802.1X configuration commands 1

display dot1x· 1

dot1x· 4

dot1x authentication-method· 5

dot1x auth-fail vlan· 6

dot1x domain-delimiter 7

dot1x guest-vlan· 8

dot1x handshake· 9

dot1x handshake secure· 10

dot1x mandatory-domain· 10

dot1x max-user 11

dot1x multicast-trigger 12

dot1x port-control 13

dot1x port-method· 14

dot1x quiet-period· 15

dot1x re-authenticate· 16

dot1x retry· 17

dot1x timer 17

dot1x unicast-trigger 19

reset dot1x statistics 19

 

display dot1x

Syntax

display dot1x [ sessions | statistics ] [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

sessions: Displays 802.1X session information.

statistics: Displays 802.1X statistics.

interface interface-list: Specifies an Ethernet port list, which can contain multiple Ethernet ports. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } & <1-10>, where interface-type represents the port type, interface-number represents the port number, and & <1-10> means that you can provide up to 10 ports or port ranges. The start port number must be smaller than the end number and the two ports must be the same type.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display dot1x command to display information about 802.1X.

If you specify neither the sessions keyword nor the statistics keyword, the command displays all information about 802.1X, including session information, statistics, and configurations.

Related commands: reset dot1x statistics, dot1x, dot1x retry, dot1x max-user, dot1x port-control, dot1x port-method, and dot1x timer.

Examples

# Display all information about 802.1X.

<Sysname> display dot1x

Equipment 802.1X protocol is enabled

 CHAP authentication is enabled

 

 Configuration: Transmit Period   30 s,  Handshake Period       15 s

                Quiet Period      60 s,  Quiet Period Timer is disabled

                Supp Timeout      30 s,  Server Timeout        100 s

                Reauth Period   3600 s

                The maximal retransmitting times    2

 

 The maximum 802.1X user resource number is 1024 per slot

 Total current used 802.1X resource number is 0

 

 GigabitEthernet3/0/1  is link-up

   802.1X protocol is disabled

   Handshake is enabled

   Handshake secure is disabled

802.1X unicast-trigger is disabled

   Periodic reauthentication is disabled

   The port is an authenticator

   Authentication Mode is Auto

   Port Control Type is Mac-based

   802.1X Multicast-trigger is enabled

   Mandatory authentication domain: NOT configured

   Guest VLAN: NOT configured

   Auth-Fail VLAN: NOT configured

   Max number of on-line users is 1024

 

   EAPOL Packet: Tx 0, Rx 0

   Sent EAP Request/Identity Packets : 0

        EAP Request/Challenge Packets: 0

        EAP Request/Challenge Packets: 0

   Received EAPOL Start Packets : 0

            EAPOL LogOff Packets: 0

            EAP Response/Identity Packets : 0

            EAP Response/Challenge Packets: 0

            Error Packets: 0

 

