07-Security Command Reference

03-MAC Authentication Commands

display mac-authentication

Use display mac-authentication to display MAC authentication settings and statistics, including global settings, and port-specific settings and MAC authentication and online user statistics.

Syntax

display mac-authentication [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

2: System level

Parameters

interface interface-list: Specifies a port list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. The start port and end port of a port range must be of the same type and the end port number must be greater than the start port number. A port range defined without the to interface-type interface-number portion comprises only one port.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Usage guidelines

If you specify a list of ports, the command displays global settings, and port-specific settings and statistics only for the specified ports.

If you do not specify any port, the command displays global settings, and port-specific settings and statistics for all ports.

Examples

# Display all MAC authentication settings and statistics.

<Sysname> display mac-authentication
MAC address authentication is enabled.
 User name format is MAC address in lowercase, like xxxxxxxxxxxx
 Fixed username:mac
 Fixed password:not configured
 Offline detect period is 300s
 Quiet period is 60s.
 Server response timeout value is 100s
 the max allowed user number is 128 per slot
 Current user number amounts to 0
Current domain: not configured, use default domain

Silent Mac User info:
         MAC Addr         From Port           Port Index
GigabitEthernet1/0/1 is link-up
  MAC address authentication is enabled
  Authenticate success: 0, failed: 0
Max number of on-line users is 128
  Current online user number is 0
MAC Addr         Authenticate state           AuthIndex
…(output omitted)

Table 1 Command output

Field

Description

MAC address authentication is enabled

Whether MAC authentication is enabled.

User name format is MAC address in lowercase, like xxxxxxxxxxxx

Type of user account, which can be MAC-based or shared.

·         If MAC-based accounts are used, this field displays "User name format is MAC address…" and the format settings for usernames and passwords. For example, MAC addresses without hyphens in lower case.

·         If a shared account is used, this field displays "User name format is fixed account."

Fixed username:

Username of the shared account for MAC authentication users. If MAC-based accounts are used, this field displays mac.

Fixed password:

Password of the shared account for MAC authentication users.

·         If MAC-based accounts are used or if a shared account is used but no password is configured, this field displays not configured.

·         If a shared account is used and a password is configured, this field displays ******.

Offline detect period

Setting of the offline detect timer.

Quiet period

Setting of the quiet timer.

Server response timeout value

Setting of the server timeout timer.

the max allowed user number

Maximum number of users each slot supports.

Current user number amounts to

Number of online users.

Current domain: not configured, use default domain

Authentication domain that is currently used.

Silent Mac User info

Information about silent MAC addresses. A MAC address is marked silent when it fails a MAC authentication, and at the same time, a quiet timer starts. Before the timer expires, the device drops any packet from the MAC address and does not perform MAC authentication for the MAC address.

GigabitEthernet1/0/1 is link-up

Status of the link on port GigabitEthernet 1/0/1. In this example, the link is up.

MAC address authentication is enabled

Whether MAC authentication is enabled on port GigabitEthernet 1/0/1.

Authenticate success: 0, failed: 0

MAC authentication statistics, including the number of successful and unsuccessful authentication attempts.

Max number of on-line users

Maximum number of concurrent online users allowed on the port.

If MAC authentication is not enabled on the port, the field displays 0.

Current online user number

Number of online users on the port.

MAC Addr

MAC address of the online user.

Authenticate state

User status. Possible values include the following:

·         MAC_AUTHENTICATOR_CONNECT—The user is logging in.

·         MAC_AUTHENTICATOR_SUCCESS—The user has passed the authentication.

·         MAC_AUTHENTICATOR_FAIL—The user failed the authentication.

·         MAC_AUTHENTICATOR_LOGOFF—The user has logged off.

AuthIndex

Authenticator index.
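The output above is what an operator reads by hand; for periodic checks it is more useful to parse it. The following Python script is an added example, not part of this H3C reference: it splits the display mac-authentication output into the global section and per-port entries, then flags link-up ports left without MAC authentication while it is enabled globally, and ports whose failed counter has grown (unexpected MAC addresses on the port, or an account-format mismatch at the RADIUS server). The sample output is constructed from the format shown above, with a second, disabled port added.

```python
import re

# Constructed sample modelled on the display mac-authentication output above;
# a second port with MAC authentication disabled is added for the check.
SAMPLE_OUTPUT = """\
MAC address authentication is enabled.
 User name format is MAC address in lowercase, like xxxxxxxxxxxx
 Current user number amounts to 2
Current domain: not configured, use default domain
GigabitEthernet1/0/1 is link-up
  MAC address authentication is enabled
  Authenticate success: 7, failed: 3
  Current online user number is 2
GigabitEthernet1/0/2 is link-up
  MAC address authentication is disabled
  Authenticate success: 0, failed: 0
  Current online user number is 0
"""

PORT_RE = re.compile(r"^(\S+) is link-(up|down)$")
ENABLED_RE = re.compile(r"^MAC address authentication is (enabled|disabled)\.?$")
STATS_RE = re.compile(r"^Authenticate success: (\d+), failed: (\d+)$")

def parse_mac_auth(text):
    """Split the output into global settings and a dict of per-port entries.
    Lines before the first '... is link-up/down' line are the global section."""
    glob, ports, cur = {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := PORT_RE.match(line):
            cur = ports[m.group(1)] = {"link": m.group(2)}
        elif m := ENABLED_RE.match(line):
            (glob if cur is None else cur)["enabled"] = m.group(1) == "enabled"
        elif (m := STATS_RE.match(line)) and cur is not None:
            cur["success"], cur["failed"] = int(m.group(1)), int(m.group(2))
        elif cur is None and line.startswith("Current domain:"):
            glob["domain"] = line.split(":", 1)[1].strip()
    return glob, ports

def audit(text, max_failed=0):
    """Flag link-up ports left without MAC authentication while it is enabled
    globally, and ports whose failed counter exceeds max_failed."""
    glob, ports = parse_mac_auth(text)
    findings = []
    for name, p in sorted(ports.items()):
        if glob.get("enabled") and p["link"] == "up" and not p.get("enabled"):
            findings.append(f"{name}: link up but MAC authentication disabled")
        if p.get("failed", 0) > max_failed:
            findings.append(f"{name}: {p['failed']} failed MAC authentications")
    return findings
```

The counters are cumulative until reset mac-authentication statistics is run, so compare successive snapshots rather than the raw value when alerting.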


mac-authentication

Use mac-authentication in system view to enable MAC authentication globally.

Use mac-authentication interface interface-list in system view to enable MAC authentication on a list of ports, or use mac-authentication in interface view to enable MAC authentication on a port.

Use undo mac-authentication in system view to disable MAC authentication globally.

Use undo mac-authentication interface interface-list in system view to disable MAC authentication on a list of ports, or use undo mac-authentication in interface view to disable MAC authentication on a port.

Syntax

In system view:

mac-authentication [ interface interface-list ]

undo mac-authentication [ interface interface-list ]

In Ethernet interface view:

mac-authentication

undo mac-authentication

Default

MAC authentication is not enabled globally or on any port.

Views

System view, Ethernet interface view

Default command level

2: System level

Parameters

interface interface-list: Specifies an Ethernet port list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. The start port and end port of a port range must be of the same type and the end port number must be greater than the start port number. A port range defined without the to interface-type interface-number portion comprises only one port.

Usage guidelines

To use MAC authentication on a port, you must enable the function both globally and on the port.

Examples

# Enable MAC authentication globally.

<Sysname> system-view
[Sysname] mac-authentication
Mac-auth is enabled globally.

# Enable MAC authentication on port GigabitEthernet 1/0/1.

<Sysname> system-view
[Sysname] mac-authentication interface gigabitethernet 1/0/1
Mac-auth is enabled on port GigabitEthernet1/0/1.

Or

<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] mac-authentication
Mac-auth is enabled on port GigabitEthernet1/0/1.

mac-authentication domain

Use mac-authentication domain to specify a global authentication domain in system view or a port-specific authentication domain in interface view for MAC authentication users.

Use undo mac-authentication domain to restore the default.

Syntax

mac-authentication domain domain-name

undo mac-authentication domain

Default

The default authentication domain is used for MAC authentication users. For more information about the default authentication domain, see the domain default enable command in "AAA configuration commands."

Views

System view, Ethernet interface view, WLAN-BSS interface view.

Default command level

2: System level

Parameters

domain-name: Specifies an authentication domain name, a case-insensitive string of 1 to 24 characters. The domain name cannot contain any forward slash (/), colon (:), asterisk (*), question mark (?), less-than sign (<), greater-than sign (>), or at sign (@).

Usage guidelines

The global authentication domain is applicable to all MAC authentication enabled ports. A port-specific authentication domain is applicable only to the port. You can specify different authentication domains on different ports.

A port chooses an authentication domain for MAC authentication users in this order: port-specific domain, global domain, and the default authentication domain.

Examples

# Specify the domain1 domain as the global authentication domain for MAC authentication users.

<Sysname> system-view
[Sysname] mac-authentication domain domain1

# Specify the aabbcc domain as the authentication domain for MAC authentication users on port GigabitEthernet 1/0/1.

[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] mac-authentication domain aabbcc

Related commands

display mac-authentication

mac-authentication max-user

Use mac-authentication max-user to set the maximum number of concurrent MAC authentication users on a port.

Use undo mac-authentication max-user to restore the default.

Syntax

mac-authentication max-user user-number

undo mac-authentication max-user

Default

The default is 128.

Views

Ethernet interface view

Default command level

2: System level

Parameters

user-number: Specifies a maximum number of concurrent MAC authentication users on the port. The value range is 1 to 128.

Examples

# Configure port GigabitEthernet 1/0/1 to support up to 32 concurrent MAC authentication users.

<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] mac-authentication max-user 32

mac-authentication timer

Use mac-authentication timer to set the MAC authentication timers.

Use undo mac-authentication timer to restore the default settings.

Syntax

mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | server-timeout server-timeout-value }

undo mac-authentication timer { offline-detect | quiet | server-timeout }

Default

The offline detect timer is 300 seconds, the quiet timer is 60 seconds, and the server timeout timer is 100 seconds.

Views

System view

Default command level

2: System level

Parameters

offline-detect offline-detect-value: Sets the offline detect timer, in the range of 60 to 65535 seconds. This timer sets the interval that the device waits for traffic from a user before it regards the user idle. If a user connection has been idle for two consecutive intervals, the device logs the user out and stops accounting for the user.

quiet quiet-value: Sets the quiet timer, in the range of 1 to 3600 seconds. This timer sets the interval that the device must wait before it can perform MAC authentication for a user that has failed MAC authentication. All packets from the MAC address are dropped during the quiet time. This quiet mechanism prevents repeated authentication from affecting system performance.

server-timeout server-timeout-value: Sets the server timeout timer in seconds, in the range of 100 to 300. This timer sets the interval that the access device waits for a response from a RADIUS server before it regards the RADIUS server unavailable. If the timer expires during MAC authentication, the user cannot access the network.

Examples

# Set the server timeout timer to 150 seconds.

<Sysname> system-view
[Sysname] mac-authentication timer server-timeout 150

Related commands

display mac-authentication

mac-authentication user-name-format

Use mac-authentication user-name-format to configure the type of user accounts for MAC authentication users.

Use undo mac-authentication user-name-format to restore the default.

Syntax

mac-authentication user-name-format { fixed [ account name ] [ password { cipher | simple } password ] | mac-address [ { with-hyphen | without-hyphen } [ lowercase | uppercase ] ] }

undo mac-authentication user-name-format

Default

Each user's MAC address is used as the username and password for MAC authentication, and letters must be input in lower case. The MAC addresses are not hyphenated.

Views

System view

Default command level

2: System level

Parameters

fixed: Uses a shared account for all MAC authentication users.

account name: Specifies the username for the shared account. The name takes a case-insensitive string of 1 to 55 characters. If no username is specified, the default name mac applies.

password: Specifies the password for the shared user account:

cipher: Sets a ciphertext password.

simple: Sets a plaintext password.

password: Specifies the password. This argument is case sensitive. If simple is specified, it must be a string of 1 to 63 characters. If cipher is specified, it must be a ciphertext string of 1 to 117 characters.

mac-address: Uses MAC-based user accounts for MAC authentication users. If this option is specified, you must create one user account for each user, and use the MAC address of the user as both the username and password for the account. You can also specify the format of username and password:

·          with-hyphen—Hyphenates the MAC address, for example xx-xx-xx-xx-xx-xx.

·          without-hyphen—Excludes hyphens from the MAC address, for example, xxxxxxxxxxxx.

·          lowercase—Enters letters in lower case.

·          uppercase—Capitalizes letters.

Usage guidelines

MAC authentication supports the following types of user account:

·          One MAC-based user account for each user. A user can pass MAC authentication only when its MAC address matches a MAC-based user account. This approach is suitable for an insecure environment.

·          One shared user account for all users. Any user can pass MAC authentication on any MAC authentication enabled port. You can use this approach in a secure environment to limit network resources accessible to MAC authentication users, for example, by assigning an authorized ACL or VLAN for the shared account.

For secrecy, all passwords, including passwords configured in plaintext, are saved in ciphertext.
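With MAC-based accounts, the RADIUS server must hold each permitted MAC in exactly the form the device sends it, so a with-hyphen or uppercase setting that disagrees with the server's account database makes every user fail. The following Python functions are an added example, not part of this reference: they render the username (and identical password) for each with-hyphen/uppercase combination, accepting any common MAC notation as input, and report server accounts that can never match under the configured format. All function names are assumptions.

```python
import re

HEX12 = re.compile(r"^[0-9A-Fa-f]{12}$")

def normalize_mac(mac):
    """Reduce aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or raw
    aabbccddeeff to 12 hex digits; reject anything else."""
    digits = re.sub(r"[:.\-]", "", mac.strip())
    if not HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def mac_auth_username(mac, with_hyphen=False, uppercase=False):
    """Username (and identical password) the device presents for a client
    under user-name-format mac-address. Defaults mirror the command default:
    without-hyphen, lowercase."""
    digits = normalize_mac(mac)
    digits = digits.upper() if uppercase else digits.lower()
    if with_hyphen:
        return "-".join(digits[i:i + 2] for i in range(0, 12, 2))
    return digits

def expected_usernames(permitted_macs, **fmt):
    """The exact account names the RADIUS server must hold for a set of
    permitted MACs, given the device's with-hyphen/uppercase settings."""
    return {mac_auth_username(m, **fmt) for m in permitted_macs}

def stale_accounts(server_usernames, permitted_macs, **fmt):
    """Server accounts that can never match what the device sends under the
    configured format (typically a case or hyphen mismatch), or that do not
    correspond to a permitted MAC at all. Sorted for stable reporting."""
    return sorted(set(server_usernames) - expected_usernames(permitted_macs, **fmt))
```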

Examples

# Configure a shared account for MAC authentication users: set the username as abc and password as a plaintext string of xyz.

<Sysname> system-view
[Sysname] mac-authentication user-name-format fixed account abc password simple xyz

# Configure a shared account for MAC authentication users: set the username as abc and password as a ciphertext string of $c$3$Uu9Dh4xRKWa8RHW3TFnNTafBbhdPAg.

<Sysname> system-view
[Sysname] mac-authentication user-name-format fixed account abc password cipher $c$3$Uu9Dh4xRKWa8RHW3TFnNTafBbhdPAg

# Use MAC-based user accounts for MAC authentication users, with each MAC address hyphenated and in uppercase.

<Sysname> system-view
[Sysname] mac-authentication user-name-format mac-address with-hyphen uppercase

Related commands

display mac-authentication

reset mac-authentication statistics

Use reset mac-authentication statistics to clear MAC authentication statistics.

Syntax

reset mac-authentication statistics [ interface interface-list ]

Views

User view

Default command level

2: System level

Parameters

interface interface-list: Specifies a port list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port ranges. The start port and end port of a port range must be of the same type and the end port number must be greater than the start port number. A port range defined without the to interface-type interface-number portion comprises only one port.

Usage guidelines

If no port list is specified, the command clears all global and port-specific MAC authentication statistics. If a port list is specified, the command clears the MAC authentication statistics on the specified ports.

Examples

# Clear MAC authentication statistics on port GigabitEthernet 1/0/1.

<Sysname> reset mac-authentication statistics interface gigabitethernet 1/0/1

Related commands

display mac-authentication
