Contents

WLAN authentication commands· 1

client url-redirect acl 1

client url-redirect enable· 1

client-security aaa attribute ip-snooping-method· 3

client-security accounting-delay time· 3

client-security accounting-restart trigger ipv4· 4

client-security accounting-start trigger 5

client-security accounting-update trigger 6

client-security authentication critical-vlan· 7

client-security authentication fail-vlan· 8

client-security authentication-mode· 9

client-security authorization-fail offline· 10

client-security authorization trigger byod· 11

client-security ignore-authentication· 11

client-security ignore-authorization· 12

client-security intrusion-protection action· 13

client-security intrusion-protection enable· 14

client-security intrusion-protection timer temporary-block· 15

client-security intrusion-protection timer temporary-service-stop· 15

display wlan client-security block-mac· 16

display wlan statistics accounting· 17

dot1x domain· 18

dot1x eap· 19

dot1x handshake enable· 19

dot1x handshake secure enable· 20

dot1x max-user 21

dot1x re-authenticate enable· 21

fail-permit enable· 22

fail-permit template· 24

mac-authentication domain· 25

mac-authentication max-user 26

wlan authentication optimization· 27

wlan client-security authentication clear-previous-connection· 27

 

WLAN authentication commands

client url-redirect acl

Use client url-redirect acl to specify an ACL to match traffic that triggers URL redirection.

Use undo client url-redirect acl to restore the default.

Syntax

client url-redirect acl acl-number

undo client url-redirect acl

Default

No ACL is specified to match traffic that triggers URL redirection.

Views

Service template view

Predefined user roles

network-admin

Parameters

acl-number: Specifies an ACL by its number, in the range of 2000 to 3999.

Usage guidelines

By default, the device uses the authorization ACL deployed by the RADIUS server to match traffic that triggers URL redirection. Rule conflicts might exist if the authorization ACL is used by multiple features. To avoid undesirable redirection results, specify a dedicated ACL to match traffic that triggers URL redirection.

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

Examples

# In service template service1, specify ACL 3111 to match traffic that triggers URL redirection.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] client url-redirect acl 3111

Related commands

client url-redirect enable

client url-redirect enable

Use client url-redirect enable to enable URL redirection for WLAN clients.

Use undo client url-redirect enable to disable URL redirection for WLAN clients.

Syntax

client url-redirect enable [ mode native [ https [ redirect-stop-timer seconds ] [ count number ] ] ]

undo client url-redirect enable

Default

URL redirection is disabled for WLAN clients

Views

Service template view

Predefined user roles

network-admin

Parameters

mode native: Sets the URL redirection mode to native mode. In this mode, the device redirects a MAC authentication client if it does not have a redirect URL access record for that client in the local cache.

https: Stops redirecting an HTTPS client if the number of its visits to the IP addresses of the redirect URL has reached the limit before the redirect stop timer expires.

redirect-stop-timer seconds: Sets the redirect stop timer in seconds. The value range for the seconds argument is 1 to 30 seconds and the default setting is 5 seconds.

count number: Sets the minimum number of visits to the IP addresses of the redirect URL. The value range for the number argument is 3 to 60 and the default setting is 3.

Usage guidelines

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

This command takes effect only on clients that use RADIUS-based MAC authentication.

In RADIUS-based MAC authentication, a client can pass authentication only if the RADIUS server has its credential information (username and password) and MAC address.

URL redirection facilitates a client to authenticate to the RADIUS server after it has failed a MAC authentication because the server does not have its credential information and MAC address. This feature redirects the client to a specified authentication webpage URL for portal authentication. After the client passes portal authentication, the RADIUS server records the client's credential information and MAC address. At the same time, the server uses DM requests to log off the client. At the next MAC authentication attempt, the client can pass MAC authentication. For information about DMs, see AAA configuration in User Access and Authentication Configuration Guide.

Typically, redirect decisions are made on the RADIUS server. If the RADIUS server contains MAC authentication information about a client, the client can pass authentication without being redirected to the redirect URL. To make sure all clients visit the redirect URL for purposes such as advertisement, set the URL redirection mode to native mode. In this mode, the device maintains a redirect URL access records for clients and makes a URL redirection decision based on the records, as follows:

·     Redirects the client if no URL access record is found for the client.

·     Stops redirecting an HTTP client if an URL access record exists for the client.

·     Stops redirecting an HTTPS client if the number of its visits to the IP addresses of the redirect URL has reached the specified limit before the redirect stop timer expires.

Examples

# Enable native URL redirection for WLAN clients in service template service1. Stop redirecting an HTTPS client if that client has visited the IP addresses of the redirect URL for 10 times or more within 10 seconds.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] client url-redirect enable mode native https redirect-stop-timer 10 count 10

Related commands

client url-redirect acl

client-security aaa attribute ip-snooping-method

Use client-security aaa attribute ip-snooping-method to include the client IP snooping method in RADIUS packets.

Use undo client-security aaa attribute ip-snooping-method to restore the default.

Syntax

client-security aaa attribute ip-snooping-method

undo client-security aaa attribute ip-snooping-method

Default

The device does not include the client IP snooping method in RADIUS packets.

