interface interface-list: Specifies an Ethernet port list, which can contain multiple Ethernet ports. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } & <1-10>, where interface-type represents the port type, interface-number represents the port number, and & <1-10> means that you can provide up to 10 port indexes/port index lists for this argument. The start port number must be smaller than the end number and the two ports must be of the same type.

Description

Use the display dot1x command to display information about 802.1X.

If you specify neither the sessions keyword nor the statistics keyword, the command displays all information about 802.1X, including session information, statistics, and configurations.

Related commands: reset dot1x statistics, dot1x, dot1x retry, dot1x max-user, dot1x port-control, dot1x port-method, dot1x timer.

Examples

# Display all information about 802.1X.

<Sysname> display dot1x

Equipment 802.1X protocol is enabled

CHAP authentication is enabled

EAD quick deploy is enabled

Configuration: Transmit Period 30 s, Handshake Period 15 s

Quiet Period 60 s, Quiet Period Timer is disabled

Supp Timeout 30 s, Server Timeout 100 s

Reauth Period 3600 s

The maximal retransmitting times 3

EAD quick deploy configuration:

URL: http://192.168.19.23

Free IP: 192.168.19.0 255.255.255.0

EAD timeout: 30m

The maximum 802.1X user resource number is 1024 per slot

Total current used 802.1X resource number is 1

GigabitEthernet1/0/1 is link-up

802.1X protocol is enabled

Handshake is disabled

802.1X unicast-trigger is enabled

Periodic reauthentication is disabled

The port is an authenticator

Authenticate Mode is Auto

Port Control Type is Mac-based

802.1X Multicast-trigger is enabled

Mandatory authentication domain: NOT configured

Guest VLAN: 4

Auth-fail VLAN: NOT configured

Max number of on-line users is 256

EAPOL Packet: Tx 1087, Rx 986

Sent EAP Request/Identity Packets : 943

EAP Request/Challenge Packets: 60

EAP Success Packets: 29, Fail Packets: 55

Received EAPOL Start Packets : 60

EAPOL LogOff Packets: 24

EAP Response/Identity Packets : 724

EAP Response/Challenge Packets: 54

Error Packets: 0

1. Authenticated user : MAC address: 0015-e9a6-7cfe

Controlled User(s) amount to 1

Table 1-1 display dot1x command output description

Field	Description
Equipment 802.1X protocol is enabled	Indicates whether 802.1X is enabled globally
CHAP authentication is enabled	Indicates whether CHAP authentication is enabled
EAD quick deploy is enabled	Indicates whether EAD quick deployment is enabled
Transmit Period	Setting of the username request timeout timer
Handshake Period	Setting of the handshake timer
Reauth Period	Setting of the periodic re-authentication timer
Quiet Period	Setting of the quiet timer
Quiet Period Timer is disabled	Indicates whether the quiet timer is enabled
Supp Timeout	Setting of the client timeout timer
Server Timeout	Setting of the server timeout timer
The maximal retransmitting times	Maximum number of attempts for the device to send authentication requests to the client
EAD quick deploy configuration	EAD quick deployment configurations
URL	Redirect URL for IE users
Free IP	Freely accessible network segment
EAD timeout	EAD rule timeout time
The maximum 802.1X user resource number per slot	Maximum number of clients supported per board
Total current used 802.1X resource number	Total number of online users
GigabitEthernet1/0/1 is link-up	Status of port GigabitEthernet 1/0/1
802.1X protocol is disabled	Indicates whether 802.1X is enabled on the port
Handshake is disabled	Indicates whether handshake is enabled on the port
802.1X unicast-trigger is enabled	Indicates whether 802.1X unicast trigger function is enabled
Periodic reauthentication is disabled	Indicates whether periodic re-authentication is enabled on the port
The port is an authenticator	Role of the port
Authenticate Mode is Auto	Authorization mode for the port
Port Control Type is Mac-based	Access control method for the port
802.1X Multicast-trigger is enabled	Indicates whether the 802.1X multicast-trigger function is enabled
Mandatory authentication domain	Mandatory authentication domain for users accessing the port
Guest VLAN	Guest VLAN configured for the port. NOT configured will be displayed if no guest VLAN is configured.
Auth-fail VLAN	Auth-Fail VLAN configured for the port. NOT configured means no Auth-Fail VLAN is configured.
Max number of on-line users	Maximum number of users supported on the port
EAPOL Packet	Counts of EAPOL packets sent (Tx) and received (Rx)
Sent EAP Request/Identity Packets	Number of EAP Request/Identity packets sent
EAP Request/Challenge Packets	Number of EAP Request/Challenge packets sent
EAP Success Packets	Number of EAP Success packets sent
Received EAPOL Start Packets	Number of EAPOL Start packets received
EAPOL LogOff Packets	Number of EAPOL LogOff packets received
EAP Response/Identity Packets	Number of EAP Response/Identity packets received
EAP Response/Challenge Packets	Number of EAP Response/Challenge packets received
Error Packets	Number of erroneous packets received
Authenticated user	User that has passed the authentication
Controlled User(s) amount	Number of controlled users on the port

