H3C S3100 Series Ethernet Switches command Manual-Release 21XX Series(V1.06)

HomeSupportSwitchesH3C S3100 Switch SeriesReference GuidesCommand ReferencesH3C S3100 Series Ethernet Switches command Manual-Release 21XX Series(V1.06)
17-802.1x-System Guard Commands
Title Size Download
17-802.1x-System Guard Commands 196.32 KB

802.1x Configuration Commands

802.1x Configuration Commands

display dot1x

Syntax

display dot1x [ sessions | statistics ] [ interface interface-list ]

View

Any view

Parameter

sessions: Displays the information about 802.1x sessions.

statistics: Displays the statistics on 802.1x.

interface: Display the 802.1x-related information about a specified port.

interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.

Description

Use the display dot1x command to display 802.1x-related information, such as configuration information, operation information (session information), and statistics.

When the interface-list argument is not provided, this command displays 802.1x-related information about all the ports. The output information can be used to verify 802.1 x-related configurations and to troubleshoot.

Related command: reset dot1x statistics, dot1x, dot1x retry, dot1x max-user, dot1x port-control, dot1x port-method, and dot1x timer.

Example

# Display 802.1x-related information.

<Sysname> display dot1x

Global 802.1X protocol is enabled

 CHAP authentication is enabled

 DHCP-launch is disabled

 Handshake is enabled     

 Proxy trap checker is disabled

 Proxy logoff checker is disabled

 EAD Quick Deploy is enabled

 

 Configuration: Transmit Period     30 s,  Handshake Period       15 s

                ReAuth Period     3600 s,  ReAuth MaxTimes        2  

                Quiet Period        60 s,  Quiet Period Timer is disabled

                Supp Timeout        30 s,  Server Timeout         100 s

                Interval between version requests is 30s

                Maximal request times for version information is 3

                The maximal retransmitting times          2

  EAD Quick Deploy configuration:

                Url: http: //192.168.19.23

                Free-ip: 192.168.19.0 255.255.255.0

                Acl-timeout:   30 m 

 

 Total maximum 802.1x user resource number is 1024

 Total current used 802.1x resource number is 1

 

 Ethernet1/0/1  is link-up

   802.1X protocol is enabled

   Proxy trap checker is disabled

   Proxy logoff checker is disabled

   Version-Check is disabled

   The port is an authenticator

   Authentication Mode is Auto

   Port Control Type is Port-based

   ReAuthenticate is disabled

   Max number of on-line users is 256

 

   Authentication Success: 4, Failed: 2

   EAPOL Packets: Tx 7991, Rx 14

   Sent EAP Request/Identity Packets : 7981

        EAP Request/Challenge Packets: 0

   Received EAPOL Start Packets : 5

            EAPOL LogOff Packets: 1

            EAP Response/Identity Packets : 4

            EAP Response/Challenge Packets: 4

            Error Packets: 0

 1. Authenticated user : MAC address: 000d-88f6-44c1

 

   Controlled User(s) amount to 1                  

 

Ethernet1/0/2

……

Table 1-1 Description on the fields of the display dot1x command

Field

Description

Equipment 802.1X protocol is enabled

802.1x protocol (802.1x for short) is enabled on the switch.

CHAP authentication is enabled

CHAP authentication is enabled.

DHCP-launch is disabled

DHCP-triggered. 802.1x authentication is disabled.

Handshake is enabled

The online user handshaking function is enabled.

Proxy trap checker is disabled

Whether or not to send Trap packets when detecting a supplicant system logs in through a proxy.

l      Disable means the switch does not send Trap packets when it detects that a supplicant system logs in through a proxy.

l      Enable means the switch sends Trap packets when it detects that a supplicant system logs in through a proxy.

Proxy logoff checker is disabled

Whether or not to disconnect a supplicant system when detecting it logs in through a proxy.

l      Disable means the switch does not disconnect a supplicant system when it detects that the latter logs in through a proxy.

l      Enable means the switch disconnects a supplicant system when it detects that the latter logs in through a proxy.

EAD Quick Deploy is enabled

Quick EAD deployment is enabled.

Transmit Period

Setting of the Transmission period timer (the tx-period)

Handshake Period

Setting of the handshake period timer (the handshake-period)

ReAuth Period

Re-authentication interval

ReAuth MaxTimes

Maximum times of re-authentications

Quiet Period

Setting of the quiet period timer (the quiet-period)

Quiet Period Timer is disabled

The quiet period timer is disabled here. It can also be configured as enabled when necessary.

Supp Timeout

Setting of the supplicant timeout timer (supp-timeout)

Server Timeout

Setting of the server-timeout timer (server-timeout)

The maximal retransmitting times

The maximum number of times that a switch can send authentication request packets to a supplicant system

Url

URL for HTTP redirection

Free-ip

Free IP range that users can access before passing authentication

Acl-timeout

ACL timeout period

Total maximum 802.1x user resource number

The maximum number of 802.1x users that a switch can accommodate

Total current used 802.1x resource number

The number of online supplicant systems

Ethernet1/0/1 is link-down

Ethernet 1/0/1 port is down.

802.1X protocol is disabled

802.1x is disabled on the port

Proxy trap checker is disabled

Whether or not to send Trap packets when detecting a supplicant system in logging in through a proxy.

l      Disable means the switch does not send Trap packets when it detects that a supplicant system logs in through a proxy.

l      Enable means the switch sends Trap packets when it detects that a supplicant system logs in through a proxy.