Views

Service template view

Predefined user roles

network-admin

Usage guidelines

The device can obtain the IP address of a client by snooping packets such as DHCP and ARP packets. To help the RADIUS server determine whether the IP address of an 802.1X or MAC authentication client is assigned by a DHCP server, send the IP snooping method in RADIUS packets to the server.

The IP snooping method is encapsulated in the H3c-Ip-Source-Mod attribute (an extended RADIUS attribute with ID 221).

To identify the IP snooping method, the RADIUS server must support extended RADIUS attributes with a vendor ID of 25506. For more information, see AAA configuration in User Access and Authentication Configuration Guide.

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

Examples

# In service template service1, include the client IP snooping method in RADIUS packets.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] client-security aaa attribute ip-snooping-method

client-security accounting-delay time

Use client-security accounting-delay time to configure the accounting delay.

Use undo client-security accounting-delay time to restore the default.

Syntax

client-security accounting-delay time time [ no-ip-logoff ]

undo client-security accounting-delay time

Default

The device sends a start-accounting request for a client only when the device learns the IP address of that client.

Views

Service template view

Predefined user roles

network-admin

Parameters

time: Sets the accounting delay timer. The value range for the time argument is 1 to 600 seconds.

no-ip-logoff: Logs off a client if the device has failed to obtain the client IP address before the delay timer expires. If you do not specify this keyword, the device sends a start-accounting request immediately after the accounting delay timer expires.

Usage guidelines

The accounting delay timer operates in conjunction with an IP-based accounting-start trigger. The timer specifies the maximum interval for the device to learn the IP address of an 802.1X or MAC authenticated client before it takes the specified action.

The timer starts when a client passes 802.1X or MAC authentication. If the device has failed to learn an IP address that matches the IP-based accounting-start trigger before the accounting delay timer expires, the device takes either of the following actions:

·     Sends a start-accounting request immediately if the no-ip-logoff action is not specified.

·     Logs off the client if the no-ip-logoff action is specified.

Configure the accounting delay timer depending on the typical amount of time for the device to learn the IP address of a client. As a best practice, increase the delay timer on a low-performance network.

The timer takes effect only on clients that come online after the timer is configured.

Examples

# Set the accounting delay timer to 15 seconds in service template service1. Configure the device to log off a client if it has failed to learn the required client IP address before the delay timer expires.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] client-security accounting-delay time 15 no-ip-logoff

Related commands

client-security accounting-start trigger

client-security accounting-restart trigger ipv4

Use client-security accounting-restart trigger ipv4 to enable the IPv4 address-based accounting-restart trigger for clients.

Use undo client-security accounting-restart trigger ipv4 to disable the IPv4 address-based accounting-restart trigger for clients.

Syntax

client-security accounting-restart trigger ipv4 [ delay interval ]

undo client-security accounting-restart trigger ipv4

Default

The IPv4 address-based accounting-restart trigger is disabled.

Views

Service template view

Predefined user roles

network-admin

Parameters

delay interval: Sets the delay for the device to send a start-accounting request for a new accounting cycle after it sends a stop-accounting request. The value range for the interval argument is 0 to 20 seconds. The default delay time is 15 seconds.

Usage guidelines

The IPv4 address-based accounting-restart trigger applies to 802.1X and MAC authentication clients.

This trigger restarts accounting for a client by sending a stop-accounting request and then a start-accounting request to the accounting server when the IPv4 address of the client changes.

This trigger has higher priority than the accounting-update trigger configured for IPv4 by using the client-security accounting-update trigger command.

This trigger is configurable when the service template is disabled, and it takes effect after the service template is enabled.

Examples

# Enable the IPv4 address-based accounting-restart trigger in service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] client-security accounting-restart trigger ipv4 delay 10

client-security accounting-start trigger

Use client-security accounting-start trigger to configure an accounting-start trigger for clients.

Use undo client-security accounting-start trigger to restore the default.

Syntax

client-security accounting-start trigger { ipv4 | ipv4-ipv6 [ separate ] | ipv6 | none }

undo client-security accounting-start trigger

Default

The accounting-start trigger is based on IPv4 address type.

Views

Service template view

Predefined user roles

network-admin

Parameters

ipv4: Triggers accounting for an authenticated client when the device detects that the client has obtained an IPv4 address.

ipv4-ipv6: Triggers accounting for an authenticated client when the device detects that the client has obtained an IPv4 or IPv6 address.

separate: Triggers accounting for each IP address of an authenticated client. If you do not specify this keyword, the device triggers accounting only for the first learned IP address.

ipv6: Triggers accounting for an authenticated client when the device detects that the client has obtained an IPv6 address.

none: Triggers accounting for an authenticated client immediately after the client passes authentication.

Usage guidelines

This command takes effect only on clients that have passed 802.1X or MAC authentication.

For the accounting-start trigger to take effect, follow these guidelines:

·     If the trigger is IP address type based, you must enable learning IP addresses of that type. For information about wireless client IP address learning, see WLAN IP snooping configuration in User Access and Authentication Configuration Guide.

·     The IP-based trigger must match the requirement of the accounting server for the IP version.

The trigger takes effect only on clients that come online after the trigger is configured.

