14-User Access and Authentication Command Reference

H3C S9825 & S9855 Switch Series Command References-R932x-6W100
02-802.1X commands

802.1X commands

display dot1x

Use display dot1x to display information about 802.1X.

Syntax

display dot1x [ sessions | statistics ] [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

sessions: Displays 802.1X session information.

statistics: Displays 802.1X statistics.

interface interface-type interface-number: Specifies a port by its type and number.

Usage guidelines

If you do not specify the sessions keyword or the statistics keyword, this command displays all information about 802.1X, including session information, statistics, and settings.

If you do not specify the interface interface-type interface-number option, this command displays all global and port-specific 802.1X information.

Examples

# Display all information about 802.1X.

<Sysname> display dot1x

Global 802.1X parameters:

   802.1X authentication                      : Enabled

   M-LAG member configuration conflict        : Unknown

   EAP authentication                         : Enabled

   Max-tx period                              : 30 s

   Handshake period                           : 15 s

   Offline detect period                      : 300 s

   Quiet timer                                : Disabled

         Quiet period                         : 60 s

   Supp timeout                               : 30 s

   Server timeout                             : 100 s

   Reauth period                              : 3600 s

   Max auth requests                          : 2

   User aging period for Auth-Fail VLAN       : 1000 s

   User aging period for critical VLAN        : 1000 s

   User aging period for guest VLAN           : 1000 s

   EAD assistant function                     : Disabled

       URL                                    : http://www.dwsoft.com

       Free IP                                : 6.6.6.0         255.255.255.0

       EAD timeout                            : 30 min

   Domain delimiter                           : @

   Max EAP-TLS fragment (to-server)           : 400 bytes

 Online 802.1X wired users                    : 1

 

 HundredGigE1/0/1  is link-up

   802.1X authentication                : Enabled

   Handshake                            : Enabled

   Handshake reply                      : Disabled

   Handshake security                   : Disabled

   Offline detection                    : Disabled

   Unicast trigger                      : Disabled

   Periodic reauth                      : Enabled

       Reauth period                    : 80 s

   Port role                            : Authenticator

   Authorization mode                   : Auto

   Port access control                  : MAC-based

   Multicast trigger                    : Enabled

   Mandatory auth domain                : Not configured

   Guest VLAN                           : 3

   Auth-Fail VLAN                       : Not configured

   Critical VLAN                        : Not configured

   Critical voice VLAN                  : Disabled

   Add Guest VLAN delay                 : Disabled

   Re-auth server-unreachable           : Logoff

   Max online users                     : 4294967295

   User IP freezing                     : Disabled

   Send Packets Without Tag             : Disabled

   Max Attempts Fail Number             : 0

   User aging                           : Enabled

   Server-recovery online-user-sync     : Enabled

   Auth-Fail EAPOL                      : Disabled

   Critical EAPOL                       : Disabled

   Discard duplicate EAPOL-Start        : No

 

   EAPOL packets: Tx 3, Rx 3

   Sent EAP Request/Identity packets : 1

        EAP Request/Challenge packets: 1

        EAP Success packets: 1

        EAP Failure packets: 0

   Received EAPOL Start packets : 1

            EAPOL LogOff packets: 1

            EAP Response/Identity packets : 1

            EAP Response/Challenge packets: 1

            Error packets: 0

   Online 802.1X users: 1

          MAC address         Auth state

          0001-0000-0000      Authenticated

Table 1 Command output

Field

Description

Global 802.1X parameters

Global 802.1X configuration.

802.1X authentication

Whether 802.1X is enabled globally.

M-LAG member configuration conflict

M-LAG member configuration check result:

·     Conflicted—The configuration on one M-LAG member device conflicts with that on the other M-LAG member device.

·     Not conflicted—The configuration on one M-LAG member device does not conflict with that on the other M-LAG member device.

·     Unknown—The system cannot detect whether the configuration on one M-LAG member device conflicts with that on the other M-LAG member device.

CHAP authentication

Performs EAP termination and uses CHAP to communicate with the RADIUS server.

EAP authentication

Relays EAP packets and supports any of the EAP authentication methods to communicate with the RADIUS server.

PAP authentication

Performs EAP termination and uses PAP to communicate with the RADIUS server.

Max-tx period

Username request timeout timer in seconds.

Handshake period

Handshake timer in seconds.

Offline detect period

Offline detect timer in seconds.

Quiet timer

Status of the quiet timer, enabled or disabled.

This field is not supported in the current software version.

Quiet period

Quiet timer in seconds.

This field is not supported in the current software version.

Supp timeout

Client timeout timer in seconds.

Server timeout

Server timeout timer in seconds.

Reauth period

Periodic reauthentication timer in seconds.

This field is not supported in the current software version.

Max auth requests

Maximum number of attempts for sending an authentication request to a client.

This field is not supported in the current software version.

User aging period for Auth-Fail VLAN

Aging timer in seconds for users in Auth-Fail VLANs.

This field is not supported in the current software version.

User aging period for critical VLAN

Aging timer in seconds for users in critical VLANs.

This field is not supported in the current software version.

User aging period for guest VLAN

Aging timer in seconds for users in guest VLANs.

This field is not supported in the current software version.

EAD assistant function

Whether EAD assistant is enabled.

This field is not supported in the current software version.

URL

Redirect URL for unauthenticated users using a Web browser to access the network.

Free IP

Network segment accessible to unauthenticated users.

EAD timeout

EAD rule timer in minutes.

This field is not supported in the current software version.

Domain delimiter

Domain delimiters supported by the device.

This field is not supported in the current software version.

Max EAP-TLS fragment (to-server)

Maximum size of EAP-TLS fragments sent in authentication packets to the server.

If no maximum size is set, this field displays N/A.

This field is not supported in the current software version.

Online 802.1X wired users

Number of wired online 802.1X users, including users that have passed 802.1X authentication and users that are performing 802.1X authentication.

HundredGigE1/0/1 is link-up

Status of the port. In this example, HundredGigE 1/0/1 is up.

802.1X authentication

Whether 802.1X is enabled on the port.

Handshake

Whether the online user handshake feature is enabled on the port.

Handshake reply

Whether the online user handshake reply feature is enabled on the port.

Handshake security

Whether the online user handshake security feature is enabled on the port.

Offline detection

Status of 802.1X offline detection:

·     Enabled—This feature is enabled and effective.

·     Disabled—This feature is disabled.

·     Enabled(NOT effective)—This feature is enabled but it does not take effect. This state is displayed when the port access control mode is port-based.

Unicast trigger

Whether the 802.1X unicast trigger is enabled on the port.

This field is not supported in the current software version.

Periodic reauth

Whether 802.1X periodic reauthentication is enabled on the port.

This field is not supported in the current software version.

Reauth period

Periodic reauthentication timer on the port.

If no periodic reauthentication timer is configured on the port, this field displays N/A.

If 802.1X periodic reauthentication is not enabled on the port, this field is not available.

This field is not supported in the current software version.

Port role

Role of the port. The port functions only as an Authenticator.

Authorization mode

Authorization state of the port, which can be Force-Authorized, Auto, or Force-Unauthorized.

Port access control

Access control method of the port:

·     MAC-based—MAC-based access control.

·     Port-based—Port-based access control.

Multicast trigger

Whether the 802.1X multicast trigger feature is enabled.

This field is not supported in the current software version.

Mandatory auth domain

Mandatory authentication domain on the port.

This field is not supported in the current software version.

Guest VLAN

802.1X guest VLAN configured on the port.

If no 802.1X guest VLAN is configured on the port, this field displays Not configured.

This field is not supported in the current software version.

Auth-Fail VLAN

802.1X Auth-Fail VLAN configured on the port.

If no 802.1X Auth-Fail VLAN is configured on the port, this field displays Not configured.

This field is not supported in the current software version.

Critical VLAN

802.1X critical VLAN configured on the port.

If no 802.1X critical VLAN is configured on the port, this field displays Not configured.

This field is not supported in the current software version.

Critical voice VLAN

Whether the 802.1X critical voice VLAN feature is enabled on the port.

This field is not supported in the current software version.

Add Guest VLAN delay

Status and mode of the 802.1X guest VLAN assignment delay feature on a port:

·     EAPOL—EAPOL-triggered 802.1X guest VLAN assignment delay is enabled.

·     NewMac—New MAC-triggered 802.1X guest VLAN assignment delay is enabled.

·     ALL—Both EAPOL-triggered and new MAC-triggered 802.1X guest VLAN assignment delays are enabled.

·     Disabled—802.1X guest VLAN assignment delay is disabled.

This field is not supported in the current software version.

Re-auth server-unreachable

Whether to log off online 802.1X users or keep them online when no server is reachable for 802.1X reauthentication.

This field is not supported in the current software version.

Max online users

Maximum number of concurrent 802.1X users on the port.

User IP freezing

Whether user IP freezing is enabled on the port.

This field is not supported in the current software version.

Send Packets Without Tag

Whether to remove the VLAN tags of all 802.1X protocol packets sent out of the port to 802.1X clients.

This field is not supported in the current software version.

Max Attempts Fail Number

Maximum number of 802.1X authentication attempts for MAC authenticated users.

This field is not supported in the current software version.

User aging

Status of 802.1X unauthenticated user aging on a port:  

·     Enabled.

·     Disabled.

This field is not supported in the current software version.

Server-recovery online-user-sync

Status of 802.1X online user synchronization:

·     Enabled.

·     Disabled.

This field is not supported in the current software version.

Auth-Fail EAPOL

This field displays whether the device sends EAP-Success packets to 802.1X clients on their assignment to the 802.1X Auth-Fail VLAN on the port.

Options:

·     Enabled.

·     Disabled.

This field is not supported in the current software version.

Critical EAPOL

This field displays whether the device sends EAP-Success packets to 802.1X clients on their assignment to the 802.1X critical VLAN on the port.

Options:

·     Enabled.

·     Disabled.

This field is not supported in the current software version.

Discard duplicate EAPOL-Start

Whether the device discards duplicate EAPOL-Start requests on the port.

Options:

·     Yes—Discard.

·     No—Not discard.

This field is not supported in the current software version.

EAPOL packets

Number of sent (Tx) and received (Rx) EAPOL packets.

Sent EAP Request/Identity packets

Number of sent EAP-Request/Identity packets.

EAP Request/Challenge packets

Number of sent EAP-Request/MD5-Challenge packets.

EAP Success packets

Number of sent EAP-Success packets.

EAP Failure packets

Number of sent EAP-Failure packets.

Received EAPOL Start packets

Number of received EAPOL-Start packets.

EAPOL LogOff packets

Number of received EAPOL-LogOff packets.

EAP Response/Identity packets

Number of received EAP-Response/Identity packets.

EAP Response/Challenge packets

Number of received EAP-Response/MD5-Challenge packets.

Error packets

Number of received error packets.

Online 802.1X users

Number of online 802.1X users on the port, including users that have passed 802.1X authentication and users that are performing 802.1X authentication.

MAC address

MAC addresses of the online 802.1X users.

Auth state

Authentication status of the online 802.1X users.
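The per-port settings in this output are what an auditor checks first. The following Python is an added example, not part of the H3C reference: it parses the "key : value" lines of display dot1x into a global dict and one dict per port, then applies three rules the reference states (802.1X must be enabled globally and on the port, Force-Authorized admits users without authentication, offline detection shows Enabled(NOT effective) under port-based access control). The sample text is constructed from the format shown above.

```python
"""Audit the per-port blocks of `display dot1x` output.

Added example, not part of the H3C reference. The sample text is
constructed from the output format shown in the reference; the three
audit rules are the ones the reference states.
"""
import re

# Constructed sample: the global section plus two ports, with values
# chosen so that each audit rule has something to report.
SAMPLE = """\
Global 802.1X parameters:
   802.1X authentication                      : Enabled
   EAP authentication                         : Enabled
   Max-tx period                              : 30 s
 Online 802.1X wired users                    : 2

 HundredGigE1/0/1  is link-up
   802.1X authentication                : Enabled
   Offline detection                    : Enabled
   Authorization mode                   : Auto
   Port access control                  : MAC-based
   Max online users                     : 4294967295

 HundredGigE1/0/2  is link-up
   802.1X authentication                : Enabled
   Offline detection                    : Enabled(NOT effective)
   Authorization mode                   : Force-Authorized
   Port access control                  : Port-based
   Max online users                     : 4294967295
"""

PORT_HEADER = re.compile(r"^\s*(\S+)\s+is\s+(link-up|link-down)\s*$")
FIELD = re.compile(r"^\s*(.+?)\s*:\s*(.*?)\s*$")


def parse_dot1x(text):
    """Return (global_fields, {port: fields}).

    Lines before the first "<port> is link-up" header go to the global
    dict; each header starts a per-port dict. Only "key : value" lines
    with a non-empty value are kept, so section titles are ignored.
    """
    global_fields, ports = {}, {}
    current = global_fields
    for line in text.splitlines():
        m = PORT_HEADER.match(line)
        if m:
            current = ports.setdefault(m.group(1), {"link": m.group(2)})
            continue
        m = FIELD.match(line)
        if m and m.group(2):
            current[m.group(1)] = m.group(2)
    return global_fields, ports


def audit_dot1x(text):
    """Return [(port, finding), ...] for settings worth a second look."""
    global_fields, ports = parse_dot1x(text)
    global_on = global_fields.get("802.1X authentication") == "Enabled"
    findings = []
    for port, f in sorted(ports.items()):
        # 802.1X takes effect on a port only if enabled globally as well.
        if f.get("802.1X authentication") == "Enabled" and not global_on:
            findings.append((port, "802.1X enabled on port but not globally"))
        # Force-Authorized lets users on the port through unauthenticated.
        if f.get("Authorization mode") == "Force-Authorized":
            findings.append((port, "Force-Authorized: users pass without authentication"))
        # Offline detection needs MAC-based access control to work.
        if f.get("Offline detection", "").startswith("Enabled(NOT effective)"):
            findings.append((port, "offline detection not effective (port-based access control)"))
    return findings


if __name__ == "__main__":
    for port, finding in audit_dot1x(SAMPLE):
        print(f"{port}: {finding}")
```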

display dot1x connection

Use display dot1x connection to display information about online 802.1X users.

Syntax

display dot1x connection [ open ] [ [ m-lag [ local | peer ] ] interface interface-type interface-number | [ m-lag [ local | peer ] ] slot slot-number | user-mac mac-address | [ m-lag [ local | peer ] ] user-name name-string ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

open: Displays information only about 802.1X users that use nonexistent usernames or incorrect passwords for network access in open authentication mode. If you do not specify this keyword, the command displays information about all online 802.1X users.

m-lag [ local | peer ]: Specifies online 802.1X users on M-LAG interfaces. If you do not specify these keywords, the command does not distinguish between online 802.1X users on M-LAG interfaces and those on non-M-LAG interfaces. If you specify the m-lag keyword without the local or peer keyword, the command displays information about online 802.1X users on both the local and peer M-LAG member devices.

·     local: Displays information about online 802.1X users on the local M-LAG member device.

·     peer: Displays information about online 802.1X users on the peer M-LAG member device.

interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command displays online 802.1X user information for all ports.

slot slot-number: Specifies the slot number of the device, which is fixed at 1.

user-mac mac-address: Specifies an 802.1X user by MAC address. The mac-address argument represents the MAC address of the user, in the form of H-H-H. If you do not specify an 802.1X user, this command displays all online 802.1X user information.

user-name name-string: Specifies an 802.1X user by its name. The name-string argument represents the username, a case-sensitive string of 1 to 253 characters. If you do not specify an 802.1X user, this command displays all online 802.1X user information.

Examples

# Display information about all online 802.1X users.

<Sysname> display dot1x connection

Total connections: 2

 

Slot ID: 1

User MAC address: 0015-e9a6-7cfe

Access interface: HundredGigE1/0/1

Username: ias

User access state: Successful

Authentication domain: h3c

IPv4 address: 192.168.1.1

IPv6 address: 2000:0:0:0:1:2345:6789:abcd

Authentication method: CHAP

Initial VLAN: 1

Authorization untagged VLAN: 6

Authorization tagged VLAN list: 1 to 5 7 9 11 13 15 17 19 21 23 25 27 29 31 33 29 31 33

                                35 37 40 to 100

Authorization microsegment ID: N/A

Authorization ACL number/name: 3001

Authorization user profile: N/A

Authorization CAR:

  Average input rate: 102400

  Peak input rate: 204800

  Average output rate: 102400

  Peak output rate: 204800

Authorization URL: N/A

Termination action: Default

Session timeout period: 2 s

Online from: 2020/01/02  13:14:15

Online duration: 0h 2m 15s

 

User MAC address: 0015-e9a6-abcd

M-LAG NAS-IP type: Local

M-LAG user state: Active

Access interface: Bridge-Aggregation1

Username: luser

User access state: Successful

Authentication domain: aaa

IPv4 address: 192.168.1.1

IPv6 address: 2000:0:0:0:1:2345:6789:abcd

Authentication method: CHAP

Initial VLAN: 1

Authorization untagged VLAN: 6

Authorization tagged VLAN list: 1 to 5 7 9 11 13 15 17 19 21 23 25 27 29 31 33 29 31 33

                                35 37 40 to 100

Authorization VSI: N/A

Authorization microsegment ID: N/A

Authorization ACL number/name: 3001

Authorization user profile: N/A

Authorization CAR:

  Average input rate: 102400

  Peak input rate: 204800

  Average output rate: 102400

  Peak output rate: 204800

Authorization URL: N/A

Termination action: Default

Session timeout period: 2 s

Online from: 2020/12/02  13:14:15

Online duration: 0h 7m 15s

Table 2 Command output

Field

Description

Total connections

Number of online 802.1X users.

User MAC address

MAC address of the user.

M-LAG NAS-IP type

NAS-IP address type for the user if the user is authenticated on an M-LAG interface of the M-LAG system.

·     Local—Local NAS-IP address. The source IP address of outgoing RADIUS packets is an IP address on the local M-LAG member device.

·     Peer—Peer NAS-IP address. The source IP address of outgoing RADIUS packets is an IP address on the peer M-LAG member device.

M-LAG user state

Local state of the user on the M-LAG interface:

·     Active—The local M-LAG member device exchanges user authentication information with the AAA server.

·     Inactive—The peer M-LAG member device exchanges user authentication information with the AAA server.

Access interface

Interface through which the user accesses the device.

Username

Username of the user.

Anonymous username

Anonymous username of the user.

If no anonymous username is configured, this field displays N/A.

User access state

Access state of the user.

·     Successful—The user passes 802.1X authentication and comes online.

·     Open—The user uses a nonexistent username or an incorrect password to come online in open authentication mode.

Authentication domain

ISP domain used for 802.1X authentication.

IPv4 address

IPv4 address of the user.

If the device does not get the IPv4 address of the user, this field is not available.

IPv6 address

IPv6 address of the user.

If the device does not get the IPv6 address of the user, this field is not available.

Authentication method

EAP message handling method:

·     CHAP—Performs EAP termination and uses CHAP to communicate with the RADIUS server.

·     EAP—Relays EAP packets and supports any of the EAP authentication methods to communicate with the RADIUS server.

·     PAP—Performs EAP termination and uses PAP to communicate with the RADIUS server.

Initial VLAN

VLAN to which the user belongs before 802.1X authentication.

Authorization untagged VLAN

Untagged VLAN authorized to the user.

Authorization tagged VLAN list

Tagged VLANs authorized to the user.

Authorization ACL number/name

Number or name of the ACL authorized to the user.

If no authorization ACL has been assigned, this field displays N/A.

If the ACL authorization fails, this field displays (Not effective) next to the ACL.

Authorization user profile

User profile authorized to the user.

This field is not supported in the current software version.

Authorization CAR

Authorization CAR attributes assigned by the server.

·     Average input rate—Average rate of inbound traffic in bps.

·     Peak input rate—Peak rate of inbound traffic in bps.

·     Average output rate—Average rate of outbound traffic in bps.

·     Peak output rate—Peak rate of outbound traffic in bps.

If the device fails to assign the CAR attributes to the user, the Authorization CAR field displays (NOT effective).

If the server does not assign the peak rates, the peak rates by default are the same as the assigned average rates. In the current software version, the device does not support exclusive assignment of peak rates from the server.

If no authorization CAR attributes are assigned, this field displays N/A.

Authorization URL

Redirect URL authorized to the user.

Authorization IPv6 URL

Redirect IPv6 URL authorized to the user.

Termination action

Action attribute assigned by the server to terminate the user session:

·     Default—Logs off the online authenticated 802.1X user when the server-assigned session timeout timer expires. This attribute does not take effect when 802.1X periodic reauthentication is enabled and the periodic reauthentication timer is shorter than the server-assigned session timeout timer.

·     Radius-request—Reauthenticates the online user when the server-assigned session timeout timer expires, regardless of whether the 802.1X periodic reauthentication feature is enabled or not.

If the device performs local authentication, this field displays Default.

This field is not supported in the current software version.

Session timeout period

Session timeout timer assigned by the server.

Online from

Time from which the 802.1X user came online.

Online duration

Online duration of the 802.1X user.
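The record format above has two wrinkles a parser must handle: the wrapped "Authorization tagged VLAN list" continuation line and the nested "Authorization CAR" rates. The following Python is an added example, not part of the H3C reference: it splits display dot1x connection output into one record per user and flags the two conditions Table 2 describes as worth attention, a user whose access state is Open (online with a nonexistent username or wrong password in open authentication mode) and an authorization ACL marked (Not effective). The sample output is constructed from the format shown above.

```python
"""Parse `display dot1x connection` output and flag sessions to review.

Added example, not part of the H3C reference. The sample output is
constructed from the format shown in the reference.
"""
import re

SAMPLE = """\
Total connections: 2

Slot ID: 1
User MAC address: 0015-e9a6-7cfe
Access interface: HundredGigE1/0/1
Username: ias
User access state: Successful
Authentication domain: h3c
IPv4 address: 192.168.1.1
IPv6 address: 2000:0:0:0:1:2345:6789:abcd
Authentication method: CHAP
Authorization tagged VLAN list: 1 to 5 7 9 11 13 15 17 19 21 23 25 27 29 31 33
                                35 37 40 to 100
Authorization ACL number/name: 3001 (Not effective)
Authorization CAR:
  Average input rate: 102400
  Peak input rate: 204800
Online from: 2020/01/02  13:14:15
Online duration: 0h 2m 15s

User MAC address: 0015-e9a6-abcd
Access interface: Bridge-Aggregation1
Username: luser
User access state: Open
Authentication domain: aaa
Authentication method: CHAP
Authorization ACL number/name: N/A
Online duration: 0h 7m 15s
"""


def parse_connections(text):
    """Return one dict per user record.

    A record starts at "User MAC address:". An indented line without a
    colon continues the previous value (the wrapped VLAN list). Indented
    "key: value" lines are nested under the preceding key that had an
    empty value (the CAR block). Values keep their own colons (IPv6).
    """
    records, rec, last_key, nested = [], None, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("User MAC address:"):
            rec = {}
            records.append(rec)
        if rec is None:          # "Total connections" / "Slot ID" preamble
            continue
        key, sep, value = line.partition(":")
        indented = line[0].isspace()
        if not sep:              # wrapped continuation line
            rec[last_key] += " " + line.strip()
            continue
        key, value = key.strip(), value.strip()
        if indented and nested is not None:
            rec[nested][key] = value
        elif value == "":        # header of a nested block
            rec[key] = {}
            nested, last_key = key, key
        else:
            rec[key] = value
            nested, last_key = None, key
    return records


def review_connections(text):
    """Return (records, findings); each finding is (user MAC, reason)."""
    records = parse_connections(text)
    findings = []
    m = re.search(r"^Total connections:\s*(\d+)", text, re.M)
    if m and int(m.group(1)) != len(records):
        findings.append(("*", "record count differs from Total connections"))
    for rec in records:
        mac = rec.get("User MAC address", "?")
        if rec.get("User access state") == "Open":
            findings.append((mac, "online in open mode without valid credentials"))
        if "(Not effective)" in rec.get("Authorization ACL number/name", ""):
            findings.append((mac, "authorization ACL not effective"))
    return records, findings


if __name__ == "__main__":
    for mac, reason in review_connections(SAMPLE)[1]:
        print(f"{mac}: {reason}")
```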

 

dot1x

Use dot1x to enable 802.1X globally or on a port.

Use undo dot1x to disable 802.1X globally or on a port.

Syntax

dot1x

undo dot1x

Default

802.1X is neither enabled globally nor enabled for any port.

Views

System view

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

For the 802.1X feature to take effect on a port, you must enable the feature both globally and on the port.

Examples

# Enable 802.1X globally.

<Sysname> system-view

[Sysname] dot1x

# Enable 802.1X on HundredGigE 1/0/1.

[Sysname] interface hundredgige 1/0/1

[Sysname-HundredGigE1/0/1] dot1x

[Sysname-HundredGigE1/0/1] quit

Related commands

display dot1x

dot1x access-user log enable

Use dot1x access-user log enable to enable 802.1X user logging.

Use undo dot1x access-user log enable to disable 802.1X user logging.

Syntax

dot1x access-user log enable [ abnormal-logoff | failed-login | normal-logoff | successful-login ] *

undo dot1x access-user log enable [ abnormal-logoff | failed-login | normal-logoff | successful-login ] *

Default

802.1X user logging is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

abnormal-logoff: Logs exceptional logoffs of 802.1X users, such as logoffs caused by real-time accounting failures or reauthentication failures.

failed-login: Logs 802.1X user login failures.

normal-logoff: Logs logoffs requested by 802.1X users.

successful-login: Logs successful 802.1X user logins.

Usage guidelines

To prevent excessive 802.1X user log entries, use this feature only if you need to analyze abnormal 802.1X user logins or logouts.

If you do not specify any parameters, this command enables all types of 802.1X user logs.

Examples

# Enable logging 802.1X user login failures.

<Sysname> system-view

[Sysname] dot1x access-user log enable failed-login

Related commands

info-center source dot1x logfile deny (System Management Command Reference)

dot1x after-mac-auth max-attempt

Use dot1x after-mac-auth max-attempt to set the maximum number of 802.1X authentication attempts for MAC authenticated users on a port.

Use undo dot1x after-mac-auth max-attempt to restore the default.

Syntax

dot1x after-mac-auth max-attempt max-attempts

undo dot1x after-mac-auth max-attempt

Default

The number of 802.1X authentication attempts for MAC authenticated users is not limited on a port.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

max-attempts: Specifies a number in the range of 1 to 50.

Usage guidelines

The device denies 802.1X authentication requests of a MAC authenticated user after the maximum number of 802.1X authentication attempts has been made.

The device will recount the number of 802.1X authentication attempts made by a MAC authenticated user if a user logoff or device reboot event occurs.

On an M-LAG system, one M-LAG member device will recount the 802.1X authentication attempts made by a MAC authenticated user if the following conditions exist:

·     The M-LAG member device receives authentication requests from the user after the peer link has failed.

·     The user has made the maximum number of failed 802.1X authentication attempts on the other M-LAG member device.

Examples

# Configure HundredGigE 1/0/1 to allow a maximum of 10 802.1X authentication attempts made by a MAC authenticated user.

<Sysname> system-view

[Sysname] interface hundredgige 1/0/1

[Sysname-HundredGigE1/0/1] dot1x after-mac-auth max-attempt 10

Related commands

display dot1x

dot1x authentication-method

Use dot1x authentication-method to specify an EAP message handling method.

Use undo dot1x authentication-method to restore the default.

Syntax

dot1x authentication-method { chap | eap | pap }

undo dot1x authentication-method

Default

The access device performs EAP termination and uses CHAP to communicate with the RADIUS server.

Views

System view

Predefined user roles

network-admin

Parameters

chap: Configures the access device to perform Extensible Authentication Protocol (EAP) termination and use the Challenge Handshake Authentication Protocol (CHAP) to communicate with the RADIUS server.

eap: Configures the access device to relay EAP packets and support any of the EAP authentication methods to communicate with the RADIUS server.

pap: Configures the access device to perform EAP termination and use the Password Authentication Protocol (PAP) to communicate with the RADIUS server.

Usage guidelines

The access device terminates or relays EAP packets.

·     In EAP termination mode—The access device re-encapsulates and sends the authentication data from the client in standard RADIUS packets to the RADIUS server. The device performs either CHAP or PAP authentication with the RADIUS server. In this mode, the RADIUS server supports only MD5-Challenge EAP authentication and the username and password EAP authentication initiated by an iNode client.

○     PAP transports usernames and passwords in plain text. This method applies to scenarios that do not require high security. An iNode 802.1X client can be used for PAP.

○     CHAP transports usernames in plain text and passwords in encrypted form over the network. CHAP is more secure than PAP.

·     In EAP relay mode—The access device relays EAP messages between the client and the RADIUS server. The EAP relay mode supports multiple EAP authentication methods, such as MD5-Challenge, EAP-TLS, and PEAP. To use this mode, make sure the RADIUS server meets the following requirements:

○     Supports the EAP-Message and Message-Authenticator attributes.

○     Uses the same EAP authentication method as the client.

If this mode is used, the user-name-format command configured in RADIUS scheme view does not take effect. For more information about the user-name-format command, see "AAA commands."

If RADIUS authentication is used, you must configure the access device to use the same authentication method (PAP, CHAP, or EAP) as the RADIUS server.
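The following Python is an added example, not H3C code, showing what "EAP termination" means on the wire: the device re-encapsulates the client's credential into standard RADIUS attributes, as CHAP-Password plus CHAP-Challenge in CHAP mode or as User-Password in PAP mode. The password, CHAP identifier and challenge, shared secret and Request Authenticator are constructed values; the encodings follow RFC 2865 and RFC 1994, and RFC 3748 section 5.4 notes that EAP MD5-Challenge is the same MD5 computation as CHAP. It shows why the guidelines rank CHAP above PAP: the CHAP attributes carry only a hash the server recomputes, while the PAP User-Password is hidden by a reversible XOR chain that anyone holding the shared secret can undo.

```python
"""RADIUS credential attributes built by an access device in EAP
termination mode: CHAP (password hashed) versus PAP (password hidden
with a reversible XOR chain).

Added example, not H3C code. All input values are constructed.
"""
import hashlib

USER_PASSWORD = 2     # RFC 2865 section 5.2
CHAP_PASSWORD = 3     # RFC 2865 section 5.3
CHAP_CHALLENGE = 60   # RFC 2865 section 5.40


def avp(attr_type, value):
    """Encode one attribute-value pair as Type, Length, Value."""
    assert 1 <= len(value) <= 253
    return bytes([attr_type, len(value) + 2]) + value


def parse_avps(blob):
    """Split a run of attribute-value pairs back into {type: value}."""
    avps, i = {}, 0
    while i < len(blob):
        attr_type, length = blob[i], blob[i + 1]
        avps[attr_type] = blob[i + 2:i + length]
        i += length
    return avps


def chap_response(ident, password, challenge):
    """CHAP / EAP-MD5 response: MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_attributes(ident, password, challenge):
    """What the device sends for CHAP: the hash, never the password."""
    return (avp(CHAP_PASSWORD, bytes([ident]) + chap_response(ident, password, challenge))
            + avp(CHAP_CHALLENGE, challenge))


def server_verifies_chap(blob, stored_password):
    """Server side: recompute the hash from the password it holds."""
    avps = parse_avps(blob)
    ident, received = avps[CHAP_PASSWORD][0], avps[CHAP_PASSWORD][1:]
    return received == chap_response(ident, stored_password, avps[CHAP_CHALLENGE])


def hide_user_password(password, secret, request_authenticator):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret || previous block), seeded by the Request Authenticator."""
    assert 1 <= len(password) <= 128
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def unhide_user_password(hidden, secret, request_authenticator):
    """The inverse: the shared secret plus the Request Authenticator (sent
    in the clear in the Access-Request) recovers the plaintext password."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ m for c, m in zip(block, mask)), block
    return out.rstrip(b"\x00")


def pap_attributes(password, secret, request_authenticator):
    """What the device sends for PAP: the hidden (not hashed) password."""
    return avp(USER_PASSWORD, hide_user_password(password, secret, request_authenticator))
```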

Examples

# Enable the access device to terminate EAP packets and perform PAP authentication with the RADIUS server.

<Sysname> system-view

[Sysname] dot1x authentication-method pap

Related commands

display dot1x

dot1x handshake

Use dot1x handshake to enable the online user handshake feature.

Use undo dot1x handshake to disable the online user handshake feature.

Syntax

dot1x handshake

undo dot1x handshake

Default

The online user handshake feature is enabled.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

The online user handshake feature enables the device to periodically send EAP-Request/Identity packets to the client for verifying the connectivity status of online 802.1X users. The device sets a user to the offline state if it does not receive an EAP-Response/Identity packet from the user after making the maximum attempts within the handshake period. To set the handshake timer, use the dot1x timer handshake-period command. To set the maximum handshake attempts, use the dot1x retry command.

Examples

# Enable the online user handshake feature on HundredGigE 1/0/1.

<Sysname> system-view

[Sysname] interface hundredgige 1/0/1

[Sysname-HundredGigE1/0/1] dot1x handshake

Related commands

display dot1x

dot1x timer handshake-period

dot1x retry

dot1x handshake reply enable

Use dot1x handshake reply enable to enable the 802.1X online user handshake reply feature.

Use undo dot1x handshake reply enable to disable the 802.1X online user handshake reply feature.

Syntax

dot1x handshake reply enable

undo dot1x handshake reply enable

Default

The 802.1X online user handshake reply feature is disabled.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

This command enables the device to reply to 802.1X clients' EAP-Response/Identity packets with EAP-Success packets during the online handshake process.

Use this command only if 802.1X clients will go offline without receiving EAP-Success packets from the device.

Examples

# Enable the 802.1X online user handshake reply feature on HundredGigE 1/0/1.

<Sysname> system-view

[Sysname] interface hundredgige 1/0/1

[Sysname-HundredGigE1/0/1] dot1x handshake reply enable

Related commands

dot1x handshake

dot1x handshake secure

Use dot1x handshake secure to enable the online user handshake security feature.

Use undo dot1x handshake secure to disable the online user handshake security feature.

Syntax

dot1x handshake secure

undo dot1x handshake secure

Default

The online user handshake security feature is disabled.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

The online user handshake security feature is applicable only to networks that deploy the iNode client and IMC server for 802.1X authentication. It prevents users from using illegal client software to bypass the iNode security check.

To have this feature take effect, make sure the online user handshake feature is enabled.

Examples

# Enable the online user handshake security feature on HundredGigE 1/0/1.

<Sysname> system-view

[Sysname] interface hundredgige 1/0/1

[Sysname-HundredGigE1/0/1] dot1x handshake secure

Related commands

display dot1x

dot1x handshake

dot1x max-user

Use dot1x max-user to set the maximum number of concurrent 802.1X users on a port.

Use undo dot1x max-user to restore the default.

Syntax

dot1x max-user max-number

undo dot1x max-user

Default

A port allows a maximum of 4294967295 concurrent 802.1X users.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

max-number: Specifies the maximum number of concurrent 802.1X users on a port. The value range is 1 to 4294967295.

Usage guidelines

Set the maximum number of concurrent 802.1X users on a port to prevent the system resources from being overused. When the maximum number is reached, the port denies subsequent 802.1X users.

Examples

# Set the maximum number of concurrent 802.1X users to 32 on HundredGigE 1/0/1.

<Sysname> system-view

[Sysname] interface hundredgige 1/0/1

[Sysname-HundredGigE1/0/1] dot1x max-user 32

Related commands

display dot1x

dot1x offline-detect enable

Use dot1x offline-detect enable to enable 802.1X offline detection on a port.

Use undo dot1x offline-detect enable to disable 802.1X offline detection.

Syntax

dot1x offline-detect enable

undo dot1x offline-detect enable

Default

802.1X offline detection is disabled on a port.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

The 802.1X offline detection feature monitors the online status of 802.1X users. This feature uses an offline detect timer to set the interval that the device must wait for traffic from a user before the device determines that the user is idle. If the device has not received traffic from a user before the timer expires, the device logs off that user and requests the accounting server to stop accounting for the user.

To have 802.1X offline detection take effect, you must configure the port to perform MAC-based access control. If you change the port access mode to port-based, the 802.1X offline detection feature cannot take effect.

To set the offline detect timer, use the dot1x timer command.

Examples

# Disable 802.1X offline detection on HundredGigE 1/0/1.

<Sysname> system-view

[Sysname] interface hundredgige 1/0/1

[Sysname-HundredGigE1/0/1] undo dot1x offline-detect enable

Related commands

display dot1x

dot1x port-method

dot1x timer

dot1x port-control

Use dot1x port-control to set the authorization state for the port.

Use undo dot1x port-control to restore the default.

Syntax

dot1x port-control { authorized-force | auto | unauthorized-force }

undo dot1x port-control

Default

The default port authorization state is auto.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

authorized-force: Places the port in authorized state, enabling users on the port to access the network without authentication.

auto: Places the port initially in unauthorized state to allow only EAPOL packets to pass, and places the port in authorized state after a user passes authentication. You can use this option in most scenarios.

unauthorized-force: Places the port in unauthorized state, denying any access requests from users on the port.

Usage guidelines

You can use this command to set the port authorization state to determine whether a client is granted access to the network.

Examples

# Set the authorization state of HundredGigE 1/0/1 to unauthorized-force.

<Sysname> system-view

[Sysname] interface hundredgige 1/0/1

[Sysname-HundredGigE1/0/1] dot1x port-control unauthorized-force

Related commands

display dot1x

dot1x port-method

Use dot1x port-method to specify an access control method for the port.

Use undo dot1x port-method to restore the default.

Syntax

dot1x port-method { macbased | portbased }

undo dot1x port-method

Default

MAC-based access control applies.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

macbased: Uses MAC-based access control on the port to separately authenticate each user attempting to access the network. Using this method, when an authenticated user logs off, no other online users are affected.

portbased: Uses port-based access control on the port. Using this method, once an 802.1X user passes authentication on the port, any subsequent user can access the network through the port without authentication. When the authenticated user logs off, all other users are logged off.

Usage guidelines

CAUTION:

If online 802.1X users are present on a port, changing its access control method will cause the online users to go offline.

MAC-based access control provides higher security than port-based access control.
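To make the security difference between the two methods concrete, here is an added example (not H3C code) that models only the behaviour this page attributes to macbased and portbased access control: per-user authorization on the one hand, port-wide authorization with collective logoff on the other. The MAC addresses and the event sequence are constructed.

```python
"""Toy model of the two 802.1X access control methods on a port.

Added example; not H3C code. It models only what this page states about
"dot1x port-method macbased" (each user authenticated separately, one
user's logoff affects nobody else) and "dot1x port-method portbased"
(one successful user opens the port for everyone, and that user's logoff
logs everyone off). Nothing here reflects the switch implementation.
"""


class Dot1xPort:
    def __init__(self, method):
        if method not in ("macbased", "portbased"):
            raise ValueError("method must be macbased or portbased")
        self.method = method
        self.authenticated = set()  # MACs that passed 802.1X authentication
        self.opened_by = None       # portbased: the user whose success authorized the port

    def authenticate(self, mac):
        """A client completes 802.1X successfully."""
        if self.method == "portbased" and self.opened_by is None:
            self.opened_by = mac
        self.authenticated.add(mac)

    def logoff(self, mac):
        """An authenticated client logs off (or is logged off by the device)."""
        self.authenticated.discard(mac)
        if self.method == "portbased" and mac == self.opened_by:
            # Port-based: when the authenticated user logs off, all other
            # users on the port are logged off as well.
            self.opened_by = None
            self.authenticated.clear()

    def has_access(self, mac):
        """Whether frames from this MAC are forwarded (beyond EAPOL)."""
        if self.method == "macbased":
            return mac in self.authenticated
        return self.opened_by is not None


def replay(method, events, observed):
    """Replay (action, mac) events; after each one, record which of the
    observed MACs currently have network access."""
    port = Dot1xPort(method)
    timeline = []
    for action, mac in events:
        if action == "auth":
            port.authenticate(mac)
        elif action == "logoff":
            port.logoff(mac)
        else:
            raise ValueError(f"unknown action {action}")
        timeline.append(frozenset(m for m in observed if port.has_access(m)))
    return timeline


# Constructed scenario: one user authenticates and later logs off; a second
# station on the same port never authenticates at all.
AUTH_USER = "0001-0001-0001"
UNAUTH_USER = "0002-0002-0002"
EVENTS = [("auth", AUTH_USER), ("logoff", AUTH_USER)]

if __name__ == "__main__":
    for method in ("macbased", "portbased"):
        steps = replay(method, EVENTS, [AUTH_USER, UNAUTH_USER])
        print(method, [sorted(s) for s in steps])
```

Under macbased only the authenticated station ever passes traffic; under portbased the unauthenticated station passes as soon as the first user succeeds and is cut off together with that user, which is why the page rates MAC-based control as the more secure choice.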

Examples

# Configure HundredGigE 1/0/1 to implement port-based access control.

<Sysname> system-view

[Sysname] interface hundredgige 1/0/1

[Sysname-HundredGigE1/0/1] dot1x port-method portbased

Related commands

display dot1x

dot1x timer

Use dot1x timer to set an 802.1X timer.

Use undo dot1x timer to restore the default of an 802.1X timer.

Syntax

dot1x timer { handshake-period handshake-period-value | offline-detect offline-detect-value | server-timeout server-timeout-value | supp-timeout supp-timeout-value | tx-period tx-period-value }

undo dot1x timer { handshake-period | offline-detect | server-timeout | supp-timeout | tx-period }

Default

The following 802.1X timers apply:

·     Handshake timer: 15 seconds.

·     Offline detect timer: 300 seconds.

·     Server timeout timer: 100 seconds.

·     Client timeout timer: 30 seconds.

·     Username request timeout timer: 30 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

handshake-period handshake-period-value: Sets the handshake timer in seconds. The value range for the handshake-period-value argument is 5 to 1024.

offline-detect offline-detect-value: Sets the offline detect timer in seconds. The value range for the offline-detect-value argument is 60 to 2147483647.

server-timeout server-timeout-value: Sets the server timeout timer in seconds. The value range for the server-timeout-value argument is 100 to 300.

supp-timeout supp-timeout-value: Sets the client timeout timer in seconds. The value range for the supp-timeout-value argument is 1 to 120.

tx-period tx-period-value: Sets the username request timeout timer in seconds. The value range for the tx-period-value argument is 1 to 120.

Usage guidelines

In most cases, the default settings are sufficient. You can edit the timers, depending on the network conditions.

·     In a low-speed network, increase the client timeout timer.

·     In a network with authentication servers of different performance, adjust the server timeout timer.

The network device uses the following 802.1X timers:

·     Handshake timer (handshake-period)—Sets the interval at which the access device sends client handshake requests to check the online status of a client that has passed authentication. If the device does not receive a response after sending the maximum number of handshake requests, it considers that the client has logged off.

·     Offline detect timer (offline-detect)—Sets the interval that the device must wait for traffic from a user before the device determines that the user is idle. If the device has not received traffic from a user before the timer expires, the device logs off that user and requests the accounting server to stop accounting for the user. This timer takes effect only when the 802.1X offline detection feature is enabled.

·     Server timeout timer (server-timeout)—Starts when the access device sends a RADIUS Access-Request packet to the authentication server. If no response is received when this timer expires, the 802.1X authentication fails.

To avoid forced logoff before the server timeout timer expires, set the server timeout timer to a value that is lower than or equal to the product of the following values:

      -     The maximum number of RADIUS packet transmission attempts set by using the retry command in RADIUS scheme view.

      -     The RADIUS server response timeout timer set by using the timer response-timeout command in RADIUS scheme view.

For information about setting the maximum number of RADIUS packet transmission attempts and the RADIUS server response timeout timer, see AAA configuration in User Access and Authentication Configuration Guide.

·     Client timeout timer (supp-timeout)—Starts when the access device sends an EAP-Request/MD5-Challenge packet to a client. If no response is received when this timer expires, the access device retransmits the request to the client.

·     Username request timeout timer (tx-period)—Starts when the device sends an EAP-Request/Identity packet to a client in response to an authentication request. If the device does not receive a response before this timer expires, it retransmits the request. The timer also sets the interval at which the network device sends multicast EAP-Request/Identity packets to detect clients that cannot actively request authentication.

Timer changes take effect immediately on the device.

For the device to take action on 802.1X users as expected, do not set the offline detect timer to the same value as the handshake timer (set by using the dot1x timer handshake-period command).
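The constraints in these guidelines (each timer's permitted range, server-timeout no greater than retry times response-timeout of the RADIUS scheme, and offline-detect not equal to handshake-period) are easy to get wrong when the values live in different views. The following added example (not H3C code) audits a saved configuration for them. It assumes the command syntax shown on this page for dot1x timer, and the RADIUS scheme view commands retry and timer response-timeout that the page names, with scheme-view lines indented by one space as Comware displays them; the RADIUS scheme defaults and both configuration fragments are constructed for the demo.

```python
"""Audit dot1x timer settings against the constraints in this command's
usage guidelines. Added example, not H3C code."""
import re

# Default value and permitted range of each dot1x timer, taken from the
# Default and Parameters sections of this page.
DOT1X_TIMERS = {
    "handshake-period": (15, 5, 1024),
    "offline-detect": (300, 60, 2147483647),
    "server-timeout": (100, 100, 300),
    "supp-timeout": (30, 1, 120),
    "tx-period": (30, 1, 120),
}

# ASSUMED defaults for the RADIUS scheme view (retry count, response timeout
# in seconds); they are not stated on this page, so verify them against the
# AAA command reference before relying on this audit.
RADIUS_DEFAULTS = {"retry": 3, "response-timeout": 3}

DOT1X_TIMER_RE = re.compile(r"^dot1x timer (\S+) (\d+)$")
SCHEME_RE = re.compile(r"^radius scheme (\S+)$")
RETRY_RE = re.compile(r"^\s+retry (\d+)$")
RESP_RE = re.compile(r"^\s+timer response-timeout (\d+)$")


def parse_config(text):
    """Return (dot1x timers, {scheme: {retry, response-timeout}})."""
    timers = {name: spec[0] for name, spec in DOT1X_TIMERS.items()}
    schemes = {}
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line.startswith(" "):
            current = None  # any unindented line ends the scheme view
        if not line or line.startswith("#"):
            continue
        m = DOT1X_TIMER_RE.match(line)
        if m and m.group(1) in DOT1X_TIMERS:
            timers[m.group(1)] = int(m.group(2))
            continue
        m = SCHEME_RE.match(line)
        if m:
            current = m.group(1)
            schemes[current] = dict(RADIUS_DEFAULTS)
            continue
        if current is None:
            continue
        m = RETRY_RE.match(line)
        if m:
            schemes[current]["retry"] = int(m.group(1))
            continue
        m = RESP_RE.match(line)
        if m:
            schemes[current]["response-timeout"] = int(m.group(1))
    return timers, schemes


def check_timers(timers, schemes):
    """Apply the three constraints from the usage guidelines; return findings."""
    findings = []
    for name, (_, low, high) in DOT1X_TIMERS.items():
        if not low <= timers[name] <= high:
            findings.append(f"{name} {timers[name]} is outside the range {low}-{high}")
    if timers["offline-detect"] == timers["handshake-period"]:
        findings.append("offline-detect equals handshake-period; "
                        "the device may not act on users as expected")
    for scheme, r in schemes.items():
        budget = r["retry"] * r["response-timeout"]
        if timers["server-timeout"] > budget:
            findings.append(f"server-timeout {timers['server-timeout']} exceeds "
                            f"retry x response-timeout ({r['retry']} x "
                            f"{r['response-timeout']} = {budget}) for RADIUS scheme {scheme}")
    return findings


def audit(text):
    return check_timers(*parse_config(text))


# Constructed configuration fragments (not captured from a device).
BAD_CONFIG = """\
#
dot1x timer handshake-period 60
dot1x timer offline-detect 60
dot1x timer server-timeout 150
#
radius scheme corp
 retry 2
 timer response-timeout 30
#
"""

GOOD_CONFIG = """\
#
dot1x timer offline-detect 600
dot1x timer server-timeout 150
#
radius scheme corp
 retry 5
 timer response-timeout 30
#
"""

if __name__ == "__main__":
    for label, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(label, audit(cfg) or ["no findings"])
```

The bad fragment produces two findings (offline-detect equal to handshake-period, and a 150-second server-timeout against a RADIUS budget of 2 x 30 = 60 seconds); the good fragment produces none.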

Examples

# Set the server timeout timer to 150 seconds.

<Sysname> system-view

[Sysname] dot1x timer server-timeout 150

Related commands

display dot1x

retry

timer response-timeout (RADIUS scheme view)

reset dot1x access-user

Use reset dot1x access-user to log off 802.1X users.

Syntax

reset dot1x access-user [ interface interface-type interface-number | mac mac-address | username username | vlan vlan-id ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies a port by its type and number.

mac mac-address: Specifies an 802.1X user by its MAC address. The mac-address argument is in the format of H-H-H.

username username: Specifies an 802.1X user by its name. The username argument is a case-sensitive string of 1 to 253 characters.

vlan vlan-id: Specifies a VLAN by its VLAN ID. The value range for the vlan-id argument is 1 to 4094.

Usage guidelines

Use this command to log off the specified 802.1X users and clear information about these users from the device. These users must perform 802.1X authentication to come online again.

With a VLAN specified, this command logs off the following 802.1X users:

·     Users that have passed 802.1X authentication and have been assigned the specified VLAN as the authorization VLAN by the server.

·     Users that stay in the specified VLAN after they have passed 802.1X authentication, because they have not been assigned an authorization VLAN yet.

·     Users that are performing 802.1X authentication in the specified VLAN.

To identify the VLAN in which a user is staying, use the display mac-address command.

If you do not specify any parameters, the reset dot1x access-user command logs off all 802.1X users on the device.

Examples

# Log off all 802.1X users on HundredGigE 1/0/1.

<Sysname> reset dot1x access-user interface hundredgige 1/0/1

Related commands

display dot1x connection

reset dot1x statistics

Use reset dot1x statistics to clear 802.1X statistics.

Syntax

reset dot1x statistics [ interface interface-type interface-number ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command clears 802.1X statistics on all ports.

Examples

# Clear 802.1X statistics on HundredGigE 1/0/1.

<Sysname> reset dot1x statistics interface hundredgige 1/0/1

Related commands

display dot1x