dot1x

Syntax

In system view:

dot1x [ interface interface-list ]

undo dot1x [ interface interface-list ]

In Ethernet interface view:

dot1x

undo dot1x

View

System view, Ethernet interface view

Default Level

2: System level

Parameters

interface interface-list: Specifies a port list, which can contain multiple ports. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } & <1-10>, where interface-type represents the port type, interface-number represents the port number, and & <1-10> means that you can provide up to 10 port indexes/port index lists for this argument. The start port number must be smaller than the end number and the two ports must be of the same type.

Description

Use the dot1x command in system view to enable 802.1X globally.

Use the undo dot1x command in system view to disable 802.1X globally.

Use the dot1x interface command in system view or the dot1x command in interface view to enable 802.1X for specified ports.

Use the undo dot1x interface command in system view or the undo dot1x command in interface view to disable 802.1X for specified ports.

By default, 802.1X is neither enabled globally nor enabled for any port.

Note that:

l 802.1X must be enabled both globally in system view and for the intended ports in system view or interface view. Otherwise, it does not function.

l You can configure 802.1X parameters either before or after enabling 802.1X.

Related commands: display dot1x.

Examples

# Enable 802.1X for ports GigabitEthernet 1/0/1, and GigabitEthernet 1/0/5 to GigabitEthernet 1/0/7.

<Sysname> system-view

[Sysname] dot1x interface gigabitethernet 1/0/1 gigabitethernet 1/0/5 to gigabitethernet 1/0/7

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x

[Sysname-GigabitEthernet1/0/1] quit

[Sysname] interface gigabitethernet 1/0/5

[Sysname-GigabitEthernet1/0/5] dot1x

[Sysname-GigabitEthernet1/0/5] quit

[Sysname] interface gigabitethernet 1/0/6

[Sysname-GigabitEthernet1/0/6] dot1x

[Sysname-GigabitEthernet1/0/6] quit

[Sysname] interface gigabitethernet 1/0/7

[Sysname-GigabitEthernet1/0/7] dot1x

# Enable 802.1X globally.

<Sysname> system-view

[Sysname] dot1x

dot1x authentication-method

Syntax

dot1x authentication-method { chap | eap | pap }

undo dot1x authentication-method

View

System view

Default Level

2: System level

Parameters

chap: Authenticates clients using CHAP.

eap: Authenticates clients using EAP.

pap: Authenticates clients using PAP.

Description

Use the dot1x authentication-method command to set the 802.1X authentication method.

Use the undo dot1x authentication-method command to restore the default.

By default, CHAP is used.

l The Password Authentication Protocol (PAP) transports passwords in clear text.

l The Challenge Handshake Authentication Protocol (CHAP) transports only usernames over the network. Compared with PAP, CHAP provides better security.

l With EAP relay authentication, the device encapsulates 802.1X user information in the EAP attributes of RADIUS packets and sends the packets to the RADIUS server for authentication; it does not need to repackage the EAP packets into standard RADIUS packets for authentication. In this case, you can configure the user-name-format command but it does not take effect. For information about the user-name-format command, see AAA Commands in the Command Reference - Part 8 - Security.

Note that:

l Local authentication supports PAP and CHAP.

l For RADIUS authentication, the RADIUS server must be configured accordingly to support PAP, CHAP, or EAP authentication.

Related commands: display dot1x.

Examples

# Set the 802.1X authentication method to PAP.

<Sysname> system-view

[Sysname] dot1x authentication-method pap

dot1x auth-fail vlan

Syntax

dot1x auth-fail vlan authfail-vlan-id

undo dot1x auth-fail vlan

View

Ethernet interface view

Default Level

2: System level

Parameters

authfail-vlan-id: ID of the Auth-Fail VLAN for the port, in the range of 1 to 4094. The VLAN must already exist.

