13-User Access and Authentication Command Reference

HomeSupportResource CenterReference GuidesCommand ReferencesH3C Access Controllers Command References(R5426P02)-6W10413-User Access and Authentication Command Reference
02-802.1X commands
Title Size Download
02-802.1X commands 197.16 KB

802.1X commands

The WX1800H series, WX2500H series, and WX3000H series access controllers do not support parameters or commands that are available only in IRF mode.

display dot1x

Use display dot1x to display information about 802.1X.

Syntax

display dot1x [ sessions | statistics ] [ ap ap-name [ radio radio-id ] | interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

sessions: Displays 802.1X session information.

statistics: Displays 802.1X statistics.

ap ap-name: Specifies an AP by its name, a case-insensitive string of 1 to 64 characters. The string can contain letters, digits, underscores (_), dots (.), left brackets ([), right brackets (]), forward slashes (/), and hyphens (-).

radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by AP model. If you do not specify a radio, this command displays 802.1X information for all radios on the specified AP.

interface interface-type interface-number: Specifies a port by its type and number.

Usage guidelines

If you do not specify the sessions keyword or the statistics keyword, this command displays all information about 802.1X, including session information, statistics, and settings.

If you do not specify the ap ap-name [ radio radio-id ] option or the interface interface-type interface-number option, this command displays all 802.1X information, including wired 802.1X information and wireless 802.1X information.

If you do not specify any parameters, this command displays all 802.1X information.

Examples

# Display all information about 802.1X.

<Sysname> display dot1x

Global 802.1X parameters:

   802.1X authentication  : Enabled

   CHAP authentication    : Enabled

   Max-tx period          : 30 s

   Handshake period       : 15 s

   Quiet timer            : Disabled

         Quiet period     : 60 s

   Supp timeout           : 30 s

   Server timeout         : 100 s

   Reauth period          : 3600 s

   Max auth requests      : 2

   SmartOn switch ID      : 30

   SmartOn supp timeout   : 30 s

   SmartOn retry counts   : 3

   EAD assistant function : Disabled

       URL                : http://www.dwsoft.com

       Free IP            : 6.6.6.0         255.255.255.0

       EAD timeout        : 30 min

   Domain delimiter       : @

 Online 802.1X wired users    : 1

 Online 802.1X wireless users : 1

 

 GigabitEthernet1/0/1  is link-up

   802.1X authentication      : Enabled

   Handshake                  : Enabled

   Handshake reply            : Disabled

   Handshake security         : Disabled

   Unicast trigger            : Disabled

   Periodic reauth            : Disabled

   Port role                  : Authenticator

   Authorization mode         : Auto

   Port access control        : Port-based

   Multicast trigger          : Enabled

   Mandatory auth domain      : Not configured

   Guest VLAN                 : 3

   Auth-Fail VLAN             : Not configured

   Critical VLAN              : Not configured

   Critical voice VLAN        : Disabled

   Re-auth server-unreachable : Logoff

   Max online users           : 256

   SmartOn                    : Disabled

 

   EAPOL packets: Tx 3, Rx 4

   Sent EAP Request/Identity packets : 1

        EAP Request/Challenge packets: 1

        EAP Success packets: 1

        EAP Failure packets: 0

   Received EAPOL Start packets : 1

            EAPOL LogOff packets: 1

            EAP Response/Identity packets : 1

            EAP Response/Challenge packets: 1

            Error packets: 0

   Online 802.1X users: 1

          MAC address         Auth state

          0001-0000-0000      Authenticated

AP name: AP1  Radio ID: 1  SSID: wlan_dot1x_ssid

   BSSID                      : 1111-1111-1111

   802.1X authentication      : Enabled

   Handshake                  : Enabled

   Handshake security         : Disabled

   Periodic reauth            : Disabled

   Mandatory auth domain      : Not configured

   Max online users           : 256

 

   EAPOL packets: Tx 3, Rx 4

   Sent EAP Request/Identity packets : 1

        EAP Request/Challenge packets: 1

        EAP Success packets: 1

        EAP Failure packets: 0

   Received EAPOL Start packets : 1

        EAPOL LogOff packets: 1

        EAP Response/Identity packets : 1

        EAP Response/Challenge packets: 1

        Error packets: 0

   Online 802.1X users: 1

          MAC address         Auth state

          0001-0000-0002      Authenticated

Table 1 Command output

Field

Description

Global 802.1X parameters

Global 802.1X configuration.

802.1X authentication

Whether 802.1X is enabled globally.

CHAP authentication

Performs EAP termination and uses CHAP to communicate with the RADIUS server.

EAP authentication

Relays EAP packets and supports any of the EAP authentication methods to communicate with the RADIUS server.

PAP authentication

Performs EAP termination and uses PAP to communicate with the RADIUS server.

Max-tx period

Username request timeout timer in seconds.

Handshake period

Handshake timer in seconds.

Quiet timer

Status of the quiet timer, enabled or disabled.

Quiet period

Quiet timer in seconds.

Supp timeout

Client timeout timer in seconds.

Server timeout

Server timeout timer in seconds.

Reauth period

Periodic reauthentication timer in seconds.

Max auth requests

Maximum number of attempts for sending an authentication request to a client.

SmartOn switch ID

Switch ID for SmartOn authentication.

SmartOn supp timeout

SmartOn client timeout timer in seconds.

SmartOn retry counts

Maximum number of attempts for retransmitting an EAP-Request/Notification packet to a client.

EAD assistant function

Whether EAD assistant is enabled.

URL

Redirect URL for unauthenticated users using a Web browser to access the network.

Free IP

Network segment accessible to unauthenticated users.

EAD timeout

EAD rule timer in minutes.

Domain delimiter

Domain delimiters supported by the device.

Online 802.1X wired users

Number of wired online 802.1X users, including users that have passed 802.1X authentication and users that are performing 802.1X authentication.

Online 802.1X wireless users

Number of wireless online 802.1X users, including users that have passed 802.1X authentication and users that are performing 802.1X authentication.

GigabitEthernet1/0/1 is link-up

Status of the port. In this example, GigabitEthernet 1/0/1 is up.

802.1X authentication

Whether 802.1X is enabled on the port.

Handshake

Whether the online user handshake feature is enabled on the port.

Handshake reply

Whether the online user handshake reply feature is enabled on the port.

Handshake security

Whether the online user handshake security feature is enabled on the port.

Unicast trigger

Whether the 802.1X unicast trigger is enabled on the port.

Periodic reauth

Whether 802.1X periodic reauthentication is enabled on the port.

Port role

Role of the port. The port functions only as an Authenticator.

Authorization mode

Authorization state of the port, which can be Force-Authorized, Auto, or Force-Unauthorized.

