Login
- Table of Contents
-
- 15-WLAN Command Reference (AC)
- 00-Preface
- 01-Compatibility of hardware and AC functionality
- 02-AP management commands
- 03-Radio management commands
- 04-WLAN access commands
- 05-WLAN security commands
- 06-WLAN authentication commands
- 07-WIPS commands
- 08-WLAN QoS commands
- 09-WLAN roaming commands
- 10-WLAN radio resource measurement commands
- 11-Channel scanning commands
- 12-Band navigation commands
- 13-WLAN multicast optimization commands
- 14-Cloud connection commands
- 15-WLAN RRM commands
- 16-WLAN IP snooping commands
- 17-WLAN load balancing commands
- 18-WLAN probe commands
- 19-Spectrum management commands
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 06-WLAN authentication commands | 150.98 KB |
client-security accounting-delay time
client-security accounting-start trigger
client-security accounting-update trigger
client-security authentication critical-vlan
client-security authentication fail-vlan
client-security authentication-location
client-security authentication-mode
client-security authorization-fail offline
client-security ignore-authentication
client-security ignore-authorization
client-security intrusion-protection action
client-security intrusion-protection enable
client-security intrusion-protection timer temporary-block
client-security intrusion-protection timer temporary-service-stop
display wlan client-security block-mac
mac-authentication fast-connect enable
wlan authentication optimization
wlan client-security authentication clear-previous-connection
WLAN authentication commands
The term "AC" in this document refers to MSR routers that can function as ACs. For more information, see "Compatibility of hardware and AC functionality."
client url-redirect enable
Use client url-redirect enable to enable URL redirection for WLAN clients.
Use undo client url-redirect enable to disable URL redirection for WLAN clients.
Syntax
client url-redirect enable
undo client url-redirect enable
Default
URL redirection is disabled for WLAN clients
Views
Service template view
Predefined user roles
network-admin
Usage guidelines
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
This command takes effect only on clients that use RADIUS-based MAC authentication.
A client is allowed to pass RADIUS-based MAC authentication only when its credential information (username and password) and MAC address are recorded on the RADIUS server.
This command facilitates MAC authentication for a client whose credential information and MAC address are not recorded on the RADIUS server. After this command is enabled, the client will perform Web authentication on the Web interface specified by the RADIUS server-assigned redirect URL. After the client passes Web authentication, the RADIUS server records the client's credential information and MAC address. At the same time, the server uses DM requests to log off the client. At the next MAC authentication attempt, the client can pass MAC authentication. For information about DMs, see AAA in Security Configuration Guide.
Examples
# Enable URL redirection for WLAN clients in service template service1.
<Sysname> system-view
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] client url-redirect enable
client-security accounting-delay time
Use client-security accounting-delay time to configure the accounting delay.
Use undo client-security accounting-delay time to restore the default.
Syntax
client-security accounting-delay time time [ no-ip-logoff ]
undo client-security accounting-delay time
Default
The device sends a start-accounting request for a client only when the device learns the IP address of that client.
Views
Service template view
Predefined user roles
network-admin
Parameters
time: Sets the accounting delay timer. The value range for the time argument is 1 to 60 seconds.
no-ip-logoff: Logs off a client if the device has failed to obtain the client IP address before the delay timer expires. If you do not specify this keyword, the device sends a start-accounting request immediately after the accounting delay timer expires.
Usage guidelines
The accounting delay timer operates in conjunction with an IP-based accounting-start trigger. The timer specifies the maximum interval for the device to learn the IP address of an 802.1X or MAC authenticated client before it takes the specified action.
The timer starts when a client passes 802.1X or MAC authentication. If the device has failed to learn an IP address that matches the IP-based accounting-start trigger before the accounting delay timer expires, the device takes either of the following actions:
· Sends a start-accounting request immediately if the no-ip-logoff action is not specified.
· Logs off the client if the no-ip-logoff action is specified.
Configure the accounting delay timer depending on the typical amount of time for the device to learn the IP address of a client. As a best practice, increase the delay timer on a low-performance network.