Proxy logoff checker is disabled

Whether or not to disconnect a supplicant system when detecting it in logging in through a proxy.

l      Disable means the switch does not disconnect a supplicant system when it detects that the latter logs in through a proxy.

l      Enable means the switch disconnects a supplicant system when it detects that the latter logs in through a proxy.

Version-Check is disabled

Whether or not the client version checking function is enabled:

l      Disable means the switch does not checks client version.

l      Enable means the switch checks client version.

The port is an authenticator

The port acts as an authenticator system.

Authentication Mode is Auto

The port access control mode is Auto.

Port Control Type is Mac-based

The access control method of the port is MAC-based. That is, supplicant systems are authenticated based on their MAC addresses.

ReAuthenticate is disabled

ReAuthenticate is disabled

Max number of on-line users

The maximum number of online users that the port can accommodate

Information omitted here

 

dot1x

Syntax

dot1x [ interface interface-list ]

undo dot1x [ interface interface-list ]

View

System view, Ethernet port view

Parameter

interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.

Description

Use the dot1x command to enable 802.1x globally or for specified Ethernet ports.

Use the undo dot1x command to disable 802.1x globally or for specified Ethernet ports.

By default, 802.1x is disabled globally and also on all ports.

In system view:

l          If you do not provide the interface-list argument, the dot1x command enables 802.1x globally.

l          If you specify the interface-list argument, the dot1x command enables 802.1x for the specified Ethernet ports.

In Ethernet port view, the interface-list argument is not available and the command enables 802.1x for only the current Ethernet port.

802.1x-related configurations take effect on a port only after 802.1x is enabled both globally and on the port.

 

l          Configurations of 8021.x and the maximum number of MAX addresses that can be learnt are mutually exclusive. That is, when 802.1x is enabled for a port, it cannot also have the maximum number of MAX addresses to be learned configured at the same time. Conversely, if you configure the maximum number of MAX addresses that can be learnt for a port, 802.1x is unavailable to it.

l          If you enable 802.1x for a port, it is not available to add the port to an aggregation group. Meanwhile, if a port has been added to an aggregation group, it is prohibited to enable 802.1x for the port.

 

Related command: display dot1x.

Example

# Enable 802.1x for Ethernet1/0/1 port.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x interface Ethernet 1/0/1

# Enable 802.1x globally.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x

dot1x authentication-method

Syntax

dot1x authentication-method { chap | pap | eap }

undo dot1x authentication-method

View

System view

Parameter

chap: Authenticates using challenge handshake authentication protocol (CHAP).

pap: Authenticates using password authentication protocol (PAP).

eap: Authenticates using extensible authentication protocol (EAP).

Description

Use the dot1x authentication-method command to set the 802.1x authentication method.

Use the undo dot1x authentication-method command to revert to the default 802.1x authentication method.

The default 802.1x authentication method is CHAP.

PAP applies a two-way handshaking procedure. In this method, passwords are transmitted in plain text.

CHAP applies a three-way handshaking procedure. In this method, user names are transmitted rather than passwords. Therefore this method is safer.

In EAP authentication, a switch authenticates supplicant systems by encapsulating 802.1x authentication information in EAP packets and sending the packets to the RADIUS server, instead of converting the packets into RADIUS packets before forwarding to the RADIUS server. You can use EAP authentication in one of the four sub-methods: PEAP, EAP-TLS, EAP-TTLS and EAP-MD5.

Related command: display dot1x.

 

When the current device operates as the authentication server, EAP authentication is unavailable.

 

Example

# Specify the authentication method to be PAP.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x authentication-method pap

dot1x dhcp-launch

Syntax

dot1x dhcp-launch

undo dot1x dhcp-launch

View

System view

Parameter

None

Description

Use the dot1x dhcp-launch command to specify an 802.1x-enabled switch to launch the process to authenticate a supplicant system when the supplicant system applies for a dynamic IP address through DHCP.

Use the undo dot1x dhcp-launch command to disable an 802.1x-enabled switch from authenticating a supplicant system when the supplicant system applies for a dynamic IP address through DHCP.

By default, an 802.1x-enabled switch does not authenticate a supplicant system when the latter applies for a dynamic IP address through DHCP.

Related command: display dot1x.

Example

# Configure to authenticate a supplicant system when it applies for a dynamic IP address through DHCP.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x dhcp-launch

dot1x guest-vlan

Syntax

dot1x guest-vlan vlan-id [ interface interface-list ]

undo dot1x guest-vlan [ interface interface-list ]

View

System view, Ethernet port view

Parameter

vlan-id: VLAN ID of a Guest VLAN, in the range 1 to 4094.

interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.

Description

Use the dot1x guest-vlan command to enable the Guest VLAN function for ports.

Use the undo dot1x guest-vlan command to disable the Guest VLAN function for ports.

After 802.1x and guest VLAN are properly configured on a port:

l          If the switch receives no response from the port after sending EAP-Request/Identity packets to the port for the maximum number of times, the switch will add the port to the guest VLAN.

l          Users in a guest VLAN can access the guest VLAN resources without 802.1x authentication. However, they have to pass the 802.1x authentication to access the external resources.

In system view,

l          If you do not provide the interface-list argument, these two commands apply to all the ports of the switch.

l          If you specify the interface-list argument, these two commands apply to the specified ports.

