client-security aaa attribute ip-snooping-method
client-security accounting-delay time
client-security accounting-restart trigger ipv4
client-security accounting-start trigger
client-security accounting-update trigger
client-security authentication critical-vlan
client-security authentication fail-vlan
client-security authorization trigger byod
client-security authentication-mode
client-security authorization-fail offline
client-security ignore-authentication
client-security ignore-authorization
client-security intrusion-protection action
client-security intrusion-protection enable
client-security intrusion-protection timer temporary-block
client-security intrusion-protection timer temporary-service-stop
display mac-authentication connection
display wlan client-security block-mac
display wlan statistics accounting
mac-authentication authentication-method
reset mac-authentication statistics
wlan authentication optimization
wlan client-security authentication clear-previous-connection
WLAN authentication commands
client url-redirect acl
Use client url-redirect acl to specify an ACL to match traffic that triggers URL redirection.
Use undo client url-redirect acl to restore the default.
Syntax
client url-redirect acl acl-number
undo client url-redirect acl
Default
No ACL is specified to match traffic that triggers URL redirection.
Views
Service template view
Predefined user roles
network-admin
Parameters
acl-number: Specifies an ACL by its number, in the range of 2000 to 3999.
Usage guidelines
By default, the device uses the authorization ACL deployed by the RADIUS server to match traffic that triggers URL redirection. Rule conflicts might exist if the authorization ACL is used by multiple features. To avoid undesirable redirection results, specify a dedicated ACL to match traffic that triggers URL redirection.
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
Examples
# In service template service1, specify ACL 3111 to match traffic that triggers URL redirection.
<Sysname> system-view
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] client url-redirect acl 3111
Related commands
client url-redirect enable
client url-redirect enable
Use client url-redirect enable to enable URL redirection for WLAN clients.
Use undo client url-redirect enable to disable URL redirection for WLAN clients.
Syntax
client url-redirect enable [ mode native [ https [ redirect-stop-timer seconds ] [ count number ] ] ]
undo client url-redirect enable
Default
URL redirection is disabled for WLAN clients.
Views
Service template view
Predefined user roles
network-admin
Parameters
mode native: Sets the URL redirection mode to native mode. In this mode, the device redirects a MAC authentication client if it does not have a redirect URL access record for that client in the local cache.
https: Stops redirecting an HTTPS client if the number of its visits to the IP addresses of the redirect URL has reached the limit before the redirect stop timer expires.
redirect-stop-timer seconds: Sets the redirect stop timer in seconds. The value range for the seconds argument is 1 to 30 seconds and the default setting is 5 seconds.
count number: Sets the minimum number of visits to the IP addresses of the redirect URL. The value range for the number argument is 3 to 60 and the default setting is 3.
Usage guidelines
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
This command takes effect only on clients that use RADIUS-based MAC authentication.
In RADIUS-based MAC authentication, a client can pass authentication only if the RADIUS server has its credential information (username and password) and MAC address.
URL redirection helps a client authenticate to the RADIUS server after it has failed MAC authentication because the server does not have its credential information and MAC address. This feature redirects the client to a specified authentication webpage URL for portal authentication. After the client passes portal authentication, the RADIUS server records the client's credential information and MAC address. At the same time, the server uses DM requests to log off the client. At the next MAC authentication attempt, the client can pass MAC authentication. For information about DMs, see AAA configuration in User Access and Authentication Configuration Guide.
Typically, redirect decisions are made on the RADIUS server. If the RADIUS server contains MAC authentication information about a client, the client can pass authentication without being redirected to the redirect URL. To make sure all clients visit the redirect URL for purposes such as advertisement, set the URL redirection mode to native mode. In this mode, the device maintains redirect URL access records for clients and makes URL redirection decisions based on the records, as follows:
· Redirects the client if no URL access record is found for the client.
· Stops redirecting an HTTP client if a URL access record exists for the client.
· Stops redirecting an HTTPS client if the number of its visits to the IP addresses of the redirect URL has reached the specified limit before the redirect stop timer expires.
IMPORTANT: The native redirection mode must be used together with the client url-redirect acl command.
Examples
# Enable native URL redirection for WLAN clients in service template service1. Stop redirecting an HTTPS client if that client has visited the IP addresses of the redirect URL 10 times or more within 10 seconds.
<Sysname> system-view
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] client url-redirect enable mode native https redirect-stop-timer 10 count 10
Related commands
client url-redirect acl
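The three native-mode decision rules above, modelled as a small per-client record keeper. This is an added illustration, not H3C code; the redirect URL IP address and client MACs are constructed, and it assumes the redirect stop timer starts at a client's first counted visit and that a fresh count window opens once that timer has expired.

```python
from dataclasses import dataclass

DEFAULT_STOP_TIMER = 5   # redirect-stop-timer default on the page (range 1-30 s)
DEFAULT_COUNT = 3        # count default on the page (range 3-60)


@dataclass
class AccessRecord:
    """Per-client redirect URL access record kept by the device in native mode."""
    window_start: float        # time of the first counted visit in the current timer window
    visits: int = 0
    stop_redirect: bool = False


class NativeModeRedirector:
    def __init__(self, redirect_url_ips, stop_timer=DEFAULT_STOP_TIMER, count=DEFAULT_COUNT):
        self.redirect_url_ips = set(redirect_url_ips)
        self.stop_timer = stop_timer
        self.count = count
        self.records = {}   # client MAC -> AccessRecord

    def handle(self, mac, dst_ip, scheme, now):
        """Return 'forward' or 'redirect' for one request from client `mac` at time `now`."""
        rec = self.records.get(mac)
        if dst_ip in self.redirect_url_ips:
            # A visit to the redirect URL itself is let through and recorded.
            # Assumption: a new timer window opens if the previous one expired
            # before the client reached the limit.
            if rec is None or (not rec.stop_redirect and now - rec.window_start > self.stop_timer):
                rec = AccessRecord(window_start=now)
                self.records[mac] = rec
            rec.visits += 1
            if scheme == "http":
                rec.stop_redirect = True        # rule 2: a record now exists for the HTTP client
            elif rec.visits >= self.count:
                rec.stop_redirect = True        # rule 3: limit reached before the timer expired
            return "forward"
        if rec is None:
            return "redirect"                   # rule 1: no access record for this client
        if scheme == "http":
            return "forward"                    # rule 2
        return "forward" if rec.stop_redirect else "redirect"   # rule 3
```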
client-security aaa attribute ip-snooping-method
Use client-security aaa attribute ip-snooping-method to include the client IP snooping method in RADIUS packets.
Use undo client-security aaa attribute ip-snooping-method to restore the default.
Syntax
client-security aaa attribute ip-snooping-method
undo client-security aaa attribute ip-snooping-method
Default
The device does not include the client IP snooping method in RADIUS packets.
Views
Service template view
Predefined user roles
network-admin
Usage guidelines
The device can obtain the IP address of a client by snooping packets such as DHCP and ARP packets. To help the RADIUS server determine whether the IP address of an 802.1X or MAC authentication client is assigned by a DHCP server, send the IP snooping method in RADIUS packets to the server.
The IP snooping method is encapsulated in the H3c-Ip-Source-Mod attribute (an extended RADIUS attribute with ID 221).
To identify the IP snooping method, the RADIUS server must support extended RADIUS attributes with a vendor ID of 25506. For more information, see AAA configuration in User Access and Authentication Configuration Guide.
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
Examples
# In service template service1, include the client IP snooping method in RADIUS packets.
<Sysname> system-view
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] client-security aaa attribute ip-snooping-method
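How the H3c-Ip-Source-Mod sub-attribute travels inside a RADIUS Vendor-Specific attribute (vendor ID 25506, vendor type 221), and the length checks a server needs when it walks the attribute list. This is an added example, not H3C or RADIUS-server code; the VSA layout is the RFC 2865 one, while the 4-byte integer encoding of the value and the method numbering in SNOOPING_METHODS are assumptions for the example.

```python
import struct

RADIUS_VENDOR_SPECIFIC = 26   # RFC 2865 attribute type
H3C_VENDOR_ID = 25506         # vendor ID from the page
H3C_IP_SOURCE_MOD = 221       # extended attribute ID from the page

# Hypothetical numbering of the snooping methods (not given on the page).
SNOOPING_METHODS = {1: "dhcp", 2: "arp"}


def build_vsa(vendor_id, vendor_type, value):
    """Encode one Vendor-Specific attribute: Type 26, Length, Vendor-Id,
    then the vendor Type / Length / Value triple."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + inner
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def build_ip_source_mod(method_code):
    """H3c-Ip-Source-Mod with the method encoded as a 4-byte integer (assumption)."""
    return build_vsa(H3C_VENDOR_ID, H3C_IP_SOURCE_MOD, struct.pack("!I", method_code))


def parse_attributes(data):
    """Walk a RADIUS attribute list, rejecting truncated or oversized entries."""
    attrs, off = [], 0
    while off < len(data):
        if len(data) - off < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[off], data[off + 1]
        if alen < 2 or off + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[off + 2:off + alen]))
        off += alen
    return attrs


def parse_vsa(value):
    """Split a Vendor-Specific value into (vendor_id, [(vendor_type, value), ...])."""
    if len(value) < 4:
        raise ValueError("VSA shorter than Vendor-Id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    subs, off = [], 4
    while off < len(value):
        if len(value) - off < 2:
            raise ValueError("truncated vendor sub-attribute")
        vtype, vlen = value[off], value[off + 1]
        if vlen < 2 or off + vlen > len(value):
            raise ValueError("bad vendor sub-attribute length")
        subs.append((vtype, value[off + 2:off + vlen]))
        off += vlen
    return vendor_id, subs


def ip_snooping_method(attr_bytes):
    """Return the snooping method name carried in the attribute list, or None
    when no vendor 25506 / type 221 sub-attribute is present."""
    for atype, value in parse_attributes(attr_bytes):
        if atype != RADIUS_VENDOR_SPECIFIC:
            continue
        vendor_id, subs = parse_vsa(value)
        if vendor_id != H3C_VENDOR_ID:
            continue   # a server that does not know vendor 25506 stops here
        for vtype, vvalue in subs:
            if vtype == H3C_IP_SOURCE_MOD and len(vvalue) == 4:
                return SNOOPING_METHODS.get(struct.unpack("!I", vvalue)[0], "unknown")
    return None
```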
client-security accounting-delay time
Use client-security accounting-delay time to configure the accounting delay.
Use undo client-security accounting-delay time to restore the default.
Syntax
client-security accounting-delay time time [ no-ip-logoff ]
undo client-security accounting-delay time
Default
The device sends a start-accounting request for a client only when the device learns the IP address of that client.
Views
Service template view
Predefined user roles
network-admin
Parameters
time: Sets the accounting delay timer. The value range for the time argument is 1 to 600 seconds.
no-ip-logoff: Logs off a client if the device has failed to obtain the client IP address before the delay timer expires. If you do not specify this keyword, the device sends a start-accounting request immediately after the accounting delay timer expires.
Usage guidelines
The accounting delay timer operates in conjunction with an IP-based accounting-start trigger. The timer specifies the maximum interval for the device to learn the IP address of an 802.1X or MAC authenticated client before it takes the specified action.
The timer starts when a client passes 802.1X or MAC authentication. If the device has failed to learn an IP address that matches the IP-based accounting-start trigger before the accounting delay timer expires, the device takes either of the following actions:
· Sends a start-accounting request immediately if the no-ip-logoff action is not specified.
· Logs off the client if the no-ip-logoff action is specified.
Configure the accounting delay timer depending on the typical amount of time for the device to learn the IP address of a client. As a best practice, increase the delay timer on a low-performance network.
The timer takes effect only on clients that come online after the timer is configured.
Examples
# Set the accounting delay timer to 15 seconds in service template service1. Configure the device to log off a client if it has failed to learn the required client IP address before the delay timer expires.
<Sysname> system-view
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] client-security accounting-delay time 15 no-ip-logoff
Related commands
client-security accounting-start trigger
client-security accounting-restart trigger ipv4
Use client-security accounting-restart trigger ipv4 to enable the IPv4 address-based accounting-restart trigger for clients.
Use undo client-security accounting-restart trigger ipv4 to disable the IPv4 address-based accounting-restart trigger for clients.
Syntax
client-security accounting-restart trigger ipv4 [ delay interval ]
undo client-security accounting-restart trigger ipv4
Default
The IPv4 address-based accounting-restart trigger is disabled.
Views
Service template view
Predefined user roles
network-admin
Parameters
delay interval: Sets the delay for the device to send a start-accounting request for another accounting cycle after it sends a stop-accounting request. The value range for the interval argument is 0 to 20 seconds. The default delay time is 15 seconds.
Usage guidelines
The IPv4 address-based accounting-restart trigger applies to 802.1X and MAC authentication clients.
This trigger restarts accounting for a client by sending a stop-accounting request and then a start-accounting request to the accounting server when the IPv4 address of the client changes.
This trigger has higher priority than the accounting-update trigger configured for IPv4 by using the client-security accounting-update trigger command.
This trigger is configurable when the service template is disabled, and it takes effect after the service template is enabled.
Examples
# Enable the IPv4 address-based accounting-restart trigger in service template service1.
<Sysname> system-view
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] client-security accounting-restart trigger ipv4
client-security accounting-start trigger
Use client-security accounting-start trigger to configure an accounting-start trigger for clients.
Use undo client-security accounting-start trigger to restore the default.
Syntax
client-security accounting-start trigger { ipv4 | ipv4-ipv6 | ipv6 | none }
undo client-security accounting-start trigger
Default
The accounting-start trigger is based on IPv4 address type.
Views
Service template view
Predefined user roles
network-admin
Parameters
ipv4: Sends a start-accounting request if an 802.1X or MAC authenticated client uses an IPv4 address.
ipv4-ipv6: Sends a start-accounting request if an 802.1X or MAC authenticated client uses an IPv4 or IPv6 address.
ipv6: Sends a start-accounting request if an 802.1X or MAC authenticated client uses an IPv6 address.
none: Sends a start-accounting request when a client passes authentication without examining its IP address type.
Usage guidelines
This command takes effect only on clients that have passed 802.1X or MAC authentication. For more information about accounting, see AAA in Security Configuration Guide.
For the accounting-start trigger to take effect, follow these guidelines:
· If the trigger is IP address type based, you must enable learning IP addresses of that type. For information about wireless client IP address learning, see WLAN IP snooping configuration in User Access and Authentication Configuration Guide.
· The IP-based trigger must match the requirement of the accounting server for the IP version.
The trigger takes effect only on clients that come online after the trigger is configured.
Examples
# Configure an IPv4 address-based accounting-start trigger in service template service1.
<Sysname> system-view
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] client-security accounting-start trigger ipv4
Related commands
client ipv4-snooping arp-learning enable
client ipv4-snooping dhcp-learning enable
client ipv6-snooping dhcpv6-learning enable
client ipv6-snooping nd-learning enable
client-security accounting-delay time
client-security accounting-update trigger
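The interplay of the accounting-start trigger and the accounting delay timer (client-security accounting-start trigger and client-security accounting-delay time), modelled as one decision function over a timeline of addresses learned by IP snooping. This is an added example, not H3C code; the timeline is constructed, and it assumes an address learned before the client authenticated does not count.

```python
import ipaddress


def _address_matches(trigger, addr):
    """Does a learned address satisfy the configured IP-based accounting-start trigger?"""
    version = ipaddress.ip_address(addr).version
    return {"ipv4": version == 4, "ipv6": version == 6, "ipv4-ipv6": True}[trigger]


def accounting_start_decision(trigger, auth_time, learned, delay=None, no_ip_logoff=False):
    """
    trigger      : 'ipv4' | 'ipv4-ipv6' | 'ipv6' | 'none'
    auth_time    : time the client passed 802.1X or MAC authentication (timer start)
    learned      : [(time, address), ...] learned by IP snooping, in time order
    delay        : accounting delay timer in seconds, or None when not configured
    no_ip_logoff : the no-ip-logoff keyword of client-security accounting-delay time
    Returns (action, time) with action 'start-accounting', 'logoff' or 'wait'.
    """
    if trigger == "none":
        return ("start-accounting", auth_time)      # no address check at all
    deadline = None if delay is None else auth_time + delay
    for t, addr in learned:
        if t < auth_time:
            continue                                 # assumption: pre-authentication addresses ignored
        if deadline is not None and t > deadline:
            break                                    # learned after the delay timer expired
        if _address_matches(trigger, addr):
            return ("start-accounting", t)           # matching address learned in time
    if deadline is None:
        # Default on the page: the request is sent only once a matching address is learned
        return ("wait", None)
    # Timer expired without a matching address: the outcome depends on no-ip-logoff
    return ("logoff", deadline) if no_ip_logoff else ("start-accounting", deadline)
```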
client-security accounting-update trigger
Use client-security accounting-update trigger to specify an event-based accounting-update trigger.
Use undo client-security accounting-update trigger to restore the default.
Syntax
client-security accounting-update trigger { ipv4 | ipv4-ipv6 | ipv6 }
undo client-security accounting-update trigger
Default
No event-based accounting-update trigger is configured. The device sends update-accounting requests to the accounting server only at the regular real-time accounting intervals assigned by the server or defined by the user.
Views
Service template view
Predefined user roles
network-admin
Parameters
ipv4: Sends an update-accounting request when the IPv4 address of an online 802.1X or MAC authenticated client changes.
ipv4-ipv6: Sends an update-accounting request when the IPv4 or IPv6 address of an online 802.1X or MAC authenticated client changes.
ipv6: Sends an update-accounting request when the IPv6 address of an online 802.1X or MAC authenticated client changes.
Usage guidelines
Use the accounting-update trigger in conjunction with the accounting-start trigger. The accounting-update trigger takes effect only if you have configured the accounting-start trigger by using the client-security accounting-start trigger command.
In addition to the event-based accounting-update trigger, you can set a regular accounting-update interval by using the timer realtime-accounting command.
The accounting-update trigger takes effect only on clients that come online after the trigger is configured.
Examples
# Configure an IPv4 address change-based accounting-update trigger in service template service1.
<Sysname> system-view
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] client-security accounting-update trigger ipv4
Related commands
client-security accounting-start trigger
timer realtime-accounting
client-security authentication critical-vlan
Use client-security authentication critical-vlan to configure a critical VLAN for a service template.
Use undo client-security authentication critical-vlan to restore the default.
Syntax
client-security authentication critical-vlan vlan-id
undo client-security authentication critical-vlan
Default
No critical VLAN exists for a service template.
Views
Service template view
Predefined user roles
network-admin
Parameters
vlan-id: Specifies the ID of the critical VLAN, in the range of 1 to 4094.
Usage guidelines
The WLAN critical VLAN accommodates clients that have failed WLAN authentication because all RADIUS servers in their ISP domains are unreachable. Clients in the critical VLAN can access a limited set of network resources depending on the configuration.
The authenticator reauthenticates a client in the critical VLAN at the interval of 30 seconds.
· If the client passes the reauthentication, the authenticator assigns the client to the authorization VLAN. If no authorization VLAN is configured, the client is assigned to the initial VLAN.
· If the client fails the reauthentication because all the RADIUS servers are unreachable, the client is still in the critical VLAN.
· If the client fails the reauthentication for any reason other than unreachable servers, the device assigns the client to the Auth-Fail VLAN. If no Auth-Fail VLAN is configured, the device handles the client depending on the intrusion protection setting. If the intrusion protection feature is not configured, the device logs off the client.
The critical VLAN feature does not take effect on clients that use RSNA. When these clients fail authentication because all the RADIUS servers are unreachable, the authenticator directly logs off the clients.
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
Examples
# Configure VLAN 10 as the critical VLAN in service template service1.
<Sysname> system-view
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] client-security authentication critical-vlan 10
client-security authentication fail-vlan
Use client-security authentication fail-vlan to configure an Auth-Fail VLAN for a service template.
Use undo client-security authentication fail-vlan to restore the default.
Syntax
client-security authentication fail-vlan vlan-id
undo client-security authentication fail-vlan
Default
No Auth-Fail VLAN exists for a service template.
Views
Service template view
Predefined user roles
network-admin
Parameters
vlan-id: Specifies the ID of the Auth-Fail VLAN, in the range of 1 to 4094. Make sure the VLAN has been created.
Usage guidelines
The WLAN Auth-Fail VLAN accommodates clients that have failed WLAN authentication because they do not comply with the organization's security policy, for example, clients that have entered invalid passwords. The Auth-Fail VLAN does not accommodate WLAN clients that have failed authentication because of authentication timeouts or network connection problems.
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
Examples
# Configure VLAN 10 as the Auth-Fail VLAN in service template 1.
[Sysname] wlan service-template 1
[Sysname-wlan-st-1] client-security authentication fail-vlan 10
client-security authorization trigger byod
Use client-security authorization trigger byod to enable the BYOD authorization trigger.
Use undo client-security authorization trigger byod to disable the BYOD authorization trigger.
Syntax
client-security authorization trigger byod
undo client-security authorization trigger byod
Default
The BYOD authorization trigger is disabled.
Views
Service template view
Predefined user roles
network-admin
Usage guidelines
This command enables the access device to trigger BYOD authorization for an authenticated client after the device obtains that client's BYOD information, including its IP address. When BYOD authorization is triggered, the session-timeout timer assigned to the client restarts, extending the time the client can stay online before reauthentication is required. On a low-performance network, obtaining the IP address of a client might take so long that the client's online time is extended undesirably.
As a best practice to avoid this undesirable issue, use this command only if BYOD authorization is required and make sure the network performance is good. For more information about BYOD authorization, see AAA configuration in User Access and Authentication Configuration Guide.
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
Examples
# Enable the BYOD authorization trigger in service template service1.
<Sysname> system-view
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] client-security authorization trigger byod
client-security authentication-mode
Use client-security authentication-mode to set the authentication mode for WLAN clients.
Use undo client-security authentication-mode to restore the default.
Syntax
client-security authentication-mode { dot1x | dot1x-then-mac | mac | mac-and-dot1x | mac-then-dot1x | oui-then-dot1x }
undo client-security authentication-mode
Default
The WLAN authentication mode is Bypass. The device does not perform authentication for WLAN clients.
Views
Service template view
Predefined user roles
network-admin
Parameters
dot1x: Performs only 802.1X authentication for the attached clients. A client cannot access the network if it fails 802.1X authentication.
dot1x-then-mac: Performs 802.1X authentication for the attached clients first, and then MAC authentication if they fail 802.1X authentication. If a client passes 802.1X authentication, MAC authentication is not performed. A client cannot access the network if it does not pass either authentication.
mac: Performs only MAC authentication for the attached clients. A client cannot access the network if it fails MAC authentication.
mac-and-dot1x: Performs MAC authentication for the attached clients first, and then 802.1X authentication. The attached clients must pass MAC authentication and then 802.1X authentication before they can access the network. A client cannot access the network if it fails MAC authentication or 802.1X authentication.
mac-then-dot1x: Performs MAC authentication for the attached clients first, and then 802.1X authentication if they fail MAC authentication. If a client passes MAC authentication, 802.1X authentication is not performed. A client cannot access the network if it does not pass either authentication.
oui-then-dot1x: Performs OUI authentication for the attached clients first, and then 802.1X authentication if they fail OUI authentication. If a client passes OUI authentication, 802.1X authentication is not performed. A client cannot access the network if it does not pass either authentication.
Usage guidelines
A service template allows multiple authenticated clients to access the network in any authentication mode. To set the maximum number of 802.1X clients, use the dot1x max-user command. To set the maximum number of MAC authentication clients, use the mac-authentication max-user command.
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
The dot1x-then-mac, mac-then-dot1x, and oui-then-dot1x modes require iNode. To use such a mode, make sure the iNode client is installed on the wireless endpoints.
Examples
# Set the authentication mode to mac for WLAN clients in service template service1.
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] client-security authentication-mode mac
client-security authorization-fail offline
Use client-security authorization-fail offline to enable the authorization-fail-offline feature.
Use undo client-security authorization-fail offline to disable the authorization-fail-offline feature.
Syntax
client-security authorization-fail offline
undo client-security authorization-fail offline
Default
The authorization-fail-offline feature is disabled.
Views
Service template view
Predefined user roles
network-admin
Usage guidelines
The authorization-fail-offline feature logs off WLAN clients that fail ACL or user profile authorization.
A WLAN client fails ACL or user profile authorization in the following situations:
· The device or server fails to authorize the specified ACL or user profile to the client.
· The authorized ACL or user profile does not exist.
If this feature is disabled, the device does not log off WLAN clients that fail ACL or user profile authorization. However, the device outputs logs to report the failure.
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
Examples
# Enable the authorization-fail-offline feature for service template service1.
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] client-security authorization-fail offline
client-security ignore-authentication
Use client-security ignore-authentication to configure the device to ignore the 802.1X or MAC authentication failures.
Use undo client-security ignore-authentication to restore the default.
Syntax
client-security ignore-authentication
undo client-security ignore-authentication
Default
The device does not ignore the authentication failures for wireless clients that use 802.1X authentication or RADIUS-based MAC authentication.
Views
Service template view
Predefined user roles
network-admin
Usage guidelines
This command applies to the following clients:
· Clients that use 802.1X authentication.
This command enables the device to ignore 802.1X authentication failures and allow clients that have failed 802.1X authentication to come online.
· Clients that use both RADIUS-based MAC authentication and portal authentication.
Typically, a client must pass MAC authentication and portal authentication in turn to access network resources. The client provides a username and password each time portal authentication is performed.
This command simplifies the authentication process for a client as follows:
  · If the RADIUS server already records the client's MAC authentication information, the client passes MAC authentication. The device allows the client to access network resources without performing portal authentication.
  · If the RADIUS server does not record the client's MAC authentication information, the client fails MAC authentication. The device ignores the MAC authentication failure and performs portal authentication for the client. If the client passes portal authentication, it can access network resources. The MAC address of the portal authenticated client is then recorded as MAC authentication information on the RADIUS server.
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
Do not use this command for 802.1X clients that use RSN to roam to a new AP.
Examples
# Configure the device to ignore 802.1X or MAC authentication failures in service template service1.
<Sysname> system-view
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] client-security ignore-authentication
client-security ignore-authorization
Use client-security ignore-authorization to configure the device to ignore the authorization information received from the authentication server (a RADIUS server or the local device).
Use undo client-security ignore-authorization to restore the default.
Syntax
client-security ignore-authorization
undo client-security ignore-authorization
Default
The device uses the authorization information from the server.
Views
Service template view
Predefined user roles
network-admin
Usage guidelines
After a client passes RADIUS or local authentication, the server performs authorization based on the authorization attributes configured for the user account. For example, the server can assign a VLAN. If you do not want the device to use these authorization attributes for clients, configure this command to ignore the authorization information from the server. Authorization information includes VLAN and CAR information.
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
Examples
# Configure the device to ignore the authorization information from the authentication server for service template service1.
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] client-security ignore-authorization
client-security intrusion-protection action
Use client-security intrusion-protection action to configure the intrusion protection action that the device takes when intrusion protection detects illegal frames.
Use undo client-security intrusion-protection action to restore the default.
Syntax
client-security intrusion-protection action { service-stop | temporary-block | temporary-service-stop }
undo client-security intrusion-protection action
Default
The intrusion protection action is temporary-block.
Views
Service template view
Predefined user roles
network-admin
Parameters
service-stop: Stops the BSS where an illegal frame is received until the BSS is enabled manually on the radio interface.
temporary-block: Adds the source MAC address of an illegal frame to the blocked MAC address list for a period. To set the period, use the client-security intrusion-protection timer temporary-block command.
temporary-service-stop: Stops the BSS where an illegal frame is received for a period. To set the period, use the client-security intrusion-protection timer temporary-service-stop command.
Usage guidelines
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
For this command to take effect, you must also use the client-security intrusion-protection enable command to enable the intrusion protection feature.
Examples
# Configure the device to stop the BSS where intrusion protection detects illegal frames for service template service1.
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] client-security intrusion-protection enable
[Sysname-wlan-st-service1] client-security intrusion-protection action service-stop
Related commands
client-security intrusion-protection enable
client-security intrusion-protection timer temporary-block
client-security intrusion-protection timer temporary-service-stop
client-security intrusion-protection enable
Use client-security intrusion-protection enable to enable the intrusion protection feature.
Use undo client-security intrusion-protection enable to disable the intrusion protection feature.
Syntax
client-security intrusion-protection enable
undo client-security intrusion-protection enable
Default
The intrusion protection feature is disabled.
Views
Service template view
Predefined user roles
network-admin
Usage guidelines
When the device receives an association request from an illegal client, the device takes the predefined protection action on the BSS where the request is received. A client is illegal if its MAC address fails WLAN authentication. To set the protection action, use the client-security intrusion-protection action command.
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
Examples
# Enable the intrusion protection feature for service template service1.
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] client-security intrusion-protection enable
Related commands
client-security intrusion-protection action
client-security intrusion-protection timer temporary-block
Use client-security intrusion-protection timer temporary-block to set the period during which a MAC address is blocked by intrusion protection.
Use undo client-security intrusion-protection timer temporary-block to restore the default.
Syntax
client-security intrusion-protection timer temporary-block time
undo client-security intrusion-protection timer temporary-block
Default
An illegal MAC address is blocked for 180 seconds.
Views
Service template view
Predefined user roles
network-admin
Parameters
time: Specifies the period during which a MAC address is blocked. The value range is 60 to 300 seconds.
Usage guidelines
This command takes effect only when the intrusion protection action is temporary-block.
If you change the blocking period after the service template is enabled, the new setting takes effect on subsequently detected illegal packets.
Examples
# Configure service template service1 to block illegal MAC addresses for 120 seconds.
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] client-security intrusion-protection enable
[Sysname-wlan-st-service1] client-security intrusion-protection action temporary-block
[Sysname-wlan-st-service1] client-security intrusion-protection timer temporary-block 120
Related commands
client-security intrusion-protection action
client-security intrusion-protection enable
client-security intrusion-protection timer temporary-service-stop
Use client-security intrusion-protection timer temporary-service-stop to set the BSS silence period for intrusion protection.
Use undo client-security intrusion-protection timer temporary-service-stop to restore the default.
Syntax
client-security intrusion-protection timer temporary-service-stop time
undo client-security intrusion-protection timer temporary-service-stop
Default
The BSS silence period for intrusion protection is 20 seconds.
Views
Service template view
Predefined user roles
network-admin
Parameters
time: Specifies the period during which a BSS is disabled. The value range is 10 to 300 seconds.
Usage guidelines
This command takes effect only when the intrusion protection action is temporary-service-stop.
If you change the BSS silence period after the service template is enabled, the new setting takes effect on the subsequent detected illegal packets.
Examples
# Set the BSS silence period to 30 seconds for intrusion protection in service template service1.
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] client-security intrusion-protection enable
[Sysname-wlan-st-service1] client-security intrusion-protection action temporary-service-stop
[Sysname-wlan-st-service1] client-security intrusion-protection timer temporary-service-stop 30
Related commands
client-security intrusion-protection action
client-security intrusion-protection enable
display dot1x
Use display dot1x to display information about 802.1X.
Syntax
display dot1x [ sessions | statistics ] [ ap ap-name [ radio radio-id ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
sessions: Displays 802.1X session information.
statistics: Displays 802.1X statistics.
ap ap-name: Specifies an AP by its name, a case-sensitive string of 1 to 64 characters. The string can contain letters, digits, underscores (_), left brackets ([), right brackets (]), forward slashes (/), and hyphens (-).
radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by AP model. If you do not specify this option, this command displays 802.1X information for all radios on the specified AP.
Usage guidelines
If you do not specify the sessions keyword or the statistics keyword, this command displays all information about 802.1X, including session information, statistics, and settings.
Examples
# Display all information about 802.1X.
<Sysname> display dot1x
Global 802.1X parameters:
802.1X authentication : Enabled
M-LAG member configuration conflict : Unknown
EAP authentication : Enabled
Max-tx period : 30 s
Handshake period : 15 s
Offline detect period : 300 s
Quiet timer : Disabled
Quiet period : 60 s
Supp timeout : 30 s
Server timeout : 100 s
Reauth period : 3600 s
Max auth requests : 2
SmartOn supp timeout : 30 s
SmartOn retry counts : 3
User aging period for Auth-Fail VLAN : 1000 s
User aging period for critical VLAN : 1000 s
User aging period for guest VLAN : 1000 s
EAD assistant function : Disabled
URL : http://www.dwsoft.com
Free IP : 6.6.6.0 255.255.255.0
EAD timeout : 30 min
Domain delimiter : @
Max EAP-TLS fragment (to-server) : 400 bytes
Online 802.1X wired users : 1
Online 802.1X wireless users : 1
AP name: AP1 Radio ID: 1 SSID: wlan_dot1x_ssid
BSSID : 1111-1111-1111
802.1X authentication : Enabled
Handshake : Enabled
Handshake security : Disabled
Periodic reauth : Disabled
Mandatory auth domain : Not configured
Max online users : 256
EAPOL packets: Tx 3, Rx 3
Sent EAP Request/Identity packets : 1
EAP Request/Challenge packets: 1
EAP Success packets: 1
EAP Failure packets: 0
Received EAPOL Start packets : 1
EAPOL LogOff packets: 1
EAP Response/Identity packets : 1
EAP Response/Challenge packets: 1
Error packets: 0
Online 802.1X users: 1
MAC address Auth state
0001-0000-0002 Authenticated
Table 1 Command output
Field | Description |
---|---|
Global 802.1X parameters | Global 802.1X configuration. |
802.1X authentication | Whether 802.1X is enabled globally. |
M-LAG member configuration conflict | This field is not supported in the current software version. Configuration check result on the two M-LAG member devices: · Conflicted. · Not conflicted. · Unknown. |
CHAP authentication | Performs EAP termination and uses CHAP to communicate with the RADIUS server. |
EAP authentication | Relays EAP packets and supports any of the EAP authentication methods to communicate with the RADIUS server. |
PAP authentication | Performs EAP termination and uses PAP to communicate with the RADIUS server. |
Max-tx period | Username request timeout in seconds. |
Handshake period | Handshake timeout in seconds. |
Offline detect period | Offline detect timeout in seconds. |
Quiet timer | Enabling status of the quiet timer. |
Quiet period | Quiet timeout in seconds. |
Supp timeout | Client timeout in seconds. |
Server timeout | Authentication server timeout in seconds. |
Reauth period | Re-authentication server timer in seconds. |
Max auth requests | Maximum number of attempts for sending an authentication request to a client. |
SmartOn switch ID | This field is not supported in the current software version. Switch ID of SmartOn. |
SmartOn supp timeout | This field is not supported in the current software version. SmartOn client authentication timeout in seconds. |
User aging period for Auth-Fail VLAN | User aging time in the Auth-Fail VLAN. |
User aging period for critical VLAN | User aging time in the critical VLAN. |
User aging period for guest VLAN | This field is not supported in the current software version. User aging time in the guest VLAN. |
EAD assistant function | Enabling status of the EAD assistant function. |
URL | Redirect URL for unauthenticated users using a Web browser to access the network. |
Free IP | Network segment accessible to unauthenticated users. |
EAD timeout | EAD rule timeout in minutes. |
Domain delimiter | Domain delimiters supported by the device. |
Max EAP-TLS fragment (to-server) | Maximum length of an EAP-TLS fragment carried in an authentication packet sent to the authentication server. This field displays N/A if the maximum length is not specified. |
Online 802.1X wired users | Total number of online 802.1X wired users and 802.1X wired users that are initiating 802.1X authentication. |
Online 802.1X wireless users | Total number of online 802.1X wireless users and 802.1X wireless users that are initiating 802.1X authentication. |
AP name | AP name. |
Radio ID | Radio ID. |
802.1X authentication | Enabling status of 802.1X on the port. |
Handshake | Enabling status of online user handshake. |
Handshake security | Enabling status of handshake security. |
Periodic reauth | Enabling status of periodic re-authentication. |
Mandatory auth domain | Mandatory authentication domain on the port. |
Max online users | Maximum number of concurrent users on the port. |
EAPOL packets | Number of EAPOL packets. Tx represents sent packets and Rx represents received packets. |
Sent EAP Request/Identity packets | Number of sent EAP Request/Identity packets. |
EAP Request/Challenge packets | Number of sent EAP Request/Challenge packets. |
EAP Success packets | Number of sent EAP Success packets. |
EAP Failure packets | Number of sent EAP Failure packets. |
Received EAPOL Start packets | Number of received EAPOL Start packets. |
EAPOL LogOff packets | Number of received EAPOL LogOff packets. |
EAP Response/Identity packets | Number of received EAP Response/Identity packets. |
EAP Response/Challenge packets | Number of received EAP Response/Challenge packets. |
Error packets | Number of received error packets. |
Online 802.1X users | Total number of online 802.1X users and 802.1X users that are being authenticated on the port. |
MAC address | MAC address of the 802.1X user. |
Auth state | Authentication status of the 802.1X user. |
display dot1x connection
Use display dot1x connection to display information about online 802.1X users.
Syntax
display dot1x connection [ ap ap-name [ radio radio-id ] | slot slot-number | user-mac mac-address | user-name name-string ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
ap ap-name: Specifies an AP by its name, a case-sensitive string of 1 to 64 characters. The string can contain letters, digits, underscores (_), left brackets ([), right brackets (]), forward slashes (/), and hyphens (-). If you do not specify this option, the command displays information about all 802.1X online users.
radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by AP model. If you do not specify this option, this command displays online 802.1X user information for all radios on the specified AP.
slot slot-number: Specifies a member device by its member ID. If you do not specify a member device, this command displays online 802.1X user information on all member devices.
user-mac mac-address: Specifies an 802.1X user by its MAC address. The mac-address argument represents the MAC address of the user, in the form of H-H-H. If you do not specify this option, the command displays information about all 802.1X online users.
user-name name-string: Specifies an 802.1X user by its name. The name-string argument represents the username, a case-sensitive string of 1 to 253 characters. If you do not specify this option, the command displays information about all 802.1X online users.
Examples
# Display information about all online 802.1X users.
<Sysname> display dot1x connection
Total connections: 1
Slot ID: 1
User MAC address : 0015-e9a6-7cfe
AP name : ap1
Radio ID : 1
SSID : wlan_dot1x_ssid
BSSID : 0015-e9a6-7cf0
User name : ias
Anonymous username : test
Authentication domain : 1
IPv4 address : 192.168.1.1
IPv6 address : 2000:0:0:0:1:2345:6789:abcd
Authentication method : CHAP
Initial VLAN : 1
Authorization VLAN : N/A
Authorization ACL number : 3001
Authorization user profile : N/A
Authorization CAR : N/A
Authorization URL : http://oauth.h3c.com
Authorization IPv6 URL : N/A
Termination action : Default
Session timeout last from : 2023/05/30 17:32:42
Session timeout period : 86400 s
Online from : 2023/05/30 11:20:41
Online duration : 6h 18m 39s
Table 2 Command output
Field | Description |
---|---|
Total connections | Total number of online 802.1X users. |
User MAC address | MAC address of the user. |
AP name | AP name. |
Radio ID | Radio ID. |
Username | Username. |
Anonymous username | Username of the anonymous user. This field displays N/A if the anonymous username is not specified. |
Authentication domain | ISP domain used for 802.1X authentication. |
IPv4 address | IPv4 address of the user. This field is not displayed if the system fails to obtain the IPv4 address of the user. |
IPv6 address | IPv6 address of the user. This field is not displayed if the system fails to obtain the IPv6 address of the user. |
Authentication method | 802.1X authentication method: · CHAP—Performs EAP termination and uses CHAP to communicate with the RADIUS server. · EAP—Relays EAP packets and supports any of the EAP authentication methods to communicate with the RADIUS server. · PAP—Performs EAP termination and uses PAP to communicate with the RADIUS server. |
Initial VLAN | Initial VLAN. |
Authorization VLAN | Authorized VLAN. |
Authorization ACL number | Number of the authorized ACL. If no ACL is authorized, this field displays N/A. If ACL authorization fails, this field displays (Not effective) after the ACL number. |
Authorization user profile | User profile authorized to the user. |
Authorization CAR | If no authorization CAR attributes are assigned, this field displays N/A. Authorization CAR attributes assigned by the server: · Average input rate—Average rate of inbound traffic in kbps. · Peak input rate—Peak rate of inbound traffic in kbps. · Average output rate—Average rate of outbound traffic in kbps. · Peak output rate—Peak rate of outbound traffic in kbps. If the authorization fails, the system displays (NOT effective). If only the average input/output rate is authorized, the peak input/output rate is the same as the average rate by default. In the current software version, the system does not support the server authorizing only the input or output peak rate. |
Authorization URL | Authorized redirect URL. |
Authorization IPv6 URL | Authorized IPv6 redirect URL. |
Termination action | Action attribute assigned by the server to terminate the user session: · Default—Logs off the online 802.1X user when the session timeout timer expires. This attribute does not take effect when 802.1X periodic re-authentication is enabled and the periodic reauthentication timer value is shorter than the session timeout. · Radius-request—Reauthenticates the online user when the session timeout timer expires. If the device performs local authentication, this field displays N/A. |
Session timeout last from | Start time of the current session timeout period. |
Session timeout period | Session timeout assigned by the server, in seconds. When the timer expires for a session, the session is deleted. The action to take on the user depends on the value of the Termination action field. |
Online from | Time at which the user came online. |
Online duration | Online duration of the user. |
display mac-authentication
Use display mac-authentication to display MAC authentication settings and statistics.
Syntax
display mac-authentication [ ap ap-name [ radio radio-id ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
ap ap-name: Specifies an AP by its name, a case-sensitive string of 1 to 64 characters. The string can contain letters, digits, underscores (_), left brackets ([), right brackets (]), forward slashes (/), and hyphens (-).
radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by AP model. If you do not specify this option, this command displays MAC authentication information for all radios on the specified AP.
Usage guidelines
If you do not specify any parameters, this command displays all MAC authentication information, including the global settings, port-specific settings, MAC authentication packet statistics, and authenticated user statistics.
Examples
# Display MAC authentication information.
<Sysname> display mac-authentication
Global MAC authentication parameters:
MAC authentication : Enabled
Authentication method : PAP
M-LAG member configuration conflict : Unknown
Username format : MAC address in lowercase(xx-xx-xx-xx-xx-xx)
Username : mac
Password : Not configured
MAC range accounts : 0
MAC address Mask Username
Offline detect period : 300 s
Quiet period : 60 s
Server timeout : 100 s
Reauth period : 3600 s
User aging period for critical VLAN : 1000 s
User aging period for guest VLAN : 1000 s
Authentication domain : Not configured, use default domain
HTTP proxy port list : Not configured
HTTPS proxy port list : Not configured
Online MAC-auth wired users : 0
Online MAC-auth wireless users : 1
Silent MAC users:
MAC address VLAN ID From port Port index
AP name: AP1 Radio ID: 1 SSID: wlan_maca_ssid
BSSID : 1111-1111-1111
MAC authentication : Enabled
Authentication domain : Not configured
Max online users : 256
Authentication attempts : successful 1, failed 0
Current online users : 2
MAC address Auth state
0001-0000-0002 Authenticated
0001-0000-0003 Unauthenticated
Table 3 Command output
Field | Description |
---|---|
MAC authentication | Enabling status of MAC authentication. |
Authentication method | MAC authentication method: · CHAP. · PAP. |
M-LAG member configuration conflict | This field is not supported in the current software version. Configuration check result on the two M-LAG member devices: · Conflicted. · Not conflicted. · Unknown. |
Username format | Username format for MAC authentication: · If a MAC-based account is used, this field displays the format settings for the username. For example, MAC address in lowercase(xx-xx-xx-xx-xx-xx) indicates that the MAC address is in six-section format, and letters are in lower case. · If a fixed username account is used, this field displays Fixed account. |
Username | Username: · If a MAC-based account is used, this field displays mac. It indicates that the device uses the MAC address of each user as the username and password for MAC authentication. · If a fixed account is used, this field displays the configured username. By default, the username is mac. |
Password | Password corresponding to the username: · If a MAC-based account is used, this field displays Not configured. · If a fixed account is used, this field displays a string of asterisks (******). |
MAC range accounts | List of MAC authentication user account information for the specified range of MAC addresses. |
MAC address | Specified MAC address. |
Mask | MAC address mask. |
Username | Username of the MAC authentication user. |
Offline detect period | Offline detect timeout in seconds. |
Quiet period | Quiet timeout in seconds. |
Server timeout | Server connection timeout in seconds. |
Reauth period | Re-authentication server timer in seconds. |
User aging period for critical VLAN | User aging time in the critical VLAN. |
User aging period for guest VLAN | This field is not supported in the current software version. |
Authentication domain | MAC authentication domain specified in system view. If no authentication domain is specified in system view, this field displays Not configured, use default domain. |
HTTP proxy port list | This field is not supported in the current software version. HTTP proxy server port. |
HTTPS proxy port list | This field is not supported in the current software version. HTTPS proxy server port. |
Online MAC-auth wired users | This field is not supported in the current software version. Total number of online wired users and wired users that are initiating MAC authentication. |
Online MAC-auth wireless users | Total number of online wireless users and wireless users that are initiating MAC authentication. |
Silent MAC users | Information about silent MAC addresses, including added silent MAC addresses on the device and blackhole MAC addresses issued by the server. |
MAC address | Silent MAC address. |
VLAN ID | ID of the VLAN to which the silent MAC address belongs. |
From port | Name of the port that marks the MAC address as a silent MAC address. |
Port index | Index of the port that marks the MAC address as a silent MAC address. |
AP name | AP name. |
Radio ID | Radio ID. |
MAC authentication | Enabling status of MAC authentication on the port: · Enabled. · Enabled (but NOT effective)—MAC authentication does not take effect on the port because all ACL resources on the device are fully utilized. · Disabled. |
Authentication domain | MAC authentication domain used by users on the port. |
Max online users | Maximum number of concurrent users on the port. |
Authentication attempts | MAC authentication statistics, including the number of successful and unsuccessful authentication attempts. |
MAC address | MAC address of the access user. |
Auth state | Authentication status of the access user: · Authenticated. · Unauthenticated. |
display mac-authentication connection
Use display mac-authentication connection to display information about online MAC authentication users.
Syntax
display mac-authentication connection [ ap ap-name [ radio radio-id ] | slot slot-number | user-mac mac-address | user-name user-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
ap ap-name: Specifies an AP by its name, a case-sensitive string of 1 to 64 characters. The string can contain letters, digits, underscores (_), left brackets ([), right brackets (]), forward slashes (/), and hyphens (-). If you do not specify this option, the command displays information about all MAC authentication users.
radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by AP model. If you do not specify this option, this command displays MAC authentication user information for all radios on the specified AP.
slot slot-number: Specifies a member device by its member ID. If you do not specify this option, the command displays information about MAC authentication users on all member devices.
user-mac mac-address: Specifies a MAC authentication user by its MAC address. The mac-address argument represents the MAC address of the user, in the form of H-H-H. If you do not specify this option, the command displays information about all MAC authentication users.
user-name name-string: Specifies a MAC authentication user by its username. The name-string argument represents the username (excluding or including the domain name), a case-sensitive string of 1 to 55 characters. If you do not specify this option, the command displays information about all MAC authentication users.
Examples
# Display information about all online MAC authentication users.
<Sysname> display mac-authentication connection
Total connections: 1
Slot ID: 0
User MAC address : 0015-e9a6-7cfe
AP name : ap1
Radio ID : 1
SSID : wlan_dot1x_ssid
BSSID : 0015-e9a6-7cf0
User name : ias
Authentication domain : 1
Initial VLAN : 1
Authorization VLAN : 100
Authorization ACL number : 3001
Authorization user profile : N/A
Authorization CAR : N/A
Authorization URL : N/A
Authorization IPv6 URL : N/A
Termination action : Radius-request
Session timeout last from : 2023/05/30 17:32:42
Session timeout period : 86400 s
Online from : 2023/05/30 11:20:41
Online duration : 6h 18m 39s
Table 4 Command output
Field | Description |
---|---|
Total connections | Total number of online MAC authentication users. |
User MAC address | MAC address of the user. |
Access interface | Access interface of the user. |
AP name | AP name. |
Radio ID | Radio ID. |
Username | Username. |
Authentication domain | ISP domain used for MAC authentication. |
Initial VLAN | Initial VLAN. |
Authorization VLAN | Authorized VLAN. |
Authorization ACL number | Number of the authorized ACL. If no ACL is authorized, this field displays N/A. If ACL authorization fails, this field displays (Not effective) after the ACL number. |
Authorization user profile | Name of the authorization user profile. |
Authorization CAR | If no authorization CAR attributes are assigned, this field displays N/A. Authorization CAR attributes assigned by the server: · Average input rate—Average rate of inbound traffic in kbps. · Peak input rate—Peak rate of inbound traffic in kbps. · Average output rate—Average rate of outbound traffic in kbps. · Peak output rate—Peak rate of outbound traffic in kbps. If the authorization fails, the system displays (NOT effective). If only the average input/output rate is authorized, the peak input/output rate is the same as the average rate by default. In the current software version, the system does not support the server authorizing only the input or output peak rate. |
Authorization URL | Authorized redirect URL. |
Authorization IPv6 URL | Authorized IPv6 redirect URL. |
Termination action | Action attribute assigned by the server to terminate the user session: · Default—Logs off the user when the session timeout timer expires. · Radius-Request—Re-authenticates the online user when the session timeout timer expires. If the device performs local authentication, this field displays N/A. |
Session timeout last from | Start time of the current session timeout period. |
Session timeout period | Session timeout assigned by the server, in seconds. When the timer expires for a session, the session is deleted. The action to take on the user depends on the value of the Termination action field. |
Online from | Time at which the MAC authentication user came online. |
Online duration | Online duration of the MAC authentication user. |
display wlan client-security block-mac
Use display wlan client-security block-mac to display blocked MAC address information for WLAN clients.
Syntax
display wlan client-security block-mac
Views
Any view
Predefined user roles
network-admin
network-operator
Usage guidelines
A MAC address that fails authentication is added to the blocked MAC address list when the intrusion protection action is temporary-block.
Examples
# Display information about all blocked MAC addresses.
<Sysname> display wlan client-security block-mac
MAC address AP ID RADIO ID BSSID
0002-0002-0002 1 1 00ab-0de1-0001
000d-88f8-0577 1 1 0ef1-0001-02c1
Total entries: 2
Table 5 Command output
Field | Description |
---|---|
MAC address | Blocked MAC address, in the format of H-H-H. |
AP ID | AP ID of the blocked MAC address. |
RADIO ID | Radio ID of the blocked MAC address. |
BSSID | BSS ID of the blocked MAC address, in the format of H-H-H. |
Total entries | Number of blocked MAC addresses. |
Related commands
client-security intrusion-protection action
client-security intrusion-protection timer temporary-block
display wlan statistics accounting
Use display wlan statistics accounting to display RADIUS accounting packet statistics about wireless clients.
Syntax
display wlan statistics accounting
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display RADIUS accounting packet statistics about wireless clients.
<Sysname> display wlan statistics accounting
Account start request : 1
Account start response : 1
Account update request : 3
Account update response : 3
Account stop request : 1
Account stop response : 1
Table 6 Command output
Field | Description |
---|---|
Account start request | Number of sent RADIUS start-accounting request packets. |
Account start response | Number of received RADIUS start-accounting response packets. |
Account update request | Number of sent RADIUS real-time accounting request packets. |
Account update response | Number of received RADIUS real-time accounting response packets. |
Account stop request | Number of sent RADIUS stop-accounting request packets. |
Account stop response | Number of received RADIUS stop-accounting response packets. |
dot1x authentication-method
Use dot1x authentication-method to specify the 802.1X authentication method.
Use undo dot1x authentication-method to restore the default.
Syntax
dot1x authentication-method { chap | eap | pap }
undo dot1x authentication-method
Default
The access device performs EAP relay and uses EAP to communicate with the RADIUS server.
Views
System view
Predefined user roles
network-admin
Parameters
chap: Configures the access device to perform Extensible Authentication Protocol (EAP) termination and use the Challenge Handshake Authentication Protocol (CHAP) to communicate with the RADIUS server.
eap: Configures the access device to relay EAP packets and support any of the EAP authentication methods to communicate with the RADIUS server.
pap: Configures the access device to perform EAP termination and use the Password Authentication Protocol (PAP) to communicate with the RADIUS server.
Usage guidelines
The access device terminates or relays EAP packets.
· In EAP termination mode—The access device re-encapsulates the authentication data from the client in standard RADIUS packets and sends them to the RADIUS server. The device performs either CHAP or PAP authentication with the RADIUS server. In this mode, the RADIUS server supports only MD5-Challenge EAP authentication and the username and password EAP authentication initiated by an iNode client.
  · PAP transports usernames and passwords in plaintext. This method applies to scenarios that do not require high security. An iNode 802.1X client can be used with PAP.
  · CHAP transports usernames in plaintext and passwords in ciphertext over the network, so it provides better confidentiality than PAP and is more secure and reliable.
· In EAP relay mode—The access device relays EAP packets between the client and the RADIUS server. The EAP relay mode supports multiple EAP authentication methods, such as MD5-Challenge, EAP-TLS, and PEAP. To use this mode, make sure the RADIUS server uses the same EAP authentication method as the client.
When a remote RADIUS server is used, make sure the RADIUS server supports the PAP, CHAP, or EAP method.
In EAP relay mode, the user-name-format configuration in RADIUS scheme view does not take effect.
Examples
# Enable the access device to terminate EAP packets and perform PAP authentication with the RADIUS server.
<Sysname> system-view
[Sysname] dot1x authentication-method pap
Related commands
display dot1x
dot1x domain
Use dot1x domain to specify an authentication domain for 802.1X clients in a service template.
Use undo dot1x domain to restore the default.
Syntax
dot1x domain domain-name
Default
No authentication domain is specified for 802.1X clients in a service template.
Views
Service template view
Predefined user roles
network-admin
Parameters
domain-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters.
Usage guidelines
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
802.1X chooses an authentication domain for WLAN clients in the following order:
1. Authentication domain specified in the service template.
2. Domain specified by username.
3. Default authentication domain.
Examples
# Specify ISP domain my-domain as the authentication domain for 802.1X clients in service template service1.
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] dot1x domain my-domain
dot1x domain-delimiter
Use dot1x domain-delimiter to specify a set of domain name delimiters supported by the device.
Use undo dot1x domain-delimiter to restore the default.
Syntax
dot1x domain-delimiter string
undo dot1x domain-delimiter
Default
The device supports only the at sign (@) delimiter for 802.1X users.
Views
System view
Predefined user roles
network-admin
Parameters
string: Specifies a set of 1 to 16 domain name delimiters for 802.1X users. No space is required between delimiters. Available delimiters include the at sign (@), backslash (\), dot (.), and forward slash (/). To use backslash (\) as the domain name delimiter, you must enter the escape character (\) along with the backslash (\) sign. For example, to use the backslash delimiter, specify \\.
Usage guidelines
802.1X supports using at sign (@), backslash (\), dot (.), and forward slash (/) as the domain name delimiter for 802.1X authentication users. Usernames that include domain names can use the format of username@domain-name, domain-name\username, username.domain-name, or username/domain-name. If a username string contains multiple configured delimiters, the device takes the rightmost delimiter in the username string as the domain name delimiter. For example, if you configure the forward slash (/), dot (.), and backslash (\) as delimiters, the domain name delimiter for the username string 121.123/22\@abc is the backslash (\). The username is @abc and the domain name is 121.123/22.
The delimiter set you configured overrides the default setting. If the at sign (@) is not included in the delimiter set, the device does not support the 802.1X users that use this sign as the domain name delimiter.
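The rightmost-delimiter split described above, together with the domain selection order given under the dot1x domain command, as an added worked example in Python (not H3C code; function and variable names are assumptions made for this illustration):

```python
"""Added worked example (not H3C code): rightmost-delimiter username splitting
from 'dot1x domain-delimiter' and the domain selection order from 'dot1x domain'.
Function and variable names are assumptions made for this illustration."""
from typing import Optional, Tuple

ALLOWED_DELIMITERS = set("@\\./")   # at sign, backslash, dot, forward slash
DEFAULT_DELIMITERS = "@"            # device default: only the at sign


def parse_delimiter_string(cli_string: str) -> str:
    """Unescape the string typed after 'dot1x domain-delimiter'.

    The backslash must be entered as '\\\\' on the CLI; any other character
    outside the four supported delimiters is rejected, as is a set outside
    the 1 to 16 range. Returns the delimiters as a plain string."""
    delimiters = []
    i = 0
    while i < len(cli_string):
        ch = cli_string[i]
        if ch == "\\":
            # the backslash is only accepted in its escaped form
            if i + 1 >= len(cli_string) or cli_string[i + 1] != "\\":
                raise ValueError("backslash delimiter must be entered as \\\\")
            i += 2
        else:
            i += 1
        if ch not in ALLOWED_DELIMITERS:
            raise ValueError(f"unsupported delimiter {ch!r}")
        if ch not in delimiters:
            delimiters.append(ch)
    if not 1 <= len(delimiters) <= 16:
        raise ValueError("1 to 16 delimiters are allowed")
    return "".join(delimiters)


def split_username(username: str, delimiters: str) -> Tuple[str, Optional[str]]:
    """Split a username at the rightmost occurrence of any configured delimiter.

    Returns (user, domain); domain is None when no delimiter is present.
    The backslash form is domain-name\\username, so its two halves swap."""
    pos = max((username.rfind(d) for d in delimiters), default=-1)
    if pos < 0:
        return username, None
    left, right = username[:pos], username[pos + 1:]
    if username[pos] == "\\":
        return right, left          # domain-name\username
    return left, right              # username@domain, username.domain, username/domain


def select_domain(username: str, delimiters: str,
                  template_domain: Optional[str], default_domain: str) -> str:
    """Pick the ISP domain in the order the dot1x domain command describes:
    1. domain specified in the service template,
    2. domain carried in the username,
    3. default authentication domain."""
    if template_domain:
        return template_domain
    _, domain = split_username(username, delimiters)
    return domain if domain else default_domain


if __name__ == "__main__":
    # the page's own example: delimiters / . \ and username 121.123/22\@abc
    delims = parse_delimiter_string("/.\\\\")
    print(split_username("121.123/22\\@abc", delims))   # ('@abc', '121.123/22')
    print(select_domain("alice@corp", DEFAULT_DELIMITERS, None, "system"))  # corp
```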
Examples
# Specify the at sign (@) and forward slash (/) as domain name delimiters.
<Sysname> system-view
[Sysname] dot1x domain-delimiter @/
Related commands
display dot1x
dot1x eap
Use dot1x eap to specify the EAP mode for 802.1X authentication.
Use undo dot1x eap to restore the default.
Syntax
dot1x eap { extended | standard }
undo dot1x eap
Default
The EAP mode is standard for 802.1X authentication.
Views
Service template view
Predefined user roles
network-admin
Parameters
extended: Specifies the extended EAP mode. This mode requires the device to interact with clients according to the provisions and packet format defined by the proprietary EAP protocol.
standard: Specifies the standard EAP mode. This mode requires the device to interact with clients according to the provisions and packet format defined by the standard EAP protocol.
Usage guidelines
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
When you configure this command, specify the extended keyword for iNode clients and the standard keyword for other clients.
This command is required only when an IMC server is used as the RADIUS server.
Examples
# Set the EAP mode to extended for service template 1.
<Sysname> system-view
[Sysname] wlan service-template 1
[Sysname-wlan-st-1] dot1x eap extended
dot1x handshake enable
Use dot1x handshake enable to enable the 802.1X online user handshake feature.
Use undo dot1x handshake enable to disable the 802.1X online user handshake feature.
Syntax
dot1x handshake enable
undo dot1x handshake enable
Default
The 802.1X online user handshake feature is disabled.
Views
Service template view
Predefined user roles
network-admin
Usage guidelines
The online user handshake feature checks the connection status of online 802.1X clients by periodically sending handshake messages to the clients. The device sets a client to the offline state if it does not receive responses from the client after making the maximum handshake attempts within the handshake timer. To set the handshake timer, use the dot1x timer handshake-period command. To set the maximum handshake attempts, use the dot1x retry command.
The device does not respond to a client after it receives handshake responses from that client. Some clients might initiate reauthentication or go offline if they do not receive the device's responses to their handshake responses. If your network has such clients, you can disable the online user handshake feature.
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
Examples
# Enable the online user handshake feature for 802.1X clients in service template service1.
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] dot1x handshake enable
Related commands
dot1x handshake secure enable
dot1x retry
dot1x timer handshake-period
dot1x handshake secure enable
Use dot1x handshake secure enable to enable the 802.1X online user handshake security feature.
Use undo dot1x handshake secure enable to disable the 802.1X online user handshake security feature.
Syntax
dot1x handshake secure enable
undo dot1x handshake secure enable
Default
The 802.1X online user handshake security feature is disabled.
Views
Service template view
Predefined user roles
network-admin
Usage guidelines
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
For the 802.1X online user handshake security feature to take effect, you must enable the 802.1X online user handshake feature.
The online user handshake security feature protects only authenticated online 802.1X clients.
Examples
# Enable the 802.1X online user handshake security feature in service template service1.
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] dot1x handshake enable
[Sysname-wlan-st-service1] dot1x handshake secure enable
Related commands
dot1x handshake enable
dot1x max-user
Use dot1x max-user to set the maximum number of concurrent 802.1X clients that a service template supports on a radio.
Use undo dot1x max-user to restore the default.
Syntax
dot1x max-user count
undo dot1x max-user
Default
A service template permits a maximum of 512 concurrent 802.1X clients to access the network on a radio.
Views
Service template view
Predefined user roles
network-admin
Parameters
count: Specifies the maximum number of concurrent 802.1X clients. The value range is 1 to 512.
Usage guidelines
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
This setting takes effect on a per-radio basis. If the number of 802.1X clients of the service template reaches the limit on a radio, no additional 802.1X clients can access the network through the service template on that radio.
Examples
# In service template service1, set the maximum number of concurrent 802.1X clients on a radio to 32.
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] dot1x max-user 32
dot1x re-authenticate enable
Use dot1x re-authenticate enable to enable the 802.1X periodic online user reauthentication feature.
Use undo dot1x re-authenticate enable to disable the 802.1X periodic online user reauthentication feature.
Syntax
dot1x re-authenticate enable
undo dot1x re-authenticate enable
Default
The 802.1X periodic online user reauthentication feature is disabled.
Views
Service template view
Predefined user roles
network-admin
Usage guidelines
Periodic reauthentication enables the device to periodically authenticate online 802.1X clients in a service template. This feature checks the connection status of online clients and updates the authorization attributes assigned by the server, such as the ACL, VLAN, and user profile.
You can use the dot1x timer reauth-period command to configure the interval for reauthentication.
The server-assigned session timeout timer (Session-Timeout attribute) and termination action (Termination-Action attribute) can affect the periodic online user reauthentication feature. To display the server-assigned Session-Timeout and Termination-Action attributes, use the display dot1x connection command (see Security Command Reference).
· If the termination action is Default (logoff), periodic online user reauthentication on the template takes effect only when the periodic reauthentication timer is shorter than the session timeout timer.
· If the termination action is Radius-request, the periodic online user reauthentication configuration on the template does not take effect. The device reauthenticates the online 802.1X clients after the session timeout timer expires.
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
Examples
# Enable the 802.1X periodic online user reauthentication feature in service template service1.
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] dot1x re-authenticate enable
Related commands
dot1x timer
dot1x retry
Use dot1x retry to set the maximum number of attempts for sending an authentication request to a client.
Use undo dot1x retry to restore the default.
Syntax
dot1x retry retries
undo dot1x retry
Default
The system supports a maximum of two attempts for sending an authentication request to a client.
Views
System view
Predefined user roles
network-admin
Parameters
retries: Specifies the maximum number of attempts for sending an authentication request to a client. The value range is 1 to 10.
Usage guidelines
The access device retransmits an authentication request to a client if it does not receive any responses from the client within the specified period. If the maximum number of transmission attempts is reached but no response is received, the device stops sending authentication requests. For EAP-Request/Identity packets, the timeout is set by the dot1x timer tx-period command. For EAP-Request/MD5 Challenge packets, the timeout is set by the dot1x timer supp-timeout command.
Examples
# Set the maximum number of attempts to 9 for sending an authentication request to a client.
<Sysname> system-view
[Sysname] dot1x retry 9
Related commands
display dot1x
dot1x timer
dot1x timer
Use dot1x timer to set an 802.1X timer.
Use undo dot1x timer to restore the default of an 802.1X timer.
Syntax
dot1x timer { handshake-period handshake-period-value | reauth-period reauth-period-value | server-timeout server-timeout-value | supp-timeout supp-timeout-value }
undo dot1x timer { handshake-period handshake-period-value | reauth-period reauth-period-value | server-timeout server-timeout-value | supp-timeout supp-timeout-value }
Default
The client authentication timeout is 30 seconds, the authentication server timeout is 100 seconds, the handshake timeout is 15 seconds, and the periodic re-authentication timeout is 3600 seconds.
Views
System view
Predefined user roles
network-admin
Parameters
handshake-period handshake-period-value: Specifies the handshake timeout in the range of 5 to 1024 seconds.
reauth-period reauth-period-value: Specifies the periodic re-authentication timeout in the range of 60 to 7200 seconds.
server-timeout server-timeout-value: Specifies the authentication server timeout in the range of 100 to 300 seconds.
supp-timeout supp-timeout-value: Specifies the client authentication timeout in the range of 1 to 120 seconds.
Usage guidelines
The network device uses the following 802.1X timers:
· Handshake timer (handshake-period)—Sets the interval at which the access device sends client handshake requests to check the online status of a client that has passed authentication. If the device does not receive a response after sending the maximum number of handshake requests, it considers that the client has logged off.
· Periodic reauthentication timer (reauth-period)—Sets the interval at which the access device periodically reauthenticates online 802.1X users. To enable 802.1X periodic reauthentication in a service template, use the dot1x re-authenticate enable command. For online 802.1X users, a newly configured timer takes effect only on subsequent reauthentications, after the current reauthentication period ends and the reauthentication succeeds.
· Server timeout timer (server-timeout)—Starts when the access device sends a RADIUS Access-Request packet to the authentication server. If no response is received when this timer expires, 802.1X authentication fails.
As a best practice, set the server-timeout value to be smaller than or equal to the maximum number of RADIUS packet transmission attempts (retry) multiplied by the RADIUS server response timeout (timer response-timeout). If the server-timeout value is larger than the retry value multiplied by the timer response-timeout, users might be logged off before the server authentication timeout (server-timeout) is reached. For more information about the maximum number of transmission attempts for a RADIUS packet and the RADIUS server response timeout, see User Access and Authentication Configuration Guide.
· Client timeout timer (supp-timeout)—Starts when the access device sends an EAP-Request/MD5-Challenge packet to a client. If no response is received when this timer expires, the access device retransmits the request to the client.
Under normal circumstances, you do not need to modify the values of the timers. However, in certain special or adverse network environments, this command can be used to adjust the interaction process.
The change to the periodic reauthentication timer applies to the users that have been online only after the old timer expires. Other timer changes take effect immediately on the device.
Related commands
display dot1x
dot1x unauthenticated-user aging enable
retry
timer response-timeout (RADIUS scheme view)
fail-permit enable
Use fail-permit enable to enable authentication fail-permit.
Use undo fail-permit enable to disable authentication fail-permit.
Syntax
fail-permit enable [ keep-online | url-user-logoff ] [ always-service ]
undo fail-permit enable
Default
Authentication fail-permit is disabled.
Views
Service template view
Predefined user roles
network-admin
Parameters
keep-online: Allows online fail-permit clients to stay online when an authentication fail-permit event occurs. If you do not specify this keyword, the device disconnects online fail-permit clients when an authentication fail-permit event occurs.
url-user-logoff: Enables the URL client logoff mechanism. This mechanism logs off MAC authentication clients if an authentication fail-permit event occurs after they have been assigned a redirect URL. This keyword is applicable only to MAC authentication clients.
always-service: Enables the current service template to continue providing services for clients after an authentication fail-permit event occurs, regardless of whether a fail-permit service template has been configured. If you do not specify this keyword or a fail-permit service template, MAC authentication or Bypass clients can continue using the current service template to access the network after an authentication fail-permit event occurs. If you do not specify this keyword but specify a fail-permit service template, the current service template stops providing services for clients after an authentication fail-permit event occurs. This keyword is applicable only to MAC authentication and Bypass clients.
Usage guidelines
Application scenarios
Authentication fail-permit (also called fail-open) allows 802.1X, MAC authentication, and Bypass clients to access the network after the AC disconnects from the RADIUS server or the AP. When either event occurs, the AP continues to provide access services and forward traffic for those clients.
Operating mechanism
The impact of an authentication fail-permit event on clients differs depending on their authentication method and depending on whether a fail-permit service template has been configured.
· Bypass clients:
¡ If the fail-permit template and fail-permit enable (without the always-service keyword) commands are configured, the Bypass clients will be logged off. To access the network, the Bypass clients must manually reconnect to the SSID in the preconfigured fail-permit service template.
¡ If the fail-permit template command is not configured, or if the fail-permit enable always-service command is configured, the Bypass clients can continue using the existing service template enabled with authentication fail-permit to access the network without interruption.
· MAC authentication clients:
¡ If the fail-permit template and fail-permit enable (without the always-service keyword) commands are configured, the MAC authentication clients will be logged off. To access the network, the MAC authentication clients must manually reconnect to the SSID in the preconfigured fail-permit service template.
¡ If the fail-permit template command is not configured, or if the fail-permit enable always-service command is configured, the MAC authentication clients can continue using the existing service template enabled with authentication fail-permit to access the network after a transient interruption. In this situation, the clients will be logged off and then automatically connected to the network.
· The 802.1X clients will be logged off. To access the network, the 802.1X clients must manually reconnect to the SSID in a preconfigured fail-permit service template.
Prerequisites
For authentication fail-permit to take effect, perform the following steps:
1. Execute the radius-server test-profile command to configure a RADIUS test profile to test the reachability of the RADIUS server.
In the profile, set the interval for sending detection packets as needed. The shorter the interval, the sooner the device detects a change in RADIUS server reachability.
2. Apply the profile to the RADIUS server in the RADIUS scheme for the authentication ISP domain.
Fail-permit will occur when the RADIUS server is determined to be unreachable.
For more information about configuring RADIUS test profiles, see AAA configuration in User Access and Authentication Configuration Guide.
Recommended configuration
In some network environments, such as the AD-Campus network solution, the RADIUS server assigns a redirect URL to MAC authentication clients when they come online. This URL is used to redirect the clients to the Web authentication page for user authentication. However, if an authentication fail-permit event occurs after an online MAC authentication client has been assigned a redirect URL, the client might remain in the authenticating state because the RADIUS server is unavailable. To resolve this issue, you can specify the url-user-logoff keyword to force the client to log off. To continue accessing the network, the client must reconnect to the network.
You can only bind one fail-permit service template to a radio. If an authentication fail-permit event occurs, clients that use multiple service templates with authentication fail-permit enabled will all access one fail-permit service template to come online. As a result, the wireless network experience might degrade for clients. To prevent all clients from coming online through one fail-permit service template, you can specify the always-service keyword in the service templates that use MAC authentication or Bypass authentication. This keyword ensures that when an authentication fail-permit event occurs, the current service templates with authentication fail-permit enabled can continue providing wireless services regardless of whether a fail-permit service template has been configured.
Restrictions and guidelines
The fail-permit enable command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
The fail-permit enable command is mutually exclusive with the fail-permit template command in the same service template.
If you do not specify any parameters for the fail-permit enable command in a service template, all online clients in that service template will be logged off when an authentication fail-permit event occurs.
Examples
# Enable authentication fail-permit in a WLAN service template.
<Sysname> system-view
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] fail-permit enable
Related commands
client url-redirect enable
fail-permit template
fail-permit template
Use fail-permit template to specify a service template as a fail-permit service template.
Use undo fail-permit template to remove the fail-permit attribute of a fail-permit service template.
Syntax
fail-permit template
undo fail-permit template
Default
No service templates are specified as fail-permit service templates.
Views
Service template view
Predefined user roles
network-admin
Usage guidelines
You can use this command for the following purposes:
· Authentication fail-permit—To use the authentication fail-permit feature for clients associated with one service template, specify another service template as a fail-permit service template. If the protected service template has 802.1X clients, you must specify a fail-permit service template. This requirement is optional for other types of authentication clients. For more information about the authentication fail-permit feature, see the usage guidelines for the fail-permit enable command.
· 5G radio silence fail-permit—Allows an AP to move the clients of a service template on a 5G radio to a different 5G radio for network access when radio silence is imposed on the former radio.
You can execute the fail-permit template command only when the service template is disabled, and it takes effect after the service template is enabled.
The fail-permit template command is mutually exclusive with the fail-permit enable command in the same service template.
To ensure a successful fail-permit, follow these restrictions and guidelines:
· Enable APs to forward client data traffic in the fail-permit service template by using the client forwarding-location command.
· If APs are configured as the authenticator in a service template by using the client-security authentication-location command, the authenticator in the fail-permit service template of this service template must also be APs.
Use the following guidelines when you configure an authentication fail-permit service template:
· As a best practice, configure only one fail-permit service template for clients on an AP. If you configure multiple fail-permit service templates, only the one that is first bound to a radio on the AP will take effect.
· To ensure a successful fail-permit for clients, set the AKM mode to PSK or do not specify any AKM mode in the fail-permit service template.
Use the following guidelines when you configure a 5G silence fail-permit service template for 5G clients:
· Specify one 5G silence fail-permit service template for each 5G service template on a 5G radio. These 5G silence fail-permit service templates must contain the same settings as their protected 5G service templates except that the protected 5G service templates cannot contain the fail-permit template command.
· Bind a 5G silence fail-permit service template to a different radio than its protected 5G service template on the same AP.
Examples
# Specify a service template as a fail-permit service template.
<Sysname> system-view
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] fail-permit template
Related commands
akm mode
fail-permit enable
mac-authentication authentication-method
Use mac-authentication authentication-method to specify an authentication method for MAC authentication.
Use undo mac-authentication authentication-method to restore the default.
Syntax
mac-authentication authentication-method { chap | pap }
undo mac-authentication authentication-method
Default
The device uses PAP for MAC authentication.
Views
System view
Predefined user roles
network-admin
Parameters
chap: Configures the access device to use the Challenge Handshake Authentication Protocol (CHAP) to communicate with the RADIUS server.
pap: Configures the access device to use the Password Authentication Protocol (PAP) to communicate with the RADIUS server.
Usage guidelines
The device can use either of the following methods to perform MAC authentication with an authentication server:
· PAP—Transports usernames and passwords in plaintext format. The authentication method applies to scenarios that do not require high security.
· CHAP—Transports usernames in plaintext format and passwords in ciphertext format over the network, so it provides better confidentiality than PAP and is more secure and reliable.
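The difference between the two methods is what the RADIUS server receives as the credential. The following is an added example, not H3C code, that builds the CHAP credential as RFC 1994 defines it (the RADIUS CHAP-Password attribute layout is from RFC 2865 section 5.3): the response is MD5 over the one-octet identifier, the password and the server challenge, so the password itself never appears in the message, whereas under PAP the password is the credential. The MAC-derived password value is constructed for the example.

```python
# Added example, not H3C code: what the RADIUS server receives for a MAC
# authentication credential under PAP versus CHAP. Sample password values are
# constructed. CHAP follows RFC 1994 (RFC 2865 section 5.3 for the RADIUS
# attribute layout): Response = MD5(Identifier || password || Challenge).
import hashlib
import hmac
import os


def pap_credential(password: bytes) -> bytes:
    """PAP: the credential carried to the server is the password itself."""
    return password


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP response value (16 bytes) for a one-octet identifier and a challenge."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_password_attr(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Value of the RADIUS CHAP-Password attribute: CHAP Ident then the 16-byte response."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def chap_verify(attr_value: bytes, challenge: bytes, stored_password: bytes) -> bool:
    """Server side: recompute the response from the stored password, compare in constant time."""
    if len(attr_value) != 17:
        return False
    ident, response = attr_value[0], attr_value[1:]
    return hmac.compare_digest(response, chap_response(ident, stored_password, challenge))


def password_visible_on_wire(message: bytes, password: bytes) -> bool:
    """True if the password bytes appear verbatim in what was transmitted."""
    return password in message


if __name__ == "__main__":
    password = b"001122334455"          # constructed MAC-based password
    challenge = os.urandom(16)          # fresh challenge per authentication
    print(password_visible_on_wire(pap_credential(password), password))                   # True
    print(password_visible_on_wire(chap_password_attr(7, password, challenge), password))  # False
```

A practitioner's caveat: because the CHAP response is an unkeyed MD5 over a low-entropy secret, anyone who captures both challenge and response can test password guesses offline, so CHAP improves on PAP but does not remove the need to protect the device-to-RADIUS path itself.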
Examples
# Configure the device to use CHAP for MAC authentication.
<Sysname> system-view
[Sysname] mac-authentication authentication-method chap
Related commands
display mac-authentication
mac-authentication timer
Use mac-authentication timer to configure a MAC authentication timer.
Use undo mac-authentication timer to restore the default.
Syntax
mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | server-timeout server-timeout-value }
Default
The offline detect timeout is 300 seconds, the quiet timeout is 60 seconds, and the server timeout is 100 seconds.
Views
System view
Predefined user roles
network-admin
Parameters
offline-detect offline-detect-value: Sets the offline detect timeout in the range of 60 to 2147483647 seconds.
quiet quiet-value: Sets the quiet timeout in the range of 1 to 3600 seconds.
server-timeout server-timeout-value: Sets the server timeout in the range of 100 to 300 seconds.
Usage guidelines
MAC authentication uses the following timers:
· Offline detect timer—Sets the interval that the device waits for traffic from a user before the device determines that the user is idle. If the device has not received traffic from a user before the timer expires, the device logs off that user and requests the accounting server to stop accounting for the user. To avoid unexpected user disassociations, if you set the offline detect timeout, make sure to set the MAC address aging time to the same value. The timer takes effect only when MAC authentication disassociation detection is enabled on the port.
· Quiet timer—Sets the interval that the device must wait before the device can perform MAC authentication for a user that has failed MAC authentication. All packets from the MAC address are dropped during the quiet time. This quiet mechanism prevents repeated authentication from affecting system performance.
· Server timeout timer—Sets the interval that the device waits for a response from a RADIUS server before the device determines that the RADIUS server is unavailable. If the timer expires during MAC authentication, the user cannot access the network.
As a best practice, set the server-timeout value to be smaller than or equal to the maximum number of RADIUS packet transmission attempts (retry) multiplied by the RADIUS server response timeout (timer response-timeout). If the server-timeout value is larger than the retry value multiplied by the timer response-timeout, users might be logged off before the server authentication timeout (server-timeout) is reached.
For more information about the maximum number of transmission attempts for a RADIUS packet and the RADIUS server response timeout, see User Access and Authentication Configuration Guide.
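The server-timeout best practice stated here and in the dot1x timer usage guidelines, together with the Session-Timeout and Termination-Action conditions in the dot1x re-authenticate enable usage guidelines, are the kind of cross-command rules that are easy to violate in a large configuration. The following is an added example, not H3C code, that checks those rules for one service template and RADIUS scheme combination. The retry and response-timeout values come from the RADIUS scheme (documented in the User Access and Authentication Configuration Guide, not on this page), so the caller supplies them; the values used in the sample run are constructed.

```python
# Added example, not H3C code: checks for the timer rules given in the
# dot1x re-authenticate enable, dot1x timer and mac-authentication timer
# usage guidelines. The RADIUS retry count and response timeout are set in
# the RADIUS scheme (documented elsewhere), so the caller supplies them.
from typing import List, Optional


def server_timeout_ok(server_timeout: int, retry: int, response_timeout: int) -> bool:
    """Best practice from the page: server-timeout <= retry * response-timeout.

    The same rule is stated for dot1x timer server-timeout and for
    mac-authentication timer server-timeout (both 100 to 300 seconds).
    """
    return server_timeout <= retry * response_timeout


def reauth_behavior(reauth_enabled: bool, reauth_period: int,
                    session_timeout: Optional[int],
                    termination_action: str = "Default") -> str:
    """Which reauthentication an online 802.1X client actually gets.

    session_timeout is the server-assigned Session-Timeout (None if not
    assigned); termination_action is 'Default' (logoff) or 'Radius-request'.
    Returns 'periodic', 'session-timeout', 'ineffective' or 'disabled'.
    """
    if session_timeout is not None and termination_action == "Radius-request":
        # Template configuration is ignored; the device reauthenticates when
        # the server-assigned session timeout expires.
        return "session-timeout"
    if not reauth_enabled:
        return "disabled"
    if session_timeout is None:
        return "periodic"
    # Termination-Action Default: periodic reauthentication works only when the
    # reauth-period timer is shorter than the session timeout timer.
    return "periodic" if reauth_period < session_timeout else "ineffective"


def audit_template(reauth_enabled: bool, reauth_period: int,
                   session_timeout: Optional[int], termination_action: str,
                   server_timeout: int, retry: int, response_timeout: int) -> List[str]:
    """Return human-readable findings for one service template and RADIUS scheme."""
    findings: List[str] = []
    if not server_timeout_ok(server_timeout, retry, response_timeout):
        findings.append(
            f"server-timeout {server_timeout}s exceeds retry*response-timeout "
            f"({retry}*{response_timeout}={retry * response_timeout}s); clients might be "
            "logged off before the server timeout is reached")
    mode = reauth_behavior(reauth_enabled, reauth_period, session_timeout, termination_action)
    if mode == "ineffective":
        findings.append(
            f"reauth-period {reauth_period}s is not shorter than Session-Timeout "
            f"{session_timeout}s with Termination-Action Default; periodic reauthentication "
            "will not take effect")
    elif mode == "session-timeout" and reauth_enabled:
        findings.append(
            "Termination-Action Radius-request: template reauth-period is ignored; "
            f"reauthentication occurs when Session-Timeout ({session_timeout}s) expires")
    return findings


if __name__ == "__main__":
    # Page defaults (server-timeout 100 s, reauth-period 3600 s) with constructed
    # RADIUS values (retry 3, response-timeout 3 s) and a constructed Session-Timeout.
    for line in audit_template(True, 3600, 1800, "Default", 100, 3, 3):
        print("WARNING:", line)
```

Run the audit once per service template, feeding it the Session-Timeout and Termination-Action values observed with display dot1x connection, since those are assigned by the server per user rather than configured on the device.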
Examples
# Set the server timeout to 150 seconds.
<Sysname> system-view
[Sysname] mac-authentication timer server-timeout 150
Related commands
display mac-authentication
mac-authentication guest-vlan auth-period
mac-authentication unauthenticated-user aging enable
retry
timer response-timeout (RADIUS scheme view)
mac-authentication domain
Use mac-authentication domain to specify an authentication domain for MAC authentication clients in a service template.
Use undo mac-authentication domain to restore the default.
Syntax
mac-authentication domain domain-name
undo mac-authentication domain
Default
No authentication domain is specified for MAC authentication clients in a service template.
Views
Service template view
Predefined user roles
network-admin
Parameters
domain-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters.
Usage guidelines
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
MAC authentication chooses an authentication domain for WLAN clients in the following order:
1. Authentication domain specified in the service template.
2. Global authentication domain specified in system view.
3. Default authentication domain.
Examples
# Specify ISP domain my-domain as the authentication domain for MAC authentication clients in service template service1.
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] mac-authentication domain my-domain
mac-authentication max-user
Use mac-authentication max-user to set the maximum number of concurrent MAC authentication clients that a service template supports on a radio.
Use undo mac-authentication max-user to restore the default.
Syntax
mac-authentication max-user count
undo mac-authentication max-user
Default
A service template permits a maximum of 512 concurrent MAC authentication clients to access the network on a radio.
Views
Service template view
Predefined user roles
network-admin
Parameters
count: Sets the maximum number of concurrent MAC authentication clients. The value range for this argument is 1 to 512.
Usage guidelines
This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.
This command takes effect on a per-radio basis. If the number of MAC authentication clients of a service template reaches the limit on a radio, no additional MAC authentication clients can access the network through the service template on that radio.
Examples
# Configure service template service1 to support a maximum of 32 concurrent MAC authentication clients on a radio.
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] mac-authentication max-user 32
reset dot1x statistics
Use reset dot1x statistics to clear 802.1X statistics.
Syntax
reset dot1x statistics [ ap ap-name [ radio radio-id ] ]
Views
User view
Predefined user roles
network-admin
Parameters
ap ap-name: Specifies an AP by its name, a case-sensitive string of 1 to 64 characters. The string can contain letters, digits, underscores (_), left brackets ([), right brackets (]), forward slashes (/), and hyphens (-). If you do not specify this option, the command clears 802.1X statistics for all APs.
radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by AP model. If you do not specify this option, this command clears 802.1X statistics for all radios on the specified AP.
Examples
# Clear all 802.1X statistics.
<Sysname> reset dot1x statistics
Related commands
display dot1x
reset mac-authentication statistics
Use reset mac-authentication statistics to clear MAC authentication statistics.
Syntax
reset mac-authentication statistics [ ap ap-name [ radio radio-id ] ]
Views
User view
Predefined user roles
network-admin
Parameters
ap ap-name: Specifies an AP by its name, a case-sensitive string of 1 to 64 characters. The string can contain letters, digits, underscores (_), left brackets ([), right brackets (]), forward slashes (/), and hyphens (-). If you do not specify this option, the command clears MAC authentication statistics for all APs.
radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by AP model. If you do not specify this option, this command clears MAC authentication statistics for all radios on the specified AP.
Examples
# Clear all MAC authentication statistics.
<Sysname> reset mac-authentication statistics
Related commands
display mac-authentication
wlan authentication optimization
Use wlan authentication optimization to configure a modifier to adjust the authentication success ratio and abnormal offline ratio for 802.1X authentication, MAC authentication, and Layer 2 portal authentication.
Use undo wlan authentication optimization to restore the default.
Syntax
wlan authentication optimization value
undo wlan authentication optimization
Default
The modifier is 0. The device does not adjust the authentication success ratio and abnormal offline ratio for 802.1X authentication, MAC authentication, and Layer 2 portal authentication.
Views
System view
Predefined user roles
network-admin
Parameters
value: Sets the modifier, in the range of 900 to 1000. The lower the value, the lower the authentication success ratio, and the higher the abnormal offline ratio.
Usage guidelines
The authentication success ratio is the ratio of the number of authentication success times to the total number of authentication times. The abnormal offline ratio is calculated by using the following formula: abnormal offline ratio = number of times that clients go offline abnormally ÷ (number of authentication success times + number of current online users).
WLAN authentication statistics optimization uses a modifier to adjust the authentication success ratio and abnormal offline ratio of 802.1X authentication, MAC authentication, and Layer 2 portal authentication.
The modifier takes effect only on RADIUS-based 802.1X authentication, MAC authentication, and Layer 2 portal authentication.
Examples
# Set the modifier to 950 to adjust the authentication success ratio and abnormal offline ratio of 802.1X authentication, MAC authentication, and Layer 2 portal authentication.
<Sysname> system-view
[Sysname] wlan authentication optimization 950
wlan client-security authentication clear-previous-connection
Use wlan client-security authentication clear-previous-connection to enable the clear-previous-connection feature for WLAN authentication.
Use undo wlan client-security authentication clear-previous-connection to disable the clear-previous-connection feature for WLAN authentication.
Syntax
wlan client-security authentication clear-previous-connection
undo wlan client-security authentication clear-previous-connection
Default
The clear-previous-connection feature is disabled for WLAN authentication.
Views
System view
Predefined user roles
network-admin
Usage guidelines
IMPORTANT: When this feature is enabled, the 802.1X reauthentication, WLAN Auth-Fail VLAN, and WLAN critical VLAN features cannot take effect.
Some RADIUS servers refuse to authenticate a client if they have an online user entry for that client. If they fail to remove the online user entry for a client that has gone offline abnormally, that client will be unable to get authenticated and come online again.
To resolve this issue, use the clear-previous-connection feature.
With this feature, the device checks the local online user entries before it sends an authentication request to the RADIUS server for an 802.1X or MAC authentication client. If an entry is found, the device removes the entry and sends a stop-accounting request to the RADIUS server. Upon receipt of the stop-accounting request, the RADIUS server removes the online user entry. Then, the client can be authenticated correctly.
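The following is an added example, not H3C code, that models the failure mode and the fix described above: a RADIUS server that rejects Access-Requests for a client it still lists as online, a client that drops off the air without any logoff (so both the device and the server keep a stale online entry), and an access device with the clear-previous-connection feature off and on. The class names, message strings and the client MAC are constructed for the example.

```python
# Added example, not H3C code: a small model of the stale-online-entry problem
# and how clear-previous-connection resolves it. Names and the MAC value are
# constructed; the RADIUS server here refuses Access-Requests for clients it
# still believes are online.
from typing import Set


class StrictRadiusServer:
    """Models a RADIUS server that rejects a client it still lists as online."""

    def __init__(self) -> None:
        self.online: Set[str] = set()

    def access_request(self, mac: str) -> str:
        return "Access-Reject" if mac in self.online else "Access-Accept"

    def accounting_start(self, mac: str) -> None:
        self.online.add(mac)

    def accounting_stop(self, mac: str) -> None:
        self.online.discard(mac)


class AccessDevice:
    """Models the 802.1X/MAC authentication device with the feature off or on."""

    def __init__(self, server: StrictRadiusServer, clear_previous_connection: bool = False) -> None:
        self.server = server
        self.clear_previous_connection = clear_previous_connection
        self.online: Set[str] = set()

    def authenticate(self, mac: str) -> str:
        # With the feature enabled, a local online entry for the client is
        # removed and a stop-accounting request is sent before the
        # authentication request, so the server drops its stale entry too.
        if self.clear_previous_connection and mac in self.online:
            self.online.discard(mac)
            self.server.accounting_stop(mac)
        result = self.server.access_request(mac)
        if result == "Access-Accept":
            self.online.add(mac)
            self.server.accounting_start(mac)
        return result


def reconnect_after_abnormal_offline(clear_previous_connection: bool) -> str:
    """Client comes online, drops off without any logoff, then reconnects."""
    server = StrictRadiusServer()
    device = AccessDevice(server, clear_previous_connection)
    mac = "0011-2233-4455"   # constructed client MAC
    first = device.authenticate(mac)
    assert first == "Access-Accept"
    # Abnormal offline: neither the device nor the server learns the client
    # left, so both keep an online entry. The second attempt shows the effect.
    return device.authenticate(mac)


if __name__ == "__main__":
    print("feature off:", reconnect_after_abnormal_offline(False))  # Access-Reject
    print("feature on: ", reconnect_after_abnormal_offline(True))   # Access-Accept
```

The model also makes the trade-off in the IMPORTANT note visible: the stop-accounting request tears down the previous session state, which is why reauthentication, Auth-Fail VLAN and critical VLAN handling cannot coexist with this feature.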
Examples
# Enable the clear-previous-connection feature.
<Sysname> system-view
[Sysname] wlan client-security authentication clear-previous-connection