MAC authentication configuration commands
display mac-authentication
Use display mac-authentication to display MAC authentication settings and statistics, including global settings, port-specific settings, and MAC authentication and online user statistics.
Syntax
display mac-authentication [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
2: System level
Parameters
interface interface-list: Specifies a port list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. The start port and end port of a port range must be of the same type and the end port number must be greater than the start port number. A port range defined without the to interface-type interface-number portion comprises only one port.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
If you specify a list of ports, the command displays port-specific settings and statistics only for the specified ports.
If you do not specify any port, the command displays port-specific settings and statistics for all ports.
Examples
# Display all MAC authentication settings and statistics.
<Sysname> display mac-authentication
MAC address authentication is enabled.
User name format is MAC address in lowercase, like xxxxxxxxxxxx
Fixed username:mac
Fixed password:not configured
Offline detect period is 300s
Quiet period is 60s.
Server response timeout value is 100s
The max allowed user number is 1024 per slot
Current user number amounts to 0
Current domain: not configured, use default domain
Silent Mac User info:
MAC Addr From Port Port Index
GigabitEthernet1/0/1 is link-up
MAC address authentication is enabled
Authenticate success: 0, failed: 0
Max number of on-line users is 128
Current online user number is 0
MAC Addr Authenticate state AuthIndex
…
Table 1 Command output

Field | Description |
---|---|
MAC address authentication is enabled | Whether MAC authentication is enabled. |
User name format is MAC address in lowercase, like xxxxxxxxxxxx | Type of user account, which can be MAC-based or shared. · If MAC-based accounts are used, this field displays "User name format is MAC address…" and the format settings for usernames and passwords, for example, MAC addresses without hyphens in lower case. · If a shared account is used, this field displays "User name format is fixed account." |
Fixed username: | Username of the shared account for MAC authentication users. If MAC-based accounts are used, this field displays mac. |
Fixed password: | Password of the shared account for MAC authentication users. · If MAC-based accounts are used, or if a shared account is used but no password is configured, this field displays not configured. · If a shared account is used and a password is configured, this field displays ******. |
Offline detect period | Setting of the offline detect timer. |
Quiet period | Setting of the quiet timer. |
Server response timeout value | Setting of the server timeout timer. |
The max allowed user number | Maximum number of users the device supports. The value depends on the device model. For more information, see About the H3C Access Controllers Command References. |
Current user number amounts to | Number of online users. |
Current domain: not configured, use default domain | Authentication domain that is currently used. |
Silent Mac User info | Information about silent MAC addresses. A MAC address is marked silent when it fails MAC authentication, and a quiet timer starts at the same time. Before the timer expires, the device drops any packet from the MAC address and does not perform MAC authentication for it. |
GigabitEthernet1/0/1 is link-up | Status of the link on port GigabitEthernet 1/0/1. In this example, the link is up. |
MAC address authentication is enabled | Whether MAC authentication is enabled on port GigabitEthernet 1/0/1. |
Authenticate success: 0, failed: 0 | MAC authentication statistics, including the number of successful and unsuccessful authentication attempts. |
Max number of on-line users | Maximum number of concurrent online users allowed on the port. If MAC authentication is not enabled on the port, the field displays 0. |
Current online user number | Number of online users on the port. |
MAC Addr | MAC address of the online user. |
Authenticate state | User status. Possible values include the following: · MAC_AUTHENTICATOR_CONNECT—The user is logging in. · MAC_AUTHENTICATOR_SUCCESS—The user has passed the authentication. · MAC_AUTHENTICATOR_FAIL—The user failed the authentication. · MAC_AUTHENTICATOR_LOGOFF—The user has logged off. |
AuthIndex | Authenticator index. |
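Because the per-port "Authenticate success/failed" counters are the only place this output exposes repeated authentication failures (the same failures that populate the silent MAC list), it is worth scraping them into monitoring. The parser below is an added example, not part of this reference; the sample output is constructed from the display example above, with a second port and non-zero counters added for illustration.

```python
import re

# Constructed sample, modelled on the display mac-authentication output above.
SAMPLE_OUTPUT = """\
MAC address authentication is enabled.
User name format is MAC address in lowercase, like xxxxxxxxxxxx
Fixed username:mac
Fixed password:not configured
Offline detect period is 300s
Quiet period is 60s.
Server response timeout value is 100s
The max allowed user number is 1024 per slot
Current user number amounts to 3
Current domain: not configured, use default domain
Silent Mac User info:
MAC Addr From Port Port Index
GigabitEthernet1/0/1 is link-up
MAC address authentication is enabled
Authenticate success: 2, failed: 0
Max number of on-line users is 128
Current online user number is 2
GigabitEthernet1/0/2 is link-up
MAC address authentication is enabled
Authenticate success: 1, failed: 57
Max number of on-line users is 128
Current online user number is 1
"""

PORT_RE = re.compile(r"^(\S+) is (link-up|link-down)$")
STATS_RE = re.compile(r"^Authenticate success: (\d+), failed: (\d+)$")


def parse_mac_auth(text):
    """Split display mac-authentication output into global settings and
    per-port records. Returns (settings dict, ports dict keyed by port name)."""
    settings, ports, port = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip().rstrip(".")
        m = PORT_RE.match(line)
        if m:  # a port block starts with "<port> is link-up"
            port = m.group(1)
            ports[port] = {"link": m.group(2), "success": 0, "failed": 0}
            continue
        target = settings if port is None else ports[port]
        m = STATS_RE.match(line)
        if m:
            target["success"], target["failed"] = int(m.group(1)), int(m.group(2))
        elif " amounts to " in line:  # "Current user number amounts to N"
            key, val = line.split(" amounts to ", 1)
            target[key] = val
        elif " is " in line:  # "Quiet period is 60s"
            key, val = line.split(" is ", 1)
            target[key] = val
        elif ":" in line:  # "Fixed username:mac"
            key, val = line.split(":", 1)
            target[key.strip()] = val.strip()
    return settings, ports


def timer_seconds(settings, key):
    """Turn a '300s' style timer value into an integer number of seconds."""
    return int(settings[key].rstrip("s"))


def ports_over_failure_threshold(ports, threshold):
    """Ports whose failed-authentication counter exceeds the threshold; a
    burst of failures on one port is what keeps filling the silent MAC list."""
    return sorted(p for p, rec in ports.items() if rec["failed"] > threshold)
```

Run the parser against the saved output of each poll and alert on the difference in the failed counter, since reset mac-authentication statistics is the only thing that clears it.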
mac-authentication accounting-delay
Use mac-authentication accounting-delay to enable accounting delay for MAC authentication users on an interface.
Use undo mac-authentication accounting-delay to restore the default.
Syntax
mac-authentication accounting-delay [ logoff | time time ] *
undo mac-authentication accounting-delay
Default
The accounting delay feature is disabled. When a user passes MAC authentication, the device immediately sends an accounting request to the accounting server, regardless of whether it has obtained the user's IP address.
Views
Interface view
Default command level
2: System level
Parameters
logoff: Cancels the accounting procedure for a MAC authentication user if the device fails to get the user's IP address within the delay time. As a result, the user cannot come online. If this option is not specified, the device sends an accounting request once the delay time is reached.
time time: Specifies a delay time in seconds. The value range for the time argument is 1 to 600. If no delay time is specified, a 10-second delay applies.
Usage guidelines
The accounting delay feature enables the device to delay sending the accounting request for an authenticated MAC authentication user. If the device gets the user's IP address within the delay period, it includes the IP address in the accounting request and starts the accounting process for the user. If the device fails to get the user's IP address, it starts the accounting process or logs off the user depending on your configuration.
H3C recommends that you enable the accounting delay feature when the following conditions exist:
· MAC authentication users obtain IP addresses through DHCP.
· The accounting server requires user IP addresses for accounting management.
Set the delay depending on how long it takes for users to obtain an IP address on your network.
Examples
# On interface WLAN-ESS 1, configure a 15-second accounting delay for MAC authentication users and enable the device to perform the logoff action when the delay expires.
<Sysname> system-view
[Sysname] interface wlan-ess 1
[Sysname-WLAN-ESS1] mac-authentication accounting-delay logoff time 15
mac-authentication
Use mac-authentication in system view to enable MAC authentication globally.
Use mac-authentication interface interface-list in system view to enable MAC authentication on a list of ports, or use mac-authentication in interface view to enable MAC authentication on a port.
Use undo mac-authentication in system view to disable MAC authentication globally.
Use undo mac-authentication interface interface-list in system view to disable MAC authentication on a list of ports, or use undo mac-authentication in interface view to disable MAC authentication on a port.
Syntax
In system view:
mac-authentication [ interface interface-list ]
undo mac-authentication [ interface interface-list ]
In Ethernet interface view:
mac-authentication
undo mac-authentication
Default
MAC authentication is not enabled globally or on any port.
Views
System view, Ethernet interface view
Default command level
2: System level
Parameters
interface interface-list: Specifies an Ethernet port list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. The start port and end port of a port range must be of the same type and the end port number must be greater than the start port number. A port range defined without the to interface-type interface-number portion comprises only one port.
Usage guidelines
To use MAC authentication on a port, you must enable the function both globally and on the port.
Examples
# Enable MAC authentication globally.
<Sysname> system-view
[Sysname] mac-authentication
Mac-auth is enabled globally.
# Enable MAC authentication on port GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] mac-authentication interface gigabitethernet 1/0/1
Mac-auth is enabled on port GigabitEthernet1/0/1.
Or
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] mac-authentication
Mac-auth is enabled on port GigabitEthernet1/0/1.
mac-authentication bypass-portal enable
Use mac-authentication bypass-portal enable to enable portal authentication bypass for MAC-authenticated users.
Use undo mac-authentication bypass-portal enable to restore the default.
Syntax
mac-authentication bypass-portal enable
undo mac-authentication bypass-portal enable
Default
Portal authentication bypass for MAC-authenticated users is disabled.
Views
WLAN-ESS interface view
Default command level
2: System level
Examples
# Enable portal authentication bypass for MAC-authenticated users.
<Sysname> system-view
[Sysname] interface wlan-ess 1
[Sysname-WLAN-ESS1] mac-authentication bypass-portal enable
mac-authentication domain
Use mac-authentication domain to specify a global or port-specific authentication domain.
Use undo mac-authentication domain to restore the default.
Syntax
mac-authentication domain domain-name
undo mac-authentication domain
Default
The default authentication domain is used for MAC authentication users. For more information about the default authentication domain, see the domain default enable command in "AAA configuration commands."
Views
System view, Layer 2 Ethernet interface view, WLAN-ESS interface view
Default command level
2: System level
Parameters
domain-name: Specifies an authentication domain name, a case-insensitive string of 1 to 24 characters. The domain name cannot contain any forward slash (/), colon (:), asterisk (*), question mark (?), less-than sign (<), greater-than sign (>), or at sign (@).
Usage guidelines
The global authentication domain applies to all MAC authentication enabled ports. A port-specific authentication domain applies only to that port. You can specify different authentication domains on different ports.
A port chooses an authentication domain for MAC authentication users in this order:
1. Authentication domain specified on the port.
2. Global authentication domain specified in system view.
3. Default authentication domain.
Examples
# Specify the domain1 domain as the global authentication domain for MAC authentication users.
<Sysname> system-view
[Sysname] mac-authentication domain domain1
# Specify the aabbcc domain as the authentication domain for MAC authentication users on port WLAN-ESS 1.
[Sysname] interface wlan-ess 1
[Sysname-WLAN-ESS1] mac-authentication domain aabbcc
Related commands
display mac-authentication
mac-authentication guest-vlan
Use mac-authentication guest-vlan to specify a MAC authentication guest VLAN on a port. Any user that has failed MAC authentication on the port is assigned to this VLAN, so it can access a limited set of network resources, such as a software server for downloading anti-virus software and system patches. After a user in the guest VLAN passes MAC authentication, the user is removed from the guest VLAN and can access all authorized network resources.
Use undo mac-authentication guest-vlan to remove the MAC authentication guest VLAN from the port.
Syntax
mac-authentication guest-vlan guest-vlan-id
undo mac-authentication guest-vlan
Default
No MAC authentication guest VLAN is configured on a port.
Views
WLAN-ESS interface view
Default command level
2: System level
Parameters
guest-vlan-id: Specifies a VLAN as the MAC authentication guest VLAN. The value range for the VLAN ID is 1 to 4094. Make sure the VLAN has been created and is not a super VLAN. For more information about super VLANs, see Layer 2 Configuration Guide.
Usage guidelines
To use the MAC authentication guest VLAN function on a port, you must enable MAC-based VLAN on the port, in addition to enabling MAC authentication both globally and on the port.
To delete a VLAN that has been set as a MAC authentication guest VLAN, remove the guest VLAN configuration first.
Examples
# Configure VLAN 5 as the MAC authentication guest VLAN on port WLAN-ESS 1.
<Sysname> system-view
[Sysname] interface wlan-ess 1
[Sysname-WLAN-ESS1] mac-authentication guest-vlan 5
Related commands
· mac-authentication
· mac-vlan enable (Layer 2 Command Reference)
mac-authentication max-user
Use mac-authentication max-user to set the maximum number of concurrent MAC authentication users on a port.
Use undo mac-authentication max-user to restore the default.
Syntax
mac-authentication max-user user-number
undo mac-authentication max-user
Views
Layer 2 Ethernet interface view, WLAN-ESS interface view
Default command level
2: System level
Parameters
user-number: Specifies a maximum number of concurrent MAC authentication users on the port. The value range varies with devices. For more information, see About the H3C Access Controllers Command References.
Default
The default maximum number of concurrent MAC authentication users on a port depends on the device model (see About the H3C Access Controllers Command References).
Examples
# Configure port WLAN-ESS 1 to support up to 32 concurrent MAC authentication users.
<Sysname> system-view
[Sysname] interface wlan-ess 1
[Sysname-WLAN-ESS1] mac-authentication max-user 32
mac-authentication timer
Use mac-authentication timer to set the MAC authentication timers.
Use undo mac-authentication timer to restore the default settings.
Syntax
mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | server-timeout server-timeout-value }
undo mac-authentication timer { offline-detect | quiet | server-timeout }
Default
The offline detect timer is 300 seconds, the quiet timer is 60 seconds, and the server timeout timer is 100 seconds.
Views
System view
Default command level
2: System level
Parameters
offline-detect offline-detect-value: Sets the offline detect timer in the range of 60 to 65535 seconds. This timer sets the interval that the device waits for traffic from a user before it regards the user as idle. If no traffic is received from a user within the interval, the device logs the user out and stops accounting for the user.
quiet quiet-value: Sets the quiet timer in the range of 1 to 3600 seconds. This timer sets the interval that the device must wait before it can perform MAC authentication for a user that has failed MAC authentication. All packets from the MAC address are dropped during the quiet time. This quiet mechanism prevents repeated authentication from affecting system performance.
server-timeout server-timeout-value: Sets the server timeout timer in the range of 100 to 300 seconds. This timer sets the interval that the access device waits for a response from a RADIUS server before it regards the RADIUS server as unavailable. If the timer expires during MAC authentication, the user cannot access the network.
Examples
# Set the server timeout timer to 150 seconds.
<Sysname> system-view
[Sysname] mac-authentication timer server-timeout 150
Related commands
display mac-authentication
mac-authentication trigger after-portal
Use mac-authentication trigger after-portal to enable the MAC-after-portal feature.
Use undo mac-authentication trigger to restore the default.
Syntax
mac-authentication trigger after-portal [ wait-time wait-time-value ]
undo mac-authentication trigger
Default
This feature is disabled.
Views
WLAN-ESS interface view
Default command level
2: System level
Parameters
wait-time wait-time-value: Sets the period of time for which the device waits before the MAC authentication is triggered for portal-authenticated users. The value range for the wait-time-value argument is 1 to 30 seconds.
Usage guidelines
The MAC-after-portal feature triggers MAC authentication for only portal-authenticated users. The AC allows only these users to pass MAC authentication and assigns them to VLANs that perform local forwarding on an AP. For more information about local forwarding, see WLAN Configuration Guide.
Examples
# Enable the MAC-after-portal feature on WLAN-ESS 1.
<Sysname> system-view
[Sysname] interface wlan-ess 1
[Sysname-wlan-ess1] mac-authentication trigger after-portal
mac-authentication user-name-format
Use mac-authentication user-name-format to configure the type of user accounts for MAC authentication users.
Use undo mac-authentication user-name-format to restore the default.
Syntax
mac-authentication user-name-format { fixed [ account name ] [ password { cipher | simple } password ] | mac-address [ { with-hyphen | without-hyphen } [ lowercase | uppercase ] ] }
undo mac-authentication user-name-format
Default
Each user's MAC address is used as the username and password for MAC authentication. MAC addresses are in lower case without hyphens.
Views
System view
Default command level
2: System level
Parameters
fixed: Uses a shared account for all MAC authentication users.
account name: Specifies the username for the shared account. The name takes a case-insensitive string of 1 to 55 characters. If no username is specified, the default name mac applies.
password: Specifies the password for the shared user account:
cipher: Sets a ciphertext password.
simple: Sets a plaintext password.
password: Specifies the password. This argument is case sensitive. If simple is specified, it must be a string of 1 to 63 characters. If cipher is specified, it must be a ciphertext string of 1 to 117 characters.
mac-address: Uses MAC-based user accounts for MAC authentication users. If this option is specified, you must create one user account for each user, and use the MAC address of the user as both the username and password for the account. You can also specify the format of username and password:
· with-hyphen—Hyphenates the MAC address, for example xx-xx-xx-xx-xx-xx.
· without-hyphen—Excludes hyphens from the MAC address, for example, xxxxxxxxxxxx.
· lowercase—Enters letters in lower case.
· uppercase—Capitalizes letters.
Usage guidelines
MAC authentication supports the following types of user account:
· One MAC-based user account for each user. A user can pass MAC authentication only when its MAC address matches a MAC-based user account. This approach is suitable for an insecure environment.
· One shared user account for all users. Any user can pass MAC authentication on any MAC authentication enabled port. You can use this approach in a secure environment to limit network resources accessible to MAC authentication users, for example, by assigning an authorized ACL or VLAN for the shared account.
For secrecy, all passwords, including passwords configured in plaintext, are saved in cipher text.
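With MAC-based accounts, the account store (typically the RADIUS server) must hold each MAC in exactly the notation the mac-address options produce, or authentication fails for every user. The helper below is an added example, not part of this reference: it derives the username and password the device presents for a MAC under each with-hyphen/without-hyphen and lowercase/uppercase combination, and for a fixed account, and emits account lines in the FreeRADIUS users-file style (an assumed target; adapt the line format to whatever server you run).

```python
import re

MAC_HEX_RE = re.compile(r"^[0-9a-fA-F]{12}$")


def normalize_mac(mac):
    """Accept a MAC in colon, hyphen, dot or bare notation and return its
    12 hex digits in lower case. Raises ValueError on anything else."""
    digits = re.sub(r"[:.\-]", "", mac.strip())
    if not MAC_HEX_RE.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


def mac_account(mac, with_hyphen=False, uppercase=False):
    """Username and password the device uses for a MAC-based account under
    mac-authentication user-name-format mac-address [with-hyphen |
    without-hyphen] [lowercase | uppercase]. The defaults here match the
    command default: no hyphens, lower case. Both values are the MAC itself."""
    digits = normalize_mac(mac)
    if uppercase:
        digits = digits.upper()
    if with_hyphen:  # xx-xx-xx-xx-xx-xx
        name = "-".join(digits[i:i + 2] for i in range(0, 12, 2))
    else:            # xxxxxxxxxxxx
        name = digits
    return name, name


def fixed_account(name="mac", password=None):
    """Username and password under user-name-format fixed [account name]
    [password ...]; the default name is mac and the password may be unset."""
    return name, password


def users_file_entries(macs, with_hyphen=False, uppercase=False):
    """One FreeRADIUS-style users line per known MAC (assumed target format):
    <username> Cleartext-Password := "<password>". Invalid MACs are
    reported rather than silently dropped, so a typo cannot lock a host out."""
    entries, rejected = [], []
    for mac in macs:
        try:
            user, pw = mac_account(mac, with_hyphen, uppercase)
        except ValueError:
            rejected.append(mac)
            continue
        entries.append(f'{user} Cleartext-Password := "{pw}"')
    return entries, rejected


if __name__ == "__main__":
    # Constructed inventory; the last entry is deliberately malformed.
    inventory = ["00:1A:2B:3C:4D:5E", "00-1a-2b-3c-4d-5f", "001A.2B3C.4D60", "not-a-mac"]
    lines, bad = users_file_entries(inventory, with_hyphen=True, uppercase=True)
    print("\n".join(lines))
    print("rejected:", bad)
```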
Examples
# Configure a shared account for MAC authentication users: set the username as abc and password as a plaintext string of xyz.
<Sysname> system-view
[Sysname] mac-authentication user-name-format fixed account abc password simple xyz
# Configure a shared account for MAC authentication users: set the username as abc and password as a ciphertext string of $c$3$Uu9Dh4xRKWa8RHW3TFnNTafBbhdPAg.
<Sysname> system-view
[Sysname] mac-authentication user-name-format fixed account abc password cipher $c$3$Uu9Dh4xRKWa8RHW3TFnNTafBbhdPAg
# Use MAC-based user accounts for MAC authentication users, with each MAC address hyphenated and in upper case.
<Sysname> system-view
[Sysname] mac-authentication user-name-format mac-address with-hyphen uppercase
Related commands
display mac-authentication
reset mac-authentication statistics
Use reset mac-authentication statistics to clear MAC authentication statistics.
Syntax
reset mac-authentication statistics [ interface interface-list ]
Views
User view
Default command level
2: System level
Parameters
interface interface-list: Specifies a port list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. The start port and end port of a port range must be of the same type and the end port number must be greater than the start port number. A port range defined without the to interface-type interface-number portion comprises only one port.
Usage guidelines
If no port list is specified, the command clears all global and port-specific MAC authentication statistics.
If a port list is specified, the command clears the MAC authentication statistics on the specified ports.
Examples
# Clear MAC authentication statistics on port WLAN-ESS 1.
<Sysname> reset mac-authentication statistics interface wlan-ess 1
Related commands
display mac-authentication