Descriptions

Use the dot1x auth-fail vlan command to configure the Auth-Fail VLAN for a port, that is, the VLAN for users failing authentication.

Use the undo dot1x auth-fail vlan command to restore the default.

By default, no Auth-Fail VLAN is configured on a port.

An Auth-Fail VLAN can be a port-based Auth-Fail VLAN (PAFV) or a MAC-based Auth-Fail VLAN (MAFV), depending on the port access control method.

Note that:

l Note that failing authentication means being denied by the authentication server due to reasons such as wrong password. Authentication failures caused by authentication timeout or network connection problems do not fall into this category.

l You must enable MAC VLAN for an MAFV to take effect.

l After an MAFV takes effect, if you change the port access method from macbased to portbased, the established MAFV entries will be removed. MAFV entries show the MAC addresses in Auth-Fail VLANs and the configured MAC VLANs, which can be displayed by the display mac-vlan command.

l After a PAFV takes effect, if you change the port access method from portbased to macbased, the port will leave the Auth-Fail VLAN.

l It is not allowed to delete a VLAN that is configured as an Auth-Fail VLAN directly. To delete such a VLAN, you need to remove the Auth-Fail VLAN configuration first by using the undo dot1x auth-fail vlan command.

l You cannot configure both the Auth-Fail VLAN function and the free IP function on a port.

l You can configure both an Auth-Fail VLAN and a guest VLAN for a port, but they cannot both take effect at a time.

Related commands: dot1x, dot1x port-method.

Examples

# Configure VLAN 3 as the Auth-Fail VLAN on port GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x auth-fail vlan 3

dot1x guest-vlan

Syntax

In system view:

dot1x guest-vlan guest-vlan-id [ interface interface-list ]

undo dot1x guest-vlan [ interface interface-list ]

In interface view:

dot1x guest-vlan guest-vlan-id

undo dot1x guest-vlan

View

System view, Ethernet interface view

Default Level

2: System level

Parameters

guest-vlan-id: ID of the VLAN to be specified as the guest VLAN, in the range 1 to 4094. It must already exist.

interface interface-list: Specifies a port list. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } & <1-10>, where interface-type represents the port type, interface-number represents the port number, and & <1-10> means that you can provide up to 10 port indexes/port index lists for this argument. The start port number must be smaller than the end number and the two ports must be of the same type.

Description

Use the dot1x guest-vlan command to configure the guest VLAN for specified or all ports.

Use the undo dot1x guest-vlan command to remove the guest VLAN(s) configured for specified or all ports.

By default, a port is configured with no guest VLAN.

A guest VLAN can be a port-based guest VLAN (PGV) or a MAC-based guest VLAN (MGV), depending on the port access control method.

Note that:

l In system view, this command configures a guest VLAN for all Layer 2 Ethernet ports if you do not specify the interface-list argument, and configures a guest VLAN for specified ports if you specify the interface-list argument.

l You must enable 802.1X for a guest VLAN to take effect.

l You must enable MAC VLAN for an MGV to take effect.

l You must enable the 802.1X multicast trigger function for a PGV to take effect.

l After an MGV takes effect, if you change the port access method from macbased to portbased, the established MGV entries will be removed. MGV entries show the MAC addresses in guest VLANs and the configured MAC VLANs, which can be displayed by the display mac-vlan command.

l PGV can be configured and take effect. If you change the port access method from portbased to macbased, the port will leave the guest VLAN.

l It is not allowed to delete a VLAN that is configured as a guest VLAN. To delete such a VLAN, you need to remove the guest VLAN configuration first.

l You cannot configure both the guest VLAN function and the free IP function on a port.

l You can configure both an Auth-Fail VLAN and a guest VLAN for a port, but they cannot both take effect at a time.

Related commands: dot1x; dot1x port-method; dot1x multicast-trigger; mac-vlan enable and display mac-vlan in VLAN Commands of the Command Reference - Part 3 - Access.

