H3C S3100 Series Ethernet Switches command Manual-Release 21XX Series(V1.06)

19-MAC Address Authentication Commands

MAC Address Authentication Configuration Commands

MAC Address Authentication Basic Function Configuration Commands

display mac-authentication

Syntax

display mac-authentication [ interface interface-list ]

View

Any view

Parameters

interface interface-list: List of Ethernet ports. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument.

Description

Use the display mac-authentication command to display information about MAC address authentication.

Examples

# Display the global information about MAC address authentication.

<Sysname> display mac-authentication

Mac address authentication is Enabled.

 Authentication mode is UsernameAsMacAddress

 Usernameformat:with-hyphen lowercase

 Fixed password:not configured

         Offline detect period is 300s

         Quiet period is 60 second(s).

         Server response timeout value  is 100s

         Guest VLAN re-authenticate period is 30s 

         Max allowed user number is 1024

         Current user number amounts to  1

         Current domain: not configured, use default domain

Silent Mac User info:

          MAC ADDR             From Port               Port Index

          0016-e0be-e201       Ethernet1/0/2              1(vlan:1)

          --- 1 silent mac address(es) found. ---          

Ethernet1/0/1 is link-up

  MAC address authentication  is Enabled

  max-auth-num is 256

  Guest VLAN is 2

  Authenticate success: 1, failed: 0

  Current online user number is 1

    MAC ADDR         Authenticate state           AuthIndex

    000d-88f8-4e71   MAC_AUTHENTICATOR_SUCCESS     0

……(The following is omitted)

Table 1-1 Description on the fields of the display mac-authentication command

Field

Description

Mac address authentication is Enabled

MAC address authentication is enabled.

Authentication mode

Username type used in the MAC address authentication:

•      UsernameFixed: Uses the fixed username for authentication.

•      UsernameAsMacAddress: Uses the MAC address of a user as the username for authentication.

The default is the MAC address (UsernameAsMacAddress).

Fixed password

Meaning of this field varies by the username type for MAC address authentication:

•      If the username type is MAC address, this field indicates whether a fixed password is used for authentication. By default, this field is not configured, which means the MAC address of a user is used as the password for authentication.

•      If the username type is fixed username, this field indicates whether a fixed password is configured. By default, this field is not configured, which means the password is null.

Offline detect period

Offline detect timer, which sets the time interval to check whether a user goes offline and defaults to 300 seconds.

Quiet period

Quiet timer sets the quiet period. A switch goes through a quiet period if a user fails to pass the MAC address authentication. The default value is 60 seconds.

Server response timeout value

Server timeout timer, which sets the timeout time for the connection between a switch and the RADIUS server. By default, it is 100 seconds.

Guest VLAN re-authenticate period

Re-authenticate timer, which sets the time interval to reauthenticate the users in the Guest VLAN and defaults to 30 seconds.

Max allowed user number

The maximum number of users supported by the switch. It is 1,024 by default.

Current user number amounts to

The current number of users

Current domain

The current domain. It is not configured by default.

Silent Mac User info

The information about silent users. When a user fails to pass MAC address authentication because of an incorrect username or password, the switch sets the user to the quiet state. During the quiet period, the switch does not process authentication requests from this user.

Ethernet1/0/1 is link-up

The link connected to Ethernet1/0/1 port is up.

MAC address authentication is Enabled

MAC address authentication is enabled for Ethernet1/0/1 port.

max-auth-num

Maximum number of MAC address authentication users that the port can accommodate

Guest VLAN

Guest VLAN of the port

Authenticate success: 1, failed: 0

Statistics of the MAC address authentications performed on the port, including the numbers of successful and failed authentication operations.

Current online user number

The number of users currently accessing the network through the port

MAC ADDR

Peer MAC address

Authenticate state

The state of the users accessing the network through the port, which can be:

•      MAC_AUTHENTICATOR_CONNECTING: Connecting

•      MAC_AUTHENTICATOR_SUCCESS: Authentication passed

•      MAC_AUTHENTICATOR_FAILURE: Failed to pass authentication

•      MAC_AUTHENTICATOR_LOGOFF: Offline

AuthIndex

Index of the current MAC address with regard to the authentication port
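The per-port blocks and the Silent Mac User info section shown above are the parts of the display mac-authentication output a defender wants to watch (failed attempts and silenced MACs). The following parser and triage helper are an added example, not part of the H3C manual; the sample output is constructed from the page's example and extended with two further ports, and the line layout it expects is an assumption taken from that example.

```python
import re

# Constructed sample modelled on the page's display output; not captured from a real switch.
SAMPLE_OUTPUT = """
Mac address authentication is Enabled.
 Authentication mode is UsernameAsMacAddress
         Quiet period is 60 second(s).
Silent Mac User info:
          MAC ADDR             From Port               Port Index
          0016-e0be-e201       Ethernet1/0/2              1(vlan:1)
          --- 1 silent mac address(es) found. ---
Ethernet1/0/1 is link-up
  MAC address authentication  is Enabled
  Authenticate success: 1, failed: 0
  Current online user number is 1
    MAC ADDR         Authenticate state           AuthIndex
    000d-88f8-4e71   MAC_AUTHENTICATOR_SUCCESS     0
Ethernet1/0/2 is link-up
  MAC address authentication  is Enabled
  Authenticate success: 0, failed: 3
  Current online user number is 0
Ethernet1/0/3 is link-up
  MAC address authentication  is Enabled
  Authenticate success: 0, failed: 0
  Current online user number is 1
    MAC ADDR         Authenticate state           AuthIndex
    0011-2233-4455   MAC_AUTHENTICATOR_CONNECTING  1
"""

MAC = r"([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})"          # H3C xxxx-xxxx-xxxx notation
PORT_RE = re.compile(r"^(\S+) is link-(up|down)$")
STATS_RE = re.compile(r"Authenticate success:\s*(\d+),\s*failed:\s*(\d+)")
USER_RE = re.compile(rf"^{MAC}\s+(MAC_AUTHENTICATOR_\w+)\s+\d+$", re.I)
SILENT_RE = re.compile(rf"^{MAC}\s+(\S+)\s+\d+\(vlan:(\d+)\)$", re.I)

def parse_mac_authentication(text):
    """Return ({port: {link, success, failed, users: {mac: state}}}, [silent MAC entries])."""
    ports, silent, port, in_silent = {}, [], None, False
    for line in (raw.strip() for raw in text.splitlines()):
        m = PORT_RE.match(line)
        if m:  # a per-port block starts; this also ends the silent-MAC section
            port = ports.setdefault(m.group(1), {"link": m.group(2), "success": 0, "failed": 0, "users": {}})
            in_silent = False
        elif line.startswith("Silent Mac User info"):
            in_silent, port = True, None
        elif in_silent and (m := SILENT_RE.match(line)):
            silent.append({"mac": m.group(1).lower(), "port": m.group(2), "vlan": int(m.group(3))})
        elif port and (m := STATS_RE.search(line)):
            port["success"], port["failed"] = int(m.group(1)), int(m.group(2))
        elif port and (m := USER_RE.match(line)):
            port["users"][m.group(1).lower()] = m.group(2).upper()
    return ports, silent

def flag_ports(ports, silent):
    """Ports worth a look: failed attempts, a silenced (quiet-state) MAC, or a user
    whose state is not MAC_AUTHENTICATOR_SUCCESS. Returns {port: [reasons]}."""
    silent_ports = {s["port"] for s in silent}
    flagged = {}
    for name, p in ports.items():
        reasons = []
        if p["failed"]:
            reasons.append(f"{p['failed']} failed authentication(s)")
        if name in silent_ports:
            reasons.append("silenced MAC present")
        reasons += [f"{mac} in state {st}" for mac, st in p["users"].items()
                    if st != "MAC_AUTHENTICATOR_SUCCESS"]
        if reasons:
            flagged[name] = reasons
    return flagged
```

Feed the real output of display mac-authentication (collected over SSH or from a log) to parse_mac_authentication and alert on whatever flag_ports returns; a port that keeps accumulating failures and silenced MACs is the signal that the quiet-period mechanism described in the table is being exercised.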

 

mac-authentication

Syntax

mac-authentication

undo mac-authentication

View

System view, Ethernet port view

Parameters

None

Description

Use the mac-authentication command to enable MAC address authentication globally or on the current port.

Use the undo mac-authentication command to disable MAC address authentication globally or on the current port.

By default, MAC address authentication is disabled both globally and on a port.

When being executed in system view, the mac-authentication command enables MAC address authentication globally.

When being executed in Ethernet port view, the mac-authentication command enables MAC address authentication on the current port.

To make the MAC address authentication take effect, you must enable MAC address authentication globally and on the relevant ports.

 

You can configure MAC address authentication on a port before enabling it globally. However, the configuration will not take effect unless MAC address authentication is enabled globally.

 

Examples

# Enable MAC address authentication globally.

<Sysname> system-view

System View: return to User View with Ctrl+Z.  

[Sysname] mac-authentication

  MAC-Authentication is enabled globally.

# Enable MAC address authentication on port Ethernet 1/0/1.

[Sysname] interface Ethernet 1/0/1

[Sysname-Ethernet1/0/1] mac-authentication

mac-authentication interface

Syntax

mac-authentication interface interface-list

undo mac-authentication interface interface-list

View

System view

Parameters

interface-list: List of Ethernet ports. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument.

Description

Use the mac-authentication interface command to enable MAC address authentication on the specified port(s).

Use the undo mac-authentication interface command to disable the MAC address authentication for the specified port(s).

By default, MAC address authentication is disabled on a port.

 

•          This command is essential for MAC address authentication to work on a port or on particular ports after MAC address authentication is globally enabled.

•          You cannot configure the maximum number of dynamic MAC address entries for a port (through the mac-address max-mac-count command) with MAC address authentication enabled. Likewise, you cannot enable the MAC address authentication feature on a port with a limit of dynamic MAC addresses configured.

•          If you have enabled MAC address authentication on a port, you cannot add the port to an aggregation group. If a port is already added to an aggregation group, you cannot enable MAC address authentication on the port.

 

Examples

# Enable MAC address authentication for Ethernet1/0/1 port.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] mac-authentication interface Ethernet 1/0/1

mac-authentication authmode usernameasmacaddress

Syntax

mac-authentication authmode usernameasmacaddress [ usernameformat { with-hyphen | without-hyphen } { lowercase | uppercase } | fixedpassword password ]

undo mac-authentication authmode usernameasmacaddress [ usernameformat  | fixedpassword ]

View

System view

Parameters

usernameformat: Specifies the input format of the username and password.

with-hyphen: Uses hyphened MAC addresses as usernames and passwords, for example, 00-05-e0-1c-02-e3.

without-hyphen: Uses MAC addresses without hyphens as usernames and passwords, for example, 0005e01c02e3.

lowercase: Uses lowercase MAC addresses as usernames and passwords.

uppercase: Uses uppercase MAC addresses as usernames and passwords.

fixedpassword password: Specifies the password for MAC address authentication as the specified fixed password instead of user MAC addresses. password is a string of 1 to 63 characters.

Description

Use the mac-authentication authmode usernameasmacaddress command to set the username type for MAC address authentication to MAC address and specify the username format.

Use the undo mac-authentication authmode command to restore the default user name mode.

By default, the user name and password in MAC address mode are used for MAC address authentication.

Examples

# Use the user name in MAC address mode for MAC address authentication, requiring hyphened lowercase MAC addresses as the usernames and passwords.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] mac-authentication authmode usernameasmacaddress usernameformat with-hyphen lowercase

mac-authentication authmode usernamefixed

Syntax

mac-authentication authmode usernamefixed

undo mac-authentication authmode

View

System view

Parameters

None

Description

Use the mac-authentication authmode usernamefixed command to set the user name in fixed mode for MAC address authentication.

Use the undo mac-authentication authmode command to restore the default user name mode for MAC address authentication.

By default, the MAC address mode is used.

Examples

# Use the user name in fixed mode for MAC address authentication.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] mac-authentication authmode usernamefixed

mac-authentication authpassword

Syntax

mac-authentication authpassword password

undo mac-authentication authpassword

View

System view

Parameters

password: Password to be set, a string comprising 1 to 63 characters.

Description

Use the mac-authentication authpassword command to set a password for MAC address authentication when the user name in fixed mode is used.

Use the undo mac-authentication authpassword command to cancel the configured password.

By default, no password is configured.

Examples

# Set the password to newmac.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] mac-authentication authpassword newmac

mac-authentication authusername

Syntax

mac-authentication authusername username

undo mac-authentication authusername

View

System view

Parameters

username: User name used in authentication, a string of 1 to 55 characters.

Description

Use the mac-authentication authusername command to set a user name in fixed mode.

Use the undo mac-authentication authusername command to restore the default user name.

By default, the user name in fixed mode is “mac”.

Examples

# Set the user name to vipuser in fixed mode.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] mac-authentication authusername vipuser
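The two username modes above (usernameasmacaddress with its usernameformat and fixedpassword options, and usernamefixed with authusername and authpassword) decide the exact username and password the RADIUS server has to hold for each permitted station. The helper below is an added example, not H3C code: it renders the credential pair for either mode from a MAC given in any common notation (colon, hyphen, dotted or bare hex, which goes beyond the single hyphenated example on the page), enforces the length limits the page states, and, assuming a FreeRADIUS back end, emits users-file lines for a list of permitted MACs.

```python
import re

_SEP_RE = re.compile(r"[:\-.]")

def normalize_mac(mac):
    """Accept 00:05:e0:1c:02:e3, 00-05-E0-1C-02-E3, 0005-e01c-02e3, 0005.e01c.02e3
    or 0005e01c02e3 and return the 12 hex digits in lowercase; reject anything else."""
    digits = _SEP_RE.sub("", mac.strip())
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()

def mac_auth_credentials(mac, mode="usernameasmacaddress", with_hyphen=True,
                         lowercase=True, fixed_password=None, fixed_username="mac"):
    """Return the (username, password) pair the switch presents for `mac`.

    usernameasmacaddress: the MAC rendered per usernameformat is both username and
    password unless fixedpassword is set (defaults: with-hyphen lowercase, no fixed password).
    usernamefixed: username from mac-authentication authusername (default "mac"),
    password from mac-authentication authpassword (null by default, modelled as "").
    """
    if fixed_password is not None and not 1 <= len(fixed_password) <= 63:
        raise ValueError("fixed password must be 1 to 63 characters")
    if mode == "usernamefixed":
        if not 1 <= len(fixed_username) <= 55:
            raise ValueError("fixed username must be 1 to 55 characters")
        return fixed_username, fixed_password or ""
    if mode != "usernameasmacaddress":
        raise ValueError(f"unknown mode: {mode}")
    digits = normalize_mac(mac)
    name = "-".join(digits[i:i + 2] for i in range(0, 12, 2)) if with_hyphen else digits
    name = name if lowercase else name.upper()
    return name, (fixed_password if fixed_password is not None else name)

def freeradius_users_entries(macs, **settings):
    """Build FreeRADIUS 'users' file lines (Cleartext-Password entries) for permitted MACs.
    Assumes a FreeRADIUS back end; settings are passed through to mac_auth_credentials."""
    lines = []
    for mac in macs:
        user, pwd = mac_auth_credentials(mac, **settings)
        lines.append(f'{user}\tCleartext-Password := "{pwd}"')
    return lines
```

Keep the settings passed here in step with the switch's usernameformat, otherwise a station whose MAC is on the allow list still fails authentication and ends up in the quiet state.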

mac-authentication domain

Syntax

mac-authentication domain isp-name

undo mac-authentication domain

View

System view

Parameters

isp-name: ISP domain name, a string of 1 to 128 characters. Note that this argument cannot be null and cannot contain these characters: “/”, “:”, “*”, “?”, “<”, and “>”.

Description

Use the mac-authentication domain command to configure an ISP domain for MAC address authentication.

Use the undo mac-authentication domain command to restore the default ISP domain for MAC address authentication.

By default, no domain for MAC address authentication is configured.

When no domain is configured, the system default domain is used as the ISP domain for MAC address authentication.

Examples

# Configure the domain for MAC address authentication to be aabbcc.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] mac-authentication domain aabbcc

mac-authentication timer

Syntax

mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | server-timeout server-timeout-value }

undo mac-authentication timer { offline-detect | quiet | server-timeout }

View

System view

Parameters

offline-detect-value: Offline detect timer (in seconds) setting. This argument ranges from 1 to 65,535 and defaults to 300. The offline detect timer sets the time interval for a switch to test whether a user goes offline.

quiet-value: Quiet timer (in seconds) setting. This argument ranges from 1 to 3,600 and defaults to 60. After a user fails to pass the authentication performed by a switch, the switch quiets for a specific period (the quiet period) before it authenticates the user again.

server-timeout-value: Server timeout timer setting (in seconds). This argument ranges from 1 to 65,535 and defaults to 100. During authentication, the switch prohibits a user from accessing the network if the connection between the switch and the RADIUS server times out.

Description

Use the mac-authentication timer command to configure the timers used in MAC address authentication.

Use the undo mac-authentication timer command to restore a timer to its default setting.

Related commands: display mac-authentication.

Examples

# Set the server timeout timer to 150 seconds.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] mac-authentication timer server-timeout 150

reset mac-authentication

Syntax

reset mac-authentication statistics [ interface interface-list ]

View

User view

Parameters

interface-list: List of Ethernet ports. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument.

Description

Use the reset mac-authentication command to clear the MAC address authentication statistics. With the interface keyword specified, the command clears the MAC address authentication statistics of the specified port. Without this keyword, the command clears the global MAC address authentication statistics.

Examples

# Clear the MAC address authentication statistics for port Ethernet 1/0/1.

<Sysname> reset mac-authentication statistics interface Ethernet 1/0/1

MAC Address Authentication Enhanced Function Configuration Commands

mac-authentication guest-vlan

Syntax

mac-authentication guest-vlan vlan-id

undo mac-authentication guest-vlan

View

Ethernet port view

Parameters

vlan-id: ID of the guest VLAN configured for the current port. This argument is in the range of 1 to 4,094.

Description

Use the mac-authentication guest-vlan command to configure a guest VLAN for the current port. If the client connected to the port fails authentication, the port is added to the guest VLAN, so users accessing the port can reach the network resources in the guest VLAN.

Use the undo mac-authentication guest-vlan command to remove the guest VLAN configuration for the port.

No guest VLAN is configured for a port by default.

The system will re-authenticate users in the guest VLAN at the interval configured by the mac-authentication timer guest-vlan-reauth command. If the user of a port passes the authentication, the port will leave the guest VLAN and return to the initial VLAN configured for it.

 

•          If more than one client is connected to a port, you cannot configure a Guest VLAN for this port.

•          When a Guest VLAN is configured for a port, only one MAC address authentication user can access the port. Even if you set the limit on the number of MAC address authentication users to more than one, the configuration does not take effect.

•          The undo vlan command cannot be used to remove the VLAN configured as a Guest VLAN. If you want to remove this VLAN, you must remove the Guest VLAN configuration for it. Refer to the VLAN module in this manual for the description on the undo vlan command.

•          Only one Guest VLAN can be configured for a port, and the VLAN configured as the Guest VLAN must be an existing VLAN. Otherwise, the Guest VLAN configuration does not take effect. If you want to change the Guest VLAN for a port, you must remove the current Guest VLAN and then configure a new Guest VLAN for this port.

•          802.1x authentication cannot be enabled for a port configured with a Guest VLAN.

•          The Guest VLAN function for MAC address authentication does not take effect when port security is enabled.

 

Related commands: mac-authentication timer guest-vlan-reauth.

Examples

# Configure VLAN 4 as the Guest VLAN for Ethernet 1/0/1.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] interface Ethernet 1/0/1

[Sysname-Ethernet1/0/1] mac-authentication guest-vlan 4

mac-authentication intrusion-mode block-mac

Syntax

mac-authentication intrusion-mode block-mac enable

undo mac-authentication intrusion-mode block-mac enable

View

Ethernet port view

Parameter

None

Description

Use the mac-authentication intrusion-mode block-mac enable command to enable the quiet MAC function on a port. When this function is enabled, a MAC address connected to this port is set as a quiet MAC address if its authentication fails. When this function is disabled, the MAC address does not become quiet even if authentication fails.

Use the undo mac-authentication intrusion-mode block-mac enable command to disable the quiet MAC function on a port.

By default, quiet MAC function is enabled on a port.

Example

# Enable the quiet MAC function on port Ethernet 1/0/1.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] interface Ethernet 1/0/1

[Sysname-Ethernet1/0/1] mac-authentication intrusion-mode block-mac enable

mac-authentication max-auth-num

Syntax

mac-authentication max-auth-num user-number

undo mac-authentication max-auth-num

View

Ethernet port view

Parameters

user-number: Maximum number of MAC address authentication users allowed to access a port. This argument is in the range of 1 to 256.

Description

Use the mac-authentication max-auth-num command to configure the maximum number of MAC address authentication users allowed to access the port. Once the number of access users exceeds the configured maximum, the switch does not trigger MAC address authentication for subsequent access users, so those users cannot access the network normally.

Use the undo mac-authentication max-auth-num command to restore the maximum number of MAC address authentication users allowed to access the port to the default value.

By default, the maximum number of MAC address authentication users allowed to access a port is 256.

 

•          If both the limit on the number of MAC address authentication users and the limit on the number of users configured in the port security function are configured for a port at the same time, the smaller value of the two configured limits is adopted as the maximum number of MAC address authentication users allowed to access this port. Refer to the Port Security module in this manual for the description on the port security function.

•          You cannot configure the maximum number of MAC address authentication users for a port if any user connected to this port is online.

 

Examples

# Set the maximum number of MAC address authentication users allowed to access Ethernet 1/0/2 to 100.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] interface Ethernet 1/0/2

[Sysname-Ethernet1/0/2] mac-authentication max-auth-num 100

mac-authentication timer guest-vlan-reauth

Syntax

mac-authentication timer guest-vlan-reauth interval

undo mac-authentication timer guest-vlan-reauth

View

System view

Parameters

interval: Interval (in seconds) at which the switch re-authenticates users in guest VLANs. This argument is in the range of 1 to 3,600.

Description

Use the mac-authentication timer guest-vlan-reauth command to configure the interval at which the switch re-authenticates users in guest VLANs. If the user of a port passes the authentication, the port will leave the guest VLAN and return to the initial VLAN configured for it.

Use the undo mac-authentication timer guest-vlan-reauth command to restore the re-authentication interval to the default value.

The switch re-authenticates the users in guest VLANs at the interval of 30 seconds by default.

Examples

# Configure the switch to re-authenticate users in Guest VLANs at the interval of 60 seconds.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] mac-authentication timer guest-vlan-reauth 60

 