The timer takes effect only on clients that come online after the timer is configured.
Examples
# Set the accounting delay timer to 15 seconds in service template service1. Configure the device to log off a client if it has failed to learn the required client IP address before the delay timer expires.
<Sysname> system-view
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] client-security accounting-delay time 15 no-ip-logoff
Related commands
client-security accounting-start trigger
client-security accounting-start trigger
Use client-security accounting-start trigger to configure an accounting-start trigger for clients.
Use undo client-security accounting-start trigger to restore the default.
Syntax
client-security accounting-start trigger { ipv4 | ipv4-ipv6 | ipv6 | none }
undo client-security accounting-start trigger
Default
The accounting-start trigger is based on IPv4 address type.
Views
Service template view
Predefined user roles
network-admin
Parameters
ipv4: Sends a start-accounting request if an 802.1X or MAC authenticated client uses an IPv4 address.
ipv4-ipv6: Sends a start-accounting request if an 802.1X or MAC authenticated client uses an IPv4 or IPv6 address.
ipv6: Sends a start-accounting request if an 802.1X or MAC authenticated client uses an IPv6 address.
none: Sends a start-accounting request when a client passes authentication without examining its IP address type.
Usage guidelines
This command takes effect only on clients that have passed 802.1X or MAC authentication. For more information about accounting, see AAA in Security Configuration Guide.
For the accounting-start trigger to take effect, follow these guidelines:
· If the trigger is IP address type based, you must enable learning IP addresses of that type. For information about wireless client IP address learning, see WLAN IP snooping in WLAN Configuration Guide.
· The IP-based trigger must match the requirement of the accounting server for the IP version.
The trigger takes effect only on clients that come online after the trigger is configured.
Examples
# Configure an IPv4 address-based accounting-start trigger in service template service1.
<Sysname> system-view
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] client-security accounting-start trigger ipv4
Related commands
client ipv4-snooping arp-learning enable
client ipv4-snooping dhcp-learning enable
client ipv6-snooping dhcpv6-learning enable
client ipv6-snooping nd-learning enable
client ipv6-snooping snmp-nd-report enable
client-security accounting-delay time
client-security accounting-update trigger
client-security accounting-update trigger
Use client-security accounting-update trigger to specify an event-based accounting-update trigger.
Use undo client-security accounting-update trigger to restore the default.
Syntax
client-security accounting-update trigger { ipv4 | ipv4-ipv6 | ipv6 }
undo client-security accounting-update trigger
Default
No event-based accounting-update trigger is configured. The device sends update-accounting requests to the accounting server only regularly at server-assigned or user-defined real-time accounting intervals.
Views
Service template view
Predefined user roles
network-admin
Parameters
ipv4: Sends an update-accounting request when the IPv4 address of an online 802.1X or MAC authenticated client changes.
ipv4-ipv6: Sends an update-accounting request when the IPv4 or IPv6 address of an online 802.1X or MAC authenticated client changes.
ipv6: Sends an update-accounting request when the IPv6 address of an online 802.1X or MAC authenticated client changes.
Usage guidelines
Use the accounting-update trigger in conjunction with the accounting-start trigger. The accounting-update trigger takes effect only if you have configured the accounting-start trigger by using the client-security accounting-start trigger command.
In addition to the event-based accounting-update trigger, you can set a regular accounting-update interval by using the timer realtime-accounting command.
The accounting-update trigger takes effect only on clients that come online after the trigger is configured.
Examples
# Configure an IPv4 address change-based accounting-update trigger in service template service1.
<Sysname> system-view
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] client-security accounting-update trigger ipv4
Related commands
client-security accounting-start trigger
timer realtime-accounting (Security Command Reference)
client-security authentication critical-vlan
Use client-security authentication critical-vlan to configure a critical VLAN for a service template.
Use undo client-security authentication critical-vlan to restore the default.
Syntax
client-security authentication critical-vlan vlan-id
undo client-security authentication critical-vlan
Default
No critical VLAN exists for a service template.
Views
Service template view
Predefined user roles
Parameters
vlan-id: Specifies the ID of the critical VLAN, in the range of 1 to 4094.
