- Table of Contents
-
- 10-Security
- 00-Preface
- 01-AAA commands
- 02-802.1X commands
- 03-802.1X client commands
- 04-MAC authentication commands
- 05-Portal commands
- 06-User profile commands
- 07-Password control commands
- 08-Public key management commands
- 09-PKI commands
- 10-IPsec commands
- 11-SSH commands
- 12-SSL commands
- 13-Session management commands
- 14-Connection limit commands
- 15-Attack detection and prevention commands
- 16-IP source guard commands
- 17-ARP attack protection commands
- 18-ND attack defense commands
- 19-User isolation commands
- 20-ASPF commands
- Related Documents
-
Title | Size | Download |
---|---|---|
02-802.1X commands | 100.96 KB |
802.1X commands
The WX1800H series, WX2500H series, and WX3000H series access controllers do not support the slot keyword or the slot-number argument.
display dot1x
Use display dot1x to display information about 802.1X.
Syntax
display dot1x [ sessions | statistics ] [ ap ap-name [ radio radio-id ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
sessions: Displays 802.1X session information.
statistics: Displays 802.1X statistics.
ap ap-name: Specifies an AP by its name, a case-insensitive string of 1 to 64 characters. The string can contain letters, digits, underscores (_), dots (.), left brackets ([), right brackets (]), forward slashes (/), and minus signs (-).
radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by device model. If you do not specify a radio, this command displays 802.1X information for all radios on the specified AP.
Usage guidelines
If you do not specify the sessions or statistics keyword, this command displays all information about 802.1X, including session information, statistics, and settings.
If you do not specify the ap ap-name [ radio radio-id ] option, this command displays all 802.1X information.
Examples
# Display all information about 802.1X.
<Sysname> display dot1x
Global 802.1X parameters:
802.1X authentication : Enabled
CHAP authentication : Enabled
Max-tx period : 30 s
Handshake period : 15 s
Quiet timer : Disabled
Quiet period : 60 s
Supp timeout : 30 s
Server timeout : 100 s
Reauth period : 3600 s
Max auth requests : 2
EAD assistant function : Disabled
URL : http://www.dwsoft.com
Free IP : 6.6.6.0 255.255.255.0
EAD timeout : 30 min
Domain delimiter : @
Online 802.1X wired users : 1
Online 802.1X wireless users : 1
EAPOL packets: Tx 3, Rx 3
Sent EAP Request/Identity packets : 1
EAP Request/Challenge packets: 1
EAP Success packets: 1
EAP Failure packets: 0
Received EAPOL Start packets : 1
EAPOL LogOff packets: 1
EAP Response/Identity packets : 1
EAP Response/Challenge packets: 1
Error packets: 0
Online 802.1X users: 1
MAC address Auth state
0001-0000-0000 Authenticated
AP name: AP1 Radio ID: 1 SSID: wlan_dot1x_ssid
BSSID : 1111-1111-1111
802.1X authentication : Enabled
Handshake : Enabled
Handshake security : Disabled
Periodic reauth : Disabled
Mandatory auth domain : Not configured
Max online users : 4096
EAPOL packets: Tx 3, Rx 3
Sent EAP Request/Identity packets : 1
EAP Request/Challenge packets: 1
EAP Success packets: 1
EAP Failure packets: 0
Received EAPOL Start packets : 1
EAPOL LogOff packets: 1
EAP Response/Identity packets : 1
EAP Response/Challenge packets: 1
Error packets: 0
Online 802.1X users: 1
MAC address Auth state
0001-0000-0002 Authenticated
Field |
Description |
Global 802.1X parameters |
Global 802.1X configuration. |
802.1X authentication |
Whether 802.1X is enabled globally. |
CHAP authentication |
Performs EAP termination and uses CHAP to communicate with the RADIUS server. If EAP or PAP is enabled, this field is not available. |
EAP authentication |
Relays EAP packets and supports any of the EAP authentication methods to communicate with the RADIUS server. If CHAP or PAP is enabled, this field is not available. |
PAP authentication |
Performs EAP termination and uses PAP to communicate with the RADIUS server. If CHAP or EAP is enabled, this field is not available. |
Max-tx period |
Username request timeout timer in seconds. |
Handshake period |
Handshake timer in seconds. |
Quiet timer |
Status of the quiet timer, enabled or disabled. |
Quiet period |
Quiet timer in seconds. |
Supp timeout |
Client timeout timer in seconds. |
Server timeout |
Server timeout timer in seconds. |
Reauth period |
Periodic reauthentication timer in seconds. |
Max auth requests |
Maximum number of attempts for sending an authentication request to a client. |
EAD assistant function |
Whether EAD assistant is enabled. |
URL |
Redirect URL for unauthenticated users using a Web browser to access the network. |
Free IP |
Network segment accessible to unauthenticated users. |
EAD timeout |
EAD rule timer in minutes. |
Domain delimiter |
Domain delimiters supported by the device. |
Online 802.1X wired users |
Number of wired online 802.1X users, including users that have passed 802.1X authentication and users that are performing 802.1X authentication. |
Online 802.1X wireless users |
Number of wireless online 802.1X users, including users that have passed 802.1X authentication and users that are performing 802.1X authentication. |
EAPOL packets |
Number of sent (Tx) and received (Rx) EAPOL packets. |
Sent EAP Request/Identity packets |
