Hardware	MAC authentication and port compatibility
MSR810, MSR810-W, MSR810-W-DB, MSR810-LM, MSR810-W-LM, MSR810-10-PoE, MSR810-LM-HK, MSR810-W-LM-HK, MSR810-LMS-EA	Fixed Layer 2 Ethernet ports.
MSR810-LMS, MSR810-LUS	Fixed Layer 2 Ethernet ports.
MSR2600-6-X1, MSR2600-10-X1	Fixed Layer 2 Ethernet ports.
MSR3600-28, MSR3600-51, MSR3600-28-SI, MSR3600-51-SI	Fixed Layer 2 Ethernet ports.
MSR3600-28-X1, MSR3600-28-X1-DP, MSR3600-51-X1, MSR3600-51-X1-DP	Fixed Layer 2 Ethernet ports.
MSR3610-I-DP, MSR3610-IE-DP	Fixed Layer 2 Ethernet ports.
Routers installed with an Ethernet switching module	Layer 2 Ethernet ports on the following modules: · HMIM-8GSW. · HMIM-8GSWF. · HMIM-24GSW. · HMIM-24GSW-PoE. · SIC-4GSW. For more information about the support of the routers for these modules, see H3C MSR Router Series Comware 7 Interface Module Guide.

‌

The following routers can function as ACs:

· MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK.

· MSR2600-6-X1/2600-10-X1.

· MSR 2630.

· MSR3600-28/3600-51.

· MSR3600-28-X1/3600-28-X1-DP/3600-51-X1/3600-51-X1-DP.

· MSR3610-I-DP/3610-IE-DP.

· MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.

· MSR 3610/3620/3620-DP/3640/3660.

The following routers can function as APs:

· MSR810-W.

· MSR810-W-DB.

· MSR810-W-LM.

· MSR810-W-LM-HK.

display mac-authentication

Use display mac-authentication to display MAC authentication settings and statistics.

Syntax

display mac-authentication [ ap ap-name [ radio radio-id ] | interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by AP model. If you do not specify a radio, this command displays MAC authentication information for all radios on the specified AP.

interface interface-type interface-number: Specifies a port by its type and number. If the specified port is not enabled with MAC authentication, this command displays only global MAC authentication information.

Usage guidelines

If you do not specify any parameters, this command displays all MAC authentication information including the global settings, port-specific settings, MAC authentication statistics, and online user statistics.

Examples

# Display all MAC authentication settings and statistics.

<Sysname> display mac-authentication

Global MAC authentication parameters:

MAC authentication : Enabled

User name format : MAC address in lowercase(xx-xx-xx-xx-xx-xx)

Username : mac

Password : Not configured

Offline detect period : 300 s

Quiet period : 60 s

Server timeout : 100 s

Authentication domain : Not configured, use default domain

Online MAC-auth wired users : 1

Online MAC-auth wireless users : 2

Silent MAC users:

MAC address VLAN ID From port Port index

0001-0000-0001 100 GigabitEthernet1/0/2 21

0001-0000-0003 12 GigabitEthernet1/0/4 301

GigabitEthernet1/0/1 is link-up

MAC authentication : Enabled

Carry User-IP : Disabled

Authentication domain : Not configured

Auth-delay timer : Enabled

Auth-delay period : 60 s

Re-auth server-unreachable : Logoff

Guest VLAN : 100

Guest VLAN auth-period : 150 s

Critical VLAN : Not configured

Critical voice VLAN : Disabled

Host mode : Multiple VLAN

Max online users : 256

Authentication attempts : successful 2, failed 3

Current online users : 1

MAC address Auth state

0001-0000-0001 Unauthenticated

AP name: AP1 Radio ID: 1 SSID: wlan_maca_ssid

BSSID : 1111-1111-1111

MAC authentication : Enabled

Authentication domain : Not configured

Max online users : 256

Authentication attempts : successful 1, failed 0

Current online users : 2

MAC address Auth state

0001-0000-0002 Authenticated

0001-0000-0003 Unauthenticated

Table 1 Command output

Field	Description
MAC authentication	Whether MAC authentication is enabled globally.
User name format	User account type: MAC-based or shared. · If MAC-based accounts are used, this field displays the format settings for the username. For example, MAC address in lowercase(xx-xx-xx-xx-xx-xx) indicates that the MAC address is in six-section format, and letters are in lower case. · If a shared account is used, this field displays Fixed account.
Username	Username for MAC authentication. · If MAC-based accounts are used, this field displays mac. The device uses the MAC address of each user as the username and password for MAC authentication. · If a shared account is used, this field displays the username of the shared account for MAC authentication users. By default, the username is mac.
Password	Password for MAC authentication. · If MAC-based accounts are used or if a shared account is used but no password is configured, this field displays Not configured. · If a shared account is used and a password is configured, this field displays a string of asterisks (******).
Offline detect period	Offline detect timer.
Quiet period	Quiet timer.
Server timeout	Server timeout timer.
Authentication domain	MAC authentication domain specified in system view. If no authentication domain is specified in system view, this field displays Not configured, use default domain.
Online MAC-auth wired users	Number of wired online MAC authentication users, including users that have passed MAC authentication and users that are performing MAC authentication.
Online MAC-auth wireless users	Number of wireless online MAC authentication users, including users that have passed MAC authentication and users that are performing MAC authentication.
Silent MAC users	Information about silent MAC addresses.
MAC address	Silent MAC address.
VLAN ID	ID of the VLAN to which the silent MAC address belongs.
From port	Name of the port that marks the MAC address as a silent MAC address.
Port index	Index of the port that marks the MAC address as a silent MAC address.
GigabitEthernet1/0/1 is link-up	Status of the link on GigabitEthernet 1/0/1. In this example, the link is up.
MAC authentication	Whether MAC authentication is enabled on the port.
Carry User-IP	This field is not supported in the current software version. Whether user IP addresses are included in MAC authentication requests.
Authentication domain	MAC authentication domain specified for the port.
Auth-delay timer	Whether MAC authentication delay is enabled on the port.
Auth-delay period	MAC authentication delay timer.
Re-auth server-unreachable	Action taken when no server is reachable for MAC reauthentication: · Logoff—Logs off online MAC authentication users. · Online—Keeps MAC authenticated users online.
Guest VLAN	MAC authentication guest VLAN configured on the port. If no MAC authentication guest VLAN is configured, this field displays Not configured.
Guest VLAN auth-period	Authentication interval for users in the MAC authentication guest VLAN on the port.
Critical VLAN	MAC authentication critical VLAN configured on the port. If no MAC authentication critical VLAN is configured, this field displays Not configured.
Critical voice VLAN	Whether the MAC authentication critical voice VLAN feature is enabled on the port.
Host mode	· If multi-VLAN mode is disabled, this field displays Single VLAN. · If multi-VLAN mode is enabled, this field displays Multiple VLAN.
Max online users	Maximum number of concurrent online users allowed on the port.
Authentication attempts: successful 1, failed 0	MAC authentication statistics, including the number of successful and unsuccessful authentication attempts.
MAC address	MAC address of the online user.
Auth state	User status: · Authenticated—The user has passed MAC authentication. · Unauthenticated—The user failed MAC authentication.
AP name	Name of the AP with which users are associated.
Radio ID	ID of the radio with which users are associated.
SSID	SSID with which users are associated.
BSSID	ID of the BSS with which users are associated.

display mac-authentication connection

Use display mac-authentication connection to display information about online MAC authentication users.

Syntax

In standalone mode:

display mac-authentication connection [ ap ap-name [ radio radio-id ] | interface interface-type interface-number | user-mac mac-addr | user-name user-name ]

In IRF mode:

display mac-authentication connection [ ap ap-name [ radio radio-id ] | interface interface-type interface-number | slot slot-number | user-mac mac-addr | user-name user-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ap ap-name: Specifies an AP by its name, a case-insensitive string of 1 to 64 characters. The string can contain letters, digits, underscores (_), dots (.), left brackets ([), right brackets (]), forward slashes (/), and hyphens (-). If you do not specify an AP, this command displays information about online MAC authentication users for all APs.

radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by AP model. If you do not specify a radio, this command displays information about online MAC authentication users for all radios on the specified AP.

interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command displays information about online MAC authentication users for all ports.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays information about online MAC authentication users for all member devices. (In IRF mode.)

user-mac mac-address: Specifies an online MAC authentication user by its MAC address. The mac-address argument represents the MAC address of the user, in the form of H-H-H. If you do not specify an online MAC authentication user, this command displays online user information for all MAC authentication users.

user-name user-name: Specifies an online MAC authentication user by its username. The user name is a case-sensitive string of 1 to 55 characters, and it can include the domain name. If you do not specify an online MAC authentication user, this command displays online user information for all MAC authentication users.