Usage guidelines
The WLAN critical VLAN accommodates clients that have failed WLAN authentication because all RADIUS servers in their ISP domains are unreachable. Clients in the critical VLAN can access a limited set of network resources depending on the configuration.
The authenticator reauthenticates a client in the critical VLAN at the interval of 30 seconds.
· If the client passes the reauthentication, the authenticator assigns the client to the authorization VLAN. If no authorization VLAN is configured, the client is assigned to the initial VLAN.
· If the client fails the reauthentication because all the RADIUS servers are unreachable, the client is still in the critical VLAN.
· If the client fails the reauthentication for any reason other than unreachable servers, the device assigns the client to the Auth-Fail VLAN. If no Auth-Fail VLAN is configured, the device handles the client depending on the intrusion protection setting. If the intrusion protection feature is not configured, the device logs off the client.
The critical VLAN feature does not take effect on clients that use RSNA. When these clients fail authentication because all the RADIUS servers are unreachable, the authenticator directly logs off the clients.
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
Examples
# Configure VLAN 10 as the critical VLAN in service template 1.
<Sysname> system-view
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] client-security authentication critical-vlan 10
client-security authentication fail-vlan
Use client-security authentication fail-vlan to configure an Auth-Fail VLAN for a service template.
Use undo client-security authentication fail-vlan to restore the default.
Syntax
client-security authentication fail-vlan vlan-id
undo client-security authentication fail-vlan
Default
No Auth-Fail VLAN exists for a service template.
Views
Service template view
Predefined user roles
network-admin
Parameters
vlan-id: Specifies the ID of the Auth-Fail VLAN, in the range of 1 to 4094. Make sure the VLAN has been created.
Usage guidelines
The WLAN Auth-Fail VLAN accommodates clients that have failed WLAN authentication because of the failure to comply with the organization security strategy. For example, the VLAN accommodates clients that have entered invalid passwords. The Auth-Fail VLAN does not accommodate WLAN clients that have failed authentication for authentication timeouts or network connection problems.
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
Examples
# Configure VLAN 10 as the Auth-Fail VLAN in service template 1.
[Sysname] wlan service-template 1
[Sysname-wlan-st-1] client-security authentication fail-vlan 10
client-security authentication-location
Use client-security authentication-location to specify the authenticator for WLAN clients.
Use undo client-security authentication-location to restore the default.
Syntax
client-security authentication-location { ac | ap }
undo client-security authentication-location
Default
The AC acts as the authenticator to authenticate WLAN clients.
Views
Service template view
Predefined user roles
network-admin
Parameters
ac: Specifies the AC as the authenticator.
ap: Specifies the AP as the authenticator.
Usage guidelines
You cannot specify the AP as the authenticator if the AC is configured to forward client data traffic (by using the client forwarding-location command). For information about the client forwarding-location command, see "WLAN access commands."
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
Examples
# Configure the AC as the authenticator for WLAN clients in service template s1.
[Sysname] wlan service-template s1
[Sysname-wlan-st-s1] client-security authentication-location ac
Related commands
client forwarding-location
client-security authentication-mode
Use client-security authentication-mode to set the authentication mode for WLAN clients.
Use undo client-security authentication-mode to restore the default.
Syntax
client-security authentication-mode { dot1x | dot1x-then-mac | mac | mac-then-dot1x | oui-then-dot1x }
undo client-security authentication-mode
Default
The WLAN authentication mode is Bypass. The device does not perform authentication for WLAN clients.
Views
Service template view
Predefined user roles
network-admin
Parameters
dot1x: Performs 802.1X authentication only.
dot1x-then-mac: Performs 802.1X authentication first, and then MAC authentication. If the client passes 802.1X authentication, MAC authentication is not performed.
mac: Performs MAC authentication only.
mac-then-dot1x: Performs MAC authentication first, and then 802.1X authentication. If the client passes MAC authentication, 802.1X authentication is not performed.
oui-then-dot1x: Performs OUI authentication first, and then 802.1X authentication. If the client passes OUI authentication, 802.1X authentication is not performed.