In Ethernet port view, the interface-list argument is not available and these two commands apply to only the current Ethernet port.

 

l          The Guest VLAN function is available only when the switch operates in the port-based authentication mode.

l          Only one Guest VLAN can be configured on a switch.

l          The Guest VLAN function is unavailable when the dot1x dhcp-launch command is executed on the switch, because the switch does not send authentication request packets in this case.

 

Example

# Configure the switch to operate in the port-based authentication mode.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x port-method portbased

# Enable the Guest VLAN function for all the ports.

[Sysname] dot1x guest-vlan 1

dot1x handshake

Syntax

dot1x handshake enable

undo dot1x handshake enable

View

System view

Parameter

None

Description

Use the dot1x handshake enable command to enable the online user handshaking function.

Use the undo dot1x handshake enable command to disable the online user handshaking function.

By default, the online user handshaking function is enabled.

 

l          To enable the proxy detecting function, you need to enable the online user handshaking function first.

l          Handshaking packets need the support of the H3C-proprietary client. They are used to test whether or not a user is online.

l          As clients that are not of H3C do not support the online user handshaking function, switches cannot receive handshaking acknowledgement packets from them in handshaking periods. To prevent users being falsely considered offline, you need to disable the online user handshaking function in this case.

 

Example

# Enable the online user handshaking function.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x handshake enable

dot1x handshake secure

Syntax

dot1x handshake secure

undo dot1x handshake secure

View

Ethernet port view

Parameter

None

Description

Use the dot1x handshake secure command to enable the handshaking packet secure function, preventing the device from attacks resulted from simulating clients.

Use the undo dot1x handshake secure command to disable the handshaking packet secure function.

By default, the handshaking packet secure function is disabled.

 

 

For the handshaking packet secure function to take effect, the clients that enable the function need to cooperate with the authentication server. If either the clients or the authentication server does not support the function, disabling the handshaking packet secure function is needed.

 

Example

# Enable the handshaking packet secure function.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] interface Ethernet 1/0/1

[Sysname-Ethernet1/0/1] dot1x handshake secure

dot1x max-user

Syntax

dot1x max-user user-number [ interface interface-list ]

undo dot1x max-user [ interface interface-list ]

View

System view, Ethernet port view

Parameter

user-number: Maximum number of users a port can accommodate, in the range 1 to 256.

interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.

Description

Use the dot1x max-user command to set the maximum number of users an Ethernet port can accommodate.

Use the undo dot1x max-user command to revert to the default maximum user number.

By default, a port can accommodate up to 256 users.

In system view:

l          If you do not provide the interface-list argument, these two commands apply to all the ports of the switch.

l          If you specify the interface-list argument, these two commands apply to the specified ports.

In Ethernet port view, the interface-list argument is not available and the commands apply to only the current port.

Related command: display dot1x.

Example

# Configure the maximum number of users that Ethernet1/01 port can accommodate to be 32.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x max-user 32 interface Ethernet 1/0/1

dot1x port-control

Syntax

dot1x port-control { auto | authorized-force | unauthorized-force } [ interface interface-list ]

undo dot1x port-control [ interface interface-list ]

View

System view, Ethernet port view

Parameter

auto: Specifies to operate in auto access control mode. When a port operates in this mode, all the unauthenticated hosts connected to it are unauthorized. In this case, only EAPoL packets can be exchanged between the switch and the hosts. And the hosts connected to the port are authorized to access the network resources after the hosts pass the authentication. Normally, a port operates in this mode.

authorized-force: Specifies to operate in authorized-force access control mode. When a port operates in this mode, all the hosts connected to it can access the network resources without being authenticated.

unauthorized-force: Specifies to operate in unauthorized-force access control mode. When a port operates in this mode, the hosts connected to it cannot access the network resources.

interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.

Description

Use the dot1x port-control command to specify the access control mode for specified Ethernet ports.

Use the undo dot1x port-control command to revert to the default access control mode.

The default access control mode is auto.

Use the dot1x port-control command to configure the access control mode for specified 802.1x-enabled ports.

In system view:

l          If you do not provide the interface-list argument, these two commands apply to all the ports of the switch.

l          If you specify the interface-list argument, these commands apply to the specified ports.

In Ethernet port view, the interface-list argument is not available and the commands apply to only the current Ethernet port.

Related command: display dot1x.

Example

# Specify Ethernet1/0/1 port to operate in unauthorized-force access control mode.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x port-control unauthorized-force interface Ethernet 1/0/1

dot1x port-method

Syntax

dot1x port-method { macbased | portbased } [ interface interface-list ]

undo dot1x port-method [ interface interface-list ]

View

System view, Ethernet port view

Parameter

macbased: Performs MAC address-based authentication.

portbased: Performs port-based authentication.

interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.

Description

Use the dot1x port-method command to specify the access control method for specified Ethernet ports.

Use the undo dot1x port-method command to revert to the default access control method.

By default, the access control method is macbased.

This command specifies the way in which the users are authenticated.

l          If you specify to authenticate users by MAC addresses (that is, executing the dot1x port-method command with the macbased keyword specified), all the users connected to the specified Ethernet ports are authenticated separately. And if an online user logs off, others are not affected.

l          If you specify to authenticate supplicant systems by port numbers (that is, executing the dot1x port-method command with the portbased keyword specified), all the users connected to a specified Ethernet port are able to access the network without being authenticated if a user among them passes the authentication. And when the user logs off, the network is inaccessible to all other supplicant systems either.

l          Changing the access control method on a port by the dot1x port-method command will forcibly log out the online 802.1x users on the port.