   Controlled User(s) amount to 0      

Table 1 Output description

Field	Description
Equipment 802.1X protocol is enabled	Specifies whether 802.1X is enabled globally
CHAP authentication is enabled	Specifies whether CHAP authentication is enabled
Transmit Period	Username request timeout timer in seconds
Handshake Period	Handshake timer in seconds
Reauth Period	Periodic re-authentication timer in seconds
Quiet Period	Quiet timer in seconds
Quiet Period Timer is disabled	Status of the quiet timer. In this example, the quiet timer is enabled.
Supp Timeout	Client timeout timer in seconds
Server Timeout	Server timeout timer in seconds
The maximal retransmitting times	Maximum number of attempts for sending an authentication request to a client
The maximum 802.1X user resource number per slot	Maximum number of concurrent 802.1X user per card
Total current used 802.1X resource number	Total number of online 802.1X users
GigabitEthernet3/0/1 is link-up	Status of the port. In this example, GigabitEthernet 3/0/1 is up.
802.1X protocol is disabled	Specifies whether 802.1X is enabled on the port
Handshake is disabled	Specifies whether handshake is enabled on the port
Handshake secure is disabled	Specifies whether handshake security is enabled on the port
802.1X unicast-trigger is disabled	Specifies whether unicast trigger is enabled on the port.
Periodic reauthentication is disabled	Specifies whether periodic online user re-authentication is enabled on the port
The port is an authenticator	Role of the port
Authenticate Mode is Auto	Authorization state of the port
Port Control Type is Mac-based	Access control method of the port
802.1X Multicast-trigger is enabled	Specifies whether the 802.1X multicast-trigger function is enabled
Mandatory authentication domain	Mandatory authentication domain on the port
Guest VLAN	802.1X guest VLAN configured on the port. NOT configured is displayed if no guest VLAN is configured.
Auth-fail VLAN	Auth-Fail VLAN configured on the port. NOT configured is displayed if no Auth-Fail VLAN is configured.
Max number of on-line users	Maximum number of concurrent 802.1X users on the port
EAPOL Packet	Number of sent (Tx) and received (Rx) EAPOL packets
Sent EAP Request/Identity Packets	Number of sent EAP-Request/Identity packets
EAP Request/Challenge Packets	Number of sent EAP-Request/Challenge packets
EAP Success Packets	Number of sent EAP Success packets
Fail Packets	Number of sent EAP-Failure packets
Received EAPOL Start Packets	Number of received EAPOL-Start packets
EAPOL LogOff Packets	Number of received EAPOL-LogOff packets
EAP Response/Identity Packets	Number of received EAP-Response/Identity packets
EAP Response/Challenge Packets	Number of received EAP-Response/Challenge packets
Error Packets	Number of received error packets
Controlled User(s) amount	Number of authenticated users on the port

 

dot1x

Syntax

In system view:

dot1x [ interface interface-list ]

undo dot1x [ interface interface-list ]

In Ethernet interface view:

dot1x

undo dot1x

View

System view, Ethernet interface view

Default level

2: System level

Parameters

interface interface-list: Specifies a port list, which can contain multiple ports. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } & <1-10>, where interface-type represents the port type, interface-number represents the port number, and & <1-10> means that you can provide up to 10 ports or port ranges. The start port number must be smaller than the end number and the two ports must be of the same type.

Description

Use the dot1x command in system view to enable 802.1X globally.

Use the undo dot1x command in system view to disable 802.1X globally.

Use the dot1x interface command in system view or the dot1x command in interface view to enable 802.1X for specified ports.

Use the undo dot1x interface command in system view or the undo dot1x command in interface view to disable 802.1X for specified ports.

By default, 802.1X is neither enabled globally nor enabled for any port.

802.1X must be enabled both globally in system view and for the intended ports in system view or interface view. Otherwise, it does not function.

You can configure 802.1X parameters either before or after enabling 802.1X.

Related commands: display dot1x.

Examples

# Enable 802.1X for ports GigabitEthernet 3/0/1, and GigabitEthernet 3/0/5 to GigabitEthernet 3/0/7.

<Sysname> system-view

[Sysname] dot1x interface GigabitEthernet 3/0/1 GigabitEthernet 3/0/5 to GigabitEthernet 3/0/7

Or

<Sysname> system-view

[Sysname] interface GigabitEthernet 3/0/1

[Sysname-GigabitEthernet3/0/1] dot1x

[Sysname-GigabitEthernet3/0/1] quit

[Sysname] interface GigabitEthernet 3/0/5

[Sysname-GigabitEthernet3/0/5] dot1x

[Sysname-GigabitEthernet3/0/5] quit

[Sysname] interface GigabitEthernet 3/0/6

[Sysname-GigabitEthernet3/0/6] dot1x

[Sysname-GigabitEthernet3/0/6] quit

[Sysname] interface GigabitEthernet 3/0/7

[Sysname-GigabitEthernet3/0/7] dot1x

# Enable 802.1X globally.

<Sysname> system-view

[Sysname] dot1x

dot1x authentication-method

Syntax

dot1x authentication-method { chap | eap | pap }

undo dot1x authentication-method

View

System view

Default level

2: System level

Parameters

chap: Sets the access device to perform Extensible Authentication Protocol (EAP) termination and use the Challenge Handshake Authentication Protocol (CHAP) to communicate with the RADIUS server.

eap: Sets the access device to relay EAP packets, and supports any of the EAP authentication methods to communicate with the RADIUS server.

pap: Sets the access device to perform EAP termination and use the Password Authentication Protocol (PAP) to communicate with the RADIUS server.

