13-User Access and Authentication Command Reference

01-WLAN access authentication commands

Contents

WLAN access authentication commands
    client url-redirect acl
    client url-redirect enable
    client-security accounting-delay time
    client-security accounting-restart trigger ipv4
    client-security accounting-start trigger
    client-security accounting-update trigger
    client-security accounting dual-stack separate enable
    client-security authentication critical-vlan
    client-security authentication fail-vlan
    client-security authentication-location
    client-security authentication-mode
    client-security authorization-fail offline
    client-security authorization trigger byod
    client-security ignore-authentication
    client-security ignore-authorization
    display dot1x
    display dot1x connection
    display mac-authentication
    display mac-authentication connection
    display wlan statistics accounting
    dot1x authentication-method
    dot1x domain
    dot1x domain-delimiter
    dot1x eap
    dot1x eap-termination authentication-method
    dot1x eap-termination eap-profile
    dot1x handshake enable
    dot1x handshake secure enable
    dot1x max-user
    dot1x re-authenticate enable
    dot1x retry
    dot1x timer
    fail-permit enable
    fail-permit template
    mac-authentication authentication-method
    mac-authentication domain
    mac-authentication max-user
    mac-authentication timer
    mac-authentication user-name-format
    reset dot1x statistics
    reset mac-authentication statistics
    wlan authentication optimization
    wlan client-security authentication clear-previous-connection


WLAN access authentication commands

client url-redirect acl

Use client url-redirect acl to specify an ACL to match traffic that triggers URL redirection.

Use undo client url-redirect acl to restore the default.

Syntax

client url-redirect acl acl-number

undo client url-redirect acl

Default

No ACL is specified to match traffic that triggers URL redirection.

Views

Service template view

Predefined user roles

network-admin

Parameters

acl-number: Specifies an ACL by its number, in the range of 2000 to 3999.

Usage guidelines

By default, the device uses the authorization ACL deployed by the RADIUS server to match traffic that triggers URL redirection. Rule conflicts might exist if the authorization ACL is used by multiple features. To avoid undesirable redirection results, specify an ACL that is configured only for matching traffic that triggers URL redirection.

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

Examples

# In service template service1, specify ACL 3111 to match traffic that triggers URL redirection.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] client url-redirect acl 3111

Related commands

client url-redirect enable

client url-redirect enable

Use client url-redirect enable to enable URL redirection for WLAN clients.

Use undo client url-redirect enable to disable URL redirection for WLAN clients.

Syntax

client url-redirect enable

undo client url-redirect enable

Default

URL redirection is disabled for WLAN clients.

Views

Service template view

Predefined user roles

network-admin

Usage guidelines

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

This command takes effect only on clients that use RADIUS-based MAC authentication.

In RADIUS-based MAC authentication, a client can pass authentication only if the RADIUS server has its credential information (username and password) and MAC address.

URL redirection enables a client to authenticate to the RADIUS server after it has failed a MAC authentication because the server does not have its credential information and MAC address. This feature redirects the client to the specified authentication webpage URL for portal authentication. After the client passes portal authentication, the RADIUS server records the client's credential information and MAC address, and sends DM requests to log off the client. When the client reconnects to the network, the client can pass MAC authentication. For information about DMs, see AAA configuration in User Access and Authentication Configuration Guide.

Examples

# Enable URL redirection for WLAN clients in service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] client url-redirect enable

Related commands

client url-redirect acl

client-security accounting-delay time

Use client-security accounting-delay time to configure the accounting delay.

Use undo client-security accounting-delay time to restore the default.

Syntax

client-security accounting-delay time time [ no-ip-logoff ]

undo client-security accounting-delay time

Default

The device sends a start-accounting request for a client only when the device learns the IP address of that client.

Views

Service template view

Predefined user roles

network-admin

Parameters

time: Sets the accounting delay timer. The value range for the time argument is 1 to 600 seconds.

no-ip-logoff: Logs off a client if the device has failed to learn the client's IP address before the delay timer expires. If you do not specify this keyword, the device sends a start-accounting request immediately after the accounting delay timer expires.

Usage guidelines

The accounting delay timer operates in conjunction with an IP-based accounting-start trigger.

·     The IP-based accounting-start trigger specifies that the IP address of an 802.1X or MAC authenticated client triggers an accounting-start request.

·     The accounting delay timer specifies the maximum interval for the device to learn the IP address of an 802.1X or MAC authenticated client before it takes the specified action.

The accounting delay timer starts when a client passes 802.1X or MAC authentication. If the device has failed to learn the client's IP address before the timer expires, the device takes either of the following actions:

·     Sends a start-accounting request immediately if the no-ip-logoff action is not specified.

·     Logs off the client if the no-ip-logoff action is specified.

Configure the accounting delay timer depending on the typical amount of time for the device to learn the IP address of a client. As a best practice, increase the delay timer on a low-performance network.

The timer takes effect only on clients that come online after the timer is configured.

Examples

# Set the accounting delay timer to 15 seconds in service template service1. Configure the device to log off a client if it has failed to learn the client's IP address before the delay timer expires.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] client-security accounting-delay time 15 no-ip-logoff

Related commands

client-security accounting-start trigger

client-security accounting-restart trigger ipv4

Use client-security accounting-restart trigger ipv4 to enable the IPv4 address-based accounting-restart trigger for clients.

Use undo client-security accounting-restart trigger ipv4 to disable the IPv4 address-based accounting-restart trigger for clients.

Syntax

client-security accounting-restart trigger ipv4 [ delay interval ]

undo client-security accounting-restart trigger ipv4

Default

The IPv4 address-based accounting-restart trigger is disabled.

Views

Service template view

Predefined user roles

network-admin

Parameters

delay interval: Sets the delay for the device to send a start-accounting request for a new accounting cycle after it sends a stop-accounting request. The value range for the interval argument is 0 to 20 seconds. The default delay time is 15 seconds.

Usage guidelines

The IPv4 address-based accounting-restart trigger applies to 802.1X and MAC authentication clients.

This trigger restarts accounting for a client by sending a stop-accounting request and then a start-accounting request to the accounting server when the IPv4 address of the client changes.

This trigger has higher priority than the accounting-update trigger configured for IPv4 by using the client-security accounting-update trigger command.

This trigger is configurable when the service template is disabled, and it takes effect after the service template is enabled.

Examples

# Enable the IPv4 address-based accounting-restart trigger in service template service1, and set the delay between the stop-accounting request and the start-accounting request of the new cycle to 10 seconds.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] client-security accounting-restart trigger ipv4 delay 10

client-security accounting-start trigger

Use client-security accounting-start trigger to configure an accounting-start trigger for clients.

Use undo client-security accounting-start trigger to restore the default.

Syntax

client-security accounting-start trigger { ipv4 | ipv4-ipv6 | ipv6 | none }

undo client-security accounting-start trigger

Default

The accounting-start trigger is based on IPv4 address type.

Views

Service template view

Predefined user roles

network-admin

Parameters

ipv4: Specifies an IPv4-based accounting-start trigger. The device sends a start-accounting request when the device learns the IPv4 address of an authenticated client.

ipv4-ipv6: Specifies IPv4-based and IPv6-based accounting-start triggers. The device sends a start-accounting request when the device learns the IPv4 or IPv6 address of an authenticated client.

ipv6: Specifies an IPv6-based accounting-start trigger. The device sends a start-accounting request when the device learns the IPv6 address of an authenticated client.

none: Specifies a non-IP-based accounting-start trigger. The device sends a start-accounting request when a client passes authentication without examining its IP address type.

Usage guidelines

This command takes effect only on clients that have passed 802.1X or MAC authentication.

If the trigger is IP address type based, you must enable learning IP addresses of that type. For information about wireless client IP address learning, see WLAN IP snooping configuration in User Access and Authentication Configuration Guide.

When you configure an IP-based accounting-start trigger, make sure the specified IP address version is the same as the version required by the accounting server.

The trigger takes effect only on clients that come online after the trigger is configured.

Examples

# Configure an IPv4 address-based accounting-start trigger in service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] client-security accounting-start trigger ipv4

Related commands

client ipv4-snooping arp-learning enable

client ipv4-snooping dhcp-learning enable

client ipv6-snooping dhcpv6-learning enable (User Access and Authentication Command Reference)

client ipv6-snooping nd-learning enable (User Access and Authentication Command Reference)

client-security accounting-delay time

client-security accounting-update trigger

client-security accounting-update trigger

Use client-security accounting-update trigger to specify an event-based accounting-update trigger.

Use undo client-security accounting-update trigger to restore the default.

Syntax

client-security accounting-update trigger { ipv4 | ipv4-ipv6 | ipv6 }

undo client-security accounting-update trigger

Default

No event-based accounting-update trigger is configured. The device sends update-accounting requests to the accounting server only regularly at server-assigned or user-defined real-time accounting intervals.

Views

Service template view

Predefined user roles

network-admin

Parameters

ipv4: Sends an update-accounting request when the IPv4 address of an online 802.1X or MAC authenticated client changes.

ipv4-ipv6: Sends an update-accounting request when the IPv4 or IPv6 address of an online 802.1X or MAC authenticated client changes.

ipv6: Sends an update-accounting request when the IPv6 address of an online 802.1X or MAC authenticated client changes.

Usage guidelines

Use the accounting-update trigger in conjunction with the IP-based accounting-start trigger. The accounting-update trigger takes effect only if the IP-based accounting-start trigger setting takes effect.

In addition to the event-based accounting-update trigger, you can set a regular accounting-update interval by using the timer realtime-accounting command.

The accounting-update trigger takes effect only on clients that come online after the trigger is configured.

Examples

# Configure an IPv4 address change-based accounting-update trigger in service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] client-security accounting-update trigger ipv4

Related commands

client-security accounting-start trigger

timer realtime-accounting
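The four accounting commands above (accounting-start trigger, accounting-delay time, accounting-update trigger and accounting-restart trigger ipv4) interact. The following Python model, added here and not part of the H3C documentation, replays client events against a service template configuration and lists the RADIUS accounting requests the AC would send. The ServiceTemplate fields, the event names and the message labels are assumptions of this example.

```python
"""Model of the accounting-start, accounting-delay, accounting-update and
accounting-restart rules for one WLAN client. Added illustration, not H3C
code; the event and message names are this example's own."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class ServiceTemplate:
    # client-security accounting-start trigger { ipv4 | ipv4-ipv6 | ipv6 | none }
    start_trigger: str = "ipv4"
    # client-security accounting-delay time <time> [ no-ip-logoff ]
    delay_time: Optional[int] = None
    no_ip_logoff: bool = False
    # client-security accounting-update trigger { ipv4 | ipv4-ipv6 | ipv6 }
    update_trigger: Optional[str] = None
    # client-security accounting-restart trigger ipv4
    restart_ipv4: bool = False


def _covers(trigger, family):
    """True if an ipv4 / ipv6 / ipv4-ipv6 trigger applies to this address family."""
    return trigger is not None and family in trigger.split("-")


class AccountingSim:
    def __init__(self, st):
        self.st = st
        self.started = False   # start-accounting request already sent
        self.online = True
        self.addrs = {}        # address family -> current address
        self.msgs = []

    def auth_pass(self):
        # 'none' trigger: start accounting as soon as authentication succeeds.
        if self.st.start_trigger == "none":
            self._start()

    def ip_learned(self, family, addr):
        if not self.online:
            return
        changed = family in self.addrs and self.addrs[family] != addr
        self.addrs[family] = addr
        if not self.started:
            if _covers(self.st.start_trigger, family):
                self._start()
            return
        if changed:
            self._ip_changed(family)

    def delay_timer_expired(self):
        """Accounting delay timer expired before any triggering IP was learned."""
        if self.started or not self.online or self.st.delay_time is None:
            return
        if self.st.no_ip_logoff:
            self.online = False
            self.msgs.append("LOGOFF (no IP before delay timer expired)")
        else:
            self._start()

    def _ip_changed(self, family):
        # The IPv4 restart trigger has priority over the update trigger.
        if family == "ipv4" and self.st.restart_ipv4:
            self.msgs.append("Accounting-Stop")
            self.msgs.append("Accounting-Start (new cycle)")
        elif _covers(self.st.update_trigger, family) and self.st.start_trigger != "none":
            # The update trigger only takes effect with an IP-based start trigger.
            self.msgs.append("Accounting-Interim-Update")

    def _start(self):
        self.started = True
        self.msgs.append("Accounting-Start")


def run(st, events):
    """Apply (event, *args) tuples in order; return (messages, still online)."""
    sim = AccountingSim(st)
    for name, *args in events:
        getattr(sim, name)(*args)
    return sim.msgs, sim.online
```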

client-security accounting dual-stack separate enable

Use client-security accounting dual-stack separate enable to enable traffic accounting for 802.1X dual-stack clients by IP protocol version.

Use undo client-security accounting dual-stack separate enable to merge IPv4 and IPv6 data for accounting of 802.1X dual-stack clients.

Syntax

client-security accounting dual-stack separate enable

undo client-security accounting dual-stack separate enable

Default

The device merges IPv4 and IPv6 data for accounting of 802.1X dual-stack clients.

Views

Service template view

Predefined user roles

network-admin

Usage guidelines

To measure the IPv4 and IPv6 traffic of 802.1X dual-stack clients separately, use this feature. With this feature, the traffic data sent to the AAA accounting server for 802.1X dual-stack clients is separated by IP protocol version.

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

This command is not applicable to wireless terminator solutions.

Examples

# Separate IPv4 and IPv6 data for the accounting of 802.1X dual-stack clients in service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] client-security accounting dual-stack separate enable

client-security authentication critical-vlan

Use client-security authentication critical-vlan to configure a critical VLAN for a service template.

Use undo client-security authentication critical-vlan to restore the default.

Syntax

client-security authentication critical-vlan vlan-id

undo client-security authentication critical-vlan

Default

No critical VLAN exists for a service template.

Views

Service template view

Predefined user roles

network-admin

Parameters

vlan-id: Specifies the ID of the critical VLAN, in the range of 1 to 4094.

Usage guidelines

802.1X authentication does not support this command.

The WLAN critical VLAN accommodates clients that have failed WLAN access authentication because all RADIUS servers in their ISP domains are unreachable. Clients in the critical VLAN can access a limited set of network resources depending on the configuration.

The authenticator reauthenticates a client in the critical VLAN at intervals of 30 seconds.

·     If the client passes the reauthentication, the authenticator assigns the client to the authorization VLAN. If no authorization VLAN is configured, the client is assigned to the initial VLAN.

·     If the client fails the reauthentication because all the RADIUS servers are unreachable, the client stays in the critical VLAN.

·     If the client fails the reauthentication for any reason other than unreachable servers, the device assigns the client to the Auth-Fail VLAN. If no Auth-Fail VLAN is configured, the device logs off the client.

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

Examples

# Configure VLAN 10 as the critical VLAN in service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] client-security authentication critical-vlan 10

client-security authentication fail-vlan

Use client-security authentication fail-vlan to configure an Auth-Fail VLAN for a service template.

Use undo client-security authentication fail-vlan to restore the default.

Syntax

client-security authentication fail-vlan vlan-id

undo client-security authentication fail-vlan

Default

No Auth-Fail VLAN exists for a service template.

Views

Service template view

Predefined user roles

network-admin

Parameters

vlan-id: Specifies the ID of the Auth-Fail VLAN, in the range of 1 to 4094. Make sure the VLAN has been created.

Usage guidelines

802.1X authentication does not support this command.

The WLAN Auth-Fail VLAN accommodates clients that have failed WLAN access authentication because of the failure to comply with the applicable security policy. For example, the VLAN accommodates clients that have entered invalid passwords. The Auth-Fail VLAN does not accommodate WLAN clients that have failed authentication because of authentication timeouts or network connection issues.

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

Examples

# Configure VLAN 10 as the Auth-Fail VLAN in service template 1.

<Sysname> system-view

[Sysname] wlan service-template 1

[Sysname-wlan-st-1] client-security authentication fail-vlan 10

client-security authentication-location

Use client-security authentication-location to specify the authenticator for WLAN clients.

Use undo client-security authentication-location to restore the default.

Syntax

client-security authentication-location { ac | ap }

undo client-security authentication-location

Default

The AC acts as the authenticator to authenticate WLAN clients.

Views

Service template view

Predefined user roles

network-admin

Parameters

ac: Specifies the AC as the authenticator.

ap: Specifies the AP as the authenticator.

Usage guidelines

You cannot specify the AP as the authenticator if the AC is configured to forward client data traffic (by using the client forwarding-location command). For information about the client forwarding-location command, see WLAN access commands in WLAN Access Command Reference.

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

Examples

# Configure the AC as the authenticator for WLAN clients in service template s1.

<Sysname> system-view

[Sysname] wlan service-template s1

[Sysname-wlan-st-s1] client-security authentication-location ac

Related commands

client forwarding-location

client-security authentication-mode

Use client-security authentication-mode to set the authentication mode for WLAN clients.

Use undo client-security authentication-mode to restore the default.

Syntax

client-security authentication-mode { dot1x | mac | mac-and-dot1x }

undo client-security authentication-mode

Default

The WLAN access authentication mode is Bypass. The device does not perform authentication for WLAN clients.

Views

Service template view

Predefined user roles

network-admin

Parameters

dot1x: Performs only 802.1X authentication for the attached clients. A client cannot access the network if it fails 802.1X authentication.

mac: Performs only MAC authentication for the attached clients. A client cannot access the network if it fails MAC authentication.

mac-and-dot1x: Performs MAC authentication and then 802.1X authentication for the attached clients. The attached clients must pass both MAC authentication and 802.1X authentication before they can access the network. A client cannot access the network if it fails MAC authentication or 802.1X authentication.

Usage guidelines

A service template allows access of multiple authenticated clients in any authentication mode. To set the maximum number of 802.1X clients, use the dot1x max-user command.

The WLAN access authentication mode is configurable when the service template is disabled, and it takes effect after the service template is enabled.

Examples

# Set the authentication mode to dot1x for WLAN clients in service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] client-security authentication-mode dot1x

client-security authorization-fail offline

Use client-security authorization-fail offline to enable the authorization-fail-offline feature.

Use undo client-security authorization-fail offline to disable the authorization-fail-offline feature.

Syntax

client-security authorization-fail offline

undo client-security authorization-fail offline

Default

The authorization-fail-offline feature is disabled.

Views

Service template view

Predefined user roles

network-admin

Usage guidelines

The authorization-fail-offline feature logs off WLAN clients that fail ACL or user profile authorization.

A WLAN client fails ACL or user profile authorization in the following situations:

·     The device or server fails to authorize the specified ACL or user profile to the client.

·     The authorized ACL or user profile does not exist.

If this feature is disabled, the device generates a log message to record the authentication failure without logging off the WLAN client.

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

Examples

# Enable the authorization-fail-offline feature for service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] client-security authorization-fail offline

client-security authorization trigger byod

Use client-security authorization trigger byod to enable the BYOD authorization trigger.

Use undo client-security authorization trigger byod to disable the BYOD authorization trigger.

Syntax

client-security authorization trigger byod

undo client-security authorization trigger byod

Default

The BYOD authorization trigger is disabled.

Views

Service template view

Predefined user roles

network-admin

Usage guidelines

This command enables the access device to trigger BYOD authorization for an authenticated client after the device obtains that client's BYOD information, including its IP address. When BYOD authorization is triggered, the session-timeout timer assigned to the client restarts, extending the amount of time that the client can stay online before a reauthentication is required. On a low performance network, it might take so much time for the device to obtain the IP address of a client that the client's extended amount of online time becomes undesirable.

As a best practice to avoid this undesirable issue, use this command only if BYOD authorization is required and make sure the network performance is good. For more information about BYOD authorization, see AAA configuration in User Access and Authentication Configuration Guide.

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

Examples

# Enable the BYOD authorization trigger in service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] client-security authorization trigger byod

client-security ignore-authentication

Use client-security ignore-authentication to configure the device to ignore 802.1X and MAC authentication failures.

Use undo client-security ignore-authentication to restore the default.

Syntax

client-security ignore-authentication

undo client-security ignore-authentication

Default

The device does not ignore authentication failures for wireless clients that use 802.1X authentication or RADIUS-based MAC authentication.

Views

Service template view

Predefined user roles

network-admin

Usage guidelines

IMPORTANT:

For 802.1X clients that use RSN to roam to a new AP, do not use this command.

This command allows a client to come online or continue with its authentication process despite an 802.1X or MAC authentication failure.

This command applies to the following clients:

·     Clients that use 802.1X authentication without any encryption (akm mode, security-ie, cipher-suite, or wep mode dynamic) configured.

This command enables the device to ignore 802.1X authentication failures and allow clients that have failed 802.1X authentication to come online. If encryption is configured, the 802.1X authentication results cannot be ignored.

·     Clients that use both RADIUS-based MAC authentication and portal authentication.

Typically, a client must pass MAC authentication and portal authentication in turn to access network resources. The client provides username and password when it performs portal authentication.

This command simplifies the authentication process for such a client, as follows:

○     If the RADIUS server already records the client's MAC authentication information, the client passes MAC authentication. The device allows the client to access network resources without performing portal authentication.

○     If the RADIUS server does not record the client's MAC authentication information, the client fails MAC authentication. The device ignores the MAC authentication failure and performs portal authentication for the client. If the client passes portal authentication, it can access network resources. The MAC address of the portal authenticated client will be recorded as MAC authentication information on the RADIUS server.

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

Examples

# Configure the device to ignore 802.1X and MAC authentication failures in service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] client-security ignore-authentication
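The MAC authentication fallback described under client url-redirect enable and under client-security ignore-authentication can be traced with this added Python model, which is not H3C code: a RADIUS server that only knows a client's MAC address after a successful portal login, and a service template with one of the two features enabled. The class names, the portal URL and the credential store are constructed for this illustration.

```python
"""Model of RADIUS-based MAC authentication with portal fallback, following
the client url-redirect enable and client-security ignore-authentication
descriptions. Added illustration, not H3C code; server, template and
event names are constructed for this example."""
from dataclasses import dataclass, field

PORTAL_URL = "https://portal.example.test/login"   # assumed redirect target


@dataclass
class RadiusServer:
    users: dict                                     # username -> password
    known_macs: set = field(default_factory=set)    # MACs recorded by the server

    def mac_auth(self, mac):
        # MAC authentication passes only if the server already has the MAC.
        return mac in self.known_macs

    def portal_auth(self, mac, user, pwd):
        if self.users.get(user) == pwd:
            self.known_macs.add(mac)   # server records the MAC on portal success
            return True
        return False


@dataclass
class ServiceTemplate:
    url_redirect: bool = False            # client url-redirect enable
    ignore_authentication: bool = False   # client-security ignore-authentication


def connect(st, server, mac, creds=None):
    """One connection attempt by a client; returns (result, event trace)."""
    events = ["mac-auth"]
    if server.mac_auth(mac):
        events.append("mac-auth-pass")
        return "online", events
    events.append("mac-auth-fail")
    if st.ignore_authentication:
        # Failure is ignored and portal authentication is performed instead.
        events.append("portal-auth")
        if creds and server.portal_auth(mac, *creds):
            events.append("portal-auth-pass")
            return "online", events
        events.append("portal-auth-fail")
        return "denied", events
    if st.url_redirect:
        events.append(f"redirect {PORTAL_URL}")
        if creds and server.portal_auth(mac, *creds):
            # The server now holds the MAC and sends a DM to log the client
            # off; the next connection passes MAC authentication directly.
            events.append("portal-auth-pass")
            events.append("dm-logoff")
            return "logged-off", events
        events.append("portal-auth-fail")
        return "denied", events
    return "denied", events
```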

client-security ignore-authorization

Use client-security ignore-authorization to configure the device to ignore the authorization information received from the authentication server (a RADIUS server or the local device).

Use undo client-security ignore-authorization to restore the default.

Syntax

client-security ignore-authorization

undo client-security ignore-authorization

Default

The device uses the authorization information from the server.

Views

Service template view

Predefined user roles

network-admin

Usage guidelines

After a client passes RADIUS or local authentication, the server performs authorization based on the authorization attributes configured for the user account. For example, the server might assign a VLAN to the client. If you do not want to apply server-assigned authorization attributes to clients, configure the device to ignore the authorization information from the server.

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

Examples

# Configure the device to ignore the authorization information from the authentication server for service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] client-security ignore-authorization

display dot1x

Use display dot1x to display information about 802.1X.

Syntax

display dot1x [ sessions | statistics ] [ ap ap-name [ radio radio-id ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

sessions: Displays 802.1X session information.

statistics: Displays 802.1X statistics.

ap ap-name: Specifies an AP by its name, a case-sensitive string of 1 to 64 characters. The string can contain letters, digits, underscores (_), left brackets ([), right brackets (]), forward slashes (/), and hyphens (-).

radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by AP model. If you do not specify a radio, this command displays 802.1X information for all radios on the specified AP.

Usage guidelines

If you do not specify the sessions keyword or the statistics keyword, this command displays all information about 802.1X, including session information, statistics, and settings.

Examples

# Display all information about 802.1X.

<Sysname> display dot1x

 Global 802.1X parameters:

   802.1X authentication                      : Enabled

   M-LAG member configuration conflict        : Unknown

   EAP authentication                         : Enabled

   Max-tx period                              : 30 s

   Handshake period                           : 15 s

   Offline detect period                      : 300 s

   Quiet timer                                : Disabled

         Quiet period                         : 60 s

   Supp timeout                               : 30 s

   Server timeout                             : 100 s

   Reauth period                              : 3600 s

   Max auth requests                          : 2

   SmartOn supp timeout                       : 30 s

   SmartOn retry counts                       : 3

   User aging period for Auth-Fail VLAN       : 1000 s

   User aging period for critical VLAN        : 1000 s

   User aging period for guest VLAN           : 1000 s

   EAD assistant function                     : Disabled

       URL                                    : http://www.dwsoft.com

       Free IP                                : 6.6.6.0         255.255.255.0

       EAD timeout                            : 30 min

   Domain delimiter                           : @

   Max EAP-TLS fragment (to-server)           : 400 bytes

 Online 802.1X wired users                    : 1

 Online 802.1X wireless users                 : 1

 

AP name: AP1  Radio ID: 1  SSID: wlan_dot1x_ssid

   BSSID                      : 1111-1111-1111

   802.1X authentication      : Enabled

   Handshake                  : Enabled

   Handshake security         : Disabled

   Periodic reauth            : Disabled

   Mandatory auth domain      : Not configured

   Max online users           : 256

 

   EAPOL packets: Tx 3, Rx 3

   Sent EAP Request/Identity packets : 1

        EAP Request/Challenge packets: 1

        EAP Success packets: 1

        EAP Failure packets: 0

   Received EAPOL Start packets : 1

        EAPOL LogOff packets: 1

        EAP Response/Identity packets : 1

        EAP Response/Challenge packets: 1

        Error packets: 0

   Online 802.1X users: 1

          MAC address         Auth state

          0001-0000-0002      Authenticated
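To review this output at scale, the following added Python example (not H3C code) parses the display dot1x text above into the global parameters and one record per AP radio, then flags radio settings worth a second look. The embedded sample is a subset of the output shown above; the audit rules are this example's assumptions.

```python
"""Parser and audit for the plain-text output of display dot1x. Added
example, not H3C code; SAMPLE is a constructed subset of the output shown
on this page and the audit rules are this example's own."""
import re

SAMPLE = """\
 Global 802.1X parameters:
   802.1X authentication                      : Enabled
   EAP authentication                         : Enabled
   Handshake period                           : 15 s
   Reauth period                              : 3600 s
   Max auth requests                          : 2
   Max EAP-TLS fragment (to-server)           : 400 bytes
 Online 802.1X wireless users                 : 1

AP name: AP1  Radio ID: 1  SSID: wlan_dot1x_ssid
   BSSID                      : 1111-1111-1111
   802.1X authentication      : Enabled
   Handshake                  : Enabled
   Handshake security         : Disabled
   Periodic reauth            : Disabled
   Max online users           : 256
"""

KV = re.compile(r"^\s*(.+?)\s*:\s*(.*?)\s*$")
AP_HDR = re.compile(r"^AP name:\s*(\S+)\s+Radio ID:\s*(\d+)\s+SSID:\s*(\S+)")


def _value(text):
    """'30 s' -> 30, 'Enabled' -> True, 'Disabled' -> False, else the raw string."""
    m = re.fullmatch(r"(\d+)(?:\s*(s|min|bytes))?", text)
    if m:
        return int(m.group(1))
    return {"Enabled": True, "Disabled": False}.get(text, text)


def parse_display_dot1x(text):
    """Return {'global': {...}, 'radios': [{'ap', 'radio', 'ssid', ...}, ...]}."""
    result = {"global": {}, "radios": []}
    current = result["global"]
    for line in text.splitlines():
        if not line.strip():
            continue
        hdr = AP_HDR.match(line)
        if hdr:
            # Each 'AP name: ... Radio ID: ... SSID: ...' line opens a radio record.
            current = {"ap": hdr.group(1), "radio": int(hdr.group(2)),
                       "ssid": hdr.group(3)}
            result["radios"].append(current)
            continue
        kv = KV.match(line)
        if kv and kv.group(2):        # skip section headers such as 'Global ...:'
            current[kv.group(1)] = _value(kv.group(2))
    return result


def audit(parsed):
    """List per-radio settings a reviewer would want to look at."""
    findings = []
    for r in parsed["radios"]:
        where = f"{r['ap']}/radio {r['radio']}/{r['ssid']}"
        if r.get("802.1X authentication") is False:
            findings.append(f"{where}: 802.1X authentication disabled")
        if r.get("Handshake") and r.get("Handshake security") is False:
            findings.append(f"{where}: handshake enabled without handshake security")
        if r.get("Periodic reauth") is False:
            findings.append(f"{where}: periodic reauthentication disabled")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_display_dot1x(SAMPLE)):
        print(finding)
```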

Table 1 Command output

Field

Description

Global 802.1X parameters

Global 802.1X configuration.

802.1X authentication

Whether 802.1X is enabled globally.

M-LAG member configuration conflict

This field is not supported in the current software version.

M-LAG member configuration check result:

·     Conflicted—The configuration on one M-LAG member device conflicts with that on the other M-LAG member device.

·     Not conflicted—The configuration on one M-LAG member device does not conflict with that on the other M-LAG member device.

·     Unknown—The system cannot detect whether the configuration on one M-LAG member device conflicts with that on the other M-LAG member device.

CHAP authentication

Performs EAP termination and uses CHAP to communicate with the RADIUS server.

EAP authentication

Relays EAP packets and supports any of the EAP authentication methods to communicate with the RADIUS server.

PAP authentication

Performs EAP termination and uses PAP to communicate with the RADIUS server.

Max-tx period

Username request timeout timer in seconds.

Handshake period

Handshake timer in seconds.

Offline detect period

Offline detect timer in seconds.

Quiet timer

Status of the quiet timer, enabled or disabled.

Quiet period

Quiet timer in seconds.

Supp timeout

Client timeout timer in seconds.

Server timeout

Server timeout timer in seconds.

Reauth period

Periodic reauthentication timer in seconds.

Max auth requests

Maximum number of attempts for sending an authentication request to a client.

SmartOn switch ID

This field is not supported in the current software version.

Switch ID for SmartOn authentication.

SmartOn supp timeout

This field is not supported in the current software version.

SmartOn client timeout timer in seconds.

User aging period for Auth-Fail VLAN

Aging timer in seconds for users in Auth-Fail VLANs.

User aging period for critical VLAN

Aging time for users in the critical VLAN.

User aging period for guest VLAN

This field is not supported in the current software version.

Aging time for users in the guest VLAN.

EAD assistant function

Whether EAD assistant is enabled.

URL

Redirect URL for unauthenticated users using a Web browser to access the network.

Free IP

Network segment accessible to unauthenticated users.

EAD timeout

EAD rule timer in minutes.

Domain delimiter

Domain delimiters supported by the device.

Max EAP-TLS fragment (to-server)

Maximum size of EAP-TLS fragments sent in authentication packets to the server.

If no maximum size is set, this field displays N/A.

Online 802.1X wired users

Number of wired online 802.1X users, including users that have passed 802.1X authentication and users that are performing 802.1X authentication.

Online 802.1X wireless users

Number of wireless online 802.1X users, including users that have passed 802.1X authentication and users that are performing 802.1X authentication.

AP name

AP name.

Radio ID

Radio ID.

SSID

SSID.

BSSID

BSSID.

802.1X authentication

Whether 802.1X authentication is enabled on the port.

Handshake

Whether the online user handshake feature is enabled on the port.

Handshake security

Whether the online user handshake security feature is enabled on the port.

Periodic reauth

Whether 802.1X periodic reauthentication is enabled on the port.

Mandatory auth domain

Mandatory authentication domain on the port.

Max online users

Maximum number of concurrent 802.1X users on the port.

EAPOL packets

Number of sent (Tx) and received (Rx) EAPOL packets.

Sent EAP Request/Identity packets

Number of sent EAP-Request/Identity packets.

EAP Request/Challenge packets

Number of sent EAP-Request/MD5-Challenge packets.

EAP Success packets

Number of sent EAP-Success packets.

EAP Failure packets

Number of sent EAP-Failure packets.

Received EAPOL Start packets

Number of received EAPOL-Start packets.

EAPOL LogOff packets

Number of received EAPOL-LogOff packets.

EAP Response/Identity packets

Number of received EAP-Response/Identity packets.

EAP Response/Challenge packets

Number of received EAP-Response/MD5-Challenge packets.

Error packets

Number of received error packets.

Online 802.1X users

Number of online 802.1X users on the port, including users that have passed 802.1X authentication and users that are performing 802.1X authentication.

MAC address

MAC addresses of the online 802.1X users.

Auth state

Authentication status of the online 802.1X users.

display dot1x connection

Use display dot1x connection to display information about online 802.1X users.

Syntax

display dot1x connection [ ap ap-name [ radio radio-id ] | slot slot-number | user-mac mac-address | user-name name-string ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ap ap-name: Specifies an AP by its name, a case-sensitive string of 1 to 64 characters. The string can contain letters, digits, underscores (_), left brackets ([), right brackets (]), forward slashes (/), and hyphens (-). If you do not specify an AP, this command displays information about online 802.1X users for all APs.

radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by AP model. If you do not specify a radio, this command displays information about online 802.1X users for all radios on the specified AP.

slot slot-number: Specifies a cloud cluster member device by its member ID. If you do not specify a member device, this command displays online 802.1X user information for all member devices.

user-mac mac-address: Specifies an 802.1X user by MAC address. The mac-address argument represents the MAC address of the user, in the form of H-H-H. If you do not specify an 802.1X user, this command displays all online 802.1X user information.

user-name name-string: Specifies an 802.1X user by its name. The name-string argument represents the username, a case-sensitive string of 1 to 253 characters. If you do not specify an 802.1X user, this command displays all online 802.1X user information.

Examples

# Display information about all online 802.1X users.

<Sysname> display dot1x connection

Total connections: 1

 

Slot ID: 1

User MAC address                : 0015-e9a6-7cfe

AP name                         : ap1

Radio ID                        : 1

SSID                            : wlan_dot1x_ssid

BSSID                           : 0015-e9a6-7cf0

User name                       : ias

Anonymous username              : test

Authentication domain           : 1

IPv4 address                    : 192.168.1.1

IPv6 address                    : 2000:0:0:0:1:2345:6789:abcd

Authentication method           : CHAP

Initial VLAN                    : 1

Authorization VLAN              : N/A

Authorization ACL number        : 3001

Authorization user profile      : N/A

Authorization CAR               : N/A

Authorization URL               : http://oauth.h3c.com

Authorization IPv6 URL          : N/A

Termination action              : Default

Session timeout last from       : 2023/05/30 17:32:42

Session timeout period          : 86400 s

Online from                     : 2023/05/30 11:20:41

Online duration                 : 6h 18m 39s

Table 2 Command output

Field

Description

Total connections

Number of online 802.1X users.

User MAC address

MAC address of the user.

AP name

Name of the AP with which the user is associated.

Radio ID

ID of the radio with which the user is associated.

SSID

SSID with which the user is associated.

BSSID

ID of the BSS with which the user is associated.

User name

Username of the user.

Anonymous username

Anonymous username of the user.

If no anonymous username is configured, this field displays N/A.

Authentication domain

ISP domain used for 802.1X authentication.

IPv4 address

IPv4 address of the user.

If the device does not get the IPv4 address of the user, this field is not available.

IPv6 address

IPv6 address of the user.

If the device does not get the IPv6 address of the user, this field is not available.

Authentication method

EAP message handling method:

·     CHAP—Performs EAP termination and uses CHAP to communicate with the RADIUS server.

·     EAP—Relays EAP packets and supports any of the EAP authentication methods to communicate with the RADIUS server.

·     PAP—Performs EAP termination and uses PAP to communicate with the RADIUS server.

Initial VLAN

VLAN to which the user belongs before 802.1X authentication.

Authorization VLAN

Authorized VLAN.

Authorization ACL number

Number of the ACL authorized to the user.

If no authorization ACL has been assigned, this field displays N/A.

If the ACL authorization fails, this field displays (Not effective) next to the ACL.

Authorization user profile

User profile authorized to the user.

Authorization CAR

Authorization CAR attributes assigned by the server.

·     Average input rate—Average rate of inbound traffic in kbps.

·     Peak input rate—Peak rate of inbound traffic in kbps.

·     Average output rate—Average rate of outbound traffic in kbps.

·     Peak output rate—Peak rate of outbound traffic in kbps.

If the device fails to assign the CAR attributes to the user, the Authorization CAR field displays (NOT effective).

If the server does not assign the peak rates, the peak rates by default are the same as the assigned average rates. In the current software version, the device does not support exclusive assignment of peak rates from the server.

If no authorization CAR attributes are assigned, this field displays N/A.

Authorization URL

Redirect URL authorized to the user.

Authorization IPv6 URL

Redirect IPv6 URL authorized to the user.

Termination action

Action attribute assigned by the server to terminate the user session:

·     Default—Logs off the online authenticated 802.1X user when the server-assigned session timeout timer expires. This attribute does not take effect when 802.1X periodic reauthentication is enabled and the periodic reauthentication timer is shorter than the server-assigned session timeout timer.

·     Radius-request—Reauthenticates the online user when the server-assigned session timeout timer expires, regardless of whether the 802.1X periodic reauthentication feature is enabled or not.

If the device performs local authentication, this field displays Default.

Session timeout last from

Time when the session timed out.

Session timeout period

Session timeout timer assigned by the server.

The session will be deleted after the timer expires. The action that will be taken on the user depends on the value of the Termination action field.

Online from

Time from which the 802.1X user came online.

Online duration

Online duration of the 802.1X user.

display mac-authentication

Use display mac-authentication to display MAC authentication settings and statistics.

Syntax

display mac-authentication [ ap ap-name [ radio radio-id ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ap ap-name: Specifies an AP by its name, a case-sensitive string of 1 to 64 characters. The string can contain letters, digits, underscores (_), left brackets ([), right brackets (]), forward slashes (/), and hyphens (-).

radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by device model. If you do not specify a radio, this command displays MAC authentication information for all radios on the specified AP.

Usage guidelines

If you do not specify any parameters, this command displays all MAC authentication information including the global settings, port-specific settings, MAC authentication statistics, and online user statistics.

Examples

# Display all MAC authentication settings and statistics.

<Sysname> display mac-authentication

Global MAC authentication parameters:

   MAC authentication                         : Enabled

   Authentication method                      : PAP

   M-LAG member configuration conflict        : Unknown

   Username format                            : MAC address in lowercase(xx-xx-xx-xx-xx-xx)

           Username                           : mac

           Password                           : Not configured

   MAC range accounts                         : 0

            MAC address          Mask                 Username

   Offline detect period                      : 300 s

   Quiet period                               : 60 s

   Server timeout                             : 100 s

   Reauth period                              : 3600 s

   User aging period for critical VLAN        : 1000 s

   User aging period for guest VLAN           : 1000 s

   Authentication domain                      : Not configured, use default domain

   HTTP proxy port list                       : Not configured

   HTTPS proxy port list                      : Not configured

   Online MAC-auth wired users                : 0

   Online MAC-auth wireless users             : 1

 

 Silent MAC users:

          MAC address       VLAN ID  From port               Port index

 

 AP name: AP1  Radio ID: 1  SSID: wlan_maca_ssid

   BSSID                      : 1111-1111-1111

 MAC authentication           : Enabled

   Authentication domain      : Not configured

   Max online users           : 256

   Authentication attempts    : successful 1, failed 0

   Current online users       : 2

          MAC address       Auth state

          0001-0000-0002    Authenticated

          0001-0000-0003    Unauthenticated

Table 3 Command output

Field

Description

Global MAC authentication parameters

Global MAC authentication parameters.

MAC authentication

Whether MAC authentication is enabled.

Authentication method

MAC authentication method:

·     CHAP.

·     PAP.

M-LAG member configuration conflict

This field is not supported in the current software version.

M-LAG member configuration check result:

·     Conflicted—The configuration on one M-LAG member device conflicts with that on the other M-LAG member device.

·     Not conflicted—The configuration on one M-LAG member device does not conflict with that on the other M-LAG member device.

·     Unknown—The system cannot detect whether the configuration on one M-LAG member device conflicts with that on the other M-LAG member device.

Username format

User account type: MAC-based or shared.

·     If MAC-based accounts are used, this field displays the format settings for the username. For example, MAC address in lowercase(xx-xx-xx-xx-xx-xx) indicates that the MAC address is in hexadecimal notation and is separated into six sections by hyphens (-). The letters in the MAC address are in lower case.

·     If a shared account is used, this field displays Fixed account.

Username

Username for MAC authentication.

·     If MAC-based accounts are used, this field displays mac.

·     If a shared account is used, this field displays the username of the shared account for MAC authentication users. By default, the username is mac.

Password

Password for MAC authentication.

·     If the MAC address of each user is used as the password, this field displays Not configured.

·     If a shared account is used, this field displays a string of asterisks (******).

MAC range accounts

List of MAC authentication accounts within the MAC address range.

Mask

MAC address mask.

Username

MAC authentication username.

Offline detect period

Offline detect timer in seconds.

Quiet period

Quiet timer in seconds.

Server timeout

Server timeout timer in seconds.

Reauth period

Periodic reauthentication timer in seconds.

User aging period for critical VLAN

Aging timer in seconds for users in critical VLANs.

User aging period for guest VLAN

This field is not supported in the current software version.

Aging timer in seconds for users in guest VLANs.

Authentication domain

Authentication domain for MAC authentication users specified in system view.

If no authentication domain is specified, this field displays Not configured, use default domain.

HTTP proxy port list

This field is not supported in the current software version.

HTTP proxy server port list.

HTTPS proxy port list

This field is not supported in the current software version.

HTTPS proxy server port list.

Online MAC-auth wired users

This field is not supported in the current software version.

Number of wired online MAC authentication users, including users that have passed MAC authentication and users that are performing MAC authentication.

Online MAC-auth wireless users

Number of wireless online MAC authentication users, including users that have passed MAC authentication and users that are performing MAC authentication.

Silent MAC users

Information about silent MAC addresses, including MAC addresses that have failed MAC authentication and MAC addresses that have been assigned the blackhole MAC attribute from the RADIUS server.

MAC address

Silent MAC address.

VLAN ID

ID of the VLAN to which the silent MAC address belongs.

From port

Name of the port that marks the MAC address as a silent MAC address.

Port index

Index of the port that marks the MAC address as a silent MAC address.

MAC authentication

Status of MAC authentication on the port:

·     Enabled.

·     Enabled (but NOT effective)—MAC authentication is enabled, but the device does not have available ACL resources.

·     Disabled.

Authentication domain

MAC authentication domain specified for the port.

Max online users

Maximum number of concurrent online users allowed on the port.

Authentication attempts: successful 1, failed 0

MAC authentication statistics, including the number of successful and unsuccessful authentication attempts.

MAC address

MAC address of the online user.

Auth state

User status:

·     Authenticated—The user has passed MAC authentication.

·     Unauthenticated—The user has not passed MAC authentication.

display mac-authentication connection

Use display mac-authentication connection to display information about online MAC authentication users.

Syntax

display mac-authentication connection [ ap ap-name [ radio radio-id ] | slot slot-number | user-mac mac-address | user-name user-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ap ap-name: Specifies an AP by its name, a case-sensitive string of 1 to 64 characters. The string can contain letters, digits, underscores (_), left brackets ([), right brackets (]), forward slashes (/), and hyphens (-). If you do not specify an AP, this command displays information about online MAC authentication users for all APs.

radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by device model. If you do not specify a radio, this command displays information about online MAC authentication users for all radios on the specified AP.

slot slot-number: Specifies a cloud cluster member device by its member ID. If you do not specify a member device, this command displays information about online MAC authentication users for all member devices.

user-mac mac-address: Specifies an online MAC authentication user by its MAC address. The mac-address argument represents the MAC address of the user, in the form of H-H-H. If you do not specify an online MAC authentication user, this command displays all online MAC authentication user information.

user-name user-name: Specifies an online MAC authentication user by its username. The user name is a case-sensitive string of 1 to 55 characters, and it can include the domain name. If you do not specify an online MAC authentication user, this command displays all online MAC authentication user information.

Examples

# Display information about all online MAC authentication users.

<Sysname> display mac-authentication connection

Total connections: 1

Slot ID: 0

User MAC address              : 0015-e9a6-7cfe

AP name                       : ap1

Radio ID                      : 1

SSID                          : wlan_dot1x_ssid

BSSID                         : 0015-e9a6-7cf0

User name                     : ias

Authentication domain         : 1

Initial VLAN                  : 1

Authorization VLAN            : 100

Authorization ACL number      : 3001

Authorization user profile    : N/A

Authorization CAR             : N/A

Authorization URL             : N/A

Authorization IPv6 URL        : N/A

Termination action            : Radius-request

Session timeout last from     : 2023/05/30 17:32:42

Session timeout period        : 86400 s

Online from                   : 2023/05/30 11:20:41

Online duration               : 6h 18m 39s

Table 4 Command output

Field

Description

Total connections

Total number of online MAC authentication users.

User MAC address

MAC address of the user.

Access interface

Interface through which the user accesses the device.

AP name

Name of the AP with which the user is associated.

Radio ID

ID of the radio with which the user is associated.

SSID

SSID with which the user is associated.

BSSID

ID of the BSS with which the user is associated.

Authentication domain

Name of the ISP domain used for authentication.

Initial VLAN

VLAN that holds the user before authentication.

Authorization VLAN

Authorized VLAN.

Authorization ACL number

Number of the ACL authorized to the user.

If no authorization ACL has been assigned, this field displays N/A.

If the ACL authorization fails, this field displays (Not effective) next to the ACL.

Authorization user profile

User profile authorized to the user.

Authorization CAR

Authorization CAR attributes assigned by the server.

·     Average input rate—Average rate of inbound traffic in kbps.

·     Peak input rate—Peak rate of inbound traffic in kbps.

·     Average output rate—Average rate of outbound traffic in kbps.

·     Peak output rate—Peak rate of outbound traffic in kbps.

If the device fails to assign the CAR attributes to the user, the Authorization CAR field displays (NOT effective).

If the server does not assign the peak rates, the peak rates by default are the same as the assigned average rates. In the current software version, the device does not support exclusive assignment of peak rates from the server.

If no authorization CAR attributes are assigned, this field displays N/A.

Authorization URL

Redirect URL authorized to the user.

Authorization IPv6 URL

Redirect IPv6 URL authorized to the user.

Termination action

Action attribute assigned by the server to terminate the user session:

·     Default—Logs off the online authenticated user when the server-assigned session timeout timer expires.

·     Radius-request—Reauthenticates the online user when the server-assigned session timeout timer expires.

If the device performs local authentication, this field displays Default.

Session timeout last from

Time when the session timed out.

Session timeout period

Session timeout timer assigned by the server.

The session will be deleted after the timer expires. The action that will be taken on the user depends on the value of the Termination action field.

Online from

Time from which the MAC authentication user came online.

Online duration

Online duration of the MAC authentication user.
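The (Not effective) and (NOT effective) markers in the Authorization ACL number and Authorization CAR fields of Tables 2 and 4 are easy to overlook in a long listing, yet a user shown with them is online without the restriction the server assigned. The following Python example is added here and is not H3C code: it parses the Field : value records that display dot1x connection and display mac-authentication connection print (both use the same layout), copies the Slot ID header into each record, checks the parsed count against the Total connections header, and lists every user whose authorization was not applied. The sample output is constructed for the example, modelled on the outputs shown above, and is not a capture from a real device.

```python
import re

# Constructed sample modelled on the display dot1x connection output shown in
# this reference (not a capture from a real device). The second record carries
# the "(Not effective)" / "(NOT effective)" markers described in Tables 2 and 4.
SAMPLE_OUTPUT = """\
Total connections: 2

Slot ID: 1
User MAC address                : 0015-e9a6-7cfe
AP name                         : ap1
Radio ID                        : 1
SSID                            : wlan_dot1x_ssid
BSSID                           : 0015-e9a6-7cf0
User name                       : ias
Authentication domain           : 1
IPv4 address                    : 192.168.1.1
IPv6 address                    : 2000:0:0:0:1:2345:6789:abcd
Authentication method           : CHAP
Initial VLAN                    : 1
Authorization VLAN              : N/A
Authorization ACL number        : 3001
Authorization CAR               : N/A
Termination action              : Default
Session timeout period          : 86400 s

Slot ID: 1
User MAC address                : 0015-e9a6-7d01
AP name                         : ap1
Radio ID                        : 1
SSID                            : wlan_dot1x_ssid
BSSID                           : 0015-e9a6-7cf0
User name                       : bob
Authentication domain           : 1
Authentication method           : EAP
Initial VLAN                    : 1
Authorization VLAN              : 100
Authorization ACL number        : 3002 (Not effective)
Authorization CAR               : (NOT effective)
Termination action              : Radius-request
Session timeout period          : 3600 s
"""

INEFFECTIVE = re.compile(r"\(not effective\)", re.IGNORECASE)


def parse_connections(text):
    """Turn the "Field : value" listing into one dict per user.

    A record starts at each "User MAC address" line; the preceding "Slot ID"
    header is copied into the record. Values are taken after the first colon
    only, so IPv6 addresses and timestamps survive intact."""
    records, current, slot = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Total connections":
            continue
        if key == "Slot ID":
            slot = value
            continue
        if key == "User MAC address":
            current = {"Slot ID": slot}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def declared_total(text):
    """Value of the Total connections header, or None if it is absent."""
    m = re.search(r"^Total connections:\s*(\d+)", text, re.MULTILINE)
    return int(m.group(1)) if m else None


def ineffective_authorizations(records):
    """List (MAC, field, value) for every authorization attribute the device
    could not apply. Such a user is online without the server-assigned
    restriction, which deserves an alert rather than a footnote."""
    findings = []
    for rec in records:
        for key, value in rec.items():
            if key.startswith("Authorization") and INEFFECTIVE.search(value):
                findings.append((rec["User MAC address"], key, value))
    return findings


if __name__ == "__main__":
    recs = parse_connections(SAMPLE_OUTPUT)
    print(f"parsed {len(recs)} of {declared_total(SAMPLE_OUTPUT)} declared connections")
    for mac, field, value in ineffective_authorizations(recs):
        print(f"ALERT {mac}: {field} = {value}")
```

Feeding the output of a scheduled display dot1x connection or display mac-authentication connection run through this parser gives a simple periodic check that authorization is actually in force for every online user; a mismatch between the declared total and the parsed count is also worth flagging, since it usually means the listing was truncated or the format changed.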

display wlan statistics accounting

Use display wlan statistics accounting to display RADIUS accounting packet statistics about wireless clients.

Syntax

display wlan statistics accounting

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display RADIUS accounting packet statistics about wireless clients.

<Sysname> display wlan statistics accounting

Account start request         : 1

Account start response        : 1

Account update request        : 3

Account update response       : 3

Account stop request          : 1

Account stop response         : 1

Table 5 Command output

Field

Description

Account start request

Number of sent RADIUS start-accounting request packets.

Account start response

Number of received RADIUS start-accounting response packets.

Account update request

Number of sent RADIUS real-time accounting request packets.

Account update response

Number of received RADIUS real-time accounting response packets.

Account stop request

Number of sent RADIUS stop-accounting request packets.

Account stop response

Number of received RADIUS stop-accounting response packets.

dot1x authentication-method

Use dot1x authentication-method to specify an EAP message handling method.

Use undo dot1x authentication-method to restore the default.

Syntax

dot1x authentication-method { chap | eap | pap }

undo dot1x authentication-method

Default

The access device performs EAP relay and uses EAP to communicate with the RADIUS server.

Views

System view

Predefined user roles

network-admin

Parameters

chap: Configures the access device to perform Extensible Authentication Protocol (EAP) termination and use the Challenge Handshake Authentication Protocol (CHAP) to communicate with the RADIUS server.

eap: Configures the access device to relay EAP packets and support any of the EAP authentication methods to communicate with the RADIUS server.

pap: Configures the access device to perform EAP termination and use the Password Authentication Protocol (PAP) to communicate with the RADIUS server.

Usage guidelines

The access device terminates or relays EAP packets.

·     In EAP termination mode—The access device re-encapsulates and sends the authentication data from the client in standard RADIUS packets to the RADIUS server. The device performs either CHAP or PAP authentication with the RADIUS server. In this mode, the RADIUS server supports only MD5-Challenge EAP authentication and the username and password EAP authentication initiated by an iNode client.

      ○     PAP transports usernames and passwords in plain text, so it is suitable only for scenarios that do not require high security. To use PAP, the client can be an iNode 802.1X client.

      ○     CHAP transports usernames in plain text and passwords in encrypted form over the network. CHAP is more secure than PAP.

·     In EAP relay mode—The access device relays EAP messages between the client and the RADIUS server. The EAP relay mode supports multiple EAP authentication methods, such as MD5-Challenge, EAP-TLS, and PEAP. To use this mode, make sure the RADIUS server meets the following requirements:

      ○     Supports the EAP-Message and Message-Authenticator attributes.

      ○     Uses the same EAP authentication method as the client.

If this mode is used, the user-name-format command configured in RADIUS scheme view does not take effect. For more information about the user-name-format command, see "AAA commands."

If RADIUS authentication is used, you must configure the access device to use the same authentication method (PAP, CHAP, or EAP) as the RADIUS server.
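To make the difference between the two EAP termination methods concrete, here is an added Python model of what the access device hands to the RADIUS server in each case. It is not H3C code and does not describe how the device is implemented; it assumes a small constructed user store standing in for the RADIUS server, uses the MD5-Challenge computation of RFC 3748 (which reuses the CHAP algorithm of RFC 1994) and the CHAP-Password and CHAP-Challenge attribute layout of RFC 2865, and leaves out RADIUS packet framing and the shared-secret hiding of User-Password. The point it shows is the one the guidelines make: with CHAP termination the password itself never leaves the client, only a challenge response does, whereas with PAP termination the password value is what the device forwards.

```python
import hashlib
import hmac
import os

# Constructed user store standing in for the RADIUS server's user database.
USER_DB = {"alice": b"correct horse battery"}


def md5_challenge_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """EAP-Response/MD5-Challenge value (RFC 3748 section 5.4), which reuses the
    CHAP algorithm of RFC 1994 section 4.1: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def terminate_to_chap(username: str, identifier: int, challenge: bytes, response: bytes) -> dict:
    """EAP termination, CHAP: the device re-packages the client's MD5-Challenge
    response as RADIUS CHAP-Password (RFC 2865 section 5.3: one-octet CHAP Ident
    followed by the 16-octet response) and sends the challenge in CHAP-Challenge
    (section 5.40). The password itself never appears in these attributes."""
    return {
        "User-Name": username,
        "CHAP-Password": bytes([identifier]) + response,
        "CHAP-Challenge": challenge,
    }


def terminate_to_pap(username: str, password: bytes) -> dict:
    """EAP termination, PAP: the device forwards the password value itself in
    User-Password. (RFC 2865 section 5.2 hides User-Password with the RADIUS
    shared secret on the wire; that layer is not modelled here.)"""
    return {"User-Name": username, "User-Password": password}


def radius_verify(attrs: dict, user_db: dict) -> bool:
    """Server side: recompute the CHAP response from the stored password, or
    compare the PAP password directly. Constant-time compares in both paths."""
    stored = user_db.get(attrs.get("User-Name"))
    if stored is None:
        return False
    if "CHAP-Password" in attrs:
        ident = attrs["CHAP-Password"][0]
        expected = md5_challenge_response(ident, stored, attrs["CHAP-Challenge"])
        return hmac.compare_digest(expected, attrs["CHAP-Password"][1:])
    if "User-Password" in attrs:
        return hmac.compare_digest(stored, attrs["User-Password"])
    return False


def carries_password(attrs: dict, password: bytes) -> bool:
    """True if the password value is present verbatim in any attribute."""
    return any(v == password for v in attrs.values() if isinstance(v, bytes))


def run_chap(username, client_password, user_db=USER_DB, challenge=None, identifier=1):
    """Whole CHAP-terminated exchange: device challenges, client answers with
    MD5-Challenge, device converts, server verifies. Returns (accepted, attrs)."""
    challenge = os.urandom(16) if challenge is None else challenge
    response = md5_challenge_response(identifier, client_password, challenge)  # client side
    attrs = terminate_to_chap(username, identifier, challenge, response)        # device side
    return radius_verify(attrs, user_db), attrs                                  # server side


def run_pap(username, client_password, user_db=USER_DB):
    """Whole PAP-terminated exchange. Returns (accepted, attrs)."""
    attrs = terminate_to_pap(username, client_password)
    return radius_verify(attrs, user_db), attrs


if __name__ == "__main__":
    pw = b"correct horse battery"
    ok, a = run_chap("alice", pw)
    print("CHAP accepted:", ok, "| password in RADIUS attributes:", carries_password(a, pw))
    ok, a = run_pap("alice", pw)
    print("PAP accepted: ", ok, "| password in RADIUS attributes:", carries_password(a, pw))
```

The model also makes the interoperability constraint visible: in CHAP termination the server must hold the password in a form from which it can recompute MD5(Identifier || secret || challenge), which is why the guidelines restrict termination mode to MD5-Challenge and the iNode username/password method and require the device and server to agree on PAP, CHAP, or EAP.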

Examples

# Enable the access device to terminate EAP packets and perform PAP authentication with the RADIUS server.

<Sysname> system-view

[Sysname] dot1x authentication-method pap

Related commands

display dot1x

dot1x domain

Use dot1x domain to specify an authentication domain for 802.1X clients in a service template.

Use undo dot1x domain to restore the default.

Syntax

dot1x domain domain-name

undo dot1x domain

Default

No authentication domain is specified for 802.1X clients in a service template.

Views

Service template view

Predefined user roles

network-admin

Parameters

domain-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters.

Usage guidelines

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

802.1X chooses an authentication domain for WLAN clients in the following order:

1.     The authentication domain specified by using this command in service template view.

2.     The domain included in the username.

3.     The default authentication domain specified by using the domain default enable command.

Examples

# Specify ISP domain my-domain as the authentication domain for 802.1X clients in service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] dot1x domain my-domain

dot1x domain-delimiter

Use dot1x domain-delimiter to specify a set of domain name delimiters supported by the device.

Use undo dot1x domain-delimiter to restore the default.

Syntax

dot1x domain-delimiter string

undo dot1x domain-delimiter

Default

The device supports only the at sign (@) delimiter for 802.1X users.

Views

System view

Predefined user roles

network-admin

Parameters

string: Specifies a set of 1 to 16 domain name delimiters for 802.1X users. No space is required between delimiters. Available delimiters include the at sign (@), backslash (\), dot (.), and forward slash (/). If you want to use backslash (\) as the domain name delimiter, you must enter the escape character (\) along with the backslash (\) sign.

Usage guidelines

Any character in the configured set can be used as the domain name delimiter for 802.1X authentication users. Usernames that include domain names can use the format of username@domain-name, domain-name\username, username.domain-name, or username/domain-name.

The delimiter set you configured overrides the default setting. If the at sign (@) is not included in the delimiter set, the device does not support the 802.1X users that use this sign as the domain name delimiter.

If a username string contains multiple configured delimiters, the device takes the rightmost delimiter in the username string as the domain name delimiter. For example, if you configure the forward slash (/), dot (.), and backslash (\) as delimiters, the domain name delimiter for the username string 121.123/22\@abc is the backslash (\). The username is @abc and the domain name is 121.123/22.
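The two rules above, the domain selection order documented under dot1x domain and the rightmost-delimiter rule documented here, are easy to get wrong when predicting which ISP domain a client will land in. The following Python example is added here and is not H3C code: split_username applies the delimiter rule (including the reversed domain-name\username form for the backslash), and select_domain applies the selection order, reporting which rule decided. It assumes the domain names passed in are the configured service-template domain and the domain default enable domain; it does not check that a domain actually exists on the device, and it reproduces the 121.123/22\@abc case from the text.

```python
def split_username(name: str, delimiters: str = "@"):
    """Split a username into (username, domain) using the rightmost configured
    delimiter, as the dot1x domain-delimiter usage guidelines describe.
    Returns (name, None) when no configured delimiter occurs; the default
    delimiter set is the at sign only."""
    idx = max(name.rfind(d) for d in delimiters) if delimiters else -1
    if idx < 0:
        return name, None
    if name[idx] == "\\":
        # domain-name\username form: the domain is on the left.
        return name[idx + 1:], name[:idx]
    # username@domain-name, username.domain-name, username/domain-name forms.
    return name[:idx], name[idx + 1:]


def select_domain(name: str, template_domain=None, default_domain=None, delimiters: str = "@"):
    """Return (domain, source) following the order documented for dot1x domain:
    the service template domain first, then the domain carried in the username,
    then the default domain set with domain default enable. source names the
    rule that decided; domain is None if none of the three applies."""
    if template_domain:
        return template_domain, "service template"
    _, user_domain = split_username(name, delimiters)
    if user_domain:
        return user_domain, "username"
    return default_domain, "default domain"


if __name__ == "__main__":
    # The case from the usage guidelines: delimiters / . \ configured.
    print(split_username("121.123/22\\@abc", "/.\\"))      # ('@abc', '121.123/22')
    print(select_domain("alice@corp", template_domain="my-domain", default_domain="system"))
    print(select_domain("alice@corp", default_domain="system"))
    print(select_domain("alice@corp", default_domain="system", delimiters="/"))
```

The last call shows the caveat in the guidelines: once the delimiter set no longer contains the at sign, alice@corp is treated as a whole username with no domain, so the client falls through to the default domain rather than to corp.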

Examples

# Specify the at sign (@) and forward slash (/) as domain name delimiters.

<Sysname> system-view

[Sysname] dot1x domain-delimiter @/

Related commands

display dot1x

dot1x eap

Use dot1x eap to specify the EAP mode for 802.1X authentication.

Use undo dot1x eap to restore the default.

Syntax

dot1x eap { extended | standard }

undo dot1x eap

Default

The EAP mode is standard for 802.1X authentication.

Views

Service template view

Predefined user roles

network-admin

Parameters

extended: Specifies the extended EAP mode. This mode requires the device to interact with clients according to the provisions and packet format defined by the proprietary EAP protocol.

standard: Specifies the standard EAP mode. This mode requires the device to interact with clients according to the provisions and packet format defined by the standard EAP protocol.

Usage guidelines

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

When you use this command, specify the extended keyword for iNode clients and the standard keyword for other clients.

This command is required only when an IMC server is used as the RADIUS server.

Examples

# Set the EAP mode to extended for service template 1.

<Sysname> system-view

[Sysname] wlan service-template 1

[Sysname-wlan-st-1] dot1x eap extended

dot1x eap-termination authentication-method

Use dot1x eap-termination authentication-method to enable EAP termination in a service template and specify the authentication method between the device and the authentication server.

Use undo dot1x eap-termination authentication-method to restore the default.

Syntax

dot1x eap-termination authentication-method { chap | pap }

undo dot1x eap-termination authentication-method

Default

CHAP is used.

Views

Service template view

Predefined user roles

network-admin

Parameters

chap: Specifies the CHAP authentication method.

pap: Specifies the PAP authentication method.

Usage guidelines

A client will fail authentication in EAP relay mode if the authentication server does not support the authentication method used by the client. To avoid authentication failure, use this command to enable EAP termination in the service template for that client and specify an authentication method for the device to communicate with the authentication server.

Use this command in a service template if that service template has clients that use the PEAP-GTC authentication method. With this feature, the device performs EAP termination for all clients in the service template.

Examples

# Enable EAP termination in service template service1 and specify PAP as the authentication method between the device and the authentication server.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] dot1x eap-termination authentication-method pap

dot1x eap-termination eap-profile

Use dot1x eap-termination eap-profile to specify an EAP profile for 802.1X EAP termination.

Use undo dot1x eap-termination eap-profile to restore the default.

Syntax

dot1x eap-termination eap-profile eap-profile-name

undo dot1x eap-termination eap-profile

Default

No EAP profile is specified for EAP termination.

Views

Service template view

Predefined user roles

network-admin

Parameters

eap-profile-name: Specifies an EAP profile by its name, a case-insensitive string of 1 to 32 characters. The EAP profile must already exist.

Usage guidelines

A client will fail authentication in EAP relay mode if the RADIUS server does not support the authentication method used by the client. To avoid authentication failure, use this command to enable the device to terminate the EAP packets received from the client and encapsulate the client authentication information in standard RADIUS packets.

Set the EAP authentication method to PEAP-GTC in the specified EAP profile.

As a best practice, use this command in a service template only if all clients of that service template use the PEAP-GTC authentication method. Clients in the service template that use other authentication methods will fail authentication.

Examples

# Specify EAP profile gtcprofile for EAP termination in service template srvtmp1.

<Sysname> system-view

[Sysname] wlan service-template srvtmp1

[Sysname-wlan-st-srvtmp1] dot1x eap-termination eap-profile gtcprofile

Related commands

eap-profile

method

ssl-server-policy (Security Command Reference)

dot1x handshake enable

Use dot1x handshake enable to enable the 802.1X online user handshake feature.

Use undo dot1x handshake enable to disable the 802.1X online user handshake feature.

Syntax

dot1x handshake enable

undo dot1x handshake enable

Default

The 802.1X online user handshake feature is disabled.

Views

Service template view

Predefined user roles

network-admin

Usage guidelines

The online user handshake feature examines the connection status of an online 802.1X client by sending a unicast EAP-Request/Identity message to that client at intervals. The device sets a client to the offline state if it does not receive a response from that client after it has made the maximum number of handshake attempts. To set the handshake interval (handshake timer), use the dot1x timer handshake-period command. To set the maximum number of handshake attempts, use the dot1x retry command.

The device does not respond to a client after it receives handshake responses from that client. Some clients might initiate reauthentication or go offline if they do not receive the device's responses to their handshake responses. If your network has such clients, disable the online user handshake feature as needed.

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

The online user handshake feature might cause some wireless clients to go offline. If such wireless clients exist, disable this feature as a best practice.

Examples

# Enable the online user handshake feature for 802.1X clients in service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] dot1x handshake enable

Related commands

dot1x handshake secure enable

dot1x retry

dot1x timer handshake-period

dot1x handshake secure enable

Use dot1x handshake secure enable to enable the 802.1X online user handshake security feature.

Use undo dot1x handshake secure enable to disable the 802.1X online user handshake security feature.

Syntax

dot1x handshake secure enable

undo dot1x handshake secure enable

Default

The 802.1X online user handshake security feature is disabled.

Views

Service template view

Predefined user roles

network-admin

Usage guidelines

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

For the 802.1X online user handshake security feature to take effect, you must enable the 802.1X online user handshake feature.

The online user handshake security feature protects only authenticated online 802.1X clients.

Examples

# Enable the 802.1X online user handshake security feature in service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] dot1x handshake enable

[Sysname-wlan-st-service1] dot1x handshake secure enable

Related commands

dot1x handshake enable

dot1x max-user

Use dot1x max-user to set the maximum number of concurrent 802.1X clients that a service template supports on a radio.

Use undo dot1x max-user to restore the default.

Syntax

dot1x max-user count

undo dot1x max-user

Default

A service template permits a maximum of 512 concurrent 802.1X clients to access the network on a radio.

Views

Service template view

Predefined user roles

network-admin

Parameters

count: Specifies the maximum number of concurrent 802.1X clients. The value range is 1 to 512.

Usage guidelines

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

This setting takes effect on a per-radio basis. If the number of 802.1X clients of the service template reaches the limit on a radio, no additional 802.1X clients can access the network through the service template on that radio.

Examples

# In service template service1, set the maximum number of concurrent 802.1X clients on a radio to 32.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] dot1x max-user 32

dot1x re-authenticate enable

Use dot1x re-authenticate enable to enable the 802.1X periodic online user reauthentication feature.

Use undo dot1x re-authenticate enable to disable the 802.1X periodic online user reauthentication feature.

Syntax

dot1x re-authenticate enable

undo dot1x re-authenticate enable

Default

The 802.1X periodic online user reauthentication feature is disabled.

Views

Service template view

Predefined user roles

network-admin

Usage guidelines

Periodic reauthentication enables the device to periodically authenticate online 802.1X clients in a service template. This feature checks the connection status of online clients and updates the authorization attributes assigned by the server, such as the ACL, VLAN, and user profile.

To configure the interval for reauthentication, use the dot1x timer reauth-period command.

If the server assigns a session timeout timer (Session-Timeout attribute) and a termination action (Termination-Action attribute) to a client, the server-assigned settings might take effect on the client instead of the template configuration. To view the server-assigned Session-Timeout and Termination-Action values for a client, execute the display dot1x connection command.

·     If the termination action is Default (logoff), periodic online user reauthentication on the template takes effect only when the periodic reauthentication timer is shorter than the server-assigned session timeout timer.

·     If the termination action is Radius-request, the periodic online user reauthentication configuration on the template does not take effect. The device reauthenticates the online 802.1X client when the server-assigned session timeout timer expires.

If no session timeout timer is assigned by the server, whether the device performs periodic 802.1X reauthentication depends on the periodic reauthentication configuration on the device.

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

The periodic reauthentication feature might cause some wireless clients to go offline. If such wireless clients exist, disable this feature as a best practice.

Examples

# Enable the 802.1X periodic online user reauthentication feature in service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] dot1x re-authenticate enable

Related commands

dot1x timer

dot1x retry

Use dot1x retry to set the maximum number of attempts for sending an authentication request to a client.

Use undo dot1x retry to restore the default.

Syntax

dot1x retry retries

undo dot1x retry

Default

A maximum of 10 attempts are made to send an authentication request to a client.

Views

System view

Predefined user roles

network-admin

Parameters

retries: Specifies the maximum number of attempts for sending an authentication request to a client. The value range is 1 to 10.

Usage guidelines

The access device retransmits an authentication request (the EAP-Request/MD5-Challenge packet) to a client if the device does not receive any response from the client within the client timeout interval. This interval is set by using the dot1x timer supp-timeout supp-timeout-value command.

The access device stops retransmitting the request if it has made the maximum number of transmission attempts and still received no response.

Examples

# Set the maximum number of attempts to 9 for sending an authentication request to a client.

<Sysname> system-view

[Sysname] dot1x retry 9

Related commands

display dot1x

dot1x timer

dot1x timer

Use dot1x timer to set an 802.1X timer.

Use undo dot1x timer to restore the default of an 802.1X timer.

Syntax

dot1x timer { ead-timeout ead-timeout-value | handshake-period handshake-period-value | quiet-period quiet-period-value | reauth-period reauth-period-value | server-timeout server-timeout-value | supp-timeout supp-timeout-value | user-aging { auth-fail-vlan | critical-vlan | guest-vlan } aging-time-value }

undo dot1x timer { ead-timeout | handshake-period | quiet-period | reauth-period | server-timeout | supp-timeout | user-aging { auth-fail-vlan | critical-vlan | guest-vlan } }

Default

The following 802.1X timers apply:

·     EAD rule timer: 30 minutes.

·     Handshake timer: 15 seconds.

·     Quiet timer: 60 seconds.

·     Periodic reauthentication timer: 3600 seconds.

·     Server timeout timer: 100 seconds.

·     Client timeout timer: 2 seconds.

·     User aging timers for all applicable types of 802.1X VLANs: 1000 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

ead-timeout ead-timeout-value: Sets the EAD rule timer in minutes. The value range for the ead-timeout-value argument is 1 to 1440.

handshake-period handshake-period-value: Sets the handshake timer in seconds. The value range for the handshake-period-value argument is 5 to 1024.

quiet-period quiet-period-value: Sets the quiet timer in seconds. The value range for the quiet-period-value argument is 10 to 120.

reauth-period reauth-period-value: Sets the periodic reauthentication timer in seconds. The value range for the reauth-period-value argument is 60 to 7200.

server-timeout server-timeout-value: Sets the server timeout timer in seconds. The value range for the server-timeout-value argument is 100 to 300.

supp-timeout supp-timeout-value: Sets the client timeout timer in seconds. The value range for the supp-timeout-value argument is 1 to 120.

user-aging: Sets the user aging timer for a type of 802.1X VLAN.

auth-fail-vlan: Specifies 802.1X Auth-Fail VLANs.

critical-vlan: Specifies 802.1X critical VLANs.

guest-vlan: Specifies 802.1X guest VLANs.

aging-time-value: Sets the user aging timer. The value range is 60 to 2147483647 seconds.

Usage guidelines

The network device uses the following 802.1X timers:

·     EAD rule timer (ead-timeout)—Sets the lifetime of each EAD rule. When the timer expires or the user passes authentication, the rule is removed. If users fail to download the EAD client or fail to pass authentication before the timer expires, they must reconnect to the network to access the free IP.

·     Handshake timer (handshake-period)—Sets the interval at which the access device sends client handshake requests to check the online status of a client that has passed authentication. If the device does not receive a response after sending the maximum number of handshake requests, it considers that the client has logged off.

·     Quiet timer (quiet-period)—Starts when a client fails authentication. The access device must wait the time period before it can process the authentication attempts from the client.

·     Periodic reauthentication timer (reauth-period)—Sets the interval at which the network device periodically reauthenticates online 802.1X users. To enable 802.1X periodic reauthentication on a port, use the dot1x re-authenticate command.

·     Server timeout timer (server-timeout)—Starts when the access device sends a RADIUS Access-Request packet to the authentication server. If no response is received when this timer expires, the 802.1X authentication fails.

To avoid forced logoff before the server timeout timer expires, set the server timeout timer to a value that is lower than or equal to the product of the following values:

¡     The maximum number of RADIUS packet transmission attempts set by using the retry command in RADIUS scheme view.

¡     The RADIUS server response timeout timer set by using the timer response-timeout command in RADIUS scheme view.

For information about setting the maximum number of RADIUS packet transmission attempts and the RADIUS server response timeout timer, see AAA configuration in User Access and Authentication Configuration Guide.

·     Client timeout timer (supp-timeout)—Starts when the access device sends an EAP-Request/MD5-Challenge packet to a client. If no response is received when this timer expires, the access device retransmits the request to the client.

·     User aging timer (user-aging)—Sets the amount of time that a user can stay in a type of VLAN.

¡     When the access control mode is port-based, the device starts the timer after a port joins an auth-fail VLAN or critical VLAN. After the timer expires, the port leaves the VLAN.

¡     When the access control mode is MAC-based, the device starts the timer after a user joins an auth-fail VLAN, critical VLAN, or guest VLAN. After the timer expires, the user leaves the VLAN.

The timer takes effect after you enable unauthenticated user aging by using the dot1x unauthenticated-user aging enable command.

In most cases, the default settings are sufficient. You can edit the timers, depending on the network conditions.

The change to the periodic reauthentication timer applies to the users that have been online only after the old timer expires. Other timer changes take effect immediately on the device.

Examples

# Set the server timeout timer to 150 seconds.

<Sysname> system-view

[Sysname] dot1x timer server-timeout 150

Related commands

display dot1x

dot1x unauthenticated-user aging enable

retry

timer response-timeout (RADIUS scheme view)
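Added example, not code from the H3C reference: a small offline sanity check in Python that applies the rules stated in the dot1x re-authenticate enable guidelines (which timer governs reauthentication once the server assigns Session-Timeout and Termination-Action) and in the dot1x timer guidelines (documented value ranges and the server-timeout bound of retry × response-timeout, which the mac-authentication timer guidelines state in the same form). The RADIUS scheme values and client settings are constructed samples, and the handshake latency estimate assumes one attempt per handshake period.

```python
"""Offline sanity check for 802.1X timer settings on an H3C WLAN service
template. Added example; the numeric ranges and defaults are the ones the
command reference documents, all other values are constructed samples."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Value ranges (seconds) from the dot1x timer parameter descriptions.
DOT1X_RANGES = {
    "handshake-period": (5, 1024),
    "quiet-period": (10, 120),
    "reauth-period": (60, 7200),
    "server-timeout": (100, 300),
    "supp-timeout": (1, 120),
}


@dataclass
class Dot1xTimers:
    """Device-side 802.1X timers; field defaults are the documented defaults."""
    handshake_period: int = 15
    quiet_period: int = 60
    reauth_period: int = 3600
    server_timeout: int = 100
    supp_timeout: int = 2
    retry: int = 10          # dot1x retry (system view), default 10


@dataclass
class RadiusScheme:
    """retry and timer response-timeout from RADIUS scheme view.
    Constructed sample values; see the AAA configuration guide for defaults."""
    retry: int
    response_timeout: int


def range_errors(t: Dot1xTimers) -> List[str]:
    """Report every timer that lies outside its documented range."""
    values = {
        "handshake-period": t.handshake_period,
        "quiet-period": t.quiet_period,
        "reauth-period": t.reauth_period,
        "server-timeout": t.server_timeout,
        "supp-timeout": t.supp_timeout,
    }
    errs = []
    for name, v in values.items():
        lo, hi = DOT1X_RANGES[name]
        if not lo <= v <= hi:
            errs.append(f"{name}={v} outside {lo}..{hi}")
    if not 1 <= t.retry <= 10:
        errs.append(f"retry={t.retry} outside 1..10")
    return errs


def server_timeout_ok(t: Dot1xTimers, scheme: RadiusScheme) -> bool:
    """dot1x timer guideline: server-timeout <= retry * response-timeout of the
    RADIUS scheme. If the bound is violated the client can be logged off while
    the device is still retransmitting the Access-Request to the server."""
    return t.server_timeout <= scheme.retry * scheme.response_timeout


def governing_reauth(reauth_enabled: bool, t: Dot1xTimers,
                     session_timeout: Optional[int],
                     termination_action: str = "Default") -> Tuple[str, Optional[int]]:
    """Decide which reauthentication behaviour applies to an online client,
    following the dot1x re-authenticate enable guidelines.
    Returns (mode, interval_in_seconds)."""
    if session_timeout is None:
        # No server-assigned Session-Timeout: only the device configuration counts.
        return ("periodic", t.reauth_period) if reauth_enabled else ("none", None)
    if termination_action == "Radius-request":
        # Template setting is ignored; the device reauthenticates when the
        # server-assigned session timeout timer expires.
        return ("server-session", session_timeout)
    # Termination-Action Default (logoff): periodic reauthentication takes
    # effect only if its timer is shorter than the server-assigned one.
    if reauth_enabled and t.reauth_period < session_timeout:
        return ("periodic", t.reauth_period)
    return ("logoff-at-session-timeout", session_timeout)


def handshake_offline_latency(t: Dot1xTimers) -> int:
    """Approximate worst-case delay before a silent client is marked offline by
    the online user handshake feature: up to dot1x retry EAP-Request/Identity
    attempts, assumed to be spaced one handshake period apart."""
    return t.handshake_period * t.retry


if __name__ == "__main__":
    timers = Dot1xTimers(reauth_period=1800, server_timeout=150)
    scheme = RadiusScheme(retry=3, response_timeout=3)   # constructed sample
    print("range errors:", range_errors(timers))
    print("server-timeout within retry*response-timeout:",
          server_timeout_ok(timers, scheme))
    print("client with Session-Timeout=3600, Default action:",
          governing_reauth(True, timers, 3600, "Default"))
    print("silent client detected offline after ~%d s" % handshake_offline_latency(timers))
```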

fail-permit enable

Use fail-permit enable to enable authentication fail-permit.

Use undo fail-permit enable to disable authentication fail-permit.

Syntax

fail-permit enable [ keep-online | url-user-logoff ] [ always-service ]

undo fail-permit enable

Default

Authentication fail-permit is disabled.

Views

Service template view

Predefined user roles

network-admin

Parameters

keep-online: Allows online fail-permit users to stay online when an authentication fail-permit event occurs. If you do not specify this keyword, the device disconnects online fail-permit users when an authentication fail-permit event occurs.

url-user-logoff: Logs off a MAC authentication user when an authentication fail-permit event occurs after the user is redirected to the specified URL. This keyword is applicable only to clients that use MAC authentication.

always-service: Enables a wireless service template to continue to provide wireless services to clients when an authentication fail-permit event occurs, regardless of whether a fail-permit service template is configured. If you specify neither this keyword nor a fail-permit service template, the wireless service template continues to provide wireless services to Bypass or MAC authentication clients when an authentication fail-permit event occurs. If you do not specify this keyword but have configured a fail-permit service template, the wireless service template stops providing wireless services to Bypass or MAC authentication clients when an authentication fail-permit event occurs. This keyword takes effect only on MAC authentication and Bypass authentication clients.

Usage guidelines

Application scenarios

Authentication fail-permit (also called fail-open) allows 802.1X, MAC authentication, and Bypass clients to access the network after the AC disconnects from the RADIUS server or the AP. When either event occurs, the AP continues to provide access services and forward traffic for those clients.

Operating mechanism

The impact of an authentication fail-permit event on clients differs depending on their authentication method and depending on whether a fail-permit service template has been configured.

·     Bypass clients:

¡     If you execute the fail-permit template command and the fail-permit enable command without the always-service keyword, the Bypass clients will be logged off. To access the network, the Bypass clients must manually reconnect to the SSID in the preconfigured fail-permit service template.

¡     If you do not execute the fail-permit template command or execute the fail-permit enable always-service command, the Bypass clients can continue to access the network with the existing service template without interruption.

·     MAC authentication clients:

¡     If you execute the fail-permit template command and the fail-permit enable command without the always-service keyword, the MAC authentication clients will be logged off. To access the network, the MAC authentication clients must manually reconnect to the SSID in the preconfigured fail-permit service template.

¡     If you do not execute the fail-permit template command or execute the fail-permit enable always-service command, the MAC authentication clients can continue to access the network with the existing service template after a transient interruption. In this situation, the clients will be logged off and then automatically connected to the network.

·     The 802.1X clients will be logged off. To access the network, the 802.1X clients must manually reconnect to the SSID in a preconfigured fail-permit service template.

When you configure authentication fail-permit for clients, follow these restrictions and guidelines:

·     Enable authentication fail-permit in the service template to be protected.

·     Configure another service template as the fail-permit service template to be used when authentication fail-permit occurs.

Prerequisites

For authentication fail-permit to take effect, perform the following steps:

1.     Execute the radius-server test-profile command to configure a RADIUS test profile to test the reachability of the RADIUS server.

In the profile, set the interval for sending detection packets as needed. The shorter the interval is, the quicker the response to the change will be.

2.     Apply the profile to the RADIUS server in the RADIUS scheme for the authentication ISP domain.

Fail-permit will occur when the RADIUS server is determined to be unreachable.

For more information about configuring RADIUS test profiles, see AAA configuration in User Access and Authentication Configuration Guide.

Recommended configuration

In some network environments, URL redirection is enabled to redirect a MAC authentication user to a specified authentication webpage URL such as AD Campus for user authentication. If an authentication fail-permit event occurs after the user is redirected to the URL, the user might remain in the authentication state because the RADIUS server cannot be reached. To resolve the issue, you can specify the url-user-logoff keyword to log off the user, so that the user can access the fail-permit network again by reconnecting.

A radio can be bound to only one fail-permit service template. When an authentication fail-permit event occurs, clients on multiple wireless service templates enabled with the fail-permit feature might come online on the same fail-permit service template, resulting in WLAN experience degradation. To resolve this issue, you can specify the always-service keyword when executing this command on a wireless service template that uses the MAC or Bypass authentication.

Restrictions and guidelines

The fail-permit enable command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

The fail-permit enable command is mutually exclusive with the fail-permit template command in the same service template.

If no keyword is specified, users will be logged off when a fail-permit event occurs.

Examples

# Enable authentication fail-permit in a WLAN service template.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] fail-permit enable

Related commands

client url-redirect enable

fail-permit template

fail-permit template

Use fail-permit template to specify a service template as a fail-permit service template.

Use undo fail-permit template to remove the fail-permit attribute of a fail-permit service template.

Syntax

fail-permit template

undo fail-permit template

Default

No service templates are specified as fail-permit service templates.

Views

Service template view

Predefined user roles

network-admin

Usage guidelines

You can use this command for the following purposes:

·     Authentication fail-permit—To use the authentication fail-permit feature for clients associated with one service template, specify another service template as a fail-permit service template. If the protected service template has 802.1X clients, you must specify a fail-permit service template. This requirement is optional for other types of authentication clients. For more information about the authentication fail-permit feature, see the usage guidelines for the fail-permit enable command.

·     5G radio silence fail-permit—Allows an AP to move the clients of a service template on a 5G radio to a different 5G radio for network access when radio silence is imposed on the former radio.

You can execute the fail-permit template command only when the service template is disabled, and it takes effect after the service template is enabled.

The fail-permit template command is mutually exclusive with the fail-permit enable command in the same service template.

To ensure a successful fail-permit, follow these restrictions and guidelines:

·     Enable APs to forward client data traffic in the fail-permit service template by using the client forwarding-location command.

·     If APs are configured as the authenticator in a service template by using the client-security authentication-location command, the authenticator in the fail-permit service template of this service template must also be APs.

Use the following guidelines when you configure an authentication fail-permit service template:

·     As a best practice, configure only one fail-permit service template for clients on an AP. If you configure multiple fail-permit service templates, the first one displayed in the display wlan bss all command output takes effect.

·     To ensure a successful fail-permit for clients, set the AKM mode to PSK or do not specify any AKM mode in the fail-permit service template.

Use the following guidelines when you configure a 5G silence fail-permit service template for 5G clients:

·     Specify one 5G silence fail-permit service template for each 5G service template on a 5G radio. These 5G silence fail-permit service templates must contain the same settings as their protected 5G service templates except that the protected 5G service templates cannot contain the fail-permit template command.

·     Bind a 5G silence fail-permit service template to a different radio than its protected 5G service template on the same AP.

Examples

# Specify a service template as a fail-permit service template.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] fail-permit template

Related commands

akm mode

fail-permit enable

mac-authentication authentication-method

Use mac-authentication authentication-method to specify an authentication method for MAC authentication.

Use undo mac-authentication authentication-method to restore the default.

Syntax

mac-authentication authentication-method pap

undo mac-authentication authentication-method

Default

The device uses PAP for MAC authentication.

Views

System view

Predefined user roles

network-admin

Parameters

pap: Configures the access device to use the Password Authentication Protocol (PAP) to communicate with the RADIUS server.

Usage guidelines

RADIUS-based MAC authentication supports the PAP authentication method, which transports usernames and passwords in plain text. This authentication method applies to scenarios that do not require high security.

Examples

# Configure the device to use PAP for MAC authentication.

<Sysname> system-view

[Sysname] mac-authentication authentication-method pap

Related commands

display mac-authentication

mac-authentication domain

Use mac-authentication domain to specify an authentication domain for MAC authentication clients in a service template.

Use undo mac-authentication domain to restore the default.

Syntax

mac-authentication domain domain-name

undo mac-authentication domain

Default

The system default authentication domain is used. For more information about the default authentication domain, see the domain default enable command in "AAA commands."

Views

System view

Service template view

Predefined user roles

network-admin

Parameters

domain-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters.

Usage guidelines

The ISP domain specified in system view takes effect on all wireless service templates enabled with MAC authentication.

The ISP domain specified in wireless service template view takes effect only on the template. You can specify different ISP domains for different wireless service templates.

You can specify an ISP domain for a wireless service template only when the template is disabled. MAC authentication users accessing the WLAN through a wireless service template select an ISP domain in the following order: the ISP domain specified in wireless service template view, the ISP domain specified in system view, and then the system default ISP domain.

Examples

# In system view, specify ISP domain domain1 for MAC authentication clients.

<Sysname> system-view

[Sysname] mac-authentication domain domain1

# Specify ISP domain my-domain as the authentication domain for MAC authentication clients in service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] mac-authentication domain my-domain

mac-authentication max-user

Use mac-authentication max-user to set the maximum number of concurrent MAC authentication clients that a service template supports on a radio.

Use undo mac-authentication max-user to restore the default.

Syntax

mac-authentication max-user count

undo mac-authentication max-user

Default

A service template permits a maximum of 4096 concurrent MAC authentication clients to access the network on a radio.

Views

Service template view

Predefined user roles

network-admin

Parameters

count: Specifies the maximum number of concurrent MAC authentication clients. The value range for this argument is 1 to 4096.

Usage guidelines

This command is configurable when the service template is disabled, and it takes effect after the service template is enabled.

This command takes effect on a per-radio basis. If the number of MAC authentication clients of a service template reaches the limit on a radio, no additional MAC authentication clients can access the network through the service template on that radio.

Examples

# Configure service template service1 to support a maximum of 32 concurrent MAC authentication clients on a radio.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] mac-authentication max-user 32

mac-authentication timer

Use mac-authentication timer to configure a MAC authentication timer.

Use undo mac-authentication timer to restore the default of a MAC authentication timer.

Syntax

mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | reauth-period reauth-period-value | server-timeout server-timeout-value | user-aging { critical-vlan | guest-vlan } aging-time-value }

undo mac-authentication timer { offline-detect | quiet | reauth-period | server-timeout | user-aging { critical-vlan | guest-vlan } }

Default

The following MAC authentication timers apply:

·     The offline detect timer is 300 seconds.

·     The quiet timer is 60 seconds.

·     The global periodic MAC reauthentication timer is 3600 seconds.

·     The server timeout timer is 100 seconds.

·     User aging timer for a type of access-limited VLAN for MAC authentication: 1000 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

offline-detect offline-detect-value: Sets the offline detect timer. The value range is 60 to 2147483647 seconds.

quiet quiet-value: Sets the quiet timer. The value range is 1 to 3600 seconds.

reauth-period reauth-period-value: Sets the global periodic MAC reauthentication timer. The value range is 60 to 7200 seconds.

server-timeout server-timeout-value: Sets the server timeout timer. The value range is 100 to 300 seconds.

user-aging: Sets the user aging timer for a type of MAC authentication VLAN.

critical-vlan: Specifies MAC authentication critical VLANs.

guest-vlan: Specifies MAC authentication guest VLANs.

aging-time-value: Sets the user aging timer. The value range is 60 to 2147483647 seconds.

Usage guidelines

MAC authentication uses the following timers:

·     Offline detect timer—Sets the interval that the device must wait for traffic from a user before the device determines that the user is idle. If the device has not received traffic from a user before the timer expires, the device logs off that user and requests the accounting server to stop accounting for the user. This timer takes effect only when the MAC authentication offline detection feature is enabled.

As a best practice, set the MAC address aging timer to the same value as the offline detect timer. This operation prevents a MAC authenticated user from being logged off within the offline detect interval because of MAC address entry expiration.

·     Quiet timer—Sets the interval that the device must wait before the device can perform MAC authentication for a user that has failed MAC authentication. All packets from the MAC address are dropped during the quiet time. This quiet mechanism prevents repeated authentication from affecting system performance.

·     Periodic MAC reauthentication timer—Sets the interval at which the device reauthenticates online MAC authentication users on a port if the port is enabled with periodic MAC reauthentication. A change to the global periodic reauthentication timer applies to online users only after the old timer expires.

·     Server timeout timer—Sets the interval that the device waits for a response from a RADIUS server before the device determines that the RADIUS server is unavailable. If the timer expires during MAC authentication, the user fails MAC authentication.

To avoid forced logoff before the server timeout timer expires, set the server timeout timer to a value that is lower than or equal to the product of the following values:

¡     The maximum number of RADIUS packet transmission attempts set by using the retry command in RADIUS scheme view.

¡     The RADIUS server response timeout timer set by using the timer response-timeout command in RADIUS scheme view.

For information about setting the maximum number of RADIUS packet transmission attempts and the RADIUS server response timeout timer, see AAA configuration in User Access and Authentication Configuration Guide.

·     User aging timer (user-aging)—Sets the user aging timer for a type of access-limited VLAN for MAC authentication.

If you enable user aging for authenticated MAC authentication users, you can set a user aging timer for MAC authentication critical or guest VLANs. The user aging timer for a type of access-limited VLAN for MAC authentication determines how long a user can stay in that type of VLAN.

For more information about how user aging operates, see the usage guidelines for the mac-authentication unauthenticated-user aging enable command.
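The server timeout guideline above (server timeout no greater than retry multiplied by response-timeout) is easy to get wrong when several RADIUS schemes exist. The following added check, not part of the H3C reference, reads a Comware-style configuration text and reports every scheme whose retry window is shorter than the configured MAC authentication server timeout. The command names come from this reference; the configuration layout, the sample values, and the fallback defaults of 3 attempts and 3 seconds for schemes that do not set them are assumptions to adjust for your release.

```python
import re

# Constructed sample of a Comware-style running configuration (assumed layout;
# the command names are those this reference refers to).
SAMPLE_CONFIG = """\
radius scheme corp-radius
 primary authentication 192.0.2.10
 retry 5
 timer response-timeout 30
#
radius scheme guest-radius
 primary authentication 192.0.2.20
 retry 2
 timer response-timeout 5
#
mac-authentication timer server-timeout 150
"""

# Assumed defaults for schemes that do not set retry / response-timeout
# explicitly; check the AAA configuration guide for your release.
DEFAULT_RETRY = 3
DEFAULT_RESPONSE_TIMEOUT = 3


def parse_radius_schemes(config: str) -> dict:
    """Return {scheme name: (retry, response_timeout)} from the configuration text."""
    schemes = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^radius scheme (\S+)", line)
        if m:
            current = m.group(1)
            schemes[current] = [DEFAULT_RETRY, DEFAULT_RESPONSE_TIMEOUT]
            continue
        if line.strip() == "#":
            current = None  # a "#" line closes the current view
            continue
        if current is None:
            continue
        m = re.match(r"^\s+retry (\d+)", line)
        if m:
            schemes[current][0] = int(m.group(1))
        m = re.match(r"^\s+timer response-timeout (\d+)", line)
        if m:
            schemes[current][1] = int(m.group(1))
    return {name: tuple(v) for name, v in schemes.items()}


def parse_server_timeout(config: str):
    """Return the configured MAC authentication server timeout in seconds, or None if unset."""
    m = re.search(r"^mac-authentication timer server-timeout (\d+)", config, re.M)
    return int(m.group(1)) if m else None


def check_server_timeout(config: str) -> list:
    """For every RADIUS scheme, compare retry x response-timeout with the server
    timeout. Returns (scheme, bound, server_timeout, ok) tuples; ok is False
    when the server timeout exceeds the scheme's retry window."""
    server_timeout = parse_server_timeout(config)
    findings = []
    if server_timeout is None:
        return findings
    for name, (retry, resp) in parse_radius_schemes(config).items():
        bound = retry * resp
        findings.append((name, bound, server_timeout, server_timeout <= bound))
    return findings


if __name__ == "__main__":
    for scheme, bound, timeout, ok in check_server_timeout(SAMPLE_CONFIG):
        status = "ok" if ok else "VIOLATION"
        print(f"{scheme}: server-timeout {timeout}s vs retry*response-timeout {bound}s -> {status}")
```

Run it against the output of display current-configuration saved to a file; a VIOLATION line means either the server timeout must be lowered or the scheme's retry or response-timeout raised until the guideline holds.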

Examples

# Set the server timeout timer to 150 seconds.

<Sysname> system-view

[Sysname] mac-authentication timer server-timeout 150

Related commands

display mac-authentication

mac-authentication guest-vlan auth-period

mac-authentication unauthenticated-user aging enable

retry

timer response-timeout (RADIUS scheme view)

mac-authentication user-name-format

Use mac-authentication user-name-format to configure the type of user accounts for MAC authentication users.

Use undo mac-authentication user-name-format to restore the default.

Syntax

mac-authentication user-name-format { fixed [ account name ] [ password { cipher | simple } string ] | mac-address [ { with-hyphen [ six-section | three-section ] | without-hyphen } [ lowercase | uppercase ] ] }

undo mac-authentication user-name-format

Default

The MAC address of each user is used as both the username and password for MAC authentication. The MAC addresses are in hexadecimal notation without hyphens, and letters are in lower case.

Views

System view

Predefined user roles

network-admin

Parameters

fixed: Uses a shared account for all MAC authentication users.

account name: Specifies the username for the shared account. The name is a case-sensitive string of 1 to 55 characters, excluding the at sign (@). If you do not specify a username, the default name mac applies.

mac-address: Uses MAC-based user accounts for MAC authentication users.

with-hyphen [ six-section | three-section ]: Includes hyphens in a MAC address. The six-section keyword specifies the six-section format. For example, xx-xx-xx-xx-xx-xx or XX-XX-XX-XX-XX-XX. The three-section keyword specifies the three-section format. For example, xxxx-xxxx-xxxx or XXXX-XXXX-XXXX. By default, the six-section format is used.

without-hyphen: Excludes hyphens from a MAC address, for example, xxxxxxxxxxxx.

lowercase: Specifies letters in lower case.

uppercase: Specifies letters in upper case.

Usage guidelines

If you specify the MAC-based user account format, the device uses the MAC address of a user as the username for MAC authentication of the user. This user account type ensures high authentication security. However, you must create on the authentication server a user account for each user, using the MAC address of the user as the username.

If you specify a shared user account, the device uses the specified username and password for MAC authentication of all users. Because all MAC authentication users use a single account for authentication, you only need to create one account on the authentication server. This user account type is suitable for trusted networks.
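Because MAC-based accounts must exist on the authentication server in exactly the format the device sends, the account format chosen here and the server's user database have to agree. The following added helper, not part of the H3C reference or any H3C tool, parses a mac-authentication user-name-format command line, fills in the defaults stated above, and renders each client MAC address as the username (and password) the device will send, so the account list can be generated from an inventory of client MAC addresses. The sample MAC addresses are constructed.

```python
import re

_SEPARATORS = re.compile(r"[-:.]")


def normalize_mac(mac: str) -> str:
    """Return the 12 hex digits of a MAC address in lower case.
    Accepts 00e0-fc12-3456, 00:e0:fc:12:34:56, 00-E0-FC-12-34-56 and 00e0fc123456."""
    digits = _SEPARATORS.sub("", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


def parse_user_name_format(command: str) -> dict:
    """Parse a mac-authentication user-name-format command line into its options,
    applying the defaults the reference states (six-section, lowercase, account name mac)."""
    tokens = command.split()
    if tokens[:2] != ["mac-authentication", "user-name-format"] or len(tokens) < 3:
        raise ValueError("not a mac-authentication user-name-format command")
    rest = tokens[2:]
    if rest[0] == "fixed":
        opts = {"mode": "fixed", "account": "mac", "password": None, "password_form": None}
        i = 1
        while i < len(rest):
            if rest[i] == "account" and i + 1 < len(rest):
                name = rest[i + 1]
                # 1 to 55 characters, at sign not allowed (per the parameter description)
                if not 1 <= len(name) <= 55 or "@" in name:
                    raise ValueError(f"invalid account name: {name!r}")
                opts["account"] = name
                i += 2
            elif rest[i] == "password" and i + 2 < len(rest) and rest[i + 1] in ("cipher", "simple"):
                opts["password_form"] = rest[i + 1]
                # A cipher string is the device's encrypted form; only a simple
                # (plaintext) password can be copied to the server from here.
                opts["password"] = rest[i + 2] if rest[i + 1] == "simple" else None
                i += 3
            else:
                raise ValueError(f"unexpected token {rest[i]!r}")
        return opts
    if rest[0] == "mac-address":
        opts = {"mode": "mac-address", "hyphen": "without-hyphen",
                "sections": "six-section", "case": "lowercase"}
        for tok in rest[1:]:
            if tok in ("with-hyphen", "without-hyphen"):
                opts["hyphen"] = tok
            elif tok in ("six-section", "three-section"):
                opts["sections"] = tok
            elif tok in ("lowercase", "uppercase"):
                opts["case"] = tok
            else:
                raise ValueError(f"unexpected token {tok!r}")
        return opts
    raise ValueError(f"unexpected token {rest[0]!r}")


def mac_auth_username(mac: str, opts: dict) -> str:
    """Render a MAC address as the device sends it under the given mac-address options."""
    digits = normalize_mac(mac)
    if opts["hyphen"] == "without-hyphen":
        name = digits
    elif opts["sections"] == "three-section":
        name = "-".join(digits[i:i + 4] for i in range(0, 12, 4))
    else:
        name = "-".join(digits[i:i + 2] for i in range(0, 12, 2))
    return name.upper() if opts["case"] == "uppercase" else name


def server_accounts(command: str, macs) -> list:
    """Return the (username, password) pairs the authentication server must hold:
    one pair per MAC for mac-address accounts, one shared pair for a fixed account."""
    opts = parse_user_name_format(command)
    if opts["mode"] == "fixed":
        return [(opts["account"], opts["password"])]
    return [(mac_auth_username(m, opts), mac_auth_username(m, opts)) for m in macs]


if __name__ == "__main__":
    inventory = ["00e0-fc12-3456", "00:E0:FC:AB:CD:EF"]  # constructed client MACs
    cmd = "mac-authentication user-name-format mac-address with-hyphen uppercase"
    for user, pwd in server_accounts(cmd, inventory):
        print(f"{user}\t{pwd}")
```

Note that with MAC-based accounts the password equals the username, so the server-side credential is only as secret as the client MAC address; the shared fixed account, as the guidelines say, is the option for trusted networks only.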

Examples

# Configure a shared account for MAC authentication users, setting the username to abc and the password to the plaintext string xyz.

<Sysname> system-view

[Sysname] mac-authentication user-name-format fixed account abc password simple xyz

# Use the MAC address of each user as both the username and password for MAC authentication. The MAC addresses are in hexadecimal notation without hyphens, and letters are in upper case.

<Sysname> system-view

[Sysname] mac-authentication user-name-format mac-address without-hyphen uppercase

Related commands

display mac-authentication

reset dot1x statistics

Use reset dot1x statistics to clear 802.1X statistics.

Syntax

reset dot1x statistics [ ap ap-name [ radio radio-id ] ]

Views

User view

Predefined user roles

network-admin

Parameters

ap ap-name: Specifies an AP by its name, a case-sensitive string of 1 to 64 characters. The string can contain letters, digits, underscores (_), left brackets ([), right brackets (]), forward slashes (/), and hyphens (-). If you do not specify an AP, this command clears statistics of 802.1X users for all APs.

radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by AP model. If you do not specify a radio, this command clears 802.1X statistics for all radios on the specified AP.

Examples

# Clear all 802.1X statistics.

<Sysname> reset dot1x statistics

Related commands

display dot1x

reset mac-authentication statistics

Use reset mac-authentication statistics to clear MAC authentication statistics.

Syntax

reset mac-authentication statistics [ ap ap-name [ radio radio-id ] ]

Views

User view

Predefined user roles

network-admin

Parameters

ap ap-name: Specifies an AP by its name, a case-sensitive string of 1 to 64 characters. The string can contain letters, digits, underscores (_), left brackets ([), right brackets (]), forward slashes (/), and hyphens (-). If you do not specify an AP, this command clears MAC authentication statistics for all APs.

radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by device model. If you do not specify a radio, this command clears MAC authentication statistics for all radios on the specified AP.

Examples

# Clear all MAC authentication statistics.

<Sysname> reset mac-authentication statistics

Related commands

display mac-authentication

wlan authentication optimization

Use wlan authentication optimization to configure a modifier to adjust the authentication success ratio and abnormal offline ratio for 802.1X authentication, MAC authentication, and Layer 2 portal authentication.

Use undo wlan authentication optimization to restore the default.

Syntax

wlan authentication optimization value

undo wlan authentication optimization

Default

The modifier is 0. The device does not adjust the authentication success ratio and abnormal offline ratio for 802.1X authentication, MAC authentication, and Layer 2 portal authentication.

Views

System view

Predefined user roles

network-admin

Parameters

value: Sets the modifier, in the range of 900 to 1000. The lower the value, the lower the authentication success ratio, and the higher the abnormal offline ratio.

Usage guidelines

The authentication success ratio is the ratio of authentication successes to the total number of authentications. The abnormal offline ratio is calculated by using the following formula:

Abnormal offline ratio = number of abnormal offline events/(number of online client authentication successes + number of current online users)

WLAN access authentication statistics optimization uses a modifier to adjust the authentication success ratio and abnormal offline ratio of 802.1X authentication, MAC authentication, and Layer 2 portal authentication.

The modifier takes effect only on RADIUS-based 802.1X authentication, MAC authentication, and Layer 2 portal authentication.

Examples

# Set the modifier to 950 to adjust the authentication success ratio and abnormal offline ratio of 802.1X authentication, MAC authentication, and Layer 2 portal authentication.

<Sysname> system-view

[Sysname] wlan authentication optimization 950

wlan client-security authentication clear-previous-connection

Use wlan client-security authentication clear-previous-connection to enable the clear-previous-connection feature for WLAN authentication.

Use undo wlan client-security authentication clear-previous-connection to disable the clear-previous-connection feature for WLAN authentication.

Syntax

wlan client-security authentication clear-previous-connection

undo wlan client-security authentication clear-previous-connection

Default

The clear-previous-connection feature is disabled for WLAN authentication.

Views

System view

Predefined user roles

network-admin

Usage guidelines

IMPORTANT:

When this feature is enabled, the 802.1X reauthentication, WLAN Auth-Fail VLAN, and WLAN critical VLAN features cannot take effect.

Some RADIUS servers refuse to authenticate a client if they still have an online user entry for that client. If such a server fails to remove the online user entry of a client that went offline abnormally, that client cannot be authenticated and come online again.

To resolve this issue, use the clear-previous-connection feature.

With this feature, the device checks the local online user entries before it sends an authentication request to the RADIUS server for an 802.1X or MAC authentication client. If an entry is found, the device removes the entry and sends a stop-accounting request to the RADIUS server. Upon receipt of the stop-accounting request, the RADIUS server removes the online user entry. Then, the client can be authenticated correctly.
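The message sequence above, with and without the feature, is shown in the following added model. It is not H3C code and not a RADIUS implementation: the server is reduced to a set of online user entries that causes an Access-Reject while an entry exists (the server behaviour the guidelines describe), and the controller to its local online entries plus the clear-previous-connection step. Message names follow RADIUS; the client MAC is constructed.

```python
class StickyRadiusServer:
    """Model of a RADIUS server that keeps an online user entry per client and
    rejects a new Access-Request while such an entry exists (the case this
    section describes; not a real server)."""

    def __init__(self):
        self.online_entries = set()

    def access_request(self, username: str) -> str:
        if username in self.online_entries:
            return "Access-Reject"
        self.online_entries.add(username)
        return "Access-Accept"

    def accounting_stop(self, username: str) -> None:
        # A stop-accounting request makes the server drop its online entry.
        self.online_entries.discard(username)


class AccessController:
    """Model of the device side: local online user entries plus, when enabled,
    the clear-previous-connection step performed before an authentication request."""

    def __init__(self, server: StickyRadiusServer, clear_previous_connection: bool = False):
        self.server = server
        self.clear_previous_connection = clear_previous_connection
        self.local_online = set()

    def authenticate(self, username: str) -> list:
        """Return the ordered list of RADIUS messages exchanged for this attempt."""
        exchange = []
        if self.clear_previous_connection and username in self.local_online:
            # Stale local entry found: remove it and tell the server first.
            self.local_online.discard(username)
            self.server.accounting_stop(username)
            exchange.append("Accounting-Stop")
        exchange.append("Access-Request")
        reply = self.server.access_request(username)
        exchange.append(reply)
        if reply == "Access-Accept":
            self.local_online.add(username)
        return exchange

    def logoff(self, username: str) -> None:
        """Normal logoff: both the local entry and the server entry are cleared."""
        self.local_online.discard(username)
        self.server.accounting_stop(username)

    def abnormal_offline(self, username: str) -> None:
        """Client disappears without logging off: nothing is cleaned up on either
        side, which is the stale-entry condition the feature addresses."""
        return None


CLIENT = "00e0fc123456"  # constructed client MAC used as the username


def reconnect_after_abnormal_offline(clear_previous_connection: bool) -> list:
    """Authenticate once, lose the client abnormally, then reconnect; return the
    reconnect exchange."""
    server = StickyRadiusServer()
    ac = AccessController(server, clear_previous_connection)
    ac.authenticate(CLIENT)
    ac.abnormal_offline(CLIENT)
    return ac.authenticate(CLIENT)


def reconnect_after_clean_logoff(clear_previous_connection: bool) -> list:
    """Same as above but with a normal logoff in between; the feature is not needed."""
    server = StickyRadiusServer()
    ac = AccessController(server, clear_previous_connection)
    ac.authenticate(CLIENT)
    ac.logoff(CLIENT)
    return ac.authenticate(CLIENT)


if __name__ == "__main__":
    print("feature disabled:", reconnect_after_abnormal_offline(False))
    print("feature enabled: ", reconnect_after_abnormal_offline(True))
```

The model also makes the trade-off visible: the feature only helps while the device still holds a local entry for the client, and it adds a stop-accounting exchange to every such reconnect, which is why the IMPORTANT note above excludes it from working together with reauthentication and the Auth-Fail and critical VLAN features.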

Examples

# Enable the clear-previous-connection feature.

<Sysname> system-view

[Sysname] wlan client-security authentication clear-previous-connection