In system view:

l          If you do not provide the interface-list argument, these two commands apply to all the ports of the switch.

l          If you specify the interface-list argument, these commands apply to the specified ports.

In Ethernet port view, the interface-list argument is not available and the commands apply to only the current Ethernet port.

Related command: display dot1x.

Example

# Specify to authenticate users connected to Ethernet1/0/1 port by port numbers.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x port-method portbased interface Ethernet 1/0/1

dot1x quiet-period

Syntax

dot1x quiet-period

undo dot1x quiet-period

View

System view

Parameter

None

Description

Use the dot1x quiet-period command to enable the quiet-period timer.

Use the undo dot1x quiet-period command to disable the quiet-period timer.

When a user fails to pass the authentication, the authenticator system (such as a H3C series Ethernet switch) will stay quiet for a period (determined by the quiet-period timer) before it performs another authentication. During the quiet period, the authenticator system performs no 802.1x authentication of the user.

By default, the quiet-period timer is disabled.

Related commands: display dot1x, dot1x timer.

Example

# Enable the quiet-period timer.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x quiet-period

dot1x retry

Syntax

dot1x retry max-retry-value

undo dot1x retry

View

System view

Parameter

max-retry-value: Maximum number of times that a switch sends authentication request packets to a user. This argument ranges from 1 to 10.

Description

Use the dot1x retry command to specify the maximum number of times that a switch sends authentication request packets to a user.

Use the undo dot1x retry command to revert to the default value.

By default, a switch sends authentication request packets to a user for up to 2 times.

After a switch sends an authentication request packet to a user, it sends another authentication request packet if it does not receive response from the user after a specific period of time. If the switch still receives no response when the configured maximum number of authentication request transmission attempts is reached, it no long sends an authentication request packet to the user. This command applies to all ports.

Related command: display dot1x.

Example

# Specify the maximum number of times that the switch sends authentication request packets to be 9.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x retry 9

dot1x retry-version-max

Syntax

dot1x retry-version-max max-retry-version-value

undo dot1x retry-version-max

View

System view

Parameter

max-retry-version-value: Maximum number of times that a switch sends version request packets to a user. This argument ranges from 1 to 10.

Description

Use the dot1x retry-version-max command to set the maximum number of times that a switch sends version request packets to a user.

Use the undo dot1x retry-version-max command to revert to the default value.

By default, a switch sends version request packets to a user for up to 3 times.

After a switch sends a version request packet to a user, it sends another version request packet if it does receive response from the user after a specific period of time (as determined by the client version request timer). When the number set by this command has reached and there is still no response from the user, the switch continues the following authentication procedures without sending version requests. This command applies to all the ports with the version checking function enabled.

Related commands: display dot1x, dot1x timer.

Example

# Configure the maximum number of times that the switch sends version request packets to be 6.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x retry-version-max 6

dot1x re-authenticate

Syntax

dot1x re-authenticate [ interface interface-list ]

undo dot1x re-authenticate [ interface interface-list ]

View

System view/Ethernet port view

Parameter

interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.

Description

Use the dot1x re-authenticate command to enable 802.1x re-authentication on specific ports or on all ports of the switch.

Use the undo dot1x re-authenticate command to disable 802.1x re-authentication on specific ports or on all ports of the switch.

By default, 802.1x re-authentication is disabled on all ports.

In system view:

l          If you do not specify the interface-list argument, this command will enable 802.1x re-authentication on all ports.

l          If you specify the interface-list argument, the command will enable 802.1x on the specified ports.

In Ethernet port view, the interface-list argument is not available and 8021.x re-authentication is enabled on the current port only.

 

802.1x must be enabled globally and on the current port before 802.1x re-authentication can be configured on a port.

 

Example

# Enable 802.1x re-authentication on port Ethernet 1/0/1.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x

 802.1X is enabled globally.

[Sysname] interface Ethernet 1/0/1

[Sysname-Ethernet1/0/1] dot1x

 802.1X is enabled on port Ethernet1/0/1 already.

[Sysname-Ethernet1/0/1] dot1x re-authenticate

 Re-authentication is enabled on port Ethernet1/0/1

dot1x supp-proxy-check

Syntax

dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]

undo dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]

View

System view, Ethernet port view

Parameter

logoff: Disconnects a user upon detecting it logging in through a proxy or through multiple network adapters.

trap: Sends Trap packets upon detecting a user logging in through a proxy or through multiple network adapters.

interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.

Description

Use the dot1x supp-proxy-check command to enable 802.1x proxy checking for specified ports.

Use the undo dot1x supp-proxy-check command to disable 802.1x proxy checking for specified ports.

By default, 802.1x proxy checking is disabled on all Ethernet ports.

In system view:

l          If you do not specify the interface-list argument, the configurations performed by these two commands are global.

l          If you specify the interface-list argument, these two commands apply to the specified Ethernet ports.

In Ethernet port view, the interface-list argument is not available and the commands apply to only the current Ethernet port.

The proxy checking function takes effect on a port only when the function is enabled both globally and on the port.

802.1x proxy checking checks for:

l          Users logging in through proxies

l          Users logging in through IE proxies

l          Whether or not a user logs in through multiple network adapters (that is, when the user attempts to log in, it contains more than one active network adapters.)