Description

Use the dot1x authentication-method command to specify an EAP message handling method.

Use the undo dot1x authentication-method command to restore the default.

By default, the network access device performs EAP termination and uses CHAP to communicate with the RADIUS server.

The network access device terminates or relays EAP packets:

1.      In EAP termination mode, the access device re-encapsulates and sends the authentication data from the client in standard RADIUS packets to the RADIUS server, and performs either CHAP or PAP authentication with the RADIUS server. In this mode the RADIUS server supports only MD5-Challenge EAP authentication, and “username+password” EAP authentication initiated by an iNode client.

¡  PAP transports usernames and passwords in clear text. The authentication method applies to scenarios that do not require high security. To use PAP, the client must be an H3C iNode 802.1X client.

¡  CHAP transports username in plaintext and encrypted password over the network. It is more secure than PAP.

2.      In EAP relay mode, the access device relays EAP messages between the client and the RADIUS server. The EAP relay mode supports multiple EAP authentication methods, such as MD5-Challenge, EAP-TL, and PEAP. To use this mode, you must make sure that the RADIUS server supports the EAP-Message and Message-Authenticator attributes, and uses the same EAP authentication method as the client. If this mode is used, the user-name-format command configured in RADIUS scheme view does not take effect. For more information about the user-name-format command, see the chapter “RADIUS configuration commands.”

Local authentication supports PAP and CHAP.

If RADIUS authentication is used, you must configure the network access device to use the same authentication method (PAP, CHAP, or EAP) as the RADIUS server.

Related commands: display dot1x.

Examples

# Enable the access device to terminate EAP packets and perform PAP authentication with the RADIUS server.

<Sysname> system-view

[Sysname] dot1x authentication-method pap

dot1x auth-fail vlan

Syntax

dot1x auth-fail vlan authfail-vlan-id

undo dot1x auth-fail vlan

View

Ethernet interface view

Default level

2: System level

Parameters

authfail-vlan-id: Specifies the ID of the Auth-Fail VLAN for the port, in the range of 1 to 4094. Ensure that the VLAN has been created and is not a super VLAN. For more information about super VLANs, see Layer 2—LAN Switching Configuration Guide.

Descriptions

Use the dot1x auth-fail vlan command to configure an Auth-Fail VLAN for a port. An Auth-Fail VLAN accommodates users that have failed 802.1X authentication because of the failure to comply with the organization security strategy, such as using a wrong password.

Use the undo dot1x auth-fail vlan command to restore the default.

By default, no Auth-Fail VLAN is configured on a port.

You must enable MAC-based VLAN for an Auth-Fail VLAN to take effect on a port that performs MAC-based access control.

When you change the access control method from MAC-based to port-based on a port that carries an Auth-Fail VLAN, the mappings between MAC addresses and the 802.1X Auth-Fail VLAN are removed. You can use the display mac-vlan command to display MAC-to-VLAN mappings.

You must enable 802.1X multicast trigger function for an Auth-Fail VLAN to take effect on a port that performs port-based access control.

When you change the access control method from port-based to MAC-based on a port that is in an Auth-Fail VLAN, the port is removed from the Auth-Fail VLAN.

To delete a VLAN that has been configured as an Auth-Fail VLAN, you must remove the Auth-Fail VLAN configuration first.

You can configure both an Auth-Fail VLAN and a guest VLAN for a port.

Related commands: dot1x and dot1x port-method.

Examples

# Configure VLAN 3 as the Auth-Fail VLAN on port GigabitEthernet 3/0/1.

<Sysname> system-view

[Sysname] interface GigabitEthernet 3/0/1

[Sysname-GigabitEthernet3/0/1] dot1x auth-fail vlan 3

dot1x domain-delimiter

Syntax

dot1x domain-delimiter string

undo dot1x domain-delimiter

View

System view

Default level

2: System level

Parameters

string: Specifies a set of 1 to 16 domain name delimiters for 802.1X users. No space is required between delimiters. Available delimiters include the at sign (@), backslash (/), and forward slash (\).

Description

Use the dot1x domain-delimiter command to specify a set of domain name delimiters supported by the access device. Any character in the configured set can be used as the domain name delimiter for 802.1X authentication users.

Use the undo dot1x domain-delimiter command to restore the default.

