11-Security Command Reference
MAC authentication configuration commands
Syntax
display mac-authentication [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
2: System level
Parameters
interface interface-list: Specifies a port list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. The start port and end port of a port range must be of the same type and the end port number must be greater than the start port number. A port range defined without the to interface-type interface-number portion comprises only one port.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use the display mac-authentication command to display MAC authentication settings and statistics, including the global settings, the port-specific settings, and the MAC authentication and online user statistics.
If you specify a list of ports, the command displays port-specific settings and statistics only for the specified ports.
If you do not specify any port, the command displays port-specific settings and statistics for all ports.
Examples
# Display all MAC authentication settings and statistics.
<Sysname> display mac-authentication
MAC address authentication is enabled.
User name format is MAC address in lowercase, like xxxxxxxxxxxx
Fixed username:mac
Fixed password:not configured
Offline detect period is 300s
Quiet period is 60s.
Server response timeout value is 100s
the max allowed user number is 1024 per slot
Current user number amounts to 0
Current domain: not configured, use default domain
Silent Mac User info:
Silent Mac User info:
MAC Addr From Port Port Index
GigabitEthernet3/0/1 is link-up
MAC address authentication is enabled
Authenticate success: 0, failed: 0
Current online user number is 0
MAC Addr Authenticate state AuthIndex
……(output omitted)
Table 1 Output description
Field | Description
---|---
MAC address authentication is enabled | Whether MAC authentication is enabled
User name format is MAC address in lowercase, like xxxxxxxxxxxx | Type of user account, MAC-based or shared. If MAC-based accounts are used, this field displays "User name format is MAC address…" followed by the format settings for usernames and passwords, for example, MAC addresses in lower case without hyphens. If a shared account is used, this field displays "User name format is fixed account."
Fixed username: | Username of the shared account for MAC authentication users. If MAC-based accounts are used, this field displays mac.
Fixed password: | Password of the shared account for MAC authentication users. If MAC-based accounts are used, this field displays not configured.
Offline detect period | Setting of the offline detect timer
Quiet period | Setting of the quiet timer
Server response timeout value | Setting of the server timeout timer
the max allowed user number | Maximum number of users each slot supports
Current user number amounts to | Number of online users
Current domain: not configured, use default domain | Authentication domain that is currently used
Silent Mac User info | Information about silent MAC addresses. A MAC address is marked silent when it fails MAC authentication, and the quiet timer starts at the same time. Before the timer expires, the device drops any packet from the MAC address and does not perform MAC authentication for it.
GigabitEthernet3/0/1 is link-up | Status of the link on port GigabitEthernet 3/0/1. In this example, the link is up.
MAC address authentication is enabled | Whether MAC authentication is enabled on port GigabitEthernet 3/0/1.
Authenticate success: 0, failed: 0 | MAC authentication statistics, including the numbers of successful and failed authentication attempts
Current online user number | Number of online users on the port.
MAC Addr | MAC address of the online user.
Authenticate state | User status. Possible values: MAC_AUTHENTICATOR_CONNECT (the user is logging in), MAC_AUTHENTICATOR_SUCCESS (the user has passed authentication), MAC_AUTHENTICATOR_FAIL (the user failed authentication), MAC_AUTHENTICATOR_LOGOFF (the user has logged off).
AuthIndex | Authenticator index.
mac-authentication
Syntax
In system view:
mac-authentication [ interface interface-list ]
undo mac-authentication [ interface interface-list ]
In Ethernet interface view:
mac-authentication
undo mac-authentication
View
System view, Ethernet interface view
Default level
2: System level
Parameters
interface interface-list: Specifies an Ethernet port list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. The start port and end port of a port range must be of the same type and the end port number must be greater than the start port number. A port range defined without the to interface-type interface-number portion comprises only one port.
Description
Use the mac-authentication command in system view to enable MAC authentication globally.
Use the mac-authentication interface interface-list command in system view to enable MAC authentication on a list of ports, or the mac-authentication command in interface view to enable MAC authentication on a port.
Use the undo mac-authentication command in system view to disable MAC authentication globally.
Use the undo mac-authentication interface interface-list command in system view to disable MAC authentication on a list of ports, or the undo mac-authentication command in interface view to disable MAC authentication on a port.
By default, MAC authentication is not enabled globally or on any port.
To use MAC authentication on a port, you must enable the function both globally and on the port.
Examples
# Enable MAC authentication globally.
<Sysname> system-view
[Sysname] mac-authentication
Mac-auth is enabled globally.
# Enable MAC authentication on port GigabitEthernet 3/0/1.
<Sysname> system-view
[Sysname] mac-authentication interface GigabitEthernet3/0/1
Mac-auth is enabled on port GigabitEthernet3/0/1.
Or
<Sysname> system-view
[Sysname] interface GigabitEthernet 3/0/1
[Sysname-GigabitEthernet3/0/1] mac-authentication
Mac-auth is enabled on port GigabitEthernet3/0/1.
mac-authentication domain
Syntax
mac-authentication domain domain-name
undo mac-authentication domain
View
System view, interface view
Default level
2: System level
Parameters
domain-name: Specifies an authentication domain by its name. The domain name takes a case-insensitive string of 1 to 24 characters. The domain name cannot contain any forward slash (/), colon (:), asterisk (*), question mark (?), less-than sign (<), greater-than sign (>), or at sign (@).
Description
Use the mac-authentication domain command to specify a global authentication domain in system view, or a port-specific authentication domain in interface view, for MAC authentication users.
Use the undo mac-authentication domain command to restore the default.
By default, the default authentication domain is used for MAC authentication users. For more information about the default authentication domain, see the domain default enable command in the chapter “AAA configuration commands.”
The global authentication domain applies to all MAC authentication enabled ports. A port-specific authentication domain applies only to that port. You can specify different authentication domains on different ports.
A port chooses an authentication domain for MAC authentication users in this order: the port-specific domain, then the global domain, and finally the default authentication domain.
Related commands: display mac-authentication.
Examples
# Specify the domain1 domain as the global authentication domain for MAC authentication users.
<Sysname> system-view
[Sysname] mac-authentication domain domain1
# Specify the aabbcc domain as the authentication domain for MAC authentication users on port GigabitEthernet 3/0/1.
[Sysname] interface GigabitEthernet 3/0/1
[Sysname-GigabitEthernet3/0/1] mac-authentication domain aabbcc
mac-authentication max-user
Syntax
mac-authentication max-user user-number
undo mac-authentication max-user
View
Ethernet interface view
Default level
2: System level
Parameters
user-number: Specifies a maximum number of concurrent MAC authentication users on the port. The value is in the range of 1 to 4096.
Description
Use the mac-authentication max-user command to set the maximum number of concurrent MAC authentication users on a port.
Use the undo mac-authentication max-user command to restore the default.
By default, a port allows up to 4096 concurrent MAC authentication users.
Examples
# Configure port GigabitEthernet 3/0/1 to support up to 32 concurrent MAC authentication users.
<Sysname> system-view
[Sysname] interface GigabitEthernet 3/0/1
[Sysname-GigabitEthernet3/0/1] mac-authentication max-user 32
mac-authentication timer
Syntax
mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | server-timeout server-timeout-value }
undo mac-authentication timer { offline-detect | quiet | server-timeout }
View
System view
Default level
2: System level
Parameters
offline-detect offline-detect-value: Sets the offline detect timer, in the range of 60 to 65535 seconds. This timer sets the interval that the device waits for traffic from a user before it regards the user as idle. If a user connection has been idle for two consecutive intervals, the device logs the user out and stops accounting for the user.
quiet quiet-value: Sets the quiet timer, in the range of 1 to 3600 seconds. This timer sets the interval that the device must wait before it can perform MAC authentication for a user that has failed MAC authentication. All packets from the MAC address are dropped during the quiet time. This quiet mechanism prevents repeated authentication from affecting system performance.
server-timeout server-timeout-value: Sets the server timeout timer in seconds, in the range of 100 to 300. This timer sets the interval that the access device waits for a response from a RADIUS server before it regards the RADIUS server unavailable. If the timer expires during MAC authentication, the user cannot access the network.
Description
Use the mac-authentication timer command to set the MAC authentication timers.
Use the undo mac-authentication timer command to restore the defaults.
By default, the offline detect timer is 300 seconds, the quiet timer is 60 seconds, and the server timeout timer is 100 seconds.
Related commands: display mac-authentication.
Examples
# Set the server timeout timer to 150 seconds.
<Sysname> system-view
[Sysname] mac-authentication timer server-timeout 150
mac-authentication user-name-format
Syntax
mac-authentication user-name-format { fixed [ account name ] [ password { cipher | simple } password ] | mac-address [ { with-hyphen | without-hyphen } [ lowercase | uppercase ] ] }
undo mac-authentication user-name-format
View
System view
Default level
2: System level
Parameters
fixed: Uses a shared account for all MAC authentication users.
account name: Specifies the username for the shared account. The name takes a case-insensitive string of 1 to 55 characters. If no username is specified, the default name mac applies.
password { cipher | simple } password: Specifies the password for the shared user account:
· The cipher option specifies an encrypted password, which is saved in cipher text. You can input a password of 1 to 63 characters in plain text, or of 24 or 88 characters in cipher text. A plain text password of no more than 16 characters is encrypted into a 24-character cipher text, and a plain text password of 16 to 63 characters is encrypted into an 88-character cipher text. The system treats a 24-character input as a cipher text password if it can decrypt it; otherwise, the system treats the input as a plain text password.
· The simple option specifies a plain text password. You can type a password of 1 to 63 characters only in plain text. The password is saved in plain text.
mac-address: Uses MAC-based user accounts for MAC authentication users. If this option is specified, you must create one user account for each user, and use the MAC address of the user as both the username and password for the account. You can also specify the format of username and password:
· with-hyphen—Hyphenates the MAC address, for example xx-xx-xx-xx-xx-xx.
· without-hyphen—Excludes hyphens from the MAC address, for example, xxxxxxxxxxxx.
· lowercase—Inputs letters in lower case.
· uppercase—Capitalizes letters.
Description
Use the mac-authentication user-name-format command to configure the type of user accounts for MAC authentication users.
Use the undo mac-authentication user-name-format command to restore the default.
By default, each user's MAC address is used as the username and password for MAC authentication, and letters must be input in lower case without hyphens.
MAC authentication supports the following types of user account:
· One MAC-based user account for each user. A user can pass MAC authentication only when its MAC address matches a MAC-based user account. This approach is suitable for an insecure environment.
· One shared user account for all users. Any user can pass MAC authentication on any MAC authentication enabled port. You can use this approach in a secure environment to limit network resources accessible to MAC authentication users, for example, by assigning an authorized ACL or VLAN for the shared account.
Related commands: display mac-authentication.
Examples
# Configure a shared account for MAC authentication users: set the username as abc and password as xyz, and display the password in plain text.
<Sysname> system-view
[Sysname] mac-authentication user-name-format fixed account abc password simple xyz
[Sysname] display this
#
mac-authentication user-name-format fixed account abc password simple xyz
#
# Configure a shared account for MAC authentication users: set the username as abc and password as xyz, and display the password in cipher text.
<Sysname> system-view
[Sysname] mac-authentication user-name-format fixed account abc password cipher xyz
[Sysname] display this
#
mac-authentication user-name-format fixed account abc password cipher 5Q4$,*^18N'Q=^Q`MAF4<1!!
#
# Configure a shared account for MAC authentication users: set the username as abc and password as 5Q4$,*^18N'Q=^Q`MAF4<1!!, and display the password in cipher text.
<Sysname> system-view
[Sysname] mac-authentication user-name-format fixed account abc password cipher 5Q4$,*^18N'Q=^Q`MAF4<1!!
# Use MAC-based user accounts for MAC authentication users, with each MAC address hyphenated and in upper case.
<Sysname> system-view
[Sysname] mac-authentication user-name-format mac-address with-hyphen uppercase
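With MAC-based accounts, every username and password on the authentication server must match the exact format the switch sends, so a mismatch between the configured user-name-format and the server entries makes all users fail. The following added example (not from the command reference) derives the hyphen and case options from the configured command line, normalizes MAC addresses written in any common notation, and emits server entries in the FreeRADIUS users-file syntax, which is an assumption of this example rather than something the page specifies.

```python
import re

VALID_OPTIONS = {"with-hyphen", "without-hyphen", "lowercase", "uppercase"}


def options_from_config(config_line):
    """Derive (with_hyphen, uppercase) from a 'mac-authentication user-name-format
    mac-address ...' line; omitted options use the documented defaults
    (no hyphens, lower case)."""
    words = config_line.split()
    if words[:3] != ["mac-authentication", "user-name-format", "mac-address"]:
        raise ValueError("not a MAC-based user-name-format line")
    unknown = set(words[3:]) - VALID_OPTIONS
    if unknown:
        raise ValueError(f"unknown option(s): {sorted(unknown)}")
    return "with-hyphen" in words, "uppercase" in words


def mac_auth_credential(mac, with_hyphen=False, uppercase=False):
    """Return the username (the password is identical) the switch submits for a
    MAC-based account, accepting colon, hyphen, dotted or bare input notation."""
    if not re.fullmatch(r"[0-9A-Fa-f:.\-]+", mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.upper() if uppercase else digits.lower()
    if with_hyphen:
        digits = "-".join(digits[i:i + 2] for i in range(0, 12, 2))
    return digits


def radius_users_entries(macs, config_line):
    """Entries in the FreeRADIUS 'users' file syntax (an assumption of this
    example), with username and password formatted exactly as the switch sends them."""
    with_hyphen, uppercase = options_from_config(config_line)
    entries = []
    for mac in macs:
        cred = mac_auth_credential(mac, with_hyphen, uppercase)
        entries.append(f'{cred}\tCleartext-Password := "{cred}"')
    return entries
```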
reset mac-authentication statistics
Syntax
reset mac-authentication statistics [ interface interface-list ]
View
User view
Default level
2: System level
Parameters
interface interface-list: Specifies a port list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. The start port and end port of a port range must be of the same type and the end port number must be greater than the start port number. A port range defined without the to interface-type interface-number portion comprises only one port.
Description
Use the reset mac-authentication statistics command to clear MAC authentication statistics.
If no port list is specified, the command clears all global and port-specific MAC authentication statistics. If a port list is specified, the command clears the MAC authentication statistics on the specified ports.
Related commands: display mac-authentication.
Examples
# Clear MAC authentication statistics on port GigabitEthernet 3/0/1.
<Sysname> reset mac-authentication statistics interface GigabitEthernet 3/0/1