Port access control

Access control method of the port:

·     MAC-based—MAC-based access control.

·     Port-based—Port-based access control.

Multicast trigger

Whether the 802.1X multicast trigger feature is enabled.

Mandatory auth domain

Mandatory authentication domain on the port.

Guest VLAN

802.1X guest VLAN configured on the port.

If no 802.1X guest VLAN is configured on the port, this field displays Not configured.

Auth-Fail VLAN

802.1X Auth-Fail VLAN configured on the port.

If no 802.1X Auth-Fail VLAN is configured on the port, this field displays Not configured.

Critical VLAN

802.1X critical VLAN configured on the port.

If no 802.1X critical VLAN is configured on the port, this field displays Not configured.

Critical voice VLAN

Whether the 802.1X critical voice VLAN feature is enabled on the port.

Re-auth server-unreachable

Whether to log off online 802.1X users or keep them online when no server is reachable for 802.1X reauthentication.

Max online users

Maximum number of concurrent 802.1X users on the port.

SmartOn

Whether SmartOn authentication is enabled on the port.

EAPOL packets

Number of sent (Tx) and received (Rx) EAPOL packets.

Sent EAP Request/Identity packets

Number of sent EAP-Request/Identity packets.

EAP Request/Challenge packets

Number of sent EAP-Request/MD5-Challenge packets.

EAP Success packets

Number of sent EAP-Success packets.

EAP Failure packets

Number of sent EAP-Failure packets.

Received EAPOL Start packets

Number of received EAPOL-Start packets.

EAPOL LogOff packets

Number of received EAPOL-LogOff packets.

EAP Response/Identity packets

Number of received EAP-Response/Identity packets.

EAP Response/Challenge packets

Number of received EAP-Response/MD5-Challenge packets.

Error packets

Number of received error packets.

Online 802.1X users

Number of online 802.1X users on the port, including users that have passed 802.1X authentication and users that are performing 802.1X authentication.

MAC address

MAC addresses of the online 802.1X users.

Auth state

Authentication status of the online 802.1X users.

AP name

Name of the AP with which users are associated.

Radio ID

ID of the radio with which users are associated.

SSID

SSID with which users are associated.

BSSID

ID of the BSS with which users are associated.

 

display dot1x connection

Use display dot1x connection to display information about online 802.1X users.

Syntax

In standalone mode:

display dot1x connection [ ap ap-name [ radio radio-id ] | interface interface-type interface-number | user-mac mac-address | user-name name-string ]

In IRF mode:

display dot1x connection [ ap ap-name [ radio radio-id ] | interface interface-type interface-number | slot slot-number | user-mac mac-address | user-name name-string ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ap ap-name: Specifies an AP by its name, a case-insensitive string of 1 to 64 characters. The string can contain letters, digits, underscores (_), dots (.), left brackets ([), right brackets (]), forward slashes (/), and hyphens (-). If you do not specify an AP, this command displays information about online 802.1X users for all APs.

radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by AP model. If you do not specify a radio, this command displays information about online 802.1X users for all radios on the specified AP.

interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command displays online 802.1X user information for all ports.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays online 802.1X user information for all member devices. (In IRF mode.)

user-mac mac-address: Specifies an 802.1X user by MAC address. The mac-address argument represents the MAC address of the user, in the form of H-H-H. If you do not specify an 802.1X user, this command displays online user information for all 802.1X users.

user-name name-string: Specifies an 802.1X user by its name. The name-string argument represents the username, a case-sensitive string of 1 to 253 characters. If you do not specify an 802.1X user, this command displays online user information for all 802.1X users.

Usage guidelines

(In standalone mode.) If you do not specify any parameters, this command displays information about online 802.1X users for all ports.

(In IRF mode.) If you do not specify any parameters, this command displays information about online 802.1X users for all member devices.

Examples

# (In standalone mode.) Display all online 802.1X user information.

<Sysname> display dot1x connection

Total connections: 1

 

User MAC address: 0015-e9a6-7cfe

Access interface: GigabitEthernet1/0/1

Username: ias

Authentication domain: abc

IPv4 address: 192.168.1.1

IPv6 address: 2000:0:0:0:1:2345:6789:abcd

Authentication method: CHAP

Initial VLAN: 1

Authorization untagged VLAN: 6

Authorization tagged VLAN list: 1 to 5 7 9 11 13 15 17 19 21 23 25 27 29 31 33 29 31 33

                                35 37 40 to 100

Authorization ACL number/name: 3001

Authorization user profile: N/A

Termination action: Default

Session timeout period: 2 s

Online from: 2013/03/02  13:14:15

Online duration: 0h 2m 15s

Level flow statistic            :

Level-0     Sent packets/bytes  : 0/0

        Received packets/bytes  : 272/13445

Level-1     Sent packets/bytes  : 0/0

        Received packets/bytes  : 45/1248

 

User MAC address                : 0016-ecb7-a879

AP name                         : ap1

Radio ID                        : 1

SSID                            : wlan_dot1x_ssid

BSSID                           : 0015-e9a6-7cf0

User name                       : ias

Authentication domain           : 1

IPv4 address                    : 192.168.1.1

IPv6 address                    : 2000:0:0:0:1:2345:6789:abcd

Authentication method           : CHAP

Initial VLAN                    : 1

Authorization VLAN              : N/A

Authorization ACL number        : 3001

Authorization user profile      : N/A

Authorization CAR               :

  Average input rate            : 102400 bps

  Average output rate           : 102400 bps

Termination action              : Default

Session timeout period          : 2 sec

Online from                     : 2013/03/02 13:14:15

Online duration                 : 0 h 2 m 15 s

Level flow statistic            :

Level-0    Sent  packets/bytes  : 1/54

        Received packets/bytes  : 0/0

Level-1     Sent packets/bytes  : 0/0

        Received packets/bytes  : 45/1248

# (In IRF mode.) Display all online 802.1X user information.

<Sysname> display dot1x connection

Total connections: 1

 

Slot ID: 0

User MAC address: 0015-e9a6-7cfe

Access interface: GigabitEthernet1/0/1

Username: ias

Authentication domain: abc

IPv4 address: 192.168.1.1

IPv6 address: 2000:0:0:0:1:2345:6789:abcd

Authentication method: CHAP

Initial VLAN: 1

Authorization untagged VLAN: 6

Authorization tagged VLAN list: 1 to 5 7 9 11 13 15 17 19 21 23 25 27 29 31 33 29 31 33

                                35 37 40 to 100

Authorization ACL number/name: 3001

Authorization user profile: N/A

Termination action: Default

Session timeout period: 2 s

Online from: 2013/03/02  13:14:15

Online duration: 0h 2m 15s

Level flow statistic            :