Examples

# Configure an IPv4 address-based accounting-start trigger in service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] client-security accounting-start trigger ipv4

Related commands

client ipv4-snooping arp-learning enable

client ipv4-snooping dhcp-learning enable

client ipv6-snooping dhcpv6-learning enable

client ipv6-snooping nd-learning enable

client ipv6-snooping snmp-nd-report enable

client-security accounting-delay time

client-security accounting-update trigger

client-security accounting-update trigger

Use client-security accounting-update trigger to specify an event-based accounting-update trigger.

Use undo client-security accounting-update trigger to restore the default.

Syntax

client-security accounting-update trigger { ipv4 | ipv4-ipv6 | ipv6 }

undo client-security accounting-update trigger

Default

No event-based accounting-update trigger is configured. The device sends update-accounting requests to the accounting server only regularly at server-assigned or user-defined real-time accounting intervals.

Views

Service template view

Predefined user roles

network-admin

Parameters

ipv4: Sends an update-accounting request when the IPv4 address of an online 802.1X or MAC authenticated client changes.

ipv4-ipv6: Sends an update-accounting request when the IPv4 or IPv6 address of an online 802.1X or MAC authenticated client changes.

ipv6: Sends an update-accounting request when the IPv6 address of an online 802.1X or MAC authenticated client changes.

Usage guidelines

Use the accounting-update trigger in conjunction with the accounting-start trigger. The accounting-update trigger takes effect only if you have configured the accounting-start trigger by using the client-security accounting-start trigger command.

In addition to the event-based accounting-update trigger, you can set a regular accounting-update interval by using the timer realtime-accounting command.

The accounting-update trigger takes effect only on clients that come online after the trigger is configured.

Examples

# Configure an IPv4 address change-based accounting-update trigger in service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] client-security accounting-update trigger ipv4

Related commands

client-security accounting-start trigger

timer realtime-accounting

client-security authentication critical-vlan

Use client-security authentication critical-vlan to configure a critical VLAN for a service template.

Use undo client-security authentication critical-vlan to restore the default.

Syntax

client-security authentication critical-vlan vlan-id

undo client-security authentication critical-vlan

Default

No critical VLAN exists for a service template.

Views

Service template view

Predefined user roles

network-admin

Parameters

vlan-id: Specifies the ID of the critical VLAN, in the range of 1 to 4094.

Usage guidelines

The WLAN critical VLAN accommodates clients that have failed WLAN authentication because all RADIUS servers in their ISP domains are unreachable. Clients in the critical VLAN can access a limited set of network resources depending on the configuration.

The authenticator reauthenticates a client in the critical VLAN at the interval of 30 seconds.

·     If the client passes the reauthentication, the authenticator assigns the client to the authorization VLAN. If no authorization VLAN is configured, the client is assigned to the initial VLAN.

·     If the client fails the reauthentication because all the RADIUS servers are unreachable, the client is still in the critical VLAN.

·     If the client fails the reauthentication for any reason other than unreachable servers, the device assigns the client to the Auth-Fail VLAN. If no Auth-Fail VLAN is configured, the device handles the client depending on the intrusion protection setting. If the intrusion protection feature is not configured, the device logs off the client.

The critical VLAN feature does not take effect on clients that use RSNA. When these clients fail authentication because all the RADIUS servers are unreachable, the authenticator directly logs off the clients.

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

Examples

# Configure VLAN 10 as the critical VLAN in service template 1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] client-security authentication critical-vlan 10

client-security authentication fail-vlan

Use client-security authentication fail-vlan to configure an Auth-Fail VLAN for a service template.

Use undo client-security authentication fail-vlan to restore the default.

Syntax

client-security authentication fail-vlan vlan-id

undo client-security authentication fail-vlan

Default

No Auth-Fail VLAN exists for a service template.

Views

Service template view

Predefined user roles

network-admin

Parameters

vlan-id: Specifies the ID of the Auth-Fail VLAN, in the range of 1 to 4094. Make sure the VLAN has been created.

Usage guidelines

The WLAN Auth-Fail VLAN accommodates clients that have failed WLAN authentication because of the failure to comply with the organization security strategy. For example, the VLAN accommodates clients that have entered invalid passwords. The Auth-Fail VLAN does not accommodate WLAN clients that have failed authentication for authentication timeouts or network connection problems.

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

Examples

# Configure VLAN 10 as the Auth-Fail VLAN in service template 1.

<Sysname> system-view

[Sysname] wlan service-template 1

[Sysname-wlan-st-1] client-security authentication fail-vlan 10

client-security authentication-mode

Use client-security authentication-mode to set the authentication mode for WLAN clients.

Use undo client-security authentication-mode to restore the default.

Syntax

client-security authentication-mode { dot1x | dot1x-then-mac | mac | mac-and-dot1x | mac-then-dot1x | oui-then-dot1x }

undo client-security authentication-mode

Default

The WLAN authentication mode is Bypass. The device does not perform authentication for WLAN clients.

