Login
- Table of Contents
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 05-MAC authentication commands | 324.50 KB |
Contents
display mac-authentication connection
display mac-authentication mac-address
display mac-authentication user-recovery-profile
mac-authentication access-user log enable
mac-authentication authentication-method
mac-authentication auto-recover-user
mac-authentication carry user-ip
mac-authentication critical vlan
mac-authentication guest-vlan auth-period
mac-authentication guest-vlan re-authenticate
mac-authentication mac-range-account
mac-authentication offline-detect enable
mac-authentication offline-detect mac-address
mac-authentication parallel-with-dot1x
mac-authentication re-authenticate
mac-authentication re-authenticate server-unreachable keep-online
mac-authentication recover-user
mac-authentication server-recovery online-user-sync
mac-authentication timer (interface view)
mac-authentication timer (system view)
mac-authentication unauthenticated-user aging enable
mac-authentication user-name-format
mac-authentication user-recovery-profile
reset mac-authentication access-user
reset mac-authentication critical vlan
reset mac-authentication guest-vlan
reset mac-authentication statistics
MAC authentication commands
display mac-authentication
Use display mac-authentication to display MAC authentication settings and statistics.
Syntax
display mac-authentication [ ap ap-name [ radio radio-id ] | interface interface-type interface-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
ap ap-name: Specifies an AP by its name, a case-sensitive string of 1 to 64 characters. The string can contain letters, digits, underscores (_), left brackets ([), right brackets (]), forward slashes (/), and hyphens (-).
radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by device model. If you do not specify a radio, this command displays MAC authentication information for all radios on the specified AP.
interface interface-type interface-number: Specifies a port by its type and number. If the specified port is not enabled with MAC authentication, this command displays only global MAC authentication information.
Usage guidelines
If you do not specify any parameters, this command displays all MAC authentication information including the global settings, port-specific settings, MAC authentication statistics, and online user statistics.
Examples
# Display all MAC authentication settings and statistics.
<Sysname> display mac-authentication
Global MAC authentication parameters:
MAC authentication : Enabled
Authentication method : PAP
M-LAG member configuration conflict : Unknown
Username format : MAC address in lowercase(xx-xx-xx-xx-xx-xx)
Username : mac
Password : Not configured
Offline detect period : 300 s
Quiet period : 60 s
Server timeout : 100 s
Reauth period : 3600 s
User aging period for critical VLAN : 1000 s
User aging period for guest VLAN : 1000 s
Authentication domain : Not configured, use default domain
Online MAC-auth wired users : 1
Silent MAC users:
MAC address VLAN ID From port Port index
0001-0000-0001 100 GE1/0/2 21
GigabitEthernet1/0/1 is link-up
MAC authentication : Enabled
Carry User-IP : Disabled
Authentication domain : Not configured
Auth-delay timer : Enabled
Auth-delay period : 60 s
Periodic reauth : Enabled
Reauth period : 120 s
Re-auth server-unreachable : Logoff
Guest VLAN : 100
Guest VLAN reauthentication : Enabled
Guest VLAN auth-period : 150 s
Critical VLAN : Not configured
Critical voice VLAN : Disabled
Host mode : Multiple VLAN
Offline detection : Enabled
Authentication order : Parallel
User aging : Enabled
Server-recovery online-user-sync : Enabled
VLAN tag configuration ignoring : Disabled
Max online users : 4294967295
Authentication attempts : successful 2, failed 3
Current online users : 1
MAC address Auth state
0001-0000-0000 Authenticated
0001-0000-0001 Unauthenticated
AP name: AP1 Radio ID: 1 SSID: wlan_maca_ssid
BSSID : 1111-1111-1111
MAC authentication : Enabled
Authentication domain : Not configured
Max online users : 256
Authentication attempts : successful 1, failed 0
Current online users : 2
MAC address Auth state
0001-0000-0002 Authenticated
0001-0000-0003 Unauthenticated
Table 1 Command output
|
Field |
Description |
|
MAC authentication |
Whether MAC authentication is enabled globally. Support for MAC authentication depends on the device model. The MAC authentication configuration does not take effect on some device models. |
|
M-LAG member configuration conflict |
This field is not supported in the current software version. M-LAG member configuration check result: · Conflicted—The configuration on one M-LAG member device conflicts with that on the other M-LAG member device. · Not conflicted—The configuration on one M-LAG member device does not conflict with that on the other M-LAG member device. · Unknown—The system cannot detect whether the configuration on one M-LAG member device conflicts with that on the other M-LAG member device. |
|
Authentication method |
Authentication method for MAC authentication, which is PAP. |
|
Username format |
User account type: MAC-based or shared. · If MAC-based accounts are used, this field displays the format settings for the username. For example, MAC address in lowercase(xx-xx-xx-xx-xx-xx) indicates that the MAC address is in hexadecimal notation and is separated into six sections by hyphen (-). The letters in the MAC address are in lower case. · If a shared account is used, this field displays Fixed account. |
|
Username |
Username for MAC authentication. · If MAC-based accounts are used, this field displays mac. · If a shared account is used, this field displays the username of the shared account for MAC authentication users. By default, the username is mac. |
|
Password |
Password for MAC authentication. · If the MAC address of each user is used as the password or if a shared account is used but no password is configured, this field displays Not configured. · If a password is configured, this field displays a string of asterisks (******). |
|
Offline detect period |
Offline detect timer. |
|
Quiet period |
Quiet timer. |
|
Server timeout |
Server timeout timer. |
|
Reauth period |
Periodic MAC reauthentication timer in seconds. |
|
User aging period for critical VLAN |
Aging timer in seconds for users in critical VLANs. |
|
User aging period for guest VLAN |
Aging timer in seconds for users in guest VLANs. |
|
Authentication domain |
MAC authentication domain specified in system view. If no authentication domain is specified in system view, this field displays Not configured, use default domain. |
|
Online MAC-auth wired users |
Number of wired online MAC authentication users, including users that have passed MAC authentication and users that are performing MAC authentication. |
|
Online MAC-auth wireless users |
Number of wireless online MAC authentication users, including users that have passed MAC authentication and users that are performing MAC authentication. |
|
Silent MAC users |
Information about silent MAC addresses, including MAC addresses that have failed MAC authentication and MAC addresses that have been assigned the blackhole MAC attribute from the RADIUS server. |
|
MAC address |
Silent MAC address. |
|
VLAN ID |
ID of the VLAN to which the silent MAC address belongs. |
|
From port |
Name of the port that marks the MAC address as a silent MAC address. |
|
Port index |
Index of the port that marks the MAC address as a silent MAC address. |
|
GigabitEthernet1/0/1 is link-up |
Status of the link on GigabitEthernet 1/0/1. In this example, the link is up. |
|
MAC authentication |
Status of MAC authentication on the port: · Enabled. Enabled (but NOT effective). This value is displayed if MAC authentication is enabled, but the device does not have available ACL resources. · Disabled. |
|
Carry User-IP |
Whether user IP addresses are included in MAC authentication requests. |
|
Authentication domain |
MAC authentication domain specified for the port. |
|
Auth-delay timer |
Whether MAC authentication delay is enabled on the port. |
|
Auth-delay period |
MAC authentication delay timer. |
|
Periodic reauth |
Whether periodic MAC reauthentication is enabled on the port. |
|
Reauth period |
Periodic MAC reauthentication timer on the port. |
|
Re-auth server-unreachable |
Action taken when no server is reachable for MAC reauthentication: · Logoff—Logs off online MAC authentication users. · Online—Keeps MAC authenticated users online. |
|
Guest VLAN |
MAC authentication guest VLAN configured on the port. If no MAC authentication guest VLAN is configured, this field displays Not configured. |
|
Guest VLAN reauthentication |
Status of guest VLAN reauthentication in MAC authentication, which can be Enabled or Disabled. |
|
Guest VLAN auth-period |
Authentication interval for users in the guest VLAN for MAC authentication on the port. |
|
Critical VLAN |
MAC authentication critical VLAN configured on the port. If no MAC authentication critical VLAN is configured, this field displays Not configured. |
|
Host mode |
· If multi-VLAN mode is disabled, this field displays Single VLAN. · If multi-VLAN mode is enabled, this field displays Multiple VLAN. |
|
Offline detection |
Status of MAC authentication offline detection: · Enabled. · Disabled. |
|
Authentication order |
If parallel MAC authentication and 802.1X authentication is disabled, this field displays Default. If parallel MAC authentication and 802.1X authentication is enabled, this field displays Parallel. |
|
User aging |
Status of the aging feature for unauthenticated MAC authentication users on a port: · Enabled. · Disabled. |
|
Server-recovery online-user-sync |
Status of online user synchronization for MAC authentication on the port: · Enabled. · Disabled. |
|
Auto-tag feature |
Status of the authorization VLAN auto-tag feature: · Enabled. · Disabled. |
|
VLAN tag configuration ignoring |
Status of the ignore-config mode: · Enabled. · Disabled. |
|
Max online users |
Maximum number of concurrent online users allowed on the port. |
|
Authentication attempts: successful 1, failed 0 |
MAC authentication statistics, including the number of successful and unsuccessful authentication attempts. |
|
MAC address |
MAC address of the online user. |
|
Auth state |
User status: · Authenticated—The user has passed MAC authentication. · Unauthenticated—The user has not passed MAC authentication. |
|
AP name |
Name of the AP with which users are associated. |
|
Radio ID |
ID of the radio with which users are associated. |
|
SSID |
SSID with which users are associated. |
|
BSSID |
ID of the BSS with which users are associated. |
display mac-authentication connection
Use display mac-authentication connection to display information about online MAC authentication users.