Examples

# Specify port GigabitEthernet 1/0/1 to use VLAN 999 as its guest VLAN.

<Sysname> system-view

[Sysname] dot1x guest-vlan 999 interface gigabitethernet 1/0/1

# Specify ports GigabitEthernet 1/0/2 to GigabitEthernet 1/0/5 to use VLAN 10 as its guest VLAN.

<Sysname> system-view

[Sysname] dot1x guest-vlan 10 interface gigabitethernet 1/0/2 to gigabitethernet 1/0/5

# Specify all ports to use VLAN 7 as their guest VLAN.

<Sysname> system-view

[Sysname] dot1x guest-vlan 7

# Specify port GigabitEthernet 1/0/7 to use VLAN 3 as its guest VLAN.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/7

[Sysname-GigabitEthernet1/0/7] dot1x guest-vlan 3

dot1x handshake

Syntax

dot1x handshake

undo dot1x handshake

View

Ethernet Interface view

Default Level

2: System level

Parameters

None

Description

Use the dot1x handshake command to enable the online user handshake function so that the device can periodically send handshake messages to the client to check whether a user is online.

Use the undo dot1x handshake command to disable the function.

By default, the function is enabled.

Note that: To ensure that the online user handshake function can work normally, you are recommended to use H3C 802.1X client software.

Examples

# Enable online user handshake.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/4

[Sysname-GigabitEthernet1/0/4] dot1x handshake

dot1x mandatory-domain

Syntax

dot1x mandatory-domain domain-name

undo dot1x mandatory-domain

View

Ethernet Interface view

Default Level

2: System level

Parameters

domain-name: ISP domain name, a case-insensitive string of 1 to 24 characters.

Description

Use the dot1x mandatory-domain command to specify the mandatory authentication domain for users accessing the port.

Use the undo dot1x mandatory-domain command to remove the mandatory authentication domain.

By default, no mandatory authentication domain is specified.

Note that:

l When authenticating an 802.1X user trying to access the port, the system selects an authentication domain in the following order: the mandatory domain, the ISP domain specified in the username, and the default ISP domain.

l The specified mandatory authentication domain must exist.

l On a port configured with a mandatory authentication domain, the user domain name displayed by the display connection command is the name of the mandatory authentication domain. For detailed information about the display connection command, see AAA Commands in the Command Reference - Part 8 - Security.

Related commands: display dot1x.

Examples

# Configure the mandatory authentication domain my-domain for 802.1X users on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x mandatory-domain my-domain

# After 802.1X user usera passes the authentication, execute the display connection command to display the user connection information on GigabitEthernet 1/0/1.

[Sysname-GigabitEthernet1/0/1] display connection interface gigabitethernet 1/0/1

Slot: 1

Index=827 , Username=usera@my-domian

IP=3.3.3.3

MAC=0017-9ac0-2d65

Total 1 connection(s) matched on slot 1.

Total 1 connection(s) matched.

dot1x max-user

Syntax

In system view:

dot1x max-user user-number [ interface interface-list ]

undo dot1x max-user [ interface interface-list ]

In Ethernet interface view:

dot1x max-user user-number

undo dot1x max-user

View

System view, Ethernet interface view

Default Level

2: System level

Parameters

user-number: Maximum number of users to be supported simultaneously, in the range 1 to 2048.

Description

Use the dot1x max-user command to set the maximum number of users an Ethernet port can support simultaneously.

Use the undo dot1x max-user command to restore the default.

In system view:

l If you do not specify the interface-list argument, execution of the command applies to all ports.

l If you specify the interface-list argument, execution of the command applies to the specified ports.

In Ethernet port view, the interface-list argument is not available and the command applies to only the current port.

Related commands: display dot1x.

Examples

# Set the maximum number of users for port GigabitEthernet 1/0/1 to support simultaneously as 32.

<Sysname> system-view

[Sysname] dot1x max-user 32 interface gigabitethernet 1/0/1

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x max-user 32

dot1x multicast -trigger

Syntax

dot1x multicast-trigger

undo dot1x multicast-trigger

View

Ethernet Interface view

Default Level

2: System level

Parameters

None

Description

Use the dot1x multicast-trigger command to enable the multicast trigger function of 802.1X to send multicast trigger messages to the clients periodically.

Use the undo dot1x multicast-trigger command to disable this function.

By default, the multicast trigger function is enabled.

Related commands: display dot1x.

Examples

# Enable the multicast trigger function for interface GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x multicast-trigger

dot1x port-control

Syntax

In system view:

dot1x port-control { authorized-force | auto | unauthorized-force } [ interface interface-list ]

undo dot1x port-control [ interface interface-list ]

In Ethernet interface view:

dot1x port-control { authorized-force | auto | unauthorized-force }

undo dot1x port-control

View

System view, Ethernet interface view

Default Level

2: System level

Parameters

authorized-force: Places the specified or all ports in the authorized state, allowing users of the ports to access the network without authentication.

auto: Places the specified or all ports in the unauthorized state initially to allow only EAPOL packets to pass, and turns the ports into the authorized state to allow access to the network after the users pass authentication. This is the most common choice.

unauthorized-force: Places the specified or all ports in the unauthorized state, denying any access requests from users of the ports.