Usage guidelines

(In standalone mode.) If you do not specify any parameters, this command displays information about online MAC authentication users for all ports.

(In IRF mode.) If you do not specify any parameters, this command displays information about online MAC authentication users for all member devices.

Examples

# (In standalone mode.) Display all online MAC authentication user information.

<Sysname> display mac-authentication connection

Total connections: 1

User MAC address: 0015-e9a6-7cfe

Access interface: GigabitEthernet1/0/1

Username: ias

Authentication domain: h3c

Initial VLAN: 1

Authorization untagged VLAN: 100

Authorization tagged VLAN: N/A

Authorization ACL number/name: 3001

Authorization user profile: N/A

Termination action: Radius-request

Session timeout period: 2 s

Online from: 2013/03/02 13:14:15

Online duration: 0h 2m 15s

User MAC address : 0015-e9a6-7cfe

AP name : ap1

Radio ID : 1

SSID : wlan_dot1x_ssid

BSSID : 0015-e9a6-7cf0

User name : ias

Authentication domain : 1

Initial VLAN : 1

Authorization VLAN : 100

Authorization ACL number : 3001

Authorization user profile : N/A

Authorization URL : N/A

Termination action : Radius-request

Session timeout period : 2 sec

Online from : 2014/06/02 13:14:15

Online duration : 0h 2m 15s

# (In IRF mode.) Display all online MAC authentication user information.

<Sysname> display mac-authentication connection

Total connections: 1

Slot ID: 0

User MAC address: 0015-e9a6-7cfe

Access interface: GigabitEthernet1/0/1

Username: ias

Authentication domain: h3c

Initial VLAN: 1

Authorization untagged VLAN: 100

Authorization tagged VLAN: N/A

Authorization ACL number/name: 3001

Authorization user profile: N/A

Termination action: Radius-request

Session timeout period: 2 s

Online from: 2013/03/02 13:14:15

Online duration: 0h 2m 15s

User MAC address : 0015-e9a6-7cfe

AP name : ap1

Radio ID : 1

SSID : wlan_dot1x_ssid

BSSID : 0015-e9a6-7cf0

User name : ias

Authentication domain : 1

Initial VLAN : 1

Authorization VLAN : 100

Authorization ACL number : 3001

Authorization user profile : N/A

Authorization URL : N/A

Termination action : Radius-request

Session timeout period : 2 sec

Online from : 2014/06/02 13:14:15

Online duration : 0h 2m 15s

Table 2 Command output

Field	Description
Total connections	Total number of online MAC authentication users.
User MAC address	MAC address of the user.
Access interface	Interface through which the user accesses the device.
AP name	Name of the AP with which the user is associated.
Radio ID	ID of the radio with which the user is associated.
SSID	SSID with which the user is associated.
BSSID	ID of the BSS with which the user is associated.
Authentication domain	MAC authentication domain to which the user belongs.
IPv4 address	IPv4 address of the user. If no user IPv4 address is available, this field is not displayed.
IPv6 address	IPv6 address of the user. If no user IPv6 address is available, this field is not displayed.
Initial VLAN	VLAN that holds the user before MAC authentication.
Authorization untagged VLAN	Untagged VLAN authorized to the user.
Authorization tagged VLAN	Tagged VLAN authorized to the user.
Authorization VLAN	VLAN authorized to the user.
Authorization ACL number/name	Number or name of the ACL authorized to the user. If no ACL is authorized, this field displays N/A. If ACL authorization fails, this field displays (NOT effective) after the ACL number or name.
Authorization user profile	User profile authorized to the user.
Authorization URL	URL authorized to the user.
Termination action	Action attribute assigned by the server to terminate the user session: · Default—Logs off the online authenticated user when the session timeout timer expires. · Radius-request—Reauthenticates the online user when the session timeout timer expires. If the device performs local authentication, this field displays N/A.
Session timeout period	Session timeout timer assigned by the server. If the device performs local authentication, this field displays N/A.
Online from	Time from which the MAC authentication user came online.
Online duration	Online duration of the MAC authentication user.

mac-authentication

Use mac-authentication to enable MAC authentication globally or on a port.