By default, the access device supports only the at sign (@) delimiter for 802.1X users.

The delimiter set you configured overrides the default setting. If @ is not included in the delimiter set, the access device will not support the 802.1X users that use @ as the domain name delimiter.

If a username string contains multiple configured delimiters, the leftmost delimiter is the domain name delimiter. For example, if you configure @, /, and \ as delimiters, the domain name delimiter for the username string 123/22\@abc is the forward slash (/).

The cut connection user-name user-name and display connection user-name user-name commands are not available for 802.1X users that use / or \ as the domain name delimiter. For more information about the two commands, see the chapter “AAA configuration commands.”

Examples

# Specify the characters @, /, and \ as domain name delimiters.

<Sysname> system-view

[Sysname] dot1x domain-delimiter @\/

dot1x guest-vlan

Syntax

In system view:

dot1x guest-vlan guest-vlan-id [ interface interface-list ]

undo dot1x guest-vlan [ interface interface-list ]

In interface view:

dot1x guest-vlan guest-vlan-id

undo dot1x guest-vlan

View

System view, Ethernet interface view

Default level

2: System level

Parameters

guest-vlan-id: Specifies the ID of the VLAN to be specified as the 802.1X guest VLAN, in the range of 1 to 4094. Ensure that the VLAN has been created and is not a super VLAN. For more information about super VLANs, see Layer 2—LAN Switching Configuration Guide.

interface interface-list: Specifies a port list. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } & <1-10>, where interface-type represents the port type, interface-number represents the port number, and & <1-10> means that you can provide up to 10 ports or port ranges. The start port number must be smaller than the end number and the two ports must be of the same type. If no interface is specified, you configure an 802.1X guest VLAN for all Layer 2 Ethernet ports.

Description

Use the dot1x guest-vlan command to configure an 802.1X guest VLAN for the specified or all ports. A guest VLAN on a port accommodates users that have not performed 802.1X authentication. In the guest VLAN, users can access a limited set of network resources, such as a software server, to download anti-virus software and system patches.

Use the undo dot1x guest-vlan command to remove the 802.1X guest VLAN on the specified or all ports.

By default, no 802.1X guest VLAN is configured on a port.

You must enable 802.1X for an 802.1X guest VLAN to take effect.

To have the 802.1X guest VLAN take effect, complete the following tasks:

·           Enable 802.1X both globally and on the interface.

·           If the port performs port-based access control, enable the 802.1X multicast trigger function.

·           If the port performs MAC-based access control, configure the MAC-based VLAN function on the port.

When you change the access control method from MAC-based to port-based on a port that carries a guest VLAN, the mappings between MAC addresses and the 802.1X guest VLAN are removed. You can use the display mac-vlan command to display MAC-to-VLAN mappings.

When you change the access control method from port-based to MAC-based on a port that is in a guest VLAN, the port is removed from the guest VLAN.

To delete a VLAN that has been configured as a guest VLAN, you must remove the guest VLAN configuration first.

Related commands: dot1x, dot1x port-method, and dot1x multicast-trigger; mac-vlan enable and display mac-vlan (Layer 2—LAN Switching Command Reference).

Examples

# Specify port GigabitEthernet 3/0/1 to use VLAN 999 as its guest VLAN.

<Sysname> system-view

[Sysname] dot1x guest-vlan 999 interface GigabitEthernet 3/0/1

# Specify ports GigabitEthernet 3/0/2 to GigabitEthernet 3/0/5 to use VLAN 10 as its guest VLAN.

<Sysname> system-view

[Sysname] dot1x guest-vlan 10 interface GigabitEthernet 3/0/2 to GigabitEthernet 3/0/5

# Specify all ports to use VLAN 7 as their guest VLAN.

<Sysname> system-view

[Sysname] dot1x guest-vlan 7

# Specify port GigabitEthernet 3/0/7 to use VLAN 3 as its guest VLAN.

<Sysname> system-view

[Sysname] interface GigabitEthernet 3/0/7

[Sysname-GigabitEthernet3/0/7] dot1x guest-vlan 3

dot1x handshake

Syntax

dot1x handshake

undo dot1x handshake

View

Ethernet Interface view

Default level

2: System level

Parameters

None

Description

Use the dot1x handshake command to enable the online user handshake function. The function enables the device to periodically send handshake messages to the client to check whether a user is online.