Syntax
display mac-authentication connection [ open ] [ ap ap-name [ radio radio-id ] | interface interface-type interface-number | user-mac mac-address | user-name user-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
open: Displays information only about MAC authentication users that use nonexistent usernames or incorrect passwords for network access in open authentication mode. If you do not specify this keyword, the command displays information about all online MAC authentication users.
ap ap-name: Specifies an AP by its name, a case-sensitive string of 1 to 64 characters. The string can contain letters, digits, underscores (_), left brackets ([), right brackets (]), forward slashes (/), and hyphens (-). If you do not specify an AP, this command displays information about online MAC authentication users for all APs.
radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by device model. If you do not specify a radio, this command displays information about online MAC authentication users for all radios on the specified AP.
interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command displays information about online MAC authentication users for all ports.
user-mac mac-address: Specifies an online MAC authentication user by its MAC address. The mac-address argument represents the MAC address of the user, in the form of H-H-H. If you do not specify an online MAC authentication user, this command displays all online MAC authentication user information.
user-name user-name: Specifies an online MAC authentication user by its username. The user name is a case-sensitive string of 1 to 55 characters, and it can include the domain name. If you do not specify an online MAC authentication user, this command displays all online MAC authentication user information.
Examples
# Display information about all online MAC authentication users.
<Sysname> display mac-authentication connection
Total connections: 2
User MAC address: 0015-e9a6-7cfe
Access interface: GigabitEthernet1/0/1
Username: ias
User access state: Successful
Authentication domain: macusers
IPv4 address: 192.168.1.1
IPv6 address: 2000:0:0:0:1:2345:6789:abcd
Initial VLAN: 1
Authorization untagged VLAN: 100
Authorization tagged VLAN: N/A
Authorization ACL number/name: 3001
Authorization user profile: N/A
Authorization CAR:
Average input rate: 102400 bps
Peak input rate: 204800 bps
Average output rate: 102400 bps
Peak output rate: 204800 bps
Authorization URL: N/A
Termination action: Radius-request
Session timeout period: 2 sec
Offline detection: 100 sec (server-assigned)
Online from: 2020/01/02 13:14:15
Online duration: 0h 2m 15s
User MAC address : 0015-e9a6-7cfe
AP name : ap1
Radio ID : 1
SSID : wlan_dot1x_ssid
BSSID : 0015-e9a6-7cf0
User name : ias
Authentication domain : 1
Initial VLAN : 1
Authorization untagged VLAN : 100
Authorization ACL number : 3001
Authorization user profile : N/A
Authorization CAR : N/A
Authorization URL : N/A
Authroization IPv6 URL : N/A
Termination action : Radius-request
Session timeout period : 2 sec
Online from : 2020/02/02 13:14:15
Online duration : 0h 2m 15s
Table 2 Command output
|
Field |
Description |
|
Total connections |
Total number of online MAC authentication users. |
|
User MAC address |
MAC address of the user. |
|
Access interface |
Interface through which the user accesses the device. |
|
AP name |
Name of the AP with which the user is associated. |
|
Radio ID |
ID of the radio with which the user is associated. |
|
SSID |
SSID with which the user is associated. |
|
BSSID |
ID of the BSS with which the user is associated. |
|
User access state |
Access state of the user: · Successful—The user passes MAC authentication and comes online. · Open—The user uses a nonexistent username or an incorrect password to come online in open authentication mode. |
|
Authentication domain |
MAC authentication domain to which the user belongs. |
|
IPv4 address |
IPv4 address of the user. If no user IPv4 address is available, this field is not displayed. |
|
IPv6 address |
IPv6 address of the user. If no user IPv6 address is available, this field is not displayed. |
|
Initial VLAN |
VLAN that holds the user before MAC authentication. |
|
Authorization untagged VLAN |
Untagged VLAN authorized to the user. |
|
Authorization tagged VLAN |
Tagged VLAN authorized to the user. |
|
Authorization ACL number/name |
Number or name of the ACL authorized to the user. If no authorization ACL has been assigned, this field displays N/A. If the ACL authorization fails, this field displays (Not effective) next to the ACL. |
|
Authorization user profile |
User profile authorized to the user. |
|
Authorization CAR |
Authorization CAR attributes assigned by the server. · Average input rate—Average rate of inbound traffic in bps. · Peak input rate—Peak rate of inbound traffic in bps. · Average output rate—Average rate of outbound traffic in bps. · Peak output rate—Peak rate of outbound traffic in bps. If the device fails to assign the CAR attributes to the user, the Authorization CAR field displays (NOT effective). If the server does not assign the peak rates, the peak rates by default are the same as the assigned average rates. In the current software version, the device does not support exclusive assignment of peak rates from the server. If no authorization CAR attributes are assigned, this field displays N/A. |
|
Authorization URL |
Redirect URL authorized to the user. |
|
Authorization IPv6 URL |
Redirect IPv6 URL authorized to the user. |
|
Termination action |
Action attribute assigned by the server to terminate the user session: · Default—Logs off the online authenticated user when the server-assigned session timeout timer expires. This attribute does not take effect when periodic MAC reauthentication is enabled and the periodic reauthentication timer is shorter than the server-assigned session timeout timer. · Radius-request—Reauthenticates the online user when the server-assigned session timeout timer expires, regardless of whether the periodic MAC reauthentication feature is enabled or not. If the device performs local authentication, this field displays N/A. |
|
Session timeout period |
Session timeout timer assigned by the server. |
|
Offline detection |
Offline detection setting for the user: · Ignore (command-configured)—The device does not perform offline detection for the user. The setting is configured from the CLI. · timer (command-configured)—Represents the offline detect timer. The timer is configured from the CLI, · Ignore (server-assigned)—The device does not perform offline detection for the user. The setting is assigned by a RADIUS server. · timer (server-assigned)—Represents the offline detect timer. The timer is assigned by a RADIUS server. |
|
Online from |
Time from which the MAC authentication user came online. |
|
Online duration |
Online duration of the MAC authentication user. |
display mac-authentication mac-address
Use display mac-authentication mac-address to display the MAC addresses of MAC authentication users in a type of access-limited VLAN for MAC authentication.
Syntax
display mac-authentication mac-address { critical-vlan | guest-vlan } [ interface interface-type interface-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
critical-vlan: Specifies critical VLANs for MAC authentication.
guest-vlan: Specifies guest VLANs for MAC authentication.
interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command displays the MAC addresses of MAC authentication users in the specified type of microsegment, VLAN, or VSI on all ports.
Usage guidelines
The displayed MAC addresses and MAC address count might not include all MAC addresses if a large number of MAC authentication users are performing authentication frequently.
Examples
# Display the MAC addresses of MAC authentication users in the guest VLANs for MAC authentication on all ports.
<Sysname> display mac-authentication mac-address guest-vlan
Total MAC addresses: 10
Interface: GigabitEthernet1/0/1 Guest VLAN: 3 Aging time: N/A
MAC addresses: 8
0800-2700-9427 0800-2700-2341 0800-2700-2324 0800-2700-2351
0800-2700-5627 0800-2700-2251 0800-2700-8624 0800-2700-3f51
Interface: GigabitEthernet1/0/2 Guest VLAN: 5 Aging time: 30 sec
MAC addresses: 2
0801-2700-9427 0801-2700-2341
Table 3 Command output
|
Field |
Description |
|
Total MAC addresses |
Total number of MAC addresses in the specified type of microsegment, VLAN, or VSI on the specified port or all ports. |
|
Interface |
Access port of MAC authentication users. |
|
Type VLAN |
Segment that contains the MAC authentication users. The Type argument has the following values: · Critical VLAN. · Guest VLAN. |
|
Aging time |
MAC address aging time in seconds. This field displays N/A if the MAC addresses do not age out. |
|
MAC addresses |
Number of matching MAC addresses on a port. |
|
xxxx-xxxx-xxxx |
MAC address. |
Related commands
mac-authentication critical vlan
mac-authentication guest-vlan
display mac-authentication user-recovery-profile
Use display mac-authentication user-recovery-profile to display MAC authentication user recovery profiles.