Level-0     Sent packets/bates  : 1/54

        Received packets/bates  : 0/0

Level-1     Sent packets/bates  : 0/0

        Received packets/bates  : 45/1248

 

User MAC address                : 0016-ecb7-a879

AP name                         : ap1

Radio ID                        : 1

SSID                            : wlan_dot1x_ssid

BSSID                           : 0015-e9a6-7cf0

User name                       : ias

Authentication domain           : 1

IPv4 address                    : 192.168.1.1

IPv6 address                    : 2000:0:0:0:1:2345:6789:abcd

Authentication method           : CHAP

Initial VLAN                    : 1

Authorization VLAN              : N/A

Authorization ACL number        : 3001

Authorization user profile      : N/A

Authorization CAR               :

  Average input rate            : 102400 bps

  Average output rate           : 102400 bps

Termination action              : Default

Session timeout period          : 2 sec

Online from                     : 2013/03/02 13:14:15

Online duration                 : 0 h 2 m 15 s

Level flow statistic            :

Level-0     Sent packets/bates  : 1/54

        Received packets/bates  : 0/0

Level-1     Sent packets/bates  : 0/0

        Received packets/bates  : 45/1248

Table 2 Command output

Field

Description

Total connections

Number of online 802.1X users.

User MAC address

MAC address of the user.

Access interface

Interface through which the user access the device.

AP name

Name of the AP with which the user is associated.

Radio ID

ID of the radio with which the user is associated.

SSID

SSID with which the user is associated.

BSSID

ID of the BSS with which the user is associated.

Authentication domain

ISP domain used for 802.1X authentication.

IPv4 address

IPv4 address of the user.

If the device does not get the IPv4 address of the user, this field is not available.

IPv6 address

IPv6 address of the user.

If the device does not get the IPv6 address of the user, this field is not available.

Authentication method

EAP message handling method:

·     CHAP—Performs EAP termination and uses CHAP to communicate with the RADIUS server.

·     EAP—Relays EAP packets and supports any of the EAP authentication methods to communicate with the RADIUS server.

·     PAP—Performs EAP termination and uses PAP to communicate with the RADIUS server.

Initial VLAN

VLAN to which the user belongs before 802.1X authentication.

Authorization untagged VLAN

Untagged VLAN authorized to the user.

Authorization tagged VLAN list

Tagged VLANs authorized to the user.

Authorization ACL number/name

Number or name of the ACL authorized to the user.

If no ACL is authorized, this field displays N/A.

If the ACL authorization fails, this field displays (Not effective) after the ACL number or name.

Authorization user profile

User profile authorized to the user.

Authorization CAR

Authorization CAR attributes assigned by the server.

·     Average input rate—Average rate of inbound traffic in bps.

·     Average output rate—Average rate of outbound traffic in bps.

If no authorization CAR attributes are assigned, this field displays N/A.

Termination action

Action attribute assigned by the server to terminate the user session:

·     Default—Logs off the online authenticated 802.1X user when the session timeout timer expires. This attribute does not take effect when 802.1X periodic reauthentication is enabled and the periodic reauthentication timer is shorter than the session timeout timer.

·     Radius-request—Reauthenticates the online user when the session timeout timer expires, regardless of whether the 802.1X periodic reauthentication feature is enabled or not.

If the device performs local authentication, this field displays N/A.

Session timeout period

Session timeout timer assigned by the server.

If the device performs local authentication, this field displays N/A.

Online from

Time from which the 802.1X user came online.

Online duration

Online duration of the 802.1X user.

Level flow statistic

Statistics about traffic flows at each accounting level:

·     Level-n—Traffic accounting level. Available levels include level-0 to level-8. Accounting levels are defined in the WLAN accounting policy.

·     Sent packets/bytes—Number of sent packets and bytes.

·     Received packets/bytes—Number of received packets and bytes.

This field is not displayed for a user if no WLAN accounting policy has been assigned to the user.

This field does not display statistics for an accounting level if no traffic of that level has been sent or received.

For more information about how to assign a WLAN accounting policy to a user, see WLAN access in WLAN Configuration Guide.

dot1x

Use dot1x to enable 802.1X globally or on a port.

Use undo dot1x to disable 802.1X globally or on a port.

Syntax

dot1x

undo dot1x

Default

802.1X is neither enabled globally nor enabled for any port.

Views

System view

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Usage guidelines

For the 802.1X feature to take effect on a port, you must enable the feature both globally and on the port.

Examples

# Enable 802.1X globally.

<Sysname> system-view

[Sysname] dot1x

# Enable 802.1X on GigabitEthernet 1/0/1.

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x

[Sysname-GigabitEthernet1/0/1] quit

Related commands

display dot1x

dot1x authentication-method

Use dot1x authentication-method to specify an EAP message handling method.

Use undo dot1x authentication-method to restore the default.

Syntax

dot1x authentication-method { chap | eap | pap }

undo dot1x authentication-method

Default

The access device performs EAP termination and uses CHAP to communicate with the RADIUS server.

Views

System view

Predefined user roles

network-admin

Parameters

chap: Configures the access device to perform Extensible Authentication Protocol (EAP) termination and use the Challenge Handshake Authentication Protocol (CHAP) to communicate with the RADIUS server.

eap: Configures the access device to relay EAP packets, and supports any of the EAP authentication methods to communicate with the RADIUS server.

pap: Configures the access device to perform EAP termination and use the Password Authentication Protocol (PAP) to communicate with the RADIUS server.

Usage guidelines

The access device terminates or relays EAP packets.

·     In EAP termination mode—The access device re-encapsulates and sends the authentication data from the client in standard RADIUS packets to the RADIUS server. The device performs either CHAP or PAP authentication with the RADIUS server. In this mode, the RADIUS server supports only MD5-Challenge EAP authentication and the username and password EAP authentication initiated by an iNode client.

¡     PAP transports usernames and passwords in plain text. The authentication method applies to scenarios that do not require high security. To use PAP, the client can be an iNode 802.1X client.

¡     CHAP transports usernames in plain text and passwords in encrypted form over the network. CHAP is more secure than PAP.

·     In EAP relay mode—The access device relays EAP messages between the client and the RADIUS server. The EAP relay mode supports multiple EAP authentication methods, such as MD5-Challenge, EAP-TLS, and PEAP. To use this mode, make sure the RADIUS server meets the following requirements:

¡     Supports the EAP-Message and Message-Authenticator attributes.

¡     Uses the same EAP authentication method as the client.

If this mode is used, the user-name-format command configured in RADIUS scheme view does not take effect. For more information about the user-name-format command, see "RADIUS commands."