Use undo mac-authentication to disable MAC authentication globally or on a port.

Syntax

mac-authentication

undo mac-authentication

Default

MAC authentication is disabled globally or on any port.

Views

System view

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Usage guidelines

To use MAC authentication on a port, you must enable the feature both globally and on the port.

Examples

# Enable MAC authentication globally.

<Sysname> system-view

[Sysname] mac-authentication

# Enable MAC authentication on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] mac-authentication

Related commands

display mac-authentication

mac-authentication critical vlan

Use mac-authentication critical vlan to configure a MAC authentication critical VLAN on a port.

Use undo mac-authentication critical vlan to restore the default.

Syntax

mac-authentication critical vlan critical-vlan-id

undo mac-authentication critical vlan

Default

No MAC authentication critical VLAN exists on a port.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

critical-vlan-id: Specifies a VLAN as the MAC authentication critical VLAN. The value range for the VLAN ID is 1 to 4094. Make sure the VLAN has been created.

Usage guidelines

The MAC authentication critical VLAN accommodates users that have failed MAC authentication because all the servers in their ISP domains are unreachable. Users in the critical VLAN can access network resources in the critical VLAN.

You cannot specify a VLAN as both a super VLAN and a MAC authentication critical VLAN on a port. For more information about super VLANs, see Layer 2—LAN Switching Configuration Guide.

The critical VLAN feature takes effect when MAC authentication is performed only through RADIUS servers. If a MAC authentication user fails local authentication after RADIUS authentication, the user is not assigned to the critical VLAN.

Before you delete a VLAN that has been set as a MAC authentication critical VLAN, use the undo mac-authentication critical vlan command to remove the critical VLAN configuration.

Examples

# Configure VLAN 100 as the MAC authentication critical VLAN on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] mac-authentication critical vlan 100

Related commands

display mac-authentication

reset mac-authentication critical-vlan

mac-authentication critical-voice-vlan

Use mac-authentication critical-voice-vlan to enable the MAC authentication critical voice VLAN feature on a port.

Use undo mac-authentication critical-voice-vlan to disable the MAC authentication critical voice VLAN feature on a port.

Syntax

mac-authentication critical-voice-vlan

undo mac-authentication critical-voice-vlan

Default

The MAC authentication critical voice VLAN feature is disabled on a port.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Usage guidelines

The MAC authentication critical voice VLAN on a port accommodates MAC authentication voice users that have failed authentication because none of the RADIUS servers in their ISP domain are reachable.

Before you enable the MAC authentication critical voice VLAN feature on the port, make sure the following requirements are met:

· The port is configured with the voice VLAN.

To configure a voice VLAN on a port, use the voice-vlan enable command (see Layer 2—LAN Switching Command Reference).

· LLDP is enabled both globally and on the port.

The device uses LLDP to identify voice users. For information about LLDP commands, see Layer 2—LAN Switching Command Reference.

Examples

# Enable the MAC authentication critical voice VLAN feature on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] mac-authentication critical-voice-vlan

Related commands

display mac-authentication

lldp enable (Layer 2—LAN Switching Command Reference)

lldp global enable (Layer 2—LAN Switching Command Reference)

voice-vlan enable (Layer 2—LAN Switching Command Reference)

mac-authentication domain

Use mac-authentication domain to specify a global or port-specific authentication domain.

Use undo mac-authentication domain to restore the default.

Syntax

mac-authentication domain domain-name

undo mac-authentication domain

Default

The system default authentication domain is used. For more information about the default authentication domain, see the domain default enable command in "AAA commands."

Views

System view

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

domain-name: Specifies the name of an ISP domain, a case-insensitive string of 1 to 255 characters.

Usage guidelines

The global authentication domain applies to all MAC authentication-enabled ports. An authentication domain specified in Layer 2 Ethernet interface view applies only to the port. You can specify different authentication domains on different ports.

A port chooses an authentication domain for MAC authentication users in the following order:

1. Authentication domain specified on the port.

2. Global authentication domain specified in system view.

3. Default authentication domain.

Examples

# Specify ISP domain domain1 as the global MAC authentication domain.

<Sysname> system-view

[Sysname] mac-authentication domain domain1

# Specify ISP domain aabbcc as the MAC authentication domain on GigabitEthernet 1/0/1.

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] mac-authentication domain aabbcc

Related commands

display mac-authentication

domain default enable

mac-authentication guest-vlan

Use mac-authentication guest-vlan to configure a MAC authentication guest VLAN on a port.