Usage guidelines
A service template allows access of multiple authenticated clients in any authentication mode. To set the maximum number of 802.1X clients, use the dot1x max-user command. To set the maximum number of MAC authentication clients, use the mac-authentication max-user command.
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
Examples
# Set the authentication mode to mac for WLAN clients in service template service1.
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] client-security authentication-mode mac
client-security authorization-fail offline
Use client-security authorization-fail offline to enable the authorization-fail-offline feature.
Use undo client-security authorization-fail offline to disable the authorization-fail-offline feature.
Syntax
client-security authorization-fail offline
undo client-security authorization-fail offline
Default
The authorization-fail-offline feature is disabled.
Views
Service template view
Predefined user roles
network-admin
Usage guidelines
The authorization-fail-offline feature logs off WLAN clients that fail ACL or user profile authorization.
A WLAN client fails ACL or user profile authorization in the following situations:
· The device or server fails to authorize the specified ACL or user profile to the client.
· The authorized ACL or user profile does not exist.
If this feature is disabled, the device does not log off WLAN clients that fail ACL or user profile authorization. However, the device outputs logs to report the failure.
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
Examples
# Enable the authorization-fail-offline feature for service template service1.
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] client-security authorization-fail offline
client-security ignore-authentication
Use client-security ignore-authentication to configure the device to ignore the 802.1X or MAC authentication failures.
Use undo client-security ignore-authentication to restore the default.
Syntax
client-security ignore-authentication
undo client-security ignore-authentication
Default
The device does not ignore the authentication failures for wireless clients that use 802.1X authentication or RADIUS-based MAC authentication.
Views
Service template view
Predefined user roles
network-admin
Usage guidelines
This command applies to the following clients:
· Clients that use 802.1X authentication.
This command enables the device to ignore the 802.1X authentication failures and allow clients that have failed 802.1X authentication to come online.
· Clients that use both RADIUS-based MAC authentication and portal authentication.
Typically, a client must pass MAC authentication and portal authentication in turn to access network resources. The client provides username and password each time portal authentication is performed.
This command simplifies the authentication process for a client as follows:
¡ If the RADIUS server already records the client's MAC authentication information, the client passes MAC authentication. The device allows the client to access network resources without performing portal authentication.
¡ If the RADIUS server does not record the client's MAC authentication information, the client fails MAC authentication. The device ignores the MAC authentication failure and performs portal authentication for the client. If the client passes portal authentication, it can access network resources. The MAC address of the portal authenticated client will be recorded as MAC authentication information on the RADIUS server.
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
For 802.1X clients that use RSN to roam to a new AP, do not use this command.
Examples
# Configure the device to ignore 802.1X or MAC authentication failures in service template service1.
<Sysname> system-view
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] client-security ignore-authentication
client-security ignore-authorization
Use client-security ignore-authorization to configure the device to ignore the authorization information received from the authentication server (a RADIUS server or the local device).
Use undo client-security ignore-authorization to restore the default.
Syntax
client-security ignore-authorization
undo client-security ignore-authorization
Default
The device uses the authorization information from the server.
Views
Service template view
Predefined user roles
network-admin
Usage guidelines
After a client passes RADIUS or local authentication, the server performs authorization based on the authorization attributes configured for the user account. For example, the server can assign a VLAN. If you do not want the device to use these authorization attributes for clients, configure this command to ignore the authorization information from the server.
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
Examples
# Configure the device to ignore the authorization information from the authentication server for service template service1.
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] client-security ignore-authorization
client-security intrusion-protection action
Use client-security intrusion-protection action to configure the intrusion protection action that the device takes when intrusion protection detects illegal frames.
Use undo client-security intrusion-protection action to restore the default.
Syntax
client-security intrusion-protection action { service-stop | temporary-block | temporary-service-stop }
undo client-security intrusion-protection action
Default
The intrusion protection action is temporary-block.