Use the undo dot1x handshake command to disable the function.

By default, the function is enabled.

H3C recommends that you use the iNode client software to guarantee the normal operation of the online user handshake function.

Examples

# Enable the online user handshake.

<Sysname> system-view

[Sysname] interface GigabitEthernet 3/0/4

[Sysname-GigabitEthernet3/0/4] dot1x handshake

dot1x handshake secure

Syntax

dot1x handshake secure

undo dot1x handshake secure

View

Ethernet Interface view

Default level

2: System level

Parameters

None

Description

Use the dot1x handshake secure command to enable the online user handshake security function. The function enables the device to prevent users from using illegal client software.

Use the undo dot1x handshake secure command to disable the function.

By default, the function is disabled.

The online user handshake security function is implemented based on the online user handshake function. To bring the security function into effect, make sure the online user handshake function is enabled.

H3C recommends you use the iNode client software and iMC server to guarantee the normal operation of the online user handshake security function.

Related commands: dot1x handshake.

Examples

# Enable the online user handshake security function.

<Sysname> system-view

[Sysname] interface GigabitEthernet 3/0/4

[Sysname-GigabitEthernet3/0/4] dot1x handshake secure

dot1x mandatory-domain

Syntax

dot1x mandatory-domain domain-name

undo dot1x mandatory-domain

View

Ethernet Interface view

Default level

2: System level

Parameters

domain-name: Specifies the ISP domain name, a case-insensitive string of 1 to 24 characters. The specified domain must already exist.

Description

Use the dot1x mandatory-domain command to specify a mandatory 802.1X authentication domain on a port.

Use the undo dot1x mandatory-domain command to remove the mandatory authentication domain.

By default, no mandatory authentication domain is specified.

When authenticating an 802.1X user trying to access the port, the system selects an authentication domain in the following order: the mandatory domain, the ISP domain specified in the username, and the default ISP domain.

To display or cut all 802.1X connections in a mandatory domain, use the display connection domain isp-name or cut connection domain isp-name command. The output of the display connection command without any parameters displays domain names input by users at login. For more information about the display connection command or the cut connection command, see the chapter “AAA configuration commands.”

Related commands: display dot1x.

Examples

# Configure the mandatory authentication domain my-domain for 802.1X users on GigabitEthernet 3/0/1.

<Sysname> system-view

[Sysname] interface GigabitEthernet 3/0/1

[Sysname-GigabitEthernet3/0/1] dot1x mandatory-domain my-domain

# After 802.1X user usera passes the authentication, execute the display connection command to display the user connection information on GigabitEthernet 3/0/1. For more information about the display connection command, see the chapter “AAA configuration commands.”

[Sysname-GigabitEthernet3/0/1] display connection interface GigabitEthernet 3/0/1

slot:3

Index=68  ,Username=usera@my-domian

IP=3.3.3.3

IPv6=N/A

MAC=0015-e9a6-7cfe 

Total 1 connection(s) matched on slot 3.

Total 1 connection(s) matched.

dot1x max-user

Syntax

In system view:

dot1x max-user user-number [ interface interface-list ]

undo dot1x max-user [ interface interface-list ]

In Ethernet interface view:

dot1x max-user user-number

undo dot1x max-user

View

System view, Ethernet interface view

Default level

2: System level

Parameters

user-number: Maximum number of users to be supported simultaneously. The valid range is from 1 to 1024 and defaults to 1024.

interface interface-list: Specifies an Ethernet port list, which can contain multiple Ethernet ports. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } & <1-10>, where interface-type represents the port type, interface-number represents the port number, and & <1-10> means that you can provide up to 10 ports or port ranges. The start port number must be smaller than the end number and the two ports must be of the same type.

Description

Use the dot1x max-user command to set the maximum number of concurrent 802.1X users on a port.

Use the undo dot1x max-user command to restore the default.

In system view:

·           If you do not specify the interface-list argument, execution of the command applies to all ports.

·           If you specify the interface-list argument, execution of the command applies to the specified ports.

In Ethernet port view, the interface-list argument is not available and the command applies to only the current port.

Related commands: display dot1x.