Syntax
display mac-authentication user-recovery-profile [ profile-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
profile-name: Specifies a MAC authentication user recovery profile by its name, a case-insensitive string of 1 to 31 characters. If you do not specify a profile, this command displays all authentication user recovery profiles.
Examples
# Display all MAC authentication user recovery profiles.
<Sysname> display mac-authentication user-recovery-profile
User-recovery profile: profile1
Server IP : 3.3.3.3
Port : 8080
VPN : Not configured
Login name : user1
NAS IP address: 10.1.1.1
URI : dumbtermina/list
User-recovery profile: profile2
Server IP : 1.1.1.2
Port : 80
VPN : Not configured
Login name : user1
NAS IP address: 1:2::3:4
URI : dumbtermina/list
Table 4 Command output
|
Field |
Description |
|
User-recovery profile |
MAC authentication user recovery profile name. |
|
Server IP |
IP address of the RESTful server |
|
Port |
Port number of the RESTful server. |
|
VPN |
This field is not supported in the current software version. VPN instance to which the RESTful server belongs. |
|
Login name |
Username for accessing the RESTful server. |
|
NAS IP address |
NAS IP address used by the device to communicate with the RESTful server. |
|
URI |
URI used by the RESTful server to provide MAC authentication user information. |
Related commands
mac-authentication user-recovery-profile
server-address
login-name
nas-ip
uri
login-name
Use login-name to configure the username and password for accessing the RESTful server in a MAC authentication user recovery profile.
Use undo login-name to restore the default.
Syntax
login-name username [ password { cipher | simple } string ]
undo login-name
Default
No username or password is configured for accessing the RESTful server in a MAC authentication user recovery profile.
Views
MAC authentication user recovery profile view
Predefined user roles
network-admin
Parameters
username: Specifies the username, a case-sensitive string of 1 to 55 characters.
password: Specifies the password. If no password is required for accessing the RESTful server, do not specify this keyword.
cipher: Specifies the password in encrypted form.
simple: Specifies the password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.
string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 63 characters, and its encrypted form is a case-sensitive string of 1 to 117 characters.
Usage guidelines
Make sure the username and password settings are the same as the settings on the RESTful server.
Examples
# In MAC authentication user recovery profile profile1, configure the username and password for accessing the RESTful server as abc and plaintext string 123, respectively.
<Sysname> system-view
[Sysname] mac-authentication user-recovery-profile profile1
[Sysname-user-recovery-profile-profile1] login-name abc password simple 123
Related commands
display mac-authentication user-recovery-profile
mac-authentication
Use mac-authentication to enable MAC authentication globally or on a port.
Use undo mac-authentication to disable MAC authentication globally or on a port.
Syntax
mac-authentication
undo mac-authentication
Default
MAC authentication is disabled globally or on any port.
Views
System view
Layer 2 Ethernet interface view
Predefined user roles
network-admin
Usage guidelines
To use MAC authentication on a port, you must enable the feature both globally and on the port.
Support for MAC authentication depends on the device model. MAC authentication does not take effect on some device models.
Examples
# Enable MAC authentication globally.
<Sysname> system-view
[Sysname] mac-authentication
# Enable MAC authentication on GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] mac-authentication
Related commands
display mac-authentication
mac-authentication access-user log enable
Use mac-authentication access-user log enable to enable MAC authentication user logging.
Use undo mac-authentication access-user log enable to disable MAC authentication user logging.
Syntax
mac-authentication access-user log enable [ failed-login | logoff | successful-login ] *
undo mac-authentication access-user log enable [ failed-login | logoff | successful-login ] *
Default
MAC authentication user logging is disabled.
Views
System view
Predefined user roles
network-admin
Parameters
failed-login: Logs MAC authentication user login failures.
logoff: Logs MAC authentication user logoffs.
successful-login: Logs successful MAC authentication user logins.
Usage guidelines
To prevent excessive MAC authentication user log entries, use this feature only if you need to analyze abnormal MAC authentication user logins or logouts.
If you do not specify any parameters, this command enables all types of MAC authentication user logs.
Examples
# Enable logging MAC authentication user login failures.
<Sysname> system-view
[Sysname] mac-authentication access-user log enable failed-login
Related commands
info-center source maca logfile deny (System Management Command Reference)
mac-authentication authentication-method
Use mac-authentication authentication-method to specify an authentication method for MAC authentication.
Use undo mac-authentication authentication-method to restore the default.
Syntax
mac-authentication authentication-method pap
undo mac-authentication authentication-method
Default
The device uses PAP for MAC authentication.
Views
System view
Predefined user roles
network-admin
Parameters
pap: Configures the access device to use the Password Authentication Protocol (PAP) to communicate with the RADIUS server.
Usage guidelines
RADIUS-based MAC authentication supports the PAP authentication method. PAP transports usernames and passwords in plain text. The authentication method applies to scenarios that do not require high security.
Examples
# Configure the device to use PAP for MAC authentication.
<Sysname> system-view
[Sysname] mac-authentication authentication-method pap
Related commands
mac-authentication auto-recover-user
Use mac-authentication auto-recover-user to enable automatic MAC authentication user recovery based on a MAC authentication user recovery profile.
Use undo mac-authentication auto-recover-user to disable automatic MAC authentication user recovery based on a profile.
Syntax
mac-authentication auto-recover-user profile profile-name
undo mac-authentication auto-recover-user profile profile-name
Default
Automatic MAC authentication user recovery is disabled.
Views
System view
Predefined user roles
network-admin
Parameters
profile profile-name: Specifies a MAC authentication user recovery profile by its name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
This feature enables the device to automatically obtain MAC authentication user information from a RESTful server and perform a reauthentication after the device or an interface module reboots or after an interface recovers from a failure.
This feature recovers the online state of MAC authenticated users quickly without waiting for packets from the MAC authentication users to trigger a reauthentication. It is helpful when the network has a large number of dumb terminals or the operation of dumb terminals is important for services.
To define the profile used for obtaining MAC authentication user information from a RESTful server, use the mac-authentication user-recovery-profile command.
For this feature to take effect after the device reboots, use the save command to save the configuration to the next-startup configuration file after you configure this feature. For more information about the save command, see configuration file management commands in Fundamentals Command Reference.
The automatic MAC authentication user recovery feature is mutually exclusive with the RADIUS accounting-on feature. Do not use the two features together. For more information about the RADIUS accounting-on feature, see AAA configuration in User Access and Authentication Configuration Guide.
Examples
# Enable automatic MAC authentication user recovery based on profile profile1.
<Sysname> system-view
[Sysname] mac-authentication auto-recover-user profile profile1
Related commands
accounting-on enable
display mac-authentication user-recovery-profile
mac-authentication user-recovery-profile
mac-authentication carry user-ip
Use mac-authentication carry user-ip to include user IP addresses in MAC authentication requests sent to an IMC server.
Use undo mac-authentication carry user-ip to restore the default.
Syntax
mac-authentication carry user-ip [ exclude-ip acl acl-number ]
undo mac-authentication carry user-ip
Default
A MAC authentication request does not include the user IP address.
Views
Layer 2 Ethernet interface view
Predefined user roles
network-admin
Parameters
exclude-ip: Specifies an ACL-based filter to identify source IP addresses that can or cannot trigger MAC authentication.
acl acl-number: Specifies a basic ACL. The value range for the acl-number argument is 2000 to 2999.
Usage guidelines
|
IMPORTANT: This command can only operate in conjunction with an IMC server. |
To avoid IP conflicts that result from changes to static IP addresses, use this command on a port that has MAC authentication users with static IP addresses.
This command adds user IP addresses to the MAC authentication requests sent to the authentication server. When MAC authentication is triggered for a user, the device checks the user's IP address for invalidity.
· If the IP address is valid, the device sends a MAC authentication request with the IP address included.
· If the IP address is not a valid host IP address or the triggering packet does not contain an IP address, the device does not initiate MAC authentication.