Views
Service template view
Predefined user roles
network-admin
Parameters
service-stop: Stops the BSS where an illegal frame is received until the BSS is enabled manually on the radio interface.
temporary-block: Adds the source MAC address of an illegal frame to the blocked MAC address list for a period. To set the period, use the client-security intrusion-protection timer temporary-block command.
temporary-service-stop: Stops the BSS where an illegal frame is received for a period. To set the period, use the client-security intrusion-protection timer temporary-service-stop command.
Usage guidelines
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
For this command to take effect, you must also use the client-security intrusion-protection enable command to enable the intrusion protection feature.
Examples
# Configure the device to stop the BSS where intrusion protection detects illegal frames for service template service1.
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] client-security intrusion-protection enable
[Sysname-wlan-st-service1] client-security intrusion-protection action service-stop
Related commands
client-security intrusion-protection enable
client-security intrusion-protection timer temporary-block
client-security intrusion-protection timer temporary-service-stop
client-security intrusion-protection enable
Use client-security intrusion-protection enable to enable the intrusion protection feature.
Use undo client-security intrusion-protection enable to disable the intrusion protection feature.
Syntax
client-security intrusion-protection enable
undo client-security intrusion-protection enable
Default
The intrusion protection feature is disabled.
Views
Service template view
Predefined user roles
network-admin
Usage guidelines
When the device receives an association request from an illegal client, the device takes the predefined protection action on the BSS where the request is received. A client is illegal if its MAC address fails WLAN authentication. To set the protection action, use the client-security intrusion-protection action command.
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
Examples
# Enable the intrusion protection feature for service template service1.
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] client-security intrusion-protection enable
Related commands
client-security intrusion-protection action
client-security intrusion-protection timer temporary-block
Use client-security intrusion-protection timer temporary-block to set the period during which a MAC address is blocked by intrusion protection.
Use undo client-security intrusion-protection timer temporary-block to restore the default.
Syntax
client-security intrusion-protection timer temporary-block time
undo client-security intrusion-protection timer temporary-block
Default
An illegal MAC address is blocked for 180 seconds.
Views
Service template view
Predefined user roles
network-admin
Parameters
time: Specifies the period during which a MAC address is blocked. The value range is 60 to 300 seconds.
Usage guidelines
This command takes effect only when the intrusion protection action is temporary-block.
If you change the blocking period after the service template is enabled, the new setting takes effect on the subsequent detected illegal packets.
Examples
# Configure service template service1 to block illegal MAC addresses for 120 seconds.
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] client-security intrusion-protection enable
[Sysname-wlan-st-service1] client-security intrusion-protection action temporary-block
[Sysname-wlan-st-service1] client-security intrusion-protection timer temporary-block 120
Related commands
client-security intrusion-protection action
client-security intrusion-protection enable
client-security intrusion-protection timer temporary-service-stop
Use client-security intrusion-protection timer temporary-service-stop to set the BSS silence period for intrusion protection.
Use undo client-security intrusion-protection timer temporary-service-stop to restore the default.
Syntax
client-security intrusion-protection timer temporary-service-stop time
undo client-security intrusion-protection timer temporary-service-stop
Default
The BSS silence period for intrusion protection is 20 seconds.
Views
Service template view
Predefined user roles
network-admin
Parameters
time: Specifies the period during which a BSS is disabled. The value range is 10 to 300 seconds.
Usage guidelines
This command takes effect only when the intrusion protection action is temporary-service-stop.
If you change the BSS silence period after the service template is enabled, the new setting takes effect on the subsequent detected illegal packets.
Examples
# Set the BSS silence period to 30 seconds for intrusion protection in service template service1.
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] client-security intrusion-protection enable
[Sysname-wlan-st-service1] client-security intrusion-protection action temporary-service-stop
[Sysname-wlan-st-service1] client-security intrusion-protection timer temporary-service-stop 30
Related commands
client-security intrusion-protection action
client-security intrusion-protection enable
display wlan client-security block-mac
Use display wlan client-security block-mac to display blocked MAC address information for WLAN clients.