Views

Service template view

Predefined user roles

network-admin

Parameters

dot1x: Performs only 802.1X authentication for the attached clients. A client cannot access the network if it fails 802.1X authentication.

dot1x-then-mac: Performs 802.1X authentication for the attached clients first, and then performs MAC authentication if they fail 802.1X authentication. A client can access the network if it passes either authentication.

mac: Performs only MAC authentication for the attached clients. A client cannot access the network if it fails MAC authentication.

mac-and-dot1x: Performs MAC authentication and then 802.1X authentication for the attached clients. The attached clients must pass both MAC authentication and 802.1X authentication before they can access the network. A client cannot access the network if it fails MAC authentication or 802.1X authentication.

mac-then-dot1x: Performs MAC authentication for the attached clients first, and then 802.1X authentication if they fail MAC authentication. A client can access the network if it passes either authentication.

oui-then-dot1x: Performs OUI authentication for the attached clients first, and then 802.1X authentication if they fail OUI authentication. A client can access the network if it passes either authentication.

Usage guidelines

A service template allows access of multiple authenticated clients in any authentication mode. To set the maximum number of 802.1X clients, use the dot1x max-user command. To set the maximum number of MAC authentication clients, use the mac-authentication max-user command.

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

Examples

# Set the authentication mode to mac for WLAN clients in service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] client-security authentication-mode mac

client-security authorization-fail offline

Use client-security authorization-fail offline to enable the authorization-fail-offline feature.

Use undo client-security authorization-fail offline to disable the authorization-fail-offline feature.

Syntax

client-security authorization-fail offline

undo client-security authorization-fail offline

Default

The authorization-fail-offline feature is disabled.

Views

Service template view

Predefined user roles

network-admin

Usage guidelines

The authorization-fail-offline feature logs off WLAN clients that fail ACL or user profile authorization.

A WLAN client fails ACL or user profile authorization in the following situations:

·     The device or server fails to authorize the specified ACL or user profile to the client.

·     The authorized ACL or user profile does not exist.

If this feature is disabled, the device does not log off WLAN clients that fail ACL or user profile authorization. However, the device outputs logs to report the failure.

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

Examples

# Enable the authorization-fail-offline feature for service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] client-security authorization-fail offline

client-security authorization trigger byod

Use client-security authorization trigger byod to enable the BYOD authorization trigger.

Use undo client-security authorization trigger byod to disable the BYOD authorization trigger.

Syntax

client-security authorization trigger byod

undo client-security authorization trigger byod

Default

The BYOD authorization trigger is disabled.

Views

Service template view

Predefined user roles

network-admin

Usage guidelines

This command enables the access device to trigger BYOD authorization for an authenticated client after the device obtains that client's BYOD information, including its IP address. When BYOD authorization is triggered, the session-timeout timer assigned to the client restarts, extending the amount of time that the client can stay online before a reauthentication is required. On a low performance network, it might take so much time for the device to obtain the IP address of a client that the client's extended amount of online time becomes undesirable.

As a best practice to avoid this undesirable issue, use this command only if BYOD authorization is required and make sure the network performance is good. For more information about BYOD authorization, see AAA in User Access and Authentication Configuration Guide.

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

Examples

# Enable the BYOD authorization trigger in service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] client-security authorization trigger byod

client-security ignore-authentication

Use client-security ignore-authentication to configure the device to ignore the 802.1X or MAC authentication failures.

Use undo client-security ignore-authentication to restore the default.

Syntax

client-security ignore-authentication

undo client-security ignore-authentication

Default

The device does not ignore the authentication failures for wireless clients that use 802.1X authentication or RADIUS-based MAC authentication.

Views

Service template view

Predefined user roles

network-admin

Usage guidelines

This command applies to the following clients:

·     Clients that use 802.1X authentication.

This command enables the device to ignore the 802.1X authentication failures and allow clients that have failed 802.1X authentication to come online.

·     Clients that use both RADIUS-based MAC authentication and portal authentication.

Typically, a client must pass MAC authentication and portal authentication in turn to access network resources. The client provides username and password each time portal authentication is performed.

This command simplifies the authentication process for a client as follows:

¡     If the RADIUS server already records the client's MAC authentication information, the client passes MAC authentication. The device allows the client to access network resources without performing portal authentication.

¡     If the RADIUS server does not record the client's MAC authentication information, the client fails MAC authentication. The device ignores the MAC authentication failure and performs portal authentication for the client. If the client passes portal authentication, it can access network resources. The MAC address of the portal authenticated client will be recorded as MAC authentication information on the RADIUS server.

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

For 802.1X clients that use RSN to roam to a new AP, do not use this command.

Examples

# Configure the device to ignore 802.1X or MAC authentication failures in service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] client-security ignore-authentication

client-security ignore-authorization

Use client-security ignore-authorization to configure the device to ignore the authorization information received from the authentication server (a RADIUS server or the local device).

Use undo client-security ignore-authorization to restore the default.

Syntax

client-security ignore-authorization

undo client-security ignore-authorization

Default

The device uses the authorization information from the server.

Views

Service template view

Predefined user roles

network-admin

Usage guidelines

After a client passes RADIUS or local authentication, the server performs authorization based on the authorization attributes configured for the user account. For example, the server can assign a VLAN. If you do not want the device to use these authorization attributes for clients, configure this command to ignore the authorization information from the server.

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

Examples

# Configure the device to ignore the authorization information from the authentication server for service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] client-security ignore-authorization

client-security intrusion-protection action

Use client-security intrusion-protection action to configure the intrusion protection action that the device takes when intrusion protection detects illegal frames.

Use undo client-security intrusion-protection action to restore the default.