A switch can optionally take the following actions in response to any of the above three cases:

l          Only disconnects the user but sends no Trap packets, which can be achieved by using the dot1x supp-proxy-check logoff command.

l          Sends Trap packets without disconnecting the user, which can be achieved by using the dot1x supp-proxy-check trap command.

This function needs the cooperation of 802.1x clients and the CAMS server:

l          Multiple network adapter checking, proxy checking, and IE proxy checking are enabled on the 802.1x client.

l          The CAMS server is configured to disable the use of multiple network adapters, proxies, and IE proxy.

By default, proxy checking is disabled on 802.1x client. In this case, if you configure the CAMS server to disable the use of multiple network adapters, proxies, and IE proxy, it sends messages to the 802.1x client to ask the latter to disable the use of multiple network adapters, proxies, and IE proxy after the user passes the authentication.

 

l          The 802.1x proxy checking function needs the cooperation of H3C's 802.1x client program.

l          The proxy checking function takes effect only after the client version checking function is enabled on the switch (using the dot1x version-check command).

 

Related command: display dot1x.

Example

# Configure to disconnect the users connected to Ethernet1/0/1 through Ethernet1/0/8 ports if they are detected logging in through proxies.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x supp-proxy-check logoff

[Sysname] dot1x supp-proxy-check logoff interface Ethernet 1/0/1 to Ethernet 1/0/8

# Configure the switch to send Trap packets if the users connected to Ethernet1/0/9 port is detected logging in through proxies.

[Sysname] dot1x supp-proxy-check trap

[Sysname] dot1x supp-proxy-check trap interface Ethernet 1/0/9

dot1x timer

Syntax

dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | server-timeout server-timeout-value | supp-timeout supp-timeout-value | tx-period tx-period-value | ver-period ver-period-value }

undo dot1x timer { handshake-period | quiet-period | server-timeout | supp-timeout | tx-period | ver-period }

View

System view

Parameter

handshake-period handshake-period-value: Sets the handshake timer. This timer sets the handshake-period and is triggered after a supplicant system passes the authentication. It sets the interval for a switch to send handshake request packets to online users. If you set the number of retries to N by using the dot1x retry command, an online user is considered offline when the switch does not receive response packets from it in a period N times of the handshake-period.

The handshake-period-value argument ranges from 5 to 1,024 (in seconds). By default, the handshake timer is set to 15 seconds.

quiet-period quiet-period-value: Sets the quiet-period timer. This timer sets the quiet-period. When a supplicant system fails to pass the authentication, the switch quiets for the set period (set by the quiet-period timer) before it processes another authentication request re-initiated by the supplicant system. During this quiet period, the switch does not perform any 802.1x authentication-related actions for the supplicant system.

The quiet-period-value argument ranges from 10 to 120 (in seconds). By default, the quiet-period timer is set to 60 seconds.

server-timeout server-timeout-value: Sets the RADIUS server timer. This timer sets the server-timeout period. After sending an authentication request packet to the RADIUS server, a switch sends another authentication request packet if it does not receive the response from the RADIUS server when this timer times out.

The server-timeout-value argument ranges from 100 to 300 (in seconds). By default, the RADIUS server timer is set to 100 seconds.

supp-timeout supp-timeout-value: Sets the supplicant system timer. This timer sets the supp-timeout period and is triggered by the switch after the switch sends a request/challenge packet to a supplicant system (The packet is used to request the supplicant system for the MD5 encrypted string.) The switch sends another request/challenge packet to the supplicant system if the switch does not receive the response from the supplicant system when this timer times out..

The supp-timeout-value argument ranges from 10 to 120 (in seconds). By default, the supplicant system timer is set to 30 seconds.

tx-period tx-period-value: Sets the transmission timer. This timer sets the tx-period and is triggered in two cases. The first case is when the client requests for authentication. The switch sends a unicast request/identity packet to a supplicant system and then triggers the transmission timer. The switch sends another request/identity packet to the supplicant system if it does not receive the reply packet from the supplicant system when this timer times out. The second case is when the switch authenticates the 802.1x client who cannot request for authentication actively. The switch sends multicast request/identity packets periodically through the port enabled with 802.1x function. In this case, this timer sets the interval to send the multicast request/identity packets.

The tx-period-value argument ranges from 10 to 120 (in seconds). By default, the transmission timer is set to 30 seconds.

ver-period ver-period-value: Sets the client version request timer. This timer sets the version period and is triggered after a switch sends a version request packet. The switch sends another version request packet if it does receive version response packets from the supplicant system when the timer expires.

The ver-period-value argument ranges from 1 to 30 (in seconds). By default, the client version request timer is set to 30 seconds.

Description

Use the dot1x timer command to set a specified 802.1x timer.

Use the undo dot1x timer command to restore a specified 802.1x timer to the default setting.

During an 802.1x authentication process, multiple timers are triggered to ensure that the supplicant systems, the authenticator systems, and the Authentication servers interact with each other in an orderly way. To make authentications being processed in the desired way, you can use the dot1x timer command to set the timers as needed. This may be necessary in some special situations or in tough network environments. Normally, the defaults are recommended. (Note that some timers cannot be adjusted.)

Related command: display dot1x.

