07-Security Command Reference

02-802.1X Commands

802.1X commands

display dot1x

Use display dot1x to display information about 802.1X.

Syntax

display dot1x [ sessions | statistics ] [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

sessions: Displays 802.1X session information.

statistics: Displays 802.1X statistics.

interface interface-list: Specifies a port list, which can contain multiple ports. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } & <1-10>, where interface-type represents the port type, interface-number represents the port number, and & <1-10> means that you can provide up to 10 ports or port ranges. The start port number must be smaller than the end port number, and the two ports must be of the same type.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Usage guidelines

If you do not specify the sessions or statistics keyword, the command displays all information about 802.1X, including session information, statistics, and configurations.

Examples

# Display all information about 802.1X.

<Sysname> display dot1x
 Equipment 802.1X protocol is enabled
 EAP authentication is enabled
 Proxy trap checker is disabled
 Proxy logoff checker is disabled

 Configuration: Transmit Period   30 s,  Handshake Period       15 s
                Quiet Period      60 s,  Quiet Period Timer is disabled
                Supp Timeout      30 s,  Server Timeout        100 s
                Reauth Period   3600 s
                The maximal retransmitting times    2

 The maximum 802.1X user resource number is 20480 per slot
 Total current used 802.1X resource number is 1

 Ten-GigabitEthernet1/0/1  is link-up
   802.1X protocol is disabled
   Proxy trap checker is   disabled
   Proxy logoff checker is disabled
   Handshake is enabled
   Handshake secure is disabled
   802.1X unicast-trigger is disabled
   Periodic reauthentication is disabled
   The port is an authenticator
   Authentication Mode is Auto
   Port Control Type is Mac-based
   802.1X Multicast-trigger is enabled
   Mandatory authentication domain: NOT configured
   Guest VLAN: NOT configured
   Auth-Fail VLAN: NOT configured
   Critical VLAN: NOT configured
   Critical recovery-action: NOT configured
   Max number of on-line users is 20480

   EAPOL Packet: Tx 0, Rx 0
   Sent EAP Request/Identity Packets : 0
        EAP Request/Challenge Packets: 0
        EAP Request/Challenge Packets: 0
   Received EAPOL Start Packets : 0
            EAPOL LogOff Packets: 0
            EAP Response/Identity Packets : 0
            EAP Response/Challenge Packets: 0
            Error Packets: 0

   Controlled User(s) amount to 0

 Ten-GigabitEthernet1/0/2  is link-up
   802.1X protocol is disabled
   Proxy trap checker is   disabled
   Proxy logoff checker is disabled
   Handshake is enabled
   Handshake secure is disabled
   802.1X unicast-trigger is disabled
   Periodic reauthentication is disabled
   The port is an authenticator
   Authentication Mode is Auto
   Port Control Type is Mac-based
   802.1X Multicast-trigger is enabled
   Mandatory authentication domain: NOT configured
   Guest VLAN: NOT configured
   Auth-Fail VLAN: NOT configured
   Critical VLAN: NOT configured
   Critical recovery-action: NOT configured
   Max number of on-line users is 20480

   EAPOL Packet: Tx 0, Rx 0
   Sent EAP Request/Identity Packets : 0
        EAP Request/Challenge Packets: 0
        EAP Request/Challenge Packets: 0
   Received EAPOL Start Packets : 0
            EAPOL LogOff Packets: 0
            EAP Response/Identity Packets : 0
            EAP Response/Challenge Packets: 0
            Error Packets: 0

   Controlled User(s) amount to 0

 WLAN-ESS1  is link-up
   802.1X protocol is disabled
   Proxy trap checker is   disabled
   Proxy logoff checker is disabled
   Handshake is enabled
   Handshake secure is disabled
   802.1X unicast-trigger is disabled
   Periodic reauthentication is disabled
   The port is an authenticator
   Authentication Mode is Auto
   Port Control Type is Mac-based
   802.1X Multicast-trigger is enabled
   Mandatory authentication domain: NOT configured
   Guest VLAN: NOT configured
   Auth-Fail VLAN: NOT configured
   Critical VLAN: NOT configured
   Critical recovery-action: NOT configured
   Max number of on-line users is 20480

   EAPOL Packet: Tx 0, Rx 0
   Sent EAP Request/Identity Packets : 0
        EAP Request/Challenge Packets: 0
        EAP Request/Challenge Packets: 0
   Received EAPOL Start Packets : 0
            EAPOL LogOff Packets: 0
            EAP Response/Identity Packets : 0
            EAP Response/Challenge Packets: 0
            Error Packets: 0

   Controlled User(s) amount to 0

 WLAN-DBSS1:6826  is link-up
   802.1X protocol is disabled
   Proxy trap checker is   disabled
   Proxy logoff checker is disabled
   Handshake is enabled
   Handshake secure is disabled
   802.1X unicast-trigger is disabled
   Periodic reauthentication is disabled
   The port is an authenticator
   Authentication Mode is Auto
   Port Control Type is Mac-based
   802.1X Multicast-trigger is enabled
   Mandatory authentication domain: NOT configured
   Guest VLAN: NOT configured
   Auth-Fail VLAN: NOT configured
   Critical VLAN: NOT configured
   Critical recovery-action: NOT configured
   Max number of on-line users is 20480

   EAPOL Packet: Tx 0, Rx 0
   Sent EAP Request/Identity Packets : 0
        EAP Request/Challenge Packets: 0
        EAP Request/Challenge Packets: 0
   Received EAPOL Start Packets : 0
            EAPOL LogOff Packets: 0
            EAP Response/Identity Packets : 0
            EAP Response/Challenge Packets: 0
            Error Packets: 0

   Controlled User(s) amount to 0

Table 1 Command output

Equipment 802.1X protocol is enabled
    Whether 802.1X is enabled globally.
EAP authentication is enabled
    Whether EAP authentication is enabled.
Proxy trap checker is disabled
    The device does not send a trap when it detects that a user is accessing the network through a proxy.
Proxy logoff checker is disabled
    The device does not log off the user when it detects that the user is accessing the network through a proxy.
Transmit Period
    Username request timeout timer, in seconds.
Handshake Period
    Handshake timer, in seconds.
Reauth Period
    Periodic online user re-authentication timer, in seconds.
Quiet Period
    Quiet timer, in seconds.
Quiet Period Timer is disabled
    Status of the quiet timer. In this example, the quiet timer is disabled.
Supp Timeout
    Client timeout timer, in seconds.
Server Timeout
    Server timeout timer, in seconds.
The maximal retransmitting times
    Maximum number of attempts for sending an authentication request to a client.
The maximum 802.1X user resource number per slot
    Maximum number of concurrent 802.1X users on the device. The value depends on the device model. For more information, see About the H3C Access Controllers Command References.
Total current used 802.1X resource number
    Total number of online 802.1X users.
Ten-GigabitEthernet1/0/1 is link-up
    Status of the port. In this example, Ten-GigabitEthernet 1/0/1 is up.
802.1X protocol is disabled
    Whether 802.1X is enabled on the port.
Proxy trap checker is disabled
    The device does not send a trap when it detects that a user is accessing the network through a proxy.
Proxy logoff checker is disabled
    The device does not log off a user when it detects that the user is accessing the network through a proxy.
Handshake is disabled
    Whether the online user handshake feature is enabled on the port.
Handshake secure is disabled
    Whether handshake security is enabled on the port.
802.1X unicast-trigger is disabled
    Whether the unicast trigger is enabled on the port.
Periodic reauthentication is disabled
    Whether periodic online user re-authentication is enabled on the port.
The port is an authenticator
    Role of the port.
Authentication Mode is Auto
    Authorization state of the port.
Port Control Type is Port-based
    Access control method of the port.
802.1X Multicast-trigger is enabled
    Whether the 802.1X multicast-trigger feature is enabled.
Mandatory authentication domain
    Mandatory authentication domain on the port.
Guest VLAN
    802.1X guest VLAN configured on the port. NOT configured is displayed if no guest VLAN is configured.
Auth-Fail VLAN
    Auth-Fail VLAN configured on the port. NOT configured is displayed if no Auth-Fail VLAN is configured.
Critical VLAN
    802.1X critical VLAN configured on the port. This field always displays NOT configured, because the device does not support 802.1X critical VLANs in the current release.
Critical recovery-action
    Action that the port takes when it detects that an authentication server has become reachable for the 802.1X users in the critical VLAN:
    ·     Reinitialize—The port triggers authentication.
    ·     NOT configured—The port does not trigger authentication.
    This field always displays NOT configured, because the device does not support 802.1X critical recovery actions in the current release.
Max number of on-line users
    Maximum number of concurrent 802.1X users on the port. The value varies with devices. For more information, see About the H3C Access Controllers Command References.
EAPOL Packet
    Number of sent (Tx) and received (Rx) EAPOL packets.
Sent EAP Request/Identity Packets
    Number of sent EAP-Request/Identity packets.
EAP Request/Challenge Packets
    Number of sent EAP-Request/Challenge packets.
EAP Success Packets
    Number of sent EAP-Success packets.
Fail Packets
    Number of sent EAP-Failure packets.
Received EAPOL Start Packets
    Number of received EAPOL-Start packets.
EAPOL LogOff Packets
    Number of received EAPOL-LogOff packets.
EAP Response/Identity Packets
    Number of received EAP-Response/Identity packets.
EAP Response/Challenge Packets
    Number of received EAP-Response/Challenge packets.
Error Packets
    Number of received error packets.
Authenticated user
    User that has passed 802.1X authentication.
Controlled User(s) amount
    Number of authenticated users on the port.

 

Related commands

·     reset dot1x statistics

·     dot1x retry

·     dot1x max-user

·     dot1x port-control

·     dot1x port-method

·     dot1x timer
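
The output above is meant to be read by an operator, but it is also the quickest way to audit a large number of ports. The following Python script is an added example, not code from the H3C manual: it parses the text that display dot1x prints into per-port dictionaries and flags the settings a defender would normally review (802.1X disabled on a port, handshake security off, periodic re-authentication off, and a guest or Auth-Fail VLAN on a port that is not MAC-based, which the manual says is required for those VLANs). The sample text is constructed from the manual's example and shortened; the WLAN-ESS1 block is made up so that the checks have something to report. Function names and the audit rules are this example's own.

```python
"""Audit helper for the text printed by the H3C `display dot1x` command.

Added example, not code from the H3C manual. The sample output is constructed
from the manual's example (shortened); the WLAN-ESS1 block is invented.
"""
import re

SAMPLE_OUTPUT = """\
 Equipment 802.1X protocol is enabled
 EAP authentication is enabled
 Proxy trap checker is disabled
 Proxy logoff checker is disabled

 Configuration: Transmit Period   30 s,  Handshake Period       15 s
                Quiet Period      60 s,  Quiet Period Timer is disabled
                Supp Timeout      30 s,  Server Timeout        100 s
                Reauth Period   3600 s
                The maximal retransmitting times    2

 The maximum 802.1X user resource number is 20480 per slot
 Total current used 802.1X resource number is 1

 Ten-GigabitEthernet1/0/1  is link-up
   802.1X protocol is disabled
   Handshake is enabled
   Handshake secure is disabled
   Periodic reauthentication is disabled
   The port is an authenticator
   Authentication Mode is Auto
   Port Control Type is Mac-based
   Guest VLAN: NOT configured
   Auth-Fail VLAN: NOT configured
   Max number of on-line users is 20480

   EAPOL Packet: Tx 0, Rx 0
   Sent EAP Request/Identity Packets : 0

   Controlled User(s) amount to 0

 WLAN-ESS1  is link-up
   802.1X protocol is enabled
   Handshake is enabled
   Handshake secure is enabled
   Periodic reauthentication is disabled
   The port is an authenticator
   Authentication Mode is Auto
   Port Control Type is Port-based
   Guest VLAN: 3
   Auth-Fail VLAN: NOT configured
   Max number of on-line users is 20480

   Controlled User(s) amount to 12
"""

PORT_HEADER = re.compile(r"^\s*(\S+)\s+is link-(up|down)\s*$")
COLON_FIELD = re.compile(r"^\s*(.+?)\s*:\s*(.+?)\s*$")      # "Guest VLAN: 3"
IS_FIELD = re.compile(r"^\s*(.+?) is (.+?)\s*$")             # "Handshake is enabled"
USER_COUNT = re.compile(r"^\s*Controlled User\(s\) amount to (\d+)\s*$")
TIMER = re.compile(r"(Transmit Period|Handshake Period|Quiet Period|Supp Timeout"
                   r"|Server Timeout|Reauth Period)\s+(\d+) s")
RETRY = re.compile(r"The maximal retransmitting times\s+(\d+)")


def parse_dot1x(text):
    """Return (global_settings, ports); ports maps interface name -> field dict."""
    glob, ports, current = {}, {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = PORT_HEADER.match(line)
        if m:
            current = ports.setdefault(m.group(1), {"link": m.group(2)})
            continue
        if current is None:
            # Global section: several timers share one comma-separated line.
            for frag in line.split(","):
                t, r, f = TIMER.search(frag), RETRY.search(frag), IS_FIELD.match(frag)
                if t:
                    glob[t.group(1)] = int(t.group(2))
                elif r:
                    glob["max retransmissions"] = int(r.group(1))
                elif f:
                    glob[f.group(1)] = f.group(2)
            continue
        m = USER_COUNT.match(line)
        if m:
            current["online users"] = int(m.group(1))
            continue
        m = COLON_FIELD.match(line) or IS_FIELD.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    return glob, ports


def audit_ports(ports):
    """Per-port findings, as (interface, message) tuples; rules are this example's own."""
    findings = []
    for name, p in sorted(ports.items()):
        if p.get("802.1X protocol") != "enabled":
            findings.append((name, "802.1X is disabled on this port"))
            continue  # the remaining checks only matter when 802.1X is on
        if p.get("Handshake secure") != "enabled":
            findings.append((name, "online user handshake security is disabled"))
        if p.get("Periodic reauthentication") != "enabled":
            findings.append((name, "periodic re-authentication is disabled"))
        for vlan in ("Guest VLAN", "Auth-Fail VLAN"):
            # The manual: guest and Auth-Fail VLANs work only with MAC-based access control.
            if p.get(vlan, "NOT configured") != "NOT configured" and p.get("Port Control Type") != "Mac-based":
                findings.append((name, f"{vlan} needs MAC-based access control"))
    return findings


if __name__ == "__main__":
    settings, port_table = parse_dot1x(SAMPLE_OUTPUT)
    print("reauth period:", settings.get("Reauth Period"), "s")
    for iface, msg in audit_ports(port_table):
        print(f"{iface}: {msg}")
```

Feed the script the saved output of display dot1x from a real controller (without the sessions or statistics keyword, so that the per-port configuration is included) and extend audit_ports with the baseline your own policy requires.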

display dot1x synchronization

Use display dot1x synchronization to display stateful failover information for 802.1X sessions.

Syntax

display dot1x synchronization { connection | statistics | status } [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

connection: Displays stateful failover information for all 802.1X sessions.

statistics: Displays 802.1X stateful failover message statistics.

status: Displays the 802.1X stateful failover state of interfaces. "Both running" indicates that 802.1X stateful failover is running correctly between a pair of failover interfaces. For more information about other states, see Table 3.

interface interface-type interface-number: Displays stateful failover information for 802.1X sessions on the interface specified by its type and number. If you do not specify an interface, the command displays information for all interfaces; for statistics, it displays the total number of 802.1X stateful failover packets sent and received by the device as well as the message statistics for each interface.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Usage guidelines

Support for this command depends on the device model. For more information, see About the H3C Access Controllers Command References.

The system typically sends multiple 802.1X stateful failover messages in one packet to the failover peer. As a result, the sum of stateful failover messages sent and received on each interface might be greater than the total number of stateful failover packets sent and received by the device.

Examples

# Display stateful failover information for all 802.1X sessions.

<Sysname> display dot1x synchronization connection
WLAN-DBSS1:1 has 1 connection(s)
MAC            AAA Link-Status Auth-Status
0000-0007-0001  Y  Active      Authenticated(9)
WLAN-DBSS1:2 has 1 connection(s)
MAC            AAA Link-Status Auth-Status
0000-0008-0001  Y   Active      Authenticated(9)

# Display stateful failover information for 802.1X sessions on interface WLAN-DBSS 1:2.

<Sysname> display dot1x synchronization connection interface WLAN-DBSS1:2
WLAN-DBSS1:2 has 2 connection(s)
MAC            AAA Link-Status Auth-Status
0000-0008-0001  Y   Active     Authenticated(5)
0000-0008-0002  Y   Standby    Authenticated(5)

Table 2 Command output

WLAN-DBSS1:1 has 1 connection(s)
    Number of 802.1X sessions on a WLAN-DBSS interface. In the sample output, one 802.1X session is present on port WLAN-DBSS 1:1.
MAC
    MAC address of the 802.1X user.
AAA
    Whether the user has initiated AAA authentication:
    ·     Y—AAA authentication is successfully initiated.
    ·     N—AAA authentication is not initiated by the user. For example, a WLAN Only11Key user cannot initiate AAA authentication.
Link-Status
    Failover state of the physical access link for the 802.1X user:
    ·     Active—The link is the primary link.
    ·     Standby—The link is the secondary link.
Auth-Status
    802.1X user authentication state:
    ·     Authenticating—The 802.1X user is being authenticated.
    ·     Authenticated—The 802.1X user has been authenticated and is online.
    ·     Quiet—The 802.1X user has failed authentication and cannot initiate 802.1X authentication during the quiet timer period.
    ·     Deauthenticating—The 802.1X user is logging off.
    ·     GuestVlan—The 802.1X user is in the guest VLAN.
    The bracketed value that follows the authentication state is an internal value used by H3C technicians for troubleshooting.

 

# Display the 802.1X stateful failover state of each interface.

<Sysname> display dot1x synchronization status
WLAN-ESS0       : Not Configured
WLAN-ESS1       : Configured
WLAN-ESS2       : Ready
WLAN-ESS3       : Local running
WLAN-DBSS3:1    : Local running
WLAN-ESS4       : Both running
WLAN-DBSS4:1    : Both running

# Display the 802.1X stateful failover state of WLAN-DBSS 3:1.

<Sysname> display dot1x synchronization status interface WLAN-DBSS3:1
WLAN-DBSS3:1    : Local running

Table 3 Command output

Not Configured
    802.1X stateful failover (port-security synchronization) is not enabled on the interface.
Configured
    802.1X stateful failover (port-security synchronization) is enabled on the interface, but the rest of the 802.1X stateful failover configuration is incomplete. For example, the port security mode is incorrect.
Ready
    The interface is ready for 802.1X stateful failover, but it is not available for one of the following reasons:
    ·     The interface is down.
    ·     The interface is removed.
    ·     The interface is being removed.
    ·     802.1X is being disabled.
    ·     The stateful failover (DHBK) state is not synchronized between the current system and the peer system.
Local running
    The local interface is available and its 802.1X stateful failover feature is running. However, the peer interface's 802.1X stateful failover configuration is incomplete or incorrect.
Both running
    802.1X stateful failover is running correctly on the local and peer failover interfaces.

 

# Display 802.1X stateful failover message and packet statistics.

<Sysname> display dot1x synchronization statistics
Backup Packet Statistics total
Send-packets   Send-fail      Recv-packets
10             0              4
Backup Message Statistics on interface WLAN-DBSS1:1
Msg-Name                  SendTotal      RcvTotal
MSG_USR_BACKUP            26             1
MSG_USR_DETELE            24             0
MSG_REQ_BATCH             1              1
MSG_UPDATE_USRIP          0              0
MSG_USR_COMPARE           0              0
MSG_NTF_STATUS            3              2
MSG_REQ_USER              0              0
MSG_DEL_ACK               0              24
Backup Message Statistics on interface WLAN-DBSS1:2
Msg-Name                  SendTotal      RcvTotal
MSG_USR_BACKUP            0              0
MSG_USR_DETELE            0              0
MSG_REQ_BATCH             0              0
MSG_UPDATE_USRIP          0              0
MSG_USR_COMPARE           0              0
MSG_NTF_STATUS            0              0
MSG_REQ_USER              0              0
MSG_DEL_ACK               0              0

# Display 802.1X stateful failover message statistics for interface WLAN-DBSS 1:1.

<Sysname> display dot1x synchronization statistics interface WLAN-DBSS1:1
Backup Message Statistics on interface WLAN-DBSS1:1
Msg-Name                  SendTotal      RcvTotal
MSG_USR_BACKUP            26             1
MSG_USR_DETELE            24             0
MSG_REQ_BATCH             1              1
MSG_UPDATE_USRIP          0              0
MSG_USR_COMPARE           0              0
MSG_NTF_STATUS            3              2
MSG_REQ_USER              0              0
MSG_DEL_ACK               0              24

Table 4 Command output

Backup Packet Statistics total
    802.1X stateful failover packet statistics of the system.
Send-packets
    Number of sent 802.1X stateful failover packets.
Send-fail
    Number of 802.1X stateful failover packets that failed to be sent.
Recv-packets
    Number of received 802.1X stateful failover packets.
Backup Message Statistics on interface WLAN-DBSS1:1
    802.1X stateful failover message statistics for an interface. In this example, the interface is WLAN-DBSS 1:1.
Msg-Name
    Types of 802.1X stateful failover messages:
    ·     MSG_USR_BACKUP—Notifies the peer interface to synchronize the user information.
    ·     MSG_USR_DETELE—Notifies the peer interface to delete the user.
    ·     MSG_REQ_BATCH—Requests the peer interface to synchronize user information in batch.
    ·     MSG_UPDATE_USRIP—Notifies the peer interface to update the user information.
    ·     MSG_USR_COMPARE—Notifies the peer interface to compare the user list.
    ·     MSG_NTF_STATUS—Notifies the peer interface of the local stateful failover status.
    ·     MSG_REQ_USER—Notifies the peer interface to back up the information of a specific user.
    ·     MSG_DEL_ACK—Acknowledgement for the MSG_USR_DETELE message.
SendTotal
    Number of messages sent on the interface, by message type.
RcvTotal
    Number of messages received on the interface, by message type.

 

Related commands

·     port-security synchronization enable

·     reset dot1x synchronization statistics
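
The connection table (Table 2) and the interface state list (Table 3) are the two outputs an operator checks when 802.1X stateful failover misbehaves. The following Python script is an added example, not H3C code: it parses both outputs, verifies that each interface block of the connection table really contains the number of rows its header announces, lists sessions that are not in the Authenticated state or never initiated AAA, and ranks interfaces that are not in the Both running state by the Table 3 ordering, attaching the reason the table gives for each state. Both samples are constructed from the manual's output; the Standby/Quiet row and the N in the AAA column are made up to exercise the checks. Function names and the reason strings are this example's own.

```python
"""Parsers for `display dot1x synchronization connection` and `... status`.

Added example, not H3C code. The samples are constructed from the manual's
output (the Standby/Quiet row and the AAA value N are invented).
"""
import re

# Table 3 states, ordered from least to most ready, with the table's reasons.
STATE_ORDER = ["Not Configured", "Configured", "Ready", "Local running", "Both running"]
STATE_HINT = {
    "Not Configured": "port-security synchronization is not enabled on the interface",
    "Configured": "local stateful failover configuration incomplete (for example, port security mode)",
    "Ready": "interface down or being removed, 802.1X being disabled, or DHBK state not synchronized",
    "Local running": "peer interface's stateful failover configuration incomplete or incorrect",
}
AUTH_STATES = {"Authenticating", "Authenticated", "Quiet", "Deauthenticating", "GuestVlan"}

SAMPLE_CONNECTION = """\
WLAN-DBSS1:1 has 1 connection(s)
MAC            AAA Link-Status Auth-Status
0000-0007-0001  Y  Active      Authenticated(9)
WLAN-DBSS1:2 has 2 connection(s)
MAC            AAA Link-Status Auth-Status
0000-0008-0001  Y   Active     Authenticated(5)
0000-0008-0002  N   Standby    Quiet(3)
"""

SAMPLE_STATUS = """\
WLAN-ESS0       : Not Configured
WLAN-ESS1       : Configured
WLAN-ESS2       : Ready
WLAN-ESS3       : Local running
WLAN-DBSS3:1    : Local running
WLAN-ESS4       : Both running
WLAN-DBSS4:1    : Both running
"""

CONN_HEADER = re.compile(r"^\s*(\S+) has (\d+) connection\(s\)\s*$")
CONN_ROW = re.compile(r"^\s*([0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4})\s+([YN])\s+"
                      r"(Active|Standby)\s+(\w+)\((\d+)\)\s*$")
STATUS_ROW = re.compile(r"^\s*(\S+)\s*:\s*(.+?)\s*$")


def parse_connections(text):
    """Return one dict per session; raise if a block's row count disagrees with its header."""
    sessions, iface, declared, seen = [], None, 0, 0
    for line in text.splitlines() + ["sentinel has 0 connection(s)"]:
        h = CONN_HEADER.match(line)
        if h:
            if iface is not None and seen != declared:
                raise ValueError(f"{iface}: header says {declared} session(s), found {seen}")
            iface, declared, seen = h.group(1), int(h.group(2)), 0
            continue
        r = CONN_ROW.match(line)
        if r and iface is not None:
            mac, aaa, link, auth, code = r.groups()
            if auth not in AUTH_STATES:
                raise ValueError(f"{iface}: unknown Auth-Status {auth!r}")
            sessions.append({"iface": iface, "mac": mac.lower(), "aaa": aaa == "Y",
                             "link": link, "auth": auth, "code": int(code)})
            seen += 1
    return sessions


def review_sessions(sessions):
    """Sessions worth a look: AAA never initiated, or not in the Authenticated state."""
    notes = []
    for s in sessions:
        if not s["aaa"]:
            notes.append((s["iface"], s["mac"], "AAA authentication not initiated"))
        if s["auth"] != "Authenticated":
            notes.append((s["iface"], s["mac"], f"state is {s['auth']}"))
    return notes


def parse_status(text):
    """Map interface name -> Table 3 state."""
    states = {}
    for line in text.splitlines():
        m = STATUS_ROW.match(line)
        if m:
            iface, state = m.groups()
            if state not in STATE_ORDER:
                raise ValueError(f"{iface}: unknown state {state!r}")
            states[iface] = state
    return states


def degraded_interfaces(states):
    """Interfaces not in Both running, worst first, each with the Table 3 reason."""
    bad = [(i, s) for i, s in states.items() if s != "Both running"]
    bad.sort(key=lambda pair: STATE_ORDER.index(pair[1]))
    return [(i, s, STATE_HINT[s]) for i, s in bad]


if __name__ == "__main__":
    for note in review_sessions(parse_connections(SAMPLE_CONNECTION)):
        print("session:", *note)
    for entry in degraded_interfaces(parse_status(SAMPLE_STATUS)):
        print("interface:", *entry)
```

Because the device batches several stateful failover messages into one packet, message counts from the statistics output cannot be reconciled with packet counts one for one; the connection and status views above are the ones to compare between the two failover peers.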

dot1x accounting-delay

Use dot1x accounting-delay to enable accounting delay for 802.1X users on an interface.

Use undo dot1x accounting-delay to restore the default.

Syntax

dot1x accounting-delay [ logoff | time time ] *

undo dot1x accounting-delay

Default

The accounting delay feature is disabled. The device sends an accounting request to the accounting server for an 802.1X user immediately after the user passes authentication, regardless of whether it has obtained the user's IP address.

Views

Interface view

Default command level

2: System level

Parameters

logoff: Cancels the accounting procedure for an 802.1X user if the device fails to get the user's IP address within the delay time. As a result, the user cannot get online. If this option is not specified, the device sends an accounting request when the delay time is reached.

time time: Specifies a delay time in seconds. The value range for the time argument is 1 to 600. If no delay time is specified, a 10-second delay applies.

Usage guidelines

The accounting delay feature enables the device to delay sending the accounting request for an authenticated 802.1X user. If the device gets the user's IP address within the delay period, it includes the IP address in the accounting request and starts the accounting process for the user. If the device fails to get the user's IP address, it starts the accounting process or logs off the user depending on your configuration.

H3C recommends that you enable the accounting delay feature when the following conditions exist:

·     802.1X users obtain IP addresses through DHCP.

·     The accounting server requires user IP addresses for accounting management.

Set the delay depending on how long it takes for users to obtain an IP address on your network.

Examples

# On interface WLAN-ESS 1, configure a 15-second accounting delay for 802.1X users and enable the device to perform the logoff action when the delay expires.

<Sysname> system-view

[Sysname] interface wlan-ess 1

[Sysname-WLAN-ESS1] dot1x accounting-delay logoff time 15

dot1x authentication-method

Use dot1x authentication-method to specify an EAP message handling method.

Use undo dot1x authentication-method to restore the default.

Syntax

dot1x authentication-method { chap | eap | pap }

undo dot1x authentication-method

Default

The network access device performs EAP termination and uses CHAP to communicate with the RADIUS server.

Views

System view

Default command level

2: System level

Parameters

chap: Sets the access device to perform EAP termination and use the CHAP to communicate with the RADIUS server.

eap: Sets the access device to relay EAP packets; any EAP authentication method can then be used with the RADIUS server.

pap: Sets the access device to perform EAP termination and use the Password Authentication Protocol (PAP) to communicate with the RADIUS server.

Usage guidelines

The network access device terminates or relays EAP packets:

·     In EAP termination mode—The access device re-encapsulates the authentication data from the client in standard RADIUS packets and sends them to the RADIUS server. It performs either CHAP or PAP authentication with the RADIUS server. In this mode, the RADIUS server supports only MD5-Challenge EAP authentication and the "username+password" EAP authentication initiated by an iNode client.

¡     PAP transports usernames and passwords in clear text. This method applies to scenarios that do not require high security. To use PAP, the client must be an H3C iNode 802.1X client.

¡     CHAP transports the username in plaintext and the password in encrypted form over the network. It is more secure than PAP.

·     In EAP relay mode—The access device relays EAP messages between the client and the RADIUS server. EAP relay mode supports multiple EAP authentication methods, such as MD5-Challenge, EAP-TLS, and PEAP. To use this mode, make sure the RADIUS server supports the EAP-Message and Message-Authenticator attributes and uses the same EAP authentication method as the client. In this mode, the user-name-format command configured in RADIUS scheme view does not take effect. For more information about the user-name-format command, see "RADIUS configuration commands."

Local authentication supports PAP, CHAP, and EAP.

If RADIUS authentication is used, you must configure the network access device to use the same authentication method (PAP, CHAP, or EAP) as the RADIUS server.
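
What "EAP termination" and "EAP relay" mean on the wire is easier to see in code than in prose. The following Python script is an added example, not H3C code and not a description of the device's implementation: it models the three settings of dot1x authentication-method with the standard algorithms the modes rely on. For chap, the device takes the client's EAP-MD5 answer, MD5(Identifier || password || challenge) per RFC 3748 and RFC 1994, and forwards it as RADIUS CHAP-Password and CHAP-Challenge attributes (RFC 2865), which the server can only check if it holds the cleartext password; for pap, the device receives the cleartext password from the client and hides it in User-Password with the RFC 2865 MD5 keystream before sending it to the server; for eap, the device wraps the raw EAP packet in EAP-Message attributes and seals the request with Message-Authenticator, the HMAC-MD5 from RFC 2869 that the manual says the server must support. Passwords, the shared secret, the username alice and all function names are constructed for the example.

```python
"""EAP termination (chap, pap) versus EAP relay (eap) on an 802.1X access device.

Added example, not H3C code: standard RFC 1994 / 2865 / 2869 algorithms only;
passwords, secret and names are constructed.
"""
import hashlib
import hmac
import os
import struct

USER_PASSWORD, CHAP_PASSWORD, CHAP_CHALLENGE = 2, 3, 60        # RADIUS attribute types
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80


def eap_md5_response(ident, password, challenge):
    """EAP-MD5 (and CHAP) response value: MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def terminate_as_chap(ident, response, challenge):
    """chap mode: the client's EAP-MD5 answer becomes CHAP-Password (ident + 16-byte
    response) and CHAP-Challenge; the EAP exchange ends at the access device."""
    return {CHAP_PASSWORD: bytes([ident]) + response, CHAP_CHALLENGE: challenge}


def radius_chap_verify(attrs, password):
    """Server side: the server must hold the cleartext password to recompute the hash."""
    ident, resp = attrs[CHAP_PASSWORD][0], attrs[CHAP_PASSWORD][1:]
    return hmac.compare_digest(eap_md5_response(ident, password, attrs[CHAP_CHALLENGE]), resp)


def _xor_stream(data, secret, authenticator, chain_output):
    """RFC 2865 5.2: block i is XORed with MD5(secret || previous ciphertext block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = block if chain_output else data[i:i + 16]
    return out


def terminate_as_pap(password, secret, authenticator):
    """pap mode: the cleartext password from the client is padded to a multiple of
    16 bytes and hidden for the RADIUS server with the shared secret."""
    padded = (password + b"\x00" * 16)[:max(16, -(-len(password) // 16) * 16)]
    return {USER_PASSWORD: _xor_stream(padded, secret, authenticator, True)}


def radius_pap_recover(attrs, secret, authenticator):
    return _xor_stream(attrs[USER_PASSWORD], secret, authenticator, False).rstrip(b"\x00")


def _encode(attrs):
    return b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)


def relay_access_request(radius_id, authenticator, eap_packet, secret):
    """eap mode: raw EAP goes into EAP-Message attributes (253 bytes max each) and the
    request carries Message-Authenticator = HMAC-MD5(secret, packet with that value zeroed)."""
    attrs = [(EAP_MESSAGE, eap_packet[i:i + 253]) for i in range(0, len(eap_packet), 253)]
    body = _encode(attrs + [(MESSAGE_AUTHENTICATOR, b"\x00" * 16)])
    header = struct.pack("!BBH", 1, radius_id, 20 + len(body)) + authenticator  # Access-Request
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + _encode(attrs + [(MESSAGE_AUTHENTICATOR, mac)])


def radius_check_message_authenticator(packet, secret):
    """Server side: fails on a wrong shared secret or any change to the EAP-Message bytes."""
    header, body, pos, rebuilt, found = packet[:20], packet[20:], 0, b"", None
    while pos + 2 <= len(body):
        t, length = body[pos], body[pos + 1]
        if length < 2:
            return False
        value = body[pos + 2:pos + length]
        if t == MESSAGE_AUTHENTICATOR:
            found, value = value, b"\x00" * 16
        rebuilt += bytes([t, length]) + value
        pos += length
    expected = hmac.new(secret, header + rebuilt, hashlib.md5).digest()
    return found is not None and hmac.compare_digest(expected, found)


def demo(password=b"s3cret-pw", secret=b"radius-shared-secret", ident=7):
    """Run the three paths end to end and report which server-side checks pass."""
    challenge, authenticator = os.urandom(16), os.urandom(16)
    response = eap_md5_response(ident, password, challenge)   # computed by the supplicant
    chap, pap = terminate_as_chap(ident, response, challenge), terminate_as_pap(password, secret, authenticator)
    # EAP-Response/MD5-Challenge: code 2, ident, length, type 4, value-size, value, name
    payload = bytes([4, 16]) + response + b"alice"
    eap = struct.pack("!BBH", 2, ident, 4 + len(payload)) + payload
    req = relay_access_request(1, authenticator, eap, secret)
    tampered = req[:22] + bytes([req[22] ^ 0x01]) + req[23:]  # flip the first EAP byte
    return {
        "chap_ok": radius_chap_verify(chap, password),
        "chap_wrong_password": radius_chap_verify(chap, b"guess"),
        "pap_roundtrip": radius_pap_recover(pap, secret, authenticator) == password,
        "relay_ok": radius_check_message_authenticator(req, secret),
        "relay_wrong_secret": radius_check_message_authenticator(req, b"other"),
        "relay_tampered": radius_check_message_authenticator(tampered, secret),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The two termination paths show why the manual ties them to specific clients and servers: CHAP only works when the RADIUS server stores passwords it can feed to MD5, and PAP depends entirely on the shared secret for protecting the password between the access device and the server. Relay mode moves the whole EAP conversation to the server, which is why the server must implement EAP-Message and Message-Authenticator and why the device's own user-name-format setting no longer applies.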

Examples

# Enable the access device to terminate EAP packets and perform PAP authentication with the RADIUS server.

<Sysname> system-view

[Sysname] dot1x authentication-method pap

Related commands

display dot1x

dot1x auth-fail vlan

Use dot1x auth-fail vlan to configure an Auth-Fail VLAN on a port for users that have failed 802.1X authentication because they did not comply with the organization's security policy, for example, by entering a wrong password.

Use undo dot1x auth-fail vlan to restore the default.

Syntax

dot1x auth-fail vlan authfail-vlan-id

undo dot1x auth-fail vlan

Default

No Auth-Fail VLAN is configured on a port.

Views

Layer 2 Ethernet interface view, WLAN-ESS interface view

Default command level

2: System level

Parameters

authfail-vlan-id: Specifies the ID of the Auth-Fail VLAN for the port, in the range of 1 to 4094. Make sure that the VLAN has been created.

Usage guidelines

Auth-Fail VLAN is supported only on ports that implement MAC-based access control. You must enable MAC-based VLAN for an Auth-Fail VLAN to take effect on a port that performs MAC-based access control.

When you change the access control method from MAC-based to port-based on a port that carries an Auth-Fail VLAN, the mappings between MAC addresses and the 802.1X Auth-Fail VLAN are removed. You can use the display mac-vlan command to display MAC-to-VLAN mappings.

To delete a VLAN that has been configured as an Auth-Fail VLAN, you must remove the Auth-Fail VLAN configuration first.

You can configure both an Auth-Fail VLAN and a guest VLAN for a port.

Examples

# Configure VLAN 3 as the Auth-Fail VLAN for WLAN-ESS 1.

<Sysname> system-view

[Sysname] interface wlan-ess 1

[Sysname-WLAN-ESS1] dot1x auth-fail vlan 3

Related commands

dot1x port-method

dot1x domain-delimiter

Use dot1x domain-delimiter to specify a set of domain name delimiters supported by the access device. You can use any character in the configured set as the domain name delimiter for 802.1X authentication users.

Use undo dot1x domain-delimiter to restore the default.

Syntax

dot1x domain-delimiter string

undo dot1x domain-delimiter

Default

The access device supports only the at sign (@) delimiter for 802.1X users.

Views

System view

Default command level

2: System level

Parameters

string: Specifies a set of 1 to 16 domain name delimiters for 802.1X users. No space is required between delimiters. Available delimiters are the at sign (@), the backslash (\), and the forward slash (/).

Usage guidelines

The delimiter set you configured overrides the default setting. If @ is not included in the delimiter set, the access device does not support the 802.1X users that use @ as the domain name delimiter.

If a username string contains multiple configured delimiters, the leftmost delimiter is the domain name delimiter. For example, if you configure @, /, and \ as delimiters, the domain name delimiter for the username string 123/22\@abc is the forward slash (/).

The cut connection user-name user-name and display connection user-name user-name commands are not available for 802.1X users that use / or \ as the domain name delimiter. For more information about the two commands, see "AAA configuration commands."

Examples

# Specify the characters @, /, and \ as domain name delimiters.

<Sysname> system-view

[Sysname] dot1x domain-delimiter @\/

dot1x guest-vlan

Use dot1x guest-vlan to configure an 802.1X guest VLAN for the specified or all ports. A guest VLAN on a port accommodates users that have not performed 802.1X authentication. In the guest VLAN, users can access a limited set of network resources, such as a software server, to download anti-virus software and system patches.

Use undo dot1x guest-vlan to remove the 802.1X guest VLAN on the specified or all ports.

Syntax

In system view:

dot1x guest-vlan guest-vlan-id [ interface interface-list ]

undo dot1x guest-vlan [ interface interface-list ]

In Layer 2 interface view, WLAN-ESS interface view:

dot1x guest-vlan guest-vlan-id

undo dot1x guest-vlan

Default

No 802.1X guest VLAN is configured on a port.

Views

System view, Layer 2 Ethernet interface view, WLAN-ESS interface view

Default command level

2: System level

Parameters

guest-vlan-id: Specifies the ID of the VLAN to be used as the 802.1X guest VLAN, in the range of 1 to 4094. Make sure that the VLAN has been created.

interface interface-list: Specifies a port list. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } & <1-10>, where interface-type represents the port type, interface-number represents the port number, and & <1-10> means that you can provide up to 10 ports or port ranges. The start port number must be smaller than the end number and the two ports must be of the same type. If no interface is specified, you configure an 802.1X guest VLAN for all Layer 2 Ethernet ports.

Usage guidelines

Guest VLAN is supported only on ports that implement MAC-based access control.

You must enable 802.1X for an 802.1X guest VLAN to take effect.

To have the 802.1X guest VLAN take effect, complete the following tasks:

·     Enable 802.1X both globally and on the interface.

·     On a port that performs MAC-based access control, enable the MAC-based VLAN feature.

When you change the access control method from MAC-based to port-based on a port that carries a guest VLAN, the mappings between MAC addresses and the 802.1X guest VLAN are removed. You can use the display mac-vlan command to display MAC-to-VLAN mappings.

To delete a VLAN that has been configured as a guest VLAN, you must remove the guest VLAN configuration first.

You can configure both an Auth-Fail VLAN and an 802.1X guest VLAN on a port.

Examples

# Specify VLAN 3 as the 802.1X guest VLAN for WLAN-ESS 1.

<Sysname> system-view

[Sysname] interface wlan-ess 1

[Sysname-WLAN-ESS1] dot1x guest-vlan 3

Related commands

·     dot1x port-method

·     dot1x multicast-trigger

·     mac-vlan enable and display mac-vlan (Layer 2 Command Reference)

dot1x handshake

Use dot1x handshake to enable the online user handshake feature. The feature enables the device to periodically send handshake messages to the client to check whether a user is online.

Use undo dot1x handshake to disable the feature.

Syntax

dot1x handshake

undo dot1x handshake

Default

The feature is enabled.

Views

Layer 2 Ethernet Interface view, WLAN-ESS interface view

Default command level

2: System level

Usage guidelines

H3C recommends that you use the iNode client software to ensure the normal operation of the online user handshake feature.

Examples

# Enable the online user handshake feature.

<Sysname> system-view

[Sysname] interface wlan-ess 1

[Sysname-WLAN-ESS1] dot1x handshake

dot1x handshake secure

Use dot1x handshake secure to enable the online user handshake security feature. The feature enables the device to prevent users from using illegal client software.

Use undo dot1x handshake secure to disable the feature.

Syntax

dot1x handshake secure

undo dot1x handshake secure

Default

The feature is disabled.

Views

Layer 2 Ethernet Interface view, WLAN-ESS interface view

Default command level

2: System level

Usage guidelines

The online user handshake security feature is implemented based on the online user handshake feature. To bring the security feature into effect, make sure the online user handshake feature is enabled.

H3C recommends that you use the iNode client software and IMC server to ensure the normal operation of the online user handshake security feature.

Examples

# Enable the online user handshake security feature.

<Sysname> system-view

[Sysname] interface wlan-ess 1

[Sysname-WLAN-ESS1] dot1x handshake secure

Related commands

dot1x handshake

dot1x mandatory-domain

Use dot1x mandatory-domain to specify a mandatory 802.1X authentication domain on a port.

Use undo dot1x mandatory-domain to remove the mandatory authentication domain.

Syntax

dot1x mandatory-domain domain-name

undo dot1x mandatory-domain

Default

No mandatory authentication domain is specified.

Views

Layer 2 Ethernet Interface view, WLAN-ESS interface view

Default command level

2: System level

Parameters

domain-name: Specifies the ISP domain name, a case-insensitive string of 1 to 24 characters.

Usage guidelines

When the system authenticates an 802.1X user trying to access the port, it selects an authentication domain in the following order:

1.     Mandatory domain.

2.     ISP domain specified in the username.

3.     Default ISP domain.

To display or cut all 802.1X connections in a mandatory domain, use the display connection domain isp-name or cut connection domain isp-name command. The output from the display connection command without any parameters displays domain names entered by users at login. For more information about the display connection command or the cut connection command, see "AAA configuration commands."
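The domain selection order above is easy to get wrong when a port carries a mandatory domain and users also type a domain after "@" in their usernames. The following Python function, an added example that is not H3C's code or output, models the three-step order from the usage guidelines together with the documented domain-name constraint (a case-insensitive string of 1 to 24 characters). The class `PortDot1xConfig`, the function names and the sample usernames are assumptions made for this illustration.

```python
# Added example: model of the 802.1X domain selection order for
# dot1x mandatory-domain. Not H3C code; names are illustrative.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class PortDot1xConfig:
    """Per-port settings relevant to domain selection (assumed structure)."""
    # Set by: dot1x mandatory-domain <domain-name>; None means "undo dot1x mandatory-domain".
    mandatory_domain: Optional[str] = None


def validate_domain_name(name: str) -> bool:
    """The page documents domain-name as a string of 1 to 24 characters."""
    return 1 <= len(name) <= 24


def split_username(username: str) -> Tuple[str, Optional[str]]:
    """Return (user, domain) for 'user@domain'; domain is None when absent.

    rpartition is used so that a user part containing '@' still yields the
    last component as the ISP domain.
    """
    if "@" in username:
        user, _, domain = username.rpartition("@")
        return user, (domain or None)
    return username, None


def select_domain(username: str, port: PortDot1xConfig,
                  default_domain: str) -> Tuple[str, str]:
    """Pick the authentication domain in the documented order.

    1. Mandatory domain configured on the port.
    2. ISP domain carried in the username.
    3. Default ISP domain.
    Returns (domain, reason) so an operator can see which rule fired.
    Domain names are case-insensitive on the device, so they are lowered here.
    """
    if port.mandatory_domain:
        return port.mandatory_domain.lower(), "mandatory"
    _, user_domain = split_username(username)
    if user_domain:
        return user_domain.lower(), "username"
    return default_domain.lower(), "default"


if __name__ == "__main__":
    # Constructed sample: WLAN-ESS 1 has "dot1x mandatory-domain my-domain".
    ess1 = PortDot1xConfig(mandatory_domain="my-domain")
    print(select_domain("alice@corp", ess1, "system"))        # mandatory wins
    print(select_domain("alice@corp", PortDot1xConfig(), "system"))  # username domain
    print(select_domain("alice", PortDot1xConfig(), "system"))       # default domain
```

A practical consequence of the mandatory rule, stated in the guidelines above, is that `display connection` without parameters still shows the domain the user typed, not the mandatory one; the `reason` value returned here is the distinction an operator needs when reconciling those outputs with `display connection domain isp-name`.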

Examples

# Configure the mandatory authentication domain my-domain for 802.1X users on WLAN-ESS 1.

<Sysname> system-view

[Sysname] interface wlan-ess 1

[Sysname-WLAN-ESS1] dot1x mandatory-domain my-domain

Related commands

display dot1x

dot1x max-user

Use dot1x max-user to set the maximum number of concurrent 802.1X users on a port.

Use undo dot1x max-user to restore the default.

Syntax

In system view:

dot1x max-user user-number [ interface interface-list ]

undo dot1x max-user [ interface interface-list ]

In Layer 2 Ethernet Interface view, WLAN-ESS interface view:

dot1x max-user user-number

undo dot1x max-user

Views

System view, Layer 2 Ethernet Interface view, WLAN-ESS interface view

Default command level

2: System level

Parameters

user-number: Specifies the maximum number of concurrent 802.1X users on a port. The value range and default value vary with devices. For more information, see About the H3C Access Controllers Command References.

interface interface-list: Specifies a port list, which can contain multiple ports. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } & <1-10>, where interface-type represents the port type, interface-number represents the port number, and & <1-10> means that you can provide up to 10 ports or port ranges. The start port number must be smaller than the end number and the two ports must be of the same type.

Usage guidelines

In system view:

·     If you do not specify the interface-list argument, the command applies to all ports.

·     If you specify the interface-list argument, the command applies to the specified ports.

In interface view, the interface interface-list option is not available and the command applies only to the current port.

Examples

# Set the maximum number of concurrent 802.1X users on port WLAN-ESS 1 to 32.

<Sysname> system-view

[Sysname] dot1x max-user 32 interface wlan-ess 1

Or

<Sysname> system-view

[Sysname] interface wlan-ess 1

[Sysname-WLAN-ESS1] dot1x max-user 32

Related commands

display dot1x

dot1x multicast-trigger

Use dot1x multicast-trigger to enable the 802.1X multicast trigger feature. The device acts as the initiator and periodically multicasts EAP-Request/Identity packets out of a port to detect 802.1X clients and trigger authentication.

Use undo dot1x multicast-trigger to disable the feature.

Syntax

dot1x multicast-trigger

undo dot1x multicast-trigger

Default

The multicast trigger feature is enabled.

Views

Layer 2 Ethernet Interface view, WLAN-ESS interface view

Default command level

2: System level

Usage guidelines

You can use the dot1x timer tx-period command to set the interval for sending multicast EAP-Request/Identity packets.

Examples

# Enable the multicast trigger feature on interface WLAN-ESS 1.

<Sysname> system-view

[Sysname] interface wlan-ess 1

[Sysname-WLAN-ESS1] dot1x multicast-trigger

Related commands

display dot1x

dot1x port-control

Use dot1x port-control to set the authorization state for the specified or all ports.

Use undo dot1x port-control to restore the default.

Syntax

In system view:

dot1x port-control { authorized-force | auto | unauthorized-force } [ interface interface-list ]

undo dot1x port-control [ interface interface-list ]

In Layer 2 Ethernet interface view, WLAN-ESS interface view:

dot1x port-control { authorized-force | auto | unauthorized-force }

undo dot1x port-control

Default

The default port authorization state is auto.

Views

System view, Layer 2 Ethernet interface view, WLAN-ESS interface view

Default command level

2: System level

Parameters

authorized-force: Places the specified or all ports in authorized state, enabling users on the ports to access the network without authentication.

auto: Places the specified or all ports initially in unauthorized state to allow only EAPOL packets to pass, and after a user passes authentication, sets the port in the authorized state to allow access to the network. You can use this option in most scenarios.

unauthorized-force: Places the specified or all ports in unauthorized state, denying any access requests from users on the ports.

interface interface-list: Specifies a port list, which can contain multiple ports. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } & <1-10>, where interface-type represents the port type, interface-number represents the port number, and & <1-10> means that you can provide up to 10 ports or port ranges. The start port number must be smaller than the end number and the two ports must be of the same type.

Usage guidelines

In system view, if no interface is specified, the command applies to all ports.

Examples

# Set the authorization state of port WLAN-ESS 1 to unauthorized-force.

<Sysname> system-view

[Sysname] dot1x port-control unauthorized-force interface wlan-ess 1

Or

<Sysname> system-view

[Sysname] interface wlan-ess 1

[Sysname-WLAN-ESS1] dot1x port-control unauthorized-force

Related commands

display dot1x

dot1x port-method

Use dot1x port-method to specify an access control method for the specified or all ports.

Use undo dot1x port-method to restore the default.

Syntax

In system view:

dot1x port-method { macbased | portbased } [ interface interface-list ]

undo dot1x port-method [ interface interface-list ]

In Layer 2 Ethernet interface view, WLAN-ESS interface view:

dot1x port-method { macbased | portbased }

undo dot1x port-method

Default

MAC-based access control applies.

Views

System view, Layer 2 Ethernet interface view, WLAN-ESS interface view

Default command level

2: System level

Parameters

macbased: Uses MAC-based access control on a port to separately authenticate each user attempting to access the network. In this approach, when an authenticated user logs off, no other online users are affected.

portbased: Uses port-based access control on a port. In this approach, once an 802.1X user passes authentication on the port, any subsequent user can access the network through the port without authentication. When the authenticated user logs off, all other users are logged off.

interface interface-list: Specifies a port list, which can contain multiple ports. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } & <1-10>, where interface-type represents the port type, interface-number represents the port number, and & <1-10> means that you can provide up to 10 ports or port ranges for this argument. The start port number must be smaller than the end number and the two ports must be of the same type.

Usage guidelines

In system view, if no interface is specified, the command applies to all ports.

Examples

# Configure port WLAN-ESS 1 to implement port-based access control.

<Sysname> system-view

[Sysname] dot1x port-method portbased interface wlan-ess 1

Or

<Sysname> system-view

[Sysname] interface wlan-ess 1

[Sysname-WLAN-ESS1] dot1x port-method portbased

Related commands

display dot1x

dot1x quiet-period

Use dot1x quiet-period to enable the quiet timer. When a client fails 802.1X authentication, the device must wait a period of time before it can process authentication requests from the client.

Use undo dot1x quiet-period to disable the timer.

Syntax

dot1x quiet-period

undo dot1x quiet-period

Default

The quiet timer is disabled.

Views

System view

Default command level

2: System level

Examples

# Enable the quiet timer.

<Sysname> system-view

[Sysname] dot1x quiet-period

Related commands

·     display dot1x

·     dot1x timer

dot1x re-authenticate

Use dot1x re-authenticate to enable the periodic online user re-authentication feature.

Use undo dot1x re-authenticate to disable the feature.

Syntax

dot1x re-authenticate

undo dot1x re-authenticate

Default

The periodic online user re-authentication feature is disabled.

Views

Layer 2 Ethernet interface view, WLAN-ESS interface view

Default command level

2: System level

Usage guidelines

Periodic re-authentication enables the access device to periodically authenticate online 802.1X users on a port. This feature tracks the connection status of online users and updates the authorization attributes assigned by the server, such as the ACL, VLAN, and user profile.

You can use the dot1x timer reauth-period command to configure the interval for re-authentication.

Examples

# Enable the 802.1X periodic online user re-authentication feature on interface WLAN-ESS 1 and set the periodic re-authentication interval to 1800 seconds.

<Sysname> system-view

[Sysname] dot1x timer reauth-period 1800

[Sysname] interface wlan-ess 1

[Sysname-WLAN-ESS1] dot1x re-authenticate

Related commands

dot1x timer reauth-period

dot1x retry

Use dot1x retry to set the maximum number of attempts for sending an authentication request to a client.

Use undo dot1x retry to restore the default.

Syntax

dot1x retry max-retry-value

undo dot1x retry

Default

By default, the device sends an authentication request to a client a maximum of two times.

Views

System view

Default command level

2: System level

Parameters

max-retry-value: Specifies the maximum number of attempts for sending an authentication request to a client, in the range of 1 to 10.

Usage guidelines

After the network access device sends an authentication request to a client, if the device receives no response from the client within the username request timeout timer (set with the dot1x timer tx-period tx-period-value command) or the client timeout timer (set with the dot1x timer supp-timeout supp-timeout-value command), the device retransmits the authentication request. The network access device stops retransmitting the request once it has made the maximum number of request transmission attempts without receiving a response.

This command applies to all ports of the device.

Examples

# Set the maximum number of attempts for sending an authentication request to a client as 9.

<Sysname> system-view

[Sysname] dot1x retry 9

Related commands

display dot1x

dot1x timer

Use dot1x timer to set 802.1X timers.

Use undo dot1x timer to restore the defaults.

Syntax

dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | reauth-period reauth-period-value | server-timeout server-timeout-value | supp-timeout supp-timeout-value | tx-period tx-period-value }

undo dot1x timer { handshake-period | quiet-period | reauth-period | server-timeout | supp-timeout | tx-period }

Default

The following timers apply:

·     Handshake timer: 15 seconds.

·     Quiet timer: 60 seconds.

·     Periodic re-authentication timer: 3600 seconds.

·     Server timeout timer: 100 seconds.

·     Client timeout timer: 30 seconds.

·     Username request timeout timer: 30 seconds.

Views

System view

Default command level

2: System level

Parameters

handshake-period-value: Sets the handshake timer in seconds. It is in the range of 5 to 1024.

quiet-period-value: Sets the quiet timer in seconds. It is in the range of 10 to 120.

reauth-period-value: Sets the periodic re-authentication timer in seconds. It is in the range of 60 to 7200.

server-timeout-value: Sets the server timeout timer in seconds. It is in the range of 100 to 300.

supp-timeout-value: Sets the client timeout timer in seconds. It is in the range of 1 to 120.

tx-period-value: Sets the username request timeout timer in seconds. It is in the range of 1 to 120.

Usage guidelines

In most cases, the default settings are sufficient. You can adjust the timers depending on your network conditions:

·     In a low-speed network, increase the client timeout timer.

·     In a vulnerable network, set the quiet timer to a high value.

·     In a high-performance network with quick authentication response, set the quiet timer to a low value.

·     In a network with authentication servers of different performance, adjust the server timeout timer.

The network device uses the following 802.1X timers:

·     Handshake timer (handshake-period): Sets the interval at which the access device sends client handshake requests to check the online status of a client that has passed authentication. If the device receives no response after sending the maximum number of handshake requests, it considers that the client has logged off.

·     Quiet timer (quiet-period): Starts when a client fails authentication. The access device must wait the time period before it can process the authentication attempts from the client.

·     Periodic re-authentication timer (reauth-period): Sets the interval at which the network device periodically re-authenticates online 802.1X users. To enable periodic online user re-authentication on a port, use the dot1x re-authenticate command. For users that are already online, a change to this timer takes effect only after the old timer expires.

·     Server timeout timer (server-timeout): Starts when the access device sends a RADIUS Access-Request packet to the authentication server. If no response is received when this timer expires, the access device retransmits the request to the server.

·     Client timeout timer (supp-timeout): Starts when the access device sends an EAP-Request/MD5 Challenge packet to a client. If no response is received when this timer expires, the access device retransmits the request to the client.

·     Username request timeout timer (tx-period): Starts when the device sends an EAP-Request/Identity packet to a client in response to an authentication request. If the device receives no response before this timer expires, it retransmits the request. The timer also sets the interval at which the network device sends multicast EAP-Request/Identity packets to detect clients that cannot actively request authentication.

Examples

# Set the server timeout timer to 150 seconds.

<Sysname> system-view

[Sysname] dot1x timer server-timeout 150

Related commands

display dot1x
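Several settings documented on this page weaken or silently disable 802.1X if they are combined carelessly: dot1x port-control authorized-force opens a port without authentication, dot1x port-method portbased lets every later user ride the first authenticated session, dot1x handshake secure has no effect while the handshake feature is disabled, and the dot1x timer and dot1x retry values have documented ranges. The following Python script, an added example that is not H3C's code or output, parses a constructed Comware-style configuration fragment and reports those conditions before the template is pushed to a device. The configuration text, the function names and the finding wording are assumptions made for this illustration; the numeric ranges are the ones stated in the dot1x timer and dot1x retry parameter descriptions above.

```python
# Added example: review an 802.1X configuration template for risky settings
# documented on this page. Not H3C code; the config below is constructed.
import re
from typing import Dict, List, Tuple

# Value ranges from the dot1x timer and dot1x retry parameter descriptions.
TIMER_RANGES: Dict[str, Tuple[int, int]] = {
    "handshake-period": (5, 1024),
    "quiet-period": (10, 120),
    "reauth-period": (60, 7200),
    "server-timeout": (100, 300),
    "supp-timeout": (1, 120),
    "tx-period": (1, 120),
}
RETRY_RANGE = (1, 10)

# Constructed configuration fragment in Comware style ("#" separates blocks).
CONSTRUCTED_CONFIG = """\
#
 dot1x
 dot1x timer quiet-period 5
 dot1x timer server-timeout 150
 dot1x retry 9
#
interface WLAN-ESS1
 dot1x
 dot1x port-control authorized-force
 dot1x port-method portbased
 dot1x handshake secure
 undo dot1x handshake
#
interface WLAN-ESS2
 dot1x
 dot1x mandatory-domain my-domain
 dot1x re-authenticate
#
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split the text into global lines and a dict of interface -> lines."""
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "#":          # block separator: back to system view
            current = None
            continue
        if line.startswith("interface "):
            current = line[len("interface "):]
            interfaces.setdefault(current, [])
            continue
        (interfaces[current] if current else global_lines).append(line)
    return global_lines, interfaces


def audit_global(lines: List[str]) -> List[str]:
    """Check system-view timer and retry values against the documented ranges."""
    findings = []
    for line in lines:
        m = re.fullmatch(r"dot1x timer (\S+) (\d+)", line)
        if m:
            name, value = m.group(1), int(m.group(2))
            if name not in TIMER_RANGES:
                findings.append(f"global: unknown dot1x timer {name}")
            else:
                lo, hi = TIMER_RANGES[name]
                if not lo <= value <= hi:
                    findings.append(f"global: {name} {value} outside {lo}-{hi}")
        m = re.fullmatch(r"dot1x retry (\d+)", line)
        if m and not RETRY_RANGE[0] <= int(m.group(1)) <= RETRY_RANGE[1]:
            findings.append(f"global: dot1x retry {m.group(1)} outside 1-10")
    return findings


def audit_interface(name: str, lines: List[str]) -> List[str]:
    """Flag port-level settings that bypass or weaken authentication."""
    findings = []
    present = set(lines)
    if "dot1x port-control authorized-force" in present:
        findings.append(f"{name}: authorized-force grants network access without authentication")
    if "dot1x port-method portbased" in present:
        findings.append(f"{name}: portbased lets later users access the network via the first authenticated session")
    if "dot1x handshake secure" in present and "undo dot1x handshake" in present:
        findings.append(f"{name}: handshake secure has no effect while the handshake feature is disabled")
    return findings


def audit(text: str) -> List[str]:
    """Run all checks over a configuration text and return the findings."""
    global_lines, interfaces = parse_config(text)
    findings = audit_global(global_lines)
    for name, lines in interfaces.items():
        findings.extend(audit_interface(name, lines))
    return findings


if __name__ == "__main__":
    for finding in audit(CONSTRUCTED_CONFIG):
        print(finding)
```

Run stand-alone, the script reports the out-of-range quiet timer and the three WLAN-ESS1 findings; WLAN-ESS2, which only adds a mandatory domain and re-authentication, produces none. The range checks catch values the device itself would reject at the CLI, which is useful when templates are generated off-box and only fail at push time.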

dot1x unicast-trigger

Use dot1x unicast-trigger to enable the 802.1X unicast trigger feature.

Use undo dot1x unicast-trigger to disable the feature.

Syntax

dot1x unicast-trigger

undo dot1x unicast-trigger

Default

The unicast trigger feature is disabled.

Views

Layer 2 Ethernet interface view

Default command level

2: System level

Usage guidelines

The unicast trigger feature enables the network access device to initiate 802.1X authentication when it receives a data frame from an unknown source MAC address. The device sends a unicast EAP-Request/Identity packet to the unknown source MAC address, and retransmits the packet if it has received no response within a period of time (set with the dot1x timer tx-period command). This process continues until the maximum number of request attempts (set with the dot1x retry command) is reached.

Examples

# Enable the unicast trigger feature for interface Ten-GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] dot1x unicast-trigger

Related commands

·     display dot1x

·     dot1x timer tx-period

·     dot1x retry

reset dot1x statistics

Use reset dot1x statistics to clear 802.1X statistics.

Syntax

reset dot1x statistics [ interface interface-list ]

Views

User view

Default command level

2: System level

Parameters

interface interface-list: Specifies a port list, which can contain multiple ports. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } & <1-10>, where interface-type represents the port type, interface-number represents the port number, and & <1-10> means that you can provide up to 10 ports or port ranges. The start port number must be smaller than the end number and the two ports must be of the same type.

Usage guidelines

If a list of ports is specified, the command clears 802.1X statistics for all the specified ports.

If no ports are specified, the command clears all 802.1X statistics.

Examples

# Clear 802.1X statistics on port WLAN-ESS 1.

<Sysname> reset dot1x statistics interface wlan-ess 1

Related commands

display dot1x

reset dot1x synchronization statistics

Use reset dot1x synchronization statistics to clear 802.1X stateful failover packet statistics.

Syntax

reset dot1x synchronization statistics [ interface interface-type interface-number ]

Views

User view

Default command level

2: System level

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

Usage guidelines

Support for this command depends on the device model. For more information, see About the H3C Access Controllers Command References.

If no interface is specified, the command clears global and port-specific 802.1X stateful failover packet statistics.

Examples

# Clear 802.1X stateful failover packet statistics for WLAN-DBSS 1:1.

<Sysname> reset dot1x synchronization statistics interface wlan-dbss 1:1

Related commands

·     display dot1x synchronization statistics

·     port-security synchronization enable