Syntax
display wlan client-security block-mac [ ap ap-name [ radio radio-id ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
ap ap-name: Specifies an AP by its name, a case-insensitive string of 1 to 64 characters. The string can contain letters, digits, underscores (_), left brackets ([), right brackets (]), forward slashes (/), and minus signs (-). If you do not specify this option, the command displays information about all blocked MAC addresses.
radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by AP model. If you do not specify this option, the command displays blocked MAC address information for all radios on the specified AP.
Usage guidelines
A MAC address that fails authentication is added to the blocked MAC address list when the intrusion protection action is temporary-block.
Examples
# Display information about all blocked MAC addresses.
<Sysname> display wlan client-security block-mac
MAC address AP ID RADIO ID BSSID
0002-0002-0002 1 1 00ab-0de1-0001
000d-88f8-0577 1 1 0ef1-0001-02c1
Total entries: 2
Table 1 Command output
|
Field |
Description |
|
MAC address |
Blocked MAC address, in the format of H-H-H. |
|
AP ID |
AP ID of the blocked MAC address. |
|
RADIO ID |
Radio ID of the blocked MAC address. |
|
BSSID |
BSS ID of the blocked MAC address, in the format of H-H-H. |
|
Number of blocked MAC addresses. |
Related commands:
client-security intrusion-protection action
client-security intrusion-protection timer temporary-block
dot1x domain
Use dot1x domain to specify an authentication domain for 802.1X clients in a service template.
Use undo dot1x domain to restore the default.
Syntax
dot1x domain domain-name
Default
No authentication domain is specified for 802.1X clients in a service template.
Views
Service template view
Predefined user roles
network-admin
Parameters
domain-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters.
Usage guidelines
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
802.1X chooses an authentication domain for WLAN clients in the following order:
1. Authentication domain specified in the service template.
2. Domain specified by username.
3. Default authentication domain.
Examples
# Specify ISP domain my-domain as the authentication domain for 802.1X clients in service template service1.
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] dot1x domain my-domain
dot1x eap
Use dot1x eap to specify the EAP mode for 802.1X authentication.
Use undo dot1x eap to restore the default.
Syntax
dot1x eap { extended | standard }
undo dot1x eap
Default
The EAP mode is standard for 802.1X authentication.
Views
Service template view
Predefined user roles
network-admin
Parameters
extended: Specifies the extended EAP mode. This mode requires the device to interact with clients according to the provisions and packet format defined by the proprietary EAP protocol.
standard: Specifies the standard EAP mode. This mode requires the device to interact with clients according to the provisions and packet format defined by the standard EAP protocol.
Usage guidelines
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
When you configure this command, specify the extended keyword for iNode clients and the standard keyword for other clients.
This command is required only when an IMC server is used as the RADIUS server.
Examples
# Set the EAP mode to extended for service template 1.
<Sysname> system-view
[Sysname] wlan service-template 1
[Sysname-wlan-st-1] dot1x eap extended
dot1x handshake enable
Use dot1x handshake enable to enable the 802.1X online user handshake feature.
Use undo dot1x handshake enable to disable the 802.1X online user handshake feature.
Syntax
Default
The 802.1X online user handshake feature is disabled.
Views
Service template view
Predefined user roles
network-admin
Usage guidelines
The online user handshake feature checks the connection status of online 802.1X clients by periodically sending handshake messages to the clients. The device sets a client to the offline state if it does not receive responses from the client after making the maximum handshake attempts within the handshake timer. To set the handshake timer, use the dot1x timer handshake-period command. To set the maximum handshake attempts, use the dot1x retry command.
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
Examples
# Enable the online user handshake feature for 802.1X clients in service template service1.
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] dot1x handshake enable
Related commands
dot1x handshake secure enable
dot1x retry (Security Command Reference)
dot1x timer handshake-period (Security Command Reference)
dot1x handshake secure enable
Use dot1x handshake secure enable to enable the 802.1X online user handshake security feature.
Use undo dot1x handshake secure enable to disable the 802.1X online user handshake security feature.
Syntax
undo dot1x handshake secure enable
Default
The 802.1X online user handshake security feature is disabled.