Example

# Set the RADIUS server timer to 150 seconds.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x timer server-timeout 150

dot1x timer reauth-period

Syntax

dot1x timer reauth-period reauth-period-value

undo dot1x timer reauth-period

View

System view

Parameter

reauth-period reauth-period-value: Specifies re-authentication interval, in seconds. After this timer expires, the switch initiates 802.1x re-authentication. The value of the reauth-period-value argument ranges from 60 to 7,200.

Description

Use the dot1x timer reauth-period command to configure the interval for 802.1x re-authentication.

Use the undo dot1x timer reauth-period command to restore the default 802.1x re-authentication interval.

By default, the 802.1x re-authentication interval is 3,600 seconds.

Example

# Set the 802.1x re-authentication interval to 150 seconds.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x timer reauth-period 150

dot1x version-check

Syntax

dot1x version-check [ interface interface-list ]

undo dot1x version-check [ interface interface-list ]

View

System view, Ethernet port view

Parameter

interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.

Description

Use the dot1x version-check command to enable 802.1x client version checking for specified Ethernet ports.

Use the undo dot1x version-check command to disable 802.1x client version checking for specified Ethernet ports.

By default, 802.1x client version checking is disabled on all the Ethernet ports.

In system view:

l          If you do not provide the interface-list argument, these two commands apply to all the ports of the switch.

l          If you specify the interface-list argument, these commands apply to the specified ports.

In Ethernet port view, the interface-list argument is not available and the commands apply to only the current Ethernet port.

Example

# Configure Ethernet 1/0/1 port to check the version of the 802.1x client upon receiving authentication packets.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] interface Ethernet 1/0/1

[Sysname-Ethernet1/0/1] dot1x version-check

reset dot1x statistics

Syntax

reset dot1x statistics [ interface interface-list ]

View

User view

Parameter

interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.

Description

Use the reset dot1x statistics command to clear 802.1x-related statistics.

To retrieve the latest 802.1x-related statistics, you can use this command to clear the existing 802.1x-related statistics first.

When you execute this command,

If the interface-list argument is not specified, this command clears the global 802.1x statistics and the 802.1x statistics on all the ports.

If the interface-list argument is specified, this command clears the 802.1x statistics on the specified ports.

Related command: display dot1x.

Example

# Clear 802.1x statistics on Ethernet 1/0/1 port.

<Sysname> reset dot1x statistics interface Ethernet 1/0/1

 


 

The command introduced in this chapter is only supported by the S3100-EI series switches.

 

Quick EAD Deployment Configuration Commands

dot1x free-ip

Syntax

dot1x free-ip ip-address { mask-address | mask-length }

undo dot1x free-ip [ ip-address { mask-address | mask-length } ]

View

System view

Parameters

ip-address: Free IP address, in dotted decimal notation.

mask-address: Subnet mask of the free IP address, in dotted decimal notation.

mask-length: Length of the subnet mask of the free IP address, in the range 0 to 32.

Description

Use the dot1x free-ip command to configure a free IP range. A free IP range is an IP range that users can access before passing 802.1x authentication.

Use the undo dot1x free-ip command to remove a specified free IP range or all free IP ranges.

By default, no free IP range is configured.

 

l          You must configure the URL for HTTP redirection before configuring a free IP range.

l          The device supports up to two free IP ranges.

 

Examples

# Configure a free IP range for users to access before passing authentication.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x free-ip 192.168.19.23 24

dot1x timer acl-timeout

Syntax

dot1x timer acl-timeout acl-timeout-value

undo dot1x timer acl-timeout

View

System view

Parameters

acl-timeout-value: ACL timeout period (in minutes), in the range of 1 to 1440.

Description

Use the dot1x timer acl-timeout command to configure the ACL timeout period.

Use the undo dot1x timer acl-timeout command to restore the default.

By default, the ACL timeout period is 30 minutes.

Related commands: dot1x configuration commands.

Examples

# Set the ACL timeout period to 40 minutes.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x timer acl-timeout 40

dot1x url

Syntax

dot1x url url-string

undo dot1x url

View

System view

Parameters

url-string: URL for HTTP redirection, in the format of http://x.x.x.x.

Description

Use the dot1x url command to configure the URL for HTTP redirection.

Use the undo dot1x url command to remove the configuration.

By default, no URL is configured for HTTP redirection.

Related commands: dot1x configuration commands.

Examples

# Configure the URL for HTTP redirection.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] dot1x url http://192.168.19.23

 


HABP Configuration Commands

display habp

Syntax

display habp

View

Any view

Parameter

None

Description

Use the display habp command to display HABP configuration and status.

Example

# Display HABP configuration and status.

<Sysname> display habp

Global HABP information:

        HABP Mode: Server

        Sending HABP request packets every 20 seconds

        Bypass VLAN: 2

Table 3-1 Description on the fields of the display habp command

Field

Description

HABP Mode

Indicates the HABP mode of the switch. A switch can operate as an HABP server (displayed as Server) or an HABP client (displayed as Client).

Sending HABP request packets every 20 seconds

HABP request packets are sent once in every 20 seconds.

Bypass VLAN

Indicates the IDs of the VLANs to which HABP request packets are sent.

 

display habp table

Syntax

display habp table

View

Any view

Parameter

None

Description

Use the display habp table command to display the MAC address table maintained by HABP.

Example

# Display the MAC address table maintained by HABP.

<Sysname> display habp table

MAC             Holdtime  Receive Port

001f-3c00-0030  53        Ethernet1/0/1

Table 3-2 Description on the fields of the display habp table command

Field

Description

MAC

MAC addresses contained in the HABP MAC address table.

