Part 8 - Security

07-MAC Authentication Commands



MAC Authentication Configuration Commands

display mac-authentication

Syntax

display mac-authentication [ interface interface-list ]

View

Any view

Default Level

2: System level

Parameters

interface interface-list: Specifies an Ethernet port list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. The start port and end port of a port range must be of the same type, and the end port number must be greater than the start port number. A port range defined without the to interface-type interface-number portion comprises only one port.

Description

Use the display mac-authentication command to display MAC authentication information about all ports or the specified ports.

Examples

# Display MAC authentication information about all ports.

<Sysname> display mac-authentication
 MAC address authentication is enabled.
 User name format is MAC address in lowercase, like xxxxxxxxxxxx
 Fixed username:mac
 Fixed password:not configured
          Offline detect period is 300s
          Quiet period is 60s.
          Server response timeout value is 100s
          the max allowed user number is 2048 per slot
          Current user number amounts to 0
          Current domain: not configured, use default domain

Silent Mac User info:
         MAC Addr               From Port           Port Index

GigabitEthernet1/0/1 is link-up
  MAC address authentication is enabled
  Authenticate success: 0, failed: 0
  Max number of on-line users is 0
  Current online user number is 0
          MAC Addr          Authenticate state           Auth Index
……(part of the output omitted)

Table 1-1 display mac-authentication command output description

| Field | Description |
|---|---|
| MAC address authentication is enabled | Whether MAC authentication is enabled |
| User name format is MAC address in lowercase, like xxxxxxxxxxxx | Type of username for MAC authentication. In this example, the username is the MAC address without hyphens, like xxxxxxxxxxxx, in lower case. If the username type is configured as MAC address with hyphens, "like xx-xx-xx-xx-xx-xx" is displayed instead. |
| Fixed username: | Fixed username |
| Fixed password: | Password of the fixed username |
| Offline detect period | Setting of the offline detect timer |
| Quiet period | Setting of the quiet timer |
| Server response timeout value | Setting of the server timeout timer |
| the max allowed user number | Maximum number of users each slot in the device supports |
| Current user number amounts to | Number of online users |
| Current domain: not configured, use default domain | Currently used ISP domain |
| Silent Mac User info | Information about quiet MAC addresses |
| GigabitEthernet1/0/1 is link-up | Status of the link on port GigabitEthernet1/0/1 |
| MAC address authentication is enabled | Whether MAC authentication is enabled on port GigabitEthernet1/0/1 |
| Authenticate success: 0, failed: 0 | MAC authentication statistics, including the number of successful authentication attempts and the number of unsuccessful authentication attempts |
| Max number of on-line users | Maximum number of online users allowed on the port. If MAC authentication is not enabled on the port, 0 is displayed for this field. |
| Current online user number | Number of online users on the port |
| MAC Addr | Online user MAC address |
| Authenticate state | User status. Possible values: CONNECTING (the user is logging in), SUCCESS (the user has passed the authentication), FAILURE (the user failed the authentication), LOGOFF (the user has logged off). |
| Auth Index | Authenticator index |

mac-authentication

Syntax

In system view:

mac-authentication [ interface interface-list ]

undo mac-authentication [ interface interface-list ]

In Ethernet interface view:

mac-authentication

undo mac-authentication

View

System view, Ethernet interface view

Default Level

2: System level

Parameters

interface interface-list: Specifies an Ethernet port list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. A port range defined without the to interface-type interface-number portion comprises only one port.

Description

Use the mac-authentication command to enable MAC authentication globally or for one or more ports.

Use the undo mac-authentication command to disable MAC authentication globally or for one or more ports.

By default, MAC authentication is neither enabled globally nor enabled on any port.

Note that:

- In system view, if you provide the interface-list argument, the command enables MAC authentication for the specified ports; otherwise, the command enables MAC authentication globally.

- You can enable MAC authentication for ports before enabling it globally. However, MAC authentication begins to function only after you also enable it globally.

- You can configure MAC authentication parameters globally or for specified ports either before or after enabling MAC authentication. If no MAC authentication parameters are configured when MAC authentication takes effect, the default values are used.

Examples

# Enable MAC authentication globally.

<Sysname> system-view
[Sysname] mac-authentication
Mac-auth is enabled globally.

# Enable MAC authentication for port GigabitEthernet1/0/1.

<Sysname> system-view
[Sysname] mac-authentication interface gigabitethernet1/0/1
Mac-auth is enabled on port GigabitEthernet1/0/1.

Or

<Sysname> system-view
[Sysname] interface gigabitethernet1/0/1
[Sysname-GigabitEthernet1/0/1] mac-authentication
Mac-auth is enabled on port GigabitEthernet1/0/1.

mac-authentication domain

Syntax

mac-authentication domain domain-name

undo mac-authentication domain

View

System view

Default Level

2: System level

Parameters

domain-name: ISP domain name, a case-insensitive string of 1 to 24 characters that cannot contain any forward slash (/), colon (:), asterisk (*), question mark (?), less-than sign (<), greater-than sign (>), or @. The specified authentication domain must have existed.

Description

Use the mac-authentication domain command to specify the authentication domain for MAC authentication.

Use the undo mac-authentication domain command to restore the default.

By default, no authentication domain is specified and the system default authentication domain is used for MAC authentication users. For information about the default ISP domain, refer to the domain default enable command in AAA Commands of the Command Reference - Part 8 Security.

Examples

# Specify the ISP domain for MAC authentication as domain1.

<Sysname> system-view
[Sysname] mac-authentication domain domain1

mac-authentication guest-vlan

Syntax

mac-authentication guest-vlan guest-vlan-id

undo mac-authentication guest-vlan

View

Layer 2 Ethernet interface view

Default Level

2: System level

Parameters

guest-vlan-id: ID of the guest VLAN for the port, in the range 1 to 4094. It must already exist.

Description

Use the mac-authentication guest-vlan command to specify a MAC-based guest VLAN (MGV) for MAC authentication. After the configured MGV takes effect, all users failing the authentication on the port will be added to the guest VLAN.

Use the undo mac-authentication guest-vlan command to remove the guest VLAN configuration.

By default, no MGV is configured on a port.

Note that:

- You must enable MAC authentication for the guest VLAN function to take effect.

- You must enable MAC VLAN on a port for the guest VLAN of the port to take effect.

- You are not allowed to delete a VLAN that is configured as a guest VLAN. To delete such a VLAN, you need to remove the guest VLAN configuration first.

- The super VLAN cannot be specified as a guest VLAN. Similarly, a guest VLAN cannot be specified as the super VLAN. For information about super VLAN, see VLAN Configuration in the Configuration Guide - Part 3 - Access.

Related commands: mac-authentication; mac-vlan enable in VLAN Commands of the Command Reference - Part 3 - Access.

Examples

# Configure VLAN 5 as the MGV on port GigabitEthernet 1/0/1.

<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] mac-authentication guest-vlan 5

mac-authentication max-user

Syntax

mac-authentication max-user user-number

undo mac-authentication max-user

View

Ethernet interface view

Default Level

2: System level

Parameters

user-number: Maximum number of online MAC authentication users allowed on the port, in the range 1 to 2048.

Description

Use the mac-authentication max-user command to set the maximum number of online MAC authentication users allowed on a port.

Use the undo mac-authentication max-user command to restore the default.

The default maximum number of online users allowed on a port is 2048.

Examples

# Configure port GigabitEthernet1/0/1 to allow up to 32 online MAC authentication users.

<Sysname> system-view
[Sysname] interface gigabitethernet1/0/1
[Sysname-GigabitEthernet1/0/1] mac-authentication max-user 32

mac-authentication timer

Syntax

mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | server-timeout server-timeout-value }

undo mac-authentication timer { offline-detect | quiet | server-timeout }

View

System view

Default Level

2: System level

Parameters

offline-detect offline-detect-value: Specifies the offline detect interval, in the range 60 to 65,535 seconds.

quiet quiet-value: Specifies the quiet period, in the range 1 to 3,600 seconds.

server-timeout server-timeout-value: Specifies the server timeout period, in the range 100 to 300 seconds.

Description

Use the mac-authentication timer command to set the MAC authentication timers.

Use the undo mac-authentication timer command to restore the defaults.

By default, the offline detect interval is 300 seconds, the quiet period is 60 seconds, and the server timeout period is 100 seconds.

The following timers function in the process of MAC authentication:

- Offline detect timer: This timer sets the idle timeout interval for users. If no packet is received from a user over two consecutive timeout intervals, the system disconnects the user connection and notifies the RADIUS server.

- Quiet timer: Whenever a user fails MAC authentication, the device does not perform MAC authentication of the user but drops the user's packets directly during the quiet period. After the quiet timer expires, the device re-authenticates the user upon receiving a packet from the user.

- Server timeout timer: During authentication of a user, if the device receives no response from the RADIUS server in this period, it assumes that its connection to the RADIUS server has timed out and forbids the user from accessing the network.

Related commands: display mac-authentication.

Examples

# Set the server timeout timer to 150 seconds.

<Sysname> system-view
[Sysname] mac-authentication timer server-timeout 150
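The three timers above interact per client: a failure starts the quiet period, traffic keeps an authenticated user online, and silence for two offline-detect intervals logs the user off. The following is an added model of that behaviour on one port, written for this page and not H3C code; it uses the page's default timer values and the state names shown by display mac-authentication. One assumption is made that the page does not state: a server timeout is treated like a failed attempt and is followed by a quiet period.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Added example, not H3C code: a minimal model of how the three MAC authentication
# timers gate a client on one port, with the page's default values (300s / 60s / 100s).
# Assumed here (the page does not say): a server timeout is handled like a reject and
# is followed by a quiet period. States use the names display mac-authentication shows.


@dataclass
class MacAuthPort:
    offline_detect: int = 300          # seconds, offline detect timer
    quiet: int = 60                    # seconds, quiet timer
    server_timeout: int = 100          # seconds, server timeout timer
    users: Dict[str, dict] = field(default_factory=dict)
    radius_events: List[str] = field(default_factory=list)

    def packet(self, mac: str, now: int, radius_reply: Optional[str]) -> str:
        """Frame from `mac` at time `now`; radius_reply is 'accept', 'reject' or
        None (server never answers). Returns 'forward' or 'drop'."""
        u = self.users.setdefault(mac, {"state": "LOGOFF", "last_seen": now, "quiet_until": 0})
        if u["state"] == "SUCCESS":
            u["last_seen"] = now                      # any traffic resets offline detection
            return "forward"
        if now < u["quiet_until"]:
            return "drop"                             # quiet timer running: no re-authentication
        u["state"] = "CONNECTING"
        if radius_reply == "accept":
            u["state"], u["last_seen"] = "SUCCESS", now
            return "forward"
        # A reject is decided at once; silence is decided only after server_timeout elapses.
        decided_at = now + (self.server_timeout if radius_reply is None else 0)
        u["state"], u["quiet_until"] = "FAILURE", decided_at + self.quiet
        return "drop"

    def tick(self, now: int) -> List[str]:
        """Offline detection: log off users silent for two consecutive offline-detect
        intervals and record the notification to the RADIUS server the page describes."""
        logged_off = []
        for mac, u in self.users.items():
            if u["state"] == "SUCCESS" and now - u["last_seen"] >= 2 * self.offline_detect:
                u["state"] = "LOGOFF"
                self.radius_events.append(f"notify server: {mac} offline at t={now}")
                logged_off.append(mac)
        return logged_off
```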

mac-authentication user-name-format

Syntax

mac-authentication user-name-format { fixed [ account name ] [ password { cipher | simple } password ] | mac-address [ { with-hyphen | without-hyphen } [ lowercase | uppercase ] ] }

undo mac-authentication user-name-format

View

System view

Default Level

2: System level

Parameters

fixed: Uses the MAC authentication username type of fixed username.

account name: Specifies the fixed username. The name argument is a case-insensitive string of 1 to 55 characters and defaults to mac.

password { cipher | simple } password: Specifies the password for the fixed username. Specify the cipher keyword to display the password in cipher text or the simple keyword to display the password in plain text.

- With cipher specified, you can type a password string of 1 to 63 characters in plain text or a string of 24 or 88 characters in cipher text. You can use the display mac-authentication command to view the password in cipher text.

- With simple specified, you can type a password string of 1 to 63 characters only in plain text.

mac-address: Uses the MAC address of a user as the username and password for authentication.

with-hyphen: Indicates that the MAC address must include "-", like xx-xx-xx-xx-xx-xx.

without-hyphen: Indicates that the MAC address must not include "-", like xxxxxxxxxxxx.

lowercase: Indicates that the letters in the MAC address must be in lower case.

uppercase: Indicates that the letters in the MAC address must be in upper case.

Description

Use the mac-authentication user-name-format command to configure the MAC authentication username type and, if the type of fixed username is used, the username and password for MAC authentication.

Use the undo mac-authentication user-name-format command to restore the default.

By default, each user's MAC address (without "-") is used as the username and password for MAC authentication, and the letters in the MAC address are in lower case.

Note that:

- When the username type of MAC address is used, each user's MAC address is used as both the username and password for MAC authentication.

- In cipher display mode, a password in plain text with no more than 16 characters is encrypted into a cipher-text password of 24 characters, and a password in plain text with 16 to 63 characters is encrypted into a cipher-text password of 88 characters. For a password with 24 characters, if it can be decrypted by the system, it is treated as a cipher-text one; otherwise, it is treated as a plain-text one.

Related commands: display mac-authentication.

Examples

# Configure the username for MAC authentication as abc, and password as xyz, and specify that the password is displayed in plain text.

<Sysname> system-view
[Sysname] mac-authentication user-name-format fixed account abc password simple xyz

# Configure the device to use the MAC address of a user as the username and password for MAC authentication, where the MAC address must be with hyphens (-) and in upper case.

<Sysname> system-view
[Sysname] mac-authentication user-name-format mac-address with-hyphen uppercase
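The username type chosen here must match what the RADIUS server holds, otherwise every client fails authentication and lands in the quiet period. The following added helper, written for this page and not H3C code, renders the username/password pair the switch sends for a client MAC under each user-name-format option (mac-address with or without hyphens, lower or upper case, or the fixed account), so a RADIUS user database can be generated in the exact format the device is configured for. The accepted input spellings of a MAC address (colon, hyphen, dotted, or bare hex) are an assumption of this helper, not something the page defines.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# Added example, not H3C code: derive the credentials a switch running
# "mac-authentication user-name-format" presents to the RADIUS server.
_SEPARATORS = re.compile(r"[:\-.]")          # input spellings accepted (assumed): aa:bb.., aa-bb.., aabb.ccdd.eeff
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Strip separators and return the 12 hex digits in lower case, or raise ValueError."""
    digits = _SEPARATORS.sub("", raw.strip()).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits


def mac_auth_credentials(raw_mac: str, *, with_hyphen: bool = False,
                         uppercase: bool = False) -> Tuple[str, str]:
    """mac-address mode: the MAC address is both username and password.
    Keyword defaults mirror the command defaults (without-hyphen, lowercase)."""
    name = normalize_mac(raw_mac)
    if with_hyphen:                                     # xx-xx-xx-xx-xx-xx
        name = "-".join(name[i:i + 2] for i in range(0, 12, 2))
    if uppercase:
        name = name.upper()
    return name, name


def fixed_credentials(account: str = "mac",
                      password: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """fixed mode: one shared account; the length limits are the command's own
    (account 1 to 55 characters, plain-text password 1 to 63 characters)."""
    if not 1 <= len(account) <= 55:
        raise ValueError("account name must be 1 to 55 characters")
    if password is not None and not 1 <= len(password) <= 63:
        raise ValueError("plain-text password must be 1 to 63 characters")
    return account, password


def radius_user_db(macs: Iterable[str], **fmt) -> Dict[str, str]:
    """Map each client MAC to the password the RADIUS server must store for it."""
    return dict(mac_auth_credentials(m, **fmt) for m in macs)
```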

reset mac-authentication statistics

Syntax

reset mac-authentication statistics [ interface interface-list ]

View

User view

Default Level

2: System level

Parameters

interface interface-list: Specifies an Ethernet port list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. A port range defined without the to interface-type interface-number portion comprises only one port.

Description

Use the reset mac-authentication statistics command to clear MAC authentication statistics.

Note that:

- If you do not specify the interface-list argument, the command clears the global MAC authentication statistics and the MAC authentication statistics on all ports.

- If you specify the interface-list argument, the command clears the MAC authentication statistics on the specified ports.

Related commands: display mac-authentication.

Examples

# Clear MAC authentication statistics on GigabitEthernet1/0/1.

<Sysname> reset mac-authentication statistics interface gigabitethernet1/0/1
