H3C WX3000 Series Unified Switches Switching Engine Command Reference-6W103

15-802.1x and System Guard Command

802.1x Configuration Commands


display dot1x

Syntax

display dot1x [ sessions | statistics ] [ interface interface-list ]

View

Any view

Parameters

sessions: Displays the information about 802.1x sessions.

statistics: Displays the statistics on 802.1x.

interface: Displays the 802.1x-related information about the specified ports.

interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.

Description

Use the display dot1x command to display 802.1x-related information, such as configuration information, operation information (session information), and statistics.

When the interface-list argument is not provided, this command displays all the 802.1x-related information of the device. The output can be used to verify 802.1x-related configurations and to troubleshoot.

Related commands: reset dot1x statistics, dot1x, dot1x retry, dot1x max-user, dot1x port-control, dot1x port-method, and dot1x timer.

Examples

# Display 802.1x-related information.

<device> display dot1x

Global 802.1X protocol is enabled

 CHAP authentication is enabled

 DHCP-launch is disabled

 Handshake is enabled     

 Proxy trap checker is disabled

 Proxy logoff checker is disabled

 EAD Quick Deploy is enabled

 

 Configuration: Transmit Period     30 s,  Handshake Period       15 s

                ReAuth Period     3600 s,  ReAuth MaxTimes        2  

                Quiet Period        60 s,  Quiet Period Timer is disabled

                Supp Timeout        30 s,  Server Timeout         100 s

                Interval between version requests is 30s

                Maximal request times for version information is 3

                The maximal retransmitting times          2

  EAD Quick Deploy configuration:

                 url               http://192.168.19.23

                 free-ip           192.168.19.0 255.255.255.0

                  acl-timeout       30m

 

 Total maximum 802.1x user resource number is 1024

 Total current used 802.1x resource number is 1

 

 GigabitEthernet1/0/1  is link-down

   802.1X protocol is disabled

   Proxy trap checker is disabled

   Proxy logoff checker is disabled

   Version-Check is disabled

   The port is an authenticator

   Authentication Mode is Auto

   Port Control Type is Mac-based

   ReAuthenticate is disabled

   Max number of on-line users is 256

 

   Authentication Success: 0, Failed: 0

   EAPOL Packets: Tx 0, Rx 0

   Sent EAP Request/Identity Packets : 0

        EAP Request/Challenge Packets: 0

   Received EAPOL Start Packets : 0

            EAPOL LogOff Packets: 0

            EAP Response/Identity Packets : 0

            EAP Response/Challenge Packets: 0

            Error Packets: 0

 

   Controlled User(s) amount to 0

 

 GigabitEthernet1/0/2  is link-down

   802.1X protocol is disabled

   Proxy trap checker is disabled

   Proxy logoff checker is disabled

   Version-Check is disabled

 

   The port is an authenticator

   Authentication Mode is Auto

   Port Control Type is Mac-based

   ReAuthenticate is disabled

   Max number of on-line users is 256

 

   Authentication Success: 0, Failed: 0

   EAPOL Packets: Tx 0, Rx 0

   Sent EAP Request/Identity Packets : 0

        EAP Request/Challenge Packets: 0

   Received EAPOL Start Packets : 0

            EAPOL LogOff Packets: 0

            EAP Response/Identity Packets : 0

            EAP Response/Challenge Packets: 0

            Error Packets: 0

 

   Controlled User(s) amount to 0

 

 GigabitEthernet1/0/3 

……

Table 1-1 display dot1x command output description (each entry gives the output field, then its description)

Global 802.1X protocol is enabled: Whether 802.1x is enabled on the device globally.

CHAP authentication is enabled: The 802.1x authentication method in use, which can be CHAP, EAP, or PAP.

DHCP-launch is disabled: Whether DHCP-triggered 802.1x authentication is enabled. Possible values are enabled and disabled. Enabled means that the device performs 802.1x authentication for a user when the user requests an IP address through DHCP.

Proxy trap checker is disabled: Whether the device sends Trap packets when it detects that a supplicant system logs in through a proxy.

• Disabled means the device does not send Trap packets when it detects that a supplicant system logs in through a proxy.

• Enabled means the device sends Trap packets when it detects that a supplicant system logs in through a proxy.

Proxy logoff checker is disabled: Whether the device disconnects a supplicant system when it detects that the supplicant system logs in through a proxy.

• Disabled means the device does not disconnect a supplicant system when it detects that the latter logs in through a proxy.

• Enabled means the device disconnects a supplicant system when it detects that the latter logs in through a proxy.

EAD Quick Deploy is enabled: Whether quick EAD deployment is enabled.

Transmit Period: Setting of the transmission period timer (tx-period).

Handshake Period: Setting of the handshake period timer (handshake-period).

ReAuth Period: Re-authentication interval.

ReAuth MaxTimes: Maximum number of re-authentications.

Quiet Period: Setting of the quiet period timer (quiet-period).

Quiet Period Timer is disabled: Whether the quiet period timer is enabled.

Supp Timeout: Setting of the supplicant timeout timer (supp-timeout).

Server Timeout: Setting of the server timeout timer (server-timeout).

The maximal retransmitting times: The maximum number of times that the device sends authentication request packets to a supplicant system.

free-ip: Free IP range that users can access before passing authentication.

acl-timeout: ACL timeout period.

url: URL for HTTP redirection.

Total maximum 802.1x user resource number: The maximum number of 802.1x users that the device can accommodate.

Total current used 802.1x resource number: The number of online supplicant systems.

GigabitEthernet1/0/1 is link-down: Port GigabitEthernet 1/0/1 is down.

802.1X protocol is disabled: Whether 802.1x is enabled on the port.

Proxy trap checker is disabled: Whether the device sends Trap packets when it detects that a supplicant system on this port logs in through a proxy (Disabled and Enabled have the same meaning as for the global field above).

Proxy logoff checker is disabled: Whether the device disconnects a supplicant system on this port when it detects that the supplicant system logs in through a proxy (Disabled and Enabled have the same meaning as for the global field above).

Version-Check is disabled: Whether the client version checking function is enabled.

• Disabled means the device does not check the client version.

• Enabled means the device checks the client version.

The port is an authenticator: The port acts as an authenticator system.

Authentication Mode is Auto: The port authorization mode, which can be auto, authorized-force, or unauthorized-force. For a description of the three modes, refer to the parameter description of the dot1x port-control command.

Port Control Type is Mac-based: The access control method of the port, which can be:

• MAC-based: Controls user access based on MAC address.

• Port-based: Controls user access based on the port.

ReAuthenticate is disabled: Whether 802.1x re-authentication is enabled.

Max number of on-line users: The maximum number of online users that the port can accommodate.

……: Information omitted here.
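As an added, defender-side illustration of how the fields in Table 1-1 can be consumed, the following Python script (not part of this reference and not H3C software) parses display dot1x output and flags ports whose settings weaken the authenticator role: 802.1x disabled on an active port, an authorization mode other than auto, port-based control, re-authentication off, or an on-line user limit above a policy value. The sample text is constructed after the layout shown above. The reference only shows the Auto mode and Mac-based control in this output, so the spellings assumed for the other values (Authorized-force, Port-based) are assumptions, and the checks compare on the leading keyword case-insensitively; the default limit of 8 on-line users is also an assumption.

```python
"""Audit the text printed by `display dot1x` on an H3C WX3000 switching engine.
Added example, not H3C code.  SAMPLE_OUTPUT is constructed after the documented
layout; the spellings "Authorized-force" and "Port-based" and the on-line user
limit used by audit() are assumptions."""
import re
from dataclasses import dataclass

# Constructed sample (three ports) in the documented display dot1x layout.
SAMPLE_OUTPUT = """\
Global 802.1X protocol is enabled
 CHAP authentication is enabled

 GigabitEthernet1/0/1  is link-up
   802.1X protocol is enabled
   Authentication Mode is Auto
   Port Control Type is Mac-based
   ReAuthenticate is enabled
   Max number of on-line users is 256

 GigabitEthernet1/0/2  is link-up
   802.1X protocol is disabled
   Authentication Mode is Auto
   Port Control Type is Mac-based
   ReAuthenticate is disabled
   Max number of on-line users is 256

 GigabitEthernet1/0/3  is link-up
   802.1X protocol is enabled
   Authentication Mode is Authorized-force
   Port Control Type is Port-based
   ReAuthenticate is disabled
   Max number of on-line users is 256
"""

PORT_RE = re.compile(r"^\s*(\S+)\s+is\s+link-(up|down)\s*$")
FIELDS = {  # PortState attribute -> (regex for the per-port line, converter)
    "dot1x_enabled": (re.compile(r"802\.1X protocol is (enabled|disabled)"), lambda s: s == "enabled"),
    "auth_mode": (re.compile(r"Authentication Mode is (\S+)"), str),
    "control_type": (re.compile(r"Port Control Type is (\S+)"), str),
    "reauth": (re.compile(r"ReAuthenticate is (enabled|disabled)"), lambda s: s == "enabled"),
    "max_users": (re.compile(r"Max number of on-line users is (\d+)"), int),
}


@dataclass
class PortState:
    name: str
    link_up: bool
    dot1x_enabled: bool = False
    auth_mode: str = ""
    control_type: str = ""
    reauth: bool = False
    max_users: int = 0


def parse_display_dot1x(text):
    """Return (global_802_1x_enabled, [PortState, ...]) parsed from the output."""
    global_enabled = "Global 802.1X protocol is enabled" in text
    ports, current = [], None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:                              # "<port>  is link-up/down" opens a port block
            current = PortState(name=m.group(1), link_up=(m.group(2) == "up"))
            ports.append(current)
            continue
        if current is None:                # still in the global header
            continue
        for attr, (rx, conv) in FIELDS.items():
            m = rx.search(line)
            if m:
                setattr(current, attr, conv(m.group(1)))
    return global_enabled, ports


def audit(text, max_users_limit=8):
    """Return (port, reason) pairs for settings weaker than the assumed policy."""
    global_enabled, ports = parse_display_dot1x(text)
    findings = []
    if not global_enabled:
        findings.append(("global", "802.1x is disabled globally; port settings have no effect"))
    for p in ports:
        if not p.link_up:                  # assumption: down ports are reviewed separately
            continue
        if not p.dot1x_enabled:
            findings.append((p.name, "802.1x is disabled on an active port"))
            continue
        if p.auth_mode.lower() != "auto":
            findings.append((p.name, f"authorization mode {p.auth_mode} is not auto"))
        if p.control_type.lower().startswith("port"):
            findings.append((p.name, "port-based control: one authenticated user opens the port to all hosts"))
        if not p.reauth:
            findings.append((p.name, "re-authentication is disabled"))
        if p.max_users > max_users_limit:
            findings.append((p.name, f"max on-line users {p.max_users} exceeds limit {max_users_limit}"))
    return findings
```

Running audit(SAMPLE_OUTPUT) yields six findings: one for GigabitEthernet1/0/1 (user limit), one for GigabitEthernet1/0/2 (802.1x disabled) and four for GigabitEthernet1/0/3. The per-port block is recognised by the "is link-up/link-down" line, so the parser is unaffected by the global header lines and by fields it does not know.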

 

dot1x

Syntax

dot1x [ interface interface-list ]

undo dot1x [ interface interface-list ]

View

System view, Ethernet port view

Parameters

interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.

Description

Use the dot1x command to enable 802.1x globally or for specified Ethernet ports.

Use the undo dot1x command to disable 802.1x globally or for specified Ethernet ports.

By default, 802.1x is disabled globally and also on all ports.

In system view:

• If you do not provide the interface-list argument, the dot1x command enables 802.1x globally.

• If you specify the interface-list argument, the dot1x command enables 802.1x for the specified Ethernet ports.

In Ethernet port view, the interface-list argument is not available and the command enables 802.1x for only the current Ethernet port.

You can perform 802.1x-related configurations (globally or on specified ports) before or after 802.1x is enabled. If you do not previously perform other 802.1x-related configurations when enabling 802.1x globally, the device adopts the default 802.1x settings.

802.1x-related configurations take effect on a port only after 802.1x is enabled both globally and on the port.

 

• Configuration of 802.1x and configuration of the maximum number of MAC addresses that can be learned are mutually exclusive on a port. That is, when 802.1x is enabled on a port, you cannot also configure the maximum number of MAC addresses to be learned on it; conversely, if you configure the maximum number of MAC addresses that can be learned on a port, 802.1x is unavailable on it.

• If you enable 802.1x on a port, the port cannot be added to an aggregation group. Conversely, if a port has been added to an aggregation group, 802.1x cannot be enabled on it.

 

Related commands: display dot1x.

Examples

# Enable 802.1x for GigabitEthernet1/0/1 port.

<device> system-view

System View: return to User View with Ctrl+Z.

[device] dot1x interface GigabitEthernet 1/0/1

# Enable 802.1x globally.

<device> system-view

System View: return to User View with Ctrl+Z.

[device] dot1x

dot1x authentication-method

Syntax

dot1x authentication-method { chap | pap | eap }

undo dot1x authentication-method

View

System view

Parameters

chap: Authenticates using challenge handshake authentication protocol (CHAP).

pap: Authenticates using password authentication protocol (PAP).

eap: Authenticates using extensible authentication protocol (EAP).

Description

Use the dot1x authentication-method command to set the 802.1x authentication method.

Use the undo dot1x authentication-method command to revert to the default 802.1x authentication method.

The default 802.1x authentication method is CHAP.

PAP applies a two-way handshaking procedure. In this method, passwords are transmitted in plain text.

CHAP applies a three-way handshaking procedure. In this method, user names are transmitted rather than passwords, so this method is safer.

In EAP authentication, the device authenticates supplicant systems by encapsulating 802.1x authentication information in EAP packets and sending the packets to the RADIUS server, instead of converting the packets into RADIUS packets before forwarding to the RADIUS server. You can use EAP authentication in one of the four sub-methods: PEAP, EAP-TLS, EAP-TTLS and EAP-MD5.

Related commands: display dot1x.

 

When the current device operates as the authentication server, EAP authentication is unavailable.

 

Examples

# Specify the authentication method to be PAP.

<device> system-view

System View: return to User View with Ctrl+Z.

[device] dot1x authentication-method pap

dot1x dhcp-launch

Syntax

dot1x dhcp-launch

undo dot1x dhcp-launch

View

System view

Parameters

None

Description

Use the dot1x dhcp-launch command to configure the device to launch 802.1x authentication of a supplicant system once the supplicant system applies for a dynamic IP address through DHCP.

Use the undo dot1x dhcp-launch command to disable the 802.1x-enabled device from authenticating a supplicant system when the supplicant system applies for a dynamic IP address through DHCP.

By default, the device does not launch an 802.1x authentication for a supplicant system when the supplicant system applies for a dynamic IP address through DHCP.

Related commands: display dot1x.

Examples

# Configure to authenticate a supplicant system when it applies for a dynamic IP address through DHCP.

<device> system-view

System View: return to User View with Ctrl+Z.

[device] dot1x dhcp-launch

dot1x guest-vlan

Syntax

dot1x guest-vlan vlan-id [ interface interface-list ]

undo dot1x guest-vlan [ interface interface-list ]

View

System view, Ethernet port view

Parameters

vlan-id: VLAN ID of a Guest VLAN, in the range 1 to 4094.

interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.

Description

Use the dot1x guest-vlan command to enable the Guest VLAN function for ports.

Use the undo dot1x guest-vlan command to disable the Guest VLAN function for ports.

In system view,

• If you do not provide the interface-list argument, these two commands apply to all the ports of the device.

• If you specify the interface-list argument, these two commands apply to the specified ports.

In Ethernet port view, the interface-list argument is not available and these two commands apply to only the current Ethernet port.

 

• The Guest VLAN function is available only when the device operates in the port-based authentication mode.

• Only one Guest VLAN can be configured on one device.

• The Guest VLAN function is unavailable when the dot1x dhcp-launch command is executed on the device, because the device does not send authentication request packets in this case.

 

Examples

# Configure the device to operate in the port-based access control mode.

<device> system-view

System View: return to User View with Ctrl+Z.

[device] dot1x port-method portbased

# Enable the Guest VLAN function for all the ports.

[device] dot1x guest-vlan 1

dot1x handshake

Syntax

dot1x handshake enable

undo dot1x handshake enable

View

System view

Parameters

None

Description

Use the dot1x handshake enable command to enable the online user handshaking function.

Use the undo dot1x handshake enable command to disable the online user handshaking function.

By default, the online user handshaking function is enabled.

 

• To enable the proxy detecting function, you need to enable the online user handshaking function first.

• Handshaking packets are used to test whether a user is online. Users need to run a client that supports the handshaking function in order to respond to the handshaking packets.

• If a user runs a client that does not support the online user handshaking function, the device cannot receive handshaking acknowledgement packets from the client within the handshaking periods. To prevent the user from being falsely considered offline, you need to disable the online user handshaking function in this case.

 

Examples

# Enable the online user handshaking function.

<device> system-view

System View: return to User View with Ctrl+Z.

[device] dot1x handshake enable

dot1x handshake secure

Syntax

dot1x handshake secure

undo dot1x handshake secure

View

Ethernet port view

Parameters

None

Description

Use the dot1x handshake secure command to enable the handshaking packet secure function, which protects the device against attacks that simulate clients.

Use the undo dot1x handshake secure command to disable the handshaking packet secure function.

By default, the handshaking packet secure function is disabled.

 

 

For the handshaking packet secure function to take effect, the clients on which the function is enabled must cooperate with the authentication server. If either the clients or the authentication server does not support the function, you need to disable the handshaking packet secure function.

 

Examples

# Enable the handshaking packet secure function.

<device> system-view

System View: return to User View with Ctrl+Z.

[device] interface GigabitEthernet 1/0/1

[device-GigabitEthernet1/0/1] dot1x handshake secure

dot1x max-user

Syntax

dot1x max-user user-number [ interface interface-list ]

undo dot1x max-user [ interface interface-list ]

View

System view, Ethernet port view

Parameters

user-number: Maximum number of users a port can accommodate, in the range 1 to 256.

interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.

Description

Use the dot1x max-user command to set the maximum number of users an Ethernet port can accommodate.

Use the undo dot1x max-user command to revert to the default maximum user number.

By default, a port can accommodate up to 256 users.

In system view:

• If you do not provide the interface-list argument, these two commands apply to all the ports of the device.

• If you specify the interface-list argument, these two commands apply to the specified ports.

In Ethernet port view, the interface-list argument is not available and the commands apply to only the current port.

Related commands: display dot1x.

Examples

# Configure the maximum number of users that GigabitEthernet 1/0/1 port can accommodate to be 32.

<device> system-view

System View: return to User View with Ctrl+Z.

[device] dot1x max-user 32 interface GigabitEthernet 1/0/1

dot1x port-control

Syntax

dot1x port-control { auto | authorized-force | unauthorized-force } [ interface interface-list ]

undo dot1x port-control [ interface interface-list ]

View

System view, Ethernet port view

Parameters

auto: Specifies to operate in auto authorization mode. When a port operates in this mode, it is in the unauthorized state initially. In this case, only EAPoL packets can be exchanged between the device and the hosts, which are not allowed to access the network before they pass the authentication. After the hosts pass the authentication, the port changes to the authorized state and allows the hosts to access the network resources. Normally, a port operates in this mode.

authorized-force: Specifies to operate in the authorized-force authorization mode. When a port operates in this mode, the port is always in authorized state, so that all the hosts connected to it can access the network resources without being authenticated.

unauthorized-force: Specifies to operate in the unauthorized-force authorization mode. When a port operates in this mode, the port is always in the unauthorized state, so the hosts connected to it cannot access the network resources.

interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.

Description

Use the dot1x port-control command to specify the 802.1x authorization mode for the specified ports.

Use the undo dot1x port-control command to revert to the default port authorization mode.

The default port authorization mode is auto.

In system view:

• If you do not provide the interface-list argument, these two commands apply to all the ports of the device.

• If you specify the interface-list argument, these commands apply to the specified ports.

In Ethernet port view, the interface-list argument is not available and the commands apply to only the current Ethernet port.

Related commands: display dot1x.

Examples

# Specify GigabitEthernet 1/0/1 port to operate in unauthorized-force mode.

<device> system-view

System View: return to User View with Ctrl+Z.

[device] dot1x port-control unauthorized-force interface GigabitEthernet 1/0/1

dot1x port-method

Syntax

dot1x port-method { macbased | portbased } [ interface interface-list ]

undo dot1x port-method [ interface interface-list ]

View

System view, Ethernet port view

Parameters

macbased: Performs MAC address-based access control for users.

portbased: Performs port-based access control for users.

interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.

Description

Use the dot1x port-method command to specify the 802.1x access control method on the specified ports.

Use the undo dot1x port-method command to restore the default access control method.

By default, the access control method is macbased.

This command specifies the way in which the specified ports control the access of users.

• When a port works in the MAC-based control mode, all users connected to the port are authenticated separately, and if one user logs off, the others are not affected.

• When a port works in the port-based control mode, once one user connected to the port passes authentication, all the other users connected to the port can access the network without being authenticated. When that user logs off, the network becomes inaccessible to all the other users as well.

• Changing the access control method on a port with the dot1x port-method command forcibly logs off the online 802.1x users on the port.

In system view:

• If you do not provide the interface-list argument, these two commands apply to all the ports of the device.

• If you specify the interface-list argument, these commands apply to the specified ports.

In Ethernet port view, the interface-list argument is not available and the commands apply to only the current Ethernet port.

Related commands: display dot1x.

Examples

# Specify the access control method for users on GigabitEthernet1/0/1 as port-based.

<device> system-view

System View: return to User View with Ctrl+Z.

[device] dot1x port-method portbased interface GigabitEthernet 1/0/1
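To make the difference between the two access control methods concrete, here is an added Python model (not H3C code; the class Dot1xPort and its method names are invented for illustration) of how a port admits hosts under macbased and portbased control. It also applies the per-port user limit from dot1x max-user (default 256, range 1 to 256) and the forced logoff of all online users that a method change causes, as described above.

```python
"""Model of the 802.1x access control methods (dot1x port-method) with the
per-port user limit (dot1x max-user) and the forced logoff on a method change.
Added example, not H3C code: Dot1xPort and its methods are invented names that
mirror the behaviour documented in this reference."""


class Dot1xPort:
    """Tracks which MAC addresses may pass a port under macbased or portbased control."""

    METHODS = ("macbased", "portbased")

    def __init__(self, method="macbased", max_user=256):
        # Defaults follow the reference: macbased control, up to 256 users.
        if method not in self.METHODS:
            raise ValueError("method must be macbased or portbased")
        if not 1 <= max_user <= 256:        # documented range of user-number
            raise ValueError("max_user must be in 1..256")
        self.method = method
        self.max_user = max_user
        self.online = []                    # MACs that have passed authentication

    def authenticate(self, mac):
        """Admit mac as an authenticated user; return False if the port is full."""
        if mac in self.online:
            return True
        if len(self.online) >= self.max_user:
            return False
        self.online.append(mac)
        return True

    def logoff(self, mac):
        """Remove mac from the online set (no effect if it was never admitted)."""
        if mac in self.online:
            self.online.remove(mac)

    def set_method(self, method):
        """Switch the control method; every online user is forcibly logged off."""
        if method not in self.METHODS:
            raise ValueError("method must be macbased or portbased")
        self.method = method
        self.online.clear()

    def allowed(self, mac):
        """Whether non-EAPOL traffic from mac is forwarded through the port."""
        if self.method == "macbased":
            return mac in self.online       # each host judged on its own authentication
        return bool(self.online)            # portbased: one authenticated host opens the port for all
```

The portbased branch of allowed() is the security-relevant line: any host sharing the port rides on the first successful authentication, which is why the reference pairs this mode with the Guest VLAN restriction and why the audit of display dot1x output should single out Port-based ports.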

dot1x quiet-period

Syntax

dot1x quiet-period

undo dot1x quiet-period

View

System view

Parameters

None

Description

Use the dot1x quiet-period command to enable the quiet-period timer.

Use the undo dot1x quiet-period command to disable the quiet-period timer.

When a user fails to pass the authentication, the authenticator system will stay quiet for a period (determined by the quiet-period timer) before it performs another authentication. During the quiet period, the authenticator system performs no 802.1x authentication of the user.

By default, the quiet-period timer is disabled.

Related commands: display dot1x, dot1x timer.

Examples

# Enable the quiet-period timer.

<device> system-view

System View: return to User View with Ctrl+Z.

[device] dot1x quiet-period

dot1x retry

Syntax

dot1x retry max-retry-value

undo dot1x retry

View

System view

Parameters

max-retry-value: Maximum number of times that the device sends authentication request packets to a user. This argument ranges from 1 to 10.

Description

Use the dot1x retry command to specify the maximum number of times that the device sends authentication request packets to a user.

Use the undo dot1x retry command to revert to the default value.

By default, the device sends authentication request packets to a user for up to 2 times.

After the device sends an authentication request packet to a user, it sends another authentication request packet if it does not receive response from the user after a specific period of time. If the device still receives no response when the configured maximum number of authentication request transmission attempts is reached, it no longer sends an authentication request packet to the user. This command applies to all ports.

Related commands: display dot1x.

Examples

# Specify the maximum number of times that the device sends authentication request packets to be 9.

<device> system-view

System View: return to User View with Ctrl+Z.

[device] dot1x retry 9

dot1x retry-version-max

Syntax

dot1x retry-version-max max-retry-version-value

undo dot1x retry-version-max

View

System view

Parameters

max-retry-version-value: Maximum number of times that the device sends version request packets to a user. This argument ranges from 1 to 10.

Description

Use the dot1x retry-version-max command to set the maximum number of times that the device sends version request packets to a user.

Use the undo dot1x retry-version-max command to revert to the default value.

By default, the device sends version request packets to a user for up to 3 times.

After the device sends a version request packet to a user, it sends another version request packet if it does not receive a response from the user within a specific period of time (as determined by the client version request timer). When the number set by this command has been reached and there is still no response from the user, the device continues with the following authentication procedures without sending further version requests. This command applies to all the ports with the version checking function enabled.

Related commands: display dot1x, dot1x timer.

Examples

# Configure the maximum number of times that the device sends version request packets to be 6.

<device> system-view

System View: return to User View with Ctrl+Z.

[device] dot1x retry-version-max 6

dot1x re-authenticate

Syntax

dot1x re-authenticate [ interface interface-list ]

undo dot1x re-authenticate [ interface interface-list ]

View

System view, Ethernet port view

Parameters

interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.

Description

Use the dot1x re-authenticate command to enable 802.1x re-authentication on specific ports or on all ports of the device.

Use the undo dot1x re-authenticate command to disable 802.1x re-authentication on specific ports or on all ports of the device.

By default, 802.1x re-authentication is disabled on all ports.

In system view:

• If you do not specify the interface-list argument, this command enables 802.1x re-authentication on all ports.

• If you specify the interface-list argument, this command enables 802.1x re-authentication on the specified ports.

In Ethernet port view, the interface-list argument is not available and 802.1x re-authentication is enabled on the current port only.

 

802.1x must be enabled globally and on the current port before 802.1x re-authentication can be configured on a port.

 

Examples

# Enable 802.1x re-authentication on port GigabitEthernet 1/0/1.

<device> system-view

System View: return to User View with Ctrl+Z.

[device] dot1x

 802.1X is enabled globally.

[device] interface GigabitEthernet 1/0/1

[device-GigabitEthernet1/0/1] dot1x

 802.1X is enabled on port GigabitEthernet1/0/1 already.

[device-GigabitEthernet1/0/1] dot1x re-authenticate

 Re-authentication is enabled on port GigabitEthernet1/0/1

dot1x supp-proxy-check

Syntax

dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]

undo dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]

View

System view, Ethernet port view

Parameters

logoff: Disconnects a user when the device detects that the user logs in through a proxy or through multiple network adapters.

trap: Sends Trap packets when the device detects that a user logs in through a proxy or through multiple network adapters.

interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.

Description

Use the dot1x supp-proxy-check command to enable 802.1x proxy checking for specified ports.

Use the undo dot1x supp-proxy-check command to disable 802.1x proxy checking for specified ports.

By default, 802.1x proxy checking is disabled on all Ethernet ports.

In system view:

• If you do not specify the interface-list argument, the configurations performed by these two commands are global.

• If you specify the interface-list argument, these two commands apply to the specified Ethernet ports.

In Ethernet port view, the interface-list argument is not available and the commands apply to only the current Ethernet port.

The proxy checking function takes effect on a port only when the function is enabled both globally and on the port.

802.1x proxy checking checks for:

• Users logging in through proxies

• Users logging in through IE proxies

• Users logging in through multiple network adapters (that is, the user has more than one active network adapter when it attempts to log in)

The device can take one of the following actions in response to any of the above three cases:

• Disconnect the user without sending Trap packets, by using the dot1x supp-proxy-check logoff command.

• Send Trap packets without disconnecting the user, by using the dot1x supp-proxy-check trap command.

This function needs the cooperation of 802.1x clients and the CAMS server:

• Multiple network adapter checking, proxy checking, and IE proxy checking are enabled on the 802.1x client.

• The CAMS server is configured to disable the use of multiple network adapters, proxies, and IE proxy.

By default, proxy checking is disabled on the 802.1x client. In this case, if you configure the CAMS server to disable the use of multiple network adapters, proxies, and IE proxy, the server sends messages to the 802.1x client after the user passes authentication, asking the client to disable the use of multiple network adapters, proxies, and IE proxy.

 

• The 802.1x proxy checking function needs the cooperation of an 802.1x client program.

• The proxy checking function takes effect only after the client version checking function is enabled on the device (using the dot1x version-check command).

 

Related commands: display dot1x.

Examples

# Configure to disconnect the users connected to GigabitEthernet 1/0/1 through GigabitEthernet 1/0/8 ports if they are detected logging in through proxies.

<device> system-view

System View: return to User View with Ctrl+Z.

[device] dot1x supp-proxy-check logoff

[device] dot1x supp-proxy-check logoff interface GigabitEthernet 1/0/1 to GigabitEthernet 1/0/8

# Configure the device to send Trap packets if the users connected to GigabitEthernet 1/0/9 port is detected logging in through proxies.

[device] dot1x supp-proxy-check trap

[device] dot1x supp-proxy-check trap interface GigabitEthernet 1/0/9

dot1x timer

Syntax

dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | server-timeout server-timeout-value | supp-timeout supp-timeout-value | tx-period tx-period-value | ver-period ver-period-value }

undo dot1x timer { handshake-period | quiet-period | server-timeout | supp-timeout | tx-period | ver-period }

View

System view

Parameters

handshake-period handshake-period-value: Sets the handshake timer. This timer sets the handshake period and is started after a supplicant system passes the authentication. It sets the interval at which the device sends handshake request packets to online users. If you set the number of retries to N by using the dot1x retry command, an online user is considered offline when the device receives no response packets from it within N times the handshake period.

The handshake-period-value argument ranges from 5 to 1,024 (in seconds). By default, the handshake timer is set to 15 seconds.

quiet-period quiet-period-value: Sets the quiet-period timer. This timer sets the quiet-period. When a supplicant system fails to pass the authentication, the device quiets for the set period (set by the quiet-period timer) before it processes another authentication request re-initiated by the supplicant system. During this quiet period, the device does not perform any 802.1x authentication-related actions for the supplicant system.

The quiet-period-value argument ranges from 10 to 120 (in seconds). By default, the quiet-period timer is set to 60 seconds.

server-timeout server-timeout-value: Sets the RADIUS server timer. This timer sets the server-timeout period. After sending an authentication request packet to the RADIUS server, the device sends another authentication request packet if it does not receive the response from the RADIUS server when this timer times out.

The server-timeout-value argument ranges from 100 to 300 (in seconds). By default, the RADIUS server timer is set to 100 seconds.

supp-timeout supp-timeout-value: Sets the supplicant system timer. This timer sets the supp-timeout period and is started by the device after it sends a request/challenge packet to a supplicant system (the packet requests the MD5-hashed challenge response from the supplicant system). The device sends another request/challenge packet to the supplicant system if it does not receive the response from the supplicant system when this timer times out.

The supp-timeout-value argument ranges from 10 to 120 (in seconds). By default, the supplicant system timer is set to 30 seconds.

tx-period tx-period-value: Sets the transmission timer. This timer sets the tx-period and is started in two cases. The first case is when the client requests authentication: the device sends a unicast request/identity packet to the supplicant system and then starts the transmission timer, and sends another request/identity packet to the supplicant system if it does not receive a reply from the supplicant system when this timer times out. The second case is when the device authenticates an 802.1x client that cannot initiate authentication itself: the device sends multicast request/identity packets periodically through the port enabled with the 802.1x function, and this timer sets the interval between those multicast request/identity packets.

The tx-period-value argument ranges from 10 to 120 (in seconds). By default, the transmission timer is set to 30 seconds.

ver-period ver-period-value: Sets the client version request timer. This timer sets the version period and is started after the device sends a version request packet. The device sends another version request packet if it does not receive a version response packet from the supplicant system when the timer expires.

The ver-period-value argument ranges from 1 to 30 (in seconds). By default, the client version request timer is set to 30 seconds.

Description

Use the dot1x timer command to set a specified 802.1x timer.

Use the undo dot1x timer command to restore a specified 802.1x timer to the default setting.

During an 802.1x authentication process, multiple timers are started to ensure that the supplicant systems, the authenticator systems, and the authentication servers interact with each other in an orderly way. To have authentications processed as desired, you can use the dot1x timer command to set the timers as needed. This may be necessary in some special situations or in tough network environments. Normally, the defaults are recommended. (Note that some timers cannot be adjusted.)

Related commands: display dot1x.

Examples

# Set the RADIUS server timer to 150 seconds.

<device> system-view

System View: return to User View with Ctrl+Z.

[device] dot1x timer server-timeout 150
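The handshake and quiet-period behaviour described above, as an added example (not H3C code): a model of when the device would mark a silent user offline, given the handshake period and the retry count from dot1x retry, and which re-authentication requests fall inside the quiet period after a failure. The exact second-by-second behaviour of the device is an assumption of this model.

```python
# Added example, not device code: a model of two 802.1x authenticator timers.
# Assumptions: the handshake timer starts at authentication success (t = 0),
# a user is offline once no response has been seen for retry * handshake_period
# seconds, and all times are in seconds.

def detect_offline(response_times, observed_until, handshake_period=15, retry=2):
    """Return the time at which the device marks the user offline, or None
    if the supplicant answered often enough up to observed_until.

    handshake_period: dot1x timer handshake-period (default 15 s)
    retry:            dot1x retry (number of handshake retries, N)
    """
    budget = retry * handshake_period          # N times the handshake period
    last = 0                                    # last response seen (auth success)
    for t in sorted(response_times):
        if t - last > budget:                   # a gap longer than the budget
            return last + budget                # -> offline at the end of the budget
        last = t
    if observed_until - last > budget:          # silence after the final response
        return last + budget
    return None


def attempts_ignored_in_quiet_period(fail_time, attempts, quiet_period=60):
    """Authentication requests the device ignores for a supplicant after a
    failed authentication (dot1x timer quiet-period, default 60 s)."""
    return [t for t in attempts if fail_time < t < fail_time + quiet_period]


if __name__ == "__main__":
    # Constructed sample: responses at 14 s and 29 s, then silence.
    print(detect_offline([14, 29], observed_until=120))        # 59
    print(attempts_ignored_in_quiet_period(100, [110, 150, 160]))  # [110, 150]
```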

dot1x timer reauth-period

Syntax

dot1x timer reauth-period reauth-period-value

undo dot1x timer reauth-period

View

System view

Parameters

reauth-period reauth-period-value: Specifies the re-authentication interval, in seconds. After this timer expires, the device initiates 802.1x re-authentication. The value of the reauth-period-value argument ranges from 60 to 7,200.

Description

Use the dot1x timer reauth-period command to configure the interval for 802.1x re-authentication.

Use the undo dot1x timer reauth-period command to restore the default 802.1x re-authentication interval.

By default, the 802.1x re-authentication interval is 3,600 seconds.

Examples

# Set the 802.1x re-authentication interval to 150 seconds.

<device> system-view

System View: return to User View with Ctrl+Z.

[device] dot1x timer reauth-period 150

dot1x version-check

Syntax

dot1x version-check [ interface interface-list ]

undo dot1x version-check [ interface interface-list ]

View

System view, Ethernet port view

Parameters

interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.

Description

Use the dot1x version-check command to enable 802.1x client version checking for specified Ethernet ports.

Use the undo dot1x version-check command to disable 802.1x client version checking for specified Ethernet ports.

By default, 802.1x client version checking is disabled on all the Ethernet ports.

In system view:

l          If you do not provide the interface-list argument, these two commands apply to all the ports of the device.

l          If you specify the interface-list argument, these commands apply to the specified ports.

In Ethernet port view, the interface-list argument is not available and the commands apply to only the current Ethernet port.

Examples

# Configure GigabitEthernet 1/0/1 port to check the version of the 802.1x client upon receiving authentication packets.

<device> system-view

System View: return to User View with Ctrl+Z.

[device] interface GigabitEthernet 1/0/1

[device-GigabitEthernet1/0/1] dot1x version-check

reset dot1x statistics

Syntax

reset dot1x statistics [ interface interface-list ]

View

User view

Parameters

interface-list: Ethernet port list, in the form of interface-list= { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, in which interface-type specifies the type of an Ethernet port and interface-number is the number of the port. The string “&<1-10>” means that up to 10 port lists can be provided.

Description

Use the reset dot1x statistics command to clear 802.1x-related statistics.

To retrieve the latest 802.1x-related statistics, you can use this command to clear the existing 802.1x-related statistics first.

When you execute this command:

l          If the interface-list argument is not specified, this command clears the global 802.1x statistics and the 802.1x statistics on all the ports.

l          If the interface-list argument is specified, this command clears the 802.1x statistics on the specified ports.

Related commands: display dot1x.

Examples

# Clear 802.1x statistics on GigabitEthernet 1/0/1 port.

<device> reset dot1x statistics interface GigabitEthernet 1/0/1

 


Quick EAD Deployment Configuration Commands

dot1x free-ip

Syntax

dot1x free-ip ip-address { mask-address | mask-length }

undo dot1x free-ip [ ip-address { mask-address | mask-length } ]

View

System view

Parameters

ip-address: Free IP address, in dotted decimal notation.

mask-address: Subnet mask of the free IP address, in dotted decimal notation.

mask-length: Length of the subnet mask of the free IP address, in the range 0 to 32.

Description

Use the dot1x free-ip command to configure a free IP range. A free IP range is an IP range that users can access before passing 802.1x authentication.

Use the undo dot1x free-ip command to remove a specified free IP range or all free IP ranges.

By default, no free IP range is configured.

 

l          You must configure the URL for HTTP redirection before configuring a free IP range.

l          A device supports up to two free IP ranges.

 

Examples

# Configure a free IP range for users to access before passing authentication.

<device> system-view

System View: return to User View with Ctrl+Z.

[device] dot1x free-ip 192.168.19.23 24

dot1x timer acl-timeout

Syntax

dot1x timer acl-timeout acl-timeout-value

undo dot1x timer acl-timeout

View

System view

Parameters

acl-timeout-value: ACL timeout period (in minutes), in the range of 1 to 1440.

Description

Use the dot1x timer acl-timeout command to configure the ACL timeout period.

Use the undo dot1x timer acl-timeout command to restore the default.

By default, the ACL timeout period is 30 minutes.

Related commands: dot1x configuration commands.

Examples

# Set the ACL timeout period to 40 minutes.

<device> system-view

System View: return to User View with Ctrl+Z.

[device] dot1x timer acl-timeout 40

dot1x url

Syntax

dot1x url url-string

undo dot1x url

View

System view

Parameters

url-string: URL for HTTP redirection, in the format of http://x.x.x.x.

Description

Use the dot1x url command to configure the URL for HTTP redirection.

Use the undo dot1x url command to remove the configuration.

By default, no URL is configured for HTTP redirection.

Related commands: dot1x configuration commands.

Examples

# Configure the URL for HTTP redirection.

<device> system-view

System View: return to User View with Ctrl+Z.

[device] dot1x url http://192.168.19.23
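The pre-authentication access rules implied by dot1x url and dot1x free-ip above, as an added example (not H3C code): a model that enforces the ordering constraint (URL before free IP range), the limit of two free IP ranges, and the decision for traffic from an unauthenticated user. The treatment of non-HTTP traffic outside the free ranges as dropped is an assumption of this model.

```python
# Added example, not device code: a model of the Quick EAD Deployment
# pre-authentication policy built from "dot1x url" and "dot1x free-ip".
import ipaddress


class QuickEadPolicy:
    MAX_FREE_RANGES = 2          # the reference allows up to two free IP ranges

    def __init__(self):
        self.url = None          # URL for HTTP redirection
        self.free_ranges = []    # networks reachable before authentication

    def set_url(self, url):
        """dot1x url url-string: must be of the form http://x.x.x.x."""
        if not url.startswith("http://"):
            raise ValueError("URL must be in the format http://x.x.x.x")
        self.url = url

    def add_free_ip(self, ip, mask):
        """dot1x free-ip ip-address { mask-address | mask-length }."""
        if self.url is None:     # the URL must be configured first
            raise RuntimeError("configure dot1x url before dot1x free-ip")
        if len(self.free_ranges) >= self.MAX_FREE_RANGES:
            raise RuntimeError("a device supports up to two free IP ranges")
        # mask may be dotted (255.255.255.0) or a length (24); strict=False
        # turns a host address such as 192.168.19.23/24 into 192.168.19.0/24.
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        self.free_ranges.append(net)
        return net

    def decide(self, dst_ip, dst_port, authenticated):
        """Forwarding decision for one packet from a user (assumed model)."""
        if authenticated:
            return "forward"
        if any(ipaddress.ip_address(dst_ip) in n for n in self.free_ranges):
            return "forward"     # free IP range is reachable before auth
        if dst_port == 80:
            return f"redirect {self.url}"   # HTTP is redirected to the URL
        return "drop"            # assumption: everything else is blocked


if __name__ == "__main__":
    p = QuickEadPolicy()
    p.set_url("http://192.168.19.23")                # values from the examples
    print(p.add_free_ip("192.168.19.23", 24))         # 192.168.19.0/24
    print(p.decide("10.0.0.1", 80, authenticated=False))
```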

 


System-Guard Configuration Commands

System-Guard Configuration Commands

display system-guard attack-record

Syntax

display system-guard attack-record

View

Any view

Parameters

None

Description

Use the display system-guard attack-record command to display the record of detected attacks.

Examples

# Display the record of detected attacks.

<device> display system-guard attack-record

 Not found attack   

display system-guard state

Syntax

display system-guard state

View

Any view

Parameters

None

Description

Use the display system-guard state command to display the state of the system-guard feature.

Related commands: system-guard enable, system-guard detect-threshold, and system-guard timer-interval.

Examples

# Display the state of the system-guard feature.

<device> display system-guard state

 System-guard Status: Enabled

 Detect Threshold: 201

 Isolated Time: 20

 Attack Number: 0   

Table 3-1 display system-guard state command output description

Field                  Description
System-guard Status    Whether the system-guard feature is enabled or disabled
Detect Threshold       Threshold on the number of packets above which an attack is detected
Isolated Time          Length of the isolation period (in minutes) after an attack is detected
Attack Number          Number of attacks detected

 

system-guard detect-threshold

Syntax

system-guard detect-threshold threshold-value

undo system-guard detect-threshold

View

System view

Parameters

threshold-value: Number of inbound packets of the same type above which an attack is considered detected, in the range of 200 to 1,000.

Description

Use the system-guard detect-threshold command to set the threshold for the number of packets when an attack is detected. When the number of inbound packets of the same type exceeds the threshold, one attack is detected and recorded.

Use the undo system-guard detect-threshold command to restore the threshold to the default value.

By default, the threshold is 200.

Related commands: display system-guard state.

Examples

# Set the threshold for the number of packets when an attack is detected to 300.

<device> system-view

System View: return to User View with Ctrl+Z.

[device] system-guard detect-threshold 300

system-guard enable

Syntax

system-guard enable

undo system-guard enable

View

System view

Parameters

None

Description

Use the system-guard enable command to enable the system-guard feature.

Use the undo system-guard enable command to disable the system-guard feature.

By default, the system-guard feature is disabled.

Related commands: display system-guard state.

Examples

# Enable the system-guard feature.

<device> system-view

System View: return to User View with Ctrl+Z.

[device] system-guard enable

 System-guard is enabled

system-guard timer-interval

Syntax

system-guard timer-interval isolate-timer

undo system-guard timer-interval

View

System view

Parameters

isolate-timer: Length of the isolation after an attack is detected, in minutes, in the range of 1 to 10,000.

Description

Use the system-guard timer-interval command to set the length of the isolation after an attack is detected.

Use the undo system-guard timer-interval command to restore the length of the isolation to the default value.

By default, the length of the isolation after an attack is detected is 10 minutes.

Related commands: display system-guard state.

Examples

# Set the length of the isolation after an attack is detected to 20 minutes.

<device> system-view

System View: return to User View with Ctrl+Z.

[device] system-guard timer-interval 20
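The system-guard behaviour described by system-guard detect-threshold and system-guard timer-interval above, as an added example (not H3C code): a model that counts inbound packets per type, records an attack when a type's count exceeds the threshold, isolates that type for the configured number of minutes, and reports the same fields as display system-guard state. The counting window and the reset of the counter on isolation are assumptions of this model.

```python
# Added example, not device code: a model of the system-guard feature.
# Assumptions: packets are counted per type with no time window, the counter
# of a type resets when its isolation starts, and packets of an isolated type
# are dropped until the isolation period (in minutes) has elapsed.
from collections import defaultdict


class SystemGuard:
    def __init__(self, detect_threshold=200, isolate_minutes=10, enabled=True):
        self.threshold = detect_threshold    # system-guard detect-threshold
        self.isolate = isolate_minutes       # system-guard timer-interval
        self.enabled = enabled               # system-guard enable
        self.counts = defaultdict(int)       # packet type -> inbound count
        self.isolated_until = {}             # packet type -> minute isolation ends
        self.attack_record = []              # (minute, packet type, count)

    def inbound(self, minute, pkt_type):
        """Process one inbound packet; return 'forward' or 'drop'."""
        if not self.enabled:
            return "forward"
        until = self.isolated_until.get(pkt_type)
        if until is not None:
            if minute < until:
                return "drop"                # still isolated
            del self.isolated_until[pkt_type]  # isolation expired
        self.counts[pkt_type] += 1
        if self.counts[pkt_type] > self.threshold:
            # one attack is detected and recorded; isolate this packet type
            self.attack_record.append((minute, pkt_type, self.counts[pkt_type]))
            self.isolated_until[pkt_type] = minute + self.isolate
            self.counts[pkt_type] = 0
            return "drop"
        return "forward"

    def state(self):
        """The fields shown by display system-guard state."""
        return {"System-guard Status": "Enabled" if self.enabled else "Disabled",
                "Detect Threshold": self.threshold,
                "Isolated Time": self.isolate,
                "Attack Number": len(self.attack_record)}


if __name__ == "__main__":
    g = SystemGuard(detect_threshold=300, isolate_minutes=20)   # values from the examples
    results = [g.inbound(0, "arp") for _ in range(301)]          # constructed burst
    print(results.count("drop"), g.state())                      # 1 {...'Attack Number': 1}
```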

 