Number of sent EAP-Request/Identity packets. |
EAP Request/Challenge packets |
Number of sent EAP-Request/MD5-Challenge packets. |
EAP Success packets |
Number of sent EAP-Success packets. |
EAP Failure packets |
Number of sent EAP-Failure packets. |
Received EAPOL Start packets |
Number of received EAPOL-Start packets. |
EAPOL LogOff packets |
Number of received EAPOL-LogOff packets. |
EAP Response/Identity packets |
Number of received EAP-Response/Identity packets. |
EAP Response/Challenge packets |
Number of received EAP-Response/MD5-Challenge packets. |
Error packets |
Number of received error packets. |
Online 802.1X users |
Number of online 802.1X users on the service template, including users that have passed 802.1X authentication and users that are performing 802.1X authentication. |
MAC address |
MAC addresses of the online 802.1X users. |
Auth state |
Authentication status of the online 802.1X users. |
AP name |
Name of the AP with which users are associated. |
Radio ID |
ID of the radio with which users are associated. |
SSID |
SSID with which users are associated. |
BSSID |
ID of the BSS with which users are associated. |
display dot1x connection
Use display dot1x connection to display information about online 802.1X users.
Syntax
display dot1x connection [ ap ap-name [ radio radio-id ] | slot slot-number | user-mac mac-address | user-name name-string ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
ap ap-name: Specifies an AP by its name, a case-insensitive string of 1 to 64 characters. The string can contain letters, digits, underscores (_), dots (.), left brackets ([), right brackets (]), forward slashes (/), and minus signs (-).
radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by device model. If you do not specify a radio, this command displays information about online 802.1X users that are connected to all radios on the specified AP.
slot slot-number: Specifies an IRF member device by its member ID.
user-mac mac-address: Specifies an 802.1X user by MAC address. The mac-address argument represents the MAC address of the user, in the form of H-H-H.
user-name name-string: Specifies an 802.1X user by its name. The name-string argument represents the username, a case-sensitive string of 1 to 253 characters.
Usage guidelines
If you do not specify any parameters, this command displays information about all online 802.1X users.
Examples
# Display information about all online 802.1X users.
<Sysname> display dot1x connection
Total connections: 1
Slot ID: 1
User MAC address : 0015-e9a6-7cfe
AP name : ap1
Radio ID : 1
SSID : wlan_dot1x_ssid
BSSID : 0015-e9a6-7cf0
User name : ias
Authentication domain : 1
IPv4 address : 192.168.1.1
IPv6 address : 2000:0:0:0:1:2345:6789:abcd
Authentication method : CHAP
Initial VLAN : 1
Authorization VLAN : N/A
Authorization ACL number : 3001
Authorization user profile : N/A
Termination action : Default
Session timeout period : 2 sec
Online from : 2013/03/02 13:14:15
Online duration : 0 h 2 m 15 s
Table 2 Command output
Field |
Description |
Total connections |
Number of online 802.1X users. |
Slot ID |
Member ID of the device. |
User MAC address |
MAC address of the user. |
Name of the AP with which the user is associated. |
|
ID of the radio with which the user is associated. |
|
SSID with which the user is associated. |
|
ID of the BSS with which the user is associated. |
|
Authentication domain |
ISP domain used for 802.1X authentication. |
IPv4 address |
IPv4 address of the user. If the device does not get the IPv4 address of the user, this field is not available. |
IPv6 address |
IPv6 address of the user. If the device does not get the IPv6 address of the user, this field is not available. |
Authentication method |
EAP message handling method: · CHAP—Performs EAP termination and uses CHAP to communicate with the RADIUS server. · EAP—Relays EAP packets and supports any of the EAP authentication methods to communicate with the RADIUS server. · PAP—Performs EAP termination and uses PAP to communicate with the RADIUS server. |
Initial VLAN |
VLAN to which the user belongs before 802.1X authentication. |
Authorization VLAN |
VLAN authorized to the user. |
Authorization ACL number |
ACL authorized to the user. |
Authorization user profile |
User profile authorized to the user. |
Termination action |
Action attribute assigned by the server when the session timeout timer expires: · Default—Logs off the online authenticated 802.1X user. This attribute does not take effect when periodic online user reauthentication is enabled and the periodic reauthentication timer is shorter than the session timeout timer. · Radius-request—Reauthenticates the online user when the session timeout timer expires, regardless of whether the periodic online reauthentication feature is enabled or not. If the device performs local authentication, this field displays N/A. |
Session timeout period |
Session timeout timer assigned by the server. If the device performs local authentication, this field displays N/A. |
Online from |
Time from which the 802.1X user came online. |
Online duration |
Online duration of the 802.1X user. |
dot1x authentication-method
Use dot1x authentication-method to specify an EAP message handling method.