If RADIUS authentication is used, you must configure the access device to use the same authentication method (PAP, CHAP, or EAP) as the RADIUS server.

Examples

# Enable the access device to terminate EAP packets and perform PAP authentication with the RADIUS server.

<Sysname> system-view

[Sysname] dot1x authentication-method pap

Related commands

display dot1x

dot1x auth-fail vlan

Use dot1x auth-fail vlan to configure an 802.1X Auth-Fail VLAN on a port.

Use undo dot1x auth-fail vlan to restore the default.

Syntax

dot1x auth-fail vlan authfail-vlan-id

undo dot1x auth-fail vlan

Default

No 802.1X Auth-Fail VLAN exists on a port.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

authfail-vlan-id: Specifies the ID of the 802.1X Auth-Fail VLAN on the port. The value range for the VLAN ID is 1 to 4094. Make sure the VLAN has been created. If the port type is hybrid, verify that the VLAN to be specified as the Auth-Fail VLAN is not in the tagged VLAN list on the port.

Usage guidelines

An 802.1X Auth-Fail VLAN accommodates users that have failed 802.1X authentication for any reason other than unreachable servers. Users in the Auth-Fail VLAN can access a limited set of network resources.

To delete a VLAN that has been configured as an 802.1X Auth-Fail VLAN, you must first use the undo dot1x auth-fail vlan command.

Examples

# Configure VLAN 100 as the Auth-Fail VLAN on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x auth-fail vlan 100

Related commands

display dot1x

dot1x critical vlan

Use dot1x critical vlan to configure an 802.1X critical VLAN on a port.

Use undo dot1x critical vlan to restore the default.

Syntax

dot1x critical vlan critical-vlan-id

undo dot1x critical vlan

Default

No 802.1X critical VLAN exists on a port.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

critical-vlan-id: Specifies the ID of the 802.1X critical VLAN on the port. The value range for the VLAN ID is 1 to 4094. Make sure the VLAN has been created. If the port type is hybrid, verify that the VLAN to be specified as the critical VLAN is not in the tagged VLAN list on the port.

Usage guidelines

An 802.1X critical VLAN accommodates users that fail 802.1X authentication because all the RADIUS servers in their ISP domains are unreachable. Users in the critical VLAN can access a limited set of network resources depending on the configuration.

To delete a VLAN that has been configured as an 802.1X critical VLAN, you must first use the undo dot1x critical vlan command.

Examples

# Specify VLAN 100 as the 802.1X critical VLAN on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x critical vlan 100

Related commands

display dot1x

dot1x domain-delimiter

Use dot1x domain-delimiter to specify a set of domain name delimiters supported by the device.

Use undo dot1x domain-delimiter to restore the default.

Syntax

dot1x domain-delimiter string

undo dot1x domain-delimiter

Default

The device supports only the at sign (@) delimiter for 802.1X users.

Views

System view

Predefined user roles

network-admin

Parameters

string: Specifies a set of 1 to 16 domain name delimiters for 802.1X users. No space is required between delimiters. Available delimiters include the at sign (@), backslash (\), dot (.), and forward slash (/). If you want to use backslash (\) as the domain name delimiter, you must enter the escape character (\) along with the backslash (\) sign.

Usage guidelines

Any character in the configured set can be used as the domain name delimiter for 802.1X authentication users. Usernames that include domain names can use the format of username@domain-name, domain-name\username, username.domain-name, or username/domain-name.

The delimiter set you configured overrides the default setting. If the at sign (@) is not included in the delimiter set, the device does not support the 802.1X users that use this sign as the domain name delimiter.

If a username string contains multiple configured delimiters, the device takes the rightmost delimiter in the username string as the domain name delimiter. For example, if you configure the forward slash (/), dot (.), and backslash (\) as delimiters, the domain name delimiter for the username string 121.123/22\@abc is the backslash (\). The username is @abc and the domain name is 121.123/22.

Examples

# Specify the at sign (@) and forward slash (/) as domain name delimiters.

<Sysname> system-view

[Sysname] dot1x domain-delimiter @/

Related commands

display dot1x

dot1x ead-assistant enable

Use dot1x ead-assistant enable to enable the EAD assistant feature.

Use undo dot1x ead-assistant enable to disable the EAD assistant feature.

Syntax

dot1x ead-assistant enable

undo dot1x ead-assistant enable

Default

The EAD assistant feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The EAD assistant feature enables the access device to redirect the HTTP requests of a user to a URL to download and install EAD client. This feature eliminates the tedious job of the administrator to deploy EAD clients.

For the EAD assistant feature to take effect on a port, you must set the port authorization mode to auto.

The feature is mutually exclusive with MAC authentication and port security. You must disable MAC authentication and port security globally before you enable the EAD assistant feature.

Examples

# Enable the EAD assistant feature.

<Sysname> system-view

[Sysname] dot1x ead-assistant enable

Related commands

display dot1x

dot1x ead-assistant free-ip

dot1x ead-assistant url

dot1x ead-assistant free-ip

Use dot1x ead-assistant free-ip to configure a free IP.

Use undo dot1x ead-assistant free-ip to remove the specified or all free IP addresses.

Syntax

dot1x ead-assistant free-ip ip-address { mask-address | mask-length }

undo dot1x ead-assistant free-ip { ip-address { mask-address | mask-length } | all }

Default

No free IPs exist. Users cannot access any segments before they pass 802.1X authentication.

Views

System view

Predefined user roles

network-admin

Parameters

ip-address: Specifies a freely accessible IP address segment, also called a free IP.

mask: Specifies an IP address mask.

mask-length: Specifies IP address mask length in the range of 1 to 32.

all: Removes all free IP addresses.

Usage guidelines

With EAD assistant enabled on the device, unauthenticated 802.1X users can access the network resources in the free IP segments before they pass 802.1X authentication.

Execute this command multiple times to configure multiple free IPs.

Examples

# Configure 192.168.1.1/16 as a free IP.

<Sysname> system-view

[Sysname] dot1x ead-assistant free-ip 192.168.1.1 255.255.0.0

Related commands

display dot1x

dot1x ead-assistant enable

dot1x ead-assistant url

dot1x ead-assistant url

Use dot1x ead-assistant url to configure a redirect URL for EAD assistant.

Use undo dot1x ead-assistant url to restore the default.

Syntax

dot1x ead-assistant url url-string

undo dot1x ead-assistant url

Default

No redirect URL exists for EAD assistant.

Views

System view

Predefined user roles

network-admin

Parameters

url-string: Specifies the redirect URL, a case-sensitive string of 1 to 256 characters.

Usage guidelines

When an unauthenticated user uses a Web browser to access any network other than the free IP, the device redirects the HTTP requests of the user to the redirect URL.