Syntax

client-security intrusion-protection action { service-stop | temporary-block | temporary-service-stop }

undo client-security intrusion-protection action

Default

The intrusion protection action is temporary-block.

Views

Service template view

Predefined user roles

network-admin

Parameters

service-stop: Stops the BSS where an illegal frame is received until the BSS is enabled manually on the radio interface.

temporary-block: Adds the source MAC address of an illegal frame to the blocked MAC address list for a period. To set the period, use the client-security intrusion-protection timer temporary-block command.

temporary-service-stop: Stops the BSS where an illegal frame is received for a period. To set the period, use the client-security intrusion-protection timer temporary-service-stop command.

Usage guidelines

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

For this command to take effect, you must also use the client-security intrusion-protection enable command to enable the intrusion protection feature.

Examples

# Configure the device to stop the BSS where intrusion protection detects illegal frames for service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] client-security intrusion-protection enable

[Sysname-wlan-st-service1] client-security intrusion-protection action service-stop

Related commands

client-security intrusion-protection enable

client-security intrusion-protection timer temporary-block

client-security intrusion-protection timer temporary-service-stop

client-security intrusion-protection enable

Use client-security intrusion-protection enable to enable the intrusion protection feature.

Use undo client-security intrusion-protection enable to disable the intrusion protection feature.

Syntax

client-security intrusion-protection enable

undo client-security intrusion-protection enable

Default

The intrusion protection feature is disabled.

Views

Service template view

Predefined user roles

network-admin

Usage guidelines

When the device receives an association request from an illegal client, the device takes the predefined protection action on the BSS where the request is received. A client is illegal if its MAC address fails WLAN authentication. To set the protection action, use the client-security intrusion-protection action command.

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

Examples

# Enable the intrusion protection feature for service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] client-security intrusion-protection enable

Related commands

client-security intrusion-protection action

client-security intrusion-protection timer temporary-block

Use client-security intrusion-protection timer temporary-block to set the period during which a MAC address is blocked by intrusion protection.

Use undo client-security intrusion-protection timer temporary-block to restore the default.

Syntax

client-security intrusion-protection timer temporary-block time

undo client-security intrusion-protection timer temporary-block

Default

An illegal MAC address is blocked for 180 seconds.

Views

Service template view

Predefined user roles

network-admin

Parameters

time: Specifies the period during which a MAC address is blocked. The value range is 60 to 300 seconds.

Usage guidelines

This command takes effect only when the intrusion protection action is temporary-block.

If you change the blocking period after the service template is enabled, the new setting takes effect on the subsequent detected illegal packets.

Examples

# Configure service template service1 to block illegal MAC addresses for 120 seconds.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] client-security intrusion-protection enable

[Sysname-wlan-st-service1] client-security intrusion-protection action temporary-block

[Sysname-wlan-st-service1] client-security intrusion-protection timer temporary-block 120

Related commands

client-security intrusion-protection action

client-security intrusion-protection enable

client-security intrusion-protection timer temporary-service-stop

Use client-security intrusion-protection timer temporary-service-stop to set the BSS silence period for intrusion protection.

Use undo client-security intrusion-protection timer temporary-service-stop to restore the default.

Syntax

client-security intrusion-protection timer temporary-service-stop time

undo client-security intrusion-protection timer temporary-service-stop

Default

The BSS silence period for intrusion protection is 20 seconds.

Views

Service template view

Predefined user roles

network-admin

Parameters

time: Specifies the period during which a BSS is disabled. The value range is 10 to 300 seconds.

Usage guidelines

This command takes effect only when the intrusion protection action is temporary-service-stop.

If you change the BSS silence period after the service template is enabled, the new setting takes effect on the subsequent detected illegal packets.

Examples

# Set the BSS silence period to 30 seconds for intrusion protection in service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] client-security intrusion-protection enable

[Sysname-wlan-st-service1] client-security intrusion-protection action temporary-service-stop

[Sysname-wlan-st-service1] client-security intrusion-protection timer temporary-service-stop 30

Related commands

client-security intrusion-protection action

client-security intrusion-protection enable

display wlan client-security block-mac

Use display wlan client-security block-mac to display blocked MAC address information for WLAN clients.

Syntax

display wlan client-security block-mac

Views

Any view

Predefined user roles

network-admin

network-operator

Usage guidelines

A MAC address that fails authentication is added to the blocked MAC address list when the intrusion protection action is temporary-block.

Examples

# Display information about all blocked MAC addresses.

<Sysname> display wlan client-security block-mac

MAC address         AP ID       RADIO ID     BSSID

0002-0002-0002      1           1            00ab-0de1-0001

000d-88f8-0577      1           1            0ef1-0001-02c1

 

Total entries: 2

Table 1 Command output

Field	Description
MAC address	Blocked MAC address, in the format of H-H-H.
AP ID	AP ID of the blocked MAC address.
RADIO ID	Radio ID of the blocked MAC address.
BSSID	BSS ID of the blocked MAC address, in the format of H-H-H.
Total entries	Number of blocked MAC addresses.

 

Related commands:

client-security intrusion-protection action

client-security intrusion-protection timer temporary-block

display wlan statistics accounting

Use display wlan statistics accounting to display RADIUS accounting packet statistics about wireless clients.