Examples

# Set the maximum number of users for port GigabitEthernet 3/0/1 to support simultaneously as 32.

<Sysname> system-view

[Sysname] dot1x max-user 32 interface GigabitEthernet 3/0/1

Or

<Sysname> system-view

[Sysname] interface GigabitEthernet 3/0/1

[Sysname-GigabitEthernet3/0/1] dot1x max-user 32

# Configure GigabitEthernet 3/0/2 through GigabitEthernet 3/0/5 each to support a maximum of 32 concurrent 802.1X users.

<Sysname> system-view

[Sysname] dot1x max-user 32 interface GigabitEthernet 3/0/2 to GigabitEthernet 3/0/5

dot1x multicast-trigger

Syntax

dot1x multicast-trigger

undo dot1x multicast-trigger

View

Ethernet interface view

Default level

2: System level

Parameters

None

Description

Use the dot1x multicast-trigger command to enable the 802.1X multicast trigger function. The device acts as the initiator and periodically multicasts EAP-Request/Identify packets to the clients.

Use the undo dot1x multicast-trigger command to disable this function.

By default, the multicast trigger function is enabled.

Related commands: display dot1x.

Examples

# Enable the multicast trigger function on interface GigabitEthernet 3/0/1.

<Sysname> system-view

[Sysname] interface GigabitEthernet 3/0/1

[Sysname-GigabitEthernet3/0/1] dot1x multicast-trigger

dot1x port-control

Syntax

In system view:

dot1x port-control { authorized-force | auto | unauthorized-force } [ interface interface-list ]

undo dot1x port-control [ interface interface-list ]

In Ethernet interface view:

dot1x port-control { authorized-force | auto | unauthorized-force }

undo dot1x port-control

View

System view, Ethernet interface view

Default level

2: System level

Parameters

authorized-force: Places the specified or all ports in the authorized state, allowing users of the ports to access the network without authentication.

auto: Places the specified or all ports in the unauthorized state initially to allow only EAPOL packets to pass, and turns the ports into the authorized state to allow access to the network after the users pass authentication. This is the most common choice.

unauthorized-force: Places the specified or all ports in the unauthorized state, denying any access requests from users of the ports.

interface interface-list: Specifies an Ethernet port list, which can contain multiple Ethernet ports. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } & <1-10>, where interface-type represents the port type, interface-number represents the port number, and & <1-10> means that you can provide up to 10 ports or port ranges. The start port number must be smaller than the end number and the two ports must be of the same type.

Description

Use the dot1x port-control command to set the authorization mode for specified or all ports.

Use the undo dot1x port-control command to restore the default.

The default port authorization mode is auto.

In system view, if no interface-list argument is specified, this command sets the authorization mode for all ports.

Related commands: display dot1x.

Examples

# Set the authorization mode of port GigabitEthernet3/0/1 to unauthorized-force.

<Sysname> system-view

[Sysname] dot1x port-control unauthorized-force interface GigabitEthernet 3/0/1

Or

<Sysname> system-view

[Sysname] interface GigabitEthernet 3/0/1

[Sysname-GigabitEthernet3/0/1] dot1x port-control unauthorized-force

# Set the authorization state of ports GigabitEthernet 3/0/2 through GigabitEthernet 3/0/5 to unauthorized-force.

<Sysname> system-view

[Sysname] dot1x port-control unauthorized-force interface GigabitEthernet 3/0/2 to GigabitEthernet 3/0/5

dot1x port-method

Syntax

In system view:

dot1x port-method { macbased | portbased } [ interface interface-list ]

undo dot1x port-method [ interface interface-list ]

In Ethernet interface view:

dot1x port-method { macbased | portbased }

undo dot1x port-method

View

System view, Ethernet interface view

Default level

2: System level

Parameters

macbased: Uses MAC-based access control on a port to separately authenticate each user attempting to access the network. In this approach, when an authenticated user logs off, no other online users are affected.

portbased: Uses port-based access control on a port. In this approach, once an 802.1X user passes authentication on the port, any subsequent user can access the network through the port without authentication. When the authenticated user logs off, all other users are logged off.

interface interface-list: Specifies an Ethernet port list, which can contain multiple Ethernet ports. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } & <1-10>, where interface-type represents the port type, interface-number represents the port number, and & <1-10> means that you can provide up to 10 ports or port ranges for this argument. The start port number must be smaller than the end number and the two ports must be the same type.