The redirect URL must be on the free IP subnet.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure the redirect URL as http://test.com.

<Sysname> system-view

[Sysname] dot1x ead-assistant url http://test.com

Related commands

display dot1x

dot1x ead-assistant enable

dot1x ead-assistant free-ip

dot1x guest-vlan

Use dot1x guest-vlan to configure an 802.1X guest VLAN on a port.

Use undo dot1x guest-vlan to restore the default.

Syntax

dot1x guest-vlan guest-vlan-id

undo dot1x guest-vlan

The following compatibility matrixes show the support of hardware platforms for this command:

Hardware series

Model

Product code

Command compatibility

WX1800H series

WX1804H

EWP-WX1804H-PWR-CN

No

WX2500H series

WX2508H-PWR-LTE

WX2510H

WX2510H-F

WX2540H

WX2540H-F

WX2560H

EWP-WX2508H-PWR-LTE

EWP-WX2510H-PWR

EWP-WX2510H-F-PWR

EWP-WX2540H

EWP-WX2540H-F

EWP-WX2560H

No

WX3000H series

WX3010H

WX3010H-X

WX3010H-L

WX3024H

WX3024H-L

WX3024H-F

EWP-WX3010H

EWP-WX3010H-X-PWR

EWP-WX3010H-L-PWR

EWP-WX3024H

EWP-WX3024H-L-PWR

EWP-WX3024H-F

Yes

WX3500H series

WX3508H

WX3510H

WX3520H

WX3520H-F

WX3540H

EWP-WX3508H

EWP-WX3510H

EWP-WX3520H

EWP-WX3520H-F

EWP-WX3540H

No

WX5500E series

WX5510E

WX5540E

EWP-WX5510E

EWP-WX5540E

Yes

WX5500H series

WX5540H

WX5560H

WX5580H

EWP-WX5540H

EWP-WX5560H

EWP-WX5580H

Yes

Access controller modules

LSUM1WCME0

EWPXM1WCME0

LSQM1WCMX20

LSUM1WCMX20RT

LSQM1WCMX40

LSUM1WCMX40RT

EWPXM2WCMD0F

EWPXM1MAC0F

LSUM1WCME0

EWPXM1WCME0

LSQM1WCMX20

LSUM1WCMX20RT

LSQM1WCMX40

LSUM1WCMX40RT

EWPXM2WCMD0F

EWPXM1MAC0F

Yes

Hardware series

Model

Product code

Command compatibility

WX1800H series

WX1804H

WX1810H

WX1820H

WX1840H

EWP-WX1804H-PWR

EWP-WX1810H-PWR

EWP-WX1820H

EWP-WX1840H-GL

No

WX3800H series

WX3820H

WX3840H

EWP-WX3820H-GL

EWP-WX3840H-GL

Yes

WX5800H series

WX5860H

EWP-WX5860H-GL

Yes

Default

No 802.1X guest VLAN exists on a port.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

guest-vlan-id: Specifies the ID of the 802.1X guest VLAN. The value range for the VLAN ID is 1 to 4094. Make sure the VLAN has been created. If the port type is hybrid, verify that the VLAN to be specified as the guest VLAN is not in the tagged VLAN list on the port.

Usage guidelines

An 802.1X guest VLAN accommodates users that have not performed 802.1X authentication. In the guest VLAN, users can access a limited set of network resources, such as a software server, to download anti-virus software and system patches.

To delete a VLAN that has been configured as a guest VLAN, you must use the undo dot1x guest-vlan command first.

Examples

# Specify VLAN 100 as the 802.1X guest VLAN on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x guest-vlan 100

Related commands

display dot1x

dot1x handshake

Use dot1x handshake to enable the online user handshake feature.

Use undo dot1x handshake to disable the online user handshake feature.

Syntax

dot1x handshake

undo dot1x handshake

Default

The online user handshake feature is enabled.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Usage guidelines

The online user handshake feature enables the device to periodically send EAP-Request/Identity packets to the client for verifying the connectivity status of online 802.1X users. The device sets a user to the offline state if it does not receive an EAP-Response/Identity packet from the user after making the maximum attempts within the handshake period. To set the handshake timer, use the dot1x timer handshake-period command. To set the maximum handshake attempts, use the dot1x retry command.

Examples

# Enable the online user handshake feature on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x handshake

Related commands

display dot1x

dot1x timer handshake-period

dot1x retry

dot1x handshake reply enable

Use dot1x handshake reply enable to enable the 802.1X online user handshake reply feature.

Use undo dot1x handshake reply enable to disable the 802.1X online user handshake reply feature.

Syntax

dot1x handshake reply enable

undo dot1x handshake reply enable

Default

The 802.1X online user handshake reply feature is disabled.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Usage guidelines

This command enables the device to reply to 802.1X clients' EAP-Response/Identity packets with EAP-Success packets during the online handshake process.

Use this command only if 802.1X clients will go offline without receiving EAP-Success packets from the device.

Examples

# Enable the 802.1X online user handshake reply feature on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x handshake reply enable

Related commands

dot1x handshake

dot1x handshake secure

Use dot1x handshake secure to enable the online user handshake security feature.

Use undo dot1x handshake secure to disable the online user handshake security feature.

Syntax

dot1x handshake secure

undo dot1x handshake secure

Default

The online user handshake security feature is disabled.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Usage guidelines

The online user handshake security feature enables the device to prevent users from using illegal client software.

The feature is implemented based on the online user handshake feature. To bring the security function into effect, make sure the online user handshake feature is enabled.

The online user handshake security feature takes effect only on the network where the iNode client and IMC server are used.

Examples

# Enable the online user handshake security feature on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x handshake secure

Related commands

display dot1x

dot1x handshake

dot1x mandatory-domain

Use dot1x mandatory-domain to specify a mandatory 802.1X authentication domain on a port.

Use undo dot1x mandatory-domain to restore the default.

Syntax

dot1x mandatory-domain domain-name

undo dot1x mandatory-domain

Default

No mandatory 802.1X authentication domain is specified on a port.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

domain-name: Specifies the ISP domain name, a case-insensitive string of 1 to 255 characters.

Usage guidelines

When the system authenticates an 802.1X user trying to access a port, it selects an authentication domain in the following order:

1.     Mandatory domain.

2.     ISP domain specified in the username.

3.     Default ISP domain.

Examples

# Specify my-domain as the mandatory authentication domain for 802.1X users on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x mandatory-domain my-domain

Related commands

display dot1x

dot1x max-user

Use dot1x max-user to set the maximum number of concurrent 802.1X users on a port.

Use undo dot1x max-user to restore the default.