· If the packet is a DHCP packet with a source IP address of 0.0.0.0, the device sends a MAC authentication request without including the IP address. In this case, the IMC server does not examine the user IP address when it performs authentication.
Upon receipt of the authentication request that includes a user's IP address, the IMC server compares the user's IP and MAC addresses with its IP-MAC mappings.
· If an exact match is found or if no match is found, the user passes MAC authentication. In the latter case, the server creates an IP-MAC mapping for the user.
· If a mapping is found for the MAC address but the IP addresses do not match, the user fails the MAC authentication.
If the user host is configured with IPv6, the device might receive packets that contain an IPv6 link-local address, which starts with fe80. MAC authentication failure will occur if this address is used in MAC authentication. To avoid MAC authentication failure, configure a basic ACL to exclude the IPv6 IP addresses that start with fe80.
When you configure the ACL, follow these guidelines:
· Use permit rules to identify source IP addresses that are valid for MAC authentication. Use deny rules to identify source IP addresses that cannot trigger MAC authentication.
· In the rules, only the action keyword (permit or deny) and the source IP match criterion can take effect.
· As a best practice, configure a deny rule to exclude the IPv6 IP addresses that start with fe80 from triggering MAC authentication.
· If you configure permit rules, add a deny all rule at the bottom of the ACL.
Examples
# Include user IP addresses in MAC authentication requests on GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] mac-authentication carry user-ip
# Include user IP addresses in MAC authentication requests on GigabitEthernet 1/0/1 and deny users that use IPv6 link-local addresses from performing MAC authentication on the port.
<Sysname> system-view
[Sysname] acl ipv6 basic 2000
[Sysname-acl-ipv6-basic-2000] rule deny source fe80:0::0:0 16
[Sysname-acl-ipv6-basic-2000] quit
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] mac-authentication carry user-ip exclude-ip acl 2000
Related commands
mac-authentication
mac-authentication critical vlan
Use mac-authentication critical vlan to configure a critical VLAN for MAC authentication on a port.
Use undo mac-authentication critical vlan to restore the default.
Syntax
mac-authentication critical vlan critical-vlan-id
undo mac-authentication critical vlan
Default
No critical VLAN exists for MAC authentication on a port.
Views
Layer 2 Ethernet interface view
Predefined user roles
network-admin
Parameters
critical-vlan-id: Specifies a VLAN as the critical VLAN for MAC authentication. The value range for the VLAN ID is 1 to 4094. Make sure the VLAN has been created.
Usage guidelines
The critical VLAN for MAC authentication accommodates users that have failed MAC authentication because all the servers in their ISP domains are unreachable. Users in the critical VLAN can access network resources in the critical VLAN.
The critical VLAN feature takes effect when MAC authentication is performed only through RADIUS servers. If a MAC authentication user fails local authentication after RADIUS authentication, the user is not assigned to the critical VLAN.
Before you delete a VLAN that has been set as a MAC authentication critical VLAN, use the undo mac-authentication critical vlan command to remove the critical VLAN configuration.
Examples
# Configure VLAN 100 as the critical VLAN for MAC authentication on GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] mac-authentication critical vlan 100
Related commands
display mac-authentication
reset mac-authentication critical vlan
mac-authentication domain
Use mac-authentication domain to specify a global or port-specific authentication domain.
Use undo mac-authentication domain to restore the default.
Syntax
mac-authentication domain domain-name
undo mac-authentication domain
Default
The system default authentication domain is used. For more information about the default authentication domain, see the domain default enable command in "AAA commands."
Views
System view
Layer 2 Ethernet interface view
Predefined user roles
network-admin
Parameters
domain-name: Specifies the name of an ISP domain, a case-insensitive string of 1 to 255 characters.
Usage guidelines
The global authentication domain applies to all MAC authentication-enabled ports. An authentication domain specified in Layer 2 Ethernet interface view applies only to the port. You can specify different authentication domains on different ports.
A port chooses an authentication domain for MAC authentication users in the following order:
1. Authentication domain specified on the port.
2. Global authentication domain specified in system view.
3. Default authentication domain.
Examples
# Specify ISP domain domain1 as the global MAC authentication domain.
<Sysname> system-view
[Sysname] mac-authentication domain domain1
# Specify ISP domain aabbcc as the MAC authentication domain on GigabitEthernet 1/0/1.
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] mac-authentication domain aabbcc
Related commands
display mac-authentication
domain default enable
mac-authentication guest-vlan
Use mac-authentication guest-vlan to configure a guest VLAN for MAC authentication on a port.
Use undo mac-authentication guest-vlan to restore the default.
Syntax
mac-authentication guest-vlan guest-vlan-id
undo mac-authentication guest-vlan
Default
No guest VLAN exists for MAC authentication on a port.
Views
Layer 2 Ethernet interface view
Predefined user roles
network-admin
Parameters
guest-vlan-id: Specifies a VLAN as the guest VLAN for MAC authentication. The value range for the VLAN ID is 1 to 4094. Make sure the VLAN has been created.
Usage guidelines
The guest VLAN for MAC authentication accommodates users that have failed MAC authentication for any reason other than server unreachable. For example, the VLAN accommodates users with invalid passwords entered. You can deploy a limited set of network resources in the guest VLAN for MAC authentication. For example, a software server for downloading software and system patches.
Before you delete a VLAN that has been set as a guest VLAN for MAC authentication, use the undo mac-authentication guest-vlan command to remove the guest VLAN configuration.
Examples
# Configure VLAN 100 as the guest VLAN for MAC authentication on GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] mac-authentication guest-vlan 100
Related commands
display mac-authentication
reset mac-authentication guest-vlan
mac-authentication guest-vlan auth-period
Use mac-authentication guest-vlan auth-period to set the interval at which the device authenticates users in the guest VLAN for MAC authentication.
Use undo mac-authentication guest-vlan auth-period to restore the default.
Syntax
mac-authentication guest-vlan auth-period period-value
undo mac-authentication guest-vlan auth-period
Default
The device authenticates users in the guest VLAN for MAC authentication every 30 seconds.
Views
Layer 2 Ethernet interface view
Predefined user roles
network-admin
Parameters
period-value: Sets the authentication interval for users in the guest VLAN for MAC authentication. The value range is 1 to 3600, in seconds.
Examples
# Set the authentication interval to 150 seconds for users in the guest VLAN for MAC authentication on GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] mac-authentication guest-vlan auth-period 150
Related commands
display mac-authentication
mac-authentication guest-vlan
mac-authentication guest-vlan re-authenticate
Use mac-authentication guest-vlan re-authenticate to enable the guest VLAN reauthentication feature of MAC authentication on a port.
Use undo mac-authentication guest-vlan re-authenticate to disable the guest VLAN reauthentication feature of MAC authentication on a port.
Syntax
mac-authentication guest-vlan re-authenticate
undo mac-authentication guest-vlan re-authenticate
Default
The guest VLAN reauthentication feature of MAC authentication is enabled on a port.
Views
Layer 2 Ethernet interface view
Predefined user roles
network-admin
Usage guidelines
The guest VLAN reauthentication feature of MAC authentication enables the device to reauthenticate users in the guest VLAN for MAC authentication on a port at reauthentication intervals.
Typically, you disable this feature to suppress excessive authentication failure log messages, which might occur when a network issue results in a large number of reauthentication failures.
If guest VLAN reauthentication is disabled on a port, the device does not reauthenticate users in the guest VLAN for MAC authentication on the port. The guest VLAN users will stay in the guest VLAN until they age out. To configure the aging timer, use the mac-authentication timer user-aging guest-vlan aging-time-value command.
Examples
# Enable the guest VLAN reauthentication feature of MAC authentication on GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] mac-authentication guest-vlan re-authenticate
Related commands
display mac-authentication
mac-authentication guest-vlan
mac-authentication guest-vlan auth-period
mac-authentication timer
mac-authentication host-mode
Use mac-authentication host-mode multi-vlan to enable MAC authentication multi-VLAN mode on a port.
Use undo mac-authentication host-mode to restore the default.
Syntax
mac-authentication host-mode multi-vlan
undo mac-authentication host-mode
Default
MAC authentication multi-VLAN mode is disabled on a port. When the port receives a packet sourced from an authenticated MAC address in a VLAN not matching the existing MAC-VLAN mapping, the device logs off and reauthenticates the user.
