Table of Contents
- 07-Security Command Reference
- 00-Preface
- 01-AAA Commands
- 02-802.1X Commands
- 03-MAC Authentication Commands
- 04-Portal Commands
- 05-Port Security Commands
- 06-User Profile Commands
- 07-Password Control Commands
- 08-Public Key Commands
- 09-PKI Commands
- 10-SSH2.0 Commands
- 11-SSL Commands
- 12-TCP and ICMP Attack Protection Commands
- 13-ARP Attack Protection Commands
- 14-FIPS Commands
- 15-IPsec Commands
02-802.1X Commands
display dot1x
Syntax
display dot1x [ sessions | statistics ] [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
sessions: Displays 802.1X session information.
statistics: Displays 802.1X statistics.
interface interface-list: Specifies an Ethernet port list, which can contain multiple Ethernet ports. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } & <1-10>, where interface-type represents the port type, interface-number represents the port number, and & <1-10> means that you can provide up to 10 ports or port ranges. The start port number must be smaller than the end number and the two ports must be the same type.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display dot1x to display information about 802.1X.
If you specify neither the sessions keyword nor the statistics keyword, the command displays all information about 802.1X, including session information, statistics, and configurations.
Related commands: reset dot1x statistics, dot1x, dot1x retry, dot1x max-user, and dot1x timer.
Examples
# Display all information about 802.1X.
<Sysname> display dot1x
Equipment 802.1X protocol is enabled
CHAP authentication is enabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
Configuration: Transmit Period 30 s, Handshake Period 15 s
Quiet Period 60 s, Quiet Period Timer is disabled
Supp Timeout 30 s, Server Timeout 100 s
Reauth Period 3600 s
The maximal retransmitting times 2
The maximum 802.1X user resource number is 1024 per slot
Total current used 802.1X resource number is 0
GigabitEthernet1/0/1 is link-up
802.1X protocol is disabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
Handshake is enabled
Periodic reauthentication is disabled
The port is an authenticator
Authentication Mode is Auto
Port Control Type is Mac-based
802.1X Multicast-trigger is enabled
Mandatory authentication domain: NOT configured
Guest VLAN: NOT configured
Auth-Fail VLAN: NOT configured
Max number of on-line users is 1024
EAPOL Packet: Tx 0, Rx 0
Sent EAP Request/Identity Packets : 0
EAP Request/Challenge Packets: 0
EAP Success Packets: 0, Fail Packets: 0
Received EAPOL Start Packets : 0
EAPOL LogOff Packets: 0
EAP Response/Identity Packets : 0
EAP Response/Challenge Packets: 0
Error Packets: 0
Controlled User(s) amount to 0
WLAN-ESS2 is link-up
802.1X protocol is enabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
Handshake is disabled
Periodic reauthentication is disabled
The port is an authenticator
Authentication Mode is Auto
Port Control Type is Mac-based
802.1X Multicast-trigger is disabled
Mandatory authentication domain: NOT configured
Guest VLAN: NOT configured
Auth-Fail VLAN: NOT configured
Max number of on-line users is 1024
EAPOL Packet: Tx 0, Rx 0
Sent EAP Request/Identity Packets : 0
EAP Request/Challenge Packets: 0
EAP Success Packets: 0, Fail Packets: 0
Received EAPOL Start Packets : 0
EAPOL LogOff Packets: 0
EAP Response/Identity Packets : 0
EAP Response/Challenge Packets: 0
Error Packets: 0
Controlled User(s) amount to 0
WLAN-DBSS2:0 is link-up
802.1X protocol is enabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
Handshake is disabled
Periodic reauthentication is disabled
The port is an authenticator
Authentication Mode is Auto
Port Control Type is Mac-based
802.1X Multicast-trigger is disabled
Mandatory authentication domain: NOT configured
Guest VLAN: NOT configured
Auth-Fail VLAN: NOT configured
Max number of on-line users is 1024
EAPOL Packet: Tx 0, Rx 0
Sent EAP Request/Identity Packets : 0
EAP Request/Challenge Packets: 0
EAP Success Packets: 0, Fail Packets: 0
Received EAPOL Start Packets : 0
EAPOL LogOff Packets: 0
EAP Response/Identity Packets : 0
EAP Response/Challenge Packets: 0
Error Packets: 0
Controlled User(s) amount to 0
Table 1 Command output
Field | Description
---|---
Equipment 802.1X protocol is enabled | Whether 802.1X is enabled globally.
CHAP authentication is enabled | Whether CHAP authentication is enabled.
Proxy trap checker is disabled | Whether the device sends a trap when it detects that a user is accessing the network through a proxy.
Proxy logoff checker is disabled | Whether the device logs off a user when it detects that the user is accessing the network through a proxy.
Transmit Period | Username request timeout timer, in seconds.
Handshake Period | Handshake timer, in seconds.
Reauth Period | Periodic online user re-authentication timer, in seconds.
Quiet Period | Quiet timer, in seconds.
Quiet Period Timer is disabled | Status of the quiet timer. In this example, the quiet timer is disabled.
Supp Timeout | Client timeout timer, in seconds.
Server Timeout | Server timeout timer, in seconds.
The maximal retransmitting times | Maximum number of attempts for sending an authentication request to a client.
The maximum 802.1X user resource number per slot | Maximum number of concurrent 802.1X users per card. The supported maximum depends on the device model. For more information, see About the WX Series Access Controllers Command References.
Total current used 802.1X resource number | Total number of online 802.1X users.
GigabitEthernet1/0/1 is link-up | Status of the port. In this example, GigabitEthernet 1/0/1 is up.
802.1X protocol is disabled | Whether 802.1X is enabled on the port.
Proxy trap checker is disabled | Whether the port sends a trap when it detects that a user is accessing the network through a proxy.
Proxy logoff checker is disabled | Whether the port logs off a user when it detects that the user is accessing the network through a proxy.
Handshake is disabled | Whether the online user handshake function is enabled on the port.
Handshake secure is disabled | Whether the online user handshake security function is enabled on the port.
802.1X unicast-trigger is disabled | Whether the unicast trigger function is enabled on the port.
Periodic reauthentication is disabled | Whether periodic online user re-authentication is enabled on the port.
The port is an authenticator | Role of the port.
Authentication Mode is Auto | Authorization state of the port.
Port Control Type is Mac-based | Access control method of the port.
802.1X Multicast-trigger is enabled | Whether the 802.1X multicast trigger function is enabled on the port.
Mandatory authentication domain | Mandatory authentication domain on the port. NOT configured is displayed if no mandatory domain is configured.
Guest VLAN | 802.1X guest VLAN configured on the port. NOT configured is displayed if no guest VLAN is configured.
Auth-Fail VLAN | Auth-Fail VLAN configured on the port. NOT configured is displayed if no Auth-Fail VLAN is configured.
Max number of on-line users | Maximum number of concurrent 802.1X users on the port.
EAPOL Packet | Number of sent (Tx) and received (Rx) EAPOL packets.
Sent EAP Request/Identity Packets | Number of sent EAP-Request/Identity packets.
EAP Request/Challenge Packets | Number of sent EAP-Request/Challenge packets.
EAP Success Packets | Number of sent EAP-Success packets.
Fail Packets | Number of sent EAP-Failure packets.
Received EAPOL Start Packets | Number of received EAPOL-Start packets.
EAPOL LogOff Packets | Number of received EAPOL-Logoff packets.
EAP Response/Identity Packets | Number of received EAP-Response/Identity packets.
EAP Response/Challenge Packets | Number of received EAP-Response/Challenge packets.
Error Packets | Number of received error packets.
Authenticated user | User that has passed 802.1X authentication.
Controlled User(s) amount | Number of authenticated users on the port.
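The output above is meant to be read by eye, but on a controller with many WLAN-ESS ports the states a reviewer cares about (802.1X off on an up port, handshake or periodic re-authentication off, non-zero error counters) are easy to miss. The following Python script is an added example, not H3C code: it parses a constructed, abridged copy of the output shown above into per-port records and lists those findings. It relies only on the line shapes visible in this output; other software versions may print different lines, and the counters on WLAN-ESS2 were changed from 0 to non-zero values so that the checks fire.

```python
import re

# Constructed, abridged copy of the `display dot1x` output on this page
# (WLAN-ESS2 counters changed from 0 to non-zero values to exercise the checks).
SAMPLE_OUTPUT = """\
Equipment 802.1X protocol is enabled
Configuration: Transmit Period 30 s, Handshake Period 15 s
Quiet Period 60 s, Quiet Period Timer is disabled
Supp Timeout 30 s, Server Timeout 100 s
Reauth Period 3600 s
GigabitEthernet1/0/1 is link-up
802.1X protocol is disabled
Handshake is enabled
Periodic reauthentication is disabled
EAPOL Packet: Tx 0, Rx 0
Error Packets: 0
Controlled User(s) amount to 0
WLAN-ESS2 is link-up
802.1X protocol is enabled
Handshake is disabled
Periodic reauthentication is disabled
Port Control Type is Mac-based
Guest VLAN: NOT configured
Max number of on-line users is 1024
EAPOL Packet: Tx 12, Rx 9
Sent EAP Request/Identity Packets : 6
EAP Success Packets: 0, Fail Packets: 2
Error Packets: 3
Controlled User(s) amount to 0
"""

_IFACE = re.compile(r"^(\S+) is link-(up|down)$")
_ONOFF = re.compile(r"^(.+?) is (enabled|disabled)$")
_IS = re.compile(r"^(.+?) is (.+)$")
_TIMER = re.compile(r"([A-Z][a-z]+(?: [A-Z][a-z]+)*) (\d+) s\b")
_USERS = re.compile(r"^Controlled User\(s\) amount to (\d+)$")
_COUNT = re.compile(r"^(?:([A-Za-z][A-Za-z /]*?)\s*:?\s*)?(\d+)$")

def parse_display_dot1x(text):
    """Return {'global': {...}, 'ports': {name: {...}}} from `display dot1x` output."""
    result = {"global": {"timers": {}}, "ports": {}}
    port = None
    for line in (raw.strip() for raw in text.splitlines()):
        m = _IFACE.match(line)
        if m:  # a per-port block starts with "<name> is link-up|down"
            port = result["ports"].setdefault(m.group(1), {"counters": {}})
            port["link"] = m.group(2)
        elif port is None and line:
            _global_line(result["global"], line)
        elif line:
            _port_line(port, line)
    return result

def _global_line(g, line):
    for name, secs in _TIMER.findall(line):  # "Transmit Period 30 s, Handshake Period 15 s"
        g["timers"][name] = int(secs)
    for seg in (s.strip() for s in line.split(",")):
        m = _ONOFF.match(seg)
        if m:
            g[m.group(1)] = m.group(2) == "enabled"

def _port_line(p, line):
    m = _USERS.match(line)
    if m:
        p["online_users"] = int(m.group(1))
        return
    m = _ONOFF.match(line) or _IS.match(line)
    if m:  # "Handshake is disabled", "Port Control Type is Mac-based"
        p[m.group(1)] = m.group(2) == "enabled" if m.re is _ONOFF else m.group(2)
        return
    label, sep, rest = line.partition(":")
    if not sep:
        return
    for seg in (s.strip() for s in rest.split(",")):
        m = _COUNT.match(seg)
        if not m:  # "Guest VLAN: NOT configured" is a setting, not a counter
            p[label.strip()] = rest.strip()
            return
        name = m.group(1)  # None, "Tx"/"Rx", or a second label such as "Fail Packets"
        key = label.strip() if name is None else f"{label.strip()} {name}" if name in ("Tx", "Rx") else name
        p["counters"][key] = int(m.group(2))

def audit(parsed):
    """Findings a security reviewer would raise from the parsed output."""
    out = []
    for name, p in parsed["ports"].items():
        on = p.get("802.1X protocol", False)
        if p["link"] == "up" and not on:
            out.append((name, "802.1X disabled on an up port"))
        if on and not p.get("Handshake", False):
            out.append((name, "handshake disabled: clients that went away are not detected"))
        if on and not p.get("Periodic reauthentication", False):
            out.append((name, "re-authentication disabled: authorization changes on the server do not reach online users"))
        if p["counters"].get("Error Packets", 0):
            out.append((name, "EAPOL error packets received"))
    return out
```

Run `audit(parse_display_dot1x(SAMPLE_OUTPUT))` to get one finding for GigabitEthernet1/0/1 and three for WLAN-ESS2; feed it the real output captured from the controller to audit a live device.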
dot1x accounting-delay
Syntax
dot1x accounting-delay [ action logoff | time time ] *
undo dot1x accounting-delay
View
Interface view
Default level
2: System level
Parameters
action logoff: Cancels the accounting procedure for an 802.1X user if the device fails to get the user's IP address within the delay time. As a result, the user cannot get online. If this option is not specified, the device sends an accounting request when the delay time is reached.
time time: Specifies a delay time in seconds. The value for the time argument ranges from 1 to 600. If no delay time is specified, a 10-second delay applies.
Description
Use dot1x accounting-delay to enable accounting delay for 802.1X users on an interface.
Use undo dot1x accounting-delay to restore the default.
By default, the accounting delay feature is disabled: the device sends an accounting request to the accounting server immediately after an 802.1X user passes authentication, whether or not the user has an IP address yet.
With accounting delay enabled, the device waits for the authenticated 802.1X user to obtain an IP address before sending the accounting request. If it learns the user's IP address before the delay expires, it sends the accounting request at once. If not, it either sends the accounting request without the address or logs the user off, depending on whether action logoff is configured.
Enable accounting delay if 802.1X users obtain IP addresses through DHCP and the accounting server requires user IP addresses. Set the delay according to how long users on your network take to obtain an address.
Examples
# On interface WLAN-ESS 1, configure a 15-second accounting delay for 802.1X users and enable the device to perform the logoff action when the delay expires.
<Sysname> system-view
[Sysname] interface WLAN-ESS 1
[Sysname-WLAN-ESS1] dot1x accounting-delay action logoff time 15
dot1x authentication-method
Syntax
dot1x authentication-method { chap | eap | pap }
undo dot1x authentication-method
View
System view
Default level
2: System level
Parameters
chap: Sets the access device to perform Extensible Authentication Protocol (EAP) termination and use the Challenge Handshake Authentication Protocol (CHAP) to communicate with the RADIUS server.
eap: Sets the access device to relay EAP packets, and supports any of the EAP authentication methods to communicate with the RADIUS server.
pap: Sets the access device to perform EAP termination and use the Password Authentication Protocol (PAP) to communicate with the RADIUS server.
Description
Use dot1x authentication-method to specify an EAP message handling method.
Use undo dot1x authentication-method to restore the default.
By default, the network access device performs EAP termination and uses CHAP to communicate with the RADIUS server.
The network access device terminates or relays EAP packets:
1. In EAP termination mode, the access device re-encapsulates the authentication data from the client in standard RADIUS packets and performs CHAP or PAP authentication with the RADIUS server. In this mode, the RADIUS server supports only EAP MD5-Challenge authentication and the username+password EAP authentication initiated by an H3C iNode client.
· PAP transports the username and password in clear text. It applies to scenarios that do not require high security. To use PAP, the client must be an H3C iNode 802.1X client.
· CHAP transports the username in plaintext but never the password itself: the client sends an MD5 hash computed over the password and a challenge. It is more secure than PAP.
2. In EAP relay mode, the access device relays EAP messages between the client and the RADIUS server. This mode supports multiple EAP authentication methods, such as MD5-Challenge, EAP-TLS, and PEAP. To use it, make sure the RADIUS server supports the EAP-Message and Message-Authenticator attributes and uses the same EAP authentication method as the client. In this mode, the user-name-format command configured in RADIUS scheme view does not take effect. For more information about the user-name-format command, see "RADIUS configuration commands."
Local authentication supports PAP, CHAP, and EAP.
If RADIUS authentication is used, configure the network access device to use the same authentication method (PAP, CHAP, or EAP) as the RADIUS server.
Related commands: display dot1x.
Examples
# Enable the access device to terminate EAP packets and perform PAP authentication with the RADIUS server.
<Sysname> system-view
[Sysname] dot1x authentication-method pap
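As an added illustration of EAP termination (example code, not H3C's implementation): in termination mode the device ends the EAP conversation itself and carries the result to RADIUS as CHAP or PAP attributes. The script computes the EAP MD5-Challenge response, which is the same MD5(Identifier || password || challenge) as CHAP in RFC 1994 and RFC 3748, re-encapsulates it in CHAP-Challenge and CHAP-Password attributes, verifies it the way the RADIUS server does, and contrasts it with PAP, where the password itself is forwarded and only obscured with the RADIUS shared secret per RFC 2865 section 5.2. It also shows the practitioner's caveat on CHAP: a captured challenge/response pair can be tested offline against password guesses. The username, password, stored-password table and shared secret are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed credentials and a constructed server-side password table.
PASSWORD_DB = {"alice@my-domain": b"correct horse"}

def eap_md5_response(ident, password, challenge):
    """EAP-MD5 / CHAP response: MD5(Identifier || secret || challenge) (RFC 1994, RFC 3748)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def terminate_chap(username, ident, challenge, eap_response):
    """EAP termination + CHAP: the access device stops the EAP conversation and
    carries the client's MD5 response in RADIUS CHAP-Challenge / CHAP-Password."""
    return {"User-Name": username, "CHAP-Challenge": challenge,
            "CHAP-Password": bytes([ident]) + eap_response}

def server_verify_chap(attrs, password_db):
    """The RADIUS server recomputes the response from the stored password, so the
    password must be stored in cleartext or reversibly encrypted on the server."""
    password = password_db.get(attrs["User-Name"])
    if password is None:
        return False
    ident, response = attrs["CHAP-Password"][0], attrs["CHAP-Password"][1:]
    expected = eap_md5_response(ident, password, attrs["CHAP-Challenge"])
    return hmac.compare_digest(expected, response)

def chap_exchange(username, password, password_db):
    """Full termination-mode round trip: challenge from the device, response from
    the supplicant, CHAP attributes to RADIUS, verdict back."""
    ident, challenge = 7, os.urandom(16)                     # EAP Identifier and MD5 challenge
    response = eap_md5_response(ident, password, challenge)  # computed by the supplicant
    return server_verify_chap(terminate_chap(username, ident, challenge, response), password_db)

def hide_user_password(password, shared_secret, request_authenticator):
    """PAP: the device forwards the password itself; RADIUS only obscures it by
    XOR with MD5(secret || authenticator) chained per 16-byte block (RFC 2865 5.2)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(shared_secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out

def unhide_user_password(hidden, shared_secret, request_authenticator):
    """Anyone holding the shared secret recovers the PAP password from a capture."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(shared_secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def dictionary_attack_chap(attrs, wordlist):
    """CHAP never sends the password, but a captured challenge/response pair can be
    tested offline against guesses; TLS-based methods in EAP relay mode avoid this."""
    ident, response = attrs["CHAP-Password"][0], attrs["CHAP-Password"][1:]
    for guess in wordlist:
        if eap_md5_response(ident, guess, attrs["CHAP-Challenge"]) == response:
            return guess
    return None
```

`chap_exchange("alice@my-domain", b"correct horse", PASSWORD_DB)` returns True and a wrong password returns False; `unhide_user_password(hide_user_password(...))` round-trips the PAP password, which is exactly what someone with the shared secret and a packet capture can do.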
dot1x auth-fail vlan
Syntax
dot1x auth-fail vlan authfail-vlan-id
undo dot1x auth-fail vlan
View
Layer 2 Ethernet interface view, WLAN-ESS interface view
Default level
2: System level
Parameters
authfail-vlan-id: Specifies the ID of the Auth-Fail VLAN for the port, in the range of 1 to 4094. The VLAN must already exist.
Description
Use dot1x auth-fail vlan to configure an Auth-Fail VLAN for a port. An Auth-Fail VLAN accommodates users that have failed 802.1X authentication because they did not comply with the organization's security policy, for example by using a wrong password.
Use undo dot1x auth-fail vlan to restore the default.
By default, no Auth-Fail VLAN is configured on a port.
You must enable MAC-based VLAN for an Auth-Fail VLAN to take effect on a port that performs MAC-based access control. You can use the display mac-vlan command to display MAC-to-VLAN mappings.
Auth-Fail VLAN is not supported on WLAN ports that perform port-based access control.
To delete a VLAN that has been configured as an Auth-Fail VLAN, you must remove the Auth-Fail VLAN configuration first.
You can configure both an Auth-Fail VLAN and a guest VLAN for a port.
Related commands: dot1x.
Examples
# Configure VLAN 3 as the Auth-Fail VLAN for port WLAN-ESS 11.
<Sysname> system-view
[Sysname] interface WLAN-ESS11
[Sysname-WLAN-ESS11] dot1x auth-fail vlan 3
dot1x domain-delimiter
Syntax
dot1x domain-delimiter string
undo dot1x domain-delimiter
View
System view
Default level
2: System level
Parameters
string: Specifies a set of 1 to 16 domain name delimiters for 802.1X users. No space is required between delimiters. Available delimiters are the at sign (@), backslash (\), and forward slash (/).
Description
Use dot1x domain-delimiter to specify a set of domain name delimiters supported by the access device. Any character in the configured set can be used as the domain name delimiter for 802.1X authentication users.
Use undo dot1x domain-delimiter to restore the default.
By default, the access device supports only the at sign (@) delimiter for 802.1X users.
The delimiter set you configured overrides the default setting. If @ is not included in the delimiter set, the access device will not support the 802.1X users that use @ as the domain name delimiter.
If a username string contains multiple configured delimiters, the leftmost delimiter is the domain name delimiter. For example, if you configure @, /, and \ as delimiters, the domain name delimiter for the username string 123/22\@abc is the forward slash (/).
The cut connection user-name user-name and display connection user-name user-name commands are not available for 802.1X users that use / or \ as the domain name delimiter. For more information about the two commands, see "AAA configuration commands."
Examples
# Specify the characters @, /, and \ as domain name delimiters.
<Sysname> system-view
[Sysname] dot1x domain-delimiter @\/
dot1x guest-vlan
Syntax
In system view:
dot1x guest-vlan guest-vlan-id [ interface interface-list ]
undo dot1x guest-vlan [ interface interface-list ]
In Layer 2 Ethernet or WLAN-ESS interface view:
dot1x guest-vlan guest-vlan-id
undo dot1x guest-vlan
View
System view, Layer 2 Ethernet interface view, WLAN-ESS interface view
Default level
2: System level
Parameters
guest-vlan-id: Specifies the ID of the VLAN to be specified as the 802.1X guest VLAN, in the range 1 to 4094. It must already exist.
interface interface-list: Specifies a port list. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } & <1-10>, where interface-type represents the port type, interface-number represents the port number, and & <1-10> means that you can provide up to 10 ports or port ranges. The start port number must be smaller than the end number and the two ports must be of the same type. If no interface is specified, you configure an 802.1X guest VLAN for all Layer 2 Ethernet ports.
Description
Use dot1x guest-vlan to configure an 802.1X guest VLAN for the specified or all ports.
Use undo dot1x guest-vlan to remove the 802.1X guest VLAN on the specified or all ports.
By default, no 802.1X guest VLAN is configured on a port.
You must enable port security, which enables 802.1X on the port, for an 802.1X guest VLAN to take effect.
To have the 802.1X guest VLAN take effect on a port that performs MAC-based access control, configure the MAC-based VLAN function on the port. You can use the display mac-vlan command to display MAC-to-VLAN mappings.
Guest VLAN is not supported on ports that perform port-based access control.
To delete a VLAN that has been configured as a guest VLAN, you must remove the guest VLAN configuration first.
You can configure both an Auth-Fail VLAN and an 802.1X guest VLAN on a port.
Related commands: dot1x, and dot1x multicast-trigger; mac-vlan enable and display mac-vlan (Layer 2 Command Reference).
Examples
# Specify VLAN 3 as the 802.1X guest VLAN for port WLAN-ESS 1.
<Sysname> system-view
[Sysname] interface WLAN-ESS1
[Sysname-WLAN-ESS1] dot1x guest-vlan 3
dot1x handshake
Syntax
dot1x handshake
undo dot1x handshake
View
Layer 2 Ethernet Interface view, WLAN-ESS interface view
Default level
2: System level
Parameters
None
Description
Use dot1x handshake to enable the online user handshake function. The function enables the device to periodically send handshake messages to the client to check whether a user is online.
Use undo dot1x handshake to disable the function.
By default, the function is enabled.
H3C recommends that you use the iNode client software to guarantee the normal operation of the online user handshake function.
Examples
# Enable the online user handshake function.
<Sysname> system-view
[Sysname] interface WLAN-ESS1
[Sysname-WLAN-ESS1] dot1x handshake
dot1x handshake secure
Syntax
dot1x handshake secure
undo dot1x handshake secure
View
Layer 2 Ethernet Interface view, WLAN-ESS interface view
Default level
2: System level
Parameters
None
Description
Use dot1x handshake secure to enable the online user handshake security function. The function lets the device reject clients that do not run authorized 802.1X client software.
Use undo dot1x handshake secure to disable the function.
By default, the function is disabled.
The online user handshake security function is implemented based on the online user handshake function. To bring the security function into effect, make sure the online user handshake function is enabled.
H3C recommends you use the iNode client software and IMC server to guarantee the normal operation of the online user handshake security function.
Related commands: dot1x handshake.
Examples
# Enable the online user handshake security function.
<Sysname> system-view
[Sysname] interface WLAN-ESS4
[Sysname-WLAN-ESS4] dot1x handshake secure
dot1x mandatory-domain
Syntax
dot1x mandatory-domain domain-name
undo dot1x mandatory-domain
View
Layer 2 Ethernet Interface view, WLAN-ESS interface view
Default level
2: System level
Parameters
domain-name: Specifies the ISP domain name, a case-insensitive string of 1 to 24 characters.
Description
Use dot1x mandatory-domain to specify a mandatory 802.1X authentication domain on a port.
Use undo dot1x mandatory-domain to remove the mandatory authentication domain.
By default, no mandatory authentication domain is specified.
When authenticating an 802.1X user trying to access the port, the system selects an authentication domain in the following order: the mandatory domain, the ISP domain specified in the username, and the default ISP domain.
To display or cut all 802.1X connections in a mandatory domain, use the display connection domain isp-name or cut connection domain isp-name command. The output from the display connection command without any parameters displays domain names input by users at login. For more information about the display connection command or the cut connection command, see "AAA configuration commands."
Related commands: display dot1x.
Examples
# Configure the mandatory authentication domain my-domain for 802.1X users on WLAN-ESS 1.
<Sysname> system-view
[Sysname] interface WLAN-ESS1
[Sysname-WLAN-ESS1] dot1x mandatory-domain my-domain
# After an 802.1X user passes authentication, use the display connection command to display the user's connection information. For more information about the display connection command, see "AAA configuration commands."
<Sysname> display connection interface WLAN-DBSS 0:3
Index=43 ,Username=8021x@system
MAC=00-12-F0-CC-E0-A2
IP=N/A
IPv6=N/A
Total 1 connection(s) matched
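The delimiter rules of dot1x domain-delimiter and the domain selection order above, as an added Python example (not H3C code): the configured set replaces the default, so a set without @ breaks every userid@domain login; when several configured delimiters occur in a username, the leftmost one is the domain delimiter; and the authenticating domain is the mandatory domain if one is configured, otherwise the domain in the username, otherwise the default ISP domain. Assumptions: @ separates userid@domain as in the output above; the page does not say which side of \ or / carries the domain, so the example treats them as Windows-style domain\userid and domain/userid; and "system" stands in for the default ISP domain name.

```python
# Added example (not H3C code): how a configured delimiter set and the
# mandatory-domain setting decide which ISP domain authenticates a user.
DEFAULT_DELIMITERS = "@"   # the device's default set: only the at sign

# Assumption, not stated on the page: '@' separates userid@domain, while
# '\\' and '/' are taken as Windows-style domain\userid and domain/userid.
DOMAIN_FIRST = {"\\", "/"}

def configure_delimiters(string):
    """Mirror `dot1x domain-delimiter string`: the set replaces the default,
    so dropping '@' silently breaks every userid@domain login."""
    if not 1 <= len(string) <= 16:
        raise ValueError("delimiter string must be 1 to 16 characters")
    bad = set(string) - set("@\\/")
    if bad:
        raise ValueError(f"unsupported delimiter(s): {sorted(bad)}")
    warnings = [] if "@" in string else ["'@' not in set: userid@domain logins will fail"]
    return set(string), warnings

def split_username(username, delimiters):
    """Leftmost configured delimiter wins (page example: '123/22\\@abc' -> '/').
    Returns (userid, delimiter, domain); delimiter and domain are None if no
    configured delimiter occurs in the string."""
    positions = [(username.index(d), d) for d in delimiters if d in username]
    if not positions:
        return username, None, None
    pos, delim = min(positions)
    left, right = username[:pos], username[pos + 1:]
    if delim in DOMAIN_FIRST:     # assumed domain\userid orientation
        return right, delim, left
    return left, delim, right

def select_domain(username, delimiters, mandatory_domain=None, default_domain="system"):
    """Order from the page: mandatory domain, then the domain carried in the
    username, then the default ISP domain ("system" is an assumed default)."""
    if mandatory_domain:
        return mandatory_domain
    _, delim, domain = split_username(username, delimiters)
    return domain if delim else default_domain
```

With `dot1x domain-delimiter @\/` configured, `split_username("123/22\\@abc", {"@", "\\", "/"})` picks the forward slash, matching the page's example, and `select_domain("usera@other", ..., mandatory_domain="my-domain")` returns my-domain regardless of the domain the user typed.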
dot1x max-user
Syntax
In system view:
dot1x max-user user-number [ interface interface-list ]
undo dot1x max-user [ interface interface-list ]
In Layer 2 Ethernet or WLAN-ESS interface view:
dot1x max-user user-number
undo dot1x max-user
View
System view, Layer 2 Ethernet interface view, WLAN-ESS interface view
Default level
2: System level
Parameters
user-number: Specifies the maximum number of concurrent 802.1X users on a port. The valid settings may vary by device. For more information, see About the WX Series Access Controllers Command References.
interface interface-list: Specifies a port list, which can contain multiple ports. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } & <1-10>, where interface-type represents the port type, interface-number represents the port number, and & <1-10> means that you can provide up to 10 ports or port ranges. The start port number must be smaller than the end number and the two ports must be of the same type.
Description
Use dot1x max-user to set the maximum number of concurrent 802.1X users on a port.
Use undo dot1x max-user to restore the default.
By default, the maximum number of concurrent 802.1X users on a port is 1024.
In system view:
· If you do not specify the interface interface-list option, the command applies to all ports.
· If you specify the interface interface-list option, the command applies to the specified ports.
In interface view, the interface interface-list option is not available and the command applies only to the current port.
Related commands: display dot1x.
Examples
# Set the maximum number of concurrent 802.1X users on port WLAN-ESS 1 to 32.
<Sysname> system-view
[Sysname] dot1x max-user 32 interface WLAN-ESS1
Or
<Sysname> system-view
[Sysname] interface WLAN-ESS1
[Sysname-WLAN-ESS1] dot1x max-user 32
dot1x multicast-trigger
Syntax
dot1x multicast-trigger
undo dot1x multicast-trigger
View
Layer 2 Ethernet interface view, WLAN-ESS interface view
Default level
2: System level
Parameters
None
Description
Use dot1x multicast-trigger to enable the 802.1X multicast trigger function. The device acts as the initiator and periodically multicasts EAP-Request/Identity packets out of a port to detect 802.1X clients and trigger authentication.
Use undo dot1x multicast-trigger to disable the function.
By default, the multicast trigger function is enabled.
You can use the dot1x timer tx-period command to set the interval for sending multicast EAP-Request/Identity packets.
Related commands: display dot1x.
Examples
# Enable the multicast trigger function on interface WLAN-ESS 1.
<Sysname> system-view
[Sysname] interface WLAN-ESS1
[Sysname-WLAN-ESS1] dot1x multicast-trigger
dot1x quiet-period
Syntax
dot1x quiet-period
undo dot1x quiet-period
View
System view
Default level
2: System level
Parameters
None
Description
Use dot1x quiet-period to enable the quiet timer. When a client fails 802.1X authentication, the device must wait a period of time before it can process authentication requests from the client.
Use undo dot1x quiet-period to disable the timer.
By default, the quiet timer is disabled.
Related commands: display dot1x and dot1x timer.
Examples
# Enable the quiet timer.
<Sysname> system-view
[Sysname] dot1x quiet-period
dot1x re-authenticate
Syntax
dot1x re-authenticate
undo dot1x re-authenticate
View
Layer 2 Ethernet interface view, WLAN-ESS interface view
Default level
2: System level
Parameters
None
Description
Use dot1x re-authenticate to enable the periodic online user re-authentication function.
Use undo dot1x re-authenticate to disable the function.
By default, the periodic online user re-authentication function is disabled.
Periodic re-authentication enables the access device to periodically authenticate online 802.1X users on a port. This function tracks the connection status of online users and updates the authorization attributes assigned by the server, such as the ACL, VLAN, and user profile-based QoS.
You can use the dot1x timer reauth-period command to configure the interval for re-authentication.
Related commands: dot1x timer reauth-period.
Examples
# Enable the 802.1X periodic online user re-authentication function on WLAN-ESS 1 and set the periodic re-authentication interval to 1800 seconds.
<Sysname> system-view
[Sysname] dot1x timer reauth-period 1800
[Sysname] interface WLAN-ESS1
[Sysname-WLAN-ESS1] dot1x re-authenticate
dot1x retry
Syntax
dot1x retry max-retry-value
undo dot1x retry
View
System view
Default level
2: System level
Parameters
max-retry-value: Specifies the maximum number of attempts for sending an authentication request to a client, in the range 1 to 10.
Description
Use dot1x retry to set the maximum number of attempts for sending an authentication request to a client.
Use undo dot1x retry to restore the default.
By default, the device sends an authentication request to a client twice at most.
After the network access device sends an authentication request to a client, it retransmits the request if it receives no response before the username request timeout timer (set with the dot1x timer tx-period tx-period-value command) or the client timeout timer (set with the dot1x timer supp-timeout supp-timeout-value command) expires. The device stops retransmitting once it has made the maximum number of attempts without receiving a response.
This command applies to all ports of the device.
Related commands: display dot1x.
Examples
# Set the maximum number of attempts for sending an authentication request to a client as 9.
<Sysname> system-view
[Sysname] dot1x retry 9
dot1x timer
Syntax
dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | reauth-period reauth-period-value | server-timeout server-timeout-value | supp-timeout supp-timeout-value | tx-period tx-period-value }
undo dot1x timer { handshake-period | quiet-period | reauth-period | server-timeout | supp-timeout | tx-period }
View
System view
Default level
2: System level
Parameters
handshake-period-value: Sets the handshake timer in seconds. It is in the range of 5 to 1024.
quiet-period-value: Sets the quiet timer in seconds. It is in the range of 10 to 120.
reauth-period-value: Sets the periodic re-authentication timer in seconds. It is in the range of 60 to 7200.
server-timeout-value: Sets the server timeout timer in seconds. It is in the range of 100 to 300.
supp-timeout-value: Sets the client timeout timer in seconds. It is in the range of 1 to 120.
tx-period-value: Sets the username request timeout timer in seconds. It is in the range of 10 to 120.
Description
Use dot1x timer to set 802.1X timers.
Use undo dot1x timer to restore the defaults.
By default, the handshake timer is 15 seconds, the quiet timer is 60 seconds, the periodic re-authentication timer is 3600 seconds, the server timeout timer is 100 seconds, the client timeout timer is 30 seconds, and the username request timeout timer is 30 seconds.
You can set the client timeout timer to a high value in a low-performance network, set the quiet timer to a high value on a network exposed to repeated failed authentication attempts or to a low value for quicker authentication response, and adjust the server timeout timer to the performance of the authentication server. In most cases, the default settings are sufficient.
The network device uses the following 802.1X timers:
· Handshake timer (handshake-period)—Sets the interval at which the access device sends client handshake requests to check the online status of a client that has passed authentication. If the device receives no response after sending the maximum number of handshake requests, it considers that the client has logged off.
· Quiet timer (quiet-period)—Starts when a client fails authentication. The access device must wait the time period before it can process the authentication attempts from the client.
· Periodic re-authentication timer (reauth-period)—Sets the interval at which the network device re-authenticates online 802.1X users. To enable periodic online user re-authentication on a port, use the dot1x re-authenticate command. A change to this timer applies to users that are already online only after their current timer expires.
· Server timeout timer (server-timeout)—Starts when the access device sends a RADIUS Access-Request packet to the authentication server. If no response is received when this timer expires, the access device retransmits the request to the server.
· Client timeout timer (supp-timeout)—Starts when the access device sends an EAP-Request/MD5-Challenge packet to a client. If no response is received when this timer expires, the access device retransmits the request to the client.
· Username request timeout timer (tx-period)—Starts when the device sends an EAP-Request/Identity packet to a client in response to an authentication request. If the device receives no response before this timer expires, it retransmits the request. The timer also sets the interval at which the network device sends multicast EAP-Request/Identity packets to detect clients that cannot actively request authentication.
Related commands: display dot1x.
Examples
# Set the server timeout timer to 150 seconds.
<Sysname> system-view
[Sysname] dot1x timer server-timeout 150
dot1x unicast-trigger
Syntax
dot1x unicast-trigger
undo dot1x unicast-trigger
View
Layer 2 Ethernet interface view
Default level
2: System level
Parameters
None
Description
Use dot1x unicast-trigger to enable the 802.1X unicast trigger function.
Use undo dot1x unicast-trigger to disable the function.
By default, the unicast trigger function is disabled.
The unicast trigger function enables the network access device to initiate 802.1X authentication when it receives a data frame from an unknown source MAC address. The device sends a unicast EAP-Request/Identity packet to the unknown source MAC address and retransmits the packet if it receives no response within the username request timeout timer (set with the dot1x timer tx-period command). This continues until the maximum number of request attempts (set with the dot1x retry command) is reached.
Related commands: display dot1x, dot1x timer tx-period, and dot1x retry.
Examples
# Enable the unicast trigger function for interface GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] dot1x unicast-trigger
reset dot1x statistics
Syntax
reset dot1x statistics [ interface interface-list ]
View
User view
Default level
2: System level
Parameters
interface interface-list: Specifies a port list, which can contain multiple ports. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } & <1-10>, where interface-type represents the port type, interface-number represents the port number, and & <1-10> means that you can provide up to 10 ports or port ranges. The start port number must be smaller than the end number and the two ports must be of the same type.
Description
Use reset dot1x statistics to clear 802.1X statistics.
If a list of ports is specified, the command clears 802.1X statistics for all the specified ports. If no ports are specified, the command clears all 802.1X statistics.
Related commands: display dot1x.
Examples
# Clear 802.1X statistics on port WLAN-ESS 1.