03-MAC Authentication Commands

Table of Contents
1 MAC Authentication Configuration Commands
  display mac-authentication
  mac-authentication
  mac-authentication domain
  mac-authentication timer
  mac-authentication user-name-format
  reset mac-authentication statistics

MAC Authentication Configuration Commands
display mac-authentication
Syntax
display mac-authentication [ interface interface-list ]
View
Any view
Default Level
2: System level
Parameters
interface interface-list: Specifies an Ethernet port list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. A port range defined without the to interface-type interface-number portion comprises only one port. With an interface range, the end interface number and the start interface number must be of the same type and the former must be greater than the latter.
Description
Use the display mac-authentication command to display global MAC authentication information or MAC authentication information about specified ports.
Examples
# Display global MAC authentication information.
<Sysname> display mac-authentication
MAC address authentication is enabled.
User name format is MAC address, like xxxxxxxxxxxx
Fixed username:mac
Fixed password:not configured
Offline detect period is 300s
Quiet period is 60s.
Server response timeout value is 100s
the max allowed user number is 2048 per slot
Current user number amounts to 0
Current domain: not configured, use default domain
Silent Mac User info:
MAC Addr From Port Port Index
GigabitEthernet2/0/1 is link-up
MAC address authentication is enabled
Authenticate success: 0, failed: 0
Current online user number is 0
MAC Addr Authenticate state AuthIndex
……(part of the output omitted)
Table 1-1 display mac-authentication command output description

Field | Description |
---|---|
MAC address authentication is enabled | Whether MAC authentication is enabled globally |
User name format is MAC address, like xxxxxxxxxxxx | The username is the MAC address without hyphens, like xxxxxxxxxxxx. If the username format is configured as MAC address with hyphens, "like xx-xx-xx-xx-xx-xx" is displayed. |
Fixed username: | Fixed username |
Fixed password: | Password of the fixed username |
Offline detect period | Setting of the offline detect timer |
Quiet period | Setting of the quiet timer |
Server response timeout value | Setting of the server timeout timer |
the max allowed user number | Maximum number of users each slot in the device supports |
Current user number amounts to | Number of online users |
Current domain: not configured, use default domain | Currently used ISP domain |
Silent Mac User info | Information about silent MAC addresses |
GigabitEthernet2/0/1 is link-up | Status of the link on port GigabitEthernet 2/0/1 |
MAC address authentication is enabled | Whether MAC authentication is enabled on port GigabitEthernet 2/0/1 |
Authenticate success: 0, failed: 0 | MAC authentication statistics: the number of successful and the number of unsuccessful authentication attempts |
Current online user number | Number of online users on the port |
MAC Addr | Online user MAC address |
Authenticate state | User status. Possible values: CONNECTING (the user is logging in), SUCCESS (the user has passed the authentication), FAILURE (the user failed the authentication), LOGOFF (the user has logged off) |
AuthIndex | Authenticator index |
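As an added example that is not part of the command reference, the following Python script parses the display mac-authentication output shown above (run here over a constructed sample, not a real capture) into the global settings and one record per port, then flags two conditions a reviewer would look for: a port enabled for MAC authentication while the global enable is off, which per the note under the mac-authentication command means it is not in effect, and a port whose failed attempts outnumber its successes.

```python
import re

# Constructed sample modeled on the display mac-authentication output above (not a real capture)
SAMPLE_OUTPUT = """\
MAC address authentication is disabled.
Offline detect period is 300s
Quiet period is 60s.
Server response timeout value is 100s
GigabitEthernet2/0/1 is link-up
MAC address authentication is enabled
Authenticate success: 0, failed: 3
GigabitEthernet2/0/2 is link-down
MAC address authentication is disabled
Authenticate success: 5, failed: 0
"""

PORT_RE = re.compile(r"^(\S+) is link-(up|down)$")
TIMER_RE = re.compile(r"^(Offline detect period|Quiet period|Server response timeout value) is (\d+)s")
STATS_RE = re.compile(r"^Authenticate success: (\d+), failed: (\d+)$")

def parse_mac_auth(output):
    """Split the output into the global block and one record per port."""
    result = {"global_enabled": None, "timers": {}, "ports": {}}
    port = None  # port block being filled; None while still in the global block
    for line in output.splitlines():
        line = line.strip()
        if m := PORT_RE.match(line):
            port = m.group(1)
            result["ports"][port] = {"link": m.group(2), "enabled": None, "success": 0, "failed": 0}
        elif line.startswith("MAC address authentication is"):
            if port is None:
                result["global_enabled"] = "is enabled" in line
            else:
                result["ports"][port]["enabled"] = "is enabled" in line
        elif (m := TIMER_RE.match(line)) and port is None:
            result["timers"][m.group(1)] = int(m.group(2))
        elif (m := STATS_RE.match(line)) and port is not None:
            result["ports"][port]["success"] = int(m.group(1))
            result["ports"][port]["failed"] = int(m.group(2))
    return result

def audit(parsed):
    """Findings: a port-level enable without the global enable never takes effect."""
    findings = []
    for name, p in parsed["ports"].items():
        if p["enabled"] and not parsed["global_enabled"]:
            findings.append(f"{name}: MAC authentication enabled on the port but not globally")
        if p["failed"] > p["success"]:
            findings.append(f"{name}: failed attempts ({p['failed']}) exceed successes ({p['success']})")
    return findings
```

Feed it the text of display mac-authentication and compare the timer values against the defaults listed under mac-authentication timer.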
mac-authentication
Syntax
In system view:
mac-authentication [ interface interface-list ]
undo mac-authentication [ interface interface-list ]
In Ethernet interface view:
mac-authentication
undo mac-authentication
View
System view, Ethernet interface view
Default Level
2: System level
Parameters
interface interface-list: Specifies an Ethernet port list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. A port range defined without the to interface-type interface-number portion comprises only one port.
Description
Use the mac-authentication command to enable MAC authentication globally or for one or more ports.
Use the undo mac-authentication command to disable MAC authentication globally or for one or more ports.
By default, MAC authentication is neither enabled globally nor enabled on any port.
Note that:
- In system view, if you provide the interface-list argument, the command enables MAC authentication for the specified ports; otherwise, the command enables MAC authentication globally. In Ethernet interface view, the command enables MAC authentication for the port because the interface-list argument is not available.
- You can enable MAC authentication for ports before enabling it globally. However, MAC authentication begins to function only after you also enable it globally.
- You can configure MAC authentication parameters globally or for specified ports either before or after enabling MAC authentication. If no MAC authentication parameters are configured when MAC authentication takes effect, the default values are used.
Examples
# Enable MAC authentication globally.
<Sysname> system-view
[Sysname] mac-authentication
Mac-auth is enabled globally.
# Enable MAC authentication for port GigabitEthernet 2/0/1.
<Sysname> system-view
[Sysname] mac-authentication interface GigabitEthernet 2/0/1
Mac-auth is enabled on port GigabitEthernet2/0/1.
Or
<Sysname> system-view
[Sysname] interface GigabitEthernet 2/0/1
[Sysname-GigabitEthernet2/0/1] mac-authentication
Mac-auth is enabled on port GigabitEthernet2/0/1.
mac-authentication domain
Syntax
mac-authentication domain isp-name
undo mac-authentication domain
View
System view
Default Level
2: System level
Parameters
isp-name: ISP domain name, a case-insensitive string of 1 to 24 characters that cannot contain any forward slash (/), colon (:), asterisk (*), question mark (?), less-than sign (<), greater-than sign (>), or @.
Description
Use the mac-authentication domain command to specify the ISP domain for MAC authentication.
Use the undo mac-authentication domain command to restore the default.
By default, the default ISP domain is used for MAC authentication users. For information about the default ISP domain, refer to the domain default enable command in AAA Commands of the Security Volume.
Examples
# Specify the ISP domain for MAC authentication as domain1.
<Sysname> system-view
[Sysname] mac-authentication domain domain1
mac-authentication timer
Syntax
mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | server-timeout server-timeout-value }
undo mac-authentication timer { offline-detect | quiet | server-timeout }
View
System view
Default Level
2: System level
Parameters
offline-detect offline-detect-value: Specifies the offline detect interval, in the range 60 to 65,535 seconds.
quiet quiet-value: Specifies the quiet period, in the range 1 to 3,600 seconds.
server-timeout server-timeout-value: Specifies the server timeout period, in the range 100 to 300 seconds.
Description
Use the mac-authentication timer command to set the MAC authentication timers.
Use the undo mac-authentication timer command to restore the defaults.
By default, the offline detect interval is 300 seconds, the quiet period is 60 seconds, and the server timeout period is 100 seconds.
The following timers function in the process of MAC authentication:
- Offline detect timer: This timer sets the idle timeout interval for users. If no packet is received from a user over two consecutive timeout intervals, the system disconnects the user connection and notifies the RADIUS server.
- Quiet timer: After a user fails MAC authentication, the device does not attempt to authenticate that user again until this period expires.
- Server timeout timer: During authentication of a user, if the device receives no response from the RADIUS server in this period, it assumes that its connection to the RADIUS server has timed out and forbids the user from accessing the network.
Related commands: display mac-authentication.
Examples
# Set the server timeout timer to 150 seconds.
<Sysname> system-view
[Sysname] mac-authentication timer server-timeout 150
mac-authentication user-name-format
Syntax
mac-authentication user-name-format { fixed [ account name ] [ password { cipher | simple } password ] | mac-address [ with-hyphen | without-hyphen ] }
undo mac-authentication user-name-format
View
System view
Default Level
2: System level
Parameters
fixed: Uses a fixed username as the MAC authentication username.
account name: Specifies the fixed username. The name argument is a case-insensitive string of 1 to 55 characters and defaults to mac.
password { cipher | simple } password: Specifies the password for the fixed username. Specify the cipher keyword to display the password in cipher text, or the simple keyword to display it in plain text. With cipher, the password can be either a string of 1 to 63 characters in plain text or a string of 24 or 88 characters in cipher text. With simple, the password must be a string of 1 to 63 characters in plain text.
mac-address: Uses the source MAC address of a user as the username for authentication.
with-hyphen: Indicates that the MAC address must include "-", like xx-xx-xx-xx-xx-xx. The letters in the address must be in lower case.
without-hyphen: Indicates that the MAC address must not include "-", like xxxxxxxxxxxx. The letters in the address must be in lower case.
Description
Use the mac-authentication user-name-format command to configure the MAC authentication username type and, if the type of fixed username is used, the username and password for MAC authentication.
Use the undo mac-authentication user-name-format command to restore the default.
By default, each user's source MAC address is used as the username and password for MAC authentication, without "-" in the MAC address.
Note that:
- When the type of MAC address is used, each user's source MAC address is used as both the username and password for MAC authentication.
- In cipher display mode, a password in plain text with no more than 16 characters will be encrypted into a password in cipher text with 24 characters, and a password in plain text with 16 to 63 characters will be encrypted into a password in cipher text with 88 characters. For a password with 24 characters, if it can be decrypted by the system, it will be treated as a cipher-text one; otherwise, it will be treated as a plain-text one.
Related commands: display mac-authentication.
Examples
# Configure the username for MAC authentication as abc, and the password displayed in plain text as xyz.
<Sysname> system-view
[Sysname] mac-authentication user-name-format fixed account abc password simple xyz
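As an added example (not part of the command reference), the following Python code derives the username and password the device sends under the mac-address username type, as described above (lowercase hex, with or without "-", the MAC used as both username and password), reads the with-hyphen/without-hyphen setting back from the "User name format" line of display mac-authentication, and checks a RADIUS user list against the expected entries. The display line and the RADIUS user list are constructed inputs; the mismatch found is the classic case of a user entered in a different format from the one the device is configured to send.

```python
import re

def mac_auth_credentials(mac, with_hyphen=False):
    """Username and password the device derives from a client MAC under the mac-address
    format: lowercase hex, xxxxxxxxxxxx by default or xx-xx-xx-xx-xx-xx with with-hyphen."""
    digits = re.sub(r"[-:.]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    name = "-".join(digits[i:i + 2] for i in range(0, 12, 2)) if with_hyphen else digits
    return name, name  # the MAC is used as both username and password

def parse_username_format(display_line):
    """Read the hyphen setting back from the 'User name format is ...' line of
    display mac-authentication (see Table 1-1). Returns True for with-hyphen."""
    if "xx-xx-xx-xx-xx-xx" in display_line:
        return True
    if "xxxxxxxxxxxx" in display_line:
        return False
    raise ValueError(f"unrecognized user name format line: {display_line!r}")

# Constructed inputs: a display line from the device and a RADIUS user list as an
# administrator might have entered it, with one entry in the wrong format.
DISPLAY_LINE = "User name format is MAC address, like xx-xx-xx-xx-xx-xx"
RADIUS_USERS = {
    "00-1a-2b-3c-4d-5e": "00-1a-2b-3c-4d-5e",
    "001A2B3C4D5F": "001A2B3C4D5F",  # uppercase, no hyphens: will not match
}

def find_mismatches(client_macs, radius_users, with_hyphen):
    """Clients whose expected username/password pair is absent from the RADIUS user list;
    they would fail authentication and then sit out the quiet period."""
    missing = []
    for mac in client_macs:
        user, pwd = mac_auth_credentials(mac, with_hyphen)
        if radius_users.get(user) != pwd:
            missing.append((mac, user))
    return missing

if __name__ == "__main__":
    hyphen = parse_username_format(DISPLAY_LINE)
    for mac, user in find_mismatches(["00:1A:2B:3C:4D:5E", "00:1A:2B:3C:4D:5F"], RADIUS_USERS, hyphen):
        print(f"{mac}: RADIUS has no matching entry for {user}")
```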
reset mac-authentication statistics
Syntax
reset mac-authentication statistics [ interface interface-list ]
View
User view
Default Level
2: System level
Parameters
interface interface-list: Specifies an Ethernet port list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. A port range defined without the to interface-type interface-number portion comprises only one port.
Description
Use the reset mac-authentication statistics command to clear MAC authentication statistics.
Note that:
- If you do not specify the interface-list argument, the command clears the global MAC authentication statistics and the MAC authentication statistics on all ports.
- If you specify the interface-list argument, the command clears the MAC authentication statistics on the specified ports.
Related commands: display mac-authentication.
Examples
# Clear MAC authentication statistics on GigabitEthernet 2/0/1.
<Sysname> reset mac-authentication statistics interface GigabitEthernet 2/0/1