Views
Service template view
Predefined user roles
network-admin
Usage guidelines
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
For the 802.1X online user handshake security feature to take effect, you must enable the 802.1X online user handshake feature.
The online user handshake security feature protects only authenticated online 802.1X clients.
Examples
# Enable the 802.1X online user handshake security feature in service template service1.
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] dot1x handshake enable
[Sysname-wlan-st-service1] dot1x handshake secure enable
Related commands
dot1x max-user
Use dot1x max-user to set the maximum number of concurrent 802.1X clients in a service template.
Use undo dot1x max-user to restore the default.
Syntax
dot1x max-user count
Default
A maximum of 4096 concurrent 802.1X clients are allowed in a service template.
Views
Service template view
Predefined user roles
network-admin
Parameters
count: Specifies the maximum number of concurrent 802.1X clients. The value range is 1 to 4096.
Usage guidelines
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
When the maximum number is reached, the service template denies subsequent 802.1X clients.
Examples
# Set the maximum number of concurrent 802.1X clients to 32 in service template service1.
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] dot1x max-user 500
dot1x re-authenticate enable
Use dot1x re-authenticate enable to enable the 802.1X periodic online user reauthentication feature.
Use undo dot1x re-authenticate enable to disable the 802.1X periodic online user reauthentication feature.
Syntax
undo dot1x re-authenticate enable
Default
The 802.1X periodic online user reauthentication feature is disabled.
Views
Service template view
Predefined user roles
network-admin
Usage guidelines
Periodic reauthentication enables the device to periodically authenticate online 802.1X clients in a service template. This feature checks the connection status of online clients and updates the authorization attributes assigned by the server, such as the ACL, VLAN, and user profile.
You can use the dot1x timer reauth-period command to configure the interval for reauthentication.
The server-assigned session timeout timer (Session-Timeout attribute) and termination action (Termination-Action attribute) can affect the periodic online user reauthentication feature. To display the server-assigned Session-Timeout and Termination-Action attributes, use the display dot1x connection command (see Security Command Reference).
· If the termination action is Default (logoff), periodic online user reauthentication on the template takes effect only when the periodic reauthentication timer is shorter than the session timeout timer.
· If the termination action is Radius-request, the periodic online user reauthentication configuration on the template does not take effect. The device reauthenticates the online 802.1X clients after the session timeout timer expires.
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
Examples
# Enable the 802.1X periodic online user reauthentication feature in service template service1.
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] dot1x re-authenticate enable
Related commands
dot1x timer (Security Command Reference)
mac-authentication domain
Use mac-authentication domain to specify an authentication domain for MAC authentication clients in a service template.
Use undo mac-authentication domain to restore the default.
Syntax
mac-authentication domain domain-name
undo mac-authentication domain
Default
No authentication domain is specified for MAC authentication clients in a service template.
Views
Service template view
Predefined user roles
network-admin
Parameters
domain-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters.
Usage guidelines
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
MAC authentication chooses an authentication domain for WLAN clients in the following order:
1. Authentication domain specified in the service template.
2. Global authentication domain specified in system view.
3. Default authentication domain.
Examples
# Specify ISP domain my-domain as the authentication domain for MAC authentication clients in service template service1.
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] mac-authentication domain my-domain
mac-authentication fast-connect enable
Use mac-authentication fast-connect enable to enable fast-connect for MAC authenticated intra-AC roaming clients.
Use undo mac-authentication fast-connect enable to disable fast-connect for MAC authenticated intra-AC roaming clients.
Syntax
mac-authentication fast-connect enable
undo mac-authentication fast-connect enable
Default
Fast-connect is disabled for MAC authenticated intra-AC roaming clients.
Views
Service template view
Predefined user roles
network-admin
Usage guidelines
This command allows a MAC authentication roaming client that has been authenticated once on the AC to come online from any APs attached to the AC without re-authentication.
This feature applies only to MAC authentication wireless clients whose authentication location and association location are both on the AC.
This feature affects the displayed roaming state of inter-AC roaming clients that use MAC authentication and requires special configuration for them.