Use undo dot1x authentication-method to restore the default.
Syntax
dot1x authentication-method { chap | eap | pap }
undo dot1x authentication-method
Default
The access device performs EAP termination and uses CHAP to communicate with the RADIUS server.
Views
System view
Predefined user roles
network-admin
Parameters
chap: Sets the access device to perform Extensible Authentication Protocol (EAP) termination and use the Challenge Handshake Authentication Protocol (CHAP) to communicate with the RADIUS server.
eap: Sets the access device to relay EAP packets, and supports any of the EAP authentication methods to communicate with the RADIUS server.
pap: Sets the access device to perform EAP termination and use the Password Authentication Protocol (PAP) to communicate with the RADIUS server.
Usage guidelines
The access device terminates or relays EAP packets.
· In EAP termination mode—The access device re-encapsulates and sends the authentication data from the client in standard RADIUS packets to the RADIUS server. The device performs either CHAP or PAP authentication with the RADIUS server. In this mode the RADIUS server supports only MD5-Challenge EAP authentication, and the username and password EAP authentication initiated by an iNode client.
¡ PAP transports usernames and passwords in plain text. The authentication method applies to scenarios that do not require high security. To use PAP, the client can be an iNode 802.1X client.
¡ CHAP transports usernames in plain text and passwords in encrypted form over the network. CHAP is more secure than PAP.
· In EAP relay mode—The access device relays EAP messages between the client and the RADIUS server. The EAP relay mode supports multiple EAP authentication methods, such as MD5-Challenge, EAP-TLS, and PEAP. To use this mode, make sure the RADIUS server meets the following requirements:
¡ Supports the EAP-Message and Message-Authenticator attributes.
¡ Uses the same EAP authentication method as the client.
If this mode is used, the user-name-format command configured in RADIUS scheme view does not take effect. For more information about the user-name-format command, see "RADIUS commands."
If RADIUS authentication is used, you must configure the access device to use the same authentication method (PAP, CHAP, or EAP) as the RADIUS server.
Examples
# Enable the access device to terminate EAP packets and perform PAP authentication with the RADIUS server.
<Sysname> system-view
[Sysname] dot1x authentication-method pap
Related commands
display dot1x
dot1x domain-delimiter
Use dot1x domain-delimiter to specify a set of domain name delimiters supported by the device.
Use undo dot1x domain-delimiter to restore the default.
Syntax
dot1x domain-delimiter string
undo dot1x domain-delimiter
Default
The device supports only the at sign (@) delimiter for 802.1X users.
Views
System view
Predefined user roles
network-admin
Parameters
string: Specifies a set of 1 to 16 domain name delimiters for 802.1X users. No space is required between delimiters. Available delimiters include the at sign (@), backslash (\), dot (.), and forward slash (/). If you want to use backslash (\) as the domain name delimiter, you must enter the escape character (\) along with the backslash (\) sign.
Usage guidelines
Any character in the configured set can be used as the domain name delimiter for 802.1X authentication users. Usernames that include domain names can use the format of username@domain-name, domain-name\username, username.domain-name, or username/domain-name.
The delimiter set you configured overrides the default setting. If the at sign (@) is not included in the delimiter set, the device does not support the 802.1X users who use this sign as the domain name delimiter.
If a username string contains multiple configured delimiters, the device takes the rightmost delimiter in the username string as the domain name delimiter. For example, if you configure the forward slash (/), dot (.), and backslash (\) as delimiters, the domain name delimiter for the username string 121.123/22\@abc is the backslash (\). The username is @abc and the domain name is 121.123/22.
