17-BRAS Services Command Reference

12-802.1X commands

802.1X commands

display dot1x

Use display dot1x to display information about 802.1X.

Syntax

display dot1x [ sessions | statistics ] [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

sessions: Displays 802.1X session information.

statistics: Displays 802.1X statistics.

interface interface-type interface-number: Specifies an interface by its type and number.

Usage guidelines

If you do not specify the sessions keyword or the statistics keyword, this command displays all information about 802.1X, including session information, statistics, and settings.

If you do not specify the interface interface-type interface-number option, this command displays 802.1X information for all interfaces.

Examples

# Display all information about 802.1X.

<Sysname> display dot1x

 Global 802.1X parameters:

   802.1X authentication                   : Enabled

   CHAP authentication                     : Enabled

   Max-tx period                           : 30 s

   Handshake period                        : 15 s

   Quiet timer                             : Disabled

       Quiet period                        : 60 s

       Max auth-fail times before quiet    : 3

       Max auth-fail period before quiet   : 30 s

   Supp timeout                            : 30 s

   Server timeout                          : 100 s

   Reauth period                           : 3600 s

   Max auth requests                       : 2

   Domain delimiter                        : @

 Online 802.1X wired users                 : 1

 

 Ten-GigabitEthernet3/1/1  is link-up

   802.1X authentication                   : Enabled

   Handshake                               : Enabled

   Handshake reply                         : Disabled

   Handshake security                      : Disabled

   Periodic reauth                         : Disabled

   Port role                               : Authenticator

   Mandatory auth domain                   : Not configured

   Re-auth server-unreachable              : Logoff

   Re-auth authentication-fail             : Logoff

   Max-user high alarm threshold           : Not configured

   Max-user alarm clear threshold          : Not configured

   Max online users                        : 256

   Discard duplicate EAPOL-Start           : No

 

   EAPOL packets: Tx 3, Rx 3

   Sent EAP Request/Identity packets : 1

        EAP Request/Challenge packets: 1

        EAP Success packets: 1

        EAP Failure packets: 0

   Received EAPOL Start packets : 1

            EAPOL LogOff packets: 1

            EAP Response/Identity packets : 1

            EAP Response/Challenge packets: 1

            Error packets: 0

   Online 802.1X users: 1

          MAC address         Auth state

          0001-0000-0000      Authenticated

Table 1 Command output

Field

Description

Global 802.1X parameters

Global 802.1X configuration.

802.1X authentication

Whether 802.1X is enabled globally.

CHAP authentication

Performs EAP termination and uses CHAP to communicate with the RADIUS server.

EAP authentication

Relays EAP packets and supports any of the EAP authentication methods to communicate with the RADIUS server.

PAP authentication

Performs EAP termination and uses PAP to communicate with the RADIUS server.

Max-tx period

Username request timeout timer in seconds.

Handshake period

Handshake timer in seconds.

Quiet timer

Status of the quiet timer, enabled or disabled.

Quiet period

Quiet timer in seconds.

Max auth-fail times before quiet

Maximum number of consecutive authentication failures allowed for a user before the system starts the quiet timer for that user.

If no maximum number is configured, this field displays Not configured.

Max auth-fail period before quiet

Maximum period during which the system allows consecutive authentication failures for a user before it starts the quiet timer for that user.

If no maximum period is configured, this field displays Not configured.

Supp timeout

Client timeout timer in seconds.

Server timeout

Server timeout timer in seconds.

Reauth period

Periodic reauthentication timer in seconds.

Max auth requests

Maximum number of attempts for sending an authentication request to a client.

Domain delimiter

Domain delimiters supported by the device.

Online 802.1X wired users

Number of wired online 802.1X users, including users that have passed 802.1X authentication and users that are performing 802.1X authentication.

Ten-GigabitEthernet3/1/1 is link-up

Status of the interface. In this example, Ten-GigabitEthernet 3/1/1 is up.

802.1X authentication

Whether 802.1X is enabled on the interface.

Handshake

Whether the online user handshake feature is enabled on the interface.

Handshake reply

Whether the online user handshake reply feature is enabled on the interface.

Handshake security

Whether the online user handshake security feature is enabled on the interface.

Periodic reauth

Whether periodic online user reauthentication is enabled on the interface.

Port role

Role of the interface. The interface functions only as an Authenticator.

Mandatory auth domain

Mandatory authentication domain on the interface.

Re-auth server-unreachable

Whether to log off online 802.1X users or keep them online when no server is reachable for 802.1X reauthentication.

Re-auth authentication-fail

Action taken on 802.1X online users that fail reauthentication:

·     Logoff—Logs off these users.

·     Online—Allows these users to stay online.

Max-user high alarm threshold

Alarm threshold for 802.1X user access ratio on the port.

If no alarm threshold is configured, this field displays Not configured.

Max-user alarm clear threshold

Alarm clear threshold for 802.1X user access ratio on the port.

If no alarm clear threshold is configured, this field displays Not configured.

Max online users

Maximum number of concurrent 802.1X users on the interface.

Discard duplicate EAPOL-Start

Whether the device discards duplicate EAPOL-Start requests on the port.

EAPOL packets

Number of sent (Tx) and received (Rx) EAPOL packets.

Sent EAP Request/Identity packets

Number of sent EAP-Request/Identity packets.

EAP Request/Challenge packets

Number of sent EAP-Request/MD5-Challenge packets.

EAP Success packets

Number of sent EAP-Success packets.

EAP Failure packets

Number of sent EAP-Failure packets.

Received EAPOL Start packets

Number of received EAPOL-Start packets.

EAPOL LogOff packets

Number of received EAPOL-LogOff packets.

EAP Response/Identity packets

Number of received EAP-Response/Identity packets.

EAP Response/Challenge packets

Number of received EAP-Response/MD5-Challenge packets.

Error packets

Number of received error packets.

Online 802.1X users

Number of online 802.1X users on the interface, including users that have passed 802.1X authentication and users that are performing 802.1X authentication.

MAC address

MAC addresses of the online 802.1X users.

Auth state

Authentication status of the online 802.1X users.
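The fields above are what an operator reads by eye; the following is an added example, not H3C code or output, that parses the display dot1x output shown in this section and flags settings a reviewer would want to look at (quiet timer disabled, periodic reauthentication disabled, handshake disabled, keep-online on reauthentication failure). The sample text is a constructed, trimmed copy of the example output; the field names are taken from Table 1 and the audit rules are this example's own choices, not device logic.

```python
import re

# Constructed sample input: a trimmed copy of the display dot1x output shown above.
SAMPLE_OUTPUT = """\
 Global 802.1X parameters:
   802.1X authentication                   : Enabled
   CHAP authentication                     : Enabled
   Max-tx period                           : 30 s
   Handshake period                        : 15 s
   Quiet timer                             : Disabled
       Quiet period                        : 60 s
   Reauth period                           : 3600 s
   Max auth requests                       : 2
 Online 802.1X wired users                 : 1

 Ten-GigabitEthernet3/1/1  is link-up
   802.1X authentication                   : Enabled
   Handshake                               : Enabled
   Periodic reauth                         : Disabled
   Re-auth server-unreachable              : Logoff
   Re-auth authentication-fail             : Logoff
   Max online users                        : 256

   EAPOL packets: Tx 3, Rx 3
   Online 802.1X users: 1
          MAC address         Auth state
          0001-0000-0000      Authenticated
"""

# "<field> : <value>" lines; the field name is everything before the first colon.
KV_RE = re.compile(r"^\s*([^:]+?)\s*:\s*(\S.*?)\s*$")
# "<interface>  is link-up" lines open a per-interface section.
IFACE_RE = re.compile(r"^\s*(\S+)\s+is\s+(link-up|link-down)\s*$")


def parse_display_dot1x(text):
    """Split the output into a global section and one dict per interface."""
    parsed = {"global": {}, "interfaces": {}}
    section = parsed["global"]
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            section = parsed["interfaces"].setdefault(m.group(1), {})
            section["link"] = m.group(2)
            continue
        m = KV_RE.match(line)
        if m:
            section[m.group(1)] = m.group(2)
    return parsed


def seconds(value):
    """Convert a timer value such as '3600 s' to an integer number of seconds."""
    return int(value.split()[0])


def audit(parsed):
    """Return the settings a reviewer would want to look at on this device."""
    findings = []
    g = parsed["global"]
    if g.get("Quiet timer") != "Enabled":
        findings.append("global: quiet timer disabled, failed clients are not throttled")
    for name, cfg in parsed["interfaces"].items():
        if cfg.get("802.1X authentication") != "Enabled":
            continue
        if cfg.get("Periodic reauth") != "Enabled":
            findings.append(f"{name}: periodic reauthentication disabled")
        if cfg.get("Handshake") != "Enabled":
            findings.append(f"{name}: online user handshake disabled")
        for key in ("Re-auth server-unreachable", "Re-auth authentication-fail"):
            if cfg.get(key, "Logoff") != "Logoff":
                findings.append(f"{name}: {key} keeps users online")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_display_dot1x(SAMPLE_OUTPUT)):
        print(finding)
```

On the sample, the parser places Online 802.1X wired users in the global section because it precedes the first interface header, and the audit reports the disabled quiet timer and the disabled periodic reauthentication; handshake is enabled in the sample, so it is not reported.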

 

display dot1x connection

Use display dot1x connection to display detailed information about online 802.1X users.

Syntax

In standalone mode:

display dot1x connection [ interface interface-type interface-number | slot slot-number | user-mac mac-address | user-name name-string ]

In IRF mode:

display dot1x connection [ chassis chassis-number slot slot-number | interface interface-type interface-number | user-mac mac-address | user-name name-string ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays online 802.1X user information for all interfaces.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays online 802.1X user information on all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays online 802.1X user information on all cards in the IRF fabric. (In IRF mode.)

user-mac mac-address: Specifies an 802.1X user by its MAC address in the form of H-H-H. If you do not specify an 802.1X user, this command displays information for all online 802.1X users.

user-name name-string: Specifies an 802.1X user by its name. The name-string argument represents the username, a case-sensitive string of 1 to 253 characters. If you do not specify an 802.1X user, this command displays information for all online 802.1X users.

Usage guidelines

This command displays only authorization attributes assigned by the server. To identify whether the authorization succeeds or not, use the display ip subscriber session command. For more information about the display ip subscriber session command, see "IPoE commands."

Examples

# (In standalone mode.) Display information about all online 802.1X users.

<Sysname> display dot1x connection

Slot ID: 1

User MAC address: 0015-e9a6-7cfe

Access interface: Ten-GigabitEthernet3/1/1

Username: ias

Authentication domain: h3c

Authentication method: CHAP

Initial CVLAN: 1

Initial SVLAN: 1

Termination action: Default

Session timeout period: 2 s

Online from: 2013/03/02  13:14:15

Online duration: 0h 2m 15s

 

Total 1 connections matched.

Table 2 Command output

Field

Description

User MAC address

MAC address of the user.

Access interface

Interface through which the user accesses the device.

Authentication domain

ISP domain used for 802.1X authentication.

Authentication method

EAP message handling method:

·     CHAP—Performs EAP termination and uses CHAP to communicate with the RADIUS server.

·     EAP—Relays EAP packets and supports any of the EAP authentication methods to communicate with the RADIUS server.

·     PAP—Performs EAP termination and uses PAP to communicate with the RADIUS server.

Initial CVLAN

Private VLAN to which the user belongs before 802.1X authentication.

Initial SVLAN

Public VLAN to which the user belongs before 802.1X authentication.

Termination action

Action attribute assigned by the server to terminate the user session:

·     Default—Logs off the online authenticated 802.1X user when the session timeout timer expires. This attribute does not take effect when periodic online user reauthentication is enabled and the periodic reauthentication timer is shorter than the session timeout timer.

·     Radius-request—Reauthenticates the online user when the session timeout timer expires, regardless of whether the periodic online reauthentication feature is enabled or not.

If the device performs local authentication, this field displays Default.

Session timeout period

Session timeout timer assigned by the server.

The action to terminate the user session depends on the value of the Termination action field.

Online from

Time from which the 802.1X user came online.

Online duration

Online duration of the 802.1X user.

Total xxx connections matched.

Number of online 802.1X users.

 

dot1x access-user log enable

Use dot1x access-user log enable to enable 802.1X user logging.

Use undo dot1x access-user log enable to disable 802.1X user logging.

Syntax

dot1x access-user log enable [ abnormal-logoff | failed-login | normal-logoff | quiet-rule-failed | successful-login ]

undo dot1x access-user log enable [ abnormal-logoff | failed-login | normal-logoff | quiet-rule-failed | successful-login ]

Default

802.1X user logging is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

abnormal-logoff: Logs exceptional logoffs of 802.1X users, such as logoffs caused by real-time accounting failures or reauthentication failures.

failed-login: Logs 802.1X user login failures.

normal-logoff: Logs logoffs requested by 802.1X users.

quiet-rule-failed: Logs quiet rule deployment failures. Quiet rules improve the efficiency with which the system discards 802.1X protocol packets from quiet users.

successful-login: Logs successful 802.1X user logins.

Usage guidelines

To prevent excessive 802.1X user log entries, use this feature only if you need to analyze abnormal 802.1X user logins or logouts.

If you do not specify any parameters, this command enables all types of 802.1X user logs.

Examples

# Enable logging 802.1X user login failures.

<Sysname> system-view

[Sysname] dot1x access-user log enable failed-login

Related commands

info-center source dot1x logfile deny (Network Management and Monitoring Command Reference)

dot1x authentication-method

Use dot1x authentication-method to specify an EAP message handling method.

Use undo dot1x authentication-method to restore the default.

Syntax

dot1x authentication-method { chap | eap | pap }

undo dot1x authentication-method

Default

The access device performs EAP termination and uses CHAP to communicate with the RADIUS server.

Views

System view

Predefined user roles

network-admin

Parameters

chap: Configures the access device to perform Extensible Authentication Protocol (EAP) termination and use the Challenge Handshake Authentication Protocol (CHAP) to communicate with the RADIUS server.

eap: Configures the access device to relay EAP packets, and supports any of the EAP authentication methods to communicate with the RADIUS server.

pap: Configures the access device to perform EAP termination and use the Password Authentication Protocol (PAP) to communicate with the RADIUS server.

Usage guidelines

Operating mechanism

The access device terminates or relays EAP packets.

·     In EAP termination mode—The access device re-encapsulates and sends the authentication data from the client in standard RADIUS packets to the RADIUS server. The device performs either CHAP or PAP authentication with the RADIUS server. In this mode the RADIUS server supports only MD5-Challenge EAP authentication, and the username and password EAP authentication initiated by an iNode client.

¡     PAP transports usernames and passwords in plain text. This method applies to scenarios that do not require high security. PAP can be used with an iNode 802.1X client.

¡     CHAP transports usernames in plain text and passwords in encrypted form over the network. CHAP is more secure than PAP.

·     In EAP relay mode—The access device relays EAP messages between the client and the RADIUS server. The EAP relay mode supports multiple EAP authentication methods, such as MD5-Challenge, EAP-TLS, and PEAP. To use this mode, make sure the RADIUS server meets the following requirements:

¡     Supports the EAP-Message and Message-Authenticator attributes.

¡     Uses the same EAP authentication method as the client.

Restrictions and guidelines

Local authentication does not support EAP relay (eap).

If EAP relay is used, the user-name-format command configured in RADIUS scheme view does not take effect. For more information about the user-name-format command, see "RADIUS commands."

If RADIUS authentication is used, you must configure the access device to use the same authentication method (PAP, CHAP, or EAP) as the RADIUS server.
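The difference between the PAP and CHAP termination methods above is what the access device forwards to the RADIUS server. The following added example (not H3C code) computes the RFC 1994 CHAP response, which is the same MD5(identifier || password || challenge) computation used by the EAP MD5-Challenge method, and contrasts the attributes each method carries: User-Password for PAP, CHAP-Challenge and CHAP-Password (RFC 2865) for CHAP. The credentials and the challenge are constructed sample values.

```python
import hashlib
import hmac
import os


def chap_response(identifier, password, challenge):
    """RFC 1994 CHAP (and EAP MD5-Challenge) response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def chap_verify(identifier, stored_password, challenge, response):
    """What a server holding the user's password does to check a CHAP response."""
    expected = chap_response(identifier, stored_password, challenge)
    return hmac.compare_digest(expected, response)


def pap_attributes(username, password):
    """EAP termination + PAP: the device forwards the credentials themselves."""
    return {"User-Name": username.encode(), "User-Password": password}


def chap_attributes(username, password, identifier, challenge):
    """EAP termination + CHAP: the device forwards the challenge and the hashed
    response (RFC 2865 CHAP-Challenge and CHAP-Password, the latter prefixed with
    the one-octet CHAP identifier); the password itself is never sent."""
    return {
        "User-Name": username.encode(),
        "CHAP-Challenge": challenge,
        "CHAP-Password": bytes([identifier]) + chap_response(identifier, password, challenge),
    }


def carries_password(attributes, password):
    """True if the password bytes appear verbatim in any forwarded attribute."""
    return any(password in value for value in attributes.values())


if __name__ == "__main__":
    # Constructed sample credentials; a real challenge is random per authentication.
    user, secret = "alice", b"correct horse battery staple"
    ident, challenge = 7, os.urandom(16)
    print("PAP carries the password:", carries_password(pap_attributes(user, secret), secret))
    chap = chap_attributes(user, secret, ident, challenge)
    print("CHAP carries the password:", carries_password(chap, secret))
    print("server accepts:", chap_verify(ident, secret, challenge, chap["CHAP-Password"][1:]))
```

Two caveats a practitioner should keep in mind: the RADIUS User-Password attribute is additionally obfuscated with the shared secret on the device-to-server leg (RFC 2865 section 5.2), so "plain text" for PAP refers to the device having to handle the password itself; and the CHAP response is a hash, not encryption, so a captured challenge/response pair can be tested offline against password guesses. That is why the EAP relay mode with EAP-TLS or PEAP is the stronger choice where the server supports it.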

Examples

# Enable the access device to terminate EAP packets and perform PAP authentication with the RADIUS server.

<Sysname> system-view

[Sysname] dot1x authentication-method pap

Related commands

display dot1x

dot1x domain-delimiter

Use dot1x domain-delimiter to specify a set of domain name delimiters supported by the device.

Use undo dot1x domain-delimiter to restore the default.

Syntax

dot1x domain-delimiter string

undo dot1x domain-delimiter

Default

The device supports only the at sign (@) delimiter for 802.1X users.

Views

System view

Predefined user roles

network-admin

Parameters

string: Specifies a set of 1 to 16 domain name delimiters for 802.1X users. No space is required between delimiters. Available delimiters include the at sign (@), backslash (\), dot (.), and forward slash (/). If you want to use backslash (\) as the domain name delimiter, you must enter the escape character (\) along with the backslash (\) sign.

Usage guidelines

Any character in the configured set can be used as the domain name delimiter for 802.1X authentication users. Usernames that include domain names can use the format of username@domain-name, domain-name\username, username.domain-name, or username/domain-name.

The delimiter set you configured overrides the default setting. If the at sign (@) is not included in the delimiter set, the device does not support the 802.1X users that use this sign as the domain name delimiter.

If a username string contains multiple configured delimiters, the device takes the rightmost delimiter in the username string as the domain name delimiter. For example, if you configure the forward slash (/), dot (.), and backslash (\) as delimiters, the domain name delimiter for the username string 121.123/22\@abc is the backslash (\). The username is @abc and the domain name is 121.123/22.
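The rightmost-delimiter rule above is easy to get wrong when several delimiters are configured, and the backslash form reverses the order of username and domain. The following added example (not H3C code) validates a delimiter set the way the parameter description specifies (1 to 16 delimiters from the set @ \ . /) and splits usernames by the rightmost configured delimiter; it reproduces the 121.123/22\@abc case from the text and handles the default @-only set. The allowed-delimiter set and the behaviour for a username with no configured delimiter (reported as having no domain) are this example's assumptions.

```python
# Delimiters the dot1x domain-delimiter command accepts (assumed complete from the
# parameter description above).
ALLOWED_DELIMITERS = frozenset("@\\./")


def parse_delimiter_set(string):
    """Validate a delimiter string as the dot1x domain-delimiter command would.

    The string holds 1 to 16 delimiters with no separators. On the CLI a backslash
    is typed escaped as \\\\; here it is passed as the bare character.
    """
    if not 1 <= len(string) <= 16:
        raise ValueError("a delimiter set holds 1 to 16 delimiters")
    unsupported = set(string) - ALLOWED_DELIMITERS
    if unsupported:
        raise ValueError("unsupported delimiter(s): " + "".join(sorted(unsupported)))
    return frozenset(string)


def is_valid_delimiter_set(string):
    """Convenience wrapper returning True/False instead of raising."""
    try:
        parse_delimiter_set(string)
        return True
    except ValueError:
        return False


def split_username(name, delimiters=frozenset("@")):
    """Split an 802.1X username into (username, domain).

    The rightmost configured delimiter in the string is the domain delimiter.
    A backslash means domain-name\\username; @ . / mean username<delim>domain-name.
    Returns (name, None) when no configured delimiter is present (assumption: the
    whole string is then the username and no domain is derived from it).
    """
    pos = max((name.rfind(d) for d in delimiters), default=-1)
    if pos == -1:
        return name, None
    left, right = name[:pos], name[pos + 1:]
    if name[pos] == "\\":
        return right, left
    return left, right


if __name__ == "__main__":
    # Constructed sample: delimiters / . \ configured, username from the text above.
    configured = parse_delimiter_set("/.\\")
    print(split_username("121.123/22\\@abc", configured))  # ('@abc', '121.123/22')
    print(split_username("alice@corp"))                     # default @ delimiter
```

Note that with the / . \ set, the @ in 121.123/22\@abc is not a delimiter at all and stays part of the username, which matches the text: the device does not support @ as a domain delimiter unless @ is in the configured set.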

Examples

# Specify the at sign (@) and forward slash (/) as domain name delimiters.

<Sysname> system-view

[Sysname] dot1x domain-delimiter @/

Related commands

display dot1x

dot1x duplicate-eapol-start discard

Use dot1x duplicate-eapol-start discard to discard duplicate EAPOL-Start requests on an interface.

Use undo dot1x duplicate-eapol-start discard to restore the default.

Syntax

dot1x duplicate-eapol-start discard

undo dot1x duplicate-eapol-start discard

Default

The device does not discard duplicate EAPOL-Start requests on an interface if the requests are legal.

Views

Layer 3 Ethernet interface view

Layer 3 aggregate interface view

Layer 3 Ethernet subinterface view

Layer 3 aggregate subinterface view

Predefined user roles

network-admin

Usage guidelines

During 802.1X authentication, the device might receive duplicate EAPOL-Start requests from an 802.1X user. By default, the device delivers the duplicate EAPOL-Start requests to the authentication server as long as they are legal. However, this mechanism might result in authentication failure if the authentication server cannot respond to duplicate EAPOL-Start requests. To resolve this issue, use this command on the user access interface to discard duplicate EAPOL-Start requests.

As a best practice, use this command only if the server cannot respond to duplicate EAPOL-Start requests. Do not use this command in other situations.

Examples

# Discard duplicate EAPOL-Start requests on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] dot1x duplicate-eapol-start discard

Related commands

display dot1x

dot1x handshake

Use dot1x handshake to enable the online user handshake feature.

Use undo dot1x handshake to disable the online user handshake feature.

Syntax

dot1x handshake

undo dot1x handshake

Default

Online user handshake is disabled.

Views

Layer 3 Ethernet interface view

Layer 3 aggregate interface view

Layer 3 Ethernet subinterface view

Layer 3 aggregate subinterface view

Predefined user roles

network-admin

Usage guidelines

The online user handshake feature enables the device to periodically send EAP-Request/Identity packets to the client for verifying the connectivity status of online 802.1X users. The device sets a user to the offline state if it does not receive an EAP-Response/Identity packet from the user after making the maximum attempts within the handshake period. To set the handshake timer, use the dot1x timer handshake-period command. To set the maximum handshake attempts, use the dot1x retry command.

Examples

# Enable the online user handshake feature on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] dot1x handshake

Related commands

display dot1x

dot1x timer handshake-period

dot1x retry

dot1x handshake reply enable

Use dot1x handshake reply enable to enable the 802.1X online user handshake reply feature.

Use undo dot1x handshake reply enable to disable the 802.1X online user handshake reply feature.

Syntax

dot1x handshake reply enable

undo dot1x handshake reply enable

Default

The 802.1X online user handshake reply feature is disabled.

Views

Layer 3 Ethernet interface view

Layer 3 aggregate interface view

Layer 3 Ethernet subinterface view

Layer 3 aggregate subinterface view

Predefined user roles

network-admin

Usage guidelines

This command enables the device to reply to 802.1X clients' EAP-Response/Identity packets with EAP-Success packets during the online handshake process.

Use this command only if 802.1X clients will go offline without receiving EAP-Success packets from the device.

Examples

# Enable the 802.1X online user handshake reply feature on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] dot1x handshake reply enable

Related commands

dot1x handshake

dot1x handshake secure

Use dot1x handshake secure to enable the online user handshake security feature.

Use undo dot1x handshake secure to disable the online user handshake security feature.

Syntax

dot1x handshake secure

undo dot1x handshake secure

Default

The online user handshake security feature is disabled.

Views

Layer 3 Ethernet interface view

Layer 3 aggregate interface view

Layer 3 Ethernet subinterface view

Layer 3 aggregate subinterface view

Predefined user roles

network-admin

Usage guidelines

The online user handshake security feature enables the device to prevent users from using illegal client software.

The feature is implemented based on the online user handshake feature. To bring the security function into effect, make sure the online user handshake feature is enabled.

The online user handshake security feature takes effect only on the network where the iNode client and IMC server are used.

Examples

# Enable the online user handshake security feature on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] dot1x handshake secure

Related commands

display dot1x

dot1x handshake

dot1x mandatory-domain

Use dot1x mandatory-domain to specify a mandatory 802.1X authentication domain on an interface.

Use undo dot1x mandatory-domain to restore the default.

Syntax

dot1x mandatory-domain domain-name

undo dot1x mandatory-domain

Default

No mandatory 802.1X authentication domain is specified on an interface.

Views

Layer 3 Ethernet interface view

Layer 3 aggregate interface view

Layer 3 Ethernet subinterface view

Layer 3 aggregate subinterface view

Predefined user roles

network-admin

Parameters

domain-name: Specifies the ISP domain name, a case-insensitive string of 1 to 255 characters.

Usage guidelines

When the system authenticates an 802.1X user trying to access an interface, it selects an authentication domain in the following order:

1.     Mandatory domain.

2.     ISP domain specified in the username.

3.     Default ISP domain.

Examples

# Specify my-domain as the mandatory authentication domain for 802.1X users on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] dot1x mandatory-domain my-domain

Related commands

display dot1x

dot1x max-user

Use dot1x max-user to set the maximum number of concurrent 802.1X users on an interface.

Use undo dot1x max-user to restore the default.

Syntax

dot1x max-user max-number

undo dot1x max-user

Default

An interface supports a maximum of 4294967295 concurrent 802.1X users.

Views

Layer 3 Ethernet interface view

Layer 3 aggregate interface view

Layer 3 Ethernet subinterface view

Layer 3 aggregate subinterface view

Predefined user roles

network-admin

Parameters

max-number: Sets the maximum number of concurrent 802.1X users on an interface. The value range is 1 to 4294967295.

Usage guidelines

Set the maximum number of concurrent 802.1X users on an interface to prevent the system resources from being overused. When the maximum number is reached, the interface denies subsequent 802.1X users.

Examples

# Set the maximum number of concurrent 802.1X users to 32 on Ten-GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] dot1x max-user 32

Related commands

display dot1x

dot1x max-user-alarm

Use dot1x max-user-alarm to enable 802.1X max user alarm on an interface and set the alarm threshold and alarm clear threshold.

Use undo dot1x max-user-alarm to restore the default.

Syntax

dot1x max-user-alarm high-threshold high-threshold clear-threshold clear-threshold

undo dot1x max-user-alarm

Default

802.1X max user alarm is disabled on an interface.

Views

Layer 3 Ethernet interface view

Layer 3 aggregate interface view

Layer 3 Ethernet subinterface view

Layer 3 aggregate subinterface view

Predefined user roles

network-admin

Parameters

high-threshold high-threshold: Sets the alarm threshold in percentage, in the range of 1 to 100. The alarm threshold must be greater than the alarm clear threshold.

clear-threshold clear-threshold: Sets the alarm clear threshold in percentage, in the range of 0 to 99.

Usage guidelines

When the ratio of current online 802.1X users to the maximum number of 802.1X users on an interface, expressed as a percentage, reaches the alarm threshold, the device sends an alarm notification. When that percentage drops below the alarm clear threshold, the device sends an alarm clear notification. To set the maximum number of concurrent 802.1X users on an interface, use the dot1x max-user command.

The device sends an alarm notification only when the alarm threshold is crossed for the first time. It does not send another alarm notification before the alarm is cleared.
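The two thresholds form a hysteresis band: one notification when the high threshold is reached, none again until the count has fallen below the clear threshold. The following added example (not H3C code) models that behaviour with the parameter ranges given above, so an operator can predict which counts produce notifications for a given dot1x max-user value. The sample counts are constructed; the max-user value 32 and the 70/40 thresholds come from the examples in this reference.

```python
class MaxUserAlarm:
    """Models the dot1x max-user-alarm hysteresis for one interface.

    high_threshold and clear_threshold are percentages of the interface's
    maximum user count (dot1x max-user); the alarm is raised when the ratio
    reaches high_threshold and cleared when it drops below clear_threshold.
    """

    def __init__(self, max_users, high_threshold, clear_threshold):
        if not 1 <= high_threshold <= 100:
            raise ValueError("high-threshold must be 1 to 100")
        if not 0 <= clear_threshold <= 99:
            raise ValueError("clear-threshold must be 0 to 99")
        if high_threshold <= clear_threshold:
            raise ValueError("high-threshold must be greater than clear-threshold")
        self.max_users = max_users
        self.high = high_threshold
        self.clear = clear_threshold
        self.raised = False

    def update(self, online_users):
        """Feed the current online user count; return 'alarm', 'clear' or None."""
        percent = online_users * 100 / self.max_users
        if not self.raised and percent >= self.high:
            self.raised = True          # one notification until the alarm clears
            return "alarm"
        if self.raised and percent < self.clear:
            self.raised = False
            return "clear"
        return None


def notifications(max_users, high, clear, samples):
    """Run a sequence of online-user counts; return the (count, event) pairs emitted."""
    alarm = MaxUserAlarm(max_users, high, clear)
    events = []
    for count in samples:
        event = alarm.update(count)
        if event:
            events.append((count, event))
    return events


if __name__ == "__main__":
    # Constructed sample: max-user 32, thresholds 70/40 as in the examples above.
    print(notifications(32, 70, 40, [10, 23, 30, 20, 12, 25]))
    # [(23, 'alarm'), (12, 'clear'), (25, 'alarm')]
```

With 32 users allowed, 23 online is 71.9 percent and raises the alarm; 30 and 20 produce nothing because the alarm is already raised and 62.5 percent is not below the clear threshold; 12 online (37.5 percent) clears it, and 25 raises it again.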

Examples

# Enable 802.1X max user alarm on an interface and set the alarm threshold and alarm clear threshold to 70 and 40, respectively.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] dot1x max-user-alarm high-threshold 70 clear-threshold 40

Related commands

display dot1x

dot1x max-user

dot1x quiet-period

Use dot1x quiet-period to enable the quiet timer.

Use undo dot1x quiet-period to disable the quiet timer.

Syntax

dot1x quiet-period

undo dot1x quiet-period

Default

The quiet timer is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

When a client fails 802.1X authentication, the device must wait a period of time before it can process authentication requests from the client. You can use the dot1x timer quiet-period command to set the quiet timer.
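The quiet timer is the device's throttle against repeated failed logins from one client. The following added example (not H3C code) models the quiet-state logic as this reference describes it: with only dot1x quiet-period configured, a failed client is held quiet for the quiet period; with the fail-retry and retry-period options of dot1x timer quiet-period, the client is held quiet only after that many consecutive failures within the retry period (see the Max auth-fail times before quiet and Max auth-fail period before quiet fields of display dot1x). That a successful authentication resets the failure count, and that a request arriving exactly when the timer expires is processed, are this example's assumptions; the MAC addresses and timestamps are constructed.

```python
from collections import defaultdict


class QuietTimer:
    """Models dot1x quiet-period with dot1x timer quiet-period [fail-retry N retry-period P].

    Times are seconds on any monotonic clock. Per client (keyed by MAC address)
    the model keeps the timestamps of consecutive failures inside the retry period
    and the time at which a running quiet timer expires.
    """

    def __init__(self, quiet_period=60, fail_retries=None, retry_period=None):
        self.quiet_period = quiet_period        # dot1x timer quiet-period, default 60 s
        self.fail_retries = fail_retries        # None: quiet after a single failure (assumed)
        self.retry_period = retry_period        # None: failures never age out of the window
        self.quiet_until = {}                   # mac -> expiry time of the quiet timer
        self.failures = defaultdict(list)       # mac -> timestamps of consecutive failures

    def accept_request(self, mac, now):
        """True if the device processes an authentication request from mac at time now."""
        return now >= self.quiet_until.get(mac, 0)

    def record_result(self, mac, now, success):
        """Update state after an authentication attempt; return True if quiet started."""
        if success:
            self.failures.pop(mac, None)         # a success ends the consecutive-failure run
            return False
        window = self.failures[mac]
        if self.retry_period is not None:
            window[:] = [t for t in window if now - t <= self.retry_period]
        window.append(now)
        if len(window) >= (self.fail_retries or 1):
            self.quiet_until[mac] = now + self.quiet_period
            self.failures.pop(mac, None)
            return True
        return False


if __name__ == "__main__":
    # Constructed sample: quiet 60 s, quiet after 3 failures within 30 s.
    qt = QuietTimer(quiet_period=60, fail_retries=3, retry_period=30)
    mac = "0001-0000-0000"
    for t in (0, 10, 20):
        print(t, "quiet started:", qt.record_result(mac, t, success=False))
    print("request at 50 processed:", qt.accept_request(mac, 50))
    print("request at 80 processed:", qt.accept_request(mac, 80))
```

The retry-period window is what keeps slow, spaced-out failures from ever triggering the quiet state, which is why the reference pairs the two values; a client failing at 0, 40 and 50 seconds with a 30-second window never reaches three failures in the window.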

Examples

# Enable the quiet timer and set the quiet timer to 100 seconds.

<Sysname> system-view

[Sysname] dot1x quiet-period

[Sysname] dot1x timer quiet-period 100

Related commands

display dot1x

dot1x timer

dot1x re-authenticate

Use dot1x re-authenticate to enable the periodic online user reauthentication feature.

Use undo dot1x re-authenticate to disable the periodic online user reauthentication feature.

Syntax

dot1x re-authenticate

undo dot1x re-authenticate

Default

The periodic online user reauthentication feature is disabled.

Views

Layer 3 Ethernet interface view

Layer 3 aggregate interface view

Layer 3 Ethernet subinterface view

Layer 3 aggregate subinterface view

Predefined user roles

network-admin

Usage guidelines

Periodic reauthentication enables the access device to periodically authenticate online 802.1X users on an interface. This feature tracks the connection status of online users and updates the authorization attributes assigned by the server, such as the URL, user group, and QoS profile.

You can use the dot1x timer reauth-period command to configure the interval for reauthentication.

Examples

# Enable the 802.1X periodic online user reauthentication feature on Ten-GigabitEthernet 3/1/1, and set the periodic reauthentication interval to 1800 seconds.

<Sysname> system-view

[Sysname] dot1x timer reauth-period 1800

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] dot1x re-authenticate

Related commands

display dot1x

dot1x timer

dot1x re-authenticate { authentication-fail | server-unreachable } keep-online

Use dot1x re-authenticate { authentication-fail | server-unreachable } keep-online to enable the keep-online feature for a situation.

Use undo dot1x re-authenticate { authentication-fail | server-unreachable } keep-online to disable the keep-online feature for a situation.

Syntax

dot1x re-authenticate { authentication-fail | server-unreachable } keep-online

undo dot1x re-authenticate { authentication-fail | server-unreachable } keep-online

Default

The keep-online feature is disabled. The device logs off online 802.1X users if no authentication server is reachable for 802.1X reauthentication or the reauthentication fails.

Views

Layer 3 Ethernet interface view

Layer 3 aggregate interface view

Layer 3 Ethernet subinterface view

Layer 3 aggregate subinterface view

Predefined user roles

network-admin

Parameters

authentication-fail: Specifies the authentication failure situation.

server-unreachable: Specifies the server unreachable situation.

Usage guidelines

This feature allows authenticated 802.1X users to stay online when no server is reachable for 802.1X reauthentication or the users fail reauthentication.

Examples

# Allow authenticated 802.1X users on Ten-GigabitEthernet 3/1/1 to stay online when no server is reachable for 802.1X reauthentication.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/1/1

[Sysname-Ten-GigabitEthernet3/1/1] dot1x re-authenticate server-unreachable keep-online

Related commands

display dot1x

dot1x re-authenticate

dot1x retry

Use dot1x retry to set the maximum number of attempts for sending an authentication request to a client.

Use undo dot1x retry to restore the default.

Syntax

dot1x retry retries

undo dot1x retry

Default

A maximum of two attempts are made to send an authentication request to a client.

Views

System view

Predefined user roles

network-admin

Parameters

retries: Specifies the maximum number of attempts for sending an authentication request to a client. The value range is 1 to 10.

Usage guidelines

The access device retransmits an authentication request to a client if it does not receive any response from the client within the client timeout interval. For an EAP-Request/Identity packet, the client timeout interval is set by using the dot1x timer tx-period command. For an EAP-Request/MD5-Challenge packet, the client timeout interval is set by using the dot1x timer supp-timeout supp-timeout-value command.

The access device stops retransmitting the request if it has made the maximum number of request transmission attempts but still received no response.

Examples

# Set the maximum number of attempts to 9 for sending an authentication request to a client.

<Sysname> system-view

[Sysname] dot1x retry 9

Related commands

display dot1x

dot1x timer

dot1x timer

Use dot1x timer to set an 802.1X timer.

Use undo dot1x timer to restore the default of an 802.1X timer.

Syntax

dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value [ fail-retry fail-retries retry-period retry-period-value ] | reauth-period reauth-period-value | server-timeout server-timeout-value | supp-timeout supp-timeout-value | tx-period tx-period-value }

undo dot1x timer { handshake-period | quiet-period | reauth-period | server-timeout | supp-timeout | tx-period }

Default

The following 802.1X timers apply:

·     Handshake timer: 15 seconds.

·     Quiet timer: 60 seconds.

·     Periodic reauthentication timer: 3600 seconds.

·     Server timeout timer: 100 seconds.

·     Client timeout timer: 30 seconds.

·     Username request timeout timer: 30 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

handshake-period handshake-period-value: Sets the handshake timer in seconds. The value range for the handshake-period-value argument is 5 to 1024.

quiet-period quiet-period-value: Sets the quiet timer in seconds. The value range for the quiet-period-value argument is 10 to 120.

fail-retry fail-retries: Sets the maximum number of consecutive authentication failures allowed for a client before the system places the client in quiet state. The value range for the fail-retries argument is 1 to 20.

retry-period retry-period-value: Sets the client retry timeout period in seconds. The value range for the retry-period-value argument is 10 to 65535.

reauth-period reauth-period-value: Sets the periodic reauthentication timer in seconds. The value range for the reauth-period-value argument is 60 to 7200.

server-timeout server-timeout-value: Sets the server timeout timer in seconds. The value range for the server-timeout-value argument is 100 to 300.

supp-timeout supp-timeout-value: Sets the client timeout timer in seconds. The value range for the supp-timeout-value argument is 1 to 120.

tx-period tx-period-value: Sets the username request timeout timer, in seconds. The value range for the tx-period-value argument is 1 to 120.

Usage guidelines

In most cases, the default settings are sufficient. You can adjust the timers depending on the network conditions.

·     In a low-speed network, increase the client timeout timer.

·     In a vulnerable network, set the quiet timer to a high value.

·     In a high-performance network with quick authentication response, set the quiet timer to a low value.

·     In a network with authentication servers of different performance, adjust the server timeout timer.

The network device uses the following 802.1X timers:

·     Handshake timer (handshake-period)—Sets the interval at which the access device sends client handshake requests to check the online status of a client that has passed authentication. If the device does not receive a response after sending the maximum number of handshake requests, it considers that the client has logged off.

·     Quiet timer (quiet-period)—Starts when a client fails authentication. The access device must wait the time period before it can process the authentication attempts from the client. To restrict the number of consecutive authentication failures allowed for a client within a time period, specify the fail-retry fail-retries and retry-period retry-period-value options. The device places a client in quiet state if the maximum number of consecutive authentication failures has been reached for the client within the specified retry timeout period. If the retry timeout period expires before the maximum number of consecutive authentication failures is reached, the device recounts the number of authentication failures. However, if the client still fails authentication when the timer expires, the device places the client in quiet state.

If you do not specify the fail-retry fail-retries or retry-period retry-period-value option, the device places a user in quiet state after the user fails authentication for the first time. If you set the fail-retry fail-retries option to 1, the device also places a user in quiet state after the user fails authentication for the first time.

·     Periodic reauthentication timer (reauth-period)—Sets the interval at which the network device periodically reauthenticates online 802.1X users. To enable periodic online user reauthentication on an interface, use the dot1x re-authenticate command.

·     Server timeout timer (server-timeout)—Starts when the access device sends a RADIUS Access-Request packet to the authentication server. If no response is received when this timer expires, the 802.1X authentication fails.

·     Client timeout timer (supp-timeout)—Starts when the access device sends an EAP-Request/MD5-Challenge packet to a client. If no response is received when this timer expires, the access device retransmits the request to the client.

·     Username request timeout timer (tx-period)—Starts when the device sends an EAP-Request/Identity packet to a client in response to an authentication request. If the device does not receive a response before this timer expires, it retransmits the request. The timer also sets the interval at which the network device sends multicast EAP-Request/Identity packets to detect clients that cannot actively request authentication.

A change to the periodic reauthentication timer takes effect on users that are already online only after the old timer expires. Changes to the other timers take effect immediately on the device.
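The quiet-timer rules above are the ones that determine how an 802.1X port throttles a client that keeps failing, so as an added example (not H3C code) here is a model of that logic, with and without the fail-retry and retry-period options. Class and function names are hypothetical, the failure events are constructed, and the handling of a failure that arrives after the retry window has expired (count starts over) is an assumption.

```python
# Added example: a model of the dot1x timer quiet-period logic with the optional
# fail-retry / retry-period options. Not H3C code; event times are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class ClientState:
    failures: int = 0                      # consecutive failures in the current window
    window_start: Optional[float] = None   # when the retry-period window opened
    quiet_until: Optional[float] = None    # end of the quiet state, if any

@dataclass
class QuietTimer:
    quiet_period: float = 60.0              # quiet-period-value (default 60 s)
    fail_retries: Optional[int] = None      # fail-retries, None if not configured
    retry_period: Optional[float] = None    # retry-period-value, None if not configured
    clients: Dict[str, ClientState] = field(default_factory=dict)

    def is_quiet(self, mac: str, now: float) -> bool:
        """True while the device must not process attempts from this client."""
        st = self.clients.get(mac)
        return st is not None and st.quiet_until is not None and now < st.quiet_until

    def on_failure(self, mac: str, now: float) -> bool:
        """Record an authentication failure; return True if the client enters quiet state."""
        st = self.clients.setdefault(mac, ClientState())
        if self.fail_retries is None or self.retry_period is None:
            # Without fail-retry/retry-period the first failure triggers the quiet state.
            st.quiet_until = now + self.quiet_period
            return True
        if st.window_start is None or now - st.window_start >= self.retry_period:
            # Assumption: once the retry window has expired, the count starts over.
            st.window_start, st.failures = now, 0
        st.failures += 1
        if st.failures >= self.fail_retries:
            st.quiet_until = now + self.quiet_period
            st.window_start, st.failures = None, 0
            return True
        return False

def simulate(timer: QuietTimer, failures: List[Tuple[float, str]]) -> List[Tuple[float, str, str]]:
    """Replay constructed (time, mac) failure events; label each as ignored, counted or quiet."""
    out = []
    for now, mac in failures:
        if timer.is_quiet(mac, now):
            out.append((now, mac, "ignored (quiet)"))
        else:
            out.append((now, mac, "quiet" if timer.on_failure(mac, now) else "counted"))
    return out
```

Replaying three failures ten seconds apart with fail-retry 3 and retry-period 30 places the client in quiet state at the third failure and ignores its next attempt for 60 s, which is the behaviour to expect in the logs when a device is misconfigured or a credential is being guessed.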

Examples

# Set the server timeout timer to 150 seconds.

<Sysname> system-view

[Sysname] dot1x timer server-timeout 150

Related commands

display dot1x

reset dot1x access-user

Use reset dot1x access-user to log off 802.1X users.

Syntax

reset dot1x access-user [ interface interface-type interface-number | mac mac-address | username username ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

mac mac-address: Specifies an 802.1X user by its MAC address. The mac-address argument is in the format of H-H-H.

username username: Specifies an 802.1X user by its name. The username argument is a case-sensitive string of 1 to 253 characters.

Usage guidelines

Use this command to log off the specified 802.1X users and clear information about these users from the device. These users must perform 802.1X authentication to come online again.

If you do not specify any parameters, this command logs off all 802.1X users on the device.

Examples

# Log off all 802.1X users on Ten-GigabitEthernet 3/1/1.

<Sysname> reset dot1x access-user interface ten-gigabitethernet 3/1/1

Related commands

display dot1x connection

reset dot1x statistics

Use reset dot1x statistics to clear 802.1X statistics.

Syntax

reset dot1x statistics [ interface interface-type interface-number ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command clears 802.1X statistics on all interfaces.

Examples

# Clear 802.1X statistics on Ten-GigabitEthernet 3/1/1.

<Sysname> reset dot1x statistics interface ten-gigabitethernet 3/1/1

Related commands

display dot1x