Syntax

display wlan statistics accounting

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display RADIUS accounting packet statistics about wireless clients.

<Sysname> display wlan statistics accounting

Account start request         : 1

Account start response        : 1

Account update request        : 3

Account update response       : 3

Account stop request          : 1

Account stop response         : 1

Table 2 Command output

Field	Description
Account start request	Number of sent RADIUS start-accounting request packets.
Account start response	Number of received RADIUS start-accounting response packets.
Account update request	Number of sent RADIUS real-time accounting request packets.
Account update response	Number of received RADIUS real-time accounting response packets.
Account stop request	Number of sent RADIUS stop-accounting request packets.
Account stop response	Number of received RADIUS stop-accounting response packets.

‌

dot1x domain

Use dot1x domain to specify an authentication domain for 802.1X clients in a service template.

Use undo dot1x domain to restore the default.

Syntax

dot1x domain domain-name

undo dot1x domain

Default

No authentication domain is specified for 802.1X clients in a service template.

Views

Service template view

Predefined user roles

network-admin

Parameters

domain-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters.

Usage guidelines

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

802.1X chooses an authentication domain for WLAN clients in the following order:

1.     Authentication domain specified in the service template.

2.     Domain specified by username.

3.     Default authentication domain.

Examples

# Specify ISP domain my-domain as the authentication domain for 802.1X clients in service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] dot1x domain my-domain

dot1x eap

Use dot1x eap to specify the EAP mode for 802.1X authentication.

Use undo dot1x eap to restore the default.

Syntax

dot1x eap { extended | standard }

undo dot1x eap

Default

The EAP mode is standard for 802.1X authentication.

Views

Service template view

Predefined user roles

network-admin

Parameters

extended: Specifies the extended EAP mode. This mode requires the device to interact with clients according to the provisions and packet format defined by the proprietary EAP protocol.

standard: Specifies the standard EAP mode. This mode requires the device to interact with clients according to the provisions and packet format defined by the standard EAP protocol.

Usage guidelines

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

When you configure this command, specify the extended keyword for iNode clients and the standard keyword for other clients.

This command is required only when an IMC server is used as the RADIUS server.

Examples

# Set the EAP mode to extended for service template 1.

<Sysname> system-view

[Sysname] wlan service-template 1

[Sysname-wlan-st-1] dot1x eap extended

dot1x handshake enable

Use dot1x handshake enable to enable the 802.1X online user handshake feature.

Use undo dot1x handshake enable to disable the 802.1X online user handshake feature.

Syntax

dot1x handshake enable

undo dot1x handshake enable

Default

The 802.1X online user handshake feature is disabled.

Views

Service template view

Predefined user roles

network-admin

Usage guidelines

The online user handshake feature checks the connection status of online 802.1X clients by periodically sending handshake messages to the clients. The device sets a client to the offline state if it does not receive responses from the client after making the maximum handshake attempts within the handshake timer. To set the handshake timer, use the dot1x timer handshake-period command. To set the maximum handshake attempts, use the dot1x retry command.

The device does not respond to a client after it receives handshake responses from that client. Some clients might initiate reauthentication or go offline if they do not receive the device's responses to their handshake responses. If your network has such clients, you can disable the online user handshake feature.

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

Examples

# Enable the online user handshake feature for 802.1X clients in service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] dot1x handshake enable

Related commands

dot1x handshake secure enable

dot1x retry

dot1x timer handshake-period

dot1x handshake secure enable

Use dot1x handshake secure enable to enable the 802.1X online user handshake security feature.

Use undo dot1x handshake secure enable to disable the 802.1X online user handshake security feature.

Syntax

dot1x handshake secure enable

undo dot1x handshake secure enable

Default

The 802.1X online user handshake security feature is disabled.

Views

Service template view

Predefined user roles

network-admin

Usage guidelines

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

For the 802.1X online user handshake security feature to take effect, you must enable the 802.1X online user handshake feature.

The online user handshake security feature protects only authenticated online 802.1X clients.

Examples

# Enable the 802.1X online user handshake security feature in service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] dot1x handshake enable

[Sysname-wlan-st-service1] dot1x handshake secure enable

Related commands

dot1x handshake enable

dot1x max-user

Use dot1x max-user to set the maximum number of concurrent 802.1X clients that a service template supports on a radio.

Use undo dot1x max-user to restore the default.

Syntax

dot1x max-user count

undo dot1x max-user

Default

A service template permits a maximum of 512 concurrent 802.1X clients to access the network on a radio.

Views

Service template view

Predefined user roles

network-admin

Parameters

count: Specifies the maximum number of concurrent 802.1X clients. The value range is 1 to 512.

Usage guidelines

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

This setting takes effect on a per-radio basis. If the number of 802.1X clients of the service template reaches the limit on a radio, no additional 802.1X clients can access the network through the service template on that radio.

Examples

# In service template service1, set the maximum number of concurrent 802.1X clients on a radio to 32.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] dot1x max-user 500

dot1x re-authenticate enable

Use dot1x re-authenticate enable to enable the 802.1X periodic online user reauthentication feature.

Use undo dot1x re-authenticate enable to disable the 802.1X periodic online user reauthentication feature.

Syntax

dot1x re-authenticate enable

undo dot1x re-authenticate enable

Default

The 802.1X periodic online user reauthentication feature is disabled.