Examples
# Specify the at sign (@) and forward slash (/) as domain name delimiters.
<Sysname> system-view
[Sysname] dot1x domain-delimiter @/
Related commands
display dot1x
dot1x ead-assistant enable
Use dot1x ead-assistant enable to enable the EAD assistant feature.
Use undo dot1x ead-assistant enable to disable the EAD assistant feature.
Syntax
dot1x ead-assistant enable
undo dot1x ead-assistant enable
Default
The EAD assistant feature is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
The EAD assistant feature enables the access device to redirect a user seeking to access the network to download and install EAD client. This feature eliminates the tedious job of the administrator to deploy EAD clients.
The feature is mutually exclusive with MAC authentication and OUI authentication. For EAD assistant to take effect on a service template, you must first disable MAC authentication on the service template and delete all OUIs configured for OUI configuration.
To make the EAD assistant feature take effect on a service template, you must enable 802.1X on the service template.
Examples
# Enable the EAD assistant feature.
<Sysname> system-view
[Sysname] dot1x ead-assistant enable
Related commands
· display dot1x
· dot1x ead-assistant free-ip
· dot1x ead-assistant url
dot1x ead-assistant free-ip
Use dot1x ead-assistant free-ip to configure a free IP.
Use undo dot1x ead-assistant free-ip to remove the specified or all free IP addresses.
Syntax
dot1x ead-assistant free-ip ip-address { mask-address | mask-length }
undo dot1x ead-assistant free-ip { ip-address { mask-address | mask-length } | all }
Default
No free IP is configured. Users cannot access any segments before they pass 802.1X authentication.
Views
System view
Predefined user roles
network-admin
Parameters
ip-address: Specifies a freely accessible IP address segment, also called a free IP.
mask: Specifies an IP address mask.
mask-length: Specifies IP address mask length in the range of 1 to 32.
all: Removes all free IP addresses.
Usage guidelines
Execute this command multiple times to configure multiple free IPs.
With EAD assistant enabled on the device, unauthenticated 802.1X users can access the network resources in the free IP segments before they pass 802.1X authentication.
Examples
# Configure 192.168.1.1/16 as a free IP.
<Sysname> system-view
[Sysname] dot1x ead-assistant free-ip 192.168.1.1 255.255.0.0
Related commands
· display dot1x
· dot1x ead-assistant enable
· dot1x ead-assistant url
dot1x ead-assistant url
Use dot1x ead-assistant url to configure a redirect URL.
Use undo dot1x ead-assistant url to restore the default.
Syntax
dot1x ead-assistant url url-string
undo dot1x ead-assistant url
Default
No redirect URL is configured.
Views
System view
Predefined user roles
network-admin
Parameters
url-string: Specifies the redirect URL, a case-insensitive string of 1 to 64 characters in the format http://string.
Usage guidelines
When an unauthenticated user uses a Web browser to access networks other than the free IP, the device redirects the user to the redirect URL.
The redirect URL must be on the free IP subnet.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Configure the redirect URL as http://test.com.
<Sysname> system-view
[Sysname] dot1x ead-assistant url http://test.com
Related commands
· display dot1x
· dot1x ead-assistant enable
· dot1x ead-assistant free-ip
dot1x retry
Use dot1x retry to set the maximum number of attempts for sending an authentication request to a client.
Use undo dot1x retry to restore the default.
Syntax
dot1x retry retries
undo dot1x retry
Default
The maximum number of attempts is 2.
Views
System view
Predefined user roles
network-admin
Parameters
retries: Sets the maximum number of attempts for sending an authentication request to a client. The value range is 1 to 10.
Usage guidelines
The access device retransmits an authentication request to a client in any of the following situations:
· The device does not receive any responses from the client within the username request timeout timer. The timer is set by using the dot1x timer tx-period tx-period-value command for the EAP-Request/Identity packet.
· The device does not receive any responses from the client within the client timeout timer. The timer is set by using the dot1x timer supp-timeout supp-timeout-value command for the EAP-Request/MD5-Challenge packet.
The access device stops retransmitting the request, if it has made the maximum number of request transmission attempts but still received no response.
Examples
# Set the maximum number of attempts to 9 for sending an authentication request to a client.
<Sysname> system-view
[Sysname] dot1x retry 9
Related commands
· display dot1x
· dot1x timer
dot1x timer
Use dot1x timer to set 802.1X timers.
Use undo dot1x timer to restore the defaults.