Syntax

dot1x max-user max-number

undo dot1x max-user

Default

The default is 4294967295.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

max-number: Sets the maximum number of concurrent 802.1X users on a port. The value range is 1 to 4294967295.

Usage guidelines

Set the maximum number of concurrent 802.1X users on a port to prevent the system resources from being overused. When the maximum number is reached, the port denies subsequent 802.1X users.

Examples

# Set the maximum number of concurrent 802.1X users to 32 on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x max-user 32

dot1x multicast-trigger

Use dot1x multicast-trigger to enable the 802.1X multicast trigger feature.

Use undo dot1x multicast-trigger to disable the 802.1X multicast trigger feature.

Syntax

dot1x multicast-trigger

undo dot1x multicast-trigger

Default

The 802.1X multicast trigger feature is enabled.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Usage guidelines

The multicast trigger feature enables the device to act as the initiator. The device periodically multicasts EAP-Request/Identity packets out of a port to detect 802.1X clients and trigger authentication. You can use the dot1x timer tx-period command to set the interval for sending multicast EAP-Request/Identity packets.

Disable the multicast trigger in a wireless LAN. Wireless clients and the wireless module of the access device can both initiate 802.1X authentication.

Examples

# Enable the multicast trigger feature on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x multicast-trigger

Related commands

display dot1x

dot1x timer tx-period

dot1x unicast-trigger

dot1x port-control

Use dot1x port-control to set the authorization state for the port.

Use undo dot1x port-control to restore the default.

Syntax

dot1x port-control { authorized-force | auto | unauthorized-force }

undo dot1x port-control

Default

The default port authorization state is auto.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

authorized-force: Places the port in authorized state, enabling users on the port to access the network without authentication.

auto: Places the port initially in unauthorized state to allow only EAPOL packets to pass, and places the port in authorized state after a user passes authentication. You can use this option in most scenarios.

unauthorized-force: Places the port in unauthorized state, denying any access requests from users on the port.

Usage guidelines

You can use this command to set the port authorization state to determine whether a client is granted access to the network.

Examples

# Set the authorization state of GigabitEthernet 1/0/1 to unauthorized-force.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x port-control unauthorized-force

Related commands

display dot1x

dot1x port-method

Use dot1x port-method to specify an access control method for the port.

Use undo dot1x port-method to restore the default.

Syntax

dot1x port-method { macbased | portbased }

undo dot1x port-method

Default

MAC-based access control applies.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

macbased: Uses MAC-based access control on the port to separately authenticate each user attempting to access the network. Using this method, when an authenticated user logs off, no other online users are affected.

portbased: Uses port-based access control on the port. Using this method, once an 802.1X user passes authentication on the port, any subsequent user can access the network through the port without authentication. When the authenticated user logs off, all other users are logged off.

Examples

# Configure GigabitEthernet 1/0/1 to implement port-based access control.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x port-method portbased

Related commands

display dot1x

dot1x quiet-period

Use dot1x quiet-period to enable the quiet timer.

Use undo dot1x quiet-period to disable the quiet timer.

Syntax

dot1x quiet-period

undo dot1x quiet-period

Default

The quiet timer is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

When a client fails 802.1X authentication, the device must wait a period of time before it can process authentication requests from the client. You can use the dot1x timer quiet-period command to set the quiet timer.

Examples

# Enable the quiet timer and set the quiet timer to 100 seconds.

<Sysname> system-view

[Sysname] dot1x quiet-period

[Sysname] dot1x timer quiet-period 100

Related commands

display dot1x

dot1x timer

dot1x re-authenticate

Use dot1x re-authenticate to enable the 802.1X periodic reauthentication feature.

Use undo dot1x re-authenticate to disable the 802.1X periodic reauthentication feature.

Syntax

dot1x re-authenticate

undo dot1x re-authenticate

Default

The 802.1X periodic reauthentication feature is disabled.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Usage guidelines

Periodic reauthentication enables the access device to periodically authenticate online 802.1X users on a port. This feature tracks the connection status of online users and updates the authorization attributes assigned by the server, such as the ACL and VLAN.

You can use the dot1x timer reauth-period command to configure the interval for reauthentication.

Examples

# Enable the 802.1X periodic reauthentication feature on GigabitEthernet 1/0/1, and set the periodic reauthentication interval to 1800 seconds.

<Sysname> system-view

[Sysname] dot1x timer reauth-period 1800

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x re-authenticate

Related commands

display dot1x

dot1x timer

dot1x re-authenticate server-unreachable keep-online

Use dot1x re-authenticate server-unreachable keep-online to enable the keep-online feature on a port.

Use undo dot1x re-authenticate server-unreachable to restore the default.

Syntax

dot1x re-authenticate server-unreachable keep-online

undo dot1x re-authenticate server-unreachable

Default

The keep-online feature is disabled on a port. The device logs off online 802.1X authenticated users if no server is reachable for 802.1X reauthentication.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Usage guidelines

This feature keeps authenticated 802.1X users online when no server is reachable for 802.1X reauthentication.

Examples

# Enable the keep-online feature on GigabitEthernet 1/0/1 for 802.1X reauthentication.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x re-authenticate server-unreachable keep-online

Related commands

display dot1x

dot1x re-authenticate

dot1x retry

Use dot1x retry to set the maximum number of attempts for sending an authentication request to a client.

Use undo dot1x retry to restore the default.

Syntax

dot1x retry retries

undo dot1x retry

Default

A maximum of two attempts are made to send an authentication request to a client.

Views

System view

Predefined user roles

network-admin

Parameters

retries: Specifies the maximum number of attempts for sending an authentication request to a client. The value range is 1 to 10.

Usage guidelines

The access device retransmits an authentication request to a client in any of the following situations:

·     The device does not receive any responses from the client within the username request timeout interval. The timer is set by using the dot1x timer tx-period tx-period-value command for the EAP-Request/Identity packet.

·     The device does not receive any responses from the client within the client timeout interval. The timer is set by using the dot1x timer supp-timeout supp-timeout-value command for the EAP-Request/MD5-Challenge packet.

The access device stops retransmitting the request, if it has made the maximum number of request transmission attempts but still received no response.

Examples

# Set the maximum number of attempts to 9 for sending an authentication request to a client.

<Sysname> system-view

[Sysname] dot1x retry 9

Related commands

display dot1x

dot1x timer

dot1x smarton

Use dot1x smarton to enable the SmartOn feature on a port.

Use undo dot1x smarton to disable the SmartOn feature on a port.