Holdtime

Hold time of the entries in the HABP MAC address table. An entry is removed from the table if it is not updated in a period determined by the hold time.

Receive Port

The port from which a MAC address is learned

 

display habp traffic

Syntax

display habp traffic

View

Any view

Parameter

None

Description

Use the display habp traffic command to display the statistics on HABP packets.

Example

# Display the statistics on HABP packets.

<Sysname> display habp traffic

HABP counters :

        Packets output: 0, Input: 0

        ID error: 0, Type error: 0, Version error: 0

        Sent failed: 0

Table 3-3 Description on the fields of the display habp traffic command

Field

Description

Packets output

Number of the HABP packets sent

Input

Number of the HABP packets received

ID error

Number of the HABP packets with ID errors

Type error

Number of the HABP packets with type errors

Version error

Number of the HABP packets with version errors

Sent failed

Number of the HABP packets that failed to be sent

 

habp enable

Syntax

habp enable

undo habp enable

View

System view

Parameter

None

Description

Use the habp enable command to enable HABP for a switch.

Use the undo habp enable command to disable HABP for a switch.

By default, HABP is enabled on a switch.

If an 802.1x-enabled switch does not have HABP enabled, it cannot manage the switches attached to it. So, you need to enable HABP on specific switches in a network with 802.1x enabled.

Example

# Enable HABP.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] habp enable

habp server vlan

Syntax

habp server vlan vlan-id

undo habp server

View

System view

Parameter

vlan-id: VLAN ID, ranging from 1 to 4094.

Description

Use the habp server vlan command to configure a switch to operate as an HABP server. This command also specifies the VLAN where HABP packets are broadcast.

Use the undo habp server vlan command to revert to the default HABP mode.

By default, a switch operates as an HABP client.

To specify a switch to operate as an HABP server, you need to enable HABP (using the habp enable command) for the switch first. When HABP is not enabled, the habp server vlan command cannot take effect.

Example

# Specify the switch to operate as an HABP server and the HABP packets to be broadcast in VLAN 2. (Assume that HABP is enabled.)

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] habp server vlan 2

habp timer

Syntax

habp timer interval

undo habp timer

View

System view

Parameter

interval: Interval (in seconds) to send HABP request packets. This argument ranges from 5 to 600.

Description

Use the habp timer command to set the interval for a switch to send HABP request packets.

Use the undo habp timer command to revert to the default interval.

The default interval for a switch to send HABP request packets is 20 seconds.

Use these two commands on switches operating as HABP servers only.

Example

# Configure the switch to send HABP request packets once in every 50 seconds

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] habp timer 50

 


 

The command introduced in this chapter is only supported by the S3100-EI series switches.

 

System-Guard Configuration Commands

display system-guard attack-record

Syntax

display system-guard attack-record

View

Any view

Parameter

None

Description

Use the display system-guard attack-record command to display the record of detected attacks.

Example

# Display the record of detected attacks.

<Sysname> display system-guard attack-record

Target No.  : 1

 Range       : 2

 Packet type : BOGUS

 Port        : 1

 MAC address : 00e0-fc00-0001

 IP address  : 10.10.10.10

 Alive time  : 6

Table 4-1 Description on the fields of display system-guard attack-record

Field

Description

Target No

Number of the attack record

Range

Control range of the attack

Packet type

Type of the attack packet

Port

Number of the port being attacked

MAC address

Source MAC address of the attack packet

IP address

Source IP address of the attack packet

Alive time

Remaining time during which attack packets of the type are isolated

 

display system-guard state

Syntax

display system-guard state

View

Any view

Parameter

None

Description

Use the display system-guard state command to display the state of the system-guard feature.

Related command: system-guard enable, system-guard detect-threshold, and system-guard timer-interval.

Example

# Display the state of the system-guard feature.

<Sysname> display system-guard state

 System-guard Status: Enabled

 Permitted Interfaces:

  Ethernet1/0/1  

 Detect Threshold: 201

 Isolated Time: 20

 Attack Number: 0   

Table 4-2 Description on the fields of the display system-guard state command

Field

Description

System-guard Status

The enable/disable status of the system-guard function

Permitted Interfaces

Interfaces enabled with the system-guard function

Detect Threshold

The threshold for the number of packets when an attack is detected

Isolated Time

The length of the isolation after an attack is detected

Attack Number

The times of detected attacks

 

system-guard detect-threshold

Syntax

system-guard detect-threshold threshold-value

undo system-guard detect-threshold

View

System view

Parameter

threshold-value: Threshold for the number of packets when an attack is detected, in the range of 200 to 1,000.

Description

Use the system-guard detect-threshold command to set the threshold for the number of packets when an attack is detected. When the number of inbound packets of the same type exceeds the threshold, one attack is detected and recorded.

Use the undo system-guard detect-threshold command to restore the threshold to the default value.

By default, the threshold is 200.

Related command: display system-guard state.

Example

# Set the threshold for the number of packets when an attack is detected to 300.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname]system-guard detect-threshold 300 

system-guard enable

Syntax

system-guard enable

undo system-guard enable

View

System view

Parameter

None

Description

Use the system-guard enable command to enable the system-guard feature.

Use the undo system-guard enable command to disable the system-guard feature.

By default, the system-guard feature is disabled.

Related command: display system-guard state.