Use undo mac-authentication guest-vlan to restore the default.

Syntax

mac-authentication guest-vlan guest-vlan-id

undo mac-authentication guest-vlan

Default

No MAC authentication guest VLAN exists on a port.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

guest-vlan-id: Specifies a VLAN as the MAC authentication guest VLAN. The value range for the VLAN ID is 1 to 4094. Make sure the VLAN has been created.

Usage guidelines

The MAC authentication guest VLAN accommodates users that have failed MAC authentication for any reason other than server unreachable. For example, the VLAN accommodates users with invalid passwords entered. You can deploy a limited set of network resources in the MAC authentication guest VLAN. For example, a software server for downloading software and system patches.

You cannot specify a VLAN as both a super VLAN and a MAC authentication guest VLAN on a port. For more information about super VLANs, see Layer 2—LAN Switching Configuration Guide.

Before you delete a VLAN that has been set as a MAC authentication guest VLAN, use the undo mac-authentication guest-vlan command to remove the guest VLAN configuration.

Examples

# Configure VLAN 100 as the MAC authentication guest VLAN on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] mac-authentication guest-vlan 100

Related commands

display mac-authentication

reset mac-authentication guest-vlan

mac-authentication guest-vlan auth-period

Use mac-authentication guest-vlan auth-period to set the interval at which the device authenticates users in the MAC authentication guest VLAN.

Use undo mac-authentication guest-vlan auth-period to restore the default.

Syntax

mac-authentication guest-vlan auth-period period-value

undo mac-authentication guest-vlan auth-period

Default

The device authenticates users in the MAC authentication guest VLAN every 30 seconds.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

period-value: Specifies the authentication interval for users in the MAC authentication guest VLAN. The value range is 1 to 3600, in seconds.

Examples

# Set the authentication interval to 150 seconds for users in the MAC authentication guest VLAN on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] mac-authentication guest-vlan auth-period 150

Related commands

display mac-authentication

mac-authentication guest-vlan

mac-authentication host-mode

Use mac-authentication host-mode multi-vlan to enable MAC authentication multi-VLAN mode on a port.

Use undo mac-authentication host-mode to restore the default.

Syntax

mac-authentication host-mode multi-vlan

undo mac-authentication host-mode

Default

MAC authentication multi-VLAN mode is disabled on a port. When the port receives a packet sourced from an authenticated MAC address in a VLAN not matching the existing MAC-VLAN mapping, the device logs off and reauthenticates the user.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Usage guidelines

The MAC authentication multi-VLAN mode prevents an authenticated online user from service interruption caused by VLAN changes on a port. When the port receives a packet sourced from the user in a VLAN not matching the existing MAC-VLAN mapping, the device neither logs off the user nor reauthenticates the user. The device creates a new MAC-VLAN mapping for the user, and traffic transmission is not interrupted. The original MAC-VLAN mapping for the user remains on the device until it dynamically ages out. As a best practice, configure this feature on hybrid or trunk ports.

This feature improves transmission of data that is vulnerable to delay and interference. It is typically applicable to IP phone users.

Examples

# Enable MAC authentication multi-VLAN mode on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] mac-authentication host-mode multi-vlan

Related commands

display mac-authentication

mac-authentication max-user

Use mac-authentication max-user to set the maximum number of concurrent MAC authentication users on a port.

Use undo mac-authentication max-user to restore the default.

Syntax

mac-authentication max-user max-number

undo mac-authentication max-user

Default

The default is 4294967295.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

max-number: Sets the maximum number of concurrent MAC authentication users on the port. The value range for this argument is 1 to 4294967295.

Usage guidelines

Set the maximum number of concurrent MAC authentication users on a port to prevent the system resources from being overused. When the maximum number is reached, the port denies subsequent MAC authentication users.

Examples

# Configure GigabitEthernet 1/0/1 to support a maximum of 32 concurrent MAC authentication users.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] mac-authentication max-user 32

Related commands

display mac-authentication

mac-authentication re-authenticate server-unreachable keep-online

Use mac-authentication re-authenticate server-unreachable keep-online to enable the keep-online feature on a port.

