MAC authentication commands
The WX1800H series, WX2500H series, and WX3000H series access controllers do not support the slot keyword or the slot-number argument.
display mac-authentication
Use display mac-authentication to display MAC authentication settings and statistics. The output includes configuration information, MAC authentication statistics, and online user statistics.
Syntax
display mac-authentication [ ap ap-name [ radio radio-id ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
ap ap-name: Specifies an AP by its name, a case-insensitive string of 1 to 64 characters. The string can contain letters, digits, underscores (_), dots (.), left brackets ([), right brackets (]), forward slashes (/), and minus signs (-).
radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by device model. If you do not specify a radio, this command displays MAC authentication settings and statistics for all radios on the specified AP.
Usage guidelines
If you do not specify any parameters, this command displays all MAC authentication settings and statistics.
Examples
# Display all MAC authentication settings and statistics.
<Sysname> display mac-authentication
Global MAC authentication parameters:
MAC authentication : Enabled
User name format : MAC address in lowercase(xxxxxxxxxxxx)
Username : mac
Password : Not configured
Offline detect period : 300 s
Quiet period : 60 s
Server timeout : 100 s
Authentication domain : Not configured, use default domain
Online MAC-auth wired users : 0
Online MAC-auth wireless users : 1
Silent MAC users:
MAC address VLAN ID From port Port index
AP name: AP1 Radio ID: 1 SSID: wlan_maca_ssid
BSSID : 487a-daa0-74f0
MAC authentication : Enabled
Authentication domain : Not configured
Max online users : 4096
Authentication attempts : successful 1, failed 0
Current online users : 1
MAC address Auth state
2477-032b-db8c Authenticated
Table 1 Command output
Field | Description |
---|---|
MAC authentication | Whether MAC authentication is enabled globally. |
User name format | User account type: MAC-based or shared. · If MAC-based accounts are used, this field displays the format settings for the username. For example, MAC address in lowercase(xxxxxxxxxxxx) indicates that the MAC address is in the hexadecimal notation without hyphens, and letters are in lower case. · If a shared account is used, this field displays Fixed account. |
Username | Username for MAC authentication. · If MAC-based accounts are used, this field displays mac. The device uses the MAC address of each user as the username and password for MAC authentication. · If a shared account is used, this field displays the username of the shared account for MAC authentication users. By default, the username is mac. |
Password | Password for MAC authentication. · If MAC-based accounts are used or if a shared account is used but no password is configured, this field displays Not configured. · If a shared account is used and a password is configured, this field displays a string of asterisks (******). |
Offline detect period | Offline detect timer. |
Quiet period | Quiet timer. |
Server timeout | Server timeout timer. |
Authentication domain | MAC authentication domain specified in system view. If no authentication domain is specified in system view, this field displays Not configured, use default domain. |
Online MAC-auth wired users | Number of wired online MAC authentication users, including users that have passed MAC authentication and users that are performing MAC authentication. |
Online MAC-auth wireless users | Number of wireless online MAC authentication users, including users that have passed MAC authentication and users that are performing MAC authentication. |
Silent MAC users | Information about silent MAC addresses. |
MAC address | Silent MAC address. |
VLAN ID | ID of the VLAN to which the silent MAC address belongs. |
From port | Name of the port that marks the MAC address as a silent MAC address. |
Port index | Index of the port that marks the MAC address as a silent MAC address. |
AP name | Name of the AP with which users are associated. |
Radio ID | ID of the radio with which users are associated. |
SSID | SSID with which users are associated. |
BSSID | ID of the BSS with which users are associated. |
display mac-authentication connection
Use display mac-authentication connection to display information about online MAC authentication users.
Syntax
display mac-authentication connection [ ap ap-name [ radio radio-id ] | slot slot-number | user-mac mac-address | user-name user-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
ap ap-name: Specifies an AP by its name, a case-insensitive string of 1 to 64 characters. The string can contain letters, digits, underscores (_), dots (.), left brackets ([), right brackets (]), forward slashes (/), and minus signs (-).
radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by device model. If you do not specify this option, the command displays information about all online MAC authentication users that are connected to the specified AP.
slot slot-number: Specifies an IRF member device by its member ID.
user-mac mac-address: Specifies an online MAC authentication user by its MAC address. The mac-address argument represents the MAC address of the user, in the form of H-H-H.
user-name user-name: Specifies an online MAC authentication user by its username. The user name is a case-sensitive string of 1 to 55 characters, and it can include the domain name.
Usage guidelines
If you do not specify any parameters, this command displays information about all online MAC authentication users.
Examples
# Display information about all online MAC authentication users.
<Sysname> display mac-authentication connection
Total connections: 1
Slot ID: 1
User MAC address : 0015-e9a6-7cfe
AP name : ap1
Radio ID : 1
SSID : wlan_dot1x_ssid
BSSID : 0015-e9a6-7cf0
User name : ias
Authentication domain : 1
Initial VLAN : 1
Authorization VLAN : 100
Authorization ACL number : 3001
Authorization user profile : N/A
Authorization URL : N/A
Termination action : Radius-request
Session timeout period : 2 sec
Online from : 2016/06/02 13:14:15
Online duration : 0h 2m 15s
Table 2 Command output
Field | Description |
---|---|
Total connections | Total number of online MAC authentication users. |
Slot ID | Member ID of the device. |
User MAC address | MAC address of the user. |
AP name | Name of the AP with which the user is associated. |
Radio ID | ID of the radio with which the user is associated. |
SSID | SSID with which the user is associated. |
BSSID | ID of the BSS with which the user is associated. |
Authentication domain | MAC authentication domain to which the user belongs. |
Initial VLAN | VLAN that holds the user before MAC authentication. |
Authorization VLAN | VLAN authorized to the user. |
Authorization ACL number | This field is not supported in the current software version. ACL authorized to the user. |
Authorization user profile | This field is not supported in the current software version. User profile authorized to the user. |
Authorization URL | This field is not supported in the current software version. Redirect URL authorized to the user. |
Termination action | Action attribute assigned by the server when the session timeout timer expires. The following server-assigned action attributes are available: · Default: Logs off the online authenticated user when the session timeout timer expires. · Radius-request: Reauthenticates the online user when the session timeout timer expires. If the device performs local authentication, this field displays N/A. |
Session timeout period | Session timeout timer assigned by the server. If the device performs local authentication, this field displays N/A. |
Online from | Time from which the MAC authentication user came online. |
Online duration | Online duration of the MAC authentication user. |
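The following parser for the display mac-authentication connection output is an added example, not code from the vendor documentation. It turns the output into one record per user and compares the online users against an asset inventory. The sample text is constructed (first record abridged from the example above, second record invented), and the assumption is that each user record begins at its "User MAC address" line.

```python
import re

# Constructed sample: first record abridged from the page's example output,
# second record invented for illustration.
SAMPLE = """\
Total connections: 2
Slot ID: 1
User MAC address : 0015-e9a6-7cfe
AP name : ap1
User name : ias
Authorization VLAN : 100
Online from : 2016/06/02 13:14:15
User MAC address : 0200-0000-0001
AP name : ap1
User name : ias
Authorization VLAN : 200
Online from : 2016/06/02 13:15:02
"""

def parse_connections(text):
    """Return one dict per user; a record starts at 'User MAC address' (assumption)."""
    sessions, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "User MAC address":
            current = {}
            sessions.append(current)
        if current is not None:  # skips the Total connections / Slot ID header lines
            current[key] = value
    return sessions

def review(sessions, inventory):
    """Return (online MACs absent from the inventory, session count per authorization VLAN)."""
    norm = lambda m: re.sub(r"[-:.]", "", m).lower()  # compare MACs regardless of notation
    known = {norm(m) for m in inventory}
    unknown = [s["User MAC address"] for s in sessions
               if norm(s["User MAC address"]) not in known]
    per_vlan = {}
    for s in sessions:
        vlan = s.get("Authorization VLAN", "N/A")
        per_vlan[vlan] = per_vlan.get(vlan, 0) + 1
    return unknown, per_vlan
```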
mac-authentication domain
Use mac-authentication domain to specify a global or service template-specific authentication domain.
Use undo mac-authentication domain to restore the default.
Syntax
mac-authentication domain domain-name
undo mac-authentication domain
Default
No authentication domain is specified for MAC authentication users. The system default authentication domain is used. For more information about the default authentication domain, see the domain default enable command in "AAA commands."
Views
System view
Service template view
Predefined user roles
network-admin
Parameters
domain-name: Specifies the name of an ISP domain, a case-insensitive string of 1 to 255 characters.
Usage guidelines
A service template chooses an authentication domain for MAC authentication users in the following order:
1. Authentication domain specified on the service template.
2. Global authentication domain specified in system view.
3. Default authentication domain.
Examples
# Specify domain domain1 as the global MAC authentication domain.
<Sysname> system-view
[Sysname] mac-authentication domain domain1
Related commands
display mac-authentication
domain default enable
mac-authentication timer server-timeout
Use mac-authentication timer server-timeout to set the server timeout timer for MAC authentication.
Use undo mac-authentication timer server-timeout to restore the default.
Syntax
mac-authentication timer server-timeout server-timeout-value
undo mac-authentication timer server-timeout
Default
The server timeout timer is 100 seconds.
Views
System view
Predefined user roles
network-admin
Parameters
server-timeout-value: Sets the server timeout timer in the range of 100 to 300, in seconds.
Usage guidelines
The server timeout timer sets the interval that the device waits for a response from a RADIUS server before the device regards the RADIUS server as unavailable. If the timer expires during MAC authentication, the user cannot access the network.
Examples
# Set the server timeout timer to 150 seconds.
<Sysname> system-view
[Sysname] mac-authentication timer server-timeout 150
Related commands
display mac-authentication
mac-authentication user-name-format
Use mac-authentication user-name-format to configure the type of user accounts for MAC authentication users.
Use undo mac-authentication user-name-format to restore the default.
Syntax
mac-authentication user-name-format { fixed [ account name ] [ password { cipher | simple } string ] | mac-address [ { with-hyphen [ six-section | three-section ] | without-hyphen } [ lowercase | uppercase ] ] }
undo mac-authentication user-name-format
Default
Each user's MAC address is used as the username and password for MAC authentication. A MAC address is in six-section format, and letters are in lower case.
Views
System view
Predefined user roles
network-admin
Parameters
fixed: Uses a shared account for all MAC authentication users.
account name: Specifies the username for the shared account. The name is a case-sensitive string of 1 to 55 characters, excluding the at sign (@). If you do not specify a username, the default name mac applies.
password: Specifies a password for the shared user account.
cipher: Specifies the password in encrypted form.
simple: Specifies the password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.
string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 63 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.
mac-address: Uses MAC-based user accounts for MAC authentication users. You can also specify the format of username and password by using the following keywords:
· with-hyphen: Includes hyphens in the MAC address.
  · six-section: Hyphenates the MAC address into six groups of two hexadecimal digits, for example, xx-xx-xx-xx-xx-xx or XX-XX-XX-XX-XX-XX.
  · three-section: Hyphenates the MAC address into three groups of four hexadecimal digits, for example, xxxx-xxxx-xxxx or XXXX-XXXX-XXXX.
  If you do not specify the six-section or three-section keyword, the MAC address is in six-section format.
· without-hyphen: Excludes hyphens from the MAC address, for example, xxxxxxxxxxxx or XXXXXXXXXXXX.
· lowercase: Specifies letters in lower case.
· uppercase: Specifies letters in upper case.
Usage guidelines
If you specify the MAC-based user account, the device uses the MAC address of a user as the username and password for MAC authentication of the user. This user account type ensures high authentication security. However, you must create on the authentication server a user account for each user, using the MAC address of the user as both the username and password.
If you specify a shared user account, the device uses the specified username and password for MAC authentication of all users. Because all MAC authentication users use a single account for authentication, you only need to create one account on the authentication server. This user account type is suitable for trusted networks.
Examples
# Configure a shared account for MAC authentication users, and set the username to abc and the password to the plaintext string xyz.
<Sysname> system-view
[Sysname] mac-authentication user-name-format fixed account abc password simple xyz
# Use MAC-based user accounts for MAC authentication users. Each MAC address must be in the hexadecimal notation with hyphens, and letters are in upper case.
<Sysname> system-view
[Sysname] mac-authentication user-name-format mac-address with-hyphen uppercase
Related commands
display mac-authentication
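With MAC-based accounts, the account on the authentication server must match the configured format character for character. The following helper is an added example, not vendor code: it renders a MAC address the way the keywords after mac-address describe, so server-side accounts can be generated from an inventory. The function names are hypothetical, and treating an omitted case keyword as lowercase is an assumption based on the Default section.

```python
import re

def parse_format(keywords):
    """Parse the keywords that follow 'mac-address' into (hyphen, group width, upper)."""
    words = keywords.split()
    if not words or words[0] not in ("with-hyphen", "without-hyphen"):
        raise ValueError("expected with-hyphen or without-hyphen first")
    hyphen, rest = words[0] == "with-hyphen", words[1:]
    width = 2  # six-section applies when no section keyword is given
    if rest and rest[0] in ("six-section", "three-section"):
        if not hyphen:
            raise ValueError("section keywords are valid only after with-hyphen")
        width = 2 if rest[0] == "six-section" else 4
        rest = rest[1:]
    upper = False  # assumption: lowercase when no case keyword is given
    if rest and rest[0] in ("lowercase", "uppercase"):
        upper, rest = rest[0] == "uppercase", rest[1:]
    if rest:
        raise ValueError("unexpected keyword: " + rest[0])
    return hyphen, width, upper

def render(mac, keywords):
    """Return the string used as both username and password for one MAC address."""
    hyphen, width, upper = parse_format(keywords)
    digits = re.sub(r"[-:.]", "", mac.strip()).lower()  # accept any common notation
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError("not a MAC address: " + mac)
    if upper:
        digits = digits.upper()
    if not hyphen:
        return digits
    return "-".join(digits[i:i + width] for i in range(0, 12, width))

def provision(inventory, keywords):
    """Return (account names to create, inventory entries that repeat an earlier MAC)."""
    names, dupes = [], []
    for mac in inventory:
        name = render(mac, keywords)
        if name in names:
            dupes.append(mac)
        else:
            names.append(name)
    return names, dupes
```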
reset mac-authentication statistics
Use reset mac-authentication statistics to clear MAC authentication statistics.
Syntax
reset mac-authentication statistics [ ap ap-name [ radio radio-id ] ]
Views
User view
Predefined user roles
network-admin
Parameters
ap ap-name: Specifies an AP by its name, a case-insensitive string of 1 to 64 characters. The string can contain letters, digits, underscores (_), dots (.), left brackets ([), right brackets (]), forward slashes (/), and minus signs (-).
radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by device model. If you do not specify a radio, this command clears MAC authentication statistics for all radios on the specified AP.
Usage guidelines
If you do not specify any parameters, this command clears all MAC authentication statistics.
Examples
# Clear all MAC authentication statistics.
<Sysname> reset mac-authentication statistics
Related commands
display mac-authentication