Syntax

dot1x smarton

undo dot1x smarton

Default

The SmartOn feature is disabled on a port.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Usage guidelines

When a SmartOn-enabled port receives an EAPOL-Start packet from an 802.1X client, it sends a unicast EAP-Request/Notification packet to the client. The client will respond with an EAP-Response/Notification packet, which contains the SmartOn switch ID and the MD5 digest of the SmartOn password. The device compares the digest in the packet with the digest on the device. If they are the same, the device continues to perform 802.1X authentication for the client. Otherwise, the device denies the client's 802.1X authentication request.

The SmartOn feature and the online user handshake feature are mutually exclusive.

Examples

# Enable the SmartOn feature on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x smarton

Related commands

display dot1x

dot1x smarton switched

dot1x smarton password

dot1x smarton password

Use dot1x smarton password to set a SmartOn password.

Use undo dot1x smarton password to restore the default.

Syntax

dot1x smarton password { cipher | simple } string

undo dot1x smarton password

Default

No SmartOn password is set.

Views

System view

Predefined user roles

network-admin

Parameters

cipher: Specifies a password in encrypted form.

simple: Specifies password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.

string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 16 characters. Its encrypted form is a case-sensitive string of 1 to 53 characters

Usage guidelines

The device checks the MD5 digest of the SmartOn password in each received EAP-Response/Notification packet. If the digest is different from the SmartOn password digest on the device, the device stops the 802.1X authentication process for the client that sends this packet.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Set the SmartOn password to abc in plaintext form.

<Sysname> system-view

[Sysname] dot1x smarton password simple abc

Related commands

display dot1x

dot1x smarton

dot1x smarton switched

dot1x smarton retry

Use dot1x smarton retry to set the maximum number of attempts for retransmitting an EAP-Request/Notification packet to a client.

Use undo dot1x smarton retry to restore the default.

Syntax

dot1x smarton retry retries

undo dot1x smarton retry

Default

A maximum of three attempts are made to retransmit an EAP-Request/Notification packet to a client.

Views

System view

Predefined user roles

network-admin

Parameters

retries: Specifies the maximum attempts for retransmitting an EAP-Request/Notification packet to a client. The value range is 1 to 10.

Usage guidelines

When the device sends an EAP-Request/Notification packet to the client, the SmartOn client timeout timer (set by using the dot1x smarton timer supp-timeout command) starts. If the device does not receive any EAP-Response/Notification packets from the client before the timer expires, it retransmits the EAP-Request/Notification packet to the client. After the device has made the maximum retransmission attempts but received no response, it stops the 802.1X authentication process for the client.

Examples

# Set the maximum attempts to 5 for retransmitting an EAP-Request/Notification packet.

<Sysname> system-view

[Sysname] dot1x smarton retry 5

Related commands

display dot1x

dot1x smarton timer supp-timeout

dot1x smarton switchid

Use dot1x smarton switchid to set a SmartOn switch ID.

Use undo dot1x smarton switchid to restore the default.

Syntax

dot1x smarton switchid switch-string

undo dot1x smarton switchid

Default

No SmartOn switch ID exists.

Views

System view

Predefined user roles

network-admin

Parameters

switch-string: Specifies the SmartOn switch ID, a case-sensitive string of 1 to 30 characters.

Usage guidelines

The device checks the SmartOn switch ID in each received EAP-Response/Notification packet. If the switch ID is not the same as the switch ID on the device, the device stops the 802.1X authentication process for the client that sends this packet.

Examples

# Set the SmartOn switch ID to abc.

<Sysname> system-view

[Sysname] dot1x smarton switchid abc

Related commands

display dot1x

dot1x smarton

dot1x smarton password

dot1x smarton timer supp-timeout

Use dot1x smarton timer supp-timeout to set the SmartOn client timeout timer.

Use undo dot1x smarton timer supp-timeout to restore the default.

Syntax

dot1x smarton timer supp-timeout supp-timeout-value

undo dot1x smarton timer supp-timeout

Default

The SmartOn client timeout timer is 30 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

supp-timeout-value: Specifies the SmartOn client timeout timer in seconds. The value range is 10 to 120.

Usage guidelines

The SmartOn client timeout timer starts when the device sends an EAP-Request/Notification packet to the client. If the device does not receive any EAP-Response/Notification packets from the client within the timer interval, it retransmits the EAP-Request/Notification packet. After the device has made the maximum retransmission attempts but received no response, it stops the 802.1X authentication process for the client. To set the maximum retransmission attempts, use the dot1x smarton retry command.

Examples

# Set the SmartOn client timeout timer to 20 seconds.

<Sysname> system-view

[Sysname] dot1x smarton timer supp-timeout 20

Related commands

display dot1x

dot1x smarton retry

dot1x timer

Use dot1x timer to set an 802.1X timer.

Use undo dot1x timer to restore the default of an 802.1X timer.

Syntax

dot1x timer { ead-timeout ead-timeout-value | handshake-period handshake-period-value | quiet-period quiet-period-value | reauth-period reauth-period-value | server-timeout server-timeout-value | supp-timeout supp-timeout-value | tx-period tx-period-value }

undo dot1x timer { ead-timeout | handshake-period | quiet-period | reauth-period | server-timeout | supp-timeout | tx-period }

Default

The following 802.1X timers apply:

·     EAD rule timer: 30 minutes.

·     Handshake timer: 15 seconds.

·     Quiet timer: 60 seconds.

·     Periodic reauthentication timer: 3600 seconds.

·     Server timeout timer: 100 seconds.

·     Client timeout timer: 30 seconds.

·     Username request timeout timer: 30 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

ead-timeout ead-timeout-value: Specifies the EAD rule timer in minutes. The value range for the ead-timeout-value argument is 1 to 1440.

handshake-period handshake-period-value: Specifies the handshake timer in seconds. The value range for the handshake-period-value argument is 5 to 1024.

quiet-period quiet-period-value: Specifies the quiet timer in seconds. The value range for the quiet-period-value argument is 10 to 120.

reauth-period reauth-period-value: Specifies the periodic reauthentication timer in seconds. The value range for the reauth-period-value argument is 60 to 7200.

server-timeout server-timeout-value: Specifies the server timeout timer in seconds. The value range for the server-timeout-value argument is 100 to 300.

supp-timeout supp-timeout-value: Specifies the client timeout timer in seconds. The value range for the supp-timeout-value argument is 1 to 120.

tx-period tx-period-value: Specifies the username request timeout timer in seconds. The value range for the tx-period-value argument is 1 to 120.

Usage guidelines

In most cases, the default settings are sufficient. You can edit the timers, depending on the network conditions.

·     In a low-speed network, increase the client timeout timer.

·     In a vulnerable network, set the quiet timer to a high value.

·     In a high-performance network with quick authentication response, set the quiet timer to a low value.

·     In a network with authentication servers of different performance, adjust the server timeout timer.