Views
Layer 2 Ethernet interface view
Predefined user roles
network-admin
Usage guidelines
The MAC authentication multi-VLAN mode prevents an authenticated online user from service interruption caused by VLAN changes on a port. When the port receives a packet sourced from the user in a VLAN not matching the existing MAC-VLAN mapping, the device neither logs off the user nor reauthenticates the user. The device creates a new MAC-VLAN mapping for the user, and traffic transmission is not interrupted. The original MAC-VLAN mapping for the user remains on the device until it dynamically ages out. As a best practice, configure this feature on hybrid or trunk ports.
This feature improves transmission of data that is vulnerable to delay and interference. It is typically applicable to IP phone users.
Examples
# Enable MAC authentication multi-VLAN mode on GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] mac-authentication host-mode multi-vlan
Related commands
display mac-authentication
mac-authentication mac-range-account
Use mac-authentication mac-range-account to configure a username and password for MAC authentication users in a MAC address range.
Use undo mac-authentication mac-range-account to restore the default.
Syntax
mac-authentication mac-range-account mac-address mac-address mask { mask | mask-length } account name password { cipher | simple } string
undo mac-authentication mac-range-account { all | mac-address mac-address }
Default
No username or password is specifically configured for MAC authentication users in a MAC address range. The global user account policy applies to the users.
Views
System view
Predefined user roles
network-admin
Parameters
mac-address mac-address: Specifies a MAC address in the format of H-H-H.
mask mask: Specifies a MAC address mask, in the format of H-H-H. Make sure the most significant bits of the MAC address mask in binary format are consecutive 1s.
mask mask-length: Specifies a MAC address mask length, in the range of 1 to 48.
account name: Specifies a username. The name is a case-sensitive string of 1 to 55 characters, and cannot include the at sign (@).
password: Specifies the user password.
cipher: Specifies a password in encrypted form.
simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.
string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 63 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.
all: Specifies all MAC address ranges.
Usage guidelines
Use this command to configure user account settings for users in a MAC address range (for example, users with a specific OUI). For users in the specified range, this command has higher priority than the mac-authentication user-name-format command.
You can configure a maximum of 16 MAC address ranges. However, you must make sure the MAC address ranges do not overlap.
If you configure user account settings multiple times for the same MAC address range, the most recent configuration overwrites the previous configuration.
The mac-authentication mac-range-account command applies only to unicast MAC addresses.
· If you specify a MAC address range that contains only multicast MAC addresses, execution of this command will fail.
· If you specify a MAC address range that contains both unicast and multicast MAC addresses, the command takes effect only on unicast MAC addresses.
The all-zero MAC address is invalid for MAC authentication. Users with the all-zero MAC address cannot pass MAC authentication.
Examples
# Configure a user account for MAC addresses that start with aaaa. Set the MAC address mask to ffff-0000-0000, the username to user1, and the password to 1234 in plaintext form.
<Sysname> system-view
[Sysname] mac-authentication mac-range-account mac-address aaaa-0000-0000 mask ffff-0000-0000 account user1 password simple 1234
Related commands
display mac-authentication
mac-authentication user-name-format
mac-authentication max-user
Use mac-authentication max-user to set the maximum number of concurrent MAC authentication users on a port.
Use undo mac-authentication max-user to restore the default.
Syntax
mac-authentication max-user max-number
undo mac-authentication max-user
Default
A port allows a maximum of 4294967295 concurrent MAC authentication users.
Views
Layer 2 Ethernet interface view
Predefined user roles
network-admin
Parameters
max-number: Sets the maximum number of concurrent MAC authentication users on the port. The value range for this argument is 1 to 4294967295.
Usage guidelines
Set the maximum number of concurrent MAC authentication users on a port to prevent the system resources from being overused. When the maximum number is reached, the port denies subsequent MAC authentication users.
Examples
# Configure GigabitEthernet 1/0/1 to support a maximum of 32 concurrent MAC authentication users.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] mac-authentication max-user 32
Related commands
display mac-authentication
mac-authentication offline-detect enable
Use mac-authentication offline-detect enable to enable MAC authentication offline detection on a port.
Use undo mac-authentication offline-detect enable to disable MAC authentication offline detection.
Syntax
mac-authentication offline-detect enable
undo mac-authentication offline-detect enable
Default
MAC authentication offline detection is enabled on a port.
Views
Layer 2 Ethernet interface view
Predefined user roles
network-admin
Usage guidelines
The MAC authentication offline detection feature monitors the online status of MAC authentication users. This feature uses an offline detect timer to set the interval that the device must wait for traffic from a user before the device determines that the user is idle. If the device has not received traffic from a user before the timer expires, the device logs off that user and requests the accounting server to stop accounting for the user.
To set the offline detect timer, use the mac-authentication timer command.
Examples
# Disable MAC authentication offline detection on GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] undo mac-authentication offline-detect enable
Related commands
mac-authentication timer
mac-authentication offline-detect mac-address
Use mac-authentication offline-detect mac-address to configure MAC authentication offline detection for a MAC authentication user.
Use undo mac-authentication offline-detect mac-address to restore the default.
Syntax
mac-authentication offline-detect mac-address mac-address { ignore | timer offline-detect-value [ check-arp-or-nd-snooping ] }
undo mac-authentication offline-detect mac-address mac-address
Default
The offline detection settings configured on access ports take effect and the offline detect timer set in system view is used.
Views
System view
Predefined user roles
network-admin
Parameters
mac-address: Specifies a MAC address in the format of H-H-H, excluding multicast, all-zero, and all-F MAC addresses.
ignore: Skips offline detection for the specified user.
timer offline-detect-value: Specifies the offline detect timer for the specified user. The value range is 60 to 2147483647 seconds.
check-arp-or-nd-snooping: Uses the ARP snooping or ND snooping table in offline detection to determine the offline state of the user.
Usage guidelines
Use this command to set offline detection parameters specific to a MAC authentication user. To have this command take effect, you must make sure MAC authentication offline detection is enabled on the user's access port. The user-specific offline detection settings take effect on the online users immediately after they are configured.
Use this command as follows:
· Set an offline detect timer specific to a user and control whether to use the ARP snooping or ND snooping table to determine the offline state of the user.
¡ If the ARP snooping or ND snooping table is used, the device searches the ARP snooping or ND snooping table before it checks for traffic from the user within the detection interval. If a matching ARP snooping or ND snooping entry is found, the device resets the offline detect timer and the user stays online. If the offline detect timer expires because the device has not found a matching snooping entry for the user or received traffic from the user, the device disconnects the user.
¡ If the ARP or ND snooping table is not used, the device disconnects the user if it has not received traffic from that user before the offline detect timer expires.
When disconnecting the user, the device also notifies the RADIUS server (if any) to stop user accounting.
· Skip offline detection for the user. You can choose this option if the user is a dumb terminal. A dumb terminal might fail to come online again after it is logged off by the offline detection feature.
The device uses the offline detection settings for a user in the following sequence:
1. User-specific offline detection settings.
2. Offline detection settings assigned to the user by the RADIUS server. The settings include the offline detect timer, use of the ARP or ND snooping table in offline detection, and whether to ignore offline detection.
3. Port-based offline detection settings.
Examples
# Disable MAC authentication offline detection for the MAC authentication user with MAC address 000a-eb29-7511.
<Sysname> system-view
[Sysname] mac-authentication offline-detect mac-address 000a-eb29-7511 ignore
# Enable MAC authentication offline detection for the MAC authentication user with MAC address 000a-eb29-7511, and set the offline detect timer to 24 hours.
<Sysname> system-view
[Sysname] mac-authentication offline-detect mac-address 000a-eb29-7511 timer 86400
Related commands
display mac-authentication connection
mac-authentication offline-detect enable
mac-authentication timer (system view)
mac-authentication parallel-with-dot1x
Use mac-authentication parallel-with-dot1x to enable parallel MAC authentication and 802.1X authentication on a port.
Use undo mac-authentication parallel-with-dot1x to restore the default.
Syntax
mac-authentication parallel-with-dot1x
undo mac-authentication parallel-with-dot1x
Default
Parallel MAC authentication and 802.1X authentication is disabled on a port.
Views
Layer 2 Ethernet interface view
Predefined user roles
network-admin
Usage guidelines
When you use this command on a port, follow these restrictions and guidelines:
· Make sure the port meets the following requirements:
¡ The port is configured with both 802.1X authentication and MAC authentication and performs MAC-based access control for 802.1X authentication.
¡ The port is enabled with the 802.1X unicast trigger.
· Do not enable MAC authentication delay on the port. This operation will delay MAC authentication after 802.1X authentication is triggered.
· To configure both 802.1X authentication and MAC authentication on the port, enable the 802.1X and MAC authentication features separately on the port.