Views

Service template view

Predefined user roles

network-admin

Usage guidelines

Periodic reauthentication enables the device to periodically authenticate online 802.1X clients in a service template. This feature checks the connection status of online clients and updates the authorization attributes assigned by the server, such as the ACL, VLAN, and user profile.

You can use the dot1x timer reauth-period command to configure the interval for reauthentication.

The server-assigned session timeout timer (Session-Timeout attribute) and termination action (Termination-Action attribute) can affect the periodic online user reauthentication feature. To display the server-assigned Session-Timeout and Termination-Action attributes, use the display dot1x connection command (see Security Command Reference).

·     If the termination action is Default (logoff), periodic online user reauthentication on the template takes effect only when the periodic reauthentication timer is shorter than the session timeout timer.

·     If the termination action is Radius-request, the periodic online user reauthentication configuration on the template does not take effect. The device reauthenticates the online 802.1X clients after the session timeout timer expires.

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

Examples

# Enable the 802.1X periodic online user reauthentication feature in service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] dot1x re-authenticate enable

Related commands

dot1x timer

fail-permit enable

Use fail-permit enable to enable authentication fail-permit.

Use undo fail-permit enable to disable authentication fail-permit.

Syntax

fail-permit enable [ keep-online ]

undo fail-permit enable

Default

Authentication fail-permit is disabled.

Views

Service template view

Predefined user roles

network-admin

Parameters

keep-online: Allows online fail-permit users to stay online when an authentication fail-permit event occurs. If you do not specify this keyword, the device disconnects online fail-permit users when an authentication fail-permit event occurs.

Usage guidelines

Authentication fail-permit (also called fail-open) allows 802.1X, MAC authentication, and Bypass clients to access the network after the AC disconnects from the RADIUS server or the AP. When either event occurs, the AP continues to provide access services and forward traffic for those clients.

The impact of an authentication fail-permit event on clients differs depending on their authentication method and depending on whether a fail-permit service template has been configured.

·     Bypass clients:

¡     If a fail-permit service template has been configured, the Bypass clients will be logged off. To access the network, the Bypass clients must manually reconnect to the SSID in the preconfigured fail-permit service template.

¡     If no fail-permit service template has been configured, the Bypass clients can continue to access the network with the existing service template without interruption.

·     MAC authentication clients:

¡     If a fail-permit service template has been configured, the MAC authentication clients will be logged off. To access the network, the MAC authentication clients must manually reconnect to the SSID in the preconfigured fail-permit service template.

¡     If no fail-permit service template has been configured, the MAC authentication clients can continue to access the network with the existing service template after a transient interruption. In this situation, the clients will be logged off and then automatically connected to the network.

·     The 802.1X clients will be logged off. To access the network, the 802.1X clients must manually reconnect to the SSID in a preconfigured fail-permit service template.

When you configure authentication fail-permit for clients, follow these restrictions and guidelines:

·     Enable authentication fail-permit in the service template to be protected.

·     Configure another service template as the fail-permit service template to be used when authentication fail-permit occurs.

For authentication fail-permit to take effect, perform the following steps:

1.     Execute the radius-server test-profile command to configure a RADIUS test profile to test the reachability of the RADIUS server.

In the profile, set the interval for sending detection packets as needed. The shorter the interval is, the quicker the response to the change will be.

2.     Apply the profile to the RADIUS server in the RADIUS scheme for the authentication ISP domain.

Fail-permit will occur when the RADIUS server is determined to be unreachable.

For more information about configuring RADIUS test profiles, see AAA configuration in User Access and Authentication Configuration Guide.

The fail-permit enable command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

The fail-permit enable command is mutually exclusive with the fail-permit template command in the same service template.

Examples

# Enable authentication fail-permit in a WLAN service template.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] fail-permit enable

Related commands

fail-permit template

fail-permit template

Use fail-permit template to specify a service template as a fail-permit service template.

Use undo fail-permit template to remove the fail-permit attribute of a fail-permit service template.

Syntax

fail-permit template

undo fail-permit template

Default

No service templates are specified as fail-permit service templates.

Views

Service template view

Predefined user roles

network-admin

Usage guidelines

You can use this command for the following purposes:

·     Authentication fail-permit—To use the authentication fail-permit feature for clients associated with one service template, specify another service template as a fail-permit service template. If the protected service template has 802.1X clients, you must specify a fail-permit service template. This requirement is optional for other types of authentication clients. For more information about the authentication fail-permit feature, see the usage guidelines for the fail-permit enable command.

·     5G radio silence fail-permit—Allows an AP to move the clients of a service template on a 5G radio to a different 5G radio for network access when radio silence is imposed on the former radio.

You can execute the fail-permit template command only when the service template is disabled, and it takes effect after the service template is enabled.

The fail-permit template command is mutually exclusive with the fail-permit enable command in the same service template.

To ensure a successful fail-permit, follow these restrictions and guidelines:

·     Enable APs to forward client data traffic in the fail-permit service template by using the client forwarding-location command.

·     If APs are configured as the authenticator in a service template by using the client-security authentication-location command, the authenticator in the fail-permit service template of this service template must also be APs.