Description

Use the dot1x port-method command to set the access control method for specified or all ports.

Use the undo dot1x port-method command to restore the default.

By default, MAC-based access control applies.

In system view, if no interface-list argument is specified, the command applies to all ports.

Related commands: display dot1x.

Examples

# Configure port GigabitEthernet 3/0/1 to implement port-based access control.

<Sysname> system-view

[Sysname] dot1x port-method portbased interface GigabitEthernet 3/0/1

Or

<Sysname> system-view

[Sysname] interface GigabitEthernet 3/0/1

[Sysname-GigabitEthernet3/0/1] dot1x port-method portbased

# Configure ports GigabitEthernet 3/0/2 through GigabitEthernet 3/0/5 to implement port-based access control.

<Sysname> system-view

[Sysname] dot1x port-method portbased interface GigabitEthernet 3/0/2 to GigabitEthernet 3/0/5

dot1x quiet-period

Syntax

dot1x quiet-period

undo dot1x quiet-period

View

System view

Default level

2: System level

Parameters

None

Description

Use the dot1x quiet-period command to enable the quiet timer. When a client fails 802.1X authentication, the device must wait a period of time before it can process authentication requests from the client.

Use the undo dot1x quiet-period command to disable the timer.

By default, the quiet timer is disabled.

Related commands: display dot1x and dot1x timer.

Examples

# Enable the quiet timer.

<Sysname> system-view

[Sysname] dot1x quiet-period

dot1x re-authenticate

Syntax

dot1x re-authenticate

undo dot1x re-authenticate

View

Ethernet interface view

Default level

2: System level

Parameters

None

Description

Use the dot1x re-authenticate command to enable the periodic online user re-authentication function.

Use the undo dot1x re-authenticate command to disable the function.

By default, the periodic online user re-authentication function is disabled.

Periodic re-authentication enables the access device to periodically authenticate online 802.1X users on a port. This function tracks the connection status of online users and updates the authorization attributes assigned by the server, such as the ACL, VLAN, and user profile-based QoS.

You can use the dot1x timer reauth-period command to configure the interval for re-authentication.

Related commands: dot1x timer reauth-period.

Examples

# Enable the 802.1X periodic online user re-authentication function on GigabitEthernet 3/0/1 and set the periodic re-authentication interval as 1800 seconds.

<Sysname> system-view

[Sysname] dot1x timer reauth-period 1800

[Sysname] interface GigabitEthernet 3/0/1

[Sysname-GigabitEthernet3/0/1] dot1x re-authenticate

dot1x retry

Syntax

dot1x retry max-retry-value

undo dot1x retry

View

System view

Default level

2: System level

Parameters

max-retry-value: Specifies the maximum number of attempts for sending an authentication request to a client, in the range of 1 to 10.

Description

Use the dot1x retry command to set the maximum number of attempts for sending an authentication request to a client.

Use the undo dot1x retry command to restore the default.

After the network access device sends an authentication request to a client, if the device receives no response from the client within the username request timeout timer (set with the dot1x timer tx-period tx-period-value command) or the client timeout timer (set with the dot1x timer supp-timeout supp-timeout-value command), the device retransmits the authentication request. The network access device stops retransmitting the request, if it has made the maximum number of request transmission attempts but still received no response.

This command applies to all ports of the device.

Related commands: display dot1x.

Examples

# Set the maximum number of attempts to send an authentication request to a client as 9.

<Sysname> system-view

[Sysname] dot1x retry 9

dot1x timer

Syntax

dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | reauth-period reauth-period-value | server-timeout server-timeout-value | supp-timeout supp-timeout-value | tx-period tx-period-value }

undo dot1x timer { handshake-period | quiet-period | reauth-period | server-timeout | supp-timeout | tx-period }

View

System view

Default level

2: System level

Parameters

handshake-period-value: Sets the handshake timer in seconds. It is in the range of 5 to 1024.

quiet-period-value: Sets the quiet timer in seconds. It is in the range of 10 to 120.

reauth-period-value: Sets the periodic re-authentication timer in seconds. It is in the range of 60 to 7200.

server-timeout-value: Sets the server timeout timer in seconds. It is in the range of 100 to 300.

supp-timeout-value: Sets the client timeout timer in seconds. It is in the range of 1 to 120.

tx-period-value: Sets the username request timeout timer in seconds. It is in the range of 10 to 120.