The network device uses the following 802.1X timers:

·     EAD rule timer (ead-timeout)—Sets the lifetime of each EAD rule. When the timer expires or the user passes authentication, the rule is removed. If users fail to download the EAD client or fail to pass authentication within the timer interval, they must reconnect to the network to access the free IP.

·     Handshake timer (handshake-period)—Sets the interval at which the access device sends client handshake requests to check the online status of a client that has passed authentication. If the device does not receive a response after sending the maximum number of handshake requests, it considers that the client has logged off.

·     Quiet timer (quiet-period)—Starts when a client fails authentication. The access device must wait the time period before it can process the authentication attempts from the client.

·     Periodic reauthentication timer (reauth-period)—Sets the interval at which the access device periodically reauthenticates online 802.1X users. To enable 802.1X periodic reauthentication on a port, use the dot1x re-authenticate command.

·     Server timeout timer (server-timeout)—Starts when the access device sends a RADIUS Access-Request packet to the authentication server. If no response is received when this timer expires, 802.1X authentication fails.

·     Client timeout timer (supp-timeout)—Starts when the access device sends an EAP-Request/MD5-Challenge packet to a client. If no response is received when this timer expires, the access device retransmits the request to the client.

·     Username request timeout timer (tx-period)—Starts when the access device sends an EAP-Request/Identity packet to a client in response to an authentication request. If the device does not receive a response before this timer expires, it retransmits the request. The timer also sets the interval at which the access device sends multicast EAP-Request/Identity packets to detect clients that cannot actively request authentication.

The change to the periodic reauthentication timer applies to the users that have been online only after the old timer expires. Other timer changes take effect immediately on the device.

Examples

# Set the server timeout timer to 150 seconds.

<Sysname> system-view

[Sysname] dot1x timer server-timeout 150

Related commands

display dot1x

dot1x unicast-trigger

Use dot1x unicast-trigger to enable the 802.1X unicast trigger feature.

Use undo dot1x unicast-trigger to disable the 802.1X unicast trigger feature.

Syntax

dot1x unicast-trigger

undo dot1x unicast-trigger

The following compatibility matrixes show the support of hardware platforms for this command:

 

Hardware series

Model

Product code

Command compatibility

WX1800H series

WX1804H

EWP-WX1804H-PWR-CN

No

WX2500H series

WX2508H-PWR-LTE

WX2510H

WX2510H-F

WX2540H

WX2540H-F

WX2560H

EWP-WX2508H-PWR-LTE

EWP-WX2510H-PWR

EWP-WX2510H-F-PWR

EWP-WX2540H

EWP-WX2540H-F

EWP-WX2560H

No

WX3000H series

WX3010H

WX3010H-X

WX3010H-L

WX3024H

WX3024H-L

WX3024H-F

EWP-WX3010H

EWP-WX3010H-X-PWR

EWP-WX3010H-L-PWR

EWP-WX3024H

EWP-WX3024H-L-PWR

EWP-WX3024H-F

Yes

WX3500H series

WX3508H

WX3510H

WX3520H

WX3520H-F

WX3540H

EWP-WX3508H

EWP-WX3510H

EWP-WX3520H

EWP-WX3520H-F

EWP-WX3540H

No

WX5500E series

WX5510E

WX5540E

EWP-WX5510E

EWP-WX5540E

Yes

WX5500H series

WX5540H

WX5560H

WX5580H

EWP-WX5540H

EWP-WX5560H

EWP-WX5580H

Yes

Access controller modules

LSUM1WCME0

EWPXM1WCME0

LSQM1WCMX20

LSUM1WCMX20RT

LSQM1WCMX40

LSUM1WCMX40RT

EWPXM2WCMD0F

EWPXM1MAC0F

LSUM1WCME0

EWPXM1WCME0

LSQM1WCMX20

LSUM1WCMX20RT

LSQM1WCMX40

LSUM1WCMX40RT

EWPXM2WCMD0F

EWPXM1MAC0F

Yes

Hardware series

Model

Product code

Command compatibility

WX1800H series

WX1804H

WX1810H

WX1820H

WX1840H

EWP-WX1804H-PWR

EWP-WX1810H-PWR

EWP-WX1820H

EWP-WX1840H-GL

No

WX3800H series

WX3820H

WX3840H

EWP-WX3820H-GL

EWP-WX3840H-GL

Yes

WX5800H series

WX5860H

EWP-WX5860H-GL

Yes

Default

The 802.1X unicast trigger feature is disabled.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Usage guidelines

The unicast trigger feature enables the access device to initiate 802.1X authentication when the device receives a data frame from an unknown source MAC address. The device sends a unicast EAP-Request/Identity packet to the unknown source MAC address. It will retransmit the packet if it does not receive any responses within a period of time (set by using the dot1x timer tx-period command). This process continues until the maximum number of request attempts (set by using the dot1x retry command) is reached.

Examples

# Enable the unicast trigger feature on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x unicast-trigger

Related commands

display dot1x

dot1x multicast-trigger

dot1x retry

dot1x timer

reset dot1x guest-vlan

Use reset dot1x guest-vlan to remove users from the 802.1X guest VLAN on a port.

Syntax

reset dot1x guest-vlan interface interface-type interface-number [ mac-address mac-address ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies a port by its type and number.

mac-address mac-address: Specifies the MAC address of an 802.1X user in the guest VLAN. If you do not specify this option, the command removes all 802.1X users from the 802.1X guest VLAN on the port.

Examples

# Remove the 802.1X user with MAC address 1-1-1 from the 802.1X guest VLAN on GigabitEthernet 1/0/1.

<Sysname> reset dot1x guest-vlan interface gigabitethernet 1/0/1 mac-address 1-1-1

Related commands

dot1x guest-vlan

reset dot1x statistics

Use reset dot1x statistics to clear 802.1X statistics.

Syntax

reset dot1x statistics [ ap ap-name [ radio radio-id ] | interface interface-type interface-number ]

Views

User view

Predefined user roles

network-admin

Parameters

ap ap-name: Specifies an AP by its name, a case-insensitive string of 1 to 64 characters. The string can contain letters, digits, underscores (_), dots (.), left brackets ([), right brackets (]), forward slashes (/), and hyphens (-).If you do not specify an AP, this command clears statistics of 802.1X users for all APs.

radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by AP model. If you do not specify a radio, this command clears 802.1X statistics for all radios on the specified AP.

interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command clears 802.1X statistics on all ports.

Usage guidelines

If you do not specify any parameters, this command clears all 802.1X statistics.

Examples

# Clear 802.1X statistics on GigabitEthernet 1/0/1.

<Sysname> reset dot1x statistics interface gigabitethernet 1/0/1

Related commands

display dot1x