Use the following guidelines when you configure an authentication fail-permit service template:

·     As a best practice, configure only one fail-permit service template for clients on an AP. If you configure multiple fail-permit service templates, only the one that is first bound to a radio on the AP will take effect.

·     To ensure a successful fail-permit for clients, set the AKM mode to PSK or do not specify any AKM mode in the fail-permit service template.

Use the following guidelines when you configure a 5G silence fail-permit service template for 5G clients:

·     Specify one 5G silence fail-permit service template for each 5G service template on a 5G radio. These 5G silence fail-permit service templates must contain the same settings as their protected 5G service templates except that the protected 5G service templates cannot contain the fail-permit template command.

·     Bind a 5G silence fail-permit service template to a different radio than its protected 5G service template on the same AP.

Examples

# Specify a service template as a fail-permit service template.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] fail-permit template

Related commands

akm mode

fail-permit enable

mac-authentication domain

Use mac-authentication domain to specify an authentication domain for MAC authentication clients in a service template.

Use undo mac-authentication domain to restore the default.

Syntax

mac-authentication domain domain-name

undo mac-authentication domain

Default

No authentication domain is specified for MAC authentication clients in a service template.

Views

Service template view

Predefined user roles

network-admin

Parameters

domain-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters.

Usage guidelines

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

MAC authentication chooses an authentication domain for WLAN clients in the following order:

1.     Authentication domain specified in the service template.

2.     Global authentication domain specified in system view.

3.     Default authentication domain.

Examples

# Specify ISP domain my-domain as the authentication domain for MAC authentication clients in service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] mac-authentication domain my-domain

mac-authentication max-user

Use mac-authentication max-user to set the maximum number of concurrent MAC authentication clients that a service template supports on a radio.

Use undo mac-authentication max-user to restore the default.

Syntax

mac-authentication max-user count

undo mac-authentication max-user

Default

A service template permits a maximum of 4096 concurrent MAC authentication clients to access the network on a radio.

Views

Service template view

Predefined user roles

network-admin

Parameters

count: Specifies the maximum number of concurrent MAC authentication clients. The value range for this argument is 1 to 4096.

Usage guidelines

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

This command takes effect on a per-radio basis. If the number of MAC authentication clients of a service template reaches the limit on a radio, no additional MAC authentication clients can access the network through the service template on that radio.

Examples

# Configure service template service1 to support a maximum of 32 concurrent MAC authentication clients on a radio.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] mac-authentication max-user 32

wlan authentication optimization

Use wlan authentication optimization to configure a modifier to adjust the authentication success ratio and abnormal offline ratio for 802.1X authentication, MAC authentication, and Layer 2 portal authentication.

Use undo wlan authentication optimization to restore the default.

Syntax

wlan authentication optimization value

undo wlan authentication optimization

Default

The modifier is 0. The device does not adjust the authentication success ratio and abnormal offline ratio for 802.1X authentication, MAC authentication, and Layer 2 portal authentication.

Views

System view

Predefined user roles

network-admin

Parameters

value: Sets the modifier, in the range of 900 to 1000. The lower the value, the lower the authentication success ratio, and the higher the abnormal offline ratio.

Usage guidelines

The authentication success ratio is the ratio of the number of authentication success times to the total number of authentication times. The abnormal offline ratio is calculated by using the following formula: abnormal offline ratio = number of times that clients go offline abnormally ÷ (number of authentication success times + number of current online users).

WLAN authentication statistics optimization uses a modifier to adjust the authentication success ratio and abnormal offline ratio of 802.1X authentication, MAC authentication, and Layer 2 portal authentication.

The modifier takes effect only on RADIUS-based 802.1X authentication, MAC authentication, and Layer 2 portal authentication.

Examples

# Set the modifier to 950 to adjust the authentication success ratio and abnormal offline ratio of 802.1X authentication, MAC authentication, and Layer 2 portal authentication.

<Sysname> system-view

[Sysname] wlan authentication optimization 950

wlan client-security authentication clear-previous-connection

Use wlan client-security authentication clear-previous-connection to enable the clear-previous-connection feature for WLAN authentication.

Use undo wlan client-security authentication clear-previous-connection to disable the clear-previous-connection feature for WLAN authentication.

Syntax

wlan client-security authentication clear-previous-connection

undo wlan client-security authentication clear-previous-connection

Default

The clear-previous-connection feature is disabled for WLAN authentication.

Views

System view

Predefined user roles

network-admin

Usage guidelines

IMPORTANT: When this feature is enabled, the 802.1X reauthentication, WLAN Auth-Fail VLAN, and WLAN critical VLAN features cannot take effect.

 

Some RADIUS servers reject to authenticate a client if they have an online user entry for that client. If they fail to remove the online user entry for a client that has gone offline incorrectly, that client will be unable to get authenticated and come online again.

To resolve this issue, use the clear-previous-connection feature.

With this feature, the device checks the local online user entries before it sends an authentication request to the RADIUS server for an 802.1X or MAC authentication client. If an entry is found, the device removes the entry and sends a stop-accounting request to the RADIUS server. Upon receipt of the stop-accounting request, the RADIUS server removes the online user entry. Then, the client can be authenticated correctly.

Examples

# Enable the clear-previous-connection feature.

<Sysname> system-view

[Sysname] wlan client-security authentication clear-previous-connection