Examples
# Enable parallel MAC authentication and 802.1X authentication on GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] mac-authentication parallel-with-dot1x
Related commands
display mac-authentication
mac-authentication re-authenticate
Use mac-authentication re-authenticate to enable the periodic MAC reauthentication feature on a port.
Use undo mac-authentication re-authenticate to disable the periodic MAC reauthentication feature on a port.
Syntax
mac-authentication re-authenticate
undo mac-authentication re-authenticate
Default
The periodic MAC reauthentication feature is disabled on a port.
Views
Layer 2 Ethernet interface view
Predefined user roles
network-admin
Usage guidelines
Periodic MAC reauthentication enables the access device to periodically authenticate online MAC authentication users on a port. This feature tracks the connection status of online users and updates the authorization attributes assigned by the server, such as the ACL and VLAN.
To set the periodic reauthentication timer, use the mac-authentication timer reauth-period command in system view or in Ethernet interface view.
If periodic reauthentication is triggered for a user while that user is waiting for online synchronization, the system performs online synchronization and does not perform reauthentication for the user.
Examples
# Enable the periodic MAC reauthentication feature on GigabitEthernet 1/0/1 and set the global periodic reauthentication timer to 1800 seconds.
<Sysname> system-view
[Sysname] mac-authentication timer reauth-period 1800
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] mac-authentication re-authenticate
Related commands
display mac-authentication
mac-authentication server-recovery online-user-sync
mac-authentication timer
mac-authentication re-authenticate server-unreachable keep-online
Use mac-authentication re-authenticate server-unreachable keep-online to enable the keep-online feature on a port.
Use undo mac-authentication re-authenticate server-unreachable to restore the default.
Syntax
mac-authentication re-authenticate server-unreachable keep-online
undo mac-authentication re-authenticate server-unreachable
Default
The keep-online feature is disabled on a port. The device logs off online MAC authentication users if no server is reachable for MAC reauthentication.
Views
Layer 2 Ethernet interface view
Predefined user roles
network-admin
Usage guidelines
The keep-online feature keeps authenticated MAC authentication users online when no server is reachable for MAC reauthentication.
Examples
# Enable the keep-online feature for authenticated MAC authentication users on GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] mac-authentication re-authenticate server-unreachable keep-online
Related commands
display mac-authentication
mac-authentication recover-user
Use mac-authentication recover-user to manually trigger MAC authentication user recovery based on a MAC authentication user recovery profile.
Syntax
mac-authentication recover-user profile profile-name [ interface interface-type interface-number ]
Views
User view
Predefined user roles
network-admin
Parameters
profile profile-name: Specifies a MAC authentication user recovery profile by its name, a case-insensitive string of 1 to 31 characters.
interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command recovers MAC authentication users on all interfaces.
Usage guidelines
Use this command to manually trigger MAC authentication user recovery. Then, the device obtains MAC authentication user information from the RESTful server in the specified profile and performs reauthentication.
This command is helpful when automatic recovery fails to recover the online state of all MAC authenticated users because of link flapping.
Examples
# Use MAC authentication user recovery profile profile1 to manually recover MAC authentication users.
<Sysname> mac-authentication recover-user profile profile1
Related commands
mac-authentication auto-recover-user
mac-authentication user-recovery-profile
mac-authentication server-recovery online-user-sync
Use mac-authentication server-recovery online-user-sync to enable online user synchronization for MAC authentication.
Use undo mac-authentication server-recovery online-user-sync to disable online user synchronization for MAC authentication.
Syntax
mac-authentication server-recovery online-user-sync
undo mac-authentication server-recovery online-user-sync
Default
Online user synchronization for MAC authentication is disabled. The device does not synchronize online MAC authentication user information on a port with a RADIUS server after the RADIUS server recovers from the unreachable state.
Views
Layer 2 Ethernet interface view
Predefined user roles
network-admin
Usage guidelines
|
|
IMPORTANT: This command takes effect only when the device uses an IMC RADIUS server to authenticate MAC authentication users. |
To ensure that the RADIUS server maintains the same online MAC authentication user information as the device after the server state changes from unreachable to reachable, use this feature.
This feature synchronizes online MAC authentication user information between the device and the RADIUS server when the RADIUS server state is detected having changed from unreachable to reachable.
When synchronizing online MAC authentication user information on a port with the RADIUS server, the device initiates MAC authentication in turn for each authenticated online MAC authentication user to the RADIUS server.
If synchronization fails for an online user, the device logs off that user unless the failure occurs because the server has become unreachable again.
The amount of time required to complete online user synchronization increases as the number of online users grows. This might result in an increased delay for new MAC authentication users and users in the critical VLAN to authenticate or reauthenticate to the RADIUS server and come online.
To have this feature take effect, you must use it in conjunction with the RADIUS server status detection feature, which is configurable with the radius-server test-profile command. For more information about the RADIUS server status detection feature, see AAA configuration in User Access and Authentication Configuration Guide.
Examples
# Enable online user synchronization for MAC authentication on GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] mac-authentication server-recovery online-user-sync
Related commands
display mac-authentication
radius-server test-profile
timer quiet (RADIUS scheme view)
mac-authentication timer (interface view)
Use mac-authentication timer to configure a MAC authentication timer on a port.
Use undo mac-authentication timer to restore the default of a MAC authentication timer.
Syntax
mac-authentication timer { auth-delay auth-delay-time | reauth-period reauth-period-value }
undo mac-authentication timer { auth-delay | reauth-period }
Default
No MAC authentication delay timer is set on a port. MAC authentication delay is disabled. MAC authentication starts immediately after it is triggered by a user packet.
No periodic MAC reauthentication timer is set on a port. The port uses the global periodic MAC reauthentication timer.
Views
Layer 2 Ethernet interface view
Predefined user roles
network-admin
Parameters
auth-delay auth-delay-time: Sets the delay time for MAC authentication in seconds. The value range is 1 to 180.
reauth-period reauth-period-value: Sets the port-specific periodic MAC reauthentication timer in seconds. The value range is 60 to 7200.
Usage guidelines
When both 802.1X authentication and MAC authentication are enabled on a port, you can delay MAC authentication so that 802.1X authentication is preferentially triggered. If no 802.1X authentication is triggered or if 802.1X authentication fails within the delay period, the port continues to process MAC authentication.
The device reauthenticates online MAC authentication users on a port at the specified periodic reauthentication interval if the port is enabled with periodic MAC reauthentication. To enable periodic MAC reauthentication on a port, use the mac-authentication re-authenticate command.
A change to the port-specific periodic reauthentication timer applies to online users only after the old timer expires.
The device selects a periodic reauthentication timer for MAC reauthentication in the following order:
1. Server-assigned reauthentication timer.
2. Port-specific reauthentication timer.
3. Global reauthentication timer.
4. Default reauthentication timer.
Examples
# Enable MAC authentication delay on GigabitEthernet 1/0/1 and set the delay time to 10 seconds.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] mac-authentication timer auth-delay 10
Related commands
display mac-authentication
mac-authentication timer (system view)
Use mac-authentication timer to configure a MAC authentication timer.
Use undo mac-authentication timer to restore the default of a MAC authentication timer.
Syntax
mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | reauth-period reauth-period-value | server-timeout server-timeout-value | user-aging { critical-vlan | guest-vlan } aging-time-value }
undo mac-authentication timer { offline-detect | quiet | reauth-period | server-timeout | user-aging { critical-vlan | guest-vlan } } }
Default
The following MAC authentication timers apply:
· The offline detect timer is 300 seconds.
· The quiet timer is 60 seconds.
· The global periodic MAC reauthentication timer is 3600 seconds.
· The server timeout timer is 100 seconds.
· User aging timer for a type of access-limited VLAN for MAC authentication: 1000 seconds.
Views
System view
Predefined user roles
network-admin
Parameters
offline-detect offline-detect-value: Sets the offline detect timer. The value range is 60 to 2147483647 seconds.
quiet quiet-value: Sets the quiet timer. The value range is 1 to 3600 seconds.
reauth-period reauth-period-value: Sets the global periodic MAC reauthentication timer. The value range is 60 to 7200 seconds.
server-timeout server-timeout-value: Sets the server timeout timer. The value range is 100 to 300 seconds.
user-aging: Sets the user aging timer for a type of MAC authentication VLAN.
critical-vlan: Specifies MAC authentication critical VLANs.
guest-vlan: Specifies MAC authentication guest VLANs.
aging-time-value: Sets the user aging timer. The value range is 60 to 2147483647 seconds.