Description

Use the dot1x port-control command to set the authorization mode for specified or all ports.

Use the undo dot1x port-control command to restore the default.

The default port authorization mode is auto.

Related commands: display dot1x.

Examples

# Set the authorization mode of port GigabitEthernet 1/0/1 to unauthorized-force.

<Sysname> system-view

[Sysname] dot1x port-control unauthorized-force interface gigabitethernet 1/0/1

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x port-control unauthorized-force

dot1x port-method

Syntax

In system view:

dot1x port-method { macbased | portbased } [ interface interface-list ]

undo dot1x port-method [ interface interface-list ]

In Ethernet interface view:

dot1x port-method { macbased | portbased }

undo dot1x port-method

View

System view, Ethernet interface view

Default Level

2: System level

Parameters

macbased: Specifies to use the macbased authentication method. With this method, each user of a port must be authenticated separately, and when an authenticated user goes offline, no other users are affected.

portbased: Specifies to use the portbased authentication method. With this method, after the first user of a port passes authentication, all other users of the port can access the network without authentication, and when the first user goes offline, all other users get offline at the same time.

Description

Use the dot1x port-method command to set the access control method for specified or all ports.

Use the undo dot1x port-method command to restore the default.

The default access control method is macbased.

Related commands: display dot1x.

Examples

# Set the access control method to portbased for port GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] dot1x port-method portbased interface gigabitethernet 1/0/1

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x port-method portbased

dot1x quiet-period

Syntax

dot1x quiet-period

undo dot1x quiet-period

View

System view

Default Level

2: System level

Parameters

None

Description

Use the dot1x quiet-period command to enable the quiet timer.

Use the undo dot1x quiet-period command to disable the timber.

By default, the timer is disabled.

After a client fails the authentication, the device refuses further authentication requests from the client in the period dictated by the quiet timer.

Related commands: display dot1x, dot1x timer.

Examples

# Enable the quiet timer.

<Sysname> system-view

[Sysname] dot1x quiet-period

dot1x re-authenticate

Syntax

dot1x re-authenticate

undo dot1x re-authenticate

View

Ethernet interface view

Default Level

2: System level

Parameters

None

Description

Use the dot1x re-authenticate command to enable the periodic re-authentication function.

Use the undo dot1x re-authenticate command to disable the function.

By default, this function is disabled.

After periodic re-authentication is enabled on a port, the device will perform 802.1X authentication for online users on the port at the interval specified by the periodic re-authentication timer (which is configured by the dot1x timer reauth-period command). This is intended to track the connection status of online users and update the authorization attributes assigned by the server, such as the ACL, VLAN, and QoS Profile, ensuring that the users are in normal online state.

Related commands: dot1x timer reauth-period.

Examples

# Enable the 802.1X re-authentication function on GigabitEthernet 1/0/1 and configure the periodic re-authentication interval as 1800 seconds.

<Sysname> system-view

[Sysname] dot1x timer reauth-period 1800

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x re-authenticate

dot1x retry

Syntax

dot1x retry max-retry-value

undo dot1x retry

View

System view

Default Level

2: System level

Parameters

max-retry-value: Maximum number of attempts to send an authentication request to a client, in the range 1 to 10.

Description

Use the dot1x retry command to set the maximum number of attempts to send an authentication request to a client.

Use the undo dot1x retry command to restore the default.

By default, the device can send an authentication request to a client twice at most.

Note that after sending an authentication request to a client, the device may retransmit the request if it does not receive any response at an interval specified by the username request timeout timer or client timeout timer. The number of retransmission attempts is one less than the value set by this command.

Related commands: display dot1x.

Examples

# Set the maximum number of attempts to send an authentication request to a client as 9.

<Sysname> system-view

[Sysname] dot1x retry 9

dot1x unicast-trigger

Syntax

dot1x unicast-trigger

undo dot1x unicast-trigger

View

Ethernet interface view

Default Level

2: System level

Parameters

None

Description

Use the dot1x unicast-trigger command to enable the unicast trigger function of 802.1X on a port.

Use the undo dot1x unicast-trigger command to disable this function.

By default, the unicast trigger function is disabled.