Use undo mac-authentication re-authenticate server-unreachable to restore the default.

Syntax

mac-authentication re-authenticate server-unreachable keep-online

undo mac-authentication re-authenticate server-unreachable

Default

The keep-online feature is disabled on a port. The device logs off online MAC authentication users if no server is reachable for MAC reauthentication.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Usage guidelines

The keep-online feature keeps authenticated MAC authentication users online when no server is reachable for MAC reauthentication.

Examples

# Enable the keep-online feature for authenticated MAC authentication users on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] mac-authentication re-authenticate server-unreachable keep-online

Related commands

display mac-authentication

mac-authentication timer

Use mac-authentication timer to configure a MAC authentication timer.

Use undo mac-authentication timer to restore the default of a MAC authentication timer.

Syntax

mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | server-timeout server-timeout-value }

undo mac-authentication timer { offline-detect | quiet | server-timeout }

Default

The following MAC authentication timers apply:

· The offline detect timer is 300 seconds.

· The quiet timer is 60 seconds.

· The server timeout timer is 100 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

offline-detect offline-detect-value: Specifies the offline detect timer in the range of 60 to 65535, in seconds.

quiet quiet-value: Specifies the quiet timer in the range of 1 to 3600, in seconds.

server-timeout server-timeout-value: Specifies the server timeout timer in the range of 100 to 300, in seconds.

Usage guidelines

MAC authentication uses the following timers:

· Offline detect timer—Sets the interval that the device waits for traffic from a user before the device determines that the user is idle. If the device has not received traffic from a user before the timer expires, the device logs off that user and requests the accounting server to stop accounting for the user.

· Quiet timer—Sets the interval that the device must wait before the device can perform MAC authentication for a user that has failed MAC authentication. All packets from the MAC address are dropped during the quiet time. This quiet mechanism prevents repeated authentication from affecting system performance.

· Server timeout timer—Sets the interval that the device waits for a response from a RADIUS server before the device determines that the RADIUS server is unavailable. If the timer expires during MAC authentication, the user cannot access the network.

Examples

# Set the server timeout timer to 150 seconds.

<Sysname> system-view

[Sysname] mac-authentication timer server-timeout 150

Related commands

display mac-authentication

mac-authentication timer auth-delay

Use mac-authentication timer auth-delay to enable MAC authentication delay and set the delay time.

Use undo mac-authentication timer auth-delay to restore the default.

Syntax

mac-authentication timer auth-delay time

undo mac-authentication timer auth-delay

Default

MAC authentication delay is disabled. MAC authentication starts immediately after it is triggered by a user packet.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

time: Specifies the delay time for MAC authentication in seconds. The value range is 1 to 180.

Usage guidelines

When both 802.1X authentication and MAC authentication are enabled on a port, you can delay MAC authentication so that 802.1X authentication is preferentially triggered. If no 802.1X authentication is triggered or if 802.1X authentication fails within the delay period, the port continues to process MAC authentication.

Do not set the port security mode to mac-else-userlogin-secure or mac-else-userlogin-secure-ext when you want to use MAC authentication delay. The delay does not take effect on a port in either of the two modes. For more information about port security modes, see "Port security commands."

Examples

# Enable MAC authentication delay on interface GigabitEthernet 1/0/1 and set the delay time to 10 seconds.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] mac-authentication timer auth-delay 10

Related commands

display mac-authentication

port-security port-mode

mac-authentication user-name-format

Use mac-authentication user-name-format to configure the type of user accounts for MAC authentication users.

Use undo mac-authentication user-name-format to restore the default.

Syntax

mac-authentication user-name-format { fixed [ account name ] [ password { cipher | simple } string ] | mac-address [ { with-hyphen [ six-section | three-section ] | without-hyphen } [ lowercase | uppercase ] ] }

undo mac-authentication user-name-format

Default

Each user's MAC address is used as the username and password for MAC authentication. A MAC address is in the hexadecimal notation without hyphens, and letters are in lower case.

Views

System view

Predefined user roles

network-admin

Parameters

fixed: Uses a shared account for all MAC authentication users.

account name: Specifies the username for the shared account. The name is a case-sensitive string of 1 to 55 characters, excluding the at sign (@). If you do not specify a username, the default name mac applies.

password: Specifies the password for the shared user account.

cipher: Specifies a password in encrypted form.

simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.

string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 63 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

mac-address: Uses MAC-based user accounts for MAC authentication users. You can also specify the format of username and password by using the following keywords:

· with-hyphen: Includes hyphens in the MAC address.