Usage guidelines
MAC authentication uses the following timers:
· Offline detect timer—Sets the interval that the device must wait for traffic from a user before the device determines that the user is idle. If the device has not received traffic from a user before the timer expires, the device logs off that user and requests the accounting server to stop accounting for the user. This timer takes effect only when the MAC authentication offline detection feature is enabled.
As a best practice, set the MAC address aging timer to the same value as the offline detect timer. This operation prevents a MAC authenticated user from being logged off within the offline detect interval because of MAC address entry expiration.
· Quiet timer—Sets the interval that the device must wait before the device can perform MAC authentication for a user that has failed MAC authentication. All packets from the MAC address are dropped during the quiet time. This quiet mechanism prevents repeated authentication from affecting system performance.
· Periodic MAC reauthentication timer—Sets the interval at which the device reauthenticates online MAC authentication users on a port if the port is enabled with periodic MAC reauthentication. A change to the global periodic reauthentication timer applies to online users only after the old timer expires.
· Server timeout timer—Sets the interval that the device waits for a response from a RADIUS server before the device determines that the RADIUS server is unavailable. If the timer expires during MAC authentication, the user fails MAC authentication.
To avoid forced logoff before the server timeout timer expires, set the server timeout timer to a value that is lower than or equal to the product of the following values:
¡ The maximum number of RADIUS packet transmission attempts set by using the retry command in RADIUS scheme view.
¡ The RADIUS server response timeout timer set by using the timer response-timeout command in RADIUS scheme view.
For information about setting the maximum number of RADIUS packet transmission attempts and the RADIUS server response timeout timer, see AAA configuration in User Access and Authentication Configuration Guide.
· User aging timer (user-aging)—Sets the user aging timer for a type of access-limited VLAN for MAC authentication.
If you enable user aging for unthenticated MAC authentication user, you can set a user aging timer for MAC authentication critical or guest VLANs. The user aging timer for a type of access-limited VLAN for MAC authentication determines how long a user can stay in that type of VLAN.
For more information about how user aging operates, see the usage guidelines for the mac-authentication unauthenticated-user aging enable command.
Examples
# Set the server timeout timer to 150 seconds.
<Sysname> system-view
[Sysname] mac-authentication timer server-timeout 150
Related commands
display mac-authentication
mac-authentication guest-vlan auth-period
mac-authentication unauthenticated-user aging enable
retry
timer response-timeout (RADIUS scheme view)
mac-authentication unauthenticated-user aging enable
Use mac-authentication unauthenticated-user aging enable to enable unauthenticated MAC authentication user aging.
Use undo mac-authentication unauthenticated-user aging enable to disable unauthenticated MAC authentication user aging.
Syntax
mac-authentication unauthenticated-user aging enable
undo mac-authentication unauthenticated-user aging enable
Default
Unauthenticated MAC authentication user aging is enabled.
Views
Layer 2 Ethernet interface view
Predefined user roles
network-admin
Usage guidelines
When a user in one of those VLANs ages out, the device removes the user from the VLAN and deletes the MAC address entry for the user from the access port.
For users in one of those VLANs on one port to be authenticated successfully and come online on another port, enable this feature. In any other scenarios, disable this feature as a best practice.
Examples
# Disable unauthenticated MAC authentication user aging on GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] undo mac-authentication unauthenticated-user aging enable
Related commands
mac-authentication timer
mac-authentication user-name-format
Use mac-authentication user-name-format to configure the type of user accounts for MAC authentication users.
Use undo mac-authentication user-name-format to restore the default.
Syntax
mac-authentication user-name-format { fixed [ account name ][ password { cipher | simple } string ] | mac-address [ { with-hyphen [ six-section | three-section ] | without-hyphen } [ lowercase | uppercase ] ] }
undo mac-authentication user-name-format
Default
The MAC address of each user is used as both the username and password for MAC authentication. The MAC addresses are in hexadecimal notation without hyphens, and letters are in lower case.
Views
System view
Predefined user roles
network-admin
Parameters
fixed: Uses a shared account for all MAC authentication users.
account name: Specifies the username for the shared account. The name is a case-sensitive string of 1 to 55 characters, excluding the at sign (@). If you do not specify a username, the default name mac applies.
password: Specifies the password of the shared account. If you do not specify a password for the shared account, the shared account does not have a password.
cipher: Specifies a password in encrypted form.
simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.
string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 63 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.
mac-address: Uses MAC-based user accounts for MAC authentication users.
with-hyphen: Includes hyphens in a MAC address.
six-section: Specifies the six-section format. For example, xx-xx-xx-xx-xx-xx or XX-XX-XX-XX-XX-XX.
three-section: Specifies the three-section format. For example, xxxx-xxxx-xxxx or XXXX-XXXX-XXXX.
without-hyphen: Excludes hyphens from a MAC address, for example, xxxxxxxxxxxx.
lowercase: Specifies letters in lower case.
uppercase: Specifies letters in upper case.
Usage guidelines
If you do not specify the six-section or three-section keyword, the MAC addresses in MAC-based user accounts are in six-section format.
If you specify the MAC-based user account format, the device uses the MAC address of a user as the username for MAC authentication of the user. This user account type ensures high authentication security. However, you must create on the authentication server a user account for each user, using the MAC address of the user as the username.
If you specify a shared user account, the device uses the specified username and password for MAC authentication of all users. Because all MAC authentication users use a single account for authentication, you only need to create one account on the authentication server. This user account type is suitable for trusted networks.
Examples
# Configure a shared account for MAC authentication users, and set the username to abc and password to plaintext string of xyz.
<Sysname> system-view
[Sysname] mac-authentication user-name-format fixed account abc password simple xyz
# Use the MAC address of each user as both the username and password for MAC authentication. The MAC addresses are in hexadecimal notation without hyphens, and letters are in upper case.
<Sysname> system-view
[Sysname] mac-authentication user-name-format mac-address without-hyphen uppercase
display mac-authentication
mac-authentication user-recovery-profile
Use mac-authentication user-recovery-profile to create a profile for MAC authentication user recovery and enter its view, or enter the view of an existing profile.
Use undo mac-authentication user-recovery-profile to delete a MAC authentication user recovery profile.
Syntax
mac-authentication user-recovery-profile profile-name
undo mac-authentication user-recovery-profile profile-name
Default
No MAC authentication user recovery profiles exist.
Views
System view
Predefined user roles
network-admin
Parameters
profile-name: Specifies a profile name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
To obtain MAC authentication user information from a RESTful server, create a profile for obtaining information from that server. A profile contains a set of parameters for accessing a RESTful server and the URI from which you obtain MAC authentication user information.
You can configure a maximum of 16 profiles for MAC authentication user recovery.
Examples
# Create a MAC authentication user recovery profile named profile1 and enter its view.
<Sysname> system-view
[Sysname] mac-authentication user-recovery-profile profile1
[Sysname-user-recovery-profile-profile1]
New user-recovery profile created
Related commands
display mac-authentication user-recovery-profile
mac-authentication auto-recover-user
mac-authentication recover-user
mac-authentication web-proxy
Use mac-authentication web-proxy to enable the device to trigger URL redirection for HTTP or HTTPS requests sent by a MAC authenticated user to a specified Web proxy port.
Use undo mac-authentication web-proxy to remove the specified or all Web proxy ports.
Syntax
mac-authentication web-proxy { http | https } port port-number
undo mac-authentication web-proxy { { http | https } port port-number | all-port }
Default
No Web proxy ports are specified. The device redirects the HTTP or HTTPS requests from a MAC authenticated user to the authorized URL only if the requests are sent from a browser with Web proxy disabled.
Views
System view
Predefined user roles
network-admin
Parameters
http: Specifies HTTP requests.
https: Specifies HTTPS requests.
port port-number: Specifies the TCP port number of a Web proxy for HTTP or HTTPS requests, in the range of 1 to 65535. The device always allows Web requests that use ports 80 and 443 to trigger MAC authentication URL redirection, and the two port numbers are not user configurable.
all-port: Specifies all Web proxy ports for MAC authentication URL redirection.
Usage guidelines
By default, the device discards the HTTP and HTTPS requests sent by a MAC authenticated user if they are sent from a browser configured with a Web proxy. To redirect the HTTP or HTTPS requests sent by a MAC authenticated user to a Web proxy port, add that Web proxy port to the device.
When you use this command, follow these restrictions and guidelines:
· You can specify a maximum of 64 Web proxy ports.
· Specify different Web proxy port numbers for HTTP and HTTPS requests.
