07-Security Command Reference

H3C WA Series Access Points Command References (R1507P09)-6W101

02-802.1X Commands

display dot1x

Use display dot1x to display information about 802.1X.

Syntax

display dot1x [ sessions | statistics ] [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

sessions: Displays 802.1X session information.

statistics: Displays 802.1X statistics.

interface interface-list: Specifies a port list, which can contain multiple ports. The interface-list argument is in the format interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where interface-type represents the port type, interface-number represents the port number, and &<1-10> means that you can provide up to 10 ports or port ranges. The start port number must be smaller than the end number, and the two ports must be of the same type.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Usage guidelines

If you do not specify the sessions or statistics keyword, the command displays all information about 802.1X, including session information, statistics, and configurations.

Examples

# Display all information about 802.1X.

<Sysname> display dot1x

 Equipment 802.1X protocol is enabled

 CHAP authentication is enabled

 Proxy trap checker is disabled

 Proxy logoff checker is disabled

 

 Configuration: Transmit Period   30 s,  Handshake Period       15 s

                Quiet Period      60 s,  Quiet Period Timer is disabled

                Supp Timeout      30 s,  Server Timeout        100 s

                Reauth Period   3600 s

                The maximal retransmitting times    2

 

 The maximum 802.1X user resource number is 128 per slot

 Total current used 802.1X resource number is 0

 

 GigabitEthernet1/0/1  is link-down

   802.1X protocol is disabled

   Proxy trap checker is   disabled

   Proxy logoff checker is disabled

   Handshake is enabled

   Handshake secure is disabled

   802.1X unicast-trigger is disabled

   Periodic reauthentication is disabled

   The port is an authenticator

   Authentication Mode is Auto

   Port Control Type is Mac-based

   802.1X Multicast-trigger is enabled

   Mandatory authentication domain: NOT configured

   Guest VLAN: NOT configured

   Auth-Fail VLAN: NOT configured

   Critical VLAN: NOT configured

   Critical recovery-action: NOT configured

   Max number of on-line users is 128

 

   EAPOL Packet: Tx 0, Rx 0

   Sent EAP Request/Identity Packets : 0

        EAP Request/Challenge Packets: 0

        EAP Success Packets: 0, Fail Packets: 0

   Received EAPOL Start Packets : 0

            EAPOL LogOff Packets: 0

            EAP Response/Identity Packets : 0

            EAP Response/Challenge Packets: 0

            Error Packets: 0

 

   Controlled User(s) amount to 0

 

WLAN-BSS2  is link-down

   802.1X protocol is enabled

   Proxy trap checker is   disabled

   Proxy logoff checker is disabled

   Handshake is disabled

   Handshake secure is disabled

   802.1X unicast-trigger is disabled

   Periodic reauthentication is disabled

   The port is an authenticator

   Authentication Mode is Auto

   Port Control Type is Mac-based

   802.1X Multicast-trigger is disabled

   Mandatory authentication domain: NOT configured

   Guest VLAN: NOT configured

   Auth-Fail VLAN: NOT configured

   Critical VLAN: NOT configured

   Critical recovery-action: NOT configured

   Max number of on-line users is 128

 

   EAPOL Packet: Tx 0, Rx 0

   Sent EAP Request/Identity Packets : 0

        EAP Request/Challenge Packets: 0

        EAP Success Packets: 0, Fail Packets: 0

   Received EAPOL Start Packets : 0

            EAPOL LogOff Packets: 0

            EAP Response/Identity Packets : 0

            EAP Response/Challenge Packets: 0

            Error Packets: 0

 

   Controlled User(s) amount to 0

Table 1 Command output

| Field | Description |
| --- | --- |
| Equipment 802.1X protocol is enabled | Whether 802.1X is enabled globally. |
| CHAP authentication is enabled | Whether CHAP authentication is enabled. |
| Proxy trap checker is disabled | Whether the device sends a trap when it detects that a user is accessing the network through a proxy. |
| Proxy logoff checker is disabled | Whether the device logs off the user when it detects that the user is accessing the network through a proxy. |
| Transmit Period | Username request timeout timer in seconds. |
| Handshake Period | Handshake timer in seconds. |
| Quiet Period | Quiet timer in seconds. |
| Quiet Period Timer is disabled | Status of the quiet timer. In this example, the quiet timer is disabled. |
| Supp Timeout | Client timeout timer in seconds. |
| Server Timeout | Server timeout timer in seconds. |
| Reauth Period | Periodic online user re-authentication timer in seconds. |
| The maximal retransmitting times | Maximum number of attempts for sending an authentication request to a client. |
| The maximum 802.1X user resource number per slot | Maximum number of concurrent 802.1X users per card. |
| Total current used 802.1X resource number | Total number of online 802.1X users. |
| XXX is link-down | Status of the port. In this example, the port status is down. |
| 802.1X protocol is disabled | Whether 802.1X is enabled on the port. |
| Proxy trap checker is disabled | Whether the port sends a trap when it detects that a user is accessing the network through a proxy. |
| Proxy logoff checker is disabled | Whether the port logs off the user when it detects that the user is accessing the network through a proxy. |
| Handshake is disabled | Whether the online user handshake function is enabled on the port. |
| Handshake secure is disabled | Whether handshake security is enabled on the port. |
| 802.1X unicast-trigger is disabled | Whether the unicast trigger function is enabled on the port. |
| Periodic reauthentication is disabled | Whether periodic online user re-authentication is enabled on the port. |
| The port is an authenticator | Role of the port. |
| Authentication Mode is Auto | Authorization state of the port. |
| Port Control Type is Mac-based | Access control method of the port. |
| 802.1X Multicast-trigger is enabled | Whether the 802.1X multicast trigger function is enabled. |
| Mandatory authentication domain | Mandatory authentication domain on the port. |
| Guest VLAN | 802.1X guest VLAN configured on the port. NOT configured is displayed if no guest VLAN is configured. The device does not support this field in the current software version. |
| Auth-Fail VLAN | Auth-Fail VLAN configured on the port. NOT configured is displayed if no Auth-Fail VLAN is configured. The device does not support this field in the current software version. |
| Critical VLAN | 802.1X critical VLAN configured on the port. NOT configured is displayed if no 802.1X critical VLAN is configured on the port. The device does not support this field in the current software version. |
| Critical recovery-action | Action that the port takes when an active (reachable) authentication server is detected for the 802.1X users in the critical VLAN: reinitialize (the port triggers authentication) or NOT configured (the port does not trigger authentication). The device does not support this field in the current software version. |
| Max number of on-line users | Maximum number of concurrent 802.1X users on the port. |
| EAPOL Packet | Number of sent (Tx) and received (Rx) EAPOL packets. |
| Sent EAP Request/Identity Packets | Number of sent EAP-Request/Identity packets. |
| EAP Request/Challenge Packets | Number of sent EAP-Request/Challenge packets. |
| EAP Success Packets | Number of sent EAP-Success packets. |
| Fail Packets | Number of sent EAP-Failure packets. |
| Received EAPOL Start Packets | Number of received EAPOL-Start packets. |
| EAPOL LogOff Packets | Number of received EAPOL-LogOff packets. |
| EAP Response/Identity Packets | Number of received EAP-Response/Identity packets. |
| EAP Response/Challenge Packets | Number of received EAP-Response/Challenge packets. |
| Error Packets | Number of received error packets. |
| Authenticated user | User that has passed 802.1X authentication. |
| Controlled User(s) amount | Number of authenticated users on the port. |

 

Related commands

·          reset dot1x statistics

·          dot1x

·          dot1x retry

·          dot1x max-user

·          dot1x port-control

·          dot1x port-method

·          dot1x timer
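As an added illustration (not part of this command reference), the Python below parses output in the layout shown above into a per-port structure and flags the settings from Table 1 that weaken port authentication. The sample text is constructed in that layout; the "Port-based" value on WLAN-BSS2 is an assumed spelling, since the page only shows "Mac-based".

```python
import re

# Constructed sample in the layout of this page's display dot1x output (not a real capture).
# "Port-based" on WLAN-BSS2 is an assumed spelling; the page only shows "Mac-based".
SAMPLE = """\
 Equipment 802.1X protocol is enabled
 Proxy trap checker is disabled
 Proxy logoff checker is disabled

 Configuration: Transmit Period   30 s,  Handshake Period       15 s
                Quiet Period      60 s,  Quiet Period Timer is disabled
                Supp Timeout      30 s,  Server Timeout        100 s
                Reauth Period   3600 s
                The maximal retransmitting times    2

 The maximum 802.1X user resource number is 128 per slot

 GigabitEthernet1/0/1  is link-down
   802.1X protocol is disabled
   Proxy trap checker is   disabled
   Proxy logoff checker is disabled
   Handshake is enabled
   The port is an authenticator
   Authentication Mode is Auto
   Port Control Type is Mac-based
   Max number of on-line users is 128

   Controlled User(s) amount to 0

WLAN-BSS2  is link-up
   802.1X protocol is enabled
   Proxy trap checker is   disabled
   Proxy logoff checker is disabled
   Handshake is disabled
   Periodic reauthentication is disabled
   The port is an authenticator
   Authentication Mode is Auto
   Port Control Type is Port-based
   Max number of on-line users is 128

   Controlled User(s) amount to 3
"""

PORT_HEADER = re.compile(r"^(\S+)\s+is link-(up|down)$")
STATE = re.compile(r"^(.+?)\s+is\s+(\S+)$")  # "<field> is <value>" lines
TIMER = re.compile(r"((?:Transmit|Handshake|Quiet|Reauth) Period|(?:Supp|Server) Timeout)\s+(\d+) s")
RETRIES = re.compile(r"retransmitting times\s+(\d+)")
USERS = re.compile(r"Controlled User\(s\) amount to (\d+)")


def parse_display_dot1x(text):
    """Return {'global': {...}, 'timers': {...}, 'ports': {name: {...}}}."""
    parsed = {"global": {}, "timers": {}, "ports": {}}
    section = parsed["global"]  # fields land here until the first port header
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = PORT_HEADER.match(line)
        if m:  # "<port>  is link-up/down" opens a new per-port block
            section = parsed["ports"].setdefault(m.group(1), {"link": m.group(2)})
            continue
        for name, secs in TIMER.findall(line):
            parsed["timers"][name] = int(secs)
        if m := RETRIES.search(line):
            parsed["timers"]["Max retries"] = int(m.group(1))
        elif m := USERS.search(line):
            section["online users"] = int(m.group(1))
        elif m := STATE.match(line):
            section[m.group(1)] = m.group(2)
    return parsed


def audit(parsed):
    """Flag settings from Table 1 that weaken or disable port authentication."""
    findings = []
    if parsed["global"].get("Equipment 802.1X protocol") != "enabled":
        findings.append(("high", "802.1X is disabled globally; per-port settings do not take effect"))
    for name, p in parsed["ports"].items():
        if p.get("802.1X protocol") != "enabled":
            findings.append(("high", f"{name}: 802.1X is disabled on the port"))
            continue
        if p.get("Authentication Mode") != "Auto":
            findings.append(("high", f"{name}: authorization state is {p.get('Authentication Mode')}, not auto"))
        if p.get("Port Control Type", "").lower() != "mac-based":
            findings.append(("medium", f"{name}: port-based control lets one authenticated user open the port for all"))
        if p.get("Handshake") != "enabled":
            findings.append(("medium", f"{name}: online user handshake disabled, so proxy detection cannot run"))
        if "enabled" not in (p.get("Proxy trap checker"), p.get("Proxy logoff checker")):
            findings.append(("low", f"{name}: proxy detection (trap/logoff) disabled"))
        if p.get("Periodic reauthentication") != "enabled":
            findings.append(("low", f"{name}: periodic re-authentication disabled; server-assigned ACL/VLAN never refreshed"))
    return findings


if __name__ == "__main__":
    result = parse_display_dot1x(SAMPLE)
    print("timers:", result["timers"])
    for severity, msg in audit(result):
        print(f"[{severity}] {msg}")
```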

dot1x

Use dot1x to enable 802.1X.

Use undo dot1x to disable 802.1X.

Syntax

In system view:

dot1x [ interface interface-list ]

undo dot1x [ interface interface-list ]

In Ethernet interface view:

dot1x

undo dot1x

Default

802.1X is neither enabled globally nor enabled for any port.

Views

System view, Ethernet interface view

Default command level

2: System level

Parameters

interface interface-list: Specifies a port list, which can contain multiple ports. The interface-list argument is in the format interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where interface-type represents the port type, interface-number represents the port number, and &<1-10> means that you can provide up to 10 ports or port ranges. The start port number must be smaller than the end number, and the two ports must be of the same type.

Usage guidelines

Use the dot1x command in system view to enable 802.1X globally.

Use the undo dot1x command in system view to disable 802.1X globally.

Use the dot1x interface command in system view or the dot1x command in interface view to enable 802.1X for specified ports.

Use the undo dot1x interface command in system view or the undo dot1x command in interface view to disable 802.1X for specified ports.

802.1X must be enabled both globally in system view and for the intended ports in system view or interface view. Otherwise, it does not function.

You can configure 802.1X parameters either before or after enabling 802.1X.

Do not configure this command on the uplink Ethernet ports.

Examples

# Enable 802.1X for the port GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] dot1x interface gigabitethernet 1/0/1

# Enable 802.1X globally.

<Sysname> system-view

[Sysname] dot1x

Related commands

display dot1x

dot1x authentication-method

Use dot1x authentication-method to specify an EAP message handling method.

Use undo dot1x authentication-method to restore the default.

Syntax

dot1x authentication-method { chap | eap | pap }

undo dot1x authentication-method

Default

The network access device performs EAP termination and uses CHAP to communicate with the RADIUS server.

Views

System view

Default command level

2: System level

Parameters

chap: Sets the access device to perform Extensible Authentication Protocol (EAP) termination and use the Challenge Handshake Authentication Protocol (CHAP) to communicate with the RADIUS server.

eap: Sets the access device to relay EAP packets, supporting any of the EAP authentication methods to communicate with the RADIUS server.

pap: Sets the access device to perform EAP termination and use the Password Authentication Protocol (PAP) to communicate with the RADIUS server.

Usage guidelines

The network access device terminates or relays EAP packets:

1. In EAP termination mode—The access device re-encapsulates the authentication data from the client in standard RADIUS packets, sends them to the RADIUS server, and performs either CHAP or PAP authentication with the RADIUS server. In this mode the RADIUS server supports only MD5-Challenge EAP authentication and "username+password" EAP authentication initiated by an iNode client.

    · PAP transports usernames and passwords in clear text. This authentication method applies to scenarios that do not require high security. To use PAP, the client must be an H3C iNode 802.1X client.

    · CHAP transports the username in plaintext and the password encrypted over the network. It is more secure than PAP.

2. In EAP relay mode—The access device relays EAP messages between the client and the RADIUS server. The EAP relay mode supports multiple EAP authentication methods, such as MD5-Challenge, EAP-TLS, and PEAP. To use this mode, you must make sure that the RADIUS server supports the EAP-Message and Message-Authenticator attributes and uses the same EAP authentication method as the client. If this mode is used, the user-name-format command configured in RADIUS scheme view does not take effect. For more information about the user-name-format command, see "RADIUS configuration commands."

If RADIUS authentication is used, you must configure the network access device to use the same authentication method (PAP, CHAP, or EAP) as the RADIUS server.

Examples

# Enable the access device to terminate EAP packets and perform PAP authentication with the RADIUS server.

<Sysname> system-view

[Sysname] dot1x authentication-method pap

Related commands

display dot1x

dot1x domain-delimiter

Use dot1x domain-delimiter to specify a set of domain name delimiters supported by the access device. Any character in the configured set can be used as the domain name delimiter for 802.1X authentication users.

Use undo dot1x domain-delimiter to restore the default.

Syntax

dot1x domain-delimiter string

undo dot1x domain-delimiter

Default

The access device supports only the at sign (@) delimiter for 802.1X users.

Views

System view

Default command level

2: System level

Parameters

string: Specifies a set of 1 to 16 domain name delimiters for 802.1X users. No space is required between delimiters. Available delimiters include the at sign (@), backslash (\), and forward slash (/).

Usage guidelines

The delimiter set you configure overrides the default setting. If @ is not included in the delimiter set, the access device does not support 802.1X users that use @ as the domain name delimiter.

If a username string contains multiple configured delimiters, the leftmost delimiter is the domain name delimiter. For example, if you configure @, /, and \ as delimiters, the domain name delimiter for the username string 123/22\@abc is the forward slash (/).

The cut connection user-name user-name and display connection user-name user-name commands are not available for 802.1X users that use / or \ as the domain name delimiter. For more information about the two commands, see "AAA configuration commands."

Examples

# Specify the characters @, /, and \ as domain name delimiters.

<Sysname> system-view

[Sysname] dot1x domain-delimiter @\/

dot1x handshake

Use dot1x handshake to enable the online user handshake function. The function enables the device to periodically send handshake messages to the client to check whether a user is online.

Use undo dot1x handshake to disable the function.

Syntax

dot1x handshake

undo dot1x handshake

Default

The function is enabled.

Views

Ethernet interface view, WLAN-BSS interface view

Default command level

2: System level

Usage guidelines

The 802.1X proxy detection function depends on the online user handshake function. Enable handshake before enabling proxy detection, and disable proxy detection before disabling handshake.

H3C recommends that you use the iNode client software to ensure the normal operation of the online user handshake function.

Examples

# Enable the online user handshake function.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x handshake

dot1x handshake secure

Use dot1x handshake secure to enable the online user handshake security function. The function enables the device to prevent users from using illegal client software.

Use undo dot1x handshake secure to disable the function.

Syntax

dot1x handshake secure

undo dot1x handshake secure

Default

The function is disabled.

Views

Ethernet interface view, WLAN-BSS interface view

Default command level

2: System level

Usage guidelines

The online user handshake security function is implemented on top of the online user handshake function. For the security function to take effect, make sure the online user handshake function is enabled.

H3C recommends you use the iNode client software and iMC server to ensure the normal operation of the online user handshake security function.

Examples

# Enable the online user handshake security function.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x handshake secure

Related commands

dot1x handshake

dot1x mandatory-domain

Use dot1x mandatory-domain to specify a mandatory 802.1X authentication domain on a port.

Use undo dot1x mandatory-domain to remove the mandatory authentication domain.

Syntax

dot1x mandatory-domain domain-name

undo dot1x mandatory-domain

Default

No mandatory authentication domain is specified.

Views

Ethernet interface view, WLAN-BSS interface view

Default command level

2: System level

Parameters

domain-name: Specifies the ISP domain name, a case-insensitive string of 1 to 24 characters.

Usage guidelines

When authenticating an 802.1X user trying to access the port, the system selects an authentication domain in the following order: the mandatory domain, the ISP domain specified in the username, and the default ISP domain.

To display or cut all 802.1X connections in a mandatory domain, use the display connection domain isp-name or cut connection domain isp-name command. The output from the display connection command without any parameters displays the domain names entered by users at login. For more information about the display connection command or the cut connection command, see "AAA configuration commands."

Examples

# Configure the mandatory authentication domain my-domain for 802.1X users on GigabitEthernet1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x mandatory-domain my-domain

# After 802.1X user usera passes the authentication, execute the display connection command to display the user connection information on GigabitEthernet1/0/1. For more information about the display connection command, see "AAA configuration commands."

[Sysname-GigabitEthernet1/0/1] display connection interface gigabitethernet 1/0/1

 

Index=68  ,Username=usera@my-domain

MAC=0015-e9a6-7cfe

IP=3.3.3.3

IPv6=N/A

 Total 1 connection(s) matched.
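The following Python is an added example, not part of this command reference, that models two rules from the dot1x domain-delimiter and dot1x mandatory-domain entries: the leftmost configured delimiter splits the username from the domain, and the domain is chosen in the order mandatory domain, domain in the username, default ISP domain. The default ISP domain name "system" is an assumption for this example.

```python
DEFAULT_DELIMITERS = "@"   # page default: only the at sign is a delimiter
ALLOWED_DELIMITERS = set("@/\\")


def dot1x_domain_delimiter(string):
    """Validate a delimiter set under the constraints of the string parameter:
    1 to 16 characters, each one of @, / or \\."""
    if not 1 <= len(string) <= 16:
        raise ValueError("string must contain 1 to 16 delimiters")
    bad = set(string) - ALLOWED_DELIMITERS
    if bad:
        raise ValueError("unsupported delimiter(s): " + "".join(sorted(bad)))
    return string


def split_username(username, delimiters=DEFAULT_DELIMITERS):
    """Split <user><delimiter><domain> on the leftmost configured delimiter.
    Returns (username, None) when no configured delimiter occurs, which is the
    case for a user whose delimiter (for example @) was left out of the set."""
    positions = [username.index(d) for d in delimiters if d in username]
    if not positions:
        return username, None
    cut = min(positions)                     # leftmost delimiter wins
    return username[:cut], username[cut + 1:]


def select_domain(username, mandatory_domain=None, default_domain="system",
                  delimiters=DEFAULT_DELIMITERS):
    """Authentication domain in the order the page gives: mandatory domain on the
    port, then the domain carried in the username, then the default ISP domain
    (its name "system" is assumed here, not taken from the page)."""
    if mandatory_domain:
        return mandatory_domain
    _user, domain = split_username(username, delimiters)
    return domain if domain else default_domain   # empty domain after a delimiter falls back


if __name__ == "__main__":
    delims = dot1x_domain_delimiter("@\\/")      # the page's example set
    print(split_username("123/22\\@abc", delims))  # the page's worked example
    print(select_domain("usera@other", mandatory_domain="my-domain"))
    print(select_domain("usera@my-domain"))
    print(select_domain("usera", default_domain="system"))
```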

Related commands

display dot1x

dot1x max-user

Use dot1x max-user to set the maximum number of concurrent 802.1X users on a port.

Use undo dot1x max-user to restore the default.

Syntax

In system view:

dot1x max-user user-number [ interface interface-list ]

undo dot1x max-user [ interface interface-list ]

In interface view:

dot1x max-user user-number

undo dot1x max-user

Default

The default is 128.

Views

System view, Ethernet interface view, WLAN-BSS interface view

Default command level

2: System level

Parameters

user-number: Specifies the maximum number of concurrent 802.1X users on a port. The value range is 1 to 128.

interface interface-list: Specifies a port list, which can contain multiple ports. The interface-list argument is in the format interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where interface-type represents the port type, interface-number represents the port number, and &<1-10> means that you can provide up to 10 ports or port ranges. The start port number must be smaller than the end number, and the two ports must be of the same type. If you do not specify the interface-list argument, the command applies to all ports.

Examples

# Set the maximum number of concurrent 802.1X users to 32 on port GigabitEthernet1/0/1.

<Sysname> system-view

[Sysname] dot1x max-user 32 interface gigabitethernet 1/0/1

Or

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x max-user 32

Related commands

display dot1x

dot1x multicast-trigger

Use dot1x multicast-trigger to enable the 802.1X multicast trigger function. The device acts as the initiator and periodically multicasts EAP-Request/Identity packets out of a port to detect 802.1X clients and trigger authentication.

Use undo dot1x multicast-trigger to disable the function.

Syntax

dot1x multicast-trigger

undo dot1x multicast-trigger

Default

The multicast trigger function is enabled.

Views

Ethernet interface view, WLAN-BSS interface view

Default command level

2: System level

Usage guidelines

You can use the dot1x timer tx-period command to set the interval for sending multicast EAP-Request/Identity packets.

Examples

# Enable the multicast trigger function on interface GigabitEthernet1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x multicast-trigger

Related commands

display dot1x

dot1x port-control

Use dot1x port-control to set the authorization state for the specified or all ports.

Use undo dot1x port-control to restore the default.

Syntax

In system view:

dot1x port-control { authorized-force | auto | unauthorized-force } [ interface interface-list ]

undo dot1x port-control [ interface interface-list ]

In interface view:

dot1x port-control { authorized-force | auto | unauthorized-force }

undo dot1x port-control

Default

The default port authorization state is auto.

Views

System view, Ethernet interface view, WLAN-BSS interface view

Default command level

2: System level

Parameters

authorized-force: Places the specified or all ports in the authorized state, enabling users on the ports to access the network without authentication.

auto: Places the specified or all ports initially in the unauthorized state to allow only EAPOL packets to pass, and after a user passes authentication, sets the port to the authorized state to allow access to the network. You can use this option in most scenarios.

unauthorized-force: Places the specified or all ports in the unauthorized state, denying any access requests from users on the ports.

interface interface-list: Specifies a port list, which can contain multiple ports. The interface-list argument is in the format interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where interface-type represents the port type, interface-number represents the port number, and &<1-10> means that you can provide up to 10 ports or port ranges. The start port number must be smaller than the end number, and the two ports must be of the same type.

Usage guidelines

In system view, if no interface is specified, the command applies to all ports.

Examples

# Set the authorization state of port GigabitEthernet1/0/1 to unauthorized-force.

<Sysname> system-view

[Sysname] dot1x port-control unauthorized-force interface gigabitethernet 1/0/1

Or

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x port-control unauthorized-force

Related commands

display dot1x

dot1x port-method

Use dot1x port-method to specify an access control method for the specified or all ports.

Use undo dot1x port-method to restore the default.

Syntax

In system view:

dot1x port-method { macbased | portbased } [ interface interface-list ]

undo dot1x port-method [ interface interface-list ]

In interface view:

dot1x port-method { macbased | portbased }

undo dot1x port-method

Default

MAC-based access control applies.

Views

System view, Ethernet interface view, WLAN-BSS interface view

Default command level

2: System level

Parameters

macbased: Uses MAC-based access control on a port to separately authenticate each user attempting to access the network. In this approach, when an authenticated user logs off, no other online users are affected.

portbased: Uses port-based access control on a port. In this approach, once an 802.1X user passes authentication on the port, any subsequent user can access the network through the port without authentication. When the authenticated user logs off, all other users are logged off.

interface interface-list: Specifies a port list, which can contain multiple ports. The interface-list argument is in the format interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where interface-type represents the port type, interface-number represents the port number, and &<1-10> means that you can provide up to 10 ports or port ranges for this argument. The start port number must be smaller than the end number, and the two ports must be of the same type.

Usage guidelines

In system view, if no interface is specified, the command applies to all ports.

Examples

# Configure port GigabitEthernet1/0/1 to implement port-based access control.

<Sysname> system-view

[Sysname] dot1x port-method portbased interface gigabitethernet 1/0/1

Or

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x port-method portbased
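The model below is an added example, not device code, that captures the behaviour the dot1x port-control and dot1x port-method entries describe: force modes bypass authentication entirely, auto passes only EAPOL until a user authenticates, and with portbased control one authenticated user opens the port for everyone and that user's logoff closes it for everyone. The MAC strings and the max-user accounting are constructed for illustration.

```python
class Dot1xPort:
    """Toy model of one 802.1X-controlled port as this page describes it.
    Not the device's implementation; written to make the two settings comparable."""

    CONTROLS = ("authorized-force", "auto", "unauthorized-force")
    METHODS = ("macbased", "portbased")

    def __init__(self, port_control="auto", port_method="macbased", max_user=128):
        if port_control not in self.CONTROLS or port_method not in self.METHODS:
            raise ValueError("unknown port-control or port-method")
        self.port_control = port_control
        self.port_method = port_method
        self.max_user = max_user            # dot1x max-user, 1 to 128 on the page
        self.authenticated = set()          # MACs that passed 802.1X on this port

    def authenticate(self, mac, passed):
        """Record an authentication result; returns True if mac is now an online 802.1X user."""
        if self.port_control != "auto":
            return False                    # force modes never run authentication
        if not passed or len(self.authenticated) >= self.max_user:
            return False
        self.authenticated.add(mac)
        return True

    def logoff(self, mac):
        """portbased: when the authenticated user logs off, all other users are logged off."""
        if self.port_method == "portbased" and mac in self.authenticated:
            self.authenticated.clear()
        else:
            self.authenticated.discard(mac)

    def allows(self, mac, eapol=False):
        """Whether a frame from mac is forwarded through the port."""
        if self.port_control == "authorized-force":
            return True                     # network access without authentication
        if self.port_control == "unauthorized-force":
            return False                    # all access requests denied
        if eapol:
            return True                     # auto: EAPOL passes while unauthorized
        if self.port_method == "portbased":
            return bool(self.authenticated)  # any authenticated user opens the port
        return mac in self.authenticated    # macbased: each user on its own


def scenario(port_method):
    """alice authenticates, bob never does. Returns (bob allowed while alice is online,
    bob allowed after alice logs off) so the two methods can be compared directly."""
    port = Dot1xPort("auto", port_method)
    port.authenticate("alice", passed=True)
    while_online = port.allows("bob")
    port.logoff("alice")
    after_logoff = port.allows("bob")
    return while_online, after_logoff


if __name__ == "__main__":
    for method in Dot1xPort.METHODS:
        print(method, scenario(method))
```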

Related commands

display dot1x

dot1x quiet-period

Use dot1x quiet-period to enable the quiet timer. When a client fails 802.1X authentication, the device must wait a period of time before it can process authentication requests from the client.

Use undo dot1x quiet-period to disable the timer.

Syntax

dot1x quiet-period

undo dot1x quiet-period

Default

The quiet timer is disabled.

Views

System view

Default command level

2: System level

Examples

# Enable the quiet timer.

<Sysname> system-view

[Sysname] dot1x quiet-period

Related commands

·          display dot1x

·          dot1x timer

dot1x re-authenticate

Use dot1x re-authenticate to enable the periodic online user re-authentication function.

Use undo dot1x re-authenticate to disable the function.

Syntax

dot1x re-authenticate

undo dot1x re-authenticate

Default

The periodic online user re-authentication function is disabled.

Views

Ethernet interface view, WLAN-BSS interface view

Default command level

2: System level

Usage guidelines

Periodic re-authentication enables the access device to periodically authenticate online 802.1X users on a port. This function tracks the connection status of online users and updates the authorization attributes assigned by the server, such as the ACL and VLAN.

You can use the dot1x timer reauth-period command to configure the interval for re-authentication.

Examples

# Enable the 802.1X periodic online user re-authentication function on GigabitEthernet1/0/1 and set the periodic re-authentication interval to 1800 seconds.

<Sysname> system-view

[Sysname] dot1x timer reauth-period 1800

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x re-authenticate

Related commands

dot1x timer reauth-period

dot1x retry

Use dot1x retry to set the maximum number of attempts for sending an authentication request to a client.

Use undo dot1x retry to restore the default.

Syntax

dot1x retry max-retry-value

undo dot1x retry

Default

By default, the device sends an authentication request to a client a maximum of two times.

Views

System view

Default command level

2: System level

Parameters

max-retry-value: Specifies the maximum number of attempts for sending an authentication request to a client, in the range of 1 to 10.

Usage guidelines

After the network access device sends an authentication request to a client, if it receives no response from the client within the username request timeout timer (set with the dot1x timer tx-period tx-period-value command) or the client timeout timer (set with the dot1x timer supp-timeout supp-timeout-value command), the device retransmits the authentication request. The device stops retransmitting the request once it has made the maximum number of request transmission attempts without receiving a response.

This command applies to all ports of the device.

Examples

# Set the maximum number of attempts for sending an authentication request to a client to 9.

<Sysname> system-view

[Sysname] dot1x retry 9

Related commands

display dot1x

dot1x supp-proxy-check

Use dot1x supp-proxy-check to enable the proxy detection function and set the processing method on the specified ports or all ports.

Use undo dot1x supp-proxy-check to disable the function on the specified ports or all ports.

Syntax

In system view:

dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]

undo dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]

In interface view:

dot1x supp-proxy-check { logoff | trap }

undo dot1x supp-proxy-check { logoff | trap }

Default

The proxy detection function is disabled. Users can use an authenticated 802.1X client as a network access proxy to bypass monitoring and accounting.

Views

System view, Ethernet interface view, WLAN-BSS interface view

Default command level

2: System level

Parameters

logoff: Logs off a user accessing the network through a proxy.

trap: Sends a trap to the network management system when a user is detected accessing the network through a proxy.

interface interface-list: Specifies a port list, which can contain multiple ports. The interface-list argument is in the format interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where interface-type represents the port type, interface-number represents the port number, and &<1-10> means that you can provide up to 10 ports or port ranges. The start port number must be smaller than the end number, and the two ports must be of the same type. If no port list is specified, the command applies to all ports.

Usage guidelines

This function requires the cooperation of the iNode client software.

The proxy detection function must be enabled both globally in system view and for the intended ports in system view or interface view. Otherwise, it does not work.

Examples

# Configure port GigabitEthernet 1/0/1 to send a trap when a user is detected accessing the network through a proxy.

<Sysname> system-view

[Sysname] dot1x supp-proxy-check trap

[Sysname] dot1x supp-proxy-check trap interface gigabitethernet 1/0/1

Or

<Sysname> system-view

[Sysname] dot1x supp-proxy-check trap

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x supp-proxy-check trap

Related commands

display dot1x

dot1x timer

Use dot1x timer to set 802.1X timers.

Use undo dot1x timer to restore the defaults.

Syntax

dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | reauth-period reauth-period-value | server-timeout server-timeout-value | supp-timeout supp-timeout-value | tx-period tx-period-value }

undo dot1x timer { handshake-period | quiet-period | reauth-period | server-timeout | supp-timeout | tx-period }

Default

The handshake timer is 15 seconds, the quiet timer is 60 seconds, the periodic re-authentication timer is 3600 seconds, the server timeout timer is 100 seconds, the client timeout timer is 30 seconds, and the username request timeout timer is 30 seconds.

Views

System view

Default command level

2: System level

Parameters

handshake-period-value: Sets the handshake timer in seconds. The value range is 5 to 1024.

quiet-period-value: Sets the quiet timer in seconds. The value range is 10 to 120.

reauth-period-value: Sets the periodic re-authentication timer in seconds. The value range is 60 to 7200.

server-timeout-value: Sets the server timeout timer in seconds. The value range is 100 to 300.

supp-timeout-value: Sets the client timeout timer in seconds. The value range is 1 to 120.

tx-period-value: Sets the username request timeout timer in seconds. The value range is 10 to 120.

Usage guidelines

You can set the client timeout timer to a high value in a low-performance network, set the quiet timer to a high value on a network exposed to repeated failed logon attempts (a longer quiet period slows down password guessing against 802.1X) or to a low value for quicker authentication response, and adjust the server timeout timer to suit the performance of different authentication servers. In most cases, the default settings are sufficient.

The network device uses the following 802.1X timers:

·          Handshake timer (handshake-period): Sets the interval at which the access device sends client handshake requests to check the online status of a client that has passed authentication. If the device receives no response after sending the maximum number of handshake requests, it considers that the client has logged off.

·          Quiet timer (quiet-period): Starts when a client fails authentication. The access device must wait this period before it processes further authentication attempts from the client.

·          Periodic re-authentication timer (reauth-period): Sets the interval at which the network device periodically re-authenticates online 802.1X users. To enable periodic online user re-authentication on a port, use the dot1x re-authenticate command. A change to the periodic re-authentication timer applies to users that are already online only after their current timer expires.

·          Server timeout timer (server-timeout): Starts when the access device sends a RADIUS Access-Request packet to the authentication server. If no response is received when this timer expires, the access device retransmits the request to the server.

·          Client timeout timer (supp-timeout): Starts when the access device sends an EAP-Request/MD5 Challenge packet to a client. If no response is received when this timer expires, the access device retransmits the request to the client.

·          Username request timeout timer (tx-period): Starts when the device sends an EAP-Request/Identity packet to a client in response to an authentication request. If the device receives no response before this timer expires, it retransmits the request. The timer also sets the interval at which the network device sends multicast EAP-Request/Identity packets to detect clients that cannot actively request authentication.

Examples

# Set the server timeout timer to 150 seconds.

<Sysname> system-view

[Sysname] dot1x timer server-timeout 150

Related commands

display dot1x

dot1x unicast-trigger

Use dot1x unicast-trigger to enable the 802.1X unicast trigger function.

Use undo dot1x unicast-trigger to disable the function.

Syntax

dot1x unicast-trigger

undo dot1x unicast-trigger

Default

The unicast trigger function is disabled.

Views

Ethernet interface view

Default command level

2: System level

Usage guidelines

The unicast trigger function enables the network access device to initiate 802.1X authentication when it receives a data frame from an unknown source MAC address. The device sends a unicast EAP-Request/Identity packet to that MAC address, and retransmits the packet if it receives no response within the username request timeout (set with the dot1x timer tx-period command). This process continues until the maximum number of request attempts (set with the dot1x retry command) is reached.
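The following Python is an added example, not code from the H3C documentation or the device. It models two things described above: the documented ranges and defaults of the dot1x timer command (so out-of-range values are caught before a configuration is pushed), and the EAP-Request/Identity retransmission loop that the unicast trigger runs against an unknown source MAC, paced by tx-period and bounded by dot1x retry. The function and class names, the sample values, and the reading of dot1x retry as the number of retransmissions after the first request are assumptions; the page does not state the retry semantics precisely.

```python
"""Model of the 802.1X timers and unicast-trigger retransmission behaviour.

Added illustration, not H3C code.  It range-checks 'dot1x timer' values and
simulates the authenticator's EAP-Request/Identity retransmissions for a client
that answers late or not at all.
"""
from dataclasses import dataclass

# Valid ranges and defaults in seconds, as documented for 'dot1x timer'.
TIMER_RANGES = {
    "handshake-period": (5, 1024),
    "quiet-period": (10, 120),
    "reauth-period": (60, 7200),
    "server-timeout": (100, 300),
    "supp-timeout": (1, 120),
    "tx-period": (10, 120),
}
TIMER_DEFAULTS = {
    "handshake-period": 15,
    "quiet-period": 60,
    "reauth-period": 3600,
    "server-timeout": 100,
    "supp-timeout": 30,
    "tx-period": 30,
}


def timer_cli_lines(overrides):
    """Return the 'dot1x timer ...' system-view lines that apply *overrides*.

    Unknown timer names and out-of-range values raise ValueError so a bad
    value is rejected before anything is sent to the device.  Values equal
    to the default are skipped, since the device would already be using them.
    """
    lines = []
    for name, value in overrides.items():
        if name not in TIMER_RANGES:
            raise ValueError(f"unknown 802.1X timer: {name}")
        low, high = TIMER_RANGES[name]
        if not isinstance(value, int) or not low <= value <= high:
            raise ValueError(f"{name} must be an integer in {low}..{high}, got {value!r}")
        if value != TIMER_DEFAULTS[name]:
            lines.append(f"dot1x timer {name} {value}")
    return lines


@dataclass
class IdentityRequestSim:
    """Authenticator side of the unicast-trigger EAP-Request/Identity exchange.

    tx_period: value of 'dot1x timer tx-period' in seconds.
    retries:   value of 'dot1x retry'.  ASSUMPTION: it counts retransmissions,
               so the device sends 1 + retries requests before giving up.
    """
    tx_period: int
    retries: int

    def run(self, reply_at=None):
        """Simulate from t=0, when a frame from an unknown MAC triggers the
        first unicast EAP-Request/Identity.

        reply_at: time the client's EAP-Response/Identity arrives
                  (None models a silent client, e.g. a host with no supplicant).
        Returns (send_times, outcome, t_end), where outcome is 'identity' if a
        response arrived before the last tx-period ran out, else 'gave-up'.
        """
        send_times = []
        t = 0
        for _ in range(1 + self.retries):
            send_times.append(t)
            deadline = t + self.tx_period
            if reply_at is not None and t <= reply_at < deadline:
                return send_times, "identity", reply_at
            t = deadline  # timer expired: retransmit (or stop after the last attempt)
        return send_times, "gave-up", t

    def worst_case_seconds(self):
        """How long a silent unknown MAC keeps the authenticator retransmitting."""
        return (1 + self.retries) * self.tx_period


if __name__ == "__main__":
    print(timer_cli_lines({"server-timeout": 150, "tx-period": 30}))
    sim = IdentityRequestSim(tx_period=30, retries=2)
    print(sim.run())             # silent client: three requests, then give up at 90 s
    print(sim.run(reply_at=45))  # client answers after the first retransmission
```

With the page's default tx-period of 30 seconds and two retries, a host that never answers ties up the authenticator for 90 seconds per trigger; raising tx-period on a port that sees many supplicant-less hosts lengthens that window, which is the trade-off the usage guidelines for the timers describe.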

Examples

# Enable the unicast trigger function for interface GigabitEthernet1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x unicast-trigger

Related commands

·          display dot1x

·          dot1x retry

·          dot1x timer tx-period

reset dot1x statistics

Use reset dot1x statistics to clear 802.1X statistics.

Syntax

reset dot1x statistics [ interface interface-list ]

Views

User view

Default command level

2: System level

Parameters

interface interface-list: Specifies a port list, which can contain multiple ports. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where interface-type represents the port type, interface-number represents the port number, and &<1-10> means that you can provide up to 10 ports or port ranges. The start port number must be smaller than the end number and the two ports must be of the same type.

Usage guidelines

If a list of ports is specified, the command clears 802.1X statistics for all the specified ports. If no ports are specified, the command clears all 802.1X statistics.

Examples

# Clear 802.1X statistics on port GigabitEthernet1/0/1.

<Sysname> reset dot1x statistics interface gigabitethernet 1/0/1

Related commands

display dot1x