Description

Use the dot1x timer command to set 802.1X timers.

Use the undo dot1x timer command to restore the defaults.

By default, the handshake timer is 15 seconds, the quiet timer is 60 seconds, the periodic re-authentication timer is 3600 seconds, the server timeout timer is 100 seconds, the client timeout timer is 30 seconds, and the username request timeout timer is 30 seconds.

You can set the client timeout timer to a high value in a low-performance network, set the quiet timer to a high value in a vulnerable network or a low value for quicker authentication response, or adjust the server timeout timer to adapt to the performance of different authentication servers. In most cases, the default settings are sufficient.

The network device uses the following 802.1X timers:

·           Handshake timer (handshake-period)—Sets the interval at which the access device sends client handshake requests to check the online status of a client that has passed authentication. If the device receives no response after sending the maximum number of handshake requests, it considers that the client has logged off..

·           Quiet timer (quiet-period)—Starts when a client fails authentication. The access device must wait the time period before it can process the authentication attempts from the client.

·           Periodic re-authentication timer (reauth-period)—Sets the interval at which the network device periodically re-authenticates online 802.1X users. To enable periodic online user re-authentication on a port, use the dot1x re-authenticate command. The change to the periodic re-authentication timer does not apply to the users that are already online until the old timer expires.

·           Server timeout timer (server-timeout)—Starts when the access device sends a RADIUS Access-Request packet to the authentication server. If no response is received when this timer expires, the access device retransmits the request to the server.

·           Client timeout timer (supp-timeout)—Starts when the access device sends an EAP-Request/MD5 Challenge packet to a client. If no response is received when this timer expires, the access device retransmits the request to the client.

·           Username request timeout timer (tx-period)—Starts when the device sends an EAP-Request/Identity packet to a client in response to an authentication request. If the device receives no response before this timer expires, it retransmits the request. The timer also sets the interval at which the network device sends multicast EAP-Request/Identity packets to detect clients that cannot actively request authentication.

Related commands: display dot1x.

Examples

# Set the server timeout timer to 150 seconds.

<Sysname> system-view

[Sysname] dot1x timer server-timeout 150

dot1x unicast-trigger

Syntax

dot1x unicast-trigger

undo dot1x unicast-trigger

View

Ethernet interface view

Default level

2: System level

Parameters

None

Description

Use the dot1x unicast-trigger command to enable the 802.1X unicast trigger function.

Use the undo dot1x unicast-trigger command to disable the function.

By default, the unicast trigger function is disabled.

The unicast trigger function enables the network device to initiate 802.1X authentication when it receives a data frame from an unknown source MAC address. The device resends the packet if it receives no response within a period of time (set with the dot1x timer tx-period command). This process continues until the maximum number of retries (set with the dot1x retry command) is reached.

Related commands: display dot1x, dot1x timer tx-period, and dot1x retry.

Examples

# Enable the unicast trigger function for interface GigabitEthernet 3/0/1.

<Sysname> system-view

[Sysname] interface GigabitEthernet 3/0/1

[Sysname-GigabitEthernet3/0/1] dot1x unicast-trigger

reset dot1x statistics

Syntax

reset dot1x statistics [ interface interface-list ]

View

User view

Default level

2: System level

Parameters

interface interface-list: Specifies an Ethernet port list, which can contain multiple Ethernet ports. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } & <1-10>, where interface-type represents the port type, interface-number represents the port number, and & <1-10> means that you can provide up to 10 ports or port ranges. The start port number must be smaller than the end number and the two ports must be of the same type.

Description

Use the reset dot1x statistics command to clear 802.1X statistics.

If a list of ports is specified, the command clears 802.1X statistics for all the specified ports. If no ports are specified, the command clears all 802.1X statistics.

Related commands: display dot1x.

Examples

# Clear 802.1X statistics on port GigabitEthernet 3/0/1.

<Sysname> reset dot1x statistics interface GigabitEthernet 3/0/1