- H3C WX3000 Series Unified Switches Switching Engine Command Reference-6W103
17-MAC Address Authentication Command
Table of Contents
1 MAC Authentication Configuration Commands
MAC Authentication Basic Function Configuration Commands
mac-authentication authmode usernameasmacaddress
mac-authentication authmode usernamefixed
mac-authentication authpassword
mac-authentication authusername
MAC Address Authentication Enhanced Function Configuration Commands
mac-authentication max-auth-num
mac-authentication timer guest-vlan-reauth
MAC Authentication Basic Function Configuration Commands
display mac-authentication
Syntax
display mac-authentication [ interface interface-list ]
View
Any view
Parameters
interface interface-list: List of Ethernet ports. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument.
Description
Use the display mac-authentication command to display information about MAC authentication.
Examples
# Display the global information about MAC authentication.
<device> display mac-authentication
Mac address authentication is Enabled.
Authentication mode is UsernameAsMacAddress usernameformat with-hyphen lowercase
Fixed username:mac
Fixed password:not configured
Offline detect period is 300s
Quiet period is 60 second(s).
Server response timeout value is 100s
Guest VLAN re-authenticate period is 30s
Max allowed user number is 1024
Current user number amounts to 1
Current domain: not configured, use default domain
Silent Mac User info:
MAC ADDR From Port Port Index
GigabitEthernet1/0/1 is link-up
MAC address authentication is Enabled
max-auth-num is 256
Guest VLAN is 2
Authenticate success: 1, failed: 0
Current online user number is 1
MAC ADDR Authenticate state AuthIndex
000d-88f8-4e71 MAC_AUTHENTICATOR_SUCCESS 0
……(The following is omitted)
Table 1-1 display mac-authentication command output description
Field | Description |
---|---|
Mac address authentication is Enabled | MAC authentication is enabled. |
Authentication mode | User name used in the MAC address mode. The default is the MAC address. |
Fixed username | User name used in the fixed mode, which defaults to “mac”. |
Fixed password | Password used in the fixed mode, which is not configured by default. |
Offline detect period | Offline detect timer, which sets the time interval to check whether a user goes offline and defaults to 300 seconds. |
Quiet period | Quiet timer, which sets the quiet period. The device goes through a quiet period if a user fails to pass the MAC address authentication. The default value is 60 seconds. |
Server response timeout value | Server timeout timer, which sets the timeout time for the connection between the device and the RADIUS server. By default, it is 100 seconds. |
Guest VLAN re-authenticate period | Re-authenticate timer, which sets the time interval to reauthenticate the users in the Guest VLAN and defaults to 30 seconds. |
Max allowed user number | The maximum number of users supported by the device. It is 1,024 by default. |
Current user number amounts to | The current number of users. |
Current domain | The current domain. It is not configured by default. |
Silent Mac User info | Information about the silent user. When a user fails to pass MAC address authentication because of an incorrect user name and password, the device puts the user in the quiet state. During the quiet period, the device does not process authentication requests from this user. |
GigabitEthernet1/0/1 is link-up | The link connected to port GigabitEthernet 1/0/1 is up. |
MAC address authentication is Enabled | MAC address authentication is enabled for port GigabitEthernet 1/0/1. |
max-auth-num | Maximum number of MAC authentication users that the port can accommodate. |
Guest VLAN | Guest VLAN of the port. |
Authenticate success: 1, failed: 0 | Statistics of the MAC address authentications performed on the port, including the numbers of successful and failed authentication operations. |
Current online user number | The number of users currently accessing the network through the port. |
MAC ADDR | Peer MAC address. |
Authenticate state | The state of the users accessing the network through the port, which can be: MAC_AUTHENTICATOR_CONNECTING (connecting), MAC_AUTHENTICATOR_SUCCESS (authentication passed), MAC_AUTHENTICATOR_FAILURE (failed to pass authentication), or MAC_AUTHENTICATOR_LOGOFF (offline). |
AuthIndex | Index of the current MAC address with regard to the authentication port. |
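A parser for the output format shown in the example and described in Table 1-1, as an added example that is not part of the H3C reference: it collects the global settings and per-port state, then flags ports with failed authentications or users not in MAC_AUTHENTICATOR_SUCCESS. The function names are hypothetical, the sample is abridged from the output above, and the GigabitEthernet1/0/2 block is constructed.

```python
import re

# Abridged output from the example above; the GigabitEthernet1/0/2 block is constructed.
SAMPLE = """\
Mac address authentication is Enabled.
Authentication mode is UsernameAsMacAddress usernameformat with-hyphen lowercase
GigabitEthernet1/0/1 is link-up
MAC address authentication is Enabled
max-auth-num is 256
Guest VLAN is 2
Authenticate success: 1, failed: 0
MAC ADDR Authenticate state AuthIndex
000d-88f8-4e71 MAC_AUTHENTICATOR_SUCCESS 0
GigabitEthernet1/0/2 is link-up
MAC address authentication is Enabled
Authenticate success: 0, failed: 3
MAC ADDR Authenticate state AuthIndex
0011-2233-4455 MAC_AUTHENTICATOR_FAILURE 0
"""

PORT = re.compile(r"^(\S+) is link-(up|down)$")
STATS = re.compile(r"^Authenticate success: (\d+), failed: (\d+)$")
GUEST = re.compile(r"^Guest VLAN is (\d+)$")
USER = re.compile(r"^((?:[0-9a-f]{4}-){2}[0-9a-f]{4})\s+(MAC_AUTHENTICATOR_\w+)\s+(\d+)$", re.I)

def parse_display(text):
    """Parse `display mac-authentication` output into (global settings, per-port state)."""
    glob, ports, cur = {"enabled": False, "authmode": None}, {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := PORT.match(line):  # a port header starts a new per-port block
            cur = ports[m.group(1)] = {"link": m.group(2), "enabled": False,
                                       "guest_vlan": None, "success": 0,
                                       "failed": 0, "users": []}
        elif cur is None:  # still in the global part of the output
            if line.startswith("Mac address authentication is Enabled"):
                glob["enabled"] = True
            elif line.startswith("Authentication mode is "):
                glob["authmode"] = line.split(" is ", 1)[1]
        elif line == "MAC address authentication is Enabled":
            cur["enabled"] = True
        elif m := GUEST.match(line):
            cur["guest_vlan"] = int(m.group(1))
        elif m := STATS.match(line):
            cur["success"], cur["failed"] = int(m.group(1)), int(m.group(2))
        elif m := USER.match(line):
            cur["users"].append((m.group(1).lower(), m.group(2)))
    return glob, ports

def ports_needing_review(ports):
    """Ports with failed authentications or users not in the SUCCESS state."""
    flagged = {}
    for name, p in ports.items():
        bad = [u for u in p["users"] if u[1] != "MAC_AUTHENTICATOR_SUCCESS"]
        if p["failed"] or bad:
            flagged[name] = {"failed": p["failed"], "users": bad}
    return flagged

if __name__ == "__main__":
    print(ports_needing_review(parse_display(SAMPLE)[1]))
```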
mac-authentication
Syntax
mac-authentication
undo mac-authentication
View
System view, Ethernet port view
Parameters
None
Description
Use the mac-authentication command to enable MAC authentication globally or on the current port.
Use the undo mac-authentication command to disable MAC authentication globally or on the current port.
By default, MAC authentication is disabled both globally and on a port.
When being executed in system view, the mac-authentication command enables MAC authentication globally.
When being executed in Ethernet port view, the mac-authentication command enables MAC authentication on the current port.
You can configure MAC authentication on a port before enabling it globally. However, the configuration will not take effect unless MAC authentication is enabled globally.
Examples
# Enable MAC authentication globally.
<device> system-view
System View: return to User View with Ctrl+Z.
[device] mac-authentication
MAC-Authentication is enabled globally.
# Enable MAC authentication on port GigabitEthernet 1/0/1.
[device] interface GigabitEthernet 1/0/1
[device-GigabitEthernet1/0/1] mac-authentication
mac-authentication interface
Syntax
mac-authentication interface interface-list
undo mac-authentication interface interface-list
View
System view
Parameters
interface-list: List of Ethernet ports. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument.
Description
Use the mac-authentication interface command to enable MAC authentication on the specified port(s).
Use the undo mac-authentication interface command to disable the MAC authentication for the specified port(s).
By default, MAC authentication is disabled on a port.
- This command is essential for MAC authentication to work on a port or on particular ports after MAC authentication is globally enabled.
- You cannot configure the maximum number of dynamic MAC address entries for a port (through the mac-address max-mac-count command) with MAC authentication enabled. Likewise, you cannot enable the MAC authentication feature on a port with a limit of dynamic MAC addresses configured.
Examples
# Enable MAC authentication for GigabitEthernet1/0/1 port.
<device> system-view
System View: return to User View with Ctrl+Z.
[device] mac-authentication interface GigabitEthernet 1/0/1
mac-authentication authmode usernameasmacaddress
Syntax
mac-authentication authmode usernameasmacaddress [ usernameformat { with-hyphen | without-hyphen } { lowercase | uppercase } | fixedpassword password ]
undo mac-authentication authmode usernameasmacaddress [ usernameformat | fixedpassword ]
View
System view
Parameters
usernameformat: Specifies the input format of the username and password.
with-hyphen: Uses hyphened MAC addresses as usernames and passwords, for example, 00-05-e0-1c-02-e3.
without-hyphen: Uses MAC addresses without hyphens as usernames and passwords, for example, 0005e01c02e3.
lowercase: Uses lowercase MAC addresses as usernames and passwords.
uppercase: Uses uppercase MAC addresses as usernames and passwords.
fixedpassword: Uses the fixed password in MAC address mode for MAC authentication.
password: Password for MAC authentication, a string of 1 to 63 characters.
Description
Use the mac-authentication authmode usernameasmacaddress command to set the user name in MAC address mode for MAC authentication.
Use the undo mac-authentication authmode command to restore the default user name mode.
By default, the user name and password in MAC address mode are used for MAC authentication.
Examples
# Use the user name in MAC address mode for MAC authentication, requiring hyphened lowercase MAC addresses as the usernames and passwords.
<device> system-view
System View: return to User View with Ctrl+Z.
[device] mac-authentication authmode usernameasmacaddress usernameformat with-hyphen lowercase
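The RADIUS account for each client has to match the username format configured here. The following added example (not part of the H3C reference) renders a MAC address in each usernameformat and case combination and checks stored account names against the configured format; the function and parameter names are hypothetical, and the colon-separated account name in the usage is constructed.

```python
import re


def normalize_mac(mac):
    """Return the 12 lowercase hex digits of a MAC written in any common notation."""
    digits = re.sub(r"[-:.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def mac_auth_credentials(mac, hyphen=True, uppercase=False, fixed_password=None):
    """Username and password presented for a client in MAC address mode.

    hyphen         -> usernameformat with-hyphen / without-hyphen
    uppercase      -> uppercase / lowercase
    fixed_password -> value given with fixedpassword, if one is configured
    """
    digits = normalize_mac(mac)
    if hyphen:
        # with-hyphen separates every octet, e.g. 00-05-e0-1c-02-e3
        digits = "-".join(digits[i:i + 2] for i in range(0, 12, 2))
    username = digits.upper() if uppercase else digits
    # Without fixedpassword the MAC-derived string is also the password.
    password = fixed_password if fixed_password is not None else username
    return username, password


def audit_accounts(usernames, hyphen=True, uppercase=False):
    """Return (stored, expected) for account names the configured format will not match."""
    mismatches = []
    for stored in usernames:
        expected, _ = mac_auth_credentials(stored, hyphen, uppercase)
        if stored != expected:
            mismatches.append((stored, expected))
    return mismatches


if __name__ == "__main__":
    # 000d-88f8-4e71 is the notation used by display mac-authentication.
    print(mac_auth_credentials("000d-88f8-4e71"))
    # Constructed account list: the second name uses colons and uppercase.
    print(audit_accounts(["00-05-e0-1c-02-e3", "00:05:E0:1C:02:E3"]))
```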
mac-authentication authmode usernamefixed
Syntax
mac-authentication authmode usernamefixed
undo mac-authentication authmode
View
System view
Parameters
None
Description
Use the mac-authentication authmode usernamefixed command to set the user name in fixed mode for MAC authentication.
Use the undo mac-authentication authmode command to restore the default user name mode for MAC authentication.
By default, the MAC address mode is used.
Examples
# Use the user name in fixed mode for MAC authentication.
<device> system-view
System View: return to User View with Ctrl+Z.
[device] mac-authentication authmode usernamefixed
mac-authentication authpassword
Syntax
mac-authentication authpassword password
undo mac-authentication authpassword
View
System view
Parameters
password: Password to be set, a string comprising 1 to 63 characters.
Description
Use the mac-authentication authpassword command to set a password for MAC authentication when the user name in fixed mode is used.
Use the undo mac-authentication authpassword command to cancel the configured password.
By default, no password is configured.
Examples
# Set the password to “newmac”.
<device> system-view
System View: return to User View with Ctrl+Z.
[device] mac-authentication authpassword newmac
mac-authentication authusername
Syntax
mac-authentication authusername username
undo mac-authentication authusername
View
System view
Parameters
username: User name used in authentication, a string of 1 to 55 characters.
Description
Use the mac-authentication authusername command to set a user name in fixed mode.
Use the undo mac-authentication authusername command to restore the default user name.
By default, the user name in fixed mode is “mac”.
Examples
# Set the user name to “vipuser” in fixed mode.
<device> system-view
System View: return to User View with Ctrl+Z.
[device] mac-authentication authusername vipuser
mac-authentication domain
Syntax
mac-authentication domain isp-name
undo mac-authentication domain
View
System view
Parameters
isp-name: ISP domain name, a string of 1 to 128 characters. Note that this argument cannot be null and cannot contain these characters: “/”, “:”, “*”, “?”, “<”, and “>”.
Description
Use the mac-authentication domain command to configure an ISP domain for MAC authentication.
Use the undo mac-authentication domain command to restore the default ISP domain for MAC authentication.
By default, no domain for MAC authentication is configured, and the default domain is used as the ISP domain name.
Examples
# Configure the domain for MAC authentication to be “Cams”.
<device> system-view
System View: return to User View with Ctrl+Z.
[device] mac-authentication domain Cams
mac-authentication timer
Syntax
mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | server-timeout server-timeout-value }
undo mac-authentication timer { offline-detect | quiet | server-timeout }
View
System view
Parameters
offline-detect-value: Offline detect timer (in seconds) setting. This argument ranges from 1 to 65,535 and defaults to 300. The offline detect timer sets the time interval for the device to test whether a user goes offline.
quiet-value: Quiet timer (in seconds) setting. This argument ranges from 1 to 3,600 and defaults to 60. After a user fails to pass the authentication performed by the device, the device quiets for a specific period (the quiet period) before it authenticates the user again.
server-timeout-value: Server timeout timer setting (in seconds). This argument ranges from 1 to 65,535 and defaults to 100. During authentication, the device prohibits a user from accessing the network if the connection between the device and the RADIUS server times out.
Description
Use the mac-authentication timer command to configure the timers used in MAC authentication.
Use the undo mac-authentication timer command to restore a timer to its default setting.
Related commands: display mac-authentication.
Examples
# Set the server timeout timer to 150 seconds.
<device> system-view
System View: return to User View with Ctrl+Z.
[device] mac-authentication timer server-timeout 150
reset mac-authentication
Syntax
reset mac-authentication statistics [ interface interface-list ]
View
User view
Parameters
interface-list: List of Ethernet ports. You can specify multiple Ethernet ports by providing this argument in the form of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where &<1-10> means that you can provide up to 10 port indexes/port index ranges for this argument.
Description
Use the reset mac-authentication command to clear the MAC authentication statistics. With the interface keyword specified, the command clears the MAC authentication statistics of the specified port. Without this keyword, the command clears the global MAC authentication statistics.
Examples
# Clear the MAC authentication statistics for port GigabitEthernet 1/0/1.
<device> reset mac-authentication statistics interface GigabitEthernet 1/0/1
MAC Address Authentication Enhanced Function Configuration Commands
mac-authentication guest-vlan
Syntax
mac-authentication guest-vlan vlan-id
undo mac-authentication guest-vlan
View
Ethernet port view
Parameters
vlan-id: ID of the Guest VLAN configured for the current port. This argument is in the range of 1 to 4,094.
Description
Use the mac-authentication guest-vlan command to configure a Guest VLAN for the current port. If the client connected to the port fails in the authentication, the port will be added to the Guest VLAN, and thus the users accessing the port can access network resources in the Guest VLAN.
Use the undo mac-authentication guest-vlan command to remove the Guest VLAN configuration for the port.
No Guest VLAN is configured for a port by default.
- If more than one client is connected to a port, you cannot configure a Guest VLAN for this port.
- When a Guest VLAN is configured for a port, only one MAC address authentication user can access the port. Even if you set the limit on the number of MAC address authentication users to more than one, the configuration does not take effect.
- The undo vlan command cannot be used to remove the VLAN configured as a Guest VLAN. If you want to remove this VLAN, you must first remove the Guest VLAN configuration for it. Refer to VLAN for the description of the undo vlan command.
- Only one Guest VLAN can be configured for a port, and the VLAN configured as the Guest VLAN must be an existing VLAN. Otherwise, the Guest VLAN configuration does not take effect. If you want to change the Guest VLAN for a port, you must remove the current Guest VLAN and then configure a new Guest VLAN for this port.
- 802.1x authentication cannot be enabled for a port configured with a Guest VLAN.
- The Guest VLAN function for MAC authentication does not take effect when port security is enabled.
Related commands: mac-authentication timer guest-vlan-reauth.
Examples
# Configure VLAN 4 as the Guest VLAN for GigabitEthernet1/0/1.
<device> system-view
System View: return to User View with Ctrl+Z.
[device] interface GigabitEthernet 1/0/1
[device-GigabitEthernet1/0/1] mac-authentication guest-vlan 4
mac-authentication max-auth-num
Syntax
mac-authentication max-auth-num user-number
undo mac-authentication max-auth-num
View
Ethernet port view
Parameters
user-number: Maximum number of MAC address authentication users allowed to access a port. This argument is in the range of 1 to 256.
Description
Use the mac-authentication max-auth-num command to configure the maximum number of MAC address authentication users allowed to access the port. After the number of access users has exceeded the configured maximum number, the device will not trigger MAC address authentication for subsequent access users, and thus these subsequent access users cannot access the network normally.
Use the undo mac-authentication max-auth-num command to restore the maximum number of MAC address authentication users allowed to access the port to the default value.
By default, the maximum number of MAC address authentication users allowed to access a port is 256.
- If both the limit on the number of MAC address authentication users and the limit on the number of users configured in the port security function are configured for a port at the same time, the smaller value of the two configured limits is adopted as the maximum number of MAC address authentication users allowed to access this port. Refer to Port Security for the description on the port security function.
- You cannot configure the maximum number of MAC address authentication users for a port if any user connected to this port is online.
Examples
# Set the maximum number of MAC address authentication users allowed to access GigabitEthernet 1/0/2 to 100.
<device> system-view
System View: return to User View with Ctrl+Z.
[device] interface GigabitEthernet 1/0/2
[device-GigabitEthernet1/0/2] mac-authentication max-auth-num 100
mac-authentication timer guest-vlan-reauth
Syntax
mac-authentication timer guest-vlan-reauth interval
undo mac-authentication timer guest-vlan-reauth
View
System view
Parameters
interval: Interval (in seconds) at which the device re-authenticates users in Guest VLANs. This argument is in the range of 1 to 3,600.
Description
Use the mac-authentication timer guest-vlan-reauth command to configure the interval at which the device re-authenticates users in Guest VLANs.
Use the undo mac-authentication timer guest-vlan-reauth command to restore the re-authentication interval to the default value.
The device re-authenticates the users in Guest VLANs at the interval of 30 seconds by default.
Examples
# Configure the device to re-authenticate users in Guest VLANs at the interval of 60 seconds.
<device> system-view
System View: return to User View with Ctrl+Z.
[device] mac-authentication timer guest-vlan-reauth 60