¡ six-section: Hyphenates the MAC address into six groups of two hexadecimal digits, for example, xx-xx-xx-xx-xx-xx or XX-XX-XX-XX-XX-XX.

¡ three-section: Hyphenates the MAC address into three groups of four hexadecimal digits, for example, xxxx-xxxx-xxxx or XXXX-XXXX-XXXX.

If you do not specify the six-section or three-section keyword, the MAC address is in six-section format.

· without-hyphen: Excludes hyphens from the MAC address, for example, xxxxxxxxxxxx or XXXXXXXXXXXX.

· lowercase: Specifies letters in lower case.

· uppercase: Specifies letters in upper case.

Usage guidelines

If you specify the MAC-based user account, the device uses the MAC address of a user as the username and password for MAC authentication of the user. This user account type ensures high authentication security. However, you must create on the authentication server a user account for each user, using the MAC address of the user as both the username and password.

If you specify a shared user account, the device uses the specified username and password for MAC authentication of all users. Because all MAC authentication users use a single account for authentication, you only need to create one account on the authentication server. This user account type is suitable for trusted networks.

Examples

# Configure a shared account for MAC authentication users, and set the username to abc and password to plaintext string of xyz.

<Sysname> system-view

[Sysname] mac-authentication user-name-format fixed account abc password simple xyz

# Use MAC-based user accounts for MAC authentication users. Each MAC address must be in the hexadecimal notation without hyphens, and letters are in upper case.

<Sysname> system-view

[Sysname] mac-authentication user-name-format mac-address without-hyphen uppercase

Related commands

display mac-authentication

reset mac-authentication critical-vlan

Use reset mac-authentication critical-vlan to remove users from the MAC authentication critical VLAN on a port.

Syntax

reset mac-authentication critical-vlan interface interface-type interface-number [ mac-address mac-address ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies a port by its type and number.

mac-address mac-address: Specifies a user by its MAC address. If you do not specify this option, the command removes all users from the MAC authentication critical VLAN on the port.

Examples

# Remove the user with MAC address 1-1-1 from the MAC authentication critical VLAN on GigabitEthernet 1/0/1.

<Sysname> reset mac-authentication critical-vlan interface gigabitethernet 1/0/1 mac-address 1-1-1

Related commands

display mac-authentication

mac-authentication critical vlan

reset mac-authentication guest-vlan

Use reset mac-authentication guest-vlan to remove users from the MAC authentication guest VLAN on a port.

Syntax

reset mac-authentication guest-vlan interface interface-type interface-number [ mac-address mac-address ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies a port by its type and number.

mac-address mac-address: Specifies a user by its MAC address. If you do not specify this option, the command removes all users from the MAC authentication guest VLAN on the port.

Examples

# Remove the user with MAC address 1-1-1 from the MAC authentication guest VLAN on GigabitEthernet 1/0/1.

<Sysname> reset mac-authentication guest-vlan interface gigabitethernet 1/0/1 mac-address 1-1-1

Related commands

display mac-authentication

mac-authentication guest-vlan

reset mac-authentication statistics

Use reset mac-authentication statistics to clear MAC authentication statistics.

Syntax

reset mac-authentication statistics [ ap ap-name [ radio radio-id ] | interface interface-type interface-number ]

Views

User view

Predefined user roles

network-admin

Parameters

radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by AP model. If you do not specify a radio, this command clears MAC authentication statistics for all radios on the specified AP.

interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command clears both global and port-specific MAC authentication statistics.

Usage guidelines

If you do not specify any parameters, this command clears all MAC authentication statistics.

Examples

# Clear MAC authentication statistics on GigabitEthernet 1/0/1.

<Sysname> reset mac-authentication statistics interface gigabitethernet 1/0/1

Related commands

display mac-authentication

12-Security Command Reference

MAC authentication commands

mac-authentication critical vlan

mac-authentication guest-vlan

Intelligent Terminal Products

Product Support Services

Technical Service Solutions

Resource Center

Policy

Online Help

Become a Partner

Partner Policy & Program

Global Learning

Partner Sales Resources

Service Business

News & Events

Contact Us