· Adding or removing a Web proxy port will cause the device to log off all online MAC authenticated users that have been assigned an authorization redirect URL.
Examples
# Configure the device to trigger URL redirection for the HTTP requests sent by MAC authenticated users to Web proxy port 8080.
<Sysname> system-view
[Sysname] mac-authentication web-proxy http port 8080
Related commands
display mac-authentication
nas-ip
Use nas-ip to specify the NAS IP address for the device to communicate with the RESTful server in a MAC authentication user recovery profile.
Use undo nas-ip to remove the NAS IP addresses used by the device to communicate with the RESTful server in a MAC authentication user recovery profile.
Syntax
nas-ip { ipv4-address | ipv6 ipv6-address }
undo nas-ip
Default
No NAS IP address is specified for the device to communicate with the RESTful server in a MAC authentication user recovery profile.
Views
MAC authentication user recovery profile view
Predefined user roles
network-admin
Parameters
ipv4-address: Specifies an IPv4 NAS IP address. The IPv4 address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.
ipv6 ipv6-address: Specifies an IPv6 NAS IP address. The IPv6 address must be a unicast address and cannot be a loopback address or a link-local address.
Usage guidelines
The NAS IP address must be the same as that configured in the authentication RADIUS scheme for the MAC authentication users. In addition, it must be in the same IP address family as the IP address of the RESTful server in the profile.
You can specify only one NAS IP address in a profile. If you execute this command multiple times, the most recent configuration takes effect.
Examples
# In MAC authentication user recovery profile profile1, configure the device to use NAS IP address 10.1.1.1 to communicate with the RESTful server.
<Sysname> system-view
[Sysname] mac-authentication user-recovery-profile profile1
[Sysname-user-recovery-profile-profile1] nas-ip 10.1.1.1
Related commands
display mac-authentication user-recovery-profile
nas-ip (RADIUS scheme view)
reset mac-authentication access-user
Use reset mac-authentication access-user to log off MAC authentication users.
Syntax
reset mac-authentication access-user [ interface interface-type interface-number | mac mac-address | username username | vlan vlan-id ]
Views
User view
Predefined user roles
network-admin
Parameters
interface interface-type interface-number: Specifies a port by its type and number.
mac mac-address: Specifies a MAC authentication user by its MAC address. The mac-address argument is in the format of H-H-H.
username username: Specifies a MAC authentication user by its name. The username argument is a case-sensitive string of 1 to 253 characters.
vlan vlan-id: Specifies a VLAN by its VLAN ID. The value range for the vlan-id argument is 1 to 4094.
Usage guidelines
Use this command to log off the specified MAC authentication users and clear information about these users from the device. These users must perform MAC authentication to come online again.
With a VLAN specified, this command logs off the following MAC authentication users:
· Users that have passed MAC authentication and have been assigned the specified VLAN as their authorization VLAN by the server.
· Users that stay in the specified VLAN after they have passed MAC authentication, because they have not been assigned an authorization VLAN yet.
· Users that are performing MAC authentication in the specified VLAN.
To identify the VLAN in which a user is staying, use the display mac-address command.
If you do not specify any parameters, the reset mac-authentication access-user command logs off all MAC authentication users on the device.
The reset mac-authentication access-user command takes effect only on wired MAC authentication users. To log off wireless MAC authentication users, use the reset wlan client command. For more information about the reset wlan client command, see WLAN Access Command Reference.
Examples
# Log off all MAC authentication users on GigabitEthernet 1/0/1.
<Sysname> reset mac-authentication access-user interface gigabitethernet 1/0/1
Related commands
display mac-authentication connection
reset mac-authentication critical vlan
Use reset mac-authentication critical vlan to remove users from the MAC authentication critical VLAN on a port.
Syntax
reset mac-authentication critical vlan interface interface-type interface-number [ mac-address mac-address ]
Views
User view
Predefined user roles
network-admin
Parameters
interface interface-type interface-number: Specifies a port by its type and number.
mac-address mac-address: Specifies a user by its MAC address. If you do not specify this option, the command removes all users from the MAC authentication critical VLAN on the port.
Examples
# Remove the user with MAC address 1-1-1 from the MAC authentication critical VLAN on GigabitEthernet 1/0/1.
<Sysname> reset mac-authentication critical vlan interface gigabitethernet 1/0/1 mac-address 1-1-1
Related commands
display mac-authentication
mac-authentication critical vlan
reset mac-authentication guest-vlan
Use reset mac-authentication guest-vlan to remove users from the guest VLAN for MAC authentication on a port.
Syntax
reset mac-authentication guest-vlan interface interface-type interface-number [ mac-address mac-address ]
Views
User view
Predefined user roles
network-admin
Parameters
interface interface-type interface-number: Specifies a port by its type and number.
mac-address mac-address: Specifies a user by its MAC address. If you do not specify this option, the command removes all users from the guest VLAN for MAC authentication on the port.
Examples
# Remove the user with MAC address 1-1-1 from the guest VLAN for MAC authentication on GigabitEthernet 1/0/1.
<Sysname> reset mac-authentication guest-vlan interface gigabitethernet 1/0/1 mac-address 1-1-1
Related commands
display mac-authentication
mac-authentication guest-vlan
reset mac-authentication statistics
Use reset mac-authentication statistics to clear MAC authentication statistics.
Syntax
reset mac-authentication statistics [ ap ap-name [ radio radio-id ] | interface interface-type interface-number ]
Views
User view
Predefined user roles
network-admin
Parameters
ap ap-name: Specifies an AP by its name, a case-sensitive string of 1 to 64 characters. The string can contain letters, digits, underscores (_), left brackets ([), right brackets (]), forward slashes (/), and hyphens (-). If you do not specify an AP, this command clears MAC authentication statistics for all APs.
radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by device model. If you do not specify a radio, this command clears MAC authentication statistics for all radios on the specified AP.
interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command clears both global and port-specific MAC authentication statistics.
Examples
# Clear MAC authentication statistics on GigabitEthernet 1/0/1.
<Sysname> reset mac-authentication statistics interface gigabitethernet 1/0/1
Related commands
display mac-authentication
server-address
Use server-address to configure the IP address and service port number of a RESTful server.
Use undo server-address to restore the default.
Syntax
server-address { ip ipv4-address | ipv6 ipv6-address } [ port port-number ]
undo server-address
Default
A MAC authentication user recovery profile does not contain a RESTful server.
Views
MAC authentication user recovery profile view
Predefined user roles
network-admin
Parameters
ip ipv4-address: Specifies the IPv4 address of the RESTful server.
ipv6 ipv6-address: Specifies the IPv6 address of the RESTful server.
port port-number: Specifies the port number on which the RESTful server listens for request messages. The value range is 1 to 65535 and the default setting is 80.
Usage guidelines
Use this command to specify the RESTful server from which you obtain MAC authentication user information for reauthentication.
This server can only be the IMC server that acts as the authentication server for the MAC authentication users.
The IP address of the RESTful server must be in the same IP address family as the NAS IP address of the device in the same profile.
You can specify only one RESTful server in a profile. If you execute this command multiple times, the most recent configuration takes effect.
Examples
# In MAC authentication user recovery profile profile1, specify the RESTful server at 3.3.3.3 and set its service port number to 800.
<Sysname> system-view
[Sysname] mac-authentication user-recovery-profile profile1
[Sysname-user-recovery-profile-profile1] server-address ip 3.3.3.3 port 8080
Related commands
display mac-authentication user-recovery-profile
nas-ip
uri
Use uri to specify the URI for the device to obtain MAC authentication user information from the RESTful server in a MAC authentication user recovery profile.
Use undo uri to remove the URI in a MAC authentication user recovery profile.
Syntax
uri uri-string
undo uri
Default
A MAC authentication user recovery profile does not contain a URI.
Views
MAC authentication user recovery profile view
Predefined user roles
network-admin
Parameters
uri-string: Specifies a URI, a case-sensitive string of 1 to 255 characters.
Usage guidelines
Use this command to specify the URI that the RESTful server uses to provide MAC authentication user information.
The URI can only be imcrs/uam/online/notAgingMuteTerminal. Other URIs cannot take effect.
Examples
# In MAC authentication user recovery profile profile1, specify imcrs/uam/online/notAgingMuteTerminal as the URI for obtaining MAC authentication user information from the RESTful server.
<Sysname> system-view
[Sysname] mac-authentication user-recovery-profile profile1
[Sysname-user-recovery-profile-profile1] uri imcrs/uam/online/notAgingMuteTerminal
Related commands
display mac-authentication user-recovery-profile
server-address
