to. &<1-10> means that the preceding parameter can be entered up to 10 times.
sessions: Displays the 802.1x session connection information.
statistics: Displays the 802.1x statistics.
Description
Use the display dot1x command to view 802.1x information, including the configuration, the running state (session connection information) and statistics.
By default, all 802.1x information about every interface is displayed.
This command displays the 802.1x configuration, state or statistics of the specified interfaces. If no port is specified, the system displays all 802.1x related information: the 802.1x configuration of all ports, the 802.1x session connection information and the 802.1x statistics. The output helps you verify the current 802.1x configuration and troubleshoot 802.1x.
Related commands: reset dot1x statistics, dot1x, dot1x retry, dot1x max-user, dot1x port-control, dot1x port-method, dot1x timer.
Examples
# Display the configuration information of 802.1x.
<H3C> display dot1x
Equipment 802.1X protocol is enabled
CHAP authentication is enabled
DHCP-launch is disabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
Configuration: Transmit Period 30 s, Handshake Period 30 s
Quiet Period 60 s, Quiet Period Timer is disabled
Supp Timeout 30 s, Server Timeout 100 s
The maximal retransmitting times 2
Total maximum 802.1x user resource number is 2048
Total current used 802.1x resource number is 0
Ethernet3/1/1 is link-down
802.1X protocol is disabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
The port is a(n) authenticator
Authenticate Mode is auto
Port Control Type is Mac-based
Max on-line user number is 1024
… (Omitted)
Table 1-1 Description of 802.1x configuration information
Field | Description |
---|---|
Equipment 802.1X protocol is enabled | 802.1X protocol is enabled on the switch. |
CHAP authentication is enabled | CHAP authentication is enabled. |
DHCP-launch is disabled | If a user configures a static IP address without authorization in a DHCP environment, the switch triggers authentication of the user. |
Proxy trap checker is disabled | The system does not check the access of users who log on through a proxy. |
Proxy logoff checker is disabled | |
Transmit Period | Transmit interval timer |
Handshake Period | Interval at which 802.1x handshake packets are sent |
Quiet Period | Quiet period set by the Quiet timer |
Quiet Period Timer is disabled | The Quiet Period timer is disabled |
Supp Timeout | Timeout timer for Supplicant authentication |
Server Timeout | Timeout timer for the Authentication Server |
The maximal retransmitting times | Maximum number of times the Ethernet switch retransmits authentication request frames to an access user |
Total maximum 802.1x user resource number | Maximum number of access users allowed |
Total current used 802.1x resource number | Number of access users currently online |
Ethernet3/1/1 is link-up | The link state of Ethernet 3/1/1 is up. |
802.1X protocol is disabled | 802.1X protocol is disabled on the port |
Proxy trap checker is disabled | The port prohibits the access of users who log on through a proxy |
Proxy logoff checker is disabled | |
The port is a(n) authenticator | The port acts as authenticator |
Authenticate Mode is auto | The authentication mode of the port is auto |
Port Control Type is Mac-based | The port control type is MAC-based, that is, access users are authenticated based on their MAC addresses. |
Max on-line user number | Maximum number of online users |
… | Omitted |
1.1.2 dot1x
Syntax
dot1x [ interface interface-list ]
undo dot1x [ interface interface-list ]
View
System view, Ethernet port view
Parameters
interface-list: Ethernet interface list, in the format interface-list = interface-type interface-number [ to interface-type interface-number ] &<1-10>. interface-type is the interface type and interface-number is the interface number; refer to Ethernet Port Configuration Command of the Access Volume for their meanings and value ranges. The interface number after the keyword to must be no smaller than the interface number before to. &<1-10> means that the preceding parameter can be entered up to 10 times.
Description
Use the dot1x command to enable 802.1x on the specified port or globally (i.e., on the current device).
Use the undo dot1x command to disable the 802.1x on the specified port or globally.
By default, 802.1x is disabled on all the ports and globally on the device.
When the dot1x command is used in system view without the interface-list parameter, 802.1x is enabled globally; with interface-list, 802.1x is enabled on the specified ports. When the command is used in Ethernet port view, interface-list cannot be entered and 802.1x is enabled only on the current port.
The global and port 802.1x parameters can be configured before or after 802.1x is enabled. Parameters that are not configured globally or for a specific port keep their default values.
After 802.1x is enabled globally, the 802.1x configuration takes effect on a port only when 802.1x is also enabled on that port.
If 802.1x is enabled on a port, you cannot configure the maximum number of learned MAC addresses (by using the mac-address max-mac-count command), and vice versa.
Related commands: display dot1x.
Examples
# Enable 802.1x on Ethernet 3/1/1.
[H3C] dot1x interface Ethernet 3/1/1
# Enable the 802.1x globally.
[H3C] dot1x
1.1.3 dot1x authentication-method
Syntax
dot1x authentication-method { chap | pap | eap { md5-challenge | peap | tls } }
undo dot1x authentication-method
View
System view
Parameters
chap: Uses CHAP authentication method.
pap: Uses PAP authentication method.
eap: Uses EAP authentication method.
md5-challenge: EAP MD5-Challenge authentication method.
peap: EAP PEAP authentication method.
tls: EAP TLS authentication method.
Description
Use the dot1x authentication-method command to configure the authentication method for 802.1x user.
Use the undo dot1x authentication-method command to restore the default authentication method of 802.1x user.
By default, CHAP authentication is used for 802.1x user authentication.
Password Authentication Protocol (PAP) is a two-way handshake authentication protocol. It sends the password in plain text.
Challenge Handshake Authentication Protocol (CHAP) is a three-way handshake authentication protocol. It transmits only the username, not the password, and is therefore more secure and reliable.
In EAP authentication, the switch sends the 802.1x user's authentication information to the RADIUS server directly in EAP packets; it does not need to convert the EAP packets into standard RADIUS packets before sending them to the RADIUS server.
Note that PAP, CHAP or EAP authentication requires the RADIUS server to support PAP, CHAP or EAP respectively.
Related commands: display dot1x.
Examples
# Configure 802.1x user to use PAP authentication
[H3C] dot1x authentication-method pap
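To make the PAP/CHAP distinction described above concrete, here is an added Python example (not code from the manual or the switch) that builds the PAP Authenticate-Request and the RFC 1994 CHAP three-way exchange, then checks whether the shared secret appears in anything transmitted. The user name and secret are constructed for the demonstration; on the switch the CHAP response would be forwarded to the RADIUS server for verification, which is why the server must support CHAP.

```python
"""PAP vs CHAP on the wire (added example; RFC 1334 PAP and RFC 1994 CHAP semantics)."""
import hashlib
import hmac
import os

# Constructed credentials for the demonstration only.
USERNAME = "alice"
SECRET = b"correct horse battery staple"


def pap_authenticate_request(username, password):
    """PAP (RFC 1334): the Authenticate-Request carries the password itself."""
    return {"msg": "Authenticate-Request", "username": username, "password": password.decode()}


def chap_challenge(nbytes=16):
    """Authenticator side: a fresh, unpredictable challenge per authentication attempt."""
    return os.urandom(nbytes)


def chap_response(identifier, secret, challenge):
    """Supplicant side (RFC 1994): Response = MD5(Identifier || secret || Challenge)."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is one octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier, secret, challenge, response):
    """Server side: recompute with the stored secret and compare in constant time."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(username, secret, identifier=1, challenge=None):
    """Run the three-way exchange; return (messages as seen on the wire, verification result)."""
    challenge = chap_challenge() if challenge is None else challenge
    response = chap_response(identifier, secret, challenge)
    wire = [
        {"msg": "Challenge", "identifier": identifier, "value": challenge.hex()},
        {"msg": "Response", "identifier": identifier, "value": response.hex(), "name": username},
    ]
    ok = chap_verify(identifier, secret, challenge, response)
    wire.append({"msg": "Success" if ok else "Failure", "identifier": identifier})
    return wire, ok


def secret_visible(messages, secret):
    """True if the secret appears verbatim (as text or hex) in any transmitted field."""
    needles = {secret.decode(), secret.hex()}
    return any(str(v) in needles for m in messages for v in m.values())


if __name__ == "__main__":
    print("PAP exposes secret:", secret_visible([pap_authenticate_request(USERNAME, SECRET)], SECRET))  # True
    msgs, ok = chap_exchange(USERNAME, SECRET)
    print("CHAP exposes secret:", secret_visible(msgs, SECRET), "verified:", ok)  # False True
```

The check in `secret_visible` is the whole point: with PAP the password is a field of the request, so anyone who can capture the link between the supplicant and the switch has it; with CHAP only the name, the challenge and an MD5 digest travel, and because the challenge changes per attempt an old response does not verify against a new challenge.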
1.1.4 dot1x dhcp-launch
Syntax
dot1x dhcp-launch
undo dot1x dhcp-launch
View
System view
Parameters
None
Description
Use the dot1x dhcp-launch command to prevent the switch from triggering 802.1x user ID authentication of users who configure static IP addresses in a DHCP environment.
Use the undo dot1x dhcp-launch command to allow the switch to trigger authentication of these users again.
By default, the switch triggers user ID authentication of users who configure static IP addresses in a DHCP environment.
Related commands: display dot1x.
Examples
# Disable the switch to trigger the authentication over the users who configure static IP addresses in DHCP environment.
[H3C] dot1x dhcp-launch
1.1.5 dot1x guest-vlan
Syntax
dot1x guest-vlan vlan-id [ interface interface-list ]
undo dot1x guest-vlan vlan-id [ interface interface-list ]
View
System view, Ethernet port view
Parameters
vlan-id: ID of the VLAN specified as the Guest VLAN. It ranges from 1 to 4094.
interface-list: List of Guest VLAN-enabled ports, in the format interface-list = interface-type interface-number [ to interface-type interface-number ] &<1-10>. interface-type is the interface type and interface-number is the interface number; refer to Ethernet Port Configuration Command of the Access Volume for their meanings and value ranges. The interface number after the keyword to must be no smaller than the interface number before to. &<1-10> means that the preceding parameter can be entered up to 10 times.
Description
Use the dot1x guest-vlan command to enable Guest VLAN on a specific port.
Use the undo dot1x guest-vlan command to disable Guest VLAN.
If you execute the dot1x guest-vlan command in system view and do not provide the interface-list argument, Guest VLAN is enabled on all ports. However, if you provide the interface-list argument, Guest VLAN is enabled on the ports specified by this argument.
If you execute the dot1x guest-vlan command in Ethernet interface view, this command does not accept the interface-list argument and Guest VLAN is enabled only on the current port.
Examples
# Specify to perform port-based authentications.
[H3C] dot1x port-method portbased
# Enable Guest VLAN on all ports.
[H3C] dot1x guest-vlan 1
1.1.6 dot1x handshake
Syntax
dot1x handshake enable
undo dot1x handshake enable
View
System view
Parameters
None
Description
Use the dot1x handshake enable command to enable the handshake-period timer.
Use the undo dot1x handshake enable command to disable the timer.
By default, the handshake-period timer is enabled.
With the handshake-period timer enabled and set, after an 802.1x user passes the authentication, the Authenticator will send handshake requests to the user at the interval specified by the timer to check whether the user is online. If the Authenticator receives no response from the user when it has transmitted a handshake request for the maximum number of times, it will consider that the user has logged off and set the user state to logoff.
Note:
The undo dot1x handshake enable command takes effect immediately for all users, while the dot1x handshake enable command takes effect only for users who pass authentication after the command is configured. It is recommended to configure these commands before user authentication.
Related commands: display dot1x, dot1x timer.
Examples
# Disable the handshake-period timer.
[H3C] undo dot1x handshake enable
1.1.7 dot1x max-user
Syntax
dot1x max-user user-number [ interface interface-list ]
undo dot1x max-user [ interface interface-list ]
View
System view, Ethernet port view
Parameters
user-number: Maximum number of supplicants allowed on the port, ranging from 1 to 1,024.
By default, the maximum user number is 1,024, and a switch can accommodate a total of 2,048 users.
interface interface-list: Ethernet interface list, in the format interface-list = interface-type interface-number [ to interface-type interface-number ] &<1-10>. interface-type is the interface type and interface-number is the interface number; refer to Ethernet Port Configuration Command of the Access Volume for their meanings and value ranges. The interface number after the keyword to must be no smaller than the interface number before to. &<1-10> means that the preceding parameter can be entered up to 10 times.
Description
Use the dot1x max-user command to set the maximum number of 802.1x supplicants allowed on the specified interfaces.
Use the undo dot1x max-user command to restore the default value.
When executed in system view, this command takes effect on the interfaces specified by interface-list, or on all interfaces if none is specified. When executed in Ethernet interface view, interface-list cannot be entered and the command takes effect only on the current interface.
Related commands: display dot1x.
Examples
# Configure the interface Ethernet 3/1/1 to hold no more than 32 users.
[H3C] dot1x max-user 32 interface Ethernet 3/1/1
1.1.8 dot1x port-control
Syntax
dot1x port-control { auto | authorized-force | unauthorized-force } [ interface interface-list ]
undo dot1x port-control [ interface interface-list ]
View
System view, Ethernet port view
Parameters
auto: Automatic identification mode. The initial state of the interface is unauthorized: the user can only send and receive EAPoL packets and cannot access network resources. After the user passes authentication, the interface switches to the authorized state and the user can access network resources. This is the most common case.
authorized-force: Forced authorized mode. The interface always stays in the authorized state, and users can access network resources without authentication or authorization.
unauthorized-force: Forced unauthorized mode. The interface always stays in the unauthorized state; the switch does not respond to authentication requests and users cannot access network resources.
interface interface-list: Ethernet interface list, in the format interface-list = interface-type interface-number [ to interface-type interface-number ] &<1-10>. interface-type is the interface type and interface-number is the interface number; refer to Ethernet Port Configuration Command of the Access Volume for their meanings and value ranges. The interface number after the keyword to must be no smaller than the interface number before to. &<1-10> means that the preceding parameter can be entered up to 10 times.
Description
Use the dot1x port-control command to configure the port authorization mode for 802.1x to perform access control on the specified ports.
Use the undo dot1x port-control command to restore the default port authorization mode.
By default, the port authorization mode is auto.
This command is used to set the port authorization mode, or the port state, for 802.1x to perform access control on the specified port. This command has effect on the ports specified by the parameter interface-list when executed in system view. It has effect on all ports when no port is specified. The parameter interface-list cannot be input when the command is executed in Ethernet port view and it has effect only on the current port.
Related commands: display dot1x.
Examples
# Configure port Ethernet 2/1/1 to be in unauthorized-force state.
[H3C] dot1x port-control unauthorized-force interface ethernet 2/1/1
1.1.9 dot1x port-method
Syntax
dot1x port-method { macbased | portbased } [ interface interface-list ]
undo dot1x port-method [ interface interface-list ]
View
System view, Ethernet port view
Parameters
macbased: Configures the 802.1x authentication system to control user access based on MAC address.
portbased: Configures the 802.1x authentication system to control user access based on port.
interface interface-list: Ethernet interface list, in the format interface-list = interface-type interface-number [ to interface-type interface-number ] &<1-10>. interface-type is the interface type and interface-number is the interface number; refer to Ethernet Port Configuration Command of the Access Volume for their meanings and value ranges. The interface number after the keyword to must be no smaller than the interface number before to. &<1-10> means that the preceding parameter can be entered up to 10 times.
Description
Use the dot1x port-method command to configure the method for 802.1x to perform access control on the specified ports.
Use the undo dot1x port-method command to restore the default access control method.
The 802.1x access control method on a port can be port-based or MAC-based. By default, the access control method is macbased.
When macbased is configured for a port, all users connected to the port must be authenticated in order to access the network, and when a user goes offline, the others are not affected. When portbased is configured for a port, after a user passes the authentication on the port, all subsequent users on the port can access the network without being authenticated. However, these users will be denied network access if the user who passes the authentication goes offline.
This command has effect on the ports specified by the parameter interface-list when executed in system view. It has effect on all ports when no port is specified. The parameter interface-list cannot be input when the command is executed in Ethernet port view and it has effect only on the current port.
Related commands: display dot1x.
Examples
# Specify the access control method on Ethernet 2/1/1 as port-based.
[H3C] dot1x port-method portbased interface ethernet 2/1/1
Note:
- When using the 802.1x dynamic ACL advertisement function, ensure that the dynamically advertised ACL matches the traffic templates (including the default and user-defined traffic templates) validated on the port.
- If the 802.1x-enabled port uses MAC-based authentication and a dynamic ACL, you must also ensure that the traffic template validated on the port contains the source MAC (SMAC). Otherwise, authentication will fail.
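The access semantics of dot1x port-control (auto, authorized-force, unauthorized-force), dot1x port-method (macbased, portbased) and dot1x max-user interact, and the difference between the two port methods is easiest to see when modelled. The following Python is an added example (not switch code) that models one port's access decision under these three settings and shows the behaviour the port-method description gives: with macbased an unauthenticated host never gets through, while with portbased it is admitted as soon as any user authenticates and cut off when that user logs off. The MAC addresses are constructed (documentation range), and the treatment of authentication attempts in the forced modes and of the max-user limit is this example's simplification.

```python
"""Model of the 802.1x access decision on one port under dot1x port-control,
port-method and max-user (added example, not switch code)."""

PORT_CONTROL = ("auto", "authorized-force", "unauthorized-force")
PORT_METHOD = ("macbased", "portbased")


class Dot1xPort:
    def __init__(self, port_control="auto", port_method="macbased", max_user=1024):
        if port_control not in PORT_CONTROL:
            raise ValueError(f"bad port-control {port_control!r}")
        if port_method not in PORT_METHOD:
            raise ValueError(f"bad port-method {port_method!r}")
        if not 1 <= max_user <= 1024:            # dot1x max-user range from the manual
            raise ValueError("max-user must be 1..1024")
        self.port_control = port_control
        self.port_method = port_method
        self.max_user = max_user
        self.authenticated = set()                # MAC addresses that passed authentication

    def authenticate(self, mac, credentials_ok):
        """Outcome of a supplicant's attempt; True if the MAC is now authenticated."""
        if self.port_control != "auto":
            return False   # forced modes do not run the exchange (simplification)
        if not credentials_ok:
            return False
        if mac in self.authenticated:
            return True
        if len(self.authenticated) >= self.max_user:
            return False   # port is full: dot1x max-user reached
        self.authenticated.add(mac)
        return True

    def logoff(self, mac):
        self.authenticated.discard(mac)

    def allows(self, mac):
        """Can traffic from this MAC reach the network right now?"""
        if self.port_control == "authorized-force":
            return True                               # open without any authentication
        if self.port_control == "unauthorized-force":
            return False                              # closed regardless of credentials
        if self.port_method == "portbased":
            return bool(self.authenticated)           # one authenticated user opens the port
        return mac in self.authenticated              # macbased: each MAC on its own


def ride_along(port_method):
    """Does a never-authenticated host get access while, and after, another user is on?"""
    port = Dot1xPort("auto", port_method)
    port.authenticate("00:00:5e:00:53:01", True)      # first user passes authentication
    during = port.allows("00:00:5e:00:53:02")         # second host never authenticates
    port.logoff("00:00:5e:00:53:01")
    after = port.allows("00:00:5e:00:53:02")
    return during, after


if __name__ == "__main__":
    print("macbased :", ride_along("macbased"))    # (False, False)
    print("portbased:", ride_along("portbased"))   # (True, False)
```

The `ride_along` result is the reason port-based control is only appropriate where exactly one trusted device sits behind the port: any host on a hub or unmanaged switch downstream inherits the first user's authorization for as long as that user stays online.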
1.1.10 dot1x quiet-period
Syntax
dot1x quiet-period
undo dot1x quiet-period
View
System view
Parameters
None
Description
Use the dot1x quiet-period command to enable the Quiet-period timer.
Use the undo dot1x quiet-period command to disable this timer.
If an 802.1x user has not passed the authentication, the Authenticator will keep quiet for a while (which is specified by quiet-period timer) before launching the authentication again. During the quiet period, the Authenticator does not do anything related to 802.1x authentication.
By default, Quiet-period timer is disabled.
Related commands: display dot1x, dot1x timer.
Examples
# Enable quiet-period timer.
[H3C] dot1x quiet-period
1.1.11 dot1x retry
Syntax
dot1x retry max-retry-value
undo dot1x retry
View
System view
Parameters
max-retry-value: Maximum number of times the Ethernet switch can retransmit the authentication request frame to the supplicant, ranging from 1 to 10.
By default, the value is 2, that is, the switch can retransmit the authentication request frame to the supplicant 2 times.
Description
Use the dot1x retry command to set the maximum number of times the Ethernet switch can retransmit the authentication request frame to the supplicant.
Use the undo dot1x retry command to restore the default maximum retransmission count.
After the switch transmits an authentication request frame to the user for the first time, if no response is received within the specified time, the switch retransmits the authentication request. This command specifies how many times the switch can transmit the authentication request frame to the supplicant. A value of 1 means the switch transmits the authentication request frame only once; a value of 2 means the switch transmits it once more when no response is received to the first one, and so on. This command takes effect on all ports once configured.
Related commands: display dot1x.
Examples
# Configure the current device to transmit authentication request frame to the user for no more than 9 times.
[H3C] dot1x retry 9
1.1.12 dot1x supp-proxy-check
Syntax
dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]
undo dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]
View
System view, Ethernet port view
Parameters
logoff: Cuts the network connection of a user upon detecting the use of a proxy.
trap: Sends a trap message upon detecting a user accessing the switch through a proxy.
interface interface-list: Ethernet interface list, in the format interface-list = interface-type interface-number [ to interface-type interface-number ] &<1-10>. interface-type is the interface type and interface-number is the interface number; refer to Ethernet Port Configuration Command of the Access Volume for their meanings and value ranges. The interface number after the keyword to must be no smaller than the interface number before to. &<1-10> means that the preceding parameter can be entered up to 10 times.
Description
Use the dot1x supp-proxy-check command to configure how 802.1x access users who log on through a proxy are handled on the specified interfaces.
Use the undo dot1x supp-proxy-check command to cancel the control method set for 802.1x access users who log on through a proxy.
Note that this function must work together with the 802.1x client software, that is, a user logging on through a proxy needs to run the 802.1x client program (version V1.29 or above).
When executed in system view, this command applies to the specified interfaces. When executed in Ethernet port view, interface-list cannot be entered and the command takes effect only on the current interface. After enabling proxy user detection and control globally in system view, the configuration takes effect on a port only if you also enable the feature on that port.
Related commands: display dot1x.
Examples
# Configure the switch to cut the network connection of a user upon detecting the use of a proxy on Ethernet 2/1/1 through Ethernet 2/1/8.
[H3C] dot1x supp-proxy-check logoff
[H3C] dot1x supp-proxy-check logoff interface Ethernet 2/1/1 to Ethernet 2/1/8
# Configure the switch to send trap message upon detecting the use of proxy on Ethernet 2/1/9.
[H3C] dot1x supp-proxy-check trap
[H3C] dot1x supp-proxy-check trap interface Ethernet 2/1/9
or
[H3C] dot1x supp-proxy-check trap
[H3C] interface Ethernet 2/1/9
[H3C-Ethernet2/1/9] dot1x supp-proxy-check trap
Note:
Disable the proxy detection function if you do not use the H3C 802.1x client. Otherwise, the client may be taken offline.
1.1.13 dot1x timer
Syntax
dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | tx-period tx-period-value | supp-timeout supp-timeout-value | server-timeout server-timeout-value }
undo dot1x timer { handshake-period | quiet-period | tx-period | supp-timeout | server-timeout }
View
System view
Parameters
handshake-period: Specifies the handshake timer. This timer starts after the user passes authentication; the system then sends a handshake packet every handshake period. If the dot1x retry count is configured as N and the system receives no response from the user for N consecutive handshakes, it considers the user logged off and sets the user to the logoff state.
handshake-period-value: Handshake period, in seconds. The value ranges from 1 to 1024 and defaults to 30.
quiet-period: Specifies the quiet timer. If an 802.1x user fails authentication, the Authenticator keeps quiet for the quiet period before launching authentication again. During the quiet period, the Authenticator performs no 802.1x authentication processing.
quiet-period-value: Length of the quiet period, in seconds. The value ranges from 10 to 120 and defaults to 60.
server-timeout: Specifies the timeout timer of the Authentication Server. If the Authentication Server has not responded before this timer expires, the Authenticator resends the authentication request.
server-timeout-value: Length of the Authentication Server timeout timer, in seconds. The value ranges from 100 to 300 and defaults to 100.
supp-timeout: Specifies the authentication timeout timer of the Supplicant. After the Authenticator sends a Request/Challenge packet requesting the MD5 encrypted text, its supp-timeout timer starts. If the Supplicant does not respond successfully within this time, the Authenticator resends the packet.
supp-timeout-value: Length of the Supplicant authentication timeout timer, in seconds. The value ranges from 10 to 120 and defaults to 30.
tx-period: Has two effects:
- Specifies the transmission timeout timer. After the Authenticator sends a Request/Identity packet requesting the user name (or the user name and password together), its tx-period timer starts. If the Supplicant does not respond successfully with an authentication reply packet, the Authenticator resends the authentication request packet.
- Specifies the interval for periodically multicasting 802.1x request packets. To be compatible with clients that do not actively send EAPoL-Start frames, S9500 switches multicast 802.1x request packets periodically, and the client responds after receiving them. tx-period specifies the period of this multicast.
tx-period-value: Length of the transmission timeout timer, in seconds. The value ranges from 10 to 120 and defaults to 30.
Note:
It is recommended to configure the handshake period value and the handshake timeout count according to the number of users:
- When the number of users is 2048, the handshake period should be no smaller than 2 minutes and the handshake timeout count no less than 3;
- When the number of users is 1024, the handshake period should be no smaller than 1 minute and the handshake timeout count no less than 3;
- When the number of users is 512, the handshake period should be no smaller than 30 seconds and the handshake timeout count no less than 2.
Description
Use the dot1x timer command to configure the 802.1x timers.
Use the undo dot1x timer command to restore the default values.
When 802.1x runs, it uses several timers to control the orderly interaction of the Supplicant, the Authenticator and the Authentication Server. This command can set some of these timers (others cannot be set) to adapt the interaction process, which may be necessary in special or difficult network environments. Generally, you should keep the default timer values.
Related commands: display dot1x.
Examples
# Set the Authentication Server timeout timer to 150 seconds.
[H3C] dot1x timer server-timeout 150
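The handshake-period timer and the dot1x retry count decide together how long a user who has silently left the network stays in the online state, and the note above sizes both by user count. The following Python is an added example (not switch code) that simulates the handshake sequence for a supplicant that stops answering at a given time, and checks a configured period and retry count against the note's recommendations. The note gives values at 512, 1024 and 2048 users; treating them as thresholds for the user counts in between is this example's assumption, and the input ranges are taken from the parameter descriptions above.

```python
"""Handshake liveness: when dot1x timer handshake-period and dot1x retry mark a silent
user as logged off, plus a check against the manual's sizing note (added example)."""

HANDSHAKE_PERIOD_RANGE = (1, 1024)   # seconds, dot1x timer handshake-period-value
RETRY_RANGE = (1, 10)                # dot1x retry max-retry-value


def simulate_handshake(period, retry, online_until, horizon):
    """Send a handshake every `period` seconds after authentication at t = 0.

    The supplicant answers every request sent at or before `online_until` and none
    afterwards. Returns (time the user is set to logoff, or None if still online at
    `horizon`, log of (t, answered, consecutive_misses)).
    """
    if not HANDSHAKE_PERIOD_RANGE[0] <= period <= HANDSHAKE_PERIOD_RANGE[1]:
        raise ValueError("handshake-period out of range")
    if not RETRY_RANGE[0] <= retry <= RETRY_RANGE[1]:
        raise ValueError("retry out of range")
    misses, log = 0, []
    t = period
    while t <= horizon:
        answered = t <= online_until
        misses = 0 if answered else misses + 1    # a reply resets the miss counter
        log.append((t, answered, misses))
        if misses >= retry:                       # N consecutive unanswered handshakes
            return t, log
        t += period
    return None, log


def recommended_handshake(user_count):
    """(minimum handshake period in seconds, minimum retry count) from the manual's note.

    Assumption of this example: the note's 512/1024/2048 figures are treated as
    thresholds for the user counts between them.
    """
    if user_count > 1024:
        return 120, 3
    if user_count > 512:
        return 60, 3
    return 30, 2


def check_handshake_config(user_count, period, retry):
    """Return the deviations of a configured (period, retry) from the recommendation."""
    min_period, min_retry = recommended_handshake(user_count)
    issues = []
    if period < min_period:
        issues.append(f"handshake-period {period} s is below the {min_period} s recommended for {user_count} users")
    if retry < min_retry:
        issues.append(f"retry {retry} is below the {min_retry} recommended for {user_count} users")
    return issues


if __name__ == "__main__":
    when, _ = simulate_handshake(30, 2, online_until=70, horizon=600)
    print("defaults (30 s, retry 2): user silent after 70 s is set to logoff at", when, "s")
    for issue in check_handshake_config(2048, 30, 2):
        print(issue)
```

With the defaults a user whose last reply arrived at 60 s is logged off at 120 s, that is, retry times period after the last answered handshake; with the 2048-user recommendation (120 s, 3) the same detection takes 360 s. That delay is the cost of the lighter handshake load the note trades for on a full switch, and it bounds how long a vacated port keeps its authorized state.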
1.1.14 reset dot1x statistics
Syntax
reset dot1x statistics [ interface interface-list ]
View
User view
Parameters
interface interface-list: Ethernet interface list, in the format interface-list = interface-type interface-number [ to interface-type interface-number ] &<1-10>. interface-type is the interface type and interface-number is the interface number; refer to Ethernet Port Configuration Command of the Access Volume for their meanings and value ranges. The interface number after the keyword to must be no smaller than the interface number before to. &<1-10> means that the preceding parameter can be entered up to 10 times.
Description
Use the reset dot1x statistics command to clear the 802.1x statistics.
This command lets you restart statistics collection when you want to discard the previous 802.1x statistics.
If no port type or port number is specified, the global 802.1x statistics of the switch and the 802.1x statistics on all ports are cleared. If a port type and port number are specified, only the 802.1x statistics on the specified ports are cleared.
Related commands: display dot1x.
Examples
# Clear the 802.1x statistics on Ethernet 2/1/1.
<H3C> reset dot1x statistics interface Ethernet 2/1/1