With the 802.1X unicast trigger function enabled, when the device receives a data frame with an unknown source MAC address, it unsolicitedly sends a unicast authentication packet to the MAC address to initiate authentication, and will resend the packet if it receives no response within a period of time unless the maximum number of retries is reached. The transmission interval is determined by the setting of the dot1x timer supp-timeout command, while the maximum number of retries depends on the setting of the dot1x retry command.

Related commands: display dot1x, dot1x timer supp-timeout, dot1x retry.

Examples

# Enable the unicast trigger function for GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x unicast-trigger

dot1x timer

Syntax

dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | reauth-period reauth-period-value | server-timeout server-timeout-value | supp-timeout supp-timeout-value | tx-period tx-period-value }

undo dot1x timer { handshake-period | quiet-period | reauth-period | server-timeout | supp-timeout | tx-period }

View

System view

Default Level

2: System level

Parameters

handshake-period-value: Setting for the handshake timer in seconds. It ranges from 5 to 1024.

quiet-period-value: Setting for the quiet timer in seconds. It ranges from 10 to 120.

reauth-period-value: Setting for the periodic re-authentication timer in seconds. It ranges from 60 to 7200.

server-timeout-value: Setting for the server timeout timer in seconds. It ranges from 100 to 300.

supp-timeout-value: Setting for the client timeout timer in seconds. It ranges from 1 to 120.

tx-period-value: Setting for the username request timeout timer in seconds. It ranges from 10 to 120.

Description

Use the dot1x timer command to set 802.1X timers.

Use the undo dot1x timer command to restore the defaults.

By default, the handshake timer value is 15 seconds, the quiet timer value is 60 seconds, the periodic re-authentication timer value is 3600 seconds, the server timeout timer value is 100 seconds, the client timeout timer value is 30 seconds, and the username request timeout timer value is 30 seconds.

Several timers are used in the 802.1X authentication process to guarantee that the clients, the device, and the RADIUS server interact with each other in a reasonable manner. You can use this command to set these timers:

l Handshake timer (handshake-period): After a client passes authentication, the device sends to the client handshake requests at this interval to check whether the client is online. If the device receives no response after sending the allowed maximum number of handshake requests, it considers that the client is offline.

l Quiet timer (quiet-period): When a client fails the authentication, the device refuses further authentication requests from the client in this period of time.

l Periodic re-authentication timer (reauth-period): If you enable periodic re-authentication on a port (by the dot1x re-authenticate command), the device will re-authenticate online users on the port at the interval specified by this timer. If you change the re-authentication interval when there are users online, the device will continue to re-authenticate such users according to the original re-authentication interval setting for one time. Then the device will use the new interval for re-authentication of all online users.

l Server timeout timer (server-timeout): Once the device sends a RADIUS Access-Request packet to the authentication server, it starts this timer. If this timer expires but it receives no response from the server, it retransmits the request.

l Client timeout timer (supp-timeout): Once the device sends an EAP-Request/MD5 Challenge packet to a client, it starts this timer. If this timer expires but it receives no response from the client, it retransmits the request.

l Username request timeout timer (tx-period): Once the device sends an EAP-Request/Identity packet to a client, it starts this timer. If this timer expires but it receives no response from the client, it retransmits the request. In addition, to be compatible with clients that do not send EAPOL-Start requests unsolicitedly, the device multicasts EAP-Request/Identity packet periodically to detect the clients, with the multicast interval defined by tx-period.

It is unnecessary to change the timers unless in some special or extreme network environments. The change of a timer takes effect immediately.

Related commands: display dot1x.

Examples

# Set the server timeout timer to 150 seconds.

<Sysname> system-view

[Sysname] dot1x timer server-timeout 150

reset dot1x statistics

Syntax

reset dot1x statistics [ interface interface-list ]

View

User view

Default Level

2: System level

Parameters

Description

Use the reset dot1x statistics command to clear 802.1X statistics.

With the interface interface-list argument specified, the command clears 802.1X statistics on the specified ports. With the argument unspecified, the command clears global 802.1X statistics and 802.1X statistics on all ports.

Related commands: display dot1x.

Examples

# Clear 802.1X statistics on port GigabitEthernet 1/0/1.

<Sysname> reset dot1x statistics interface gigabitethernet 1/0/1

TOP

H3C reserves the right to modify its collaterals without any prior notice. For the latest information of the collaterals, please consult H3C sales or call 400 hotline.