· If a client has roamed between ACs, its roaming state is N/A in the output from the display wlan client verbose command.
· If the inter-AC roaming clients belong to different VLANs, you must make sure the upstream ports of all the ACs in the same roaming group permit traffic from these VLANs to pass through.
Examples
# Enable fast-connect for MAC authenticated intra-AC roaming clients in service template service1.
<Sysname> system-view
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] mac-authentication fast-connect enable
Related commands
client-security authentication-mode
mac-authentication max-user
Use mac-authentication max-user to set the maximum number of concurrent MAC authentication clients in a service template.
Use undo mac-authentication max-user to restore the default.
Syntax
mac-authentication max-user count
undo mac-authentication max-user
Default
A maximum of 512 concurrent MAC authentication clients are allowed in a service template.
Views
Service template view
Predefined user roles
network-admin
Parameters
count: Sets the maximum number of concurrent MAC authentication clients. The value range for this argument is 1 to 512.
Usage guidelines
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
When the maximum number is reached, the service template denies subsequent MAC authentication clients.
Examples
# Configure service template service1 to support a maximum of 32 concurrent MAC authentication clients.
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] mac-authentication max-user 32
wlan authentication optimization
Use wlan authentication optimization to configure a modifier to adjust the authentication success ratio and abnormal offline ratio for 802.1X authentication, MAC authentication, and Layer 2 portal authentication.
Use undo wlan authentication optimization to restore the default.
Syntax
wlan authentication optimization value
undo wlan authentication optimization
Default
The modifier is 0. The device does not adjust the authentication success ratio and abnormal offline ratio for 802.1X authentication, MAC authentication, and Layer 2 portal authentication.
Views
System view
Predefined user roles
network-admin
Parameters
value: Sets the modifier, in the range of 900 to 1000. The lower the value, the lower the authentication success ratio, and the higher the abnormal offline ratio.
Usage guidelines
The authentication success ratio is the ratio of the number of authentication success times to the total number of authentication times. The abnormal offline ratio is calculated by using the following formula: abnormal offline ratio = number of times that clients go offline abnormally ÷ (number of authentication success times + number of current online users).
WLAN authentication statistics optimization uses a modifier to adjust the authentication success ratio and abnormal offline ratio of 802.1X authentication, MAC authentication, and Layer 2 portal authentication.
The modifier takes effect only on RADIUS-based 802.1X authentication, MAC authentication, and Layer 2 portal authentication.
Examples
# Set the modifier to 950 to adjust the authentication success ratio and abnormal offline ratio of 802.1X authentication, MAC authentication, and Layer 2 portal authentication.
<Sysname> system-view
[Sysname] wlan authentication optimization 950
wlan client-security authentication clear-previous-connection
Use wlan client-security authentication clear-previous-connection to enable the clear-previous-connection feature for WLAN authentication.
Use undo wlan client-security authentication clear-previous-connection to disable the clear-previous-connection feature for WLAN authentication.
Syntax
wlan client-security authentication clear-previous-connection
undo wlan client-security authentication clear-previous-connection
Default
The clear-previous-connection feature is disabled for WLAN authentication.
Views
System view
Predefined user roles
network-admin
Usage guidelines
|
|
IMPORTANT: When this feature is enabled, the 802.1X reauthentication, WLAN Auth-Fail VLAN, and WLAN critical VLAN features cannot take effect. |
Some RADIUS servers reject to authenticate a client if they have an online user entry for that client. If they fail to remove the online user entry for a client that has gone offline incorrectly, that client will be unable to get authenticated and come online again.
To resolve this issue, use the clear-previous-connection feature.
With this feature, the device checks the local online user entries before it sends an authentication request to the RADIUS server for an 802.1X or MAC authentication client. If an entry is found, the device removes the entry and sends a stop-accounting request to the RADIUS server. Upon receipt of the stop-accounting request, the RADIUS server removes the online user entry. Then, the client can be authenticated correctly.
Examples
# Enable the clear-previous-connection feature.
<Sysname> system-view
[Sysname] wlan client-security authentication clear-previous-connection