Syntax
dot1x timer { ead-timeout ead-timeout-value | handshake-period handshake-period-value | quiet-period quiet-period-value | reauth-period reauth-period-value | server-timeout server-timeout-value | supp-timeout supp-timeout-value | tx-period tx-period-value }
undo dot1x timer { ead-timeout | handshake-period | quiet-period | reauth-period | server-timeout | supp-timeout | tx-period }
Default
The following 802.1X timers apply:
· EAD rule timer: 30 minutes.
· Handshake timer: 15 seconds.
· Quiet timer: 60 seconds.
· Periodic reauthentication timer: 3600 seconds.
· Server timeout timer: 100 seconds.
· Client timeout timer: 30 seconds.
· Username request timeout timer: 30 seconds.
Views
System view
Predefined user roles
network-admin
Parameters
ead-timeout ead-timeout-value: Sets the EAD rule timer in minutes. The value range for the ead-timeout-value argument is 1 to 1440.
handshake-period handshake-period-value: Sets the handshake timer in seconds. The value range for the handshake-period-value argument is 5 to 1024.
quiet-period quiet-period-value: Sets the quiet timer in seconds. The value range for the quiet-period-value argument is 10 to 120.
reauth-period reauth-period-value: Sets the periodic reauthentication timer in seconds. The value range for the reauth-period-value argument is 60 to 7200.
server-timeout server-timeout-value: Sets the server timeout timer in seconds. The value range for the server-timeout-value argument is 100 to 300.
supp-timeout supp-timeout-value: Sets the client timeout timer in seconds. The value range for the supp-timeout-value argument is 1 to 120.
tx-period tx-period-value: Sets the username request timeout timer in seconds. The value range for the tx-period-value argument is 1 to 120.
Usage guidelines
In most cases, the default settings are sufficient. You can edit the timers, depending on the network conditions.
· In a low-speed network, increase the client timeout timer.
· In a vulnerable network, set the quiet timer to a high value.
· In a high-performance network with quick authentication response, set the quiet timer to a low value.
· In a network with authentication servers of different performance, adjust the server timeout timer.
The periodic reauthentication timer does not take effect if the server has assigned a session timeout timer to the device.
The change to the periodic reauthentication timer applies to the users who have been online only after the old timer expires. Other timer changes take effect immediately on the device.
The network device uses the following 802.1X timers:
· EAD rule timer (EAD timeout)—Sets the lifetime of each EAD rule. When the timer expires or the user passes authentication, the rule is removed. If users fail to download the EAD client or fail to pass authentication within the timer, they must reconnect to the network to access the free IP.
· Handshake timer (handshake-period)—Sets the interval at which the access device sends client handshake requests to check the online status of a client that has passed authentication. If the device receives no response after sending the maximum number of handshake requests, it considers that the client has logged off.
· Quiet timer (quiet-period)—Starts when a client fails authentication. The access device must wait the time period before it can process the authentication attempts from the client.
· Periodic reauthentication timer (reauth-period)—Sets the interval at which the network device periodically reauthenticates online 802.1X users. To enable periodic online user reauthentication on a service template, use the dot1x re-authenticate command.
· Server timeout timer (server-timeout)—Starts when the access device sends a RADIUS Access-Request packet to the authentication server. If no response is received when this timer expires, the access device retransmits the request to the server.
· Client timeout timer (supp-timeout)—Starts when the access device sends an EAP-Request/MD5-Challenge packet to a client. If no response is received when this timer expires, the access device retransmits the request to the client.
· Username request timeout timer (tx-period)—Starts when the device sends an EAP-Request/Identity packet to a client in response to an authentication request. If the device receives no response before this timer expires, it retransmits the request. The timer also sets the interval at which the network device sends multicast EAP-Request/Identity packets to detect clients that cannot actively request authentication.
Examples
# Set the server timeout timer to 150 seconds.
<Sysname> system-view
[Sysname] dot1x timer server-timeout 150
Related commands
display dot1x
reset dot1x statistics
Use reset dot1x statistics to clear 802.1X statistics.
Syntax
reset dot1x statistics [ ap ap-name [ radio radio-id ] ]
Views
User view
Predefined user roles
network-admin
Parameters
ap ap-name: Specifies an AP by its name, a case-insensitive string of 1 to 64 characters. The string can contain letters, digits, underscores (_), dots (.), left brackets ([), right brackets (]), forward slashes (/), and minus signs (-).
radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by device model. If you do not specify a radio, this command clears 802.1X statistics for all radios on the specified AP.
Usage guidelines
If you do not specify any parameters, this command clears all 802.1X statistics.
Examples
# Clear all 802.1X statistics.
<Sysname> reset dot1x statistics
display dot1x