Example

# Enable the system-guard feature.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname]system-guard enable

System-guard is enabled

system-guard permit

Syntax

system-guard permit interface-list

undo system-guard permit interface-list

View

System view

Parameter

permit: Specifies the ports to which with the system-guard function is to be applied.

interface-list: Specifies an Ethernet port list, which can contain multiple Ethernet ports. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } & <1-10>, where interface-type represents the port type, interface-number represents the port number, and & <1-10> means that you can provide up to 10 port indexes/port index lists for this argument. The start port number must be smaller than the end number and the two ports must of the same type.

Description

Use the system-guard permit command to specify the ports to which the system-guard function is to be applied to. A switch checks the ports with the system-guard function applied regularly for attacked ports.

Use the undo system-guard permit command to disable the system-guard function for specified ports.

By default, the system-guard function is disabled on a port.

Example

# Apply the system-guard function to Ethernet1/0/1 through Ethernet1/0/10 ports.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] system-guard permit Ethernet 1/0/1 to Ethernet 1/0/10

system-guard timer-interval

Syntax

system-guard timer-interval isolate-timer

undo system-guard timer-interval

View

System view

Parameter

isolate-timer: Length of the isolation after an attack is detected, in the range of 1 to 10,000 in minutes.

Description

Use the system-guard timer-interval command to set the length of the isolation after an attack is detected.

Use the undo system-guard timer-interval command to restore the length of the isolation to the default value.

By default, the length of the isolation after an attack is detected is 10 minutes.

Related command: display system-guard state.

Example

# Set the length of the isolation after an attack is detected to 20 minutes.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname]system-guard timer-interval 20

 


 

The command introduced in this chapter is only supported by the S3100-SI series switches.

 

System-guard Configuration Commands

display system-guard config

Syntax

display system-guard config

View

Any view

Parameter

None

Description

Use the display system-guard config command to display current system-guard configuration and the attacked ports.

Example

# Display the information about system-guard.

<Sysname> display system-guard config

state         : disable

mode          : rate-limit

interval-time : 5

threshold     : 64

timeout       : 60

permit interfaces :

  Ethernet1/0/1

attacked and controled interfaces:

system-guard enable

Syntax

system-guard enable

undo system-guard enable

View

System view

Parameter

None

Description

Use the system-guard enable command to enable the system-guard function.

Use the undo system-guard enable command to disable the system-guard function.

By default, the system-guard function is disabled.

Example

# Enable the system-guard function.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] system-guard enable

system-guard mode

Syntax

system-guard mode rate-limit interval-time threshold timeout

undo system-guard mode

View

System view

Parameter

rate-limit: Specifies that system-guard is achieved by limiting the rates of attacked ports.

interval-time: Interval to perform the system-guard operation.

threshold: Threshold in terms of the number of the packets received by the management port within the period specified by the interval-time argument.

Timeout: Time period within which an attacked port is under control.

Description

Use the system-guard mode rate-limit command to implement the system-guard function by means of port rate limit. A switch checks the management port for the number of the received packets once in each period determined by the interval-time argument. If the number exceeds the threshold, the switch considers the specific ports to be attacked ports and applies the port rate limit to these ports. The port rate limit is invalidated after the time specified by the time-out argument elapses.

Use the undo system-guard mode command to revert to the default system-guard configuration.

Related command: display system-guard config.

Example

# Implement the system-guard function by means of port rate limit, with the checking interval being 5 seconds, the threshold being 100, and the timeout time being 30 seconds.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] system-guard mode rate-limit 5 100 30

 

Upon detection of an attacked port, an S3100-SI switch applies a port rate limit of 64 kbps to the port.

 

system-guard permit

Syntax

system-guard permit interface-list

undo system-guard permit interface-list

View

System view

Parameter

permit: Specifies the ports to which with the system-guard function is to be applied.

interface-list: Specifies an Ethernet port list, which can contain multiple Ethernet ports. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } & <1-10>, where interface-type represents the port type, interface-number represents the port number, and & <1-10> means that you can provide up to 10 port indexes/port index lists for this argument. The start port number must be smaller than the end number and the two ports must of the same type.

Description

Use the system-guard permit command to specify the ports to which the system-guard function is to be applied to. A switch checks the ports with the system-guard function applied regularly for attacked ports.

Use the undo system-guard permit command to disable the system-guard function for specified ports.

 

l          After system-guard is enabled on a port, if the number of packets the port received and sent to the CPU in a specified interval exceeds the specified threshold, the system considers that the port is under attack and begins to limit the packet receiving rate on the port (this function is also called inbound rate limit). if the rate of incoming packets on the port exceeds the threshold of inbound rate limit, any service packets, including BPDU packets, are possible to be dropped at random, which may result in state transition of STP.

l          The system–guard function is not applicable to the uplink port of an S3100-SI switch.

 

Example

# Apply the system-guard function to Ethernet1/0/1 through Ethernet1/0/10 ports.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] system-guard permit Ethernet 1/0/1 to Ethernet 1/0/10

 

  • Cloud & AI
  • InterConnect
  • Intelligent Computing
  • Security
  • SMB Products
  • Intelligent Terminal Products
  • Product Support Services
  • Technical Service Solutions
All Services
  • Resource Center
  • Policy
  • Online Help
All Support
  • Become a Partner
  • Partner Resources
  • Partner Business Management
All Partners
  • Profile
  • News & Events
  • Online Exhibition Center
  • Contact Us
All About Us
新华三官网