Command Reference

S1720, S2700, S5700, and S6720 V200R011C10

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
NAC Configuration Commands (Unified Mode)

Command Support

The S2750EI, S5700-10P-LI-AC, and S5700-10P-PWR-LI-AC support external Portal authentication only when Layer 3 hardware forwarding of IPv4 packets is enabled. To configure Layer 3 hardware forwarding of IPv4 packets, see Configuring Layer 3 Hardware Forwarding of IPv4 Packets.

access-context profile enable

Function

The access-context profile enable command enables the user context identification function.

The undo access-context profile enable command disables the user context identification function.

By default, the user context identification function is disabled.

Format

access-context profile enable

undo access-context profile enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

User context refers to association information of a user, such as the user name, user VLAN, and access interface.

To simplify the authentication server configuration, the administrator can add the users with the same network access rights to the same user context profile based on the user context, and configure the network access rights for the users based on the user context profile. When a user goes online after the user context identification function is enabled, the device can identify the user context information and add the user to the corresponding context profile based on the identification result.
  • If the user is authenticated successfully, the authentication server can assign the network access rights mapping the user context profile to the user based on the user context reported by the device.
  • If the user fails to be authenticated, the device assigns the user the network access rights in each phase before authentication success, which are bound to the context profile in the user authentication event authorization policy.

For example, on some enterprise networks, VLANs are used to divide the entire network into different areas with various security levels. The administrator requires that a user should obtain different network access rights when the user connects to the network from different areas. In this case, the user context identification function can be enabled on access devices, and a group of VLANs that belong to the same area are added to the same user context profile. The administrator then assigns the mapping network access rights to different user context profiles based on the security level of each area. When a user connects to the network from different areas, the user is added to different user context profiles matching their access VLANs and therefore obtains different network access rights.

Follow-up Procedure

  1. In the system view, run the access-context profile name profile-name command to create a user context profile.

  2. In the user context profile view, run the if-match vlan-id { start-vlan-id [ to end-vlan-id ] } &<1-10> command to configure the user identification policy based on VLAN IDs.
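The VLAN-based identification and per-phase authorization described in the usage scenario and follow-up procedure above, written out as an added example. This is constructed model code, not Huawei code and not the device's implementation; the profile names, phase names and ACL labels in AUTH_EVENT_POLICY are invented for the example, and the ten-range limit mirrors the &<1-10> in the if-match vlan-id syntax.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed model of user context identification (not Huawei code).
# A user context profile holds up to ten VLAN ranges, mirroring
# "if-match vlan-id { start-vlan-id [ to end-vlan-id ] } &<1-10>".
MAX_VLAN_RANGES = 10


@dataclass
class ContextProfile:
    name: str
    vlan_ranges: List[Tuple[int, int]] = field(default_factory=list)

    def add_vlan_range(self, start: int, end: Optional[int] = None) -> None:
        end = start if end is None else end
        if not 1 <= start <= end <= 4094:
            raise ValueError(f"invalid VLAN range {start}-{end}")
        if len(self.vlan_ranges) >= MAX_VLAN_RANGES:
            raise ValueError("a profile accepts at most 10 VLAN ranges")
        self.vlan_ranges.append((start, end))

    def matches(self, vlan_id: int) -> bool:
        return any(lo <= vlan_id <= hi for lo, hi in self.vlan_ranges)


def identify_context(profiles: List[ContextProfile], user_vlan: int) -> Optional[str]:
    """Return the first profile whose VLAN ranges cover the user's access VLAN.
    The page states the device identifies users by VLAN only, so VLAN is the sole key."""
    for profile in profiles:
        if profile.matches(user_vlan):
            return profile.name
    return None


# Hypothetical user authentication event authorization policy:
# context profile -> network access rights per phase before authentication succeeds.
# Phase names and ACL labels are constructed for the example.
AUTH_EVENT_POLICY: Dict[str, Dict[str, str]] = {
    "office": {"pre-authen": "acl-3001", "authen-fail": "acl-3002"},
    "guest":  {"pre-authen": "acl-3101", "authen-fail": "deny-all"},
}


def rights_for(profiles: List[ContextProfile], user_vlan: int, phase: str,
               authenticated: bool,
               server_rights: Optional[Dict[str, str]] = None) -> Optional[str]:
    """Model the two outcomes the page describes:
    - authentication succeeded: the server assigns rights keyed by the reported context;
    - not (yet) authenticated: rights bound to the context profile in the event policy."""
    context = identify_context(profiles, user_vlan)
    if context is None:
        return None
    if authenticated:
        return (server_rights or {}).get(context)
    return AUTH_EVENT_POLICY.get(context, {}).get(phase)


def build_demo_profiles() -> List[ContextProfile]:
    """Constructed configuration: office VLANs 10-19 and 30, guest VLANs 100-110."""
    office = ContextProfile("office")
    office.add_vlan_range(10, 19)
    office.add_vlan_range(30)
    guest = ContextProfile("guest")
    guest.add_vlan_range(100, 110)
    return [office, guest]
```

The point to take from the model is that the only input the device can use for the decision is the access VLAN, so a user plugged into a port in a higher-security VLAN lands in that area's profile and gets that area's pre-authentication rights; the profile boundaries are therefore worth reviewing together with the VLAN assignment on the access ports.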

Precautions

  • The device can only identify user VLANs.

Example

# Enable the user context identification function.

<HUAWEI> system-view
[HUAWEI] access-context profile enable

access-context profile name

Function

The access-context profile name command creates a user context profile and displays the user context profile view.

The undo access-context profile name command deletes the created user context profile.

By default, no user context profile is created.

Format

access-context profile name profile-name

undo access-context profile name profile-name

Parameters

Parameter: profile-name
  Description: Specifies the name of a user context profile.
  Value: The value is a string of 1 to 32 case-sensitive characters without any space. The value cannot be set to - or --, and cannot contain the following characters: / \ : * ? " < > | @ ' %.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To simplify the authentication server configuration, the administrator can add the users with the same network access rights to the same user context profile based on the user context, and assign the network access rights to the users based on the user context profile.

Follow-up Procedure

In the user context profile view, run the if-match vlan-id start-vlan-id [ to end-vlan-id ] &<1-10> command to configure the user identification policy based on VLAN IDs.

Example

# Create the user context profile p1.

<HUAWEI> system-view
[HUAWEI] access-context profile name p1

access-author policy global

Function

The access-author policy global command applies a user authentication event authorization policy.

The undo access-author policy global command restores the default configuration.

By default, no user authentication event authorization policy is applied.

Format

access-author policy policy-name global

undo access-author policy policy-name global

Parameters

Parameter: policy-name
  Description: Specifies the name of a user authentication event authorization policy.
  Value: The value must be the name of an existing user authentication event authorization policy on the device.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Users need basic network access rights before they are authenticated. For example, the users need to download 802.1X clients and update the antivirus database. A user authentication event authorization policy can be used to bind the network access rights of users in each phase before authentication success to a user context profile. When a user goes online after a user authentication event authorization policy is applied to the device, the device adds the user to the context profile based on the user context identification result, and assigns the network access rights to the user based on the user authentication result.

Prerequisites

A user authentication event authorization policy has been created using the access-author policy name policy-name command in the system view.

Precautions

This function takes effect only for users who go online after this function is successfully configured.

Example

# Globally apply the user authentication event authorization policy a1.

<HUAWEI> system-view
[HUAWEI] access-author policy name a1
[HUAWEI-access-author-a1] quit
[HUAWEI] access-author policy a1 global

access-author policy name

Function

The access-author policy name command creates a user authentication event authorization policy and displays the user authentication event authorization policy view.

The undo access-author policy name command deletes the created user authentication event authorization policy.

By default, no user authentication event authorization policy is created.

Format

access-author policy name policy-name

undo access-author policy name policy-name

Parameters

Parameter: policy-name
  Description: Specifies the name of a user authentication event authorization policy.
  Value: The value is a string of 1 to 32 case-sensitive characters without any space. The value cannot be set to - or --, and cannot contain the following characters: / \ : * ? " < > | @ ' %.

NOTE:
The value of policy-name cannot be the keyword global, the first character or first several characters of global, or any uppercase and lowercase combination of these. This prevents a conflict with the access-author policy global command.
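The naming rules for the policy-name parameter here and for the profile-name parameter of access-context profile name are the same apart from the reserved-keyword rule in the note, so one validator covers both. This is an added example written for this page, not Huawei code; the function name and its return convention ("ok" or a reason string) are the example's own.

```python
from typing import Optional

# Characters the page forbids in profile and policy names: / \ : * ? " < > | @ ' %
FORBIDDEN_CHARS = set('/\\:*?"<>|@\'%')


def validate_nac_name(name: str, reserved_keyword: Optional[str] = None) -> str:
    """Check a user context profile or authorization policy name against the
    rules stated on the page. Returns "ok" or a short reason.

    reserved_keyword enables the extra rule from the note above: an
    access-author policy name must not be the keyword "global" or any
    case-insensitive prefix of it, because "access-author policy <name> global"
    could otherwise be parsed as the keyword."""
    if not 1 <= len(name) <= 32:
        return "length must be 1 to 32 characters"
    if any(ch.isspace() for ch in name):
        return "spaces are not allowed"
    if name in ("-", "--"):
        return "name cannot be - or --"
    bad = sorted(FORBIDDEN_CHARS & set(name))
    if bad:
        return "forbidden characters: " + "".join(bad)
    if reserved_keyword and reserved_keyword.lower().startswith(name.lower()):
        return f"name is a case-insensitive prefix of the keyword {reserved_keyword}"
    return "ok"
```

Names are case-sensitive on the device, which is why the ordinary checks compare exact characters while only the keyword-prefix check folds case: "Glo" is a distinct name from "glo", but either one would be ambiguous against global.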

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Users need basic network access rights before they are authenticated. For example, the users need to download 802.1X clients and update the antivirus database. A user authentication event authorization policy can be used to bind the network access rights of users in each phase before authentication success to a user context profile. When a user goes online after a user authentication event authorization policy is applied to the device, the device adds the user to the context profile based on the user context identification result, and assigns the network access rights to the user based on the user authentication result.

Follow-up Procedure

  1. In the user authentication event authorization policy view, run the match access-context-profile action command to configure the network access rights for users in each phase before authentication success.

  2. In the system view, run the access-author policy global command to apply the user authentication event authorization policy.

Example

# Create the user authentication event authorization policy a1.

<HUAWEI> system-view
[HUAWEI] access-author policy name a1

access-domain

Function

The access-domain command configures a default or forcible domain in an authentication profile for users.

The undo access-domain command deletes a configured default or forcible domain in an authentication profile.

By default, no default or forcible domain is configured in an authentication profile.

Format

access-domain domain-name [ dot1x | mac-authen | portal ] * [ force ]

undo access-domain [ dot1x | mac-authen | portal ] * [ force ]

Parameters

Parameter: domain-name
  Description: Specifies the domain name.
  Value: The value must be the name of an existing domain.

Parameter: dot1x
  Description: Specifies a default or forcible domain for 802.1X authentication users.
  Value: -

Parameter: mac-authen
  Description: Specifies a default or forcible domain for MAC address authentication users.
  Value: -

Parameter: portal
  Description: Specifies a default or forcible domain for Portal authentication users.
  Value: -

Parameter: force
  Description: Specifies the configured domain as a forcible domain. If this parameter is not specified, the configured domain is a default domain.
  Value: -

Views

Authentication profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The device manages users in domains. For example, AAA schemes and authorization information are bound to domains. During user authentication, the device assigns users to specified domains based on the domain names contained in user names. However, user names entered by many users on actual networks do not contain domain names. In this case, you can configure a default domain in an authentication profile. If users using this profile enter user names that do not contain domain names, the device manages the users in the default domain.

On actual networks, user names entered by some users contain domain names and those entered by other users do not. The device uses different domains to manage the users. Because authentication, authorization and accounting (AAA) information in the domains are different, users use different AAA information. To ensure that users using the same authentication profile use the same AAA information, you can configure a forcible domain in the authentication profile for the users. The device then manages the users in the forcible domain regardless of whether entered user names contain domain names or not.

Prerequisites

A domain has been configured using the domain (AAA view) command in the AAA view.

Precautions

When you configure a default or forcible domain in an authentication profile, the domain takes effect as follows:

  • If you do not specify the user authentication mode (dot1x, mac-authen, or portal), the domain takes effect for all access authentication users using the authentication profile.
  • If both a default domain and a forcible domain are configured, the device authenticates users in the forcible domain.

  • This function takes effect only for users who go online after this function is successfully configured.

  • In a wireless scenario, RADIUS accounting is performed only for AAA users who do not need to pass authentication in a forcible domain, and cannot be performed for such users in the default domain.
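The domain selection rules from the usage scenario and precautions above (forcible domain first, then the domain carried in the user name, then the default domain, with mode-specific entries for dot1x, mac-authen and portal), modelled as an added example. This is constructed code, not Huawei code; it assumes the user@domain form for domain names carried in user names and that a mode-specific entry takes precedence over an entry configured without a mode keyword.

```python
from typing import Dict, Optional, Tuple

# Constructed model of default/forcible domain selection (not Huawei code).
# The keywords mirror the access-domain command: dot1x | mac-authen | portal, [ force ].
AUTH_MODES = ("dot1x", "mac-authen", "portal")


class AuthenticationProfile:
    def __init__(self, name: str) -> None:
        self.name = name
        # (mode, or None for "all modes", is_forcible) -> domain name
        self._domains: Dict[Tuple[Optional[str], bool], str] = {}

    def access_domain(self, domain: str, modes=(), force: bool = False) -> None:
        """Mirror 'access-domain domain-name [ dot1x | mac-authen | portal ] * [ force ]'.
        With no mode keyword the domain applies to every access authentication mode."""
        for mode in modes:
            if mode not in AUTH_MODES:
                raise ValueError(f"unknown authentication mode: {mode}")
        keys = [(m, force) for m in modes] or [(None, force)]
        for key in keys:
            self._domains[key] = domain

    def _configured(self, mode: str, force: bool) -> Optional[str]:
        # Assumption: a mode-specific entry wins over the "all modes" entry.
        return self._domains.get((mode, force)) or self._domains.get((None, force))

    def resolve_domain(self, user_name: str, mode: str) -> Optional[str]:
        """Pick the domain the device would manage this user in.
        Order, as the page describes it: forcible domain (user name ignored),
        then the domain carried in the user name, then the default domain."""
        if mode not in AUTH_MODES:
            raise ValueError(f"unknown authentication mode: {mode}")
        forced = self._configured(mode, True)
        if forced is not None:
            return forced
        # Assumption: a domain in the user name is written as user@domain.
        if "@" in user_name:
            return user_name.rsplit("@", 1)[1]
        return self._configured(mode, False)


def build_demo_profile() -> AuthenticationProfile:
    """Constructed configuration: default domain for all modes, forcible domain for 802.1X."""
    profile = AuthenticationProfile("p1")
    profile.access_domain("huawei")                       # access-domain huawei
    profile.access_domain("corp", ("dot1x",), force=True)  # access-domain corp dot1x force
    return profile
```

The behaviour worth noticing in the model is the second branch: without a forcible domain, a user who types a domain suffix chooses which domain's AAA scheme and authorization apply to them, which is the reason the page recommends a forcible domain when every user of a profile should get the same AAA treatment.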

Example

# Configure the forcible domain huawei in the authentication profile p1.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] domain huawei
[HUAWEI-aaa-domain-huawei] quit
[HUAWEI-aaa] quit
[HUAWEI] authentication-profile name p1
[HUAWEI-authen-profile-p1] access-domain huawei force

access-user arp-detect

Function

The access-user arp-detect command sets the source IP address and source MAC address of offline detection packets in a VLAN.

The undo access-user arp-detect command deletes the source IP address and source MAC address of offline detection packets in a VLAN.

By default, the source IP address and source MAC address are not specified for offline detection packets in a VLAN.

Format

access-user arp-detect vlan vlan-id ip-address ip-address mac-address mac-address

undo access-user arp-detect vlan vlan-id ip-address ip-address mac-address mac-address

Parameters

Parameter: vlan vlan-id
  Description: Specifies a VLAN ID.
  Value: The value is an integer that ranges from 1 to 4094.

Parameter: ip-address ip-address
  Description: Specifies the source IP address of offline detection packets.
  Value: The value is in dotted decimal notation.

Parameter: mac-address mac-address
  Description: Specifies the source MAC address of offline detection packets.
  Value: The value is a unicast MAC address in H-H-H format, where H can be one to four hexadecimal digits.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The device sends an ARP probe packet to check the user online status. If the user does not respond within a detection period, the device considers that the user is offline.

If the VLAN to which the user belongs does not have a VLANIF interface or the VLANIF interface does not have an IP address, the device sends an offline detection packet using 0.0.0.0 as the source IP address. If a user cannot respond to an ARP probe packet with the source IP address 0.0.0.0, you can specify a source IP address for the offline detection packet.

You are advised to specify the user gateway IP address and its corresponding MAC address as the source IP address and source MAC address of offline detection packets.

Precautions

This function does not take effect for users who use Layer 3 Portal authentication.

If a user on a physical interface is online, this command takes effect only after the user goes online again or the device re-authenticates the user.

Example

# Set the source IP address and MAC address of offline detection packets for users in VLAN 10 to 192.168.1.1 and 2222-1111-1234 respectively.

<HUAWEI> system-view
[HUAWEI] access-user arp-detect vlan 10 ip-address 192.168.1.1 mac-address 2222-1111-1234

access-user arp-detect default ip-address

Function

The access-user arp-detect default ip-address command sets the default source IP address of offline detection packets.

The undo access-user arp-detect default ip-address command restores the default setting.

By default, the default source IP address of offline detection packets is 0.0.0.0.

Format

access-user arp-detect default ip-address ip-address

undo access-user arp-detect default ip-address

Parameters

Parameter: ip-address
  Description: Specifies the default source IP address of offline detection packets.
  Value: The value is in dotted decimal notation and can be 0.0.0.0 or 255.255.255.255.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The device sends an ARP probe packet to check the user online status. If the user does not respond within a detection period, the device considers that the user is offline.

Precautions

  • This function does not take effect for users who use Layer 3 Portal authentication.

  • In the SVF or policy association scenario, you are advised to run the access-user arp-detect default ip-address command to set the source IP address of offline detection packets to 0.0.0.0. After the AS device sends a received ARP reply packet to the UC device, the UC device discards the packet if the destination IP address of the packet is 0.0.0.0 and the source IP address and source MAC address exist in the user entry. In this way, ARP packets do not occupy too many CPU resources of the device and do not cause authentication failures. In the SVF scenario, the command must be configured on the UC device and takes effect only for UC detection. The default source IP address of offline detection packets for AS detection is 0.0.0.0. In the policy association scenario, you can directly configure the command on the AS device.

  • In normal situations, after a device sends an ARP probe packet with a default source IP address, online clients will immediately respond with ARP reply packets. If online clients do not respond with ARP reply packets, the device logs them out unexpectedly. To resolve this problem, use either of the following methods:
    • Run the access-user arp-detect vlan vlan-id ip-address ip-address mac-address mac-address command to specify a VLAN ID, source IP address, and source MAC address for ARP probe packets.
    • Run the authentication timer handshake-period handshake-period command to increase the handshake period so that the device can detect gratuitous ARP packets that these clients send at an irregular period. Once the device detects such packets, it does not log them out.

Example

# Set the default source IP address of offline detection packets to 0.0.0.0.

<HUAWEI> system-view
[HUAWEI] access-user arp-detect default ip-address 0.0.0.0

access-user dot1x-identity speed-limit

Function

The access-user dot1x-identity speed-limit command configures the rate limit of Identity packets for wireless 802.1X authentication to be sent to the CPU.

The undo access-user dot1x-identity speed-limit command restores the default rate limit of Identity packets for wireless 802.1X authentication to be sent to the CPU.

By default, the maximum number of Identity packets for wireless 802.1X authentication that can be sent to the CPU every second depends on the device.

NOTE:

This function is supported only by S5720HI.

Format

access-user dot1x-identity speed-limit value

undo access-user dot1x-identity speed-limit [ value ]

Parameters

Parameter: value
  Description: Specifies the rate limit of Identity packets for wireless 802.1X authentication to be sent to the CPU.
  Value: The value is an integer in the range of 5 to 40, in pps.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

If a large number of Identity packets for wireless 802.1X authentication are sent to the CPU of a switch, the CPU usage is high and other services are affected. To prevent this problem, run the access-user dot1x-identity speed-limit command to configure the rate limit of Identity packets for wireless 802.1X authentication to be sent to the CPU, so that the switch discards excess Identity packets.

Example

# Set the rate limit of Identity packets for wireless 802.1X authentication to be sent to the CPU to 10 pps.

<HUAWEI> system-view
[HUAWEI] access-user dot1x-identity speed-limit 10

access-user syslog-restrain enable

Function

The access-user syslog-restrain enable command enables system log suppression.

The undo access-user syslog-restrain enable command disables system log suppression.

By default, system log suppression is enabled.

Format

access-user syslog-restrain enable

undo access-user syslog-restrain enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

When a user fails in authentication or goes offline, the device records a system log. The system log contains the MAC addresses of access device and access user and the authentication time.

If a user repeatedly attempts to go online after authentication failures or frequently goes online and offline in a short period, a lot of system logs are generated, which waste system resources and degrade system performance. System log suppression can address this problem. After the device generates a system log, it will not generate the same log within the suppression period (set by access-user syslog-restrain period).

NOTE:

The same system logs refer to the system logs containing the same MAC addresses. For example, after the device generates a system log for a user failing in authentication, the device will not generate a new system log for this user in the suppression period if the user fails in authentication again. The system logs for users logging offline are generated in the same way. If a system log has no MAC address, such system logs are suppressed based on the user name.
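The suppression rule above (same MAC within the period is the same log, user name as the fallback key, 300 s default period with the 60 to 604800 s range of access-user syslog-restrain period), replayed over a constructed event stream as an added example. This is model code written for this page, not Huawei code; the event types "auth-fail" and "offline" and the choice to track suppression separately per event type are the example's own assumptions.

```python
from typing import Dict, List, Optional, Tuple

DEFAULT_PERIOD = 300         # seconds, the page's default suppression period
PERIOD_RANGE = (60, 604800)  # valid range of access-user syslog-restrain period


class SyslogRestrain:
    """Constructed model of NAC system log suppression (not Huawei code)."""

    def __init__(self, enabled: bool = True, period: int = DEFAULT_PERIOD) -> None:
        if not PERIOD_RANGE[0] <= period <= PERIOD_RANGE[1]:
            raise ValueError("period must be in the range 60 to 604800 seconds")
        self.enabled = enabled
        self.period = period
        # (log type, MAC or user name) -> time the last copy was generated
        self._last: Dict[Tuple[str, str], float] = {}

    def should_emit(self, log_type: str, now: float,
                    user_mac: Optional[str] = None,
                    user_name: Optional[str] = None) -> bool:
        """Decide whether a log is generated at time `now`.
        Logs are "the same" when they share the MAC address; a log without a
        MAC is keyed on the user name instead, as the note states.
        Assumption: suppression is tracked separately per log type."""
        if not self.enabled:
            return True
        identity = user_mac or user_name
        if identity is None:
            return True            # nothing to key on; assumption: never suppressed
        key = (log_type, identity)
        last = self._last.get(key)
        if last is not None and now - last < self.period:
            return False           # same log inside the suppression period
        self._last[key] = now
        return True


def run_constructed_scenario(period: int = DEFAULT_PERIOD,
                             enabled: bool = True) -> List[float]:
    """Replay a constructed event stream; return the times at which logs are generated."""
    events = [  # (time in s, log type, MAC, user name) - constructed sample data
        (0,   "auth-fail", "2222-1111-1234", "alice"),
        (5,   "auth-fail", None,             "bob"),    # no MAC: keyed by user name
        (10,  "auth-fail", "2222-1111-1234", "alice"),  # repeat inside the period
        (20,  "offline",   "2222-1111-1234", "alice"),  # different log type
        (50,  "auth-fail", None,             "bob"),    # repeat inside the period
        (310, "auth-fail", "2222-1111-1234", "alice"),  # period elapsed
    ]
    restrain = SyslogRestrain(enabled=enabled, period=period)
    emitted: List[float] = []
    for t, log_type, mac, user in events:
        if restrain.should_emit(log_type, t, user_mac=mac, user_name=user):
            emitted.append(t)
    return emitted
```

For detection work the consequence matters: with suppression on, a burst of failed attempts from one MAC shows up as a single log per period, so a collector that counts events will undercount. The first log of each period still arrives and is the signal to look at, and the raw attempt count is better taken from the RADIUS server than from the switch log.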

Example

# Enable system log suppression.

<HUAWEI> system-view
[HUAWEI] access-user syslog-restrain enable

access-user syslog-restrain period

Function

The access-user syslog-restrain period command sets a period for system log suppression.

The undo access-user syslog-restrain period command restores the default period for system log suppression.

By default, the period of system log suppression is 300s.

Format

access-user syslog-restrain period period

undo access-user syslog-restrain period

Parameters

Parameter: period
  Description: Specifies the period for system log suppression.
  Value: The value is an integer that ranges from 60 to 604800, in seconds.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

After the system log suppression function is enabled using the access-user syslog-restrain enable command, use this command to set the system log suppression period. After generating a system log, the device will not generate the same log within the suppression period.

Example

# Set the period for system log suppression to 600s.

<HUAWEI> system-view
[HUAWEI] access-user syslog-restrain period 600

acl-id (service scheme view)

Function

The acl-id command binds an ACL to a service scheme.

The undo acl-id command unbinds the ACL from the service scheme.

By default, no ACL is bound to a service scheme.

NOTE:

S5720EI, S5720HI, S6720EI, and S6720S-EI do not support this command.

Format

acl-id acl-number

undo acl-id { acl-number | all }

Parameters

Parameter: acl-number
  Description: Specifies the number of an ACL bound to a service scheme.
  Value: The value is an integer that ranges from 3000 to 3999.

Parameter: all
  Description: Deletes the numbers of all ACLs bound to a service scheme.
  Value: -

Views

Service scheme view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After creating a service scheme using the service-scheme (AAA view) command, you can run the acl-id command to bind an ACL to the service scheme. The user assigned with the service scheme will have the ACL rules.

Prerequisites

An IPv4 ACL must have been created using the acl (system view) or acl name command.

Precautions

If all users in a group are required to have the same access rights, do not specify the source IP address in the ACL bound to the service scheme. If an ACL bound to a service scheme has defined the source IP address, only users with the same IP address as the source IP address in the ACL can match the ACL in the service scheme.

The maximum number of ACLs that can be bound to a service scheme is 4.

Example

# Bind ACL 3001 to the service scheme huawei.

<HUAWEI> system-view
[HUAWEI] acl 3001
[HUAWEI-acl-adv-3001] quit
[HUAWEI] aaa
[HUAWEI-aaa] service-scheme huawei
[HUAWEI-aaa-service-huawei] acl-id 3001

authentication handshake

Function

The authentication handshake command enables the handshake with pre-connection users and authorized users.

The undo authentication handshake command disables the handshake with pre-connection users and authorized users.

By default, the handshake with pre-connection users and authorized users is enabled.

Format

authentication handshake

undo authentication handshake

Parameters

None

Views

Authentication profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The device creates entries for pre-connection users, users who fail to be authenticated and are assigned network access rights, and users who are authenticated. After users go offline in normal situations, the system immediately deletes the corresponding user entries. However, if some users go offline due to exceptions such as network disconnections, the system cannot immediately delete the corresponding user entries. If there are too many such invalid user entries, other users may fail to access the network.

To solve this problem, run the authentication handshake command to enable the handshake with pre-connection users and authorized users. If a user does not respond to the handshake request from the device within the handshake interval, the device deletes the user entry.

Precautions

  • The handshake interval for MAC address authentication users, Layer 3 Portal authentication users, and 802.1X authentication users is configured using the authentication timer handshake-period command. The handshake interval for Layer 2 Portal authentication users is configured using the portal timer offline-detect command.

  • For Layer 3 Portal authentication users, only those who go online through S5720HI support this function.

  • This function takes effect only for the wired users who obtain IP addresses.

  • The handshake function is implemented using ARP probe packets or neighbor discovery (ND) probe packets.

  • The handshake function can also be implemented by detecting whether there is user traffic on the access device. Assuming that the handshake interval is 3n, the device will detect user traffic at n and 2n. The following uses the 0-n period as an example. The process during the n-2n period is similar to that during 0-n. (This process applies only to authentication users who go online from the S5720EI, S5720HI, S6720EI, and S6720S-EI. Other switch models do not detect user traffic and send probe packets at n and 2n.)
    • If user traffic passes the device during the 0-n period, the device considers that the user is online at n, so it will not send a probe packet to the user, but resets the handshake interval.
    • If no user traffic passes the device during the 0-n period, the device cannot determine whether the user is online at n, so it sends a probe packet to the user. If the device receives the reply packet from the user, it considers the user online and resets the handshake interval. If no reply packet is received, it considers the user offline.
    • If user traffic passes the device during the 2n-3n period, the device considers that the user is online at 3n and resets the handshake interval.
    • If no user traffic passes the device during the 2n-3n period, the device cannot determine whether the user is online at 3n and considers that the user is offline.
    If the device considers that the user is offline at n, 2n, and 3n, the device deletes all entries related to the user. To prevent the user from going offline unexpectedly when no operation is performed on the PC, do not set a short handshake period.
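The traffic-detection handshake above, with its checkpoints at n, 2n and 3n, is easier to reason about when simulated, so here is an added example that walks one handshake interval for a single user. It is constructed model code, not Huawei code; the traffic_detection flag distinguishes the S5720EI/S5720HI/S6720EI/S6720S-EI behaviour from the other models the page mentions, which probe at n and 2n without looking at traffic, and the reply callback stands in for whether the user answers an ARP or ND probe.

```python
from typing import Callable, List, Tuple


def handshake_cycle(n: float, traffic_times: List[float],
                    replies_to_probe: Callable[[float], bool],
                    traffic_detection: bool = True,
                    cycle_start: float = 0.0) -> Tuple[str, float, List[float]]:
    """Simulate one handshake interval of length 3n for one user.

    traffic_times: times at which user traffic passed the device (constructed).
    replies_to_probe(t): whether the user answers a probe sent at time t.
    traffic_detection: True for models that check traffic before probing;
                       False for models that always probe at n and 2n.

    Returns (verdict, time of verdict, probe times). "online" means the
    interval is reset; "offline" means the user was offline at n, 2n and 3n,
    so the device deletes all entries related to the user."""
    probes: List[float] = []
    for k in (1, 2, 3):
        lo, hi = cycle_start + (k - 1) * n, cycle_start + k * n
        if traffic_detection and any(lo <= t < hi for t in traffic_times):
            return "online", hi, probes        # traffic seen: no probe, interval reset
        if k == 3:
            return "offline", hi, probes       # no traffic in 2n-3n and no probe at 3n
        probes.append(hi)                      # status unknown at n or 2n: send a probe
        if replies_to_probe(hi):
            return "online", hi, probes        # reply received: interval reset
    return "offline", cycle_start + 3 * n, probes   # unreachable; satisfies the type


def idle_user_survives(n: float, replies_to_probe: Callable[[float], bool],
                       traffic_detection: bool = True) -> bool:
    """A user with no traffic at all stays online only if it answers a probe."""
    verdict, _, _ = handshake_cycle(n, [], replies_to_probe, traffic_detection)
    return verdict == "online"
```

The last checkpoint is the one that surprises people: a user whose only activity falls in the 2n-3n window is kept, but a user that is silent in 2n-3n gets no probe at 3n and is dropped even if it would have answered one. That is the mechanism behind the page's advice not to set a short handshake period for idle PCs.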

Example

# In the authentication profile p1, enable the handshake with pre-connection users and authorized users.

<HUAWEI> system-view
[HUAWEI] authentication-profile name p1
[HUAWEI-authen-profile-p1] authentication handshake

authentication control-direction

Function

The authentication control-direction command configures the direction of traffic controlled by the device.

By default, the device only controls the upstream traffic.

Format

authentication control-direction { all | inbound }

Parameters

Parameter: all
  Description: Configures bidirectional traffic control.
  Value: -

Parameter: inbound
  Description: Controls only the upstream traffic.
  Value: -

Views

Authentication profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

By default, the access authentication device discards all the traffic sent from the users who fail the 802.1X authentication or MAC address authentication. However, these users can still receive broadcast packets sent from the successfully authenticated users in the same VLAN. To prevent the users who fail the authentication from receiving the broadcast packets, run the authentication control-direction all command to configure bidirectional traffic control. To restore the default situation, run the authentication control-direction inbound command so that the device only controls the traffic sent from the users who fail the authentication.

Precautions

  • This function applies only to 802.1X authentication and MAC address authentication.

  • This function takes effect only when an access switch functions as the authentication device and an interface of the switch is connected to only one IP phone or PC.

  • This function does not take effect when users have pre-connection entries or authentication event entries. You are advised to run the undo authentication pre-authen-access enable command to disable the function of keeping users who fail to be authenticated and have no network access rights in the pre-connection state, and not to run the authentication event command, which configures the device to assign network access rights to users in each phase before authentication succeeds.

  • If users go online on the same interface in the same VLAN, bidirectional traffic control does not take effect on this interface.

  • Layer 3 interfaces do not support bidirectional traffic control.

  • You are advised to run the stp edged-port enable command to configure the interface on which the function is applied as an edge port. The interface can be added to a maximum of four VLANs.

  • The SVF and policy association scenarios do not support this function.

  • WLAN scenarios do not support this function.

  • When this function is configured, the recommended STP mode is VBST. If the STP mode is changed after users go online, traffic will be interrupted for a short time. If the STP mode is set to MSTP or STP, run the instance command to map VLANs to different spanning tree instances (MSTIs).
  • A user VLAN cannot be specified as an RRPP or ERPS control VLAN.

Example

# Configure bidirectional traffic control in the authentication profile authen1.

<HUAWEI> system-view
[HUAWEI] authentication-profile name authen1
[HUAWEI-authen-profile-authen1] authentication control-direction all

authentication device-type voice authorize

Function

The authentication device-type voice authorize command enables voice terminals to go online without authentication.

The undo authentication device-type voice authorize command disables voice terminals from going online without authentication.

By default, voice terminals are disabled from going online without authentication.

Format

authentication device-type voice authorize [ service-scheme scheme-name ]

undo authentication device-type voice authorize [ service-scheme ]

Parameters

Parameter: service-scheme scheme-name
  Description: Specifies the name of the service scheme based on which network access rights are assigned to voice terminals.
  Value: The value must be an existing service scheme name.

Views

Authentication profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When both data terminals (such as PCs) and voice terminals (such as IP phones) are connected to devices, NAC is configured on the devices to manage and control the data terminals. The voice terminals, however, only need to connect to the network without being managed and controlled. In this case, you can configure the voice terminals to go online without authentication on the devices. Then the voice terminals identified by the devices can go online without authentication.

Precautions

When a RADIUS server is used for dynamic VLAN delivery, the following RADIUS attributes must be used: (064) Tunnel-Type (which must be set to VLAN or 13), (065) Tunnel-Medium-Type (which must be set to 802 or 6), and (081) Tunnel-Private-Group-ID (which can be set to the VLAN ID or the VLAN description). To ensure that the RADIUS server delivers VLAN attributes correctly, all three RADIUS attributes must be used, and the Tunnel-Type and Tunnel-Medium-Type attributes must be set to the specified values. When a voice VLAN is delivered, the RADIUS attribute (26-33) HW-Voice-Vlan must also be used.
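The three-attribute rule above can be checked mechanically on a captured Access-Accept. The following Python script is an added example, not part of the Huawei documentation: it encodes the RFC 2868 tunnel attributes the way a RADIUS server places them in an Access-Accept and validates a received attribute list against the rule (Tunnel-Type = 13, Tunnel-Medium-Type = 6, Tunnel-Private-Group-ID present, plus the HW-Voice-Vlan vendor attribute when a voice VLAN is expected). The attribute numbers 64, 65, 81 and 26-33 are those named on the page; the Huawei vendor ID 2011 for the Vendor-Specific attribute and the placeholder payload used for HW-Voice-Vlan are assumptions of the example, since the page gives neither.

```python
from typing import List, Optional, Tuple

# Attribute numbers named on the page (RFC 2868 tunnel attributes, RFC 2865 VSA).
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
VENDOR_SPECIFIC = 26
TUNNEL_TYPE_VLAN = 13        # "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6   # "802"
HUAWEI_VENDOR_ID = 2011      # assumption: Huawei's IANA enterprise number, not stated on the page
HW_VOICE_VLAN = 33           # vendor type from "(26-33) HW-Voice-Vlan"


def encode_tagged_int(attr_type: int, tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer: Type, Length, Tag, 3-byte big-endian value."""
    return bytes([attr_type, 6, tag]) + value.to_bytes(3, "big")


def encode_tagged_string(attr_type: int, tag: int, text: str) -> bytes:
    """RFC 2868 tagged string: Type, Length, Tag (0x01-0x1F), string bytes."""
    body = bytes([tag]) + text.encode("ascii")
    return bytes([attr_type, 2 + len(body)]) + body


def encode_vsa(vendor_id: int, vendor_type: int, data: bytes) -> bytes:
    """Vendor-Specific attribute wrapping one vendor sub-attribute."""
    inner = bytes([vendor_type, 2 + len(data)]) + data
    body = vendor_id.to_bytes(4, "big") + inner
    return bytes([VENDOR_SPECIFIC, 2 + len(body)]) + body


def parse_attributes(buf: bytes) -> List[Tuple[int, bytes]]:
    """Split a RADIUS attribute list into (type, value) pairs; reject bad lengths."""
    attrs, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated attribute header")
        attr_type, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, buf[i + 2:i + length]))
        i += length
    return attrs


def tagged_int(value: bytes) -> Optional[int]:
    return int.from_bytes(value[1:4], "big") if len(value) == 4 else None


def tagged_string(value: bytes) -> str:
    # Per RFC 2868 a leading octet above 0x1F is data, not a tag.
    if value and value[0] <= 0x1F:
        value = value[1:]
    return value.decode("ascii", errors="replace")


def vsa_types(value: bytes) -> List[Tuple[int, int]]:
    """Return (vendor_id, vendor_type) pairs carried in one VSA value."""
    if len(value) < 6:
        return []
    vendor_id, out, i = int.from_bytes(value[:4], "big"), [], 4
    while i + 2 <= len(value):
        vtype, vlen = value[i], value[i + 1]
        if vlen < 2 or i + vlen > len(value):
            break
        out.append((vendor_id, vtype))
        i += vlen
    return out


def check_vlan_delivery(buf: bytes, expect_voice_vlan: bool = False) -> Tuple[bool, List[str]]:
    """Apply the page's rule: all three tunnel attributes present with the fixed values."""
    attrs = parse_attributes(buf)
    findings: List[str] = []
    present = {t for t, _ in attrs}
    for attr_type, name in ((TUNNEL_TYPE, "Tunnel-Type"),
                            (TUNNEL_MEDIUM_TYPE, "Tunnel-Medium-Type"),
                            (TUNNEL_PRIVATE_GROUP_ID, "Tunnel-Private-Group-ID")):
        if attr_type not in present:
            findings.append(f"missing ({attr_type}) {name}")
    for attr_type, value in attrs:
        if attr_type == TUNNEL_TYPE and tagged_int(value) != TUNNEL_TYPE_VLAN:
            findings.append(f"Tunnel-Type is {tagged_int(value)}, expected VLAN (13)")
        elif attr_type == TUNNEL_MEDIUM_TYPE and tagged_int(value) != TUNNEL_MEDIUM_IEEE_802:
            findings.append(f"Tunnel-Medium-Type is {tagged_int(value)}, expected 802 (6)")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and not tagged_string(value):
            findings.append("Tunnel-Private-Group-ID carries no VLAN ID or description")
    if expect_voice_vlan:
        found = any((vid, vt) == (HUAWEI_VENDOR_ID, HW_VOICE_VLAN)
                    for t, v in attrs if t == VENDOR_SPECIFIC for vid, vt in vsa_types(v))
        if not found:
            findings.append("voice VLAN delivery without (26-33) HW-Voice-Vlan")
    return (not findings, findings)


def build_vlan_accept_attrs(vlan: str, voice: bool = False, tag: int = 1) -> bytes:
    """Constructed attribute list that a correctly configured server would send."""
    attrs = (encode_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
             + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
             + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, vlan))
    if voice:
        # Placeholder payload: the page does not specify the HW-Voice-Vlan value format.
        attrs += encode_vsa(HUAWEI_VENDOR_ID, HW_VOICE_VLAN, (1).to_bytes(4, "big"))
    return attrs


if __name__ == "__main__":
    print(check_vlan_delivery(build_vlan_accept_attrs("100")))
    print(check_vlan_delivery(build_vlan_accept_attrs("100"), expect_voice_vlan=True))
```

Feed the attribute portion of a real Access-Accept (everything after the 20-byte RADIUS header) to check_vlan_delivery when a user lands in the wrong VLAN; a finding naming a missing or mis-set attribute points at the server configuration rather than the switch.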

To enable the switches to identify the voice terminals, enable LLDP or configure an OUI for the voice VLAN on the switches. For details, see Configuring Basic LLDP Functions in "LLDP Configuration" in the S1720, S2700, S5700, and S6720 V200R011C10 Configuration Guide - Network Management and Monitoring or Configuring a Voice VLAN Based on a MAC Address in "Voice VLAN Configuration" in the S1720, S2700, S5700, and S6720 V200R011C10 Configuration Guide - Ethernet Switching. If a voice device supports only CDP but not LLDP, configure CDP-compatible LLDP on the switch using the lldp compliance cdp receive command.

To identify voice terminals in a policy association scenario, the voice VLAN OUI must be configured.

After the voice VLAN function is enabled on an interface using the voice-vlan enable command, authenticated voice terminals are authorized to use the voice VLAN if the VLAN of the voice terminals is the same as the voice VLAN.

If an 802.1X user initiates authentication through a voice terminal, a device preferentially processes the authentication request. If the authentication succeeds, the terminal obtains the corresponding network access rights. If the authentication fails, the device identifies the terminal type and enables the terminal to go online without authentication.

If you run this command repeatedly, the latest configuration overrides the previous ones.

This function takes effect only for users who go online after this function is successfully configured.

Example

# In the authentication profile p1, enable the device to allow voice terminals to go online without authentication and assign the service scheme s1 to voice terminals that are not authenticated.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] service-scheme s1
[HUAWEI-aaa-service-s1] quit
[HUAWEI-aaa] quit
[HUAWEI] authentication-profile name p1
[HUAWEI-authen-profile-p1] authentication device-type voice authorize service-scheme s1

authentication dot1x-mac-bypass

Function

The authentication dot1x-mac-bypass command enables MAC address bypass authentication.

The undo authentication dot1x-mac-bypass command disables MAC address bypass authentication.

By default, MAC address bypass authentication is disabled.

Format

authentication dot1x-mac-bypass

undo authentication dot1x-mac-bypass

Parameters

None

Views

Authentication profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can configure MAC address bypass authentication to authenticate terminals such as printers that cannot have the 802.1X client installed.

After MAC address bypass authentication is enabled in an authentication profile, the device performs 802.1X authentication for users using the authentication profile. If the user name request times out, the device starts the MAC address authentication process for the users.

Precautions

MAC address bypass authentication involves 802.1X authentication and MAC address authentication. Before enabling this function in an authentication profile, ensure that an 802.1X access profile and a MAC access profile have been bound to the authentication profile.

Example

# In the authentication profile p1, enable MAC address bypass authentication.

<HUAWEI> system-view
[HUAWEI] authentication-profile name p1
[HUAWEI-authen-profile-p1] authentication dot1x-mac-bypass

authentication event action authorize

Function

The authentication event action authorize command configures authentication event authorization information.

The undo authentication event action authorize command restores the default setting.

By default, authentication event authorization information is not configured.

Format

User authorization in the case of pre-connections:

authentication event pre-authen action authorize { vlan vlan-id | service-scheme service-scheme-name | ucl-group ucl-group-name }

undo authentication event pre-authen action authorize

User authorization when authentication fails:

authentication event authen-fail action authorize { vlan vlan-id | service-scheme service-scheme-name | ucl-group ucl-group-name } [ response-fail ]

undo authentication event authen-fail action authorize

User authorization when the authentication server is Down:

authentication event authen-server-down action authorize { vlan vlan-id | service-scheme service-scheme-name | ucl-group ucl-group-name } [ response-fail ]

undo authentication event authen-server-down action authorize

Parameters

Parameter

Description

Value

pre-authen

Configures the device to assign network access rights to users when the users establish pre-connections with the device.

-

authen-fail

Configures the device to assign network access rights to users when the authentication server sends authentication failure packets to the device.

-

authen-server-down

Configures the device to assign network access rights to users when the authentication server is Down.

-

response-fail

Configures the device to send authentication failure packets to users after assigning network access rights to the users.

If this parameter is not specified, the device sends authentication success packets to users by default, so the users cannot tell that they have failed authentication. Specify this parameter so that the device sends authentication failure packets and the users learn their actual authentication result.

-

vlan vlan-id

Specifies a VLAN ID. When this parameter is specified, users can access only the resources in the VLAN.

The value is an integer that ranges from 1 to 4094.

service-scheme service-scheme-name

Specifies the name of the service scheme based on which network access rights are assigned to users.

The value must be an existing service scheme name on the device.

ucl-group ucl-group-name

Specifies the name of the UCL group based on which network access rights are assigned to users.

NOTE:

This parameter is supported only by the S5720EI, S5720HI, S6720EI, and S6720S-EI.

The value must be an existing UCL group name on the device.

Views

Authentication profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If users establish pre-connections with the device or fail to be authenticated, they have no network access rights.

To meet these users' basic network access requirements such as updating the antivirus database and downloading the client, configure authentication event authorization information. The device will assign network access rights to these users based on the authentication phase.

Precautions

If no network access right is configured for users who fail authentication or for the case where the authentication server is Down, the users establish pre-connections with the device after the authentication fails and then have the network access rights configured for pre-connection users.

VLAN-based authorization does not apply to the authentication users who access through VLANIF interfaces.

If a user uses Portal authentication or combined authentication (including Portal authentication), the device cannot authorize a VLAN to the user.

This function takes effect only for users who go online after this function is successfully configured.

Wireless 802.1X authentication in EAP mode does not support this function.

For S5720EI, S6720EI, and S6720S-EI, if the user upstream rate limit is configured in the QoS profile bound to a service scheme, do not configure the device to use the service scheme to grant network access rights to users in the pre-connection phase. Otherwise, users go offline.

When the authentication server is in Down state, user authentication fails, or the user is in pre-connection state, the redirection ACL function is not supported. For details about this function, see redirect-acl.

Example

# In the authentication profile authen1, configure the device to assign network access rights specified in VLAN 10 to pre-connection users.

<HUAWEI> system-view
[HUAWEI] vlan batch 10
[HUAWEI] authentication-profile name authen1
[HUAWEI-authen-profile-authen1] authentication event pre-authen action authorize vlan 10

authentication event authen-server-up action re-authen

Function

The authentication event authen-server-up action re-authen command enables the device to re-authenticate users in the survival state when the authentication server changes from Down to Up.

The undo authentication event authen-server-up action re-authen command restores the default setting.

By default, the device does not re-authenticate users in the survival state when the authentication server changes from Down to UP.

Format

authentication event authen-server-up action re-authen

undo authentication event authen-server-up action re-authen

Parameters

None

Views

Authentication profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After the device assigns the specified network access rights to users who fail authentication because the authentication server is Down, these users (users in the survival state) can access only limited network resources. To restore their normal network access, the device needs to re-authenticate users in the survival state as soon as the authentication server turns Up.

Prerequisites

The radius-server testuser command has been configured in the RADIUS server template so that the device can detect that the authentication server changes from Down to Up.

NOTE:

If the radius-server testuser command is not configured and the device sets the status of the authentication server to Down, the device will automatically set the status of the authentication server to Up after the interval (configured using the radius-server retransmit timeout dead-time command) for the server to restore to the active state. The device will not re-authenticate users.

Precautions

This function takes effect only for users who go online after this function is successfully configured.

Example

# In the authentication profile authen1, enable the device to re-authenticate users when the authentication server turns Up from Down.

<HUAWEI> system-view
[HUAWEI] authentication-profile name authen1
[HUAWEI-authen-profile-authen1] authentication event authen-server-up action re-authen

authentication event client-no-response action authorize

Function

The authentication event client-no-response action authorize command configures network access rights for users when the 802.1X client does not respond.

The undo authentication event client-no-response action authorize command restores the default setting.

By default, no network access right is configured for users when the 802.1X client does not respond.

Format

authentication event client-no-response action authorize { service-scheme service-scheme-name | ucl-group ucl-group-name | vlan vlan-id }

undo authentication event client-no-response action authorize

Parameters

Parameter

Description

Value

service-scheme service-scheme-name

Specifies the name of a service scheme based on which network access rights are assigned.

The value must be an existing service scheme name on the device.

ucl-group ucl-group-name

Specifies the name of a UCL group based on which network access rights are assigned.

NOTE:

This parameter is only supported by the S5720EI, S5720HI, S6720EI, and S6720S-EI.

The value must be an existing UCL group name on the device.

vlan vlan-id

Specifies a VLAN ID. When this parameter is specified, users can access only the resources in the VLAN.

The value is an integer that ranges from 1 to 4094.

Views

802.1X access profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If the 802.1X client does not respond, users cannot pass authentication and thereby have no network access right. Before being successfully authenticated, some users may need certain basic network access rights to download client software and update the antivirus database. The network access rights can be configured for the users when the 802.1X client does not respond, so that the users can access specified network resources.

Precautions

This function takes effect only for users who go online after this function is successfully configured.

When an 802.1X client does not respond, the redirection ACL function is not supported. For details about the function, see redirect-acl.

Example

# In the 802.1X access profile d1, configure the device to assign the network access rights specified in VLAN 10 for users when the 802.1X client does not respond.

<HUAWEI> system-view
[HUAWEI] vlan batch 10
[HUAWEI] dot1x-access-profile name d1
[HUAWEI-dot1x-access-profile-d1] authentication event client-no-response action authorize vlan 10

authentication event portal-server-down action authorize

Function

The authentication event portal-server-down action authorize command configures network access rights for users when the Portal server is Down.

The undo authentication event portal-server-down action authorize command deletes the network access rights configured for users when the Portal server is Down.

By default, no network access right is configured for users when the Portal server is Down.

Format

authentication event portal-server-down action authorize { service-scheme service-scheme-name | ucl-group ucl-group-name }

undo authentication event portal-server-down action authorize

Parameters

Parameter

Description

Value

service-scheme service-scheme-name

Specifies the name of the service scheme based on which network access rights are assigned to users.

The value must be an existing service scheme name.

ucl-group ucl-group-name

Specifies the name of the UCL group based on which network access rights are assigned to users.

NOTE:

This parameter is only supported by the S5720EI, S5720HI, S6720EI, and S6720S-EI.

The value must be an existing UCL group name.

Views

Portal access profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If the Portal server is Down, users cannot pass the authentication and thereby have no network access right. Before being successfully authenticated, some users may need certain basic network access rights to download client software and update the antivirus database. The network access rights can be configured for the users when the Portal server is Down, so that the users can access specified network resources.

Prerequisites

A UCL group has been created using the ucl-group command in the system view.

A service scheme has been created using the service-scheme command in the AAA view.

Precautions

  • This function takes effect only for users who go online after this function is successfully configured.

  • This function applies only to Portal authentication users whose authentication is triggered by HTTP messages.

  • Before enabling the access device to assign network access rights to users when the Portal server is Down, enable the heartbeat detection function on the Portal server and run the server-detect command on the access device to enable the Portal server detection function.
  • When the Portal server is in Down state, the redirection ACL function is not supported. For details about this function, see redirect-acl.

Example

# In the Portal access profile p1, configure the device to assign network access rights based on the service scheme s1 to users when the Portal server is Down.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] service-scheme s1
[HUAWEI-aaa-service-s1] quit
[HUAWEI-aaa] quit
[HUAWEI] portal-access-profile name p1
[HUAWEI-portal-acces-profile-p1] authentication event portal-server-down action authorize service-scheme s1

authentication event portal-server-up action re-authen

Function

The authentication event portal-server-up action re-authen command enables the device to re-authenticate users when the Portal server turns Up from Down.

The undo authentication event portal-server-up action re-authen command restores the default setting.

By default, the device does not re-authenticate users when the Portal server turns Up from Down.

Format

authentication event portal-server-up action re-authen

undo authentication event portal-server-up action re-authen

Parameters

None

Views

Portal access profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If the device is configured to assign network access rights to users when the Portal server is Down, users can access limited network resources after the device detects that the Portal server is Down. To ensure that users can obtain normal network access rights after the Portal server goes Up, you can enable the device to re-authenticate users when the Portal server changes from Down to Up. After the Portal server goes Up, the device sets the status of users who display web-server-down to pre-connection. The re-authentication process starts when the users visit any web page. If the authentication succeeds, the device assigns normal network access rights to the users.

Precautions

  • This command does not apply to users connected to the route main interface.
  • This function takes effect only for users who go online after this function is successfully configured.

  • Before enabling the access device to assign network access rights to users when the Portal server is Down, enable the heartbeat detection function on the Portal server and run the server-detect command on the access device to enable the Portal server detection function.

Example

# In the Portal access profile p1, enable the device to re-authenticate users when the Portal server turns Up from Down.

<HUAWEI> system-view
[HUAWEI] portal-access-profile name p1
[HUAWEI-portal-acces-profile-p1] authentication event portal-server-up action re-authen

authentication mac-move enable

Function

The authentication mac-move enable command enables MAC address migration.

The undo authentication mac-move enable command disables MAC address migration.

By default, MAC address migration is disabled.

Format

authentication mac-move enable vlan { all | { vlan-id1 [ to vlan-id2 ] } & <1–10> }

undo authentication mac-move enable vlan { all | { vlan-id1 [ to vlan-id2 ] } & <1–10> }

Parameters

Parameter

Description

Value

vlan

Specifies the VLAN range for enabling MAC address migration.

-

all

Enables MAC address migration in all VLANs.

-

vlan-id1 [ to vlan-id2 ]

Enables MAC address migration in the specified VLANs.

  • vlan-id1 specifies the ID of the first VLAN.
  • vlan-id2 specifies the ID of the second VLAN. The value of vlan-id2 must be greater than that of vlan-id1.

The value is an integer that ranges from 1 to 4094.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After a user is authenticated and accesses the network through one interface of the device, the network cable is unplugged from that interface and plugged into another interface on the device. The user cannot immediately initiate authentication and access the network on the new interface: authentication can start only after the user offline detection interval expires, or after the original authentication interface is manually shut down and enabled again to clear the user's online entry. To improve user experience, enable MAC address migration so that the user can initiate authentication and access the network immediately after being switched to another access interface.

MAC address migration allows online NAC authentication users to immediately initiate authentication and access the network after they are switched to other access interfaces. If the user is authenticated successfully on the new interface, the online user entry on the original interface is deleted immediately to ensure that only one interface records the online user entry.

In addition, VLANs need to be specified for users in MAC address migration. The VLANs before and after the migration can be specified for the users, and they can be the same or different.

Precautions

  • In normal cases, enabling MAC address migration is not recommended. Enable it only when users need to migrate while roaming. Keeping it disabled prevents an unauthorized user from forging the MAC address of an online user and sending ARP, 802.1X, or DHCP packets on another authentication control interface to trigger MAC address migration and force the authorized user offline.

  • In the policy association and SVF scenarios, the device does not support MAC address migration.
  • In the Layer 2 BNG scenario, the device does not support MAC address migration.
  • Cascading migration through intermediate devices is not supported, because ARP and DHCP packets are not sent after the cascading migration.
  • The device does not support MAC address migration for a terminal with one MAC address and multiple IP addresses.
  • MAC address migration is not supported for Layer 3 Portal authentication users.
  • If a user is switched from an interface configured with NAC authentication to an interface not configured with NAC authentication, the user can access the network only after the original online entry ages out, because the new interface cannot send authentication packets to trigger MAC address migration.
  • In common mode, Portal authentication for users who go online through a VLANIF interface is triggered only after the users send ARP packets and go offline; otherwise, the users can go online again only after the original user online entries age out. Portal authentication cannot be triggered after users who go online through physical interfaces migrate; such users can go online again only after the original user online entries age out.
  • After a user who goes online from a VLANIF interface is quieted because of multiple MAC address migrations, MAC address migration can be performed for the quieted user only after the quiet period expires and the ARP entry ages out.
  • After authorized VLANs are delivered to users who go online on the S5720EI, S6720EI, and S6720S-EI, some users may fail to migrate. In this scenario, the users can go online again only after the user entries on the interface before the migration age out.
  • When an authorized VLAN is specified in the authentication mac-move enable vlan command, you are advised to enable the function of detecting the user status before user MAC address migration.

Example

# Enable MAC address migration in all VLANs.

<HUAWEI> system-view
[HUAWEI] authentication mac-move enable vlan all

authentication mac-move detect enable

Function

The authentication mac-move detect enable command enables a device to detect users' online status before user MAC address migration.

The undo authentication mac-move detect enable command disables a device from detecting users' online status before user MAC address migration.

By default, a device is disabled from detecting users' online status before user MAC address migration.

Format

authentication mac-move detect enable

undo authentication mac-move detect enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

To prevent unauthorized users from spoofing online users to attack a device, run the authentication mac-move detect enable command to enable the device to detect users' online status before user MAC address migration. If no users are online, the device permits MAC address migration and allows users to go online from a new access interface. If a user is online, the device terminates MAC address migration and does not allow the user to go online from a new access interface.

You can also run the authentication mac-move detect retry-interval retry-time command to set the detection interval and maximum number of detections before user MAC address migration.

Example

# Enable a device to detect users' online status before user MAC address migration.

<HUAWEI> system-view
[HUAWEI] authentication mac-move detect enable

authentication mac-move detect retry-interval retry-time

Function

The authentication mac-move detect retry-interval retry-time command sets the detection interval and maximum number of detections before user MAC address migration.

The undo authentication mac-move detect retry-interval retry-time command restores the default setting.

By default, a device detects users' online status once. The detection interval is 3 seconds.

Format

authentication mac-move detect { retry-interval interval | retry-time times } *

undo authentication mac-move detect { retry-interval | retry-time } *

Parameters

Parameter

Description

Value

interval

Specifies the interval at which a device detects users' online status before user MAC address migration.

The value is an integer that ranges from 1 to 5, in seconds.

times

Specifies the maximum number of detections before user MAC address migration.

The value is an integer that ranges from 1 to 3.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

After a device is enabled to detect users' online status before user MAC address migration, if no users are online, the device permits MAC address migration and allows users to go online from a new access interface. If a user is online, the device terminates MAC address migration and does not allow the user to go online from a new access interface. You can run the authentication mac-move detect { retry-interval interval | retry-time times } * command to modify the default detection interval and maximum number of detections.

Example

# Configure a device to detect users' online status twice at an interval of 5 seconds before user MAC address migration.

<HUAWEI> system-view
[HUAWEI] authentication mac-move detect retry-interval 5 retry-time 2

authentication mac-move quiet-log enable

Function

The authentication mac-move quiet-log enable command enables the device to record logs about MAC address migration quiet.

The undo authentication mac-move quiet-log enable command disables the device from recording logs about MAC address migration quiet.

By default, the device is enabled to record logs about MAC address migration quiet.

Format

authentication mac-move quiet-log enable

undo authentication mac-move quiet-log enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

The device can record logs when adding or deleting MAC address migration quiet entries. This helps the administrator to find out the cause for MAC address migration failure, and improves maintainability of the MAC address migration quiet function.

Example

# Enable the device to record logs about MAC address migration quiet.

<HUAWEI> system-view
[HUAWEI] authentication mac-move quiet-log enable

authentication mac-move quiet-times quiet-period

Function

The authentication mac-move quiet-times quiet-period command configures the quiet period and the maximum number of MAC address migration times within 60 seconds before users enter the quiet state.

The undo authentication mac-move quiet-times quiet-period command restores the default settings.

The default quiet period is 0 seconds and the maximum number of MAC address migration times within 60 seconds before users enter the quiet state is 3.

Format

authentication mac-move { quiet-times times | quiet-period quiet-value } *

undo authentication mac-move { quiet-times | quiet-period } *

Parameters

Parameter

Description

Value

times

Specifies the maximum number of MAC address migration times within 60 seconds before users enter the quiet state.

The value is an integer that ranges from 1 to 10.

quiet-value

Specifies the quiet period for MAC address migration users.

The value is an integer that ranges from 0 to 3600.

The value 0 indicates that the MAC address migration quiet function is disabled.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

When users frequently switch access interfaces (especially frequent switching due to loops), the device needs to process a large number of authentication packets and entries, which results in high CPU usage. To solve this problem, configure the MAC address migration quiet function.

If the number of MAC address migration times for a user within 60 seconds exceeds the value (times) after the MAC address migration quiet function is enabled, the device quiets the user for a certain period (quiet-value). During the quiet period, the device does not allow users to perform MAC address migration.

Example

# Configure the quiet period to 120 seconds and the maximum number of MAC address migration times within 60 seconds before users enter the quiet state to 5.

<HUAWEI> system-view
[HUAWEI] authentication mac-move quiet-times 5 quiet-period 120

authentication mac-move quiet-user-alarm enable

Function

The authentication mac-move quiet-user-alarm enable command enables the device to send alarms about MAC address migration quiet.

The undo authentication mac-move quiet-user-alarm enable command disables the device from sending alarms about MAC address migration quiet.

By default, the device is disabled from sending alarms about MAC address migration quiet.

Format

authentication mac-move quiet-user-alarm enable

undo authentication mac-move quiet-user-alarm enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

The device can send alarms about MAC address migration quiet to improve maintainability of the MAC address migration quiet function. The device sends an alarm when the number of users in the MAC address migration quiet table, as a percentage of the maximum number of users the table can hold, exceeds the configured upper alarm threshold. When the percentage falls to or below the lower alarm threshold, the device sends a clear alarm. The upper and lower alarm thresholds are configured using the authentication mac-move quiet-user-alarm percentage command.

Example

# Enable the device to send alarms about MAC address migration quiet.

<HUAWEI> system-view
[HUAWEI] authentication mac-move quiet-user-alarm enable

authentication mac-move quiet-user-alarm percentage

Function

The authentication mac-move quiet-user-alarm percentage command configures the upper and lower alarm thresholds for the percentage of MAC address migration users in quiet state.

The undo authentication mac-move quiet-user-alarm percentage command restores the default setting.

By default, the lower alarm threshold is 50 and upper alarm threshold is 100.

Format

authentication mac-move quiet-user-alarm percentage lower-threshold upper-threshold

undo authentication mac-move quiet-user-alarm percentage

Parameters

Parameter

Description

Value

lower-threshold

Specifies the lower alarm threshold.

The value is an integer that ranges from 1 to 100.

upper-threshold

Specifies the upper alarm threshold.

The value is an integer that ranges from 1 to 100.

The value must be greater than that of lower-threshold.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

The authentication mac-move quiet-user-alarm enable command can be run to enable the device to send alarms about MAC address migration quiet, which improves maintainability of the MAC address migration quiet function. The device sends an alarm when the number of users in the MAC address migration quiet table, as a percentage of the maximum number of users the table can hold, exceeds the configured upper alarm threshold. When the percentage falls to or below the lower alarm threshold, the device sends a clear alarm. The upper and lower alarm thresholds are configured using the authentication mac-move quiet-user-alarm percentage command.
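The MAC address migration controls described across the authentication mac-move commands above (the online-status detection before migration with its retry-interval and retry-time, the 60-second migration counter with quiet-times and quiet-period, quiet-entry logging, and the alarm on quiet-table occupancy with its upper and lower percentage thresholds) all sit on one decision path. The following Python simulation is an added example, not Huawei code, that models that path so the thresholds can be exercised offline. The probe callback, the MacMoveController class and its reason strings, the quiet table capacity of 1024 entries and the choice that the migration which exceeds quiet-times is itself refused are assumptions of the example, not documented device behaviour; the defaults in MacMoveConfig are the ones stated on the page.

```python
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Tuple

MIGRATION_WINDOW = 60  # seconds; the counting window stated on the page


@dataclass
class MacMoveConfig:
    """Knobs of the authentication mac-move commands, with the page's defaults."""
    detect_enable: bool = False    # authentication mac-move detect enable
    retry_interval: int = 3        # detect retry-interval, 1-5 seconds
    retry_time: int = 1            # detect retry-time, 1-3 attempts
    quiet_times: int = 3           # quiet-times, 1-10 migrations per window
    quiet_period: int = 0          # quiet-period, 0-3600 seconds; 0 disables quiet
    quiet_log_enable: bool = True  # quiet-log enable
    alarm_enable: bool = False     # quiet-user-alarm enable
    alarm_lower: int = 50          # quiet-user-alarm percentage lower-threshold
    alarm_upper: int = 100         # quiet-user-alarm percentage upper-threshold
    quiet_table_size: int = 1024   # assumed capacity; the page does not state it


class MacMoveController:
    """Decides whether a MAC address seen on a new access interface may migrate."""

    def __init__(self, cfg: MacMoveConfig, probe: Callable[[str, str], bool]) -> None:
        self.cfg = cfg
        self.probe = probe  # probe(mac, old_interface) -> True if the user still answers there
        self.online: Dict[str, str] = {}             # mac -> interface holding the online entry
        self.history: Dict[str, Deque[float]] = {}   # mac -> migration timestamps in window
        self.quiet_until: Dict[str, float] = {}      # quiet table: mac -> expiry time
        self.alarm_raised = False
        self.logs: List[str] = []
        self.alarms: List[str] = []

    def _log(self, msg: str) -> None:
        if self.cfg.quiet_log_enable:
            self.logs.append(msg)

    def quiet_percentage(self) -> float:
        return 100.0 * len(self.quiet_until) / self.cfg.quiet_table_size

    def _update_alarm(self) -> None:
        """Raise above the upper threshold, clear at or below the lower one (hysteresis)."""
        if not self.cfg.alarm_enable:
            return
        pct = self.quiet_percentage()
        if not self.alarm_raised and pct > self.cfg.alarm_upper:
            self.alarm_raised = True
            self.alarms.append(f"ALARM quiet table at {pct:.0f}% (> {self.cfg.alarm_upper}%)")
        elif self.alarm_raised and pct <= self.cfg.alarm_lower:
            self.alarm_raised = False
            self.alarms.append(f"CLEAR quiet table at {pct:.0f}% (<= {self.cfg.alarm_lower}%)")

    def _expire_quiet(self, now: float) -> None:
        for mac, until in list(self.quiet_until.items()):
            if now >= until:
                del self.quiet_until[mac]
                self._log(f"t={now:.0f} quiet entry deleted for {mac}")
        self._update_alarm()

    def _still_online(self, mac: str, old_if: str) -> bool:
        """Probe the old interface up to retry_time times; any answer stops the migration."""
        for _attempt in range(self.cfg.retry_time):
            if self.probe(mac, old_if):
                return True
            # A real device waits retry_interval seconds here; the simulation does not sleep.
        return False

    def request_migration(self, mac: str, new_if: str, now: float) -> Tuple[bool, str]:
        """Return (allowed, reason) for a packet from mac arriving on new_if at time now."""
        self._expire_quiet(now)
        old_if = self.online.get(mac)
        if old_if is None:
            self.online[mac] = new_if
            return True, "online"
        if old_if == new_if:
            return True, "no-migration"
        if mac in self.quiet_until:
            return False, "quiet"
        if self.cfg.detect_enable and self._still_online(mac, old_if):
            return False, "user-still-online"
        hist = self.history.setdefault(mac, deque())
        hist.append(now)
        while hist and now - hist[0] >= MIGRATION_WINDOW:
            hist.popleft()
        if self.cfg.quiet_period > 0 and len(hist) > self.cfg.quiet_times:
            # Modelling choice: the migration that exceeds the limit is itself refused.
            self.quiet_until[mac] = now + self.cfg.quiet_period
            self._log(f"t={now:.0f} quiet entry added for {mac}, {len(hist)} moves in {MIGRATION_WINDOW}s")
            self._update_alarm()
            return False, "quieted"
        self.online[mac] = new_if  # old entry removed at once: one interface per user
        return True, "migrated"
```

The order of the checks is the point: a quieted MAC is refused before any probe is sent, so a looping or flapping port does not also cost detection probes, and detection runs before the migration is counted, so a probe that finds the original user still answering never contributes to that user being quieted.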

Example

# Set the upper alarm threshold to 80 and the lower alarm threshold to 40.

<HUAWEI> system-view
[HUAWEI] authentication mac-move quiet-user-alarm percentage 40 80

authentication pre-authen-access enable

Function

The authentication pre-authen-access enable command enables the function of keeping users who fail to be authenticated and do not have any network access rights in the pre-connection state.

The undo authentication pre-authen-access enable command disables the function of keeping users who fail to be authenticated and do not have any network access rights in the pre-connection state.

By default, the device keeps users who fail to be authenticated and do not have any network access rights in the pre-connection state.

Format

authentication pre-authen-access enable

undo authentication pre-authen-access enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When a user terminal connects to an NAC-enabled interface on the device, a pre-connection is set up between the terminal and device. If the device is not configured to grant network access rights to users in pre-connection or authentication failure state, users who fail to be authenticated remain in the pre-connection state by default. Because the device allows DHCP packets from pre-connection users to pass through, the users can still obtain IP addresses although they do not have any network access rights, wasting IP addresses and bringing network security risks.

You can run the undo authentication pre-authen-access enable command to disable the function of keeping users who fail to be authenticated and do not have any network access rights in the pre-connection state. This configuration ensures that the users cannot obtain IP addresses.

Precautions

This function does not take effect for users who use Portal authentication or combined authentication (including Portal authentication).

This function does not take effect for users for whom authorization information is configured based on an authentication event.

If the device connects to some terminals such as a MacBook laptop that is not authenticated after obtaining an IP address, it is recommended that you run the undo authentication pre-authen-access enable command on the device to disable the pre-connection function and then connect the terminal to the network again.

If a user in pre-connection state attempts to go online using DHCP packets containing the Option 82 field but fails to go online, it is recommended that you run the undo authentication pre-authen-access enable command on the device to disable the function of keeping users who fail to be authenticated and do not have any network access rights in the pre-connection state.

Example

# Disable the function of keeping users who fail to be authenticated and do not have any network access rights in the pre-connection state.

<HUAWEI> system-view
[HUAWEI] undo authentication pre-authen-access enable

authentication timer handshake-period

Function

The authentication timer handshake-period command sets the handshake interval of the device with pre-connection users and authorized users.

The undo authentication timer handshake-period command restores the default setting.

The default handshake interval of the device with pre-connection users and authorized users is 300 seconds.

Format

authentication timer handshake-period handshake-period

undo authentication timer handshake-period

Parameters

Parameter Description Value

handshake-period

Specifies the handshake interval.

The value is an integer that ranges from 5 to 7200, in seconds.

Views

Authentication profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After enabling the handshake with pre-connection users and authorized users using the authentication handshake command, you can run this command to set the handshake interval. After that, if a user does not respond to the handshake request from the device within the handshake interval, the device deletes the user entry.

Precautions

  • This command only applies to MAC address authentication, Layer 3 Portal authentication, and 802.1X authentication.

  • For Layer 3 Portal authentication users, only those who go online through S5720HI support this function.

  • This function takes effect only for wired users. For wired users who do not obtain IP addresses within 30 minutes, traffic detection is performed (the detection process is described in the following precautions). If traffic passes through the device, the users are online. If no traffic passes through the device, the users go offline.

  • This function takes effect only for users who go online after this function is successfully configured.

  • The handshake function is implemented using ARP probe packets or neighbor discovery (ND) probe packets.

  • The handshake function can also be implemented by detecting whether there is user traffic on the access device. Assuming that the handshake interval is 3n, the device detects user traffic at n and 2n. The following uses the 0-n period as an example; the process during the n-2n period is similar to that during 0-n. (This process applies only to authentication users who go online through the S5720EI, S5720HI, S6720EI, and S6720S-EI. Other switch models do not detect user traffic and send probe packets at n and 2n.)
    • If user traffic passes the device during the 0-n period, the device considers that the user is online at n, so it will not send a probe packet to the user, but resets the handshake interval.
    • If no user traffic passes the device during the 0-n period, the device cannot determine whether the user is online at n, so it sends a probe packet to the user. If the device receives the reply packet from the user, it considers the user online and resets the handshake interval. If no reply packet is received, it considers the user offline.
    • If user traffic passes the device during the 2n-3n period, the device considers that the user is online at 3n and resets the handshake interval.
    • If no user traffic passes the device during the 2n-3n period, the device cannot determine whether the user is online at 3n and considers that the user is offline.
    If the device considers that the user is offline at n, 2n, and 3n, the device deletes all entries related to the user. To prevent the user from going offline unexpectedly when no operation is performed on the PC, do not set a short handshake period.
  • For the models that do not support implementing the handshake function by detecting whether there is user traffic on the access device, if the number of ARP probe packets exceeds the default CAR value, the probe fails and the users are logged out (The display cpu-defend statistics command can be run to check whether ARP request and response packets are lost.). To resolve the problem, the following methods are recommended:
    • Increase the handshake interval based on the number of users. The default handshake interval is recommended when there are fewer than 8000 users; the handshake interval should be no less than 600 seconds when there are more than 8000 users.
    • Deploy the port attack defense function on the access device and limit the rate of packets sent to the CPU.
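The following is an added simulation of the traffic-detecting handshake procedure described in the precautions above; it is not Huawei code and models only the variant used by the switch models that detect user traffic. One user entry is driven through a handshake interval of 3n: the device checks at n, 2n and 3n; a probe is sent only at n and 2n and only when no traffic was seen in the preceding period; the user is judged online (and the interval reset) on traffic or on a probe reply; and the entry is deleted when the user was judged offline at n, 2n and 3n of a single interval. The class and function names, the traffic timestamps and the probe-reply time are constructed for the example.

```python
"""Simulation of the NAC handshake with traffic detection and ARP/ND probes.

Added example, not device code. Times are in seconds from the moment the
user entry was created; the callbacks stand in for the switch's traffic
counters and the client's response to a probe packet.
"""
from typing import Callable, List, Tuple

Event = Tuple[float, str]  # (time in seconds, what the device concluded)


class HandshakeEntry:
    """One NAC user entry handled by the traffic-detecting handshake."""

    def __init__(self, handshake_period: int,
                 traffic_seen: Callable[[float, float], bool],
                 probe_reply: Callable[[float], bool]) -> None:
        # Same range the CLI accepts for handshake-period.
        if not 5 <= handshake_period <= 7200:
            raise ValueError("handshake-period must be 5 to 7200 seconds")
        self.period = handshake_period
        self.n = handshake_period / 3          # checks happen at n, 2n and 3n
        self.traffic_seen = traffic_seen       # (start, end] -> any user traffic?
        self.probe_reply = probe_reply         # probe time -> did the user answer?
        self.start = 0.0                       # start of the current interval
        self.events: List[Event] = []
        self.deleted = False

    def run_until(self, t_end: float) -> None:
        """Advance the simulation through every full interval up to t_end."""
        while not self.deleted and self.start + self.period <= t_end:
            for k in (1, 2, 3):
                check = self.start + k * self.n
                if self.traffic_seen(check - self.n, check):
                    # Traffic in the preceding period: online, no probe needed.
                    self.events.append((check, "traffic seen: online, interval reset"))
                    break
                if k < 3:
                    # No traffic at n or 2n: send a probe and wait for the reply.
                    if self.probe_reply(check):
                        self.events.append((check, "probe answered: online, interval reset"))
                        break
                    self.events.append((check, "probe unanswered: considered offline"))
                else:
                    # No traffic in the 2n-3n period: offline at 3n, no probe is sent.
                    self.events.append((check, "no traffic at 3n: considered offline"))
            else:
                # Offline at n, 2n and 3n: all entries for the user are deleted.
                self.events.append((self.start + self.period, "user entry deleted"))
                self.deleted = True
                return
            # The user was found online: the handshake interval restarts here.
            self.start = check


def simulate(handshake_period: int, traffic_times: List[float],
             reply_times: List[float], t_end: float) -> HandshakeEntry:
    """Drive one entry with constructed traffic and probe-reply timestamps."""
    def traffic_seen(start: float, end: float) -> bool:
        return any(start < t <= end for t in traffic_times)

    def probe_reply(t: float) -> bool:
        return t in reply_times

    entry = HandshakeEntry(handshake_period, traffic_seen, probe_reply)
    entry.run_until(t_end)
    return entry


if __name__ == "__main__":
    # Constructed sample: 300 s handshake period (n = 100 s), user traffic at
    # 30 s, 250 s and 320 s, and a single probe answered at 500 s. After that
    # the PC is idle and does not answer probes, so the entry is deleted at 800 s.
    e = simulate(300, [30, 250, 320], [500], 1200)
    for t, what in e.events:
        print(f"{t:7.0f}s  {what}")
```

Running the sample shows why the text warns against a short handshake period: an idle PC that also misses two probes is removed one full interval after its last activity, so with a 300-second period an idle user is gone after 300 seconds of silence, whereas steady traffic never causes a probe to be sent at all.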

Example

# In the authentication profile p1, set the handshake interval of the device with pre-connection users and authorized users to 200 seconds.

<HUAWEI> system-view
[HUAWEI] authentication-profile name p1
[HUAWEI-authen-profile-p1] authentication timer handshake-period 200

authentication timer authen-fail-aging

Function

The authentication timer authen-fail-aging command configures the aging time for entries of the users who fail to be authenticated.

The undo authentication timer authen-fail-aging command restores the default aging time for entries of the users who fail to be authenticated.

By default, the aging time for entries of the users who fail to be authenticated is 23 hours.

Format

authentication timer authen-fail-aging aging-time

undo authentication timer authen-fail-aging

Parameters

Parameter Description Value
aging-time

Specifies the aging time.

The value is 0 or an integer that ranges from 60 to 4294860, in seconds.

The value 0 indicates that the entry does not age.

Views

Authentication profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After network access policies are configured for users who fail to be authenticated, the device creates entries for these users. If the user still fails to be authenticated when the user aging time expires, the user entry is deleted.

The entries of the users who fail to be authenticated share device resources with the entries of the users who are authenticated. If too many entries exist for users who fail to be authenticated, other users cannot be authenticated. To solve this problem, run the authentication timer authen-fail-aging command to reduce the aging time for entries of the users who fail to be authenticated. In addition, if the time for which users who fail to be authenticated keep their network access policies needs to be shortened, you can run this command to decrease the aging time for the user entries.

Precautions

This function takes effect only for users who go online after this function is successfully configured.

Only wired users support this function.

Example

# In the authentication profile p1, configure the aging time for entries of the users who fail to be authenticated to 3600 seconds.

<HUAWEI> system-view
[HUAWEI] authentication-profile name p1
[HUAWEI-authen-profile-p1] authentication timer authen-fail-aging 3600

authentication timer pre-authen-aging

Function

The authentication timer pre-authen-aging command configures the aging time for pre-connection user entries.

The undo authentication timer pre-authen-aging command restores the default aging time for pre-connection user entries.

By default, the aging time for pre-connection user entries is 23 hours.

Format

authentication timer pre-authen-aging aging-time

undo authentication timer pre-authen-aging

Parameters

Parameter Description Value
aging-time

Specifies the aging time.

The value is 0 or an integer that ranges from 60 to 4294860, in seconds.

The value 0 indicates that the entry does not age.

Views

Authentication profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When a pre-connection is established between the device and a user, the device creates the pre-connection user entry. If the user still fails to be authenticated when the user aging time expires, the user entry is deleted.

The pre-connection user entries share device resources with the entries of the users who are authenticated. If too many pre-connection user entries exist, other users cannot be authenticated. To solve this problem, run the authentication timer pre-authen-aging command to reduce the aging time for the pre-connection user entries. In addition, if the time for which pre-connection users keep their network access policies needs to be extended, you can run this command to increase the aging time for the pre-connection user entries.

Precautions

This function takes effect only for users who go online after this function is successfully configured.

Only wired users support this function.

Example

# In the authentication profile p1, configure the aging time for the pre-connection user entries to 3600 seconds.

<HUAWEI> system-view
[HUAWEI] authentication-profile name p1
[HUAWEI-authen-profile-p1] authentication timer pre-authen-aging 3600

authentication timer re-authen

Function

The authentication timer re-authen command configures the interval for re-authenticating pre-connection users or users who fail to be authenticated.

The undo authentication timer re-authen command restores the default setting.

By default, pre-connection users and users who fail to be authenticated are re-authenticated at an interval of 60 seconds.

Format

authentication timer re-authen { pre-authen re-authen-time | authen-fail re-authen-time }

undo authentication timer re-authen { pre-authen | authen-fail }

Parameters

Parameter Description Value
pre-authen re-authen-time

Specifies the interval for re-authenticating pre-connection users.

The value is 0 or an integer that ranges from 30 to 7200, in seconds.

The value 0 indicates that the re-authentication function is disabled for pre-connection users.

authen-fail re-authen-time

Specifies the interval for re-authenticating users who fail to be authenticated.

The value is 0 or an integer that ranges from 30 to 7200, in seconds.

The value 0 indicates that the re-authentication function is disabled for users who fail to be authenticated.

Views

Authentication profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The device creates the corresponding user entries when network access policies are assigned to users who are in the pre-connection phase or fail authentication. To enable users to pass authentication in real time, the device periodically re-authenticates the users who are in the pre-connection phase or fail authentication according to the user entries. The administrator can adjust the re-authentication interval based on the actual network requirements.

Precautions

This command only applies to 802.1X authentication and MAC address authentication.

This function takes effect only for users who go online after this function is successfully configured.

The device cannot re-authenticate wireless users who are in the pre-connection phase or fail authentication. Therefore, the authentication timer re-authen command does not apply to wireless users.

To reduce the impact on the device performance when many users exist, the user re-authentication interval may be longer than the configured re-authentication interval.

If a static user configured with 802.1X authentication enters the pre-connection status after failing the authentication, 802.1X authentication is then performed. During the 802.1X authentication, the pre-authen re-authen-time timer does not take effect. If the 802.1X authentication also fails, the pre-authen re-authen-time timer takes effect, and re-authentication is triggered according to this timer.

Example

# In the authentication profile authen1, set the interval for re-authenticating users who fail to be authenticated to 300 seconds.

<HUAWEI> system-view
[HUAWEI] authentication-profile name authen1
[HUAWEI-authen-profile-authen1] authentication timer re-authen authen-fail 300

authentication wlan-max-user

Function

The authentication wlan-max-user command configures the maximum number of authenticated users allowed on a VAP.

The undo authentication wlan-max-user command restores the default setting.

By default, a maximum of 128 authenticated users are allowed on a VAP.

NOTE:

This function is supported only by S5720HI.

Format

authentication wlan-max-user max-user-number

undo authentication wlan-max-user

Parameters

Parameter Description Value

max-user-number

Specifies the maximum number of users.

The value is an integer that ranges from 1 to 128.

Views

Authentication profile view

Default Level

2: Configuration level

Usage Guidelines

To ensure high-quality network access services for online users in high-density wireless access scenarios, the administrator needs to limit the number of authenticated users to prevent excess access users from degrading user experience. The administrator can run the authentication wlan-max-user command to limit the number of access users allowed on a VAP of a single AP.
NOTE:

This function takes effect only when the authentication profile is bound to the VAP profile.

Example

# In the authentication profile authen1, set the maximum number of allowed authenticated users to 100 on a VAP.

<HUAWEI> system-view
[HUAWEI] authentication-profile name authen1
[HUAWEI-authen-profile-authen1] authentication wlan-max-user 100

authentication mode

Function

The authentication mode command configures the user access mode.

The undo authentication mode command restores the default user access mode.

By default, the user access mode is multi-authen.

Format

authentication mode { single-terminal | single-voice-with-data | multi-share | multi-authen [ max-user max-user-number [ dot1x | mac-authen | portal ] * ] }

undo authentication mode [ multi-authen max-user [ dot1x | mac-authen | portal ] * ]

Parameters

Parameter Description Value
single-terminal

Specifies the interface to allow only one user to go online.

-

single-voice-with-data

Specifies the interface to allow only one data user and one voice user to go online.

This mode applies to the scenario in which a data user connects to a network through a voice terminal.

-

multi-share

Specifies the interface to allow multiple users to go online.

In this mode, the device only authenticates the first user. If the first user can be authenticated, the subsequent users share the same network access rights with the first user. If the first user goes offline, other users are also offline.

-

multi-authen

Specifies the interface to allow multiple users to go online.

In this mode, the device authenticates each access user. If users can be authenticated, the users have their individual network access rights. If a user goes offline, other users are not affected.

-

max-user max-user-number

Specifies the maximum number of access users on the interface in multi-authen mode.

The value is an integer that depends on the device.

dot1x

Specifies the maximum number of 802.1X authentication users allowed to connect to the interface in multi-authen mode.

-

mac-authen

Specifies the maximum number of MAC address authentication users allowed to connect to the interface in multi-authen mode.

-

portal

Specifies the maximum number of Portal authentication users allowed to connect to the interface in multi-authen mode.

-

Views

Authentication profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After enabling NAC authentication, you can configure a user access mode based on the user access on the interface. The user access modes include:
  • single-terminal: applies to the scenario in which only one data terminal is connected to the network through the interface.
  • single-voice-with-data: applies to the scenario in which only one data terminal is connected to the network on the device interface through a voice terminal.
  • multi-share: applies to the scenario that does not require high security and in which multiple data terminals are connected to the network on the device interface.
  • multi-authen: applies to the scenario that requires high security and in which multiple data terminals are connected to the network on the device interface. In this access mode, you can configure the maximum number of access users based on the actual user quantity on the interface. This prevents malicious users from occupying a large amount of device resources and ensures that the users on other device interfaces can normally go online.

Precautions

  • VLANIF interfaces do not support this function.
  • The authentication mode multi-authen max-user max-user-number command only indicates the maximum number of access users allowed by the interface in multi-authen mode, not the access mode of the specified interface. The interface access mode needs to be modified to multi-authen using the authentication mode multi-authen command.

  • If the multi-share mode is configured on an Eth-Trunk of the S5720HI, the upstream rate limit cannot be delivered to users who go online through this Eth-Trunk.
  • If the first access user fails to be authenticated on a physical interface and sets up a pre-connection after the multi-share mode is configured on the physical interface, new access users will also fail to be authenticated on the interface. Therefore, the following operations are recommended if the first access user may fail to be authenticated after the multi-share mode is configured on a physical interface.
    • Configure users to not set up pre-connections when 802.1X authentication or MAC address authentication is used. You can run the undo authentication pre-authen-access enable command to configure the device to not generate entries for users who obtain rights in the pre-connection phase.
    • Do not use the multi-share mode with Portal authentication.
  • In the policy association scenario, the authentication mode multi-authen max-user max-user-number command configured on an access device does not take effect. To configure the number of access users on an access device, run the authentication access-point max-user max-user-number command to set the maximum number of access users allowed on the interface of the access device.

  • When authentication mode is set to multi-authen in the authentication profile, set the interface type to hybrid or trunk in policy association scenarios or to hybrid in other scenarios when you configure the authorization VLAN.

Example

# In the authentication profile p1, set the user access mode to multi-authen.

<HUAWEI> system-view
[HUAWEI] authentication-profile name p1
[HUAWEI-authen-profile-p1] authentication mode multi-authen

authentication single-access

Function

The authentication single-access command configures the device to allow users to access in only one authentication mode.

The undo authentication single-access command restores the default setting.

By default, the device allows users to access in different authentication modes.

Format

authentication single-access

undo authentication single-access

Parameters

None

Views

Authentication profile view

Default Level

2: Configuration level

Usage Guidelines

After hybrid authentication is configured, the device by default allows users to access in different authentication modes. You can run the authentication single-access command to disable this default function. The device then allows users to access in only one authentication mode and does not process the packets of other authentication modes.

Example

# In the authentication profile authen1, configure the device to allow users to access in only one authentication mode.

<HUAWEI> system-view
[HUAWEI] authentication-profile name authen1
[HUAWEI-authen-profile-authen1] authentication single-access

authentication speed-limit auto

Function

The authentication speed-limit auto command enables the device to dynamically adjust the rate of packets from NAC users.

The undo authentication speed-limit auto command disables the device from dynamically adjusting the rate of packets from NAC users.

By default, the device does not dynamically adjust the rate of packets from NAC users.

Format

authentication speed-limit auto

undo authentication speed-limit auto

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

When many NAC users send authentication or logout requests to the device, the CPU may be overloaded, especially when the CPU or memory usage is already high (for example, above 80%). After the device is enabled to dynamically adjust the rate of packets from NAC users, the device limits the number of NAC packets received per second whenever the CPU or memory usage is high. This function reduces the load on the device CPU.

Example

# Enable the device to dynamically adjust the rate of packets from NAC users.

<HUAWEI> system-view
[HUAWEI] authentication speed-limit auto

authentication unified-mode

Function

The authentication unified-mode command switches the NAC mode to unified mode.

The undo authentication unified-mode command switches the NAC mode to common mode.

By default, the unified NAC configuration mode is used.

Format

authentication unified-mode

undo authentication unified-mode

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Compared with the common mode, the unified mode uses a modular configuration, making the configuration clearer and the configuration model easier to understand.

Considering advantages of the unified mode, you are advised to deploy NAC in unified mode. You can run the authentication unified-mode command to switch the NAC mode to unified mode.

Precautions

  • Starting from V200R005C00, the default NAC mode changes from common mode to unified mode. Therefore, if the system software of a switch is upgraded from a version earlier than V200R005C00 to V200R005C00 or a later version, the switch automatically runs the undo authentication unified-mode command to configure the NAC mode to common mode.
  • After the common mode and unified mode are switched, the device automatically restarts, causing service interruption.
  • In V200R008C00, some NAC commands do not differentiate the common and unified modes. Their formats and views remain unchanged after being switched from one mode to the other. After devices are switched from the common mode in V200R008C00 or later versions to the unified mode in V200R009C00 or later versions, these NAC commands can be switched to the unified mode.
  • In the unified mode, only the commands of the common mode are unavailable; in the common mode, only the commands of the unified mode are unavailable. In addition, after the configuration mode is switched, the commands supported by both the common mode and unified mode still take effect.

Example

# Switch the NAC mode to unified mode.

<HUAWEI> system-view
[HUAWEI] authentication unified-mode

authentication trigger-condition (802.1X authentication)

Function

The authentication trigger-condition command configures the packet types that can trigger 802.1X authentication.

The undo authentication trigger-condition command restores the default configuration.

By default, DHCP/ARP packets can trigger 802.1X authentication.

Format

authentication trigger-condition { dhcp | arp | any-l2-packet } *

undo authentication trigger-condition [ dhcp | arp | any-l2-packet ] *

Parameters

Parameter Description Value
dhcp

Triggers 802.1X authentication through DHCP packets.

-

arp

Triggers 802.1X authentication through ARP packets.

-

any-l2-packet

Triggers 802.1X authentication through any packets.

-

Views

802.1X access profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After 802.1X authentication is enabled, the device can trigger 802.1X authentication on users by default when receiving DHCP or ARP packets. Based on user information on the actual network, the administrator can adjust the packet types that can trigger 802.1X authentication. For example, if all users on a network dynamically obtain IPv4 addresses, the device can be configured to trigger 802.1X authentication only through DHCP packets. This prevents the device from continuously sending ARP packets to trigger 802.1X authentication when static IPv4 addresses are configured for unauthorized users on the network, and reduces device CPU occupation.

If a static IPv4 address is configured for a client, 802.1X authentication cannot be triggered because the client and the device do not exchange DHCP or ARP packets. You can run the authentication trigger-condition any-l2-packet command to trigger 802.1X authentication through any packets. To prevent unauthorized users from maliciously occupying user entries on the device, you are advised to configure the function of triggering 802.1X authentication through any packets on the access device, and run the authentication mode max-user max-user-number command in the authentication profile view to configure the maximum number of access users allowed on an interface. The recommended value is 10.

Precautions

This function takes effect only for users who go online after this function is successfully configured.

To allow BPDUs to trigger 802.1X authentication, you must enable the function corresponding to the BPDUs globally. For example, to allow LLDPDUs to trigger 802.1X authentication, run the lldp enable (system view) command to enable LLDP globally.

The function does not take effect when multiple authentication modes are used together.

When any-l2-packet is configured and 802.1X authentication is enabled on an interface, EAP packets sent from a client trigger 802.1X authentication first.

When MAC address authentication and 802.1X authentication are both enabled on an interface, packets that can trigger authentication include all the packet types that can trigger authentication in the MAC access profile and 802.1X access profile. For example, assume that ARP packets in the MAC access profile are unable to trigger authentication and ARP packets in the 802.1X access profile can trigger authentication. If MAC address authentication and 802.1X authentication are both enabled on an interface, ARP packets can trigger MAC address authentication.

Example

# In the 802.1X access profile d1, configure the device to use DHCP packets to trigger 802.1X authentication.

<HUAWEI> system-view
[HUAWEI] dot1x-access-profile name d1
[HUAWEI-dot1x-access-profile-d1] authentication trigger-condition dhcp

authentication trigger-condition (MAC address authentication)

Function

The authentication trigger-condition command configures the packet types that can trigger MAC address authentication.

The undo authentication trigger-condition command restores the default configuration.

By default, DHCP/ARP/DHCPv6/ND packets can trigger MAC address authentication.

Format

authentication trigger-condition { dhcp | arp | dhcpv6 | nd | any-l2-packet } *

undo authentication trigger-condition [ dhcp | arp | dhcpv6 | nd | any-l2-packet ] *

Parameters

Parameter Description Value
dhcp

Triggers MAC address authentication through DHCP packets.

-

arp

Triggers MAC address authentication through ARP packets.

-

dhcpv6

Triggers MAC address authentication through DHCPv6 packets.

-

nd

Triggers MAC address authentication through ND packets.

-

any-l2-packet

Triggers MAC address authentication through any packets.

-

Views

MAC access profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After MAC address authentication is enabled, the device can trigger MAC address authentication on users by default when receiving DHCP/ARP/DHCPv6/ND packets. Based on user information on the actual network, the administrator can adjust the packet types that can trigger MAC address authentication. For example, if all users on a network dynamically obtain IPv4 addresses, the device can be configured to trigger MAC address authentication only through DHCP packets. This prevents the device from continuously sending ARP packets to trigger MAC address authentication when static IPv4 addresses are configured for unauthorized users on the network, and reduces device CPU occupation.

If a static IPv4 address is configured for a client, MAC address authentication cannot be triggered because the client and the device do not exchange DHCP or ARP packets. You can run the authentication trigger-condition any-l2-packet command to trigger MAC address authentication through any packets. To prevent unauthorized users from maliciously occupying user entries on the device, you are advised to configure the function of triggering MAC address authentication through any packets on the access device, and run the authentication mode max-user max-user-number command in the authentication profile view to configure the maximum number of access users allowed on an interface. The recommended value is 10.

Precautions

  • MAC address authentication configured on a VLANIF interface can only be triggered by ARP packets.

  • This function takes effect only for users who go online after this function is successfully configured.

  • Note the following situation. A device is configured to trigger MAC address authentication through DHCP packets, and DHCP options are used as the user names for MAC address authentication (for the configuration of user names in MAC address authentication, see mac-authen username). If the authentication server delivers the Huawei extended RADIUS attribute HW-Forwarding-VLAN (No. 26-161) to the device, the user packet must carry double VLAN tags and the outer VLAN ID cannot be the same as the ID of HW-Forwarding-VLAN; otherwise, the delivered attribute cannot take effect.

  • Only wired users support MAC address authentication triggered by DHCP/ARP/DHCPv6/ND/any packets. For wireless users, MAC address authentication is triggered by association packets.

  • After the authentication trigger-condition { dhcp | dhcpv6 | nd } * command is run, static users cannot go online.

  • To allow BPDUs to trigger MAC address authentication, you must enable the function corresponding to the BPDUs globally. For example, to allow LLDPDUs to trigger MAC address authentication, run the lldp enable (system view) command to enable LLDP globally.
  • In a policy association scenario, MAC address authentication can only be triggered by DHCP or ARP packets.

  • The function does not take effect when multiple authentication modes are used together.
  • When MAC address authentication is performed for IP phones and the authentication trigger-condition any-l2-packet command is run to configure the device to trigger MAC address authentication through any packets, run the authentication mac-move enable command to configure MAC address migration and run the authentication mac-move detect enable command to configure the device to detect users' online status before MAC address migration.
  • When any-l2-packet is configured and 802.1X authentication is enabled on an interface, EAP packets sent from a client trigger 802.1X authentication first.
  • When MAC address authentication and 802.1X authentication are both enabled on an interface, packets that can trigger authentication include all the packet types that can trigger authentication in the MAC access profile and 802.1X access profile. For example, assume that ARP packets in the MAC access profile are unable to trigger authentication and ARP packets in the 802.1X access profile can trigger authentication. If MAC address authentication and 802.1X authentication are both enabled on an interface, ARP packets can trigger MAC address authentication.

Example

# In the MAC access profile m1, configure the device to trigger MAC address authentication only through ARP packets.

<HUAWEI> system-view
[HUAWEI] mac-access-profile name m1
[HUAWEI-mac-access-profile-m1] authentication trigger-condition arp

authentication trigger-condition dhcp dhcp-option

Function

The authentication trigger-condition dhcp dhcp-option command enables the device to send DHCP option information to the authentication server when triggering MAC address authentication through DHCP packets.

The undo authentication trigger-condition dhcp dhcp-option command restores the default configuration.

By default, the device does not send DHCP option information to the authentication server when triggering MAC address authentication through DHCP packets.

Format

authentication trigger-condition dhcp dhcp-option option-code

undo authentication trigger-condition dhcp dhcp-option option-code

Parameters

Parameter

Description

Value
option-code

Specifies the option that the device sends to the authentication server.

The value is fixed as 82.

Views

MAC access profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Option82 records information about DHCP user locations and services (voice and data services). After this command is run, if the device can trigger MAC address authentication through DHCP packets, it sends Option82 information to the authentication server when triggering MAC address authentication through DHCP packets. Based on the user information recorded in Option82, the authentication server then assigns different network access rights to users with different services in different locations. This implements accurate control of the network access rights of each user.

Precautions

  • MAC address authentication users who go online through VLANIF interfaces do not support this function.

  • This function takes effect only for users who go online after this function is successfully configured.

  • Only wired users support MAC address authentication triggered by DHCP/ARP/DHCPv6/ND/any packets. For wireless users, MAC address authentication is triggered by association packets.

Example

# In the MAC access profile m1, enable the device to send Option82 information to the authentication server when triggering MAC address authentication through DHCP packets.

<HUAWEI> system-view
[HUAWEI] mac-access-profile name m1
[HUAWEI-mac-access-profile-m1] authentication trigger-condition dhcp dhcp-option 82

authentication-profile (Interface view or VAP profile view)

Function

The authentication-profile command applies an authentication profile to the interface or VAP profile.

The undo authentication-profile command restores the default setting.

By default, no authentication profile is applied to the interface or VAP profile.

Format

authentication-profile authentication-profile-name

undo authentication-profile

Parameters

Parameter

Description

Value

authentication-profile-name

Specifies the name of an authentication profile.

The value must be an existing authentication profile name.

Views

Interface view, or VAP profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An authentication profile uniformly manages NAC configuration. The authentication profile is bound to the interface or VAP profile view to enable NAC, implementing access control on the users in the interface or VAP profile. The authentication type of the users in the interface or VAP profile is determined by the access profile bound to the authentication profile.

Prerequisites

An authentication profile has been created using the authentication-profile (system view) command in the system view.

Precautions
When configuring NAC, pay attention to the following points:
  • VLANIF interfaces, Ethernet interfaces, GE interfaces, MultiGE interfaces, XGE interfaces, 40GE interfaces, Eth-Trunks, port groups, and VAP profiles support NAC. The support for NAC on different interfaces is as follows:
    • Only Layer 2 interfaces support 802.1X authentication.
    • Layer 2 interfaces and VLANIF interfaces support MAC address authentication. (Only S5720SI, S5720S-SI, S1720X, S1720X-E, S5730SI, S5730S-EI, S5720EI, S5720HI, S6720LI, S6720S-LI, S6720SI, S6720S-SI, S6720EI, and S6720S-EI support configuration of MAC address authentication on VLANIF interfaces.)
    • The support for Portal authentication varies by interface type: routed main interfaces (only on the S5720EI, S5720HI, S6720EI, and S6720S-EI) support only Layer 3 Portal authentication, Layer 2 interfaces support only Layer 2 Portal authentication, and VLANIF interfaces support both Layer 2 and Layer 3 Portal authentication.

    • The VLANIF interface corresponding to the super VLAN does not support Portal authentication.
  • For the access of wireless users through APs, ensure that the APs can be authenticated (for example, adding the APs to static users) when NAC authentication is deployed for users. Otherwise, the wireless users cannot be authenticated.
  • NAC authentication cannot be enabled both on a Layer 2 Ethernet interface and the VLANIF interface mapping the VLAN of the Ethernet interface. Otherwise, the users have no network access rights after connecting to the network. In addition, NAC authentication cannot be enabled both on WLAN-ESS and VLANIF interfaces in wireless scenarios.

  • After enabling NAC on an interface, you cannot run the following commands on the interface. Similarly, after running the following commands on an interface, you cannot enable NAC on the interface.

    Command

    Function

    mac-limit

    Sets the maximum number of MAC addresses that can be learned by an interface.

    mac-address learning disable

    Disables MAC address learning on an interface.

    port link-type dot1q-tunnel

    Sets the link type of an interface to QinQ.

    port vlan-mapping vlan map-vlan

    port vlan-mapping vlan inner-vlan

    Configures VLAN mapping on an interface.

    port vlan-stacking

    Configures selective QinQ.

    port-security enable

    Enables interface security.

    mac-vlan enable

    Enables MAC address-based VLAN assignment on an interface.

    ip-subnet-vlan enable

    Enables IP subnet-based VLAN assignment on an interface.

    user-bind ip sticky-mac

    Enables the device to generate snooping MAC entries.

    NOTE:

    This command conflicts with only 802.1X authentication and MAC address authentication.
  • After the encapsulation mode of packets allowed to pass a Layer 2 sub-interface is set to default using the encapsulation (Layer 2 sub-interface view) command, NAC cannot be configured on the main interface of the Layer 2 sub-interface.

Example

# Apply the authentication profile m1 to VLANIF10.

<HUAWEI> system-view
[HUAWEI] authentication-profile name m1
[HUAWEI-authen-profile-m1] quit
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] authentication-profile m1

authentication-profile (system view)

Function

The authentication-profile command creates an authentication profile and displays the authentication profile view.

The undo authentication-profile command deletes the authentication profile.

By default, the device has six built-in authentication profiles: default_authen_profile, dot1x_authen_profile, mac_authen_profile, portal_authen_profile, dot1xmac_authen_profile, and multi_authen_profile.

Format

authentication-profile name authentication-profile-name

undo authentication-profile name authentication-profile-name

Parameters

Parameter

Description

Value

name authentication-profile-name

Specifies the name of an authentication profile.

The value is a string of 1-31 case-sensitive characters and cannot be - or --. It cannot contain spaces or the following symbols: / \ : * ? " < > | @ ' %.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

NAC can implement access control on users. The device uses authentication profiles to uniformly manage NAC configuration so that users can easily configure NAC functions. The parameters (for example, the bound access profile and authentication type) in the authentication profile can be configured to provide various access control modes for different users. After the configuration is complete, the authentication profile is applied to the interface or VAP profile to enable NAC.

Follow-up Procedure

  1. Configuring authentication profiles: Configure the access profile and authorization information in the authentication profiles.
  2. Applying authentication profiles: Run the authentication-profile (Interface view or VAP profile view) command to apply the authentication profiles to the interface or VAP profile.

Precautions

  • The built-in authentication profile default_authen_profile and the compatibility profile converted after an upgrade are not counted in the configuration specification. The six built-in authentication profiles (default_authen_profile, dot1x_authen_profile, mac_authen_profile, portal_authen_profile, dot1xmac_authen_profile, and multi_authen_profile) can be modified and applied, but cannot be deleted.
  • Before deleting an authentication profile, ensure that this profile is not bound to any interface or VAP profile. You can run the display authentication-profile configuration command to check whether the authentication profile is bound to an interface or VAP profile.

Example

# Create the authentication profile named mac_authen_profile1.

<HUAWEI> system-view
[HUAWEI] authentication-profile name mac_authen_profile1

authentication update-ip-accounting enable

Function

The authentication update-ip-accounting enable command enables a device to send accounting packets for address updating.

The undo authentication update-ip-accounting enable command disables a device from sending accounting packets for address updating.

By default, the device is enabled to send accounting packets for address updating.

Format

authentication update-ip-accounting enable

undo authentication update-ip-accounting enable

Parameters

None

Views

Authentication profile view

Default Level

2: Configuration level

Usage Guidelines

By default, the device sends accounting packets for address updating to the accounting server. Some accounting servers do not require these packets, in which case sending them needlessly occupies resources on the device. You can run the undo authentication update-ip-accounting enable command to disable the device from sending accounting packets for address updating, saving resources on the device. After address updating is complete, the device resumes sending accounting packets, so the accounting function is not affected.

  • update-info-accounting indicates that accounting packets are immediately sent during address updating.

Example

# Disable a device from sending accounting packets for address updating.

<HUAWEI> system-view
[HUAWEI] authentication-profile name test 
[HUAWEI-authen-profile-test] undo authentication update-ip-accounting enable

band-width share-mode

Function

The band-width share-mode command enables the bandwidth share mode.

The undo band-width share-mode command restores the default configuration.

By default, the bandwidth share mode is disabled.

NOTE:

This command is only supported by the S5720HI.

Format

band-width share-mode

undo band-width share-mode

Parameters

None

Views

System view, AAA domain view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

On a home network, all family members go online using the same account. To improve service experience of family members, you can enable the bandwidth share mode so that all members can share the bandwidth.

Precautions

  • This function does not apply to users who are connected through the inter-card Eth-Trunk interface.

  • If this command is run in the system view, it takes effect for all users who subsequently go online on the device. If this command is run in the AAA domain view, it takes effect only for users who subsequently go online in that domain.
  • If the local or remote RADIUS server does not assign CAR settings to users (either those already online or those going online later), the share mode does not take effect for those users.

  • If the bandwidth share mode is enabled and different users use the same account for authentication, the users going online with no CAR settings assigned will not be affected when CAR settings are assigned to the users who go online later.

Example

# Enable the bandwidth share mode in the system view.

<HUAWEI> system-view
[HUAWEI] band-width share-mode

# Enable the bandwidth share mode in the AAA domain view.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] domain huawei
[HUAWEI-aaa-domain-huawei] band-width share-mode

cut access-user ucl-group

Function

The cut access-user ucl-group command forces UCL group users offline.

NOTE:

This command is supported only by the S5720EI, S5720HI, S6720EI, and S6720S-EI.

Format

cut access-user ucl-group { group-index | name group-name }

Parameters

Parameter

Description

Value

group-index

Specifies the index of a UCL group.

The UCL group must exist.

name group-name

Specifies the name of a UCL group.

The UCL group must exist.

Views

AAA view

Default Level

3: Management level

Usage Guidelines

After a user goes online, run this command to force the user offline when you need to modify the user's network access rights or have detected that the user is unauthorized.

Example

# Force UCL group users offline.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] cut access-user ucl-group name huawei

device-type

Function

The device-type command sets a terminal type identifier.

The undo device-type command deletes a terminal type identifier that has been set.

By default, no terminal type identifier exists in the system.

NOTE:

This function is supported only by S5720HI.

Format

device-type device-name

undo device-type

Parameters

Parameter

Description

Value

device-name

Specifies a terminal type identifier.

The value is a string of 1 to 31 case-sensitive characters without spaces. The value cannot be - or --, and cannot contain ?, ', ".

Views

Terminal type identification profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After a terminal type identifier is configured in a terminal type identification profile, the terminal type can be identified in the profile. Assume that the terminal type identifier is set to huawei. If the MAC address, UA, or DHCP Option information that an AC receives from a terminal matches the identification rule configured in the terminal type profile, the terminal type is huawei. This helps administrators to perform access control and rights management for the terminal based on the identified terminal type.

Precautions

If the device-type command is run multiple times in the same profile, only the latest configuration takes effect.

Example

# In the terminal type identification profile huawei, configure the terminal type identifier huawei_1.

<HUAWEI> system-view
[HUAWEI] device-profile profile-name huawei
[HUAWEI-device-profile-huawei] device-type huawei_1

device-profile

Function

The device-profile command creates a terminal type identification profile and enters the terminal type identification profile view, or directly enters the view of a terminal type identification profile that has already been created.

The undo device-profile command deletes a terminal type identification profile that has been created.

By default, no terminal type identification profile is created.

NOTE:

This function is only supported by the S5720HI and the function takes effect only for wireless access users.

The AP3010DN-AGN does not support terminal type identification.

Format

device-profile profile-name profile-name

undo device-profile { all | profile-name profile-name }

Parameters

Parameter

Description

Value

profile-name profile-name

Specifies the name of a terminal type identification profile.

The value is a string of 1 to 31 case-sensitive characters that cannot contain spaces or the following characters: / \ : * ? " < > | @ ' %. The value cannot be - or --.

all

Deletes all terminal type identification profiles.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

With the development of the Internet, many enterprises allow employees to wirelessly access the enterprise intranet using their own intelligent devices such as cellphones, tablets, and laptops, which satisfies employees' pursuit of new technology and desire to be unique, and improves their efficiency as well. This is called Bring Your Own Device (BYOD). However, intranet access through these personal devices may introduce security risks, and traditional security technology based only on user identity authentication and authorization can no longer guarantee network security. Terminal type identification was developed against this background. With this technology, the types of the devices that employees use to access the intranet can be identified, facilitating access control. During the implementation of BYOD, administrators can limit intranet access rights to specified types of mobile devices and perform authentication and authorization based on users, device types, access time, access points, and environment information about the devices.

A terminal type identification profile is configured with the terminal types that the device can identify and the identification rules for them. With the configured identification rules, the types of devices that employees use to access the intranet can be identified, helping administrators control employees' access rights.

Example

# Create a terminal type identification profile named huawei.

<HUAWEI> system-view
[HUAWEI] device-profile profile-name huawei

device-sensor dhcp option

Function

The device-sensor dhcp option command enables the DHCP-based terminal type awareness function.

The undo device-sensor dhcp option command disables the DHCP-based terminal type awareness function.

By default, the DHCP-based terminal type awareness function is disabled.

Format

device-sensor dhcp option option-code &<1-6>

undo device-sensor dhcp option option-code &<1-6>

Parameters

Parameter

Description

Value
option-code

Specifies the DHCP option field that the device needs to resolve.

The option fields in a DHCP packet carry the control information and parameters, for example, terminal type.

The value is an integer that ranges from 1 to 254.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A device usually connects to many types of terminals. You may need to assign different network access rights or packet processing priorities to the terminals of different types. For example, the voice devices, such as IP phones, should be assigned a high packet processing priority because voice signals require low delay and jitter.

After the DHCP-based terminal type awareness function is enabled, the device can resolve the option fields that carry terminal type information in the received DHCP Request packets. The device then sends the option information to the RADIUS server through RADIUS accounting packets. Through the option information, the RADIUS server knows the terminal types and controls the network access rights and packet processing priorities of the terminals.

Precautions

  • The command takes effect only when the authentication or accounting mode in the AAA scheme is RADIUS.

  • To make this command take effect, you must run the dhcp snooping enable command on the interfaces or in VLANs.

Example

# Set the option fields to be resolved by the device to option 60.
<HUAWEI> system-view
[HUAWEI] device-sensor dhcp option 60
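The option handling described for this command and for authentication trigger-condition dhcp dhcp-option 82, as an added example that is not Huawei's code: a parser for the DHCP option area that extracts Option 60 (the vendor class identifier, which often names the terminal type) and the circuit-id/remote-id sub-options of Option 82 (the location information the switch forwards to the authentication server). The sample packet, client MAC, vendor string and IDs are constructed; decoding the values as ASCII text is an assumption.

```python
"""Added example (not Huawei's code): parse a DHCP packet's option area and
extract what device-sensor dhcp option 60 and authentication trigger-condition
dhcp dhcp-option 82 describe: Option 60 (vendor class identifier, which often
names the terminal type) and Option 82 (relay agent information, whose
sub-option 1 = circuit-id and sub-option 2 = remote-id record user location).
All packet contents below are constructed for illustration."""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"       # RFC 2132: follows the 236-byte BOOTP header
OPT_PAD, OPT_END = 0, 255                # single-byte options without a length field
OPT_MSG_TYPE, OPT_VENDOR_CLASS, OPT_RELAY_AGENT = 53, 60, 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2     # RFC 3046 sub-options of Option 82


def parse_tlv_area(data: bytes, pad_end: bool) -> dict:
    """Walk code/length/value triples and return {code: value}.
    pad_end=True handles the DHCP option area (PAD=0, END=255);
    pad_end=False handles the sub-options inside Option 82, which have neither."""
    fields, i = {}, 0
    while i < len(data):
        code = data[i]
        if pad_end and code == OPT_PAD:
            i += 1
            continue
        if pad_end and code == OPT_END:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header at offset %d" % i)
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d claims %d bytes but only %d are present"
                             % (code, length, len(value)))
        fields.setdefault(code, value)   # keep the first occurrence of a repeated code
        i += 2 + length
    return fields


def parse_dhcp_options(packet: bytes) -> dict:
    """Verify the magic cookie at offset 236 and parse everything after it."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: magic cookie missing")
    return parse_tlv_area(packet[240:], pad_end=True)


def parse_option82(value: bytes) -> dict:
    """Split Option 82 into its circuit-id and remote-id sub-options (as text;
    treating them as ASCII is an assumption, real relays may send binary IDs)."""
    subs = parse_tlv_area(value, pad_end=False)
    return {"circuit-id": subs.get(SUB_CIRCUIT_ID, b"").decode("ascii", "replace"),
            "remote-id": subs.get(SUB_REMOTE_ID, b"").decode("ascii", "replace")}


def sensed_fields(packet: bytes, option_codes) -> dict:
    """Return only the configured option codes, decoded, i.e. the option
    information the switch would forward to the RADIUS server."""
    opts = parse_dhcp_options(packet)
    out = {}
    for code in option_codes:
        if code not in opts:
            continue                      # option absent from this packet: nothing to report
        if code == OPT_RELAY_AGENT:
            out[code] = parse_option82(opts[code])
        else:
            out[code] = opts[code].decode("ascii", "replace")
    return out


def build_sample_request() -> bytes:
    """Constructed DHCP REQUEST: BOOTP header, cookie, then options 53, 60, 82."""
    chaddr = bytes.fromhex("001122334455") + bytes(10)   # constructed client MAC, padded to 16
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0, 0x3903F326, 0, 0x8000,      # op, htype, hlen, hops, xid, secs, flags
                         bytes(4), bytes(4), bytes(4), bytes(4),  # ciaddr, yiaddr, siaddr, giaddr
                         chaddr, bytes(64), bytes(128))           # chaddr, sname, file
    circuit_id, remote_id = b"vlan10:GE0/0/1", b"relay-A"
    sub82 = (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
             + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)
    vendor = b"ExamplePhone/1.0"
    options = (bytes([OPT_MSG_TYPE, 1, 3])                        # 3 = DHCPREQUEST
               + bytes([OPT_VENDOR_CLASS, len(vendor)]) + vendor
               + bytes([OPT_RELAY_AGENT, len(sub82)]) + sub82
               + bytes([OPT_END]))
    return header + MAGIC_COOKIE + options


if __name__ == "__main__":
    print(sensed_fields(build_sample_request(), (60, 82)))
```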

device-sensor lldp tlv

Function

The device-sensor lldp tlv command enables the LLDP-based terminal type awareness function.

The undo device-sensor lldp tlv command disables the LLDP-based terminal type awareness function.

By default, the LLDP-based terminal type awareness function is disabled.

Format

device-sensor lldp tlv tlv-type &<1-4>

undo device-sensor lldp tlv

Parameters

Parameter

Description

Value
tlv-type

Specifies the LLDP TLV type that the device parses to identify the terminal type.

The value is an integer that can be 1, 2, 5, 6, 7, 8, or 127. The values are as follows:
  • 1: Chassis ID TLV, indicating the bridge MAC address of the device
  • 2: Port ID TLV, indicating the port that sent the LLDPDU
  • 5: System Name TLV, indicating the device name
  • 6: System Description TLV, indicating the system description
  • 7: System Capabilities TLV, indicating the system capabilities
  • 8: Management Address TLV, indicating the management address
  • 127: Organization Specific TLV, indicating the user-defined organization information

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A device usually connects to many types of terminals. You may need to assign different network access rights or packet processing priorities to the terminals of different types. For example, the voice devices, such as IP phones, should be assigned a high packet processing priority because voice signals require low delay and jitter.

Using the LLDP-based terminal type awareness function, the device parses the required TLV type containing terminal type information from the received LLDP packets. The device then sends the TLV type information to the RADIUS server through a RADIUS accounting packet. Through the TLV type information, the RADIUS server knows the terminal types and controls the network access rights and packet processing priorities of the terminals.

Precautions

  • The command takes effect only when the authentication or accounting mode in the AAA scheme is RADIUS.

  • The command takes effect only when the LLDP function is enabled on the device and the connected peer device.

Example

# Enable the terminal type awareness function based on LLDP TLV type 5.
<HUAWEI> system-view
[HUAWEI] device-sensor lldp tlv 5
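The TLV parsing this command relies on, as an added example that is not Huawei's code: it walks an LLDPDU, accepts only the TLV types the command lists (1, 2, 5, 6, 7, 8, 127, at most four of them), and decodes each as IEEE 802.1AB defines it. The sample LLDPDU (MAC address, names, capability bits, management address and organization-specific payload) is constructed.

```python
"""Added example (not Huawei's code): parse an LLDPDU and pick out the TLV
types that device-sensor lldp tlv accepts (1, 2, 5, 6, 7, 8, 127), decoding
each as IEEE 802.1AB defines it. The sample LLDPDU below is constructed."""
import struct

TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
TLV_SYS_NAME, TLV_SYS_DESC, TLV_SYS_CAP, TLV_MGMT_ADDR, TLV_ORG = 5, 6, 7, 8, 127
SENSOR_TYPES = {1, 2, 5, 6, 7, 8, 127}      # tlv-type values listed for the command
MAX_SENSOR_TYPES = 4                         # the &<1-4> in the command format
CAP_BITS = {0x01: "other", 0x02: "repeater", 0x04: "bridge", 0x08: "wlan-ap",
            0x10: "router", 0x20: "telephone", 0x40: "docsis", 0x80: "station"}


def iter_tlvs(pdu: bytes):
    """Yield (type, value) pairs; the 2-byte header is 7 bits of type, 9 of length."""
    i = 0
    while i + 2 <= len(pdu):
        (hdr,) = struct.unpack("!H", pdu[i:i + 2])
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        value = pdu[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("TLV type %d truncated at offset %d" % (tlv_type, i))
        if tlv_type == TLV_END:
            return                               # End of LLDPDU TLV closes the PDU
        yield tlv_type, value
        i += 2 + length


def decode_tlv(tlv_type: int, value: bytes):
    """Decode the TLV types the command can forward; anything else is returned as hex."""
    if tlv_type in (TLV_CHASSIS_ID, TLV_PORT_ID):
        subtype, body = value[0], value[1:]
        # Chassis ID subtype 4 and Port ID subtype 3 carry a MAC address;
        # the text subtypes (e.g. Port ID subtype 5, interface name) are decoded as UTF-8.
        if (tlv_type, subtype) in ((TLV_CHASSIS_ID, 4), (TLV_PORT_ID, 3)):
            return ":".join("%02x" % b for b in body)
        return body.decode("utf-8", "replace")
    if tlv_type in (TLV_SYS_NAME, TLV_SYS_DESC):
        return value.decode("utf-8", "replace")
    if tlv_type == TLV_SYS_CAP:
        supported, enabled = struct.unpack("!HH", value[:4])
        return {"supported": [n for b, n in CAP_BITS.items() if supported & b],
                "enabled": [n for b, n in CAP_BITS.items() if enabled & b]}
    if tlv_type == TLV_MGMT_ADDR:
        addr_len, family = value[0], value[1]    # addr_len counts the family byte
        addr = value[2:1 + addr_len]
        if family == 1 and len(addr) == 4:       # IANA address family 1 = IPv4
            return "%d.%d.%d.%d" % tuple(addr)
        return addr.hex()
    if tlv_type == TLV_ORG:
        return {"oui": value[:3].hex(), "subtype": value[3], "data": value[4:].hex()}
    return value.hex()


def sense_lldp(pdu: bytes, tlv_types) -> dict:
    """Return only the configured TLV types, decoded, i.e. what the switch
    would forward to the RADIUS server in its accounting packets."""
    wanted = set(tlv_types)
    if not wanted or len(wanted) > MAX_SENSOR_TYPES or not wanted <= SENSOR_TYPES:
        raise ValueError("device-sensor lldp tlv takes 1-4 of %s" % sorted(SENSOR_TYPES))
    return {t: decode_tlv(t, v) for t, v in iter_tlvs(pdu) if t in wanted}


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV (inverse of iter_tlvs)."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_sample_lldpdu() -> bytes:
    """Constructed LLDPDU resembling what an IP phone advertises (all values made up)."""
    mac = bytes.fromhex("00aabbccddee")
    return b"".join([
        tlv(TLV_CHASSIS_ID, b"\x04" + mac),                 # subtype 4: MAC address
        tlv(TLV_PORT_ID, b"\x05eth0"),                      # subtype 5: interface name
        tlv(TLV_TTL, struct.pack("!H", 120)),
        tlv(TLV_SYS_NAME, b"phone-lab-01"),
        tlv(TLV_SYS_DESC, b"Example VoIP Phone fw 2.1"),
        tlv(TLV_SYS_CAP, struct.pack("!HH", 0x0024, 0x0020)),   # bridge+telephone supported, telephone enabled
        tlv(TLV_MGMT_ADDR, b"\x05\x01" + bytes([10, 1, 2, 3])    # IPv4 10.1.2.3 (constructed)
            + b"\x02" + struct.pack("!I", 1) + b"\x00"),         # ifIndex 1, no OID
        tlv(TLV_ORG, bytes.fromhex("0012bb") + b"\x01" + b"\x00\x00\x00"),  # TIA OUI; payload is a placeholder
        tlv(TLV_END, b""),
    ])


if __name__ == "__main__":
    print(sense_lldp(build_sample_lldpdu(), (1, 2, 5, 7)))
```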

display aaa statistics access-type-authenreq

Function

The display aaa statistics access-type-authenreq command displays the number of requests for MAC, Portal, or 802.1X authentication.

Format

display aaa statistics access-type-authenreq

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

When users send authentication requests, the device counts the MAC, Portal, and 802.1X authentication requests that are initiated.

To view the number of requests for MAC, Portal, or 802.1X authentication, run the display aaa statistics access-type-authenreq command.

Example

# Display the number of requests for MAC, Portal, or 802.1X authentication.

<HUAWEI> display aaa statistics access-type-authenreq
mac     authentication request     :2
portal  authentication request     :0
dot1x   authentication request     :0
Table 13-34  Description of the display aaa statistics access-type-authenreq command output

Item

Description

mac authentication request

Number of MAC authentication requests.

portal authentication request

Number of Portal authentication requests.

dot1x authentication request

Number of 802.1X authentication requests.

display access-context profile

Function

The display access-context profile command displays the configuration of a user context profile.

Format

display access-context profile [ name profile-name ]

Parameters

Parameter

Description

Value

name profile-name

Displays the configuration of the user context profile with a specified name.

If name profile-name is not specified, all user context profiles configured on the device are displayed.

The value must be the name of an existing user context profile on the device.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After configuring a user context profile, you can run this command to check whether the configuration is correct.

Example

# Display all user context profiles configured on the device.

<HUAWEI> display access-context profile
-------------------------------------------------------------------------------                                                     
    ID        Access-context profile name                                                                                           
-------------------------------------------------------------------------------                                                     
     0        p1                                                                                                                    
     1        aA                                                                                                                    
-------------------------------------------------------------------------------                                                     
    Total 2, printed 2

# Display the configuration of the user context profile p1.

<HUAWEI> display access-context profile name p1
  Profile name               : p1                                                                                                   
  if-match vlan-id           : 13 to 20 
Table 13-35  Description of the display access-context profile command output

Item

Description

ID

Index of a user context profile.

Access-context profile name or Profile name

Name of a user context profile.

To configure the parameter, run the access-context profile name command.

if-match vlan-id

VLAN matching a user context profile.

To configure the parameter, run the if-match vlan-id command.

display access-author policy

Function

The display access-author policy command displays the configuration of a user authentication event authorization policy.

Format

display access-author policy [ name policy-name ]

Parameters

Parameter

Description

Value

name policy-name

Displays the configuration of the user authentication event authorization policy with a specified name.

If name policy-name is not specified, all user authentication event authorization policies configured on the device are displayed.

The value must be the name of an existing user authentication event authorization policy on the device.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After configuring a user authentication event authorization policy, you can run this command to check whether the configuration is correct.

Example

# Display all user authentication event authorization policies configured on the device.

<HUAWEI> display access-author policy
-------------------------------------------------------------------------------                                                     
    ID        Access-author policy name                                                                                             
-------------------------------------------------------------------------------                                                     
     0        a1                                                                                                                    
     1        a2                                                                                                                    
-------------------------------------------------------------------------------                                                     
    Total 2, printed 2 

# Display the configuration of the user authentication event authorization policy a1.

<HUAWEI> display access-author policy name a1
  Policy name               : a1                                                                                                    
  match access-context-profile p1 action authen-fail service-scheme s1
Table 13-36  Description of the display access-author policy command output

Item

Description

ID

Index of a user authentication event authorization policy.

Access-author policy name or Policy name

Name of a user authentication event authorization policy.

To configure the parameter, run the access-author policy name command.

match access-context-profile profile-name action authen-fail service-scheme scheme-name

User authorization information specified based on a user context profile.

To configure the parameter, run the match access-context-profile action command.

display access-user dot1x-identity statistics

Function

The display access-user dot1x-identity statistics command displays statistics about Identity packets for wireless 802.1X authentication on a switch.

NOTE:

This function is supported only by S5720HI.

Format

display access-user dot1x-identity statistics

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

You can run this command to view the statistics about Identity packets for wireless 802.1X authentication on a switch.

Example

# Display statistics about Identity packets for wireless 802.1X authentication on the switch.

<HUAWEI> display access-user dot1x-identity statistics
-----------------------------------------------------------------------
Receive(Packet)    Pass(Packet)    Drop(Packet)    Last-dropping-time  
-----------------------------------------------------------------------
0                  0               0               -                   
-----------------------------------------------------------------------
Table 13-37  Description of the display access-user dot1x-identity statistics command output
Item

Description

Receive(Packet)

Total number of Identity packets for wireless 802.1X authentication received by the switch.

Pass(Packet)

Number of Identity packets for wireless 802.1X authentication sent to and processed by the CPU of the switch.

Drop(Packet)

Number of Identity packets for wireless 802.1X authentication discarded by the switch.

Last-dropping-time

Latest time when the switch discarded Identity packets for wireless 802.1X authentication. If no packet loss record exists on the switch, this field displays -.

display access-user

Function

The display access-user command displays information about NAC access users.

Format

display access-user service-scheme service-scheme

display access-user access-type { dot1x | mac-authen | portal | none | static }

display access-user event { pre-authen | authen-fail | client-no-response | authen-server-down }

display access-user ucl-group { group-index | name ucl-group-name } [ detail ] (This command is only supported by S5720EI, S5720HI, S6720EI, and S6720S-EI.)

display access-user option82 { circuit-id text | remote-id text }

Parameters

Parameter

Description

Value

service-scheme service-scheme

Displays information about users assigned with a specified service scheme.

The value must be the name of an existing service scheme.

access-type

Displays information about users using a specified authentication mode.

-

dot1x

Displays information about users who pass 802.1X authentication.

-

mac-authen

Displays information about users who pass MAC address authentication.

-

portal

Displays information about users who pass Portal authentication.

-

none

Displays information about users whose AAA scheme is non-authentication.

-

static

Displays static user information.

-

event

Displays information about users in a specified authentication phase.

-

pre-authen

Displays information about users in the pre-connection phase.

-

authen-fail

Displays information about users who failed authentication (the authentication server returned an authentication failure to the device) and were then assigned a network access policy.

-

client-no-response

Displays information about 802.1X authentication users who fail to be authenticated and are assigned network access policies when the 802.1X client does not respond.

-

authen-server-down

Displays information about users who fail to be authenticated due to the Down status of the authentication server and are assigned network access policies.

-

ucl-group

Displays information about users in a specified UCL group.

-

group-index

Specifies the index of a UCL group.

The value must be an existing UCL group index.

name ucl-group-name

Specifies the name of a UCL group.

The value must be an existing UCL group name.

detail

Displays detailed user information.

-

option82

Displays information about MAC address authentication users who use the Option 82 field as user names.

-

circuit-id text

Displays information about MAC address authentication users who specify the circuit ID as user names.

The value must be existing circuit-id information.

remote-id text

Displays information about MAC address authentication users who specify the remote ID as user names.

The value must be existing remote-id information.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run this command to check information about online NAC users. Users whose Status is anything other than Success (Pre-authen, Fail-authorized, Client-no-resp, Web-server-down, Aaa-server-down, or Open) hold network access granted by a fallback policy rather than by a completed authentication; include them when auditing who can reach the network.

Example

# Display information about users who are assigned the service scheme huawei.
<HUAWEI> display access-user service-scheme huawei
 ------------------------------------------------------------------------------ 
 UserID Username                IP address       MAC            Status          
 ------------------------------------------------------------------------------ 
 16018  zqm                     10.12.12.254     78ac-c0c2-0175 Pre-authen      
 ------------------------------------------------------------------------------ 
 Total: 1, printed: 1  
# Display information about users in the pre-connection phase.
<HUAWEI> display access-user event pre-authen
 ------------------------------------------------------------------------------ 
 UserID Username                IP address       MAC            Status          
 ------------------------------------------------------------------------------ 
 16018  zqm                     10.12.12.254     78ac-c0c2-0175 Pre-authen      
 ------------------------------------------------------------------------------ 
 Total: 1, printed: 1  
NOTE:

The username field displays only printable ASCII characters (letters, digits, and ASCII punctuation).

A character outside this range (ASCII code smaller than 32, that is, below the space character, or larger than 126, the tilde ~), including characters of languages other than English, is displayed as a dot (.). A run of more than three such consecutive characters is displayed as three dots (.).

A username longer than 20 characters is truncated: the first 19 characters are displayed followed by three dots (.), so at most 22 characters are shown. Because of these two rules the displayed username is not a reliable identifier; match users on UserID or MAC when correlating this output with other records.

Table 13-38  Description of the display access-user command output

Item

Description

UserID ID automatically allocated to an online user by the device.
Username User name.
IP address User IP address.

When both IPv4 and IPv6 addresses exist, only the IPv4 address is recorded.

When only IPv6 addresses exist, only the latest updated IPv6 address is recorded.

MAC User MAC address.
Status User status.
  • Open: For wired users, the user goes online through the open function upon authentication failure. For wireless users, no authentication is performed.
  • Success: authentication is successful
  • Pre-authen: pre-authentication
  • Client-no-resp: the client does not respond
  • Fail-authorized: authorization upon authentication failure
  • Web-server-down: web server is Down
  • Aaa-server-down: AAA server is Down
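
The user table above is where an access audit starts. The following Python script is an added example, not part of this command reference: it locates the columns from the header line, parses each row, marks usernames that the display rules above have truncated, and lists the users whose Status is anything other than Success, since those hold access granted by a fallback policy rather than by a completed authentication. The sample output is constructed in the documented column layout (its first row is the page's own).

```python
"""Parse the user table printed by the Huawei VRP command
``display access-user`` (with any of its filters) and separate users
that passed authentication from those holding fallback access.

Added example; it is not part of the command reference.  Columns are
located from the header line, so the parser does not depend on a fixed
username width.  SAMPLE is constructed in the layout of the page's examples.
"""
from collections import Counter

_COLS = ["UserID", "Username", "IP address", "MAC", "Status"]

# Status values documented for the command: only 'Success' means the user
# authenticated.  Every other state (Open, Pre-authen, Client-no-resp,
# Fail-authorized, Web-server-down, Aaa-server-down) holds access granted by
# a fallback policy and deserves a second look during an access audit.
AUTHENTICATED = {"Success"}

# Display rule from the page: names longer than 20 characters are printed as
# the first 19 characters plus '...', i.e. exactly 22 characters.
_TRUNC_LEN = 22


def _row(uid, user, ip, mac, status):
    """Format one row in the documented column layout (used for the sample only)."""
    return f" {uid:<7}{user:<24}{ip:<17}{mac:<15}{status:<16}"


# Constructed sample: the first data row is copied from the page, the others are made up.
SAMPLE = "\n".join([
    " " + "-" * 78,
    _row("UserID", "Username", "IP address", "MAC", "Status"),
    " " + "-" * 78,
    _row(16018, "zqm", "10.12.12.254", "78ac-c0c2-0175", "Pre-authen"),
    _row(16019, "alice", "10.12.12.10", "0011-2233-4455", "Success"),
    _row(16020, "printer-lobby-floor...", "10.12.12.77", "00aa-bbcc-ddee", "Fail-authorized"),
    _row(16021, "bob", "-", "00de-adbe-ef01", "Aaa-server-down"),
    " " + "-" * 78,
    " Total: 4, printed: 4",
])


def parse_access_users(text):
    """Return one dict per user row, in output order, keyed by column name."""
    users, bounds = [], None
    for line in text.splitlines():
        if bounds is None:
            # The header line fixes the column start offsets for the whole table.
            if all(col in line for col in _COLS):
                starts = [line.index(col) for col in _COLS]
                bounds = list(zip(_COLS, starts, starts[1:] + [None]))
            continue
        body = line.strip()
        if not body or body.startswith("-"):
            continue
        if body.startswith("Total"):
            break
        rec = {name: line[s:e].strip() for name, s, e in bounds}
        if not rec["UserID"].isdigit():
            continue
        rec["UserID"] = int(rec["UserID"])
        rec["MAC"] = rec["MAC"].lower()
        # The device prints at most 19 characters plus '...' and replaces
        # non-printable characters with dots, so the displayed name is not a
        # reliable key; match users on UserID or MAC instead.
        rec["username_truncated"] = (len(rec["Username"]) == _TRUNC_LEN
                                     and rec["Username"].endswith("..."))
        users.append(rec)
    return users


def fallback_users(users):
    """Users whose access was granted by a fallback policy, not by authentication."""
    return [u for u in users if u["Status"] not in AUTHENTICATED]


def status_summary(users):
    """Number of users per Status value."""
    return Counter(u["Status"] for u in users)


if __name__ == "__main__":
    parsed = parse_access_users(SAMPLE)
    print(dict(status_summary(parsed)))
    for u in fallback_users(parsed):
        print(f"review: uid={u['UserID']} mac={u['MAC']} status={u['Status']}")
```

Feed the script the raw output of any display access-user variant; the "Total: N, printed: M" trailer and the dashed separators are skipped, and the column offsets are taken from the header rather than hard-coded, so a longer Username column on another software version does not break the parse.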

display access-user-num

Function

The display access-user-num command displays the maximum number of concurrent users and the number of current online users on a virtual access point (VAP).

NOTE:

This function is supported only by S5720HI.

Format

display access-user-num [ interface wlan-dbss wlan-dbss-interface-id ]

Parameters

Parameter

Description

Value

interface wlan-dbss wlan-dbss-interface-id

Displays the maximum number of concurrent users and the number of current online users on a VAP.

If this parameter is not specified, the maximum number of concurrent users and the number of current online users on all VAPs are displayed.

The value is an existing WLAN-DBSS interface id.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After configuring the maximum number of authenticated users allowed in a VAP profile, you can run the display access-user-num command to view the maximum number of concurrent users and the number of current online users.

Example

# Display the maximum number of concurrent users and the number of current online users on all VAPs.

<HUAWEI> display access-user-num                                                 
2016-09-30 11:09:27.790
----------------------------------------------------------------------          
 Interface name              max-user-num              online-user-num          
----------------------------------------------------------------------          
 Wlan-Dbss0                            30                           10          
 Wlan-Dbss1                             2                            0          
----------------------------------------------------------------------
 Total: 8, printed: 2  
Table 13-39  Description of the display access-user-num command output

Item

Description

Interface name WLAN-DBSS interface id.
max-user-num Maximum number of concurrent users. This parameter is specified by the authentication wlan-max-user command.
online-user-num Number of current online users.
Total Total number of interfaces.
printed Number of printed entries.

display authentication mac-move configuration

Function

The display authentication mac-move configuration command displays the MAC address migration configuration.

Format

display authentication mac-move configuration

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display authentication mac-move configuration command to view the MAC address migration configuration. The configuration includes the number of MAC address migrations a user is allowed within 60s before being placed in the quiet state, how long a user stays in the quiet state, the interval at which the device checks whether a user is still online before migrating its MAC address, and the number of such checks performed before the migration.

Example

# Display the MAC address migration configuration.

<HUAWEI> display authentication mac-move configuration
Mac-move vlan config:all                                                                                                            
Mac-move quiet times:1                                                                                                              
Mac-move quiet period(s):120                                                                                                        
Mac-move quiet log:ENABLE                                                                                                           
Mac-move quiet user alarm:ENABLE                                                                                                    
Mac-move quiet user alarm lower percentage(%):50                                                                                    
Mac-move quiet user alarm upper percentage(%):100
Mac-move detect:DISABLE                                                         
Mac-move detect retry-interval(s):3                                             
Mac-move detect retry-time:1 
Table 13-40  Description of the display authentication mac-move configuration command output

Item

Description

Mac-move vlan config

VLAN ID range in which MAC address migration is enabled.

For details, see the authentication mac-move enable command.

Mac-move quiet times

Number of MAC address migrations a user is allowed within 60s before being placed in the quiet state.

For details, see the authentication mac-move quiet-times quiet-period command.

Mac-move quiet period(s)

Period that MAC address migration users stay in the quiet state.

For details, see the authentication mac-move quiet-times quiet-period command.

Mac-move quiet log
Whether a device is enabled to record logs about user quietness triggered by MAC address migration:
  • ENABLE
  • DISABLE

For details, see the authentication mac-move quiet-log enable command.

Mac-move quiet user alarm
Whether a device is enabled to send alarms about user quietness triggered by MAC address migration:
  • ENABLE
  • DISABLE

For details, see the authentication mac-move quiet-user-alarm enable command.

Mac-move quiet user alarm lower percentage(%)

Lower alarm threshold for the percentage of MAC address migration users in quiet state.

For details, see the authentication mac-move quiet-user-alarm percentage command.

Mac-move quiet user alarm upper percentage(%)

Upper alarm threshold for the percentage of MAC address migration users in quiet state.

For details, see the authentication mac-move quiet-user-alarm percentage command.

Mac-move detect
Whether a device is enabled to detect users' online status before user MAC address migration:
  • ENABLE
  • DISABLE

For details, see the authentication mac-move detect enable command.

Mac-move detect retry-interval(s)

Interval at which a device detects users' online status before user MAC address migration.

For details, see the authentication mac-move detect retry-interval retry-time command.

Mac-move detect retry-time

Number of detections before user MAC address migration.

For details, see the authentication mac-move detect retry-interval retry-time command.

display authentication mac-move quiet-user

Function

The display authentication mac-move quiet-user command displays information about MAC address migration users in quiet state.

Format

display authentication mac-move quiet-user { all | mac-address mac-address }

Parameters

Parameter

Description

Value

all

Displays information about all MAC address migration users in quiet state.

-

mac-address mac-address

Displays information about MAC address migration users in quiet state with a specified MAC address.

The value is in the H-H-H format. An H contains 1 to 4 hexadecimal digits.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Run this command to view information about MAC address migration users in quiet state.

Example

# Display information about all MAC address migration users in quiet state.

<HUAWEI> display authentication mac-move quiet-user all
Quiet MAC Information
-------------------------------------------------------------------------------
Quiet MAC                                                 Quiet Remain Time(Sec)
-------------------------------------------------------------------------------
0001-0002-0003                                            143
-------------------------------------------------------------------------------
1 quiet MAC found, 1 printed. 
Table 13-41  Description of the display authentication mac-move quiet-user all command output

Item

Description

Quiet MAC

MAC address of MAC address migration users in quiet state.

Quiet Remain Time(Sec)

Remaining quiet time of MAC address migration users in quiet state, in seconds.
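
As an added example (not part of the command reference), the following Python script parses the two outputs shown above, reports which MAC addresses are still in quiet state a given number of seconds after the command was run, and lists the migration-related protections that are off. The configuration sample is copied from the page; the second quiet-user row is constructed, and the set of settings treated as "should be enabled" is this example's own policy, not vendor guidance.

```python
"""Parse 'display authentication mac-move configuration' and
'display authentication mac-move quiet-user all' output.

Added example, not part of the command reference.  SAMPLE_CONFIG is copied
from the page; SAMPLE_QUIET adds one constructed row to the page's example.
"""
import re

# A quiet-user row: MAC in H-H-H form (1 to 4 hex digits per H) and remaining seconds.
_QUIET_ROW = re.compile(
    r"^\s*(?P<mac>[0-9a-f]{1,4}-[0-9a-f]{1,4}-[0-9a-f]{1,4})\s+(?P<remain>\d+)\s*$",
    re.IGNORECASE)

SAMPLE_CONFIG = """\
Mac-move vlan config:all
Mac-move quiet times:1
Mac-move quiet period(s):120
Mac-move quiet log:ENABLE
Mac-move quiet user alarm:ENABLE
Mac-move quiet user alarm lower percentage(%):50
Mac-move quiet user alarm upper percentage(%):100
Mac-move detect:DISABLE
Mac-move detect retry-interval(s):3
Mac-move detect retry-time:1
"""

SAMPLE_QUIET = """\
Quiet MAC Information
-------------------------------------------------------------------------------
Quiet MAC                                                 Quiet Remain Time(Sec)
-------------------------------------------------------------------------------
0001-0002-0003                                            143
00aa-bbcc-ddee                                            30
-------------------------------------------------------------------------------
2 quiet MAC found, 2 printed.
"""


def parse_mac_move_config(text):
    """Return {field: value}; purely numeric values become int."""
    cfg = {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if sep and key.strip():
            val = val.strip()
            cfg[key.strip()] = int(val) if val.isdigit() else val
    return cfg


def parse_quiet_users(text):
    """Return {mac: remaining_seconds} from the quiet-user table."""
    quiet = {}
    for line in text.splitlines():
        m = _QUIET_ROW.match(line)
        if m:
            quiet[m.group("mac").lower()] = int(m.group("remain"))
    return quiet


def still_quiet(quiet, elapsed):
    """MACs still blocked `elapsed` seconds after the command ran, with seconds left."""
    return {mac: rem - elapsed for mac, rem in quiet.items() if rem > elapsed}


def config_findings(cfg):
    """Settings this example expects to be ENABLE (an assumption of the example):
    detection confirms the user is really offline at the old location before
    the MAC migrates; the log and alarm make migration-triggered quiets visible."""
    checks = ("Mac-move detect", "Mac-move quiet log", "Mac-move quiet user alarm")
    return [key for key in checks if cfg.get(key) != "ENABLE"]


if __name__ == "__main__":
    print(config_findings(parse_mac_move_config(SAMPLE_CONFIG)))
    print(still_quiet(parse_quiet_users(SAMPLE_QUIET), elapsed=100))
```

Pass `elapsed` as the number of seconds since the quiet-user output was captured; the remaining times in that output are a snapshot, not a live value.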

display authentication interface

Function

The display authentication interface command displays the configuration of the NAC authentication mode on an interface.

Format

display authentication interface interface-type interface-number

Parameters

Parameter

Description

Value

interface-type interface-number

Displays the configuration of the NAC authentication mode on a specified interface.
  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After configuring the NAC authentication mode, you can run this command to check the configuration.

Example

# Display the configuration of the NAC authentication mode on GE0/0/1.
<HUAWEI> display authentication interface gigabitethernet 0/0/1
Authentication profile: p1
Authentication access-point: Enable
Authentication access-point max-user: 10
Port authentication order:
                          MAC
                          DOT1X
                          WEB   
Table 13-42  Description of the display authentication interface command output

Item

Description

Authentication profile Name of the authentication profile applied to the interface.
Authentication access-point Whether the interface functions as an access control point.
NOTE:
This field is displayed only on access devices used in policy association solutions.
Authentication access-point max-user Maximum number of users who are allowed to log in through an access point.
NOTE:
This field is displayed only on access devices used in policy association solutions.
Port authentication order Authentication mode configured in the authentication profile applied to the interface. Authentication modes include:
  • MAC: indicates the MAC address authentication mode.
  • DOT1X: indicates the 802.1X authentication mode.
  • WEB: indicates the Portal authentication mode.
NOTE:
  • On a standalone device, if MAC address bypass authentication is enabled in the authentication profile using the authentication dot1x-mac-bypass command, DOT1X is displayed before MAC. If MAC address bypass authentication is disabled, MAC is displayed before DOT1X.

  • On an AS device in an SVF system or a policy association scenario, this item only indicates authentication modes configured in the authentication profile, and does not indicate the authentication sequence.

display authentication mode

Function

The display authentication mode command displays the current NAC configuration mode and the mode after restart.

Format

display authentication mode

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display authentication mode command to view the current NAC configuration mode.

Example

# Display the current NAC configuration mode and the mode after restart.
<HUAWEI> display authentication mode
  Current authentication mode is unified-mode                               
  Next authentication mode is unified-mode  
Table 13-43  Description of the display authentication mode command output

Item

Description

Current authentication mode is unified-mode Current NAC configuration mode.
Next authentication mode is unified-mode NAC configuration mode after the device restarts.

Run the authentication unified-mode command to switch the NAC mode to unified mode.

Run the undo authentication unified-mode command to switch the NAC mode to common mode.

display authentication-profile configuration

Function

The display authentication-profile configuration command displays the configuration of an authentication profile.

Format

display authentication-profile configuration [ name authentication-profile-name ]

Parameters

Parameter

Description

Value

name authentication-profile-name

Displays the configuration of a specified authentication profile.

If name authentication-profile-name is not specified, the device displays all the authentication profiles configured on the device.

The value must be the name of an existing authentication profile.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After configuring an authentication profile, you can run this command to check whether the configuration is correct.

NOTE:

The built-in authentication profile default_authen_profile is not counted in the configuration specification. The name of the compatibility profile converted after an upgrade begins with the at sign (@) and the profile is also not counted in the configuration specification.

Example

# Display all the authentication profiles configured on the device.

<HUAWEI> display authentication-profile configuration
------------------------------------------------------------------------------- 
    ID        Auth-profile name                                                 
------------------------------------------------------------------------------- 
     0        default_authen_profile                                            
     1        dot1x_authen_profile                                              
     2        mac_authen_profile                                                
     3        portal_authen_profile                                             
     4        dot1xmac_authen_profile                                           
     5        multi_authen_profile                                              
------------------------------------------------------------------------------- 
    Total 6, printed 6
Table 13-44  Description of the display authentication-profile configuration command output

Item

Description

ID

Authentication profile ID.

Auth-profile name

Authentication profile name.

# Display the configuration of the authentication profile p1.

<HUAWEI> display authentication-profile configuration name p1
  Profile name                                : p1
  Dot1x access profile name                   : -
  Mac access profile name                     : -
  Portal access profile name                  : testdel
  Free rule template                          : -
  Force domain                                : -
  Dot1x force domain                          : -
  Mac-authen force domain                     : -
  Portal force domain                         : -
  Default domain                              : 110
  Dot1x default domain                        : -
  Mac-authen default domain                   : -
  Portal default domain                       : -
  Permit domain                               : -
  Authentication handshake                    : Enable                                                                              
  Authentication handshake period             : 300s   
  Auth-fail re-auth period                    : 60s
  Pre-auth Re-auth period                     : 60s
  Auth-fail aging time                        : 82800s
  Pre-auth aging time                         : 82800s
  Dot1x-mac-bypass                            : Disable
  Single-access                               : Disable
  Device-type authorize service-scheme        : -
  Authentication mode                         : multi-authen
  Authen-fail authorize service-scheme        : -
  Authen-server-down authorize service-scheme : -
  Pre-authen authorize service-scheme         : -
  Security-name-delimiter                     : -
  Domain-name-delimiter                       : -
  Domain-location                             : -
  Domainname-parse-direction                  : -
  WLAN max user number                        : 128
  Bound vap profile                           : -
  SVF flag                                    : Disable
  Ip-static-user                              : Disable
  Roam-realtime-accounting                    : Enable                          
  Update-IP-realtime-accounting               : Enable  
  Linkdown offline delay time                 : 10 
Table 13-45  Description of the display authentication-profile configuration name command output

Item

Description

Profile name

Authentication profile name.

Dot1x access profile name

802.1X access profile bound to the authentication profile.

To configure an 802.1X access profile, run the dot1x-access-profile (authentication profile view) command.

Mac access profile name

MAC access profile bound to the authentication profile.

To configure a MAC access profile, run the mac-access-profile (authentication profile view) command.

Portal access profile name

Portal access profile bound to the authentication profile.

To configure a Portal access profile, run the portal-access-profile (authentication profile view) command.

Free rule template

Authentication-free rule profile bound to the authentication profile.

To configure an authentication-free rule profile, run the free-rule-template (authentication profile view) command.

Force domain

Forcible domain for users.

To configure a forcible domain, run the access-domain command.

Dot1x force domain

Forcible domain for 802.1X authentication users.

To configure a forcible domain for 802.1X authentication users, run the access-domain command.

Mac-authen force domain

Forcible domain for MAC address authentication users.

To configure a forcible domain for MAC address authentication users, run the access-domain command.

Portal force domain

Forcible domain for Portal authentication users.

To configure a forcible domain for Portal authentication users, run the access-domain command.

Default domain

Default domain for users.

To configure a default domain for users, run the access-domain command.

Dot1x default domain

Default domain for 802.1X authentication users.

To configure a default domain for 802.1X authentication users, run the access-domain command.

Mac-authen default domain

Default domain for MAC address authentication users.

To configure a default domain for MAC address authentication users, run the access-domain command.

Portal default domain

Default domain for Portal authentication users.

To configure a default domain for Portal authentication users, run the access-domain command.

Permit domain

Permitted domain for users.

To configure a permitted domain, run the permit-domain command.

Authentication handshake

Whether the handshake function is enabled.

  • Enable
  • Disable

To enable the handshake function, run the authentication handshake command.

Authentication handshake period

Handshake interval.

To configure the handshake interval, run the authentication timer handshake-period command.

Auth-fail re-auth period

Interval for re-authenticating users who fail to be authenticated.

To configure the interval, run the authentication timer re-authen command.

Pre-auth re-auth period

Interval for re-authenticating pre-connection users.

To configure the interval, run the authentication timer re-authen command.

Auth-fail aging time

Aging time for entries of the users who fail to be authenticated.

To configure the aging time, run the authentication timer authen-fail-aging command.

Pre-auth aging time

Aging time for pre-connection user entries.

To configure the aging time, run the authentication timer pre-authen-aging command.

Dot1x-mac-bypass

Whether MAC address bypass authentication is enabled.

  • Enable
  • Disable

To configure the function, run the authentication dot1x-mac-bypass command.

Single-access

Whether the device allows users to access in only one authentication mode.

To configure the function, run the authentication single-access command.

Device-type authorize service-scheme

Name of the service scheme based on which the device assigns network access rights to voice terminals that are not authenticated.

To configure the name, run the authentication device-type voice authorize command.

Authentication mode

User access mode.

To configure the mode, run the authentication mode command.

Authen-fail authorize service-scheme

Name of the service scheme based on which the device assigns network access rights to users who fail to be authenticated.

To configure the name, run the authentication event action authorize command.

Authen-server-down authorize service-scheme

Name of the service scheme based on which the device assigns network access rights to users when the authentication server is Down.

To configure the name, run the authentication event action authorize command.

Pre-authen authorize service-scheme

Name of the service scheme based on which the device assigns network access rights to users who are in the pre-connection state.

To configure the name, run the authentication event action authorize command.

Security-name-delimiter

Security string delimiter.

To configure the delimiter, run the security-name-delimiter command.

Domain-name-delimiter

Domain name delimiter.

To configure the delimiter, run the domain-name-delimiter command.

Domain-location

Domain name location.

To configure the location, run the domain-location command.

Domainname-parse-direction

Domain name resolution direction.

To configure the direction, run the domainname-parse-direction command.

WLAN max user number

Maximum number of authenticated users allowed in a VAP profile.

To configure the maximum number, run the authentication wlan-max-user command.

Bound vap profile

VAP profile to which the authentication profile is bound.

To configure the VAP profile, run the authentication-profile (Interface view or VAP profile view) command.

SVF flag

SVF status flag.

Ip-static-user

Whether the function of identifying static users through IP addresses is enabled.

  • Enable
  • Disable

To configure the function, run the ip-static-user enable command.

Roam-realtime-accounting

Whether a device is enabled to send accounting packets for roaming.

  • Enable
  • Disable

Update-IP-realtime-accounting

Whether a device is enabled to send accounting packets for address updating.

  • Enable
  • Disable

To configure the function, run the authentication update-ip-accounting enable command.

Linkdown offline delay time

User logout delay when an interface link is faulty.

To configure the delay, run the link-down offline delay command.
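
To turn this output into an audit, the following Python script (an added example, not part of this reference) parses the "field : value" lines of one profile and flags the settings that, per the table above, grant network access without a completed authentication: any pre-authen, authen-fail or authen-server-down service scheme, a disabled handshake, MAC address bypass, and a re-authentication period longer than the corresponding aging time. SAMPLE_P1 contains the relevant fields of the page's p1 output; SAMPLE_GUEST, the finding messages and the audit policy are this example's assumptions, not vendor guidance.

```python
"""Audit one 'display authentication-profile configuration name <profile>' block.

Added example, not part of the command reference.  The audit policy in
audit_profile() is an assumption of this example.
"""
import re

_KV = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<val>.*?)\s*$")

# Fields whose value names a service scheme applied without a successful
# authentication (see the field descriptions on this page).
FALLBACK_FIELDS = (
    "Pre-authen authorize service-scheme",
    "Authen-fail authorize service-scheme",
    "Authen-server-down authorize service-scheme",
)

# Relevant fields of the page's own output for profile p1.
SAMPLE_P1 = """\
  Profile name                                : p1
  Dot1x access profile name                   : -
  Mac access profile name                     : -
  Portal access profile name                  : testdel
  Default domain                              : 110
  Authentication handshake                    : Enable
  Authentication handshake period             : 300s
  Auth-fail re-auth period                    : 60s
  Pre-auth Re-auth period                     : 60s
  Auth-fail aging time                        : 82800s
  Pre-auth aging time                         : 82800s
  Dot1x-mac-bypass                            : Disable
  Authentication mode                         : multi-authen
  Authen-fail authorize service-scheme        : -
  Authen-server-down authorize service-scheme : -
  Pre-authen authorize service-scheme         : -
"""

# Constructed profile with several settings the audit should flag.
SAMPLE_GUEST = """\
  Profile name                                : guest
  Mac access profile name                     : mac1
  Authentication handshake                    : Disable
  Auth-fail re-auth period                    : 86400s
  Pre-auth Re-auth period                     : 60s
  Auth-fail aging time                        : 82800s
  Pre-auth aging time                         : 82800s
  Dot1x-mac-bypass                            : Enable
  Authen-fail authorize service-scheme        : guest_fail
  Authen-server-down authorize service-scheme : -
  Pre-authen authorize service-scheme         : -
"""


def parse_profile(text):
    """Return {field: value}; '-' is the device's value for 'not configured'."""
    fields = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            fields[m.group("key")] = m.group("val")
    return fields


def seconds(value):
    """'300s' -> 300; None for '-' or any other non-numeric value."""
    m = re.fullmatch(r"(\d+)s?", value or "")
    return int(m.group(1)) if m else None


def audit_profile(fields):
    """Return (severity, field, message) tuples for settings worth reviewing."""
    findings = []
    for key in FALLBACK_FIELDS:
        scheme = fields.get(key, "-")
        if scheme != "-":
            findings.append(("review", key, f"network access granted by service "
                             f"scheme '{scheme}' without a successful authentication"))
    if fields.get("Authentication handshake") != "Enable":
        findings.append(("warn", "Authentication handshake",
                         "periodic handshake with online users is disabled"))
    if fields.get("Dot1x-mac-bypass") == "Enable":
        findings.append(("info", "Dot1x-mac-bypass", "802.1X falls back to MAC "
                         "address authentication, which a spoofed MAC can satisfy"))
    # Sanity check used by this example: a failed or pre-connection user should be
    # re-authenticated before its entry ages out, so re-auth period <= aging time.
    for reauth, aging in (("Auth-fail re-auth period", "Auth-fail aging time"),
                          ("Pre-auth Re-auth period", "Pre-auth aging time")):
        r, a = seconds(fields.get(reauth)), seconds(fields.get(aging))
        if r is not None and a is not None and r > a:
            findings.append(("warn", reauth, f"{r}s exceeds {aging} of {a}s"))
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_P1, SAMPLE_GUEST):
        fields = parse_profile(sample)
        for sev, key, msg in audit_profile(fields):
            print(f"{fields['Profile name']}: [{sev}] {key}: {msg}")
```

Run the script over the output of display authentication-profile configuration name for every profile listed by the summary form of the command; a "review" finding is not necessarily wrong (guest VLANs rely on exactly this fallback), but each one names a service scheme whose permissions should be deliberately narrow.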

display device-profile

Function

The display device-profile command displays the configuration of a specified terminal type identification profile or all terminal type identification profiles.

NOTE:

This function is supported only by S5720HI.

Format

display device-profile { all | profile-name profile-name }

Parameters

Parameter

Description

Value

all

Displays summary of all terminal type identification profiles.

-

profile-name profile-name

Displays detailed information about a specified terminal type identification profile.

The value must be the name of an existing terminal type identification profile.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After configuring terminal type identification, you can run the display device-profile command to view the terminal type identification profile configuration, including the profile name, terminal type identifier, and ACL rule.

Example

# Display summary of all terminal type identification profiles.

<HUAWEI> display device-profile all
  ----------------------------------------------------------------------------
  Name                             Device type                      Rule num
  test                             huawei                           1  
  ----------------------------------------------------------------------------
  Total count : 1

# Display detailed information about the terminal type identification profile test.

<HUAWEI> display device-profile profile-name test
  ----------------------------------------------------------------------------
  Name        : test
  Device type : huawei
  State       : disabled
  Rule        :
    rule 1 mac 0006-0045-0078 mask 12
  Match       :
    if-match rule id 1
  ----------------------------------------------------------------------------
Table 13-46  Description of the display device-profile command output

Item

Description

Name

Name of a terminal type identification profile.

To set a terminal type identification profile name, run the device-profile command.

Device type

Terminal type identifier.

To set a terminal type identifier, run the device-type command.

Rule num

Number of ACL rules.

State
Whether to enable terminal type identification:
  • enable: Terminal type identification is enabled.
  • disabled: Terminal type identification is disabled.

To enable terminal type identification, run the enable command.

Rule

Terminal identification rule.

To set a terminal identification rule, run the rule command.

Match

Matching mode of terminal type identification rules.

To set a matching mode of terminal type identification rules, run the if-match command.

display dot1x

Function

The display dot1x command displays 802.1X authentication information.

Format

display dot1x [ statistics ] [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ]

Parameters

Parameter

Description

Value

statistics

Displays statistics on 802.1X authentication.

The statistics about 802.1X authentication are displayed only when this parameter is specified.

-

interface { interface-type interface-number1 [ to interface-number2 ] }

Displays 802.1X authentication information of a specified interface.

  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

If this parameter is not specified, 802.1X authentication information of all interfaces is displayed.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

You can run the display dot1x command to view configuration results of all configuration commands in 802.1X authentication and statistics about 802.1X packets.

The command output helps you to check whether the current 802.1X authentication configuration is correct and isolate faults accordingly.

Follow-up Procedure

The display dot1x command displays the statistics on 802.1X packets. You can locate the fault according to the packet statistics. When the fault is rectified, run the reset dot1x statistics command to clear the packet statistics. After a period of time, run the display dot1x command again to check the packet statistics. If no error packet is found, the fault is rectified.

Example

# Display 802.1X authentication information.
<HUAWEI> display dot1x
  Max users: 1024                                                               
  Current users: 0                                                              
  Global default domain is huawei                                               
  Quiet function is Enabled                                                     
  Mc-trigger port-up-send is Disabled                                           
  Parameter set:Quiet Period                 600s   Quiet-times          2      
                Tx Period                     30s   Mac-By-Pass Delay   30s  
  dot1x URL: http://www.123.com.cn                                              

 GigabitEthernet0/0/3 status: UP  802.1x protocol is Enabled                    
  Dot1x access profile is dot                                                   
  Authentication mode is multi-authen                                           
  Authentication method is CHAP                                                 
  Reauthentication is disabled                                                  
  Dot1x retry times: 2                                                          
  Authenticating users: 1
  Maximum users: 1024                                                           
  Current users: 0                                                              
                                                                                
  Authentication Success: 1          Failure: 0                                 
  Enter Enquence        : 0                                                     
  EAPOL Packets: TX     : 16         RX     : 8                                 
  Sent      EAPOL Request/Identity Packets       : 10                           
            EAPOL Request/Challenge Packets      : 1                            
            Multicast Trigger Packets            : 0                            
            EAPOL Success Packets                : 1                            
            EAPOL Failure Packets                : 4                            
  Received  EAPOL Start Packets                  : 1                            
            EAPOL Logoff Packets                 : 1                            
            EAPOL Response/Identity Packets      : 1                            
            EAPOL Response/Challenge Packets     : 1              

# Display 802.1X statistics.

<HUAWEI> display dot1x statistics
  Max users: 1024
  Current users: 0
  Global default domain is yx
  Quiet function is Enabled
  Mc-trigger port-up-send is Enabled
  Parameter set:Quiet Period                 600s   Quiet-times          2      
                Tx Period                     30s   Mac-By-Pass Delay   30s           
  dot1x URL: http://www.123.com.cn                                              

 GigabitEthernet0/0/1 status: DOWN  802.1x protocol is Enabled
  Controlled User(s) amount to  0                                                                                                   

  Authentication Success: 0          Failure: 0                                 
  Enter Enquence        : 0                                                     
  EAPOL Packets: TX     : 1          RX     : 0                                 
  Sent      EAPOL Request/Identity Packets       : 0                            
            EAPOL Request/Challenge Packets      : 0                            
            Multicast Trigger Packets            : 1                            
            EAPOL Success Packets                : 0                            
            EAPOL Failure Packets                : 0                            
  Received  EAPOL Start Packets                  : 0                            
            EAPOL Logoff Packets                 : 0                            
            EAPOL Response/Identity Packets      : 0                            
            EAPOL Response/Challenge Packets     : 0    
Table 13-47  Description of the display dot1x command output

Item

Description

Max users

Maximum number of global online users. The value varies according to the device model.

Current users

Number of current online users.

Global default domain is

Global default authentication domain.

To configure the global default authentication domain, run the domain (system view) command.

Quiet function is

Whether the quiet function is enabled.

  • Enabled.
  • Disabled.

To configure the quiet function, run the dot1x quiet-period command.

Mc-trigger port-up-send is

Whether the function of triggering 802.1X authentication through multicast packets immediately after an interface goes Up is enabled.

  • Enabled.
  • Disabled.

To configure the function, run the dot1x mc-trigger port-up-send enable command.

Parameter set

Settings of 802.1X parameters:
  • Quiet Period: specifies the quiet period set by the quiet timer. To configure the quiet period, run the dot1x timer quiet-period command.
  • Quiet-times: specifies the maximum number of authentication failures before the device quiets a user. To configure the maximum value, run the dot1x quiet-times command.
  • Tx Period: specifies the interval for sending authentication requests. To configure the interval, run the dot1x timer tx-period command.

dot1x URL

Redirect-to URL for HTTP access of 802.1X users.

To configure the redirect-to URL, run the dot1x url command.

interface status

Interface status:
  • UP: The interface is in the Up state.
  • DOWN: The interface is in the Down state.

802.1x protocol is

Whether 802.1X authentication is enabled on the interface.

  • Enabled.
  • Disabled.

Dot1x access profile is

802.1X access profile name.

To configure the 802.1X access profile name, run the dot1x-access-profile (system view) command.

Authentication mode is

User access mode.

To configure the user access mode, run the authentication mode command.

Authentication method is

Authentication method used for 802.1X users: CHAP, PAP, or EAP.

To configure the authentication mode of 802.1X users, run the dot1x authentication-method command.

Reauthentication is

Whether re-authentication is enabled for online 802.1X users.

To configure the function, run the dot1x reauthenticate command.

Dot1x retry times

Maximum number of attempts to send authentication requests to 802.1X users.

To configure maximum number of attempts to send authentication requests to 802.1X users, run the dot1x retry command.

Authenticating users

Number of users who are being authenticated.

Maximum users

Maximum number of online users on the interface.

The value depends on device types.

Current users

Number of online users on the interface.

Authentication Success Failure

Number of successful and failed authentications.

The statistics cover 802.1X users only; users authenticated through MAC address bypass authentication are not counted.

Enter Enquence

Number of packets entering the queue.

EAPOL Packets: TX RX

Number of EAPOL packets sent (TX) and received (RX).

EAPOL Request/Identity Packets

Number of EAPOL Request/Identity packets sent (listed under Sent in the output).

EAPOL Request/Challenge Packets

Number of EAPOL Request/Challenge packets sent.

Multicast Trigger Packets

Number of multicast packets sent to trigger authentication.

EAPOL Success Packets

Number of EAPOL Success packets sent.

EAPOL Failure Packets

Number of EAPOL Failure packets sent.

EAPOL Start Packets

Number of EAPOL Start packets received (listed under Received in the output).

EAPOL Logoff Packets

Number of EAPOL Logoff packets received.

EAPOL Response/Identity Packets

Number of EAPOL Response/Identity packets received.

EAPOL Response/Challenge Packets

Number of EAPOL Response/Challenge packets received.

Controlled User(s) amount to

Number of users who pass authentication successfully.
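The follow-up procedure above relies on reading the EAPOL counters by eye. The following Python script, added here as an example and not part of the Huawei documentation or device software, parses display dot1x output into one record per interface and flags the conditions a practitioner checks first: EAPOL Failure packets or failed authentications, Request/Identity packets going unanswered, and re-authentication left disabled. SAMPLE_OUTPUT is constructed from the example output above; the thresholds in findings() are the example's own assumption, not a Huawei recommendation.

```python
"""Parse `display dot1x` text into per-interface records and flag 802.1X problems.
Added example, not Huawei code. SAMPLE_OUTPUT is constructed from the example
output on this page; the thresholds in findings() are an assumption."""
import re
from dataclasses import dataclass, field

SAMPLE_OUTPUT = """\
  Max users: 1024
  Global default domain is huawei
  dot1x URL: http://www.123.com.cn

 GigabitEthernet0/0/3 status: UP  802.1x protocol is Enabled
  Dot1x access profile is dot
  Authentication method is CHAP
  Reauthentication is disabled
  Dot1x retry times: 2
  Current users: 0

  Authentication Success: 1          Failure: 0
  Enter Enquence        : 0
  EAPOL Packets: TX     : 16         RX     : 8
  Sent      EAPOL Request/Identity Packets       : 10
            EAPOL Request/Challenge Packets      : 1
            Multicast Trigger Packets            : 0
            EAPOL Success Packets                : 1
            EAPOL Failure Packets                : 4
  Received  EAPOL Start Packets                  : 1
            EAPOL Logoff Packets                 : 1
            EAPOL Response/Identity Packets      : 1
            EAPOL Response/Challenge Packets     : 1

 GigabitEthernet0/0/1 status: DOWN  802.1x protocol is Enabled
  Controlled User(s) amount to  0

  Authentication Success: 0          Failure: 0
  EAPOL Packets: TX     : 1          RX     : 0
  Sent      EAPOL Request/Identity Packets       : 0
            Multicast Trigger Packets            : 1
"""

IFACE_RE = re.compile(r"^\s*(?P<name>\S+) status: (?P<status>UP|DOWN)\s+"
                      r"802\.1x protocol is (?P<proto>Enabled|Disabled)")
SUCCESS_RE = re.compile(r"Authentication Success:\s*(\d+)\s+Failure:\s*(\d+)")
EAPOL_RE = re.compile(r"EAPOL Packets: TX\s*:\s*(\d+)\s+RX\s*:\s*(\d+)")
# A "Sent"/"Received" label opens a group; unlabelled counter lines continue it.
PKT_RE = re.compile(r"^\s*(?:(?P<dir>Sent|Received)\s+)?(?P<name>[A-Za-z/ ]+Packets)\s*:\s*(?P<value>\d+)")
KV_RE = re.compile(r"^\s*(?P<key>[A-Za-z0-9 ]+?)\s*(?::|\sis\s)\s*(?P<val>\S+)\s*$")


@dataclass
class Dot1xInterface:
    name: str
    status: str                                    # UP or DOWN
    enabled: bool                                  # "802.1x protocol is Enabled"
    settings: dict = field(default_factory=dict)   # e.g. "Authentication method" -> "CHAP"
    success: int = 0
    failure: int = 0
    eapol_tx: int = 0
    eapol_rx: int = 0
    sent: dict = field(default_factory=dict)       # packet type -> count
    received: dict = field(default_factory=dict)


def parse_display_dot1x(text):
    """Return one Dot1xInterface per interface block; global header lines are skipped."""
    interfaces, current, direction = [], None, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = Dot1xInterface(m["name"], m["status"], m["proto"] == "Enabled")
            interfaces.append(current)
            direction = None
            continue
        if current is None:
            continue
        if m := SUCCESS_RE.search(line):
            current.success, current.failure = int(m[1]), int(m[2])
        elif m := EAPOL_RE.search(line):
            current.eapol_tx, current.eapol_rx = int(m[1]), int(m[2])
        elif m := PKT_RE.match(line):
            direction = m["dir"] or direction
            bucket = current.sent if direction == "Sent" else current.received
            bucket[m["name"].strip()] = int(m["value"])
        elif m := KV_RE.match(line):
            current.settings[m["key"]] = m["val"]
    return interfaces


def findings(iface):
    """Human-readable findings for one interface (thresholds are this example's assumption)."""
    if not iface.enabled:
        return ["802.1X is disabled on this interface"]
    if iface.status == "DOWN":
        return ["interface is Down, no supplicant traffic to evaluate"]
    notes = []
    eap_fail = iface.sent.get("EAPOL Failure Packets", 0)
    if iface.failure or eap_fail:
        notes.append(f"{iface.failure} failed authentications, {eap_fail} EAPOL Failure packets sent")
    req = iface.sent.get("EAPOL Request/Identity Packets", 0)
    resp = iface.received.get("EAPOL Response/Identity Packets", 0)
    if req > 2 * max(resp, 1):
        notes.append(f"{req} Request/Identity sent, {resp} Response/Identity received: "
                     "supplicants not answering (check Tx Period and retry times)")
    if iface.settings.get("Reauthentication", "").lower() == "disabled":
        notes.append("re-authentication disabled: authorized sessions are never re-validated")
    return notes


if __name__ == "__main__":
    for iface in parse_display_dot1x(SAMPLE_OUTPUT):
        print(iface.name, iface.status, findings(iface))
```

Run it against output captured after reset dot1x statistics and again after the wait the procedure describes; an interface that still accumulates EAPOL Failure packets or unanswered Request/Identity packets has not been fixed.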

display dot1x-access-profile configuration

Function

The display dot1x-access-profile configuration command displays the configuration of an 802.1X access profile.

Format

display dot1x-access-profile configuration [ name access-profile-name ]

Parameters

Parameter

Description

Value

name access-profile-name

Displays the configuration of an 802.1X access profile with a specified name.

If name access-profile-name is not specified, the device displays all the 802.1X access profiles configured on the device. If name access-profile-name is specified, the device displays the configuration of a specified 802.1X access profile.

The value must be the name of an existing 802.1X access profile.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After configuring an 802.1X access profile, you can run this command to check whether the configuration is correct.

NOTE:

The name of the compatibility profile converted after an upgrade begins with the at sign (@) and the profile is not counted in the configuration specification.

Example

# Display all the 802.1X access profiles configured on the device.

<HUAWEI> display dot1x-access-profile configuration
-------------------------------------------------------------------------------                                                     
 ID             Dot1x-Access-Profile Name                                                                                           
-------------------------------------------------------------------------------                                                     
 0              dot1x_access_profile                                                                                                
 1              d1                                                                                                                  
 2              d2                                                                                                                   
 3              d3                                                                                                                   
 4              d4                                                                                                        
-------------------------------------------------------------------------------                                                     
 Total: 5 printed: 5. 
Table 13-48  Description of the display dot1x-access-profile configuration command output

Item

Description

ID

802.1X access profile ID.

Dot1x-Access-Profile Name

802.1X access profile name.

# Display the configuration of the 802.1X access profile d1.

<HUAWEI> display dot1x-access-profile configuration name d1
  Profile Name                 : d1
  Authentication method        : EAP
  Port control                 : authorized-force
  Re-authen                    : Enable
  Client-no-response authorize : -
  Trigger condition            : arp
  Unicast trigger              : Enable
  Trigger dhcp-bind            : Enable
  Handshake                    : Disable
  Handshake packet-type        : request-identity
  Max retry value              : 2
  Reauthen Period              : 3600s
  Client Timeout               : 5s
  Handshake Period             : 60s
  Eth-trunk handshake period   : 120s
  Bound authentication profile : -
Table 13-49  Description of the display dot1x-access-profile configuration name command output

Item

Description

Profile Name

802.1X access profile name.

Authentication method

Authentication method for 802.1X users:
  • CHAP
  • PAP
  • EAP

To configure the authentication mode, run the dot1x authentication-method command.

Port control

802.1X authentication interface's authorization status:
  • auto
  • authorized-force
  • unauthorized-force

To set an authorization state for an interface, run the dot1x port-control command.

Re-authen

Whether re-authentication for online 802.1X users is enabled:
  • Enable
  • Disable

To configure the re-authentication function, run the dot1x reauthenticate command.

Client-no-response authorize

Network access rights granted to users when the 802.1X client does not respond.

  • service-scheme: The name of a service scheme based on which network access rights are assigned.
  • ucl-group: The name of a UCL group based on which network access rights are assigned.
  • vlan: The VLAN based on which network access rights are assigned.

To configure the network access rights, run the authentication event client-no-response action authorize command.

Trigger condition

Packet type that can trigger 802.1X authentication:
  • dhcp
  • arp
  • any-l2-packet

To configure the packet type, run the authentication trigger-condition (802.1X authentication) command.

Unicast trigger

Whether 802.1X authentication triggered by unicast packets is enabled:
  • Enable
  • Disable

To configure the function, run the dot1x unicast-trigger command.

Trigger dhcp-bind

Whether the device is enabled to automatically generate DHCP snooping binding entries for users with static IP addresses:
  • Enable
  • Disable

To configure the function, run the dot1x trigger dhcp-binding command.

Handshake

Whether handshake with online 802.1X authentication users is enabled:
  • Enable
  • Disable

To configure the function, run the dot1x handshake command.

Handshake packet-type

Type of 802.1X authentication handshake packets:
  • request-identity
  • srp-sha1-part2

To configure the type, run the dot1x handshake packet-type command.

Max retry value

Maximum number of attempts to send authentication requests to 802.1X users.

To configure the maximum value, run the dot1x retry command.

Reauthen Period

Re-authentication interval for online 802.1X users.

To configure the re-authentication interval, run the dot1x timer command.

Client Timeout

Authentication timeout period for 802.1X clients.

To configure the authentication timeout period, run the dot1x timer command.

Handshake Period

Interval at which the device handshakes with an 802.1X client on a non-Eth-Trunk interface.

To configure the interval, run the dot1x timer command.

Eth-trunk handshake period

Interval at which the device handshakes with an 802.1X client on an Eth-Trunk.

To configure the interval, run the dot1x timer command.

Bound authentication profile

Authentication profile to which the 802.1X access profile is bound.

To configure the authentication profile, run the dot1x-access-profile (authentication profile view) command.

display dot1x quiet-user

Function

The display dot1x quiet-user command displays information about 802.1X authentication users who are quieted.

Format

display dot1x quiet-user { all | mac-address mac-address }

Parameters

Parameter

Description

Value

all

Displays information about all 802.1X authentication users who are quieted.

-

mac-address mac-address

Displays information about a quiet 802.1X authentication user with a specified MAC address.

The value is in H-H-H format. Each H is a hexadecimal number of 1 to 4 digits.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run this command to view information about 802.1X authentication users who are quieted.

Example

# Display information about all 802.1X authentication users who are quieted.

<HUAWEI> display dot1x quiet-user all
-------------------------------------------------------------------------------
MacAddress                                                Quiet Remain Time(Sec)
-------------------------------------------------------------------------------
0001-0002-0003                                            50
-------------------------------------------------------------------------------
1 silent mac address(es) found, 1 printed. 
Table 13-50  Description of the display dot1x quiet-user all command output

Item

Description

MacAddress

MAC address of an 802.1X authentication user who is quieted.

Quiet Remain Time(Sec)

Remaining quiet time of an 802.1X authentication user who is quieted, in seconds.

display free-rule

Function

The display free-rule command displays whether an authentication-free rule defined by ACL is delivered.

Format

display free-rule

Parameters

None.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display free-rule command to view the delivery status of an authentication-free rule defined by ACL.

Example

# Display whether an authentication-free rule defined by ACL is delivered.

<HUAWEI> display free-rule
 ------------------------------------------------------------------------------                                                     
     Slot-ID                        Acl-ID                          Status                                                          
 ------------------------------------------------------------------------------                                                     
        0                            6000                           SUCCESS                                                         
 ------------------------------------------------------------------------------                                                     
Total 1 free-rule(s) 
Table 13-51  Description of the display free-rule command output

Item

Description

Slot-ID

Slot ID.

Acl-ID

ACL number.

Status

Whether the authentication-free rule defined by ACL is successfully delivered to the slot.

display free-rule-template configuration

Function

The display free-rule-template configuration command displays the configuration of an authentication-free rule profile.

Format

display free-rule-template configuration [ name free-rule-name ]

Parameters

Parameter

Description

Value

name free-rule-name

Displays the configuration of an authentication-free rule profile with a specified name.

If name free-rule-name is not specified, the device displays all the authentication-free rule profiles configured on the device. If name free-rule-name is specified, the device displays the configuration of a specified authentication-free rule profile.

The value must be the name of an existing authentication-free rule profile.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After configuring an authentication-free rule profile, you can run this command to check whether the configuration is correct.

Example

# Display all the authentication-free rule profiles configured on the device.

<HUAWEI> display free-rule-template configuration
-------------------------------------------------------------------------------                                                     
 ID             Free-rule-template Name                                                                                                      
-------------------------------------------------------------------------------                                                     
 0              default_free_rule                                                                                                     
-------------------------------------------------------------------------------                                                     
 Total: 1 printed: 1.
Table 13-52  Description of the display free-rule-template configuration command output

Item

Description

ID

ID of an authentication-free rule profile.

Free-rule-template Name

Name of an authentication-free rule profile.

display mac-address authen

Function

The display mac-address authen command displays the current authen MAC address entries in the system.

Format

display mac-address authen [ interface-type interface-number | vlan vlan-id ] * [ verbose ]

Parameters

Parameter

Description

Value

vlan vlan-id

Displays MAC address entries in a specified VLAN.

If no VLAN is specified, MAC address entries in all VLANs of the device are displayed.

The value is an integer that ranges from 1 to 4094.

interface-type interface-number

Displays MAC address entries on a specified interface.

If no interface is specified, MAC address entries on all interfaces of the device are displayed.

-

verbose

Displays detailed information about MAC address entries.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

After MAC address authentication or 802.1X authentication is configured, the administrator can run this command to check the authen MAC address entries on the device. An authen entry is generated after a user passes MAC address authentication or 802.1X authentication, so these entries show which users have been granted access and help the administrator locate user access faults.

Precautions

If there are many authen MAC address entries, specify a VLAN or an interface, or use the pipe operator (|), to filter the output. Otherwise, the following problems may occur because of the excessive output:
  • The displayed information is refreshed repeatedly on the terminal screen and the administrator cannot obtain the required information.

  • The device traverses and retrieves information for a long time, and does not respond to any request.

Example

# Display all authen MAC address entries in the system.

<HUAWEI> display mac-address authen
-------------------------------------------------------------------------------  
MAC Address    VLAN/VSI/BD                          Learned-From        Type        
-------------------------------------------------------------------------------
0000-0000-0100 3000/-/-                              GE0/0/1            authen
0000-0000-0400 3000/-/-                              GE0/0/1            authen
0000-0000-0200 3000/-/-                              GE0/0/1            authen
-------------------------------------------------------------------------------  
Total items displayed = 3                     
Table 13-53  Description of the display mac-address authen command output

Item

Description

MAC Address

MAC address of an authenticated user.

VLAN/VSI/BD

VLAN/VSI/BD that the outbound interface belongs to.

Learned-From

Interface on which a MAC address is learned.

Type

Type of the MAC address entry. This command displays authen entries only.

Total items displayed

Total number of MAC address entries that match the filter condition.

display mac-address pre-authen

Function

The display mac-address pre-authen command displays the current pre-authen MAC address entries in the system.

Format

display mac-address pre-authen [ interface-type interface-number | vlan vlan-id ] * [ verbose ]

Parameters

Parameter

Description

Value

vlan vlan-id

Displays MAC address entries in a specified VLAN.

If no VLAN is specified, MAC address entries in all VLANs of the device are displayed.

The value is an integer that ranges from 1 to 4094.

interface-type interface-number

Displays MAC address entries on a specified interface.

If no interface is specified, MAC address entries on all interfaces of the device are displayed.

-

verbose

Displays detailed information about MAC address entries.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

You can run this command to check the existing MAC address entries of the pre-connection type to obtain access information about pre-connection users and locate faults.

Precautions

If there are many pre-authen MAC address entries, specify a VLAN or an interface, or use the pipe operator (|), to filter the output. Otherwise, the following problems may occur because of the excessive output:
  • The displayed information is refreshed repeatedly on the terminal screen and the administrator cannot obtain the required information.

  • The device traverses and retrieves information for a long time, and does not respond to any request.

Example

# Display all pre-authen MAC address entries in the system.

<HUAWEI> display mac-address pre-authen
-------------------------------------------------------------------------------  
MAC Address    VLAN/VSI/BD                          Learned-From        Type        
-------------------------------------------------------------------------------
0000-0000-0100 3000/-/-                              GE0/0/1             pre-authen
0000-0000-0400 3000/-/-                              GE0/0/1             pre-authen
0000-0000-0200 3000/-/-                              GE0/0/1             pre-authen
-------------------------------------------------------------------------------  
Total items displayed = 3                     
Table 13-54  Description of the display mac-address pre-authen command output

Item

Description

MAC Address

MAC address of a user in the pre-connection state, that is, a user who has not yet passed authentication.

VLAN/VSI/BD

VLAN/VSI/BD that the interface belongs to.

Learned-From

Interface on which a MAC address of a user to be authenticated is learned.

Type

Type of the MAC address entry. This command displays pre-authen entries only.

Total items displayed

Total number of MAC address entries that match the filter condition.

display mac-access-profile configuration

Function

The display mac-access-profile configuration command displays the configuration of a MAC access profile.

Format

display mac-access-profile configuration [ name access-profile-name ]

Parameters

Parameter

Description

Value

name access-profile-name

Displays the configuration of a MAC access profile with a specified name.

If name access-profile-name is not specified, the device displays all the MAC access profiles configured on the device. If name access-profile-name is specified, the device displays the configuration of a specified MAC access profile.

The value must be the name of an existing MAC access profile.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After configuring a MAC access profile, you can run this command to check whether the configuration is correct.

NOTE:

The name of the compatibility profile converted after an upgrade begins with the at sign (@) and the profile is not counted in the configuration specification.

Example

# Display all the MAC access profiles configured on the device.

<HUAWEI> display mac-access-profile configuration
-------------------------------------------------------------------------------                                                     
 ID             Mac-Access-Profile Name                                                                                           
-------------------------------------------------------------------------------                                                     
 0              mac_access_profile                                                                                                
 1              m1                                                                                                                  
 2              m2                                                                                                                   
 3              m3                                                                                                                   
 4              m4                                                                                                        
-------------------------------------------------------------------------------                                                     
 Total: 5 printed: 5. 
Table 13-55  Description of the display mac-access-profile configuration command output

Item

Description

ID

MAC access profile ID.

Mac-Access-Profile Name

MAC access profile name.

# Display the configuration of the MAC access profile m1 (a password is configured for MAC address authentication users).

<HUAWEI> display mac-access-profile configuration name m1
  Profile Name                 : m1                                             
  Username format              : fixed username: a1                             
  Password type                : cipher                                         
  Re-authen                    : Disable                                        
  Trigger condition            : arp dhcp nd dhcpv6                             
  Offline dhcp-release         : Disable                                        
  Re-authen dhcp-renew         : Disable                                      
  Reauthen Period              : 1800s                                          
  Bound authentication profile : -  

# Display the configuration of the MAC access profile m2 (no password is configured for MAC address authentication users).

<HUAWEI> display mac-access-profile configuration name m2
  Profile Name                 : m2                                             
  Username format              : fixed username: a1                             
  Password                     : not configured 
  Re-authen                    : Disable                                        
  Trigger condition            : arp dhcp nd dhcpv6                             
  Offline dhcp-release         : Disable                                        
  Re-authen dhcp-renew         : Disable                                        
  Reauthen Period              : 1800s                                          
  Bound authentication profile : -  
Table 13-56  Description of the display mac-access-profile configuration name command output

Item

Description

Profile Name

MAC access profile name.

Username format

User name format for MAC address authentication.

  • use MAC address without-hyphen as username: A user name is a MAC address that does not contain hyphens (-), for example, 0005e01c02e3.
  • use MAC address with-hyphen as username: A user name is a MAC address that contains hyphens (-) and the hyphens are inserted between every four digits, for example, 0005-e01c-02e3.
  • use MAC address with-hyphen normal as username: A user name is a MAC address that contains hyphens (-) and the hyphens are inserted between every two digits, for example, 00-05-e0-1c-02-e3.
  • use MAC address without-hyphen upper as username: A user name is a MAC address in the uppercase format that does not contain hyphens (-), for example, 0005E01C02E3.
  • use MAC address with-hyphen upper as username: A user name is a MAC address in the uppercase format that contains hyphens (-) and the hyphens are inserted between every four digits, for example, 0005-E01C-02E3.
  • use MAC address with-hyphen normal upper as username: A user name is a MAC address in the uppercase format that contains hyphens (-) and the hyphens are inserted between every two digits, for example, 00-05-E0-1C-02-E3.
  • fixed username: The user name is fixed.
  • use option82 as username: The content of the Option 82 field is used as the user name.
  • not configured: The user name format is not configured.

To configure the user name format, run the mac-authen username command.

Password type

Password display mode for MAC address authentication.

  • cipher

To configure the password display mode, run the mac-authen username command.

Password

Password of MAC address authentication users. This field is displayed instead of Password type when no password is configured, and has the following fixed value:
  • not configured: No password is configured for MAC address authentication users.

Re-authen

Whether re-authentication for online MAC address authentication users is enabled:
  • Enable: indicates that re-authentication is enabled.
  • Disable: indicates that re-authentication is disabled.

To configure the re-authentication function, run the mac-authen reauthenticate command.

Trigger condition

Packet type that can trigger MAC address authentication.

To configure the packet type, run the authentication trigger-condition (MAC address authentication) command.

Offline dhcp-release

Whether the device is enabled to clear user entries when receiving DHCP release packets from MAC address authentication users.

  • Enable
  • Disable

To configure the function, run the mac-authen offline dhcp-release command.

Re-authen dhcp-renew

Whether the device is enabled to re-authenticate MAC address authentication users when receiving DHCP lease renewal packets from the users.

  • Enable
  • Disable

To configure the function, run the mac-authen reauthenticate dhcp-renew command.

Reauthen Period

Re-authentication interval for online MAC address authentication users.

To configure the re-authentication interval, run the mac-authen timer reauthenticate-period command.

Bound authentication profile

Authentication profile to which the MAC access profile is bound.

To configure the authentication profile, run the mac-access-profile (authentication profile view) command.
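When the user name is derived from the MAC address, the entry on the authentication server must match the exact string the switch sends, including hyphen placement and case. The following Python helper, added here as an example and not part of the Huawei documentation or device software, produces every MAC-derived user name format listed in Table 13-56 for a given address, and also normalizes the H-H-H notation (1 to 4 hexadecimal digits per group) that the display dot1x quiet-user command accepts. The fixed username and option82 formats are not derived from the MAC address and are not covered; the sample addresses are constructed.

```python
"""Generate the MAC-derived user names a switch can send for MAC address
authentication. Added example, not Huawei code. Input may be H-H-H (1-4 hex
digits per group), 0005-e01c-02e3, 00-05-e0-1c-02-e3, 00:05:e0:1c:02:e3 or
0005e01c02e3; all sample values are constructed."""
import re

_HHH = re.compile(r"^([0-9A-Fa-f]{1,4})-([0-9A-Fa-f]{1,4})-([0-9A-Fa-f]{1,4})$")
_FLAT = re.compile(r"^[0-9A-Fa-f]{12}$")


def normalize_mac(text):
    """Return the address as 12 lowercase hex digits; raise ValueError otherwise."""
    s = text.strip()
    m = _HHH.match(s)
    if m:
        # H-H-H: each group is left-padded to 4 digits, so 1-2-3 is 0001-0002-0003
        return "".join(g.zfill(4) for g in m.groups()).lower()
    flat = re.sub(r"[-:.]", "", s)          # strip the separators of the other notations
    if _FLAT.match(flat):
        return flat.lower()
    raise ValueError(f"not a MAC address: {text!r}")


# User name formats from the table above (lowercase variants; upper=True adds the rest).
FORMATS = {
    "without-hyphen":     lambda h: h,                                        # 0005e01c02e3
    "with-hyphen":        lambda h: "-".join(h[i:i + 4] for i in range(0, 12, 4)),  # 0005-e01c-02e3
    "with-hyphen normal": lambda h: "-".join(h[i:i + 2] for i in range(0, 12, 2)),  # 00-05-e0-1c-02-e3
}


def mac_username(mac, fmt="without-hyphen", upper=False):
    """User name in one format; upper=True gives the corresponding '... upper' format."""
    name = FORMATS[fmt](normalize_mac(mac))
    return name.upper() if upper else name


def all_usernames(mac):
    """Every MAC-derived user name format, keyed by the name used in the table above."""
    out = {}
    for fmt in FORMATS:
        out[fmt] = mac_username(mac, fmt)
        out[fmt + " upper"] = mac_username(mac, fmt, upper=True)
    return out


if __name__ == "__main__":
    for fmt, name in all_usernames("1-2-3").items():
        print(f"{fmt:28} {name}")
```

Provision the server-side account with the string for the format actually set by mac-authen username; any other spelling of the same address fails authentication silently, which is a common cause of the Failure counters discussed earlier. Because the credential is derived entirely from the MAC address, such an account authorizes any host presenting that address, so keep re-authentication and the quiet function enabled rather than relying on the address alone.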

display mac-authen

Function

The display mac-authen command displays information about MAC address authentication.

Format

display mac-authen [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> | configuration ]

Parameters

Parameter

Description

Value

interface { interface-type interface-number1 [ to interface-number2 ] }

Displays MAC authentication information of a specified interface.

  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

If this parameter is not specified, MAC authentication information of all interfaces is displayed.

-

configuration

Displays the global information about MAC address authentication.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

You can run the display mac-authen command to view configuration results of all configuration commands in MAC address authentication. The command output helps you to check whether the MAC address authentication configuration is correct and isolate faults accordingly.

Follow-up Procedure

You can locate the fault according to the packet statistics that are displayed by the display mac-authen command. When the fault is rectified, run the reset mac-authen statistics command to clear the packet statistics. After a period of time, run the display mac-authen command again to check the packet statistics. If no error packet is found, the fault is rectified.

Example

# Display the configuration of MAC address authentication.

<HUAWEI> display mac-authen
  Quiet period is 60s
  Authentication fail times before quiet is 1
  Maximum users: 16384
  Current users: 1
  Global default domain is default

 GigabitEthernet0/0/1 state: UP.  MAC address authentication is enabled
  MAC access profile is mac_access_profile
  Reauthentication is disabled
  Maximum users: 16384
  Current users: 1
  Username format: fixed username: gcs
  Password type: cipher
  Fixed password: %^%#2}*{%bMY.D*Kw3HxDgU3CW7g'|54H&<]S,Zfu;%^%#
  Authentication Success: 22, Failure: 85

 Online user(s) info:
 UserId   MAC/VLAN            AccessTime              UserName
 ------------------------------------------------------------------------------
 37223    a088-b44d-573c/2003 2014/09/28 15:45:45     gcs
 ------------------------------------------------------------------------------
 Total: 1, printed: 1 
Table 13-57  Description of the display mac-authen command output

Item

Description

Quiet period

Quiet period during which the device quiets a user who fails to be authenticated. The default value of the quiet timer is 60 seconds.

To configure the quiet period, run the mac-authen timer quiet-period command.

Authentication fail times before quiet

Maximum number of authentication failures before the device quiets a user.

To configure the maximum value, run the mac-authen quiet-times command.

Maximum users

Maximum number of users allowed on the device.

Current users

Number of online users. The value varies according to the device model.

Global default domain

Global default authentication domain.

To configure the global default authentication domain, run the domain (system view) command.

interface state

Interface status:

  • UP: The interface is enabled.
  • DOWN: The interface is shut down.

MAC address authentication

Whether MAC address authentication is enabled on the interface.

  • enabled
  • disabled

MAC access profile

MAC access profile name.

To configure the MAC access profile name, run the mac-access-profile (system view) command.

Reauthentication

Whether re-authentication for MAC address authentication users is enabled.

  • enabled
  • disabled

To configure whether re-authentication for MAC address authentication users is enabled, run the mac-authen reauthenticate command.

Current users

Number of current online users on the interface.

Username format

User name format for MAC address authentication.

  • use MAC address without-hyphen as username: A user name is a MAC address that does not contain hyphens (-), for example, 0005e01c02e3.
  • use MAC address with-hyphen as username: A user name is a MAC address that contains hyphens (-) and the hyphens are inserted between every four digits, for example, 0005-e01c-02e3.
  • use MAC address with-hyphen normal as username: A user name is a MAC address that contains hyphens (-) and the hyphens are inserted between every two digits, for example, 00-05-e0-1c-02-e3.
  • use MAC address without-hyphen upper as username: A user name is a MAC address in the uppercase format that does not contain hyphens (-), for example, 0005E01C02E3.
  • use MAC address with-hyphen upper as username: A user name is a MAC address in the uppercase format that contains hyphens (-) and the hyphens are inserted between every four digits, for example, 0005-E01C-02E3.
  • use MAC address with-hyphen normal upper as username: A user name is a MAC address in the uppercase format that contains hyphens (-) and the hyphens are inserted between every two digits, for example, 00-05-E0-1C-02-E3.
  • fixed username: The user name is fixed.
  • use option82 as username: The content of the Option 82 field is used as the user name.
  • not configured: The user name format is not configured.

To configure the user name format for MAC address authentication, run the mac-authen username command.

Password type

Password display mode for MAC address authentication.

  • cipher

To configure the password display mode for MAC address authentication, run the mac-authen username command.

Fixed password

Password for MAC address authentication.

To configure the password for MAC address authentication, run the mac-authen username command.

Authentication Success: m, Failure: n

Numbers of successful authentications (m) and failed authentications (n) on the interface.

Online user(s) info

Online user information.
  • UserId: ID of an online user.
  • MAC/VLAN: MAC address and VLAN of an online user.
  • AccessTime: access time of an online user.
  • UserName: name of an online user.
  • Total: total number of online users.
  • printed: number of displayed online users.
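
An added example, not code from the command reference: it parses the display mac-authen output format described in the table above and derives the findings a reviewer would raise from it, namely re-authentication disabled, a fixed user name shared by every endpoint on the interface, and the high failure count that the Follow-up Procedure says to investigate and clear with reset mac-authen statistics. The sample text is constructed from the command's example output (with the cipher text replaced by a placeholder), and the 50% failure-ratio threshold is an assumption.

```python
"""Parse and audit the 'display mac-authen' output format documented above.
Added example, not Huawei code: SAMPLE_OUTPUT is constructed from the command
reference's example and the failure-ratio threshold is an assumption."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

SAMPLE_OUTPUT = """\
  Quiet period is 60s
  Authentication fail times before quiet is 1
  Maximum users: 16384
  Current users: 1
  Global default domain is default

 GigabitEthernet0/0/1 state: UP.  MAC address authentication is enabled
  MAC access profile is mac_access_profile
  Reauthentication is disabled
  Maximum users: 16384
  Current users: 1
  Username format: fixed username: gcs
  Password type: cipher
  Fixed password: %^%#<cipher text placeholder>%^%#
  Authentication Success: 22, Failure: 85

 Online user(s) info:
 UserId   MAC/VLAN            AccessTime              UserName
 ------------------------------------------------------------------------------
 37223    a088-b44d-573c/2003 2014/09/28 15:45:45     gcs
 ------------------------------------------------------------------------------
 Total: 1, printed: 1
"""

@dataclass
class Interface:
    name: str
    state: str                 # UP or DOWN
    enabled: bool              # "MAC address authentication is enabled"
    profile: str = ""          # MAC access profile name
    reauth: bool = False       # "Reauthentication is enabled/disabled"
    username_format: str = ""  # e.g. "fixed username: gcs"
    success: int = 0           # Authentication Success: m
    failure: int = 0           # Failure: n

@dataclass
class Status:
    quiet_period_s: int = 0
    default_domain: str = ""
    interfaces: list[Interface] = field(default_factory=list)
    online_users: list[tuple] = field(default_factory=list)  # (id, mac, vlan, time, name)

_IFACE = re.compile(r"^(\S+) state: (UP|DOWN)\.\s+MAC address authentication is (enabled|disabled)")
_USER = re.compile(r"^(\d+)\s+([0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4})/(\d+)\s+(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)$")
_COUNTS = re.compile(r"^Authentication Success: (\d+), Failure: (\d+)")

def _after(line: str, prefix: str) -> str | None:
    """Text following a fixed prefix, or None if the line is something else."""
    return line[len(prefix):].strip() if line.startswith(prefix) else None

def parse_mac_authen(text: str) -> Status:
    status, itf = Status(), None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if m := _USER.match(line):        # a row of the "Online user(s) info" table
            status.online_users.append((int(m[1]), m[2], int(m[3]), m[4], m[5]))
        elif m := _IFACE.match(line):     # start of a per-interface block
            itf = Interface(m[1], m[2], m[3] == "enabled")
            status.interfaces.append(itf)
        elif itf is None:                 # still in the global block
            if (v := _after(line, "Quiet period is")) is not None:
                status.quiet_period_s = int(v.rstrip("s"))
            elif (v := _after(line, "Global default domain is")) is not None:
                status.default_domain = v
        elif m := _COUNTS.match(line):
            itf.success, itf.failure = int(m[1]), int(m[2])
        elif (v := _after(line, "MAC access profile is")) is not None:
            itf.profile = v
        elif (v := _after(line, "Reauthentication is")) is not None:
            itf.reauth = v == "enabled"
        elif (v := _after(line, "Username format:")) is not None:
            itf.username_format = v
    return status

def audit(status: Status, max_failure_ratio: float = 0.5) -> list[str]:
    """Findings a reviewer would raise from the parsed output."""
    findings = []
    for itf in status.interfaces:
        if not itf.enabled:
            continue
        if not itf.reauth:
            findings.append(f"{itf.name}: re-authentication disabled (mac-authen reauthenticate)")
        if itf.username_format.startswith("fixed username"):
            findings.append(f"{itf.name}: all endpoints authenticate with one fixed user name")
        total = itf.success + itf.failure
        if total and itf.failure / total > max_failure_ratio:
            findings.append(f"{itf.name}: {itf.failure} of {total} authentications failed; "
                            "clear with reset mac-authen statistics and re-check")
    return findings
```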

display mac-authen quiet-user

Function

The display mac-authen quiet-user command displays information about MAC address authentication users who are quieted.

Format

display mac-authen quiet-user { all | mac-address mac-address }

Parameters

Parameter

Description

Value

all

Displays information about all MAC address authentication users who are quieted.

-

mac-address mac-address

Displays information about a specified MAC address authentication user who is quieted.

The value is in the H-H-H format. Each H is a hexadecimal number of 1 to 4 digits.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run this command to view information about MAC address authentication users who are quieted.

Example

# Display information about all MAC address authentication users who are quieted.

<HUAWEI> display mac-authen quiet-user all
-------------------------------------------------------------------------------
MacAddress                                                Quiet Remain Time(Sec)
-------------------------------------------------------------------------------
0001-0002-0003                                            50
-------------------------------------------------------------------------------
1 silent mac address(es) found, 1 printed. 
Table 13-58  Description of the display mac-authen quiet-user all command output

Item

Description

MacAddress

MAC address of a MAC address authentication user who is quieted.

Quiet Remain Time(Sec)

Remaining quiet time of a MAC address authentication user who is quieted, in seconds.

display portal

Function

The display portal command displays the Portal authentication configuration.

Format

display portal [ interface interface-type interface-number | configuration ]

Parameters

Parameter

Description

Value

interface interface-type interface-number

Displays Portal authentication information of a specified interface.

  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

If this parameter is not specified, Portal authentication information of all interfaces is displayed.

-

configuration

Displays the global Portal authentication information.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display portal command to view the Portal authentication configuration and check whether the configuration is correct.

Example

# Display the Portal authentication configuration.

<HUAWEI> display portal
  Portal max-user number:16384
  Quiet function is Enabled
  Different-server is Enabled 
  Parameter set:Quiet Period        60s   Quiet-times          3
  Logout packets resend: Resend-times 3  Timeout 5s
  Portal Https Redirect: Enable

  Vlanif10 protocol status: down, web-auth-server layer2(direct)
Table 13-59  Description of the display portal command output

Item

Description

Portal max-user number

Maximum number of concurrent Portal authentication users allowed to access the device. The value varies according to the device model.

To set the maximum number of concurrent Portal authentication users allowed to access the device, run the portal max-user command.

Quiet function is Enabled or Quiet function is Disabled

Whether the quiet function in Portal authentication is enabled:
  • Enabled
  • Disabled

To enable the quiet function, run the portal quiet-period command.

Different-server is Enabled or Different-server is Disabled

Whether a device is enabled to process user logout requests sent by a Portal server other than the one from which users log in:
  • Enabled
  • Disabled

To configure a device to process user logout requests sent by a Portal server other than the one from which users log in, run the portal logout different-server enable command.

Parameter set

Parameter settings of the quiet function in Portal authentication.
  • Quiet Period: indicates the quiet period in Portal authentication. To set the quiet period in Portal authentication, run the portal timer quiet-period command.
  • Quiet-times: indicates the maximum number of authentication failures within 60 seconds before a Portal authentication user enters the quiet state. To set the maximum number of authentication failures, run the portal quiet-times command.

Logout packets resend

Configuration of the logout packet re-transmission function for Portal authentication users.
  • Resend-times: indicates the number of re-transmission times for Portal authentication user logout packets.
  • Timeout: indicates the re-transmission interval of Portal authentication user logout packets.

To set the re-transmission interval, run the portal logout resend timeout command.

Portal Https Redirect

Whether HTTPS redirection of Portal authentication is enabled:

  • Enable
  • Disable

To enable this function, run the portal https-redirect enable command.

interface protocol status

Link layer protocol state of the interface and the enabled Portal authentication mode.

  • up: indicates that the interface is running properly.
  • down: indicates that the interface is disabled.
  • web-auth-server layer3: indicates that the authentication mode is set to Layer 3 Portal authentication on a specified interface.
  • web-auth-server layer2(direct): indicates that the authentication mode is set to Layer 2 Portal authentication on a specified interface.

display portal local-server connect

Function

The display portal local-server connect command displays the connection status of users to be authenticated on a built-in Portal server.

Format

display portal local-server connect [ user-ip ip-address ]

Parameters

Parameter

Description

Value

user-ip ip-address

Displays the connection entry of a user with a specified IP address on a built-in Portal server.

The connection entries of all users on the built-in Portal server are displayed if this parameter is not specified.

The value of ip-address is in dotted decimal notation.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display portal local-server connect command to check the authentication mode and status of users to be authenticated on a built-in Portal server.

Example

# Display the connection status of the user with the IP address 10.1.1.10 on a built-in Portal server.

<HUAWEI> display portal local-server connect user-ip 10.1.1.10
-----------------------------------------------------------------------------------------
 CID  IP Address   AuthMode  State    Session-timeout(hours)  
-----------------------------------------------------------------------------------------
 1    10.1.1.10    CHAP      ONLINE   8                       
------------------------------------------------------------------------------------------
Table 13-60  Description of the display portal local-server connect command output

Item

Description

CID

User table index.

IP Address

IP address of a user.

AuthMode

Authentication mode:
  • CHAP: The built-in Portal server uses CHAP to authenticate the user.
  • PAP: The built-in Portal server uses PAP to authenticate the user.

To set the authentication method, run the portal local-server authentication-method command.

State

User status:
  • WAIT_CHALLENGE: waiting for the challenge
  • WAIT_AUTHACK: waiting for the authentication response
  • ONLINE: online
  • WAIT_LOGOUTACK: waiting for logout

Session-timeout(hours)

The session timeout interval.

To set the session timeout interval, run the portal local-server timer session-timeout command.

display portal local-server

Function

The display portal local-server command displays the configurations of a built-in Portal server.

Format

display portal local-server

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After configuring the built-in Portal authentication, run this command to view the configurations of a built-in Portal server.

Example

# Display the configurations of a built-in Portal server.

<HUAWEI> display portal local-server
 Portal local-server config:
  server status                 : disable
  Heartbeat-check status        : auto
  Heartbeat-timeout value       : 60(s)
  server ip                     : 10.1.1.1
  authentication method         : chap
  protocol                      : -
  https ssl-policy              : -
  server port                   : 0
  session-timeout               : 8(h)
  syslog-limit                  : enable
  syslog-limit period           : 300(s)
  server pagename               : -
  server page-text              : -
  server policy-text            : -
  server background-image       : default-image0
  server background-color       : -
  server logo                   : -
  server ad-image               : -
Table 13-61  Description of the display portal local-server command output
Item

Description

server status

Status of a built-in Portal server. To enable the built-in Portal server function, run the portal local-server command.
  • disable: Portal authentication is disabled.
  • enable: Portal authentication is enabled.

Heartbeat-check status

Heartbeat detection status of the built-in Portal server. To set the heartbeat detection status, run the portal local-server keep-alive command.
  • disable: indicates that the heartbeat detection function is disabled.
  • enable: indicates the forcible detection mode.
  • auto: indicates the automatic detection mode.

Heartbeat-timeout value

Heartbeat detection interval of the built-in Portal server. To set the heartbeat detection interval, run the portal local-server keep-alive command.

This parameter is unavailable when the value of Heartbeat-check status is disable.

server ip

IP address of a built-in Portal server. To set the server IP address, run the portal local-server ip command.

authentication method

Authentication method used by a built-in Portal server for web users. To set the authentication method, run the portal local-server authentication-method command.
  • chap: CHAP-based authentication (CHAP stands for Challenge Handshake Authentication Protocol.)
  • pap: PAP-based authentication (PAP stands for Password Authentication Protocol.)

protocol

Protocol used for authentication information exchange between a built-in Portal server and users. To enable the built-in Portal server function, run the portal local-server command.

https ssl-policy

SSL policy used for authentication information exchange between a built-in Portal server and users. To enable the built-in Portal server function, run the portal local-server command.

server port

TCP port number used by HTTPS. To specify a TCP port number used by HTTPS, run the portal local-server command.

session-timeout

User session timeout interval configured on the built-in Portal server. To set the session timeout interval, run the portal local-server timer session-timeout command.

syslog-limit

Status of the log suppression function for built-in Portal authentication users. To enable or disable the log suppression function, run the portal local-server syslog-limit enable command.

  • disable: indicates that the log suppression function is disabled for built-in Portal authentication users.
  • enable: indicates that the log suppression function is enabled for built-in Portal authentication users.

syslog-limit period

Log suppression duration for built-in Portal authentication users. To set the log suppression duration, run the portal local-server syslog-limit period command.

server pagename

Name of the page file package loaded to the built-in Portal server. To set the package name, run the portal local-server load command.

server page-text

Use instruction page file loaded to the built-in Portal server. To load a use instruction page file, run the portal local-server page-text load command.

server policy-text

Disclaimer page loaded to the built-in Portal server. To load a disclaimer page, run the portal local-server policy-text load command.

server background-image

Background image of the built-in Portal server login page. To set the background image, run the portal local-server background-image load command.

server background-color

Background color of the built-in Portal server login page. To set the background color, run the portal local-server background-color command.

server logo

Logo file of the built-in Portal server login page. To load a logo file, run the portal local-server logo load command.

server ad-image

Advertisement image file of the built-in Portal server login page. To load an advertisement image file, run the portal local-server ad-image load command.

display portal local-server page-information

Function

The display portal local-server page-information command displays the page files loaded to the memory of a built-in Portal server.

Format

display portal local-server page-information

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display portal local-server page-information command to check the page files loaded to the memory of a built-in Portal server.

Example

# Display the page files loaded to the memory of a built-in Portal server.

<HUAWEI> display portal local-server page-information
--------------------------------------------------------------------------------
	  Number of backup pages:35                                                     
	  Size of backup pages:94438 byte                                            
--------------------------------------------------------------------------------
	  Name:/logout_success.html                                                  
	  Size:4042 byte                                                               
	  Last-Modified-Time:2011-12-16 20:24:46                                    
--------------------------------------------------------------------------------
Table 13-62  Description of the display portal local-server page-information command output

Item

Description

Number of backup pages

Number of page files loaded.

Size of backup pages

Total size of the loaded page files.

Name

Name of a page file.

Size

Size of a page file.

Last-Modified-Time

Last modification time.

display portal-access-profile configuration

Function

The display portal-access-profile configuration command displays the configuration of a Portal access profile.

Format

display portal-access-profile configuration [ name access-profile-name ]

Parameters

Parameter

Description

Value

name access-profile-name

Displays the configuration of a Portal access profile with a specified name.

If name access-profile-name is not specified, the device displays all the Portal access profiles configured on the device. If name access-profile-name is specified, the device displays the configuration of a specified Portal access profile.

The value must be the name of an existing Portal access profile.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After configuring a Portal access profile, you can run this command to check whether the configuration is correct.

NOTE:

The name of the compatibility profile converted after an upgrade begins with the at sign (@) and the profile is not counted in the configuration specification.

Example

# Display all the Portal access profiles configured on the device.

<HUAWEI> display portal-access-profile configuration
-------------------------------------------------------------------------------                                                     
 ID             Portal-access-profile Name                                                                                          
-------------------------------------------------------------------------------                                                     
 0              portal_access_profile                                                                                               
 1              p1                                                                                                                  
 2              p2                                                                                                                  
-------------------------------------------------------------------------------                                                     
 Total: 3 printed: 3.
Table 13-63  Description of the display portal-access-profile configuration command output

Item

Description

ID

Portal access profile ID.

Portal-access-profile Name

Portal access profile name.

# Display the configuration of the Portal access profile p1.

<HUAWEI> display portal-access-profile configuration name p1
  Profile name                      : p1
  Portal timer offline-detect length: 300
  Service-scheme name               : -
  Ucl-group name                    : -
  Re-auth                           : Disable
  Network IP Num                    : 1
  Network IP List                   : 10.1.1.0 255.255.255.0
  Web-auth-server Name              : abc
  Layer                             : Layer two portal
  Local-server                      : Disable
  Local-server anonymous            : Disable
  Pushed URL for anonymous users    : http://www.huawei.com
  Bound authentication profile      : p1
Table 13-64  Description of the display portal-access-profile configuration name command output

Item

Description

Profile name

Portal access profile name.

Portal timer offline-detect length

Offline detection interval for Portal authentication users.

To configure the interval, run the portal timer offline-detect command.

Service-scheme name

Name of the service scheme based on which the device assigns network access rights to users when the Portal server is Down.

To configure the service scheme name, run the authentication event portal-server-down action authorize command.

Ucl-group name

Name of the UCL group based on which the device assigns network access rights to users when the Portal server is Down.

To configure the UCL group name, run the authentication event portal-server-down action authorize command.

Re-auth

Whether the device is enabled to re-authenticate users when the Portal server changes from Down to Up.

  • Enable
  • Disable

To configure the function, run the authentication event portal-server-up action re-authen command.

Network IP Num

Number of source IP address segments for Portal authentication.

To configure the number, run the portal auth-network command.

Network IP List

Source IP address segment for Portal authentication.

To configure the source IP address segment, run the portal auth-network command.

Web-auth-server Name

Portal server profile bound to the Portal access profile.

To configure the Portal server profile, run the web-auth-server (Portal access profile view) command.

Layer

Portal authentication mode.

  • Layer two portal: Layer 2 authentication mode.
  • Layer three portal: Layer 3 authentication mode.

To configure the Portal authentication mode, run the web-auth-server (Portal access profile view) command.

Local-server

Whether the built-in Portal server function is enabled.

  • Enable
  • Disable

To configure the built-in Portal server function, run the portal local-server enable command.

Local-server anonymous

Whether the anonymous login function is enabled for users authenticated through the built-in Portal server.

  • Enable
  • Disable

To configure the anonymous login function, run the portal local-server anonymous command.

Pushed URL for anonymous users

Redirection URL specified during configuration of the anonymous login function for users authenticated through the built-in Portal server.

To configure the URL, run the portal local-server anonymous command.

Bound authentication profile

Authentication profile to which the portal access profile is bound.

To configure the authentication profile, run the portal-access-profile (authentication profile view) command.

display portal quiet-user

Function

The display portal quiet-user command displays information about Portal authentication users in quiet state.

Format

display portal quiet-user { all | user-ip ip-address | server-ip ip-address }

Parameters

Parameter

Description

Value

all

Displays information about all Portal authentication users in quiet state.

-

user-ip ip-address

Displays information about the quiet user with the specified IP address.

The value is in dotted decimal notation.

server-ip ip-address

Displays information about all the users in quiet state authenticated by the Portal authentication server with a specified IP address.

The value is in dotted decimal notation.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After the quiet timer is enabled, you can run the display portal quiet-user command to view information about Portal authentication users in quiet state.

Example

# Display information about all Portal authentication users in quiet state.

<HUAWEI> display portal quiet-user all
Quiet IP information
-------------------------------------------------------------------------------------
Quiet ip                                                    Quiet Remain Time(Sec)
------------------------------------------------------------------------------------
192.168.1.1                                                   10
192.168.1.2                                                   20
------------------------------------------------------------------------------------
2 quiet IP found, 2 printed.

# Display information about all the users in quiet state authenticated by the Portal authentication server with IP address 192.168.2.1.

<HUAWEI> display portal quiet-user server-ip 192.168.2.1
Quiet IP information
-------------------------------------------------------------------------------------
Quiet ip                                                    Quiet Remain Time(Sec)
------------------------------------------------------------------------------------
192.168.1.3                                                   10
192.168.1.4                                                   20
------------------------------------------------------------------------------------
2 quiet IP found, 2 printed.

# Display information about the user in quiet state at 192.168.1.1.

<HUAWEI> display portal quiet-user user-ip 192.168.1.1
 Quiet remain second     100
Table 13-65  Description of the display portal quiet-user command output

Item

Description

Quiet IP information

Information about the user in quiet state.

Quiet ip

IP address of the user in quiet state.

Quiet Remain Time(Sec)

Remaining quiet time of the user in quiet state, in seconds.

Quiet remain second

Remaining quiet period of the user in quiet state.

display portal url-encode configuration

Function

The display portal url-encode configuration command displays the configuration of URL encoding and decoding.

Format

display portal url-encode configuration

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After configuring URL encoding and decoding, you can run the display portal url-encode configuration command to check the configuration.

Example

# Display the configuration of URL encoding and decoding.

<HUAWEI> display portal url-encode configuration
  Portal URL Encode : Disable
Table 13-66  Description of the display portal url-encode configuration command output

Item

Description

Portal URL Encode

Whether URL encoding and decoding are enabled:
  • Disable
  • Enable

To configure the function, run the portal url-encode enable command.

display portal user-logout

Function

The display portal user-logout command displays temporary logout entries of Portal authentication users.

Format

display portal user-logout [ ip-address ip-address [ vpn-instance vpn-instance-name ] ]

NOTE:

The vpn-instance vpn-instance-name command is supported only by the S1720GW, S1720GW-E, S1720GWR, S1720GWR-E, S1720X, S1720X-E, S2720EI, S5720LI, S5720S-LI, S5720SI, S5720S-SI, S5730SI, S5730S-EI, S5720EI, S5720HI, S6720LI, S6720S-LI, S6720SI, S6720S-SI, S6720EI, and S6720S-EI.

Parameters

Parameter

Description

Value

ip-address ip-address

Displays temporary logout entries of the Portal authentication user with a specified IP address.

The value is in dotted decimal notation.

vpn-instance vpn-instance-name

Displays temporary logout entries of the Portal authentication user with a specified VPN instance.

The value must be an existing VPN instance name.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After a Portal authentication user goes offline, the device sends an offline request packet to the Portal server. If the device does not receive an ACK packet from the Portal server, it records a temporary logout entry of the user. You can run the display portal user-logout command to check temporary logout entries of Portal authentication users.

If the parameter ip-address ip-address [ vpn-instance vpn-instance-name ] is not specified, the temporary logout entries of all Portal authentication users are displayed.

Example

# Display the temporary logout entries of all Portal authentication users.

<HUAWEI> display portal user-logout
 --------------------------------------------------------------                                                                     
 UserIP           Vrf      Resend Times TableID                                                                                     
 --------------------------------------------------------------                                                                     
 192.168.111.100  1        3            0                                                                                           
 --------------------------------------------------------------                                                                     
 Total: 1, printed: 1
Table 13-67  Description of the display portal user-logout command output

Item

Description

UserIP

IP address of the Portal authentication user.

Vrf

VPN instance that the Portal authentication user belongs to.

Resend Times

Number of times the logout packet has been retransmitted.

To set the number of logout packet retransmissions, run the portal logout resend timeout command.

TableID

Index of the temporary logout entry.

Total: m, printed: n

Total number of temporary logout entries and number of displayed entries.

display server-detect state

Function

The display server-detect state command displays the status of a Portal server.

Format

display server-detect state [ web-auth-server server-name ]

Parameters

Parameter

Description

Value

web-auth-server server-name

Displays information about the Portal server status configured in the specified Portal server profile.

If this parameter is not specified, the status of all Portal servers is displayed.

The Portal server profile name must exist.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

When an external Portal server is used for Portal authentication, you can run the display server-detect state command to check information about the Portal server status.

Example

# Display information about the Portal server status configured in the Portal server profile abc.

<HUAWEI> display server-detect state web-auth-server abc
  Web-auth-server     :    abc                      
  Total-servers       :    4                                                    
  Live-servers        :    1                                                    
  Critical-num        :    0                                                    
  Status              :    Normal                                               
  Ip-address               Status                                               
  192.168.2.1              UP                                                   
  192.168.2.2              DOWN                                                 
  192.168.2.3              DOWN                                                 
  192.168.2.4              DOWN  
Table 13-68  Description of the display server-detect state command output

Item

Description

Web-auth-server

Name of the Portal server profile.

Total-servers

Number of Portal servers configured.

Live-servers

Number of Portal servers in Up state.

Critical-num

Minimum number of Portal servers in Up state. If the number of Portal servers is less than this value, enable the survival function in the corresponding Portal server profile view.

Status

Status of the Portal server. The values are as follows:
  • Normal: indicates that the Portal server is in normal state. When Total-servers in the command output is larger than Critical-num, Status is displayed as Normal. If the server-ip server-ip-address &<1-10> command is not run in the Portal server template view to configure an IP address for the Portal server, Status is displayed as Normal.
  • Abnormal: indicates that the Portal server is in abnormal state. When Total-servers in the command output is less than or equal to Critical-num, Status is displayed as Abnormal.

Ip-address

IP address of the Portal server.

Status

Whether the Portal server with the specified IP address is reachable. The values are as follows:
  • UP: reachable
  • DOWN: unreachable
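
The following is an added example, not Huawei code: a monitoring check that parses the display server-detect state output shown above and applies the Status rule from the table (Normal when Total-servers is larger than Critical-num). Treating any DOWN server as a degraded pool is this example's own alerting policy, not a device behaviour.

```python
"""Health check over 'display server-detect state' output.

Added example, not Huawei code. SAMPLE_OUTPUT is the output shown on this
page for profile abc; the Normal/Abnormal rule follows the output
description (Status is Normal when Total-servers is larger than
Critical-num). Treating any DOWN server as a degraded pool is this
example's own monitoring policy, not a device behaviour.
"""
import re
from dataclasses import dataclass, field

# Command output copied from the page's example (web-auth-server abc).
SAMPLE_OUTPUT = """\
  Web-auth-server     :    abc
  Total-servers       :    4
  Live-servers        :    1
  Critical-num        :    0
  Status              :    Normal
  Ip-address               Status
  192.168.2.1              UP
  192.168.2.2              DOWN
  192.168.2.3              DOWN
  192.168.2.4              DOWN
"""

# "Key : value" header lines and "ip STATE" table rows.
KV_RE = re.compile(r"^\s*([A-Za-z-]+)\s*:\s*(\S+)\s*$")
ROW_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(UP|DOWN)\s*$")


@dataclass
class ServerDetectState:
    profile: str
    total_servers: int
    live_servers: int
    critical_num: int
    status: str
    servers: dict = field(default_factory=dict)  # ip -> "UP" / "DOWN"

    def expected_status(self) -> str:
        """Status the device should report, per the rule on the page."""
        return "Normal" if self.total_servers > self.critical_num else "Abnormal"

    def down_servers(self) -> list:
        """Configured Portal servers that detection currently marks DOWN."""
        return sorted(ip for ip, st in self.servers.items() if st != "UP")

    def findings(self) -> list:
        """Monitoring findings a defender would alert on."""
        out = []
        if self.status != self.expected_status():
            out.append(f"status {self.status} contradicts counters")
        if self.live_servers == 0:
            out.append("no Portal server reachable: users cannot authenticate")
        elif self.down_servers():
            out.append(f"degraded: {len(self.down_servers())} of "
                       f"{self.total_servers} servers DOWN")
        return out


def parse_server_detect(text: str) -> ServerDetectState:
    """Parse one profile's output into a ServerDetectState."""
    kv, servers = {}, {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m:
            kv[m.group(1)] = m.group(2)
            continue
        m = ROW_RE.match(line)
        if m:
            servers[m.group(1)] = m.group(2)
    state = ServerDetectState(
        profile=kv["Web-auth-server"],
        total_servers=int(kv["Total-servers"]),
        live_servers=int(kv["Live-servers"]),
        critical_num=int(kv["Critical-num"]),
        status=kv["Status"],
        servers=servers,
    )
    # Cross-check the counters against the per-server rows before trusting them.
    if len(servers) != state.total_servers:
        raise ValueError("Total-servers does not match the server rows")
    if sum(1 for s in servers.values() if s == "UP") != state.live_servers:
        raise ValueError("Live-servers does not match the UP rows")
    return state


if __name__ == "__main__":
    st = parse_server_detect(SAMPLE_OUTPUT)
    print(st.profile, st.status, st.expected_status(), st.down_servers())
    for f in st.findings():
        print("FINDING:", f)
```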

display static-user

Function

The display static-user command displays static user information.

Format

display static-user [ domain-name domain-name | interface interface-type interface-number | ip-address start-ip-address [ end-ip-address ] | vpn-instance vpn-instance-name ] *

NOTE:

The vpn-instance vpn-instance-name command is supported only by the S1720GW, S1720GW-E, S1720GWR, S1720GWR-E, S1720X, S1720X-E, S2720EI, S5720LI, S5720S-LI, S5720SI, S5720S-SI, S5730SI, S5730S-EI, S5720EI, S5720HI, S6720LI, S6720S-LI, S6720SI, S6720S-SI, S6720EI, and S6720S-EI.

Parameters

Parameter

Description

Value

domain-name domain-name

Displays static user information in a specified domain.

The value must be an existing domain name on the device.

interface interface-type interface-number

Displays static user information on a specified interface.
  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

-

ip-address start-ip-address [ end-ip-address ]

Displays static user information in a specified IP address range.

The value is in dotted decimal notation.

vpn-instance vpn-instance-name

Displays static user information in a specified VPN instance.

The value must be an existing VPN instance name on the device.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After a static user is configured, you can run the display static-user command to view the static user information.

Example

# Display information about all static users configured.

<HUAWEI> display static-user
 IP-address       Interface       MAC-address    VPN
-------------------------------------------------------------------------------
 10.1.1.6         GE0/0/1         0001-0001-0001 -
 10.1.1.7         GE0/0/1         0001-0001-0001 -
 10.1.1.8         GE0/0/1         0001-0001-0001 -
 10.1.1.10        -               0002-0002-0002 -
 10.1.1.11        -               0002-0002-0002 -
 10.1.1.12        -               0002-0002-0002 -
-------------------------------------------------------------------------------
Total item(s) number= 6, displayed number= 6 

Ip-static-user enable status:
-------------------------------------------------------------------------------
 Vlanif10 : success
------------------------------------------------------------------------------- 
Total item(s) number= 1, displayed number= 1 
Table 13-69  Description of the display static-user command output

Item

Description

IP-address

IP address of a static user.

Interface

Interface connected to a static user.

MAC-address

MAC address of a static user.

VPN

VPN instance to which a static user belongs.

Total item(s) number= m, displayed number= n

The total number of entries is m and the number of displayed entries is n.

Ip-static-user enable status

Whether the function of identifying static users through IP addresses is enabled.

To configure the function, run the ip-static-user enable command.

if-n : success

The function of identifying static users through IP addresses is enabled on interface if-n.

display ucl-group all

Function

The display ucl-group all command displays information about all UCL groups that are created.

NOTE:

This command is supported only by the S5720EI, S5720HI, S6720EI, and S6720S-EI.

Format

display ucl-group all

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After creating UCL groups using the ucl-group command, you can run the display ucl-group all command to check information about the UCL groups.

Example

# Display information about all UCL groups.
<HUAWEI> display ucl-group all
ID       UCL group name                                                         
--------------------------------------------------------------------------------
10       huawei                                                                 
--------------------------------------------------------------------------------
Total : 1    
Table 13-70  Description of the display ucl-group all command output

Item

Description

ID

Index of a UCL group.

UCL group name

Name of a UCL group.

display ucl-group ip

Function

The display ucl-group ip command displays IP address information of static UCL groups.

NOTE:

This command is supported only by the S5720EI, S5720HI, S6720EI, and S6720S-EI.

Format

display ucl-group ip ip-address { mask-length | ip-mask }

display ucl-group ip { group-index | name group-name | static | local-access-user | all } [ verbose ]

Parameters

Parameter

Description

Value

ip-address

Displays information about the static UCL group with a specified IP address.

The value must be the IP address of an existing static UCL group.

mask-length

Specifies the mask length of the IP address.

The value must be the IP address mask length of an existing static UCL group.

ip-mask

Specifies the mask of the IP address.

The value must be the IP address mask of an existing static UCL group.

group-index

Displays information about the static UCL group with a specified index.

The value must be the index of an existing static UCL group.

name group-name

Displays information about the static UCL group with a specified name.

The value must be the name of an existing static UCL group.

static

Displays information about static UCL groups.

-

local-access-user

Displays information about dynamic UCL groups.

-

all

Displays information about all static UCL groups.

-

verbose

Displays detailed information about the static UCL group.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

This command shows the IP addresses of UCL groups, both those added manually (using the ucl-group ip command) and those generated dynamically when users go online and are granted UCL groups. When a user goes online successfully, the device grants a UCL group to the user and adds the user's IP address (with a 32-bit mask) to that UCL group. When the user goes offline or the user's IP address changes, the device deletes the corresponding IP address from the UCL group.

Example

# Display IP address information of all UCL groups.
<HUAWEI> display ucl-group ip all
S : static L : local-access-user                                                
IP/Mask              ID    UCL group name                   Type                
--------------------------------------------------------------------------------
10.9.9.4/32          1     g1                               S                   
10.10.0.0/16         2     g2                               S                   
10.9.9.6/32          1     g1                               L                   
--------------------------------------------------------------------------------
Total : 3        Static : 2        Local-access-user : 1    
# Display detailed information about all static UCL groups.
<HUAWEI> display ucl-group ip static verbose
--------------------------------------------------------------------------------                                                    
IP/Mask              : 10.9.9.4/32                                                                                                 
UCL group ID         : 1                                                                                                           
UCL group name       : g1                                                                                                           
Type                 : static                                                                                                       
Status on slot 0     : Success                                                                                                      
                                                                                                                                    
IP/Mask              : 10.10.0.0/16                                                                                                  
UCL group ID         : 2                                                                                                           
UCL group name       : g2                                                                                                           
Type                 : static                                                                                                       
Status on slot 0     : Success                                                                                                      
--------------------------------------------------------------------------------                                                    
Total : 2        Static : 2        Local-access-user : 0 
# Display detailed information about all dynamic UCL groups.
<HUAWEI> display ucl-group ip local-access-user verbose
--------------------------------------------------------------------------------                                                    
IP/Mask              : 10.9.9.6/32                                                                                                 
UCL group ID         : 1                                                                                                           
UCL group name       : g1                                                                                                           
Type                 : local-access-user                                        
Status on slot 0     : Success                                                                                                      
--------------------------------------------------------------------------------                                                    
Total : 1        Static : 0        Local-access-user : 1 
Table 13-71  Description of the display ucl-group ip command output

Item

Description

IP/Mask

IP address and mask of a UCL group.

ID

Index of a UCL group.

UCL group ID

Index of a UCL group.

UCL group name

Name of a UCL group.

Type

UCL group types, including:
  • static: static UCL group
  • local-access-user: UCL group to which local users belong

Status on slot n

UCL group status on slot n.
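
The following is an added example, not Huawei code: a model of the UCL group IP table described in the usage guidelines (static prefixes added with ucl-group ip, /32 host entries added when a user comes online and removed on logout or IP change), populated with the g1/g2 data from the example output. Longest-prefix matching in lookup() is an assumption of the model, not documented device behaviour.

```python
"""Model of UCL group IP membership as described for 'display ucl-group ip'.

Added example, not Huawei code. Static entries are prefixes added by hand
(the ucl-group ip command); dynamic (local-access-user) entries are /32
hosts the device adds when a user comes online and removes when the user
goes offline or changes IP address, as the page states. Longest-prefix
matching in lookup() is an assumption of this model, not documented
device behaviour. The sample data mirrors the page's example output.
"""
from ipaddress import ip_address, ip_network

STATIC, DYNAMIC = "S", "L"  # the S / L legend of the page's output


class UclGroupTable:
    def __init__(self):
        self._names = {}    # group id -> group name
        self._entries = {}  # (IPv4Network, group id) -> STATIC or DYNAMIC

    def create_group(self, group_id, name):
        self._names[group_id] = name

    def add_static(self, prefix, group_id):
        """Equivalent of 'ucl-group ip': a manually added prefix."""
        self._entries[(ip_network(prefix, strict=False), group_id)] = STATIC

    def user_online(self, user_ip, group_id):
        """User authenticated and was granted a group: add host/32."""
        self._entries[(ip_network(f"{user_ip}/32"), group_id)] = DYNAMIC

    def user_offline(self, user_ip):
        """User went offline: remove that host's dynamic entries."""
        self._remove_dynamic(user_ip)

    def user_ip_changed(self, old_ip, new_ip):
        """Old dynamic entry deleted; same group re-added for the new IP."""
        for gid in self._remove_dynamic(old_ip):
            self.user_online(new_ip, gid)

    def _remove_dynamic(self, user_ip):
        host = ip_network(f"{user_ip}/32")
        gone = [k for k, kind in self._entries.items()
                if k[0] == host and kind == DYNAMIC]
        for k in gone:
            del self._entries[k]
        return [gid for _, gid in gone]

    def lookup(self, ip):
        """Group name whose most specific entry covers ip (assumed rule)."""
        addr = ip_address(ip)
        best = None
        for net, gid in self._entries:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gid)
        return None if best is None else self._names[best[1]]

    def counts(self):
        """The Total / Static / Local-access-user summary line."""
        static = sum(1 for kind in self._entries.values() if kind == STATIC)
        return {"Total": len(self._entries), "Static": static,
                "Local-access-user": len(self._entries) - static}

    def rows(self):
        """(ip/mask, id, name, type) rows in the layout of the page's table."""
        return sorted(
            (str(net), gid, self._names[gid], kind)
            for (net, gid), kind in self._entries.items()
        )


def build_sample():
    """Table matching the page's 'display ucl-group ip all' example."""
    t = UclGroupTable()
    t.create_group(1, "g1")
    t.create_group(2, "g2")
    t.add_static("10.9.9.4/32", 1)
    t.add_static("10.10.0.0/16", 2)
    t.user_online("10.9.9.6", 1)   # user came online and was granted g1
    return t


if __name__ == "__main__":
    table = build_sample()
    for row in table.rows():
        print(row)
    print(table.counts(), table.lookup("10.10.3.7"))
```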

display url-template

Function

The display url-template command displays information about URL templates.

Format

display url-template { all | name template-name }

Parameters

Parameter

Description

Value

all

Displays information about all configured URL templates.

-

name template-name

Displays information about the URL template with a specified name.

The value must be the name of an existing URL template.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After a URL template is configured, run the display url-template command to view information about the URL template.

Example

# Display information about all configured URL templates.
<HUAWEI> display url-template all

-------------------------------------------------------------------------------
  Name                              URL     Start  Assignment  Isolate
                                    Number  Mark   Mark        Mark
-------------------------------------------------------------------------------
  huawei                            0       ?      =           &
  huawei2                           0       ?      =           &
  huawei3                           0       ?      =           &
-------------------------------------------------------------------------------
  Total 3                 
# Display information about the URL template huawei.
<HUAWEI> display url-template name huawei
  Name : huawei
  URL  :
  Start mark      : ?
  Assignment mark : =
  Isolate mark    : &

  AC IP           :
  AC MAC          :
  AP IP           :
  AP MAC          :
  SSID            :
  User MAC        :
  Redirect URL    :
  User IP address :
  Sysname         :
  Delimiter       :
  Format          :
  Login URL Key   : logiurl
  Login URL       : http:\\huawei.com
Table 13-72  Description of the display url-template command output

Item

Description

Name

Name of a URL template.

URL Number

Number of URLs.

URL

URL of the Portal server. To configure this parameter, run the url (URL template view) command.

Start mark/Start Mark

Start character in the URL. To configure this parameter, run the parameter command.

Assignment mark/Assignment Mark

Assignment character in the URL. To configure this parameter, run the parameter command.

Isolate mark/Isolate Mark

Delimiter between URLs. To configure this parameter, run the parameter command.

AC IP

Name of ac-ip in the URL. To configure this parameter, run the url-parameter command.

AC MAC

Name of ac-mac in the URL. To configure this parameter, run the url-parameter command.

AP IP

Name of ap-ip in the URL. To configure this parameter, run the url-parameter command.

AP MAC

Name of ap-mac in the URL. To configure this parameter, run the url-parameter command.

SSID

Name of ssid in the URL. To configure this parameter, run the url-parameter command.

User MAC

Name of user-mac in the URL. To configure this parameter, run the url-parameter command.

Redirect URL

Name of redirect-url in the URL. To configure this parameter, run the url-parameter command.

User IP address

Name of the user IP address parameter in the URL. To configure this parameter, run the url-parameter command.

Sysname

Name of sysname in the URL. To configure this parameter, run the url-parameter command.

Delimiter

Delimiter between MAC addresses in the URL. To configure this parameter, run the url-parameter mac-address format command.

Format

Format of MAC addresses in the URL. To configure this parameter, run the url-parameter mac-address format command.

Login URL Key

Identification keyword for the login URL sent to the Portal server during redirection. To configure this parameter, run the url-parameter command.

Login URL

Device login URL. To configure this parameter, run the url-parameter command.
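
The following is an added example, not Huawei code: it assembles a Portal redirect URL from the template fields listed above (URL, start/assignment/isolate marks, url-parameter names, MAC delimiter and format, login URL key). The way the fields are combined, the MAC format values, the Portal server URL and the parameter names are this example's assumptions; the user values are taken from the static-user example on this page.

```python
"""Build the Portal redirect URL from URL-template settings.

Added example, not Huawei code. The template fields (URL, start /
assignment / isolate marks, the per-parameter names set with url-parameter,
the MAC delimiter and format, the login URL key) are those listed in the
'display url-template' output on this page. How they are combined
(URL + start mark + name=value pairs joined by the isolate mark) and the
MAC format values (hex digits per group, 2 or 4) are this example's
assumptions; the Portal server URL and parameter names are constructed.
"""
from urllib.parse import parse_qs, quote, urlsplit


class UrlTemplate:
    def __init__(self, name, url, start_mark="?", assignment_mark="=",
                 isolate_mark="&", mac_delimiter="-", mac_group=4,
                 login_url_key=None, login_url=None, **param_names):
        # param_names maps a parameter kind (user_ip, user_mac, redirect_url,
        # ssid, ac_ip, ...) to the name the Portal server expects in the URL.
        self.name = name
        self.url = url
        self.start_mark = start_mark
        self.assignment_mark = assignment_mark
        self.isolate_mark = isolate_mark
        self.mac_delimiter = mac_delimiter
        self.mac_group = mac_group
        self.login_url_key = login_url_key
        self.login_url = login_url
        self.param_names = param_names

    def format_mac(self, mac):
        """Apply the template's Delimiter and Format to a MAC address."""
        digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
        if len(digits) != 12:
            raise ValueError(f"not a MAC address: {mac!r}")
        if self.mac_group not in (2, 4):
            raise ValueError("mac_group must be 2 or 4 (assumed Format values)")
        return self.mac_delimiter.join(
            digits[i:i + self.mac_group] for i in range(0, 12, self.mac_group))

    def build(self, **values):
        """Redirect URL for one user; values are keyed like param_names."""
        pairs = []
        for kind, name in self.param_names.items():
            if kind not in values:
                continue
            value = values[kind]
            if kind.endswith("_mac"):
                value = self.format_mac(value)
            # Percent-encode every value: the user's original URL contains
            # '?', '=' and '&', and an unencoded copy would be parsed as
            # extra parameters by the Portal server.
            pairs.append(f"{name}{self.assignment_mark}{quote(str(value), safe='')}")
        if self.login_url_key and self.login_url:
            pairs.append(f"{self.login_url_key}{self.assignment_mark}"
                         f"{quote(self.login_url, safe='')}")
        if not pairs:
            return self.url
        return self.url + self.start_mark + self.isolate_mark.join(pairs)


def decode_query(redirect_url):
    """What a Portal server using the standard ?, =, & marks sees."""
    return {k: v[0] for k, v in parse_qs(urlsplit(redirect_url).query).items()}


# Constructed template: marks and login URL key from the page's 'huawei'
# template; server URL, login URL and parameter names are made up here.
TEMPLATE = UrlTemplate(
    "huawei", "http://portal.example.net/login",
    start_mark="?", assignment_mark="=", isolate_mark="&",
    mac_delimiter="-", mac_group=4,
    login_url_key="logiurl", login_url="http://10.1.1.1/login",
    user_ip="userip", user_mac="usermac", redirect_url="url", ssid="ssid",
)


def sample_redirect():
    """Redirect for the static user 10.1.1.6 / 0001-0001-0001 on the page."""
    return TEMPLATE.build(
        user_ip="10.1.1.6",
        user_mac="0001-0001-0001",
        redirect_url="http://intranet.example/index?id=7&lang=en",
    )


if __name__ == "__main__":
    url = sample_redirect()
    print(url)
    print(decode_query(url))
```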

display snmp-agent trap feature-name mid_aaa all

Function

The display snmp-agent trap feature-name mid_aaa all command displays the status of all traps on the AAA module.

Format

display snmp-agent trap feature-name mid_aaa all

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

After enabling the trap function for the AAA module, you can run this command to check the status of all traps on the AAA module. To enable the trap function for the AAA module, run the snmp-agent trap enable feature-name mid_aaa command.

Prerequisites

The SNMP function has been enabled on the device. For details, see snmp-agent.

Example

# Display the status of all traps on the AAA module.

<HUAWEI> display snmp-agent trap feature-name mid_aaa all
------------------------------------------------------------------------------  
Feature name: MID_AAA                                                           
Trap number : 2                                                                 
------------------------------------------------------------------------------  
Trap name                       Default switch status   Current switch status   
hwMacMovedQuietMaxUserAlarm     on                      on                      
hwMacMovedQuietUserClearAlarm   on                      on                      
Table 13-73  Description of the display snmp-agent trap feature-name mid_aaa all command output

Item

Description

Feature name

Name of the module to which a trap belongs.

Trap number

Number of traps.

Trap name

Name of a trap. Traps on the AAA module include:

  • hwMacMovedQuietMaxUserAlarm: A Huawei proprietary trap is sent when the ratio of MAC address migration users in quiet state to the maximum number of users exceeds the upper alarm threshold.

  • hwMacMovedQuietUserClearAlarm: A Huawei proprietary trap is sent when the ratio of MAC address migration users in quiet state to the maximum number of users decreases to or below the lower alarm threshold.

Default switch status

Default status of the trap function:
  • on: The trap function is enabled by default.

  • off: The trap function is disabled by default.

Current switch status

Trap status:

  • on: The trap is enabled.

  • off: The trap is disabled.

display snmp-agent trap feature-name mid_eapol all

Function

The display snmp-agent trap feature-name mid_eapol all command displays the status of all traps on the DOT1X module.

Format

display snmp-agent trap feature-name mid_eapol all

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

After enabling the trap function for the DOT1X module, you can run this command to check the status of all traps on the DOT1X module. To enable the trap function for the DOT1X module, run the snmp-agent trap enable feature-name mid_eapol command.

Prerequisites

The SNMP function has been enabled on the device. For details, see snmp-agent.

Example

# Display the status of all traps on the DOT1X module.

<HUAWEI> display snmp-agent trap feature-name mid_eapol all
------------------------------------------------------------------------------                                                      
Feature name: MID_EAPOL                                                                                                             
Trap number : 2                                                                                                                     
------------------------------------------------------------------------------                                                      
Trap name                       Default switch status   Current switch status                                                       
hwSrvcfgEapMaxUserAlarm         on                      on                                                                          
hwMacAuthenMaxUserAlarm         on                      on 
Table 13-74  Description of the display snmp-agent trap feature-name mid_eapol all command output

Item

Description

Feature name

Name of the module to which a trap belongs.

Trap number

Number of traps.

Trap name

Name of a trap. Traps on the DOT1X module include:

  • hwSrvcfgEapMaxUserAlarm: The device sends a Huawei proprietary trap when the number of 802.1X authentication users reaches the maximum number allowed on an interface.

  • hwMacAuthenMaxUserAlarm: The device sends a Huawei proprietary trap when the number of MAC address authentication users reaches the maximum number allowed on an interface.

Default switch status

Default status of the trap function:
  • on: The trap function is enabled by default.

  • off: The trap function is disabled by default.

Current switch status

Trap status:

  • on: The trap is enabled.

  • off: The trap is disabled.

display snmp-agent trap feature-name mid_web all

Function

The display snmp-agent trap feature-name mid_web all command displays the status of all traps on the web authentication module.

Format

display snmp-agent trap feature-name mid_web all

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

After enabling the trap function for the web authentication module, you can run this command to check the status of all traps on the web authentication module. To enable the trap function for the web authentication module, run the snmp-agent trap enable feature-name mid_web command.

Prerequisites

The SNMP function has been enabled on the device. For details, see snmp-agent.

Example

# Display the status of all traps on the web authentication module.

<HUAWEI> display snmp-agent trap feature-name mid_web all
------------------------------------------------------------------------------                                                      
Feature name: MID_WEB                                                                                                               
Trap number : 4                                                                                                                     
------------------------------------------------------------------------------                                                      
Trap name                       Default switch status   Current switch status                                                       
hwPortalServerUp                on                      on                                                                          
hwPortalServerDown              on                      on                                                                          
hwPortalMaxUserAlarm            on                      on                                                                          
hwPortalUserClearAlarm          on                      on 
Table 13-75  Description of the display snmp-agent trap feature-name mid_web all command output

Item

Description

Feature name

Name of the module to which a trap belongs.

Trap number

Number of traps.

Trap name

Name of a trap. Traps on the web authentication module include:

  • hwPortalServerUp: The device sends a Huawei proprietary trap when it detects that the Portal server changes from Down to Up.

  • hwPortalServerDown: The device sends a Huawei proprietary trap when it detects that the Portal server changes from Up to Down.

  • hwPortalMaxUserAlarm: The device sends a Huawei proprietary trap when the number of online Portal authentication users exceeds the upper threshold.

  • hwPortalUserClearAlarm: The device sends a Huawei proprietary trap when the number of online Portal authentication users falls below the lower threshold.

Default switch status

Default status of the trap function:
  • on: The trap function is enabled by default.

  • off: The trap function is disabled by default.

Current switch status

Trap status:

  • on: The trap is enabled.

  • off: The trap is disabled.

display web-auth-server configuration

Function

The display web-auth-server configuration command displays the Portal server configuration.

Format

display web-auth-server configuration

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After the Portal server template is configured, run the display web-auth-server configuration command to view the Portal server configuration.

Example

# Display the Portal server configuration.

<HUAWEI> display web-auth-server configuration
  Listening port        : 2000
  Portal                : version 1, version 2
  Include reply message : enabled

------------------------------------------------------------------------------- 
  Enabled protocol      : https
  Listening port        : 8443 
  SSL policy            : default_policy

-------------------------------------------------------------------------------
  Web-auth-server Name : huawei
  IP-address           :
  Shared-key           :
  Source-IP            : -
  Port / PortFlag      : 50100 / NO
  URL                  : https://192.168.2.10:8443/webauth
  URL Template         :
  URL Template ParaName:                                                        
  URL Template IVName  :                                                        
  URL Template Key     :                       
  Redirection          : Enable
  Sync                 : Disable
  Sync Seconds         : 300
  Sync Max-times       : 3
  Detect               : Disable
  Detect Seconds       : 60
  Detect Max-times     : 3
  Detect Critical-num  : 0
  Detect Action        :
  VPN Instance         :
  Bound Portal profile :

  Protocol             : http
  Http Get-method      : disable 
  Password Encrypt     : none
  Cmd ParseKey         : cmd
  Username ParseKey    : username
  Password ParseKey    : password
  MAC Address ParseKey : macaddress
  IP Address ParseKey  : ipaddress
  Initial URL ParseKey : initurl
  Login Cmd            : login  
  Logout Cmd           : logout
  Login Success 
       Reply Type      : redirect initial URL
       Redirect URL    :
       Message         : LoginSuccess!
  Login Fail 
       Reply Type      : redirect login URL
       Redirect URL    :
       Message         : LoginFail!
  Logout Success 
       Reply Type      : message
       Redirect URL    :
       Message         : LogoutSuccess!
  Logout Fail 
       Reply Type      : message
       Redirect URL    :
       Message         : LogoutFail!

-------------------------------------------------------------------------------
  1 Web authentication server(s) in total                    
Table 13-76  Description of the display web-auth-server configuration command output

Item

Description

Listening port

Listening port for Portal protocol packets.

To configure a listening port, run the web-auth-server listening-port command.

Portal

Portal protocol version.

  • version 1, version 2: The device supports both V1.0 and V2.0.
  • version 2: The device supports V2.0.

To configure the Portal protocol version, run the web-auth-server version command.

Include reply message

Whether the packets sent from the device to the Portal server contain authentication responses.

  • enabled
  • disabled

To enable the device to transparently transmit authentication responses of users sent by the authentication server to the Portal server, run the web-auth-server reply-message command.

Enabled protocol

Enabled HTTP or HTTPS protocol.

  • http
  • https

To enable the HTTP or HTTPS protocol, run the portal web-authen-server command.

Listening port

HTTP or HTTPS port number.

To configure the HTTP or HTTPS port number, run the portal web-authen-server command.

SSL policy

SSL policy referenced by the HTTPS protocol.

To configure the SSL policy referenced by the HTTPS protocol, run the portal web-authen-server command.

Web-auth-server Name

Name of the Portal server template.

To configure the Portal server template name, run the web-auth-server (system view) command.

IP-address

IP address of the Portal server.

To configure the IP address of the Portal server, run the server-ip (Portal server profile view) command.

Shared-key

Shared key of the Portal server.

To configure the shared key of the Portal server, run the shared-key (Portal server profile view) command.

Source-IP

IP address used for communication with the Portal server.

To configure the IP address used for communication with the Portal server, run the source-ip (Portal server profile view) command.

Port / PortFlag

  • Port: indicates the port number of the Portal server.
  • PortFlag: indicates whether packets are always sent through this port.

To configure the port number of the Portal server, run the port (Portal server profile view) command.

URL

URL of the Portal server.

To configure the URL of the Portal server, run the url (Portal server profile view) command.

URL Template

URL template bound to the Portal server template.

To configure the URL template, run the url-template (Portal server profile view) command.

URL Template ParaName

Encrypted URL parameter name.

To configure the URL template, run the url-template (Portal server profile view) command.

URL Template IVName

Initialization vector (IV) used in URL parameter encryption.

To configure the URL template, run the url-template (Portal server profile view) command.

URL Template Key

Key used in URL parameter encryption.

To configure the URL template, run the url-template (Portal server profile view) command.

Redirection

Redirection status of Portal authentication.
  • Disable: Redirection of Portal authentication is disabled.
  • Enable: Redirection of Portal authentication is enabled.

To configure redirection of Portal authentication, run the web-redirection disable (Portal server profile view) command.

Sync

User information synchronization.

To enable user information synchronization, run the user-sync command.

Sync Seconds

User information synchronization interval.

To set the user information synchronization interval, run the user-sync command.

Sync Max-times

Maximum number of times that user information synchronization fails.

To set the maximum number of times that user information synchronization fails, run the user-sync command.

Detect

Portal server detection function.

To configure the Portal server detection function, run the server-detect command.

Detect Seconds

Detection interval of the Portal server.

To set the detection interval of the Portal server, run the server-detect command.

Detect Max-times

Maximum number of detection failures.

To set the maximum number of detection failures, run the server-detect command.

Detect Critical-num

Minimum number of Portal servers in Up state.

To configure this function, run the server-detect command.

Detect Action

Action taken after the number of detection failures exceeds the maximum.
  • log: The device sends logs after the number of detection failures exceeds the maximum.
  • trap: The device sends traps after the number of detection failures exceeds the maximum.

To configure an action taken after the number of detection failures exceeds the maximum, run the server-detect command.

VPN Instance

VPN instance used in Portal authentication.

To configure the VPN instance, run the vpn-instance (Portal server template view) command.

Bound Portal profile

Portal access profile to which the Portal server template is bound.

To configure the Portal access profile, run the web-auth-server (Portal access profile view) command.

Http Get-method

Whether users submit user name and password information to the device in GET mode:

  • disable: GET mode is not used.
  • enable: GET mode is used.

To configure the GET mode, run the http get-method enable command.

Protocol

Protocol used in Portal authentication.

  • Portal
  • http

To configure the protocol used in Portal authentication, run the protocol (Portal server template view) command.

Password Encrypt

Whether the password is encrypted:

  • none: The password is not encrypted.
  • uam: The password is encrypted using the ASCII character mode.

To configure the password encryption mode, run the protocol (Portal server template view) command.

Cmd ParseKey

Command identification keyword.

To configure the command identification keyword, run the http-method post command.

Username ParseKey

User name identification keyword.

To configure the user name identification keyword, run the http-method post command.

Password ParseKey

User password identification keyword.

To configure the user password identification keyword, run the http-method post command.

MAC Address ParseKey

User MAC address identification keyword.

To configure the user MAC address identification keyword, run the http-method post command.

IP Address ParseKey

User IP address identification keyword.

To configure the user IP address identification keyword, run the http-method post command.

Initial URL ParseKey

User initial login URL identification keyword.

To configure the user initial login URL identification keyword, run the http-method post command.

Login Cmd

User login identification keyword.

To configure the user login identification keyword, run the http-method post command.

Logout Cmd

User logout identification keyword.

To configure the user logout identification keyword, run the http-method post command.

Login Success

User login success.

Reply Type

Redirection response type.

  • redirect initial URL: A user is redirected to the initial login URL after successful login.
  • redirect login URL: A user is redirected to the login URL after a login failure.
  • message: specifies the displayed message.
  • redirect URL: A user is redirected to a specified URL.

To configure the redirection response type, run the http-method post command.

Redirect URL

Redirection URL.

To configure the redirection URL, run the http-method post command.

Message

Displayed message.

To configure the displayed message, run the http-method post command.

Login Fail

User login failure.

Logout Success

User logout success.

Logout Fail

User logout failure.

domain mac-authen force

Function

The domain mac-authen force command configures a forcible domain for MAC address authentication users.

The undo domain mac-authen force command deletes a configured forcible domain for MAC address authentication users.

By default, no forcible domain is configured for MAC address authentication users.

Format

domain domain-name mac-authen force mac-address mac-address mask mask

undo domain domain-name mac-authen force mac-address mac-address

Parameters

Parameter

Description

Value

domain-name

Specifies the forcible domain name.

The value must be an existing domain name on the device.

mac-address mac-address mask mask

Specifies a MAC address range within which the MAC address authentication users use the forcible domain.
  • mac-address mac-address: specifies the user MAC address.
  • mask mask: specifies the MAC address mask.

NOTE:

A maximum of 16 MAC address ranges can be specified.

Both the MAC address and mask are in the H-H-H format. Each H is a hexadecimal number of 1 to 4 digits.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can configure a forcible domain for MAC address authentication users within a specified MAC address range in the system view.

Prerequisites

A domain has been created using the domain (AAA view) command.

Precautions

The forcible domain, the domain carried in the user name, and the default domains configured in different views take effect in the following descending order of priority:
  • Forcible domain with a specified authentication mode in an authentication profile
  • Forcible domain in an authentication profile
  • Authentication domain carried in the user name
  • Default domain with a specified authentication mode in an authentication profile
  • Default domain in an authentication profile
  • Global default domain

A forcible domain specified for MAC address authentication users within a MAC address range has the highest priority and takes precedence over the forcible domain configured in an authentication profile.

This function takes effect only for users who go online after this function is successfully configured.

Example

# In the system view, configure the forcible domain huawei for MAC address authentication users within the MAC address range specified using MAC address E024-7F95-7231 and mask FFFF-FFFF-FF00.
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] domain huawei
[HUAWEI-aaa-domain-huawei] quit
[HUAWEI-aaa] quit
[HUAWEI] domain huawei mac-authen force mac-address e024-7f95-7231 mask ffff-ffff-ff00
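The following Python model is an added illustration and is not Huawei code. It shows how entries created with this command (at most 16) are matched against a user's MAC address by masking, and how the resulting domain ranks against the other domain sources listed under Precautions. The user@domain split of the user name and the dictionary keys used for the authentication-profile settings are assumptions made for this example.

```python
"""Forcible-domain lookup for MAC address authentication users.

Added illustration, not Huawei code: models how entries created with
'domain <name> mac-authen force mac-address <mac> mask <mask>' (at most 16,
per the command reference) are matched against a user's MAC address, and
how the resulting domain ranks against the other domain sources listed
under Precautions. MAC address and mask use the H-H-H format, each H being
1 to 4 hexadecimal digits. The user@domain split and the dictionary keys
of the authentication profile are assumptions for this example.
"""
from typing import Dict, List, Optional, Tuple

MAX_RANGES = 16  # stated limit on MAC address ranges


def parse_hhh(value: str) -> int:
    """Convert an H-H-H MAC address or mask (e.g. 'e024-7f95-7231') to a 48-bit int."""
    parts = value.lower().split("-")
    if len(parts) != 3:
        raise ValueError(f"expected H-H-H format: {value!r}")
    result = 0
    for part in parts:
        if not 1 <= len(part) <= 4 or any(c not in "0123456789abcdef" for c in part):
            raise ValueError(f"each H must be 1 to 4 hex digits: {value!r}")
        result = (result << 16) | int(part, 16)
    return result


class ForcibleDomainTable:
    """Ordered table of (domain, mac, mask) ranges; the first matching range wins."""

    def __init__(self) -> None:
        self._ranges: List[Tuple[str, int, int]] = []

    def add(self, domain: str, mac: str, mask: str) -> None:
        if len(self._ranges) >= MAX_RANGES:
            raise ValueError(f"at most {MAX_RANGES} MAC address ranges can be specified")
        self._ranges.append((domain, parse_hhh(mac), parse_hhh(mask)))

    def remove(self, domain: str, mac: str) -> bool:
        """Mirror of the undo form, which names the domain and MAC address but no mask."""
        target = parse_hhh(mac)
        before = len(self._ranges)
        self._ranges = [r for r in self._ranges if not (r[0] == domain and r[1] == target)]
        return len(self._ranges) < before

    def lookup(self, user_mac: str) -> Optional[str]:
        """Domain of the first range whose masked bits equal the user's masked bits."""
        user = parse_hhh(user_mac)
        for domain, mac, mask in self._ranges:
            if user & mask == mac & mask:
                return domain
        return None


def domain_from_username(username: str, delimiter: str = "@") -> Optional[str]:
    """Domain carried in the user name; user@domain is an assumption of this example."""
    if delimiter not in username:
        return None
    return username.rsplit(delimiter, 1)[1] or None


def select_domain(table: ForcibleDomainTable, user_mac: str, username: str,
                  profile: Dict[str, Optional[str]], global_default: str) -> str:
    """Apply the precedence given under Precautions, highest priority first.

    The MAC-range forcible domain outranks every authentication-profile setting;
    the profile keys below are example names, not device configuration items.
    """
    candidates = [
        table.lookup(user_mac),
        profile.get("force_domain_for_auth_mode"),
        profile.get("force_domain"),
        domain_from_username(username),
        profile.get("default_domain_for_auth_mode"),
        profile.get("default_domain"),
        global_default,
    ]
    return next(c for c in candidates if c)


if __name__ == "__main__":
    table = ForcibleDomainTable()
    table.add("huawei", "e024-7f95-7231", "ffff-ffff-ff00")  # the CLI example above
    print(table.lookup("E024-7F95-72AB"))  # inside the range: huawei
    print(table.lookup("e024-7f95-7331"))  # outside the range: None
```

The mask FFFF-FFFF-FF00 from the CLI example matches the 256 addresses E024-7F95-7200 through E024-7F95-72FF, so a user with MAC address E024-7F95-72AB is placed in domain huawei even if the user name carries a different domain.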

dot1x authentication-method

Function

The dot1x authentication-method command configures an 802.1X authentication mode.

The undo dot1x authentication-method command restores the default configuration.

The default 802.1X authentication mode is eap, which indicates Extensible Authentication Protocol (EAP) relay authentication.

Format

dot1x authentication-method { chap | pap | eap }

undo dot1x authentication-method

Parameters

Parameter

Description

Value

chap

Specifies EAP termination authentication using the Challenge Handshake Authentication Protocol (CHAP).

-

pap

Specifies EAP termination authentication using the Password Authentication Protocol (PAP).

-

eap

Specifies Extensible Authentication Protocol (EAP) relay authentication.

-

Views

802.1X access profile view

Default Level

2: Configuration level

Usage Guidelines

During 802.1X authentication, users exchange authentication information with the device using EAP packets. The device uses two modes to exchange authentication information with the RADIUS server.
  • EAP termination: The device directly parses EAP packets, encapsulates user authentication information into a RADIUS packet, and sends the packet to the RADIUS server for authentication. EAP termination is classified into PAP or CHAP authentication.

    • PAP is a two-way handshake authentication protocol. It transmits passwords in plain text format in RADIUS packets.
    • CHAP is a three-way handshake authentication protocol. It transmits only user names but not passwords in RADIUS packets. CHAP is more secure and reliable than PAP. If higher security is required, CHAP is recommended.
  • EAP relay (specified by eap): The device encapsulates EAP packets into RADIUS packets and sends the RADIUS packets to the RADIUS server. The device does not parse the received EAP packets but encapsulates them into RADIUS packets. This mechanism is called EAP over RADIUS (EAPoR).

The processing capability of the RADIUS server determines whether EAP termination or EAP relay is used. If the RADIUS server can parse a large number of EAP packets and complete authentication itself, EAP relay is recommended. If it cannot, EAP termination is recommended, and the device parses the EAP packets on behalf of the RADIUS server. Whichever mode is configured, ensure that both the client and the server support it; otherwise, users cannot pass authentication.
NOTE:
  • The EAP relay can be configured for 802.1X users only when RADIUS authentication is used.

  • If AAA local authentication is used, the authentication mode for 802.1X users can only be set to EAP termination.

  • Because mobile phones do not support EAP termination mode (PAP and CHAP), the 802.1X authentication + local authentication mode cannot be configured for mobile phones. Terminals such as laptop computers support EAP termination mode only after having third-party clients installed.

  • If the 802.1X client uses the MD5 encryption mode, the user authentication mode on the device can be set to EAP or CHAP; if the 802.1X client uses the PEAP authentication mode, the authentication mode on the device can be set to EAP.

  • In a wireless access scenario, if WPA or WPA2 authentication mode is configured in the security policy profile, 802.1X authentication does not support pre-authentication domain-based authorization.
  • If 802.1X users on an interface have gone online, changing the user authentication mode in the 802.1X access profile bound to the interface will make the online 802.1X users go offline.

Example

# In the 802.1X access profile d1, configure the device to use PAP authentication for 802.1X users.

<HUAWEI> system-view
[HUAWEI] dot1x-access-profile name d1
[HUAWEI-dot1x-access-profile-d1] dot1x authentication-method pap
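The Python example below is added here and is not Huawei code. It shows what the two EAP termination modes put into the RADIUS request: in CHAP mode the client answers with MD5(Identifier || password || Challenge) as defined in RFC 1994, so only that 16-octet response reaches the server, whereas in PAP mode the password value itself is carried. EAP-MD5 uses the same computation (RFC 3748 section 5.4), which is why an EAP-MD5 client can be terminated into CHAP on the device, as the NOTE above states. The attribute names follow RFC 2865, but the dictionaries are a constructed simplification of a RADIUS request (the User-Password hiding of RFC 2865 section 5.2 is left out), and the user database and challenge are constructed sample values.

```python
"""CHAP challenge/response as carried by EAP termination in CHAP mode.

Added example, not Huawei code. Shows why CHAP mode keeps the password out
of the RADIUS packet while PAP mode carries it: the client answers with
MD5(Identifier || password || Challenge) (RFC 1994), and EAP-MD5 uses the
same computation (RFC 3748 section 5.4), which is why an EAP-MD5 client
can be terminated into CHAP on the device. RADIUS attribute names follow
RFC 2865; the dicts are a constructed simplification of a RADIUS request,
and the User-Password hiding of RFC 2865 section 5.2 is left out.
"""
import hashlib
import hmac
from typing import Dict

Attributes = Dict[str, bytes]


def chap_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """MD5 over Identifier, secret and Challenge, in that order (RFC 1994 section 4.1)."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def terminate_to_chap(username: str, identifier: int, password: bytes,
                      challenge: bytes) -> Attributes:
    """Device in CHAP mode: only the 16-octet response travels to RADIUS.

    CHAP-Password is the CHAP Ident octet followed by the response (RFC 2865 5.3).
    """
    return {
        "User-Name": username.encode(),
        "CHAP-Password": bytes([identifier]) + chap_response(identifier, password, challenge),
        "CHAP-Challenge": challenge,
    }


def terminate_to_pap(username: str, password: bytes) -> Attributes:
    """Device in PAP mode: the password value itself is placed in User-Password."""
    return {"User-Name": username.encode(), "User-Password": password}


def radius_verify_chap(request: Attributes, user_db: Dict[str, bytes]) -> bool:
    """RADIUS server side: recompute the response from the stored password.

    CHAP therefore requires the server to hold passwords in a recoverable form.
    """
    stored = user_db.get(request["User-Name"].decode(errors="replace"))
    if stored is None or len(request["CHAP-Password"]) != 17:
        return False
    ident = request["CHAP-Password"][0]
    expected = chap_response(ident, stored, request["CHAP-Challenge"])
    return hmac.compare_digest(expected, request["CHAP-Password"][1:])


def radius_verify_pap(request: Attributes, user_db: Dict[str, bytes]) -> bool:
    """RADIUS server side for PAP: compare the received password with the stored one."""
    stored = user_db.get(request["User-Name"].decode(errors="replace"))
    return stored is not None and hmac.compare_digest(stored, request["User-Password"])


def password_on_wire(request: Attributes, password: bytes) -> bool:
    """True if the password bytes appear in any attribute of the request."""
    return any(password in value for value in request.values())


# Constructed sample values for a stand-alone run (not from the reference).
USER_DB = {"alice": b"s3cret-pw"}
CHALLENGE = bytes.fromhex("0123456789abcdef0123456789abcdef")

if __name__ == "__main__":
    chap_req = terminate_to_chap("alice", 7, b"s3cret-pw", CHALLENGE)
    pap_req = terminate_to_pap("alice", b"s3cret-pw")
    print("CHAP verified:", radius_verify_chap(chap_req, USER_DB))
    print("password visible in CHAP request:", password_on_wire(chap_req, b"s3cret-pw"))
    print("password visible in PAP request:", password_on_wire(pap_req, b"s3cret-pw"))
```

Running the module shows the CHAP request verifying without the password appearing in any attribute, while the PAP request carries it. The flip side, visible in radius_verify_chap, is that the server must be able to recover the cleartext password to recompute the digest, which constrains how the RADIUS user store is kept.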

dot1x eap-notify-packet

Function

The dot1x eap-notify-packet command configures the device to send EAP packets with a code number to 802.1X users.

The undo dot1x eap-notify-packet command restores the default configuration.

By default, the device does not send EAP packets with a code number to users.

Format

dot1x eap-notify-packet eap-code code-number data-type type-number

undo dot1x eap-notify-packet [ eap-code code-number data-type type-number ]

Parameters

Parameter

Description

Value

eap-code code-number

Specifies the code number in EAP packets sent by the device.

The value is an integer that ranges from 5 to 255. The default value is 255.

data-type type-number

Specifies the data type in EAP packets sent by the device.

The value is an integer that ranges from 1 to 255. The default value is 255.

Views

802.1X access profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When a non-Huawei device used as the RADIUS server sends RADIUS packets with attribute 61, EAP packet code number 0xa (hexadecimal notation, 10 in decimal notation), and data type being 0x19 (hexadecimal notation, 25 in decimal notation) to the device, run the dot1x eap-notify-packet command on the device so that the device can send EAP packets with code number 0xa and data type 0x19 to users. If the dot1x eap-notify-packet command is not executed, the device does not process EAP packets of this type and users are disconnected.

Precautions

The device can only send EAP packets with code number 10 and data type 25.

Example

# In the 802.1X access profile d1, configure the device to send EAP packets with code number 10 and data type 25 to users.

<HUAWEI> system-view
[HUAWEI] dot1x-access-profile name d1
[HUAWEI-dot1x-access-profile-d1] dot1x eap-notify-packet eap-code 10 data-type 25

dot1x handshake

Function

The dot1x handshake command enables the device to send handshake packets to online 802.1X users.

The undo dot1x handshake command disables the device from sending handshake packets to online 802.1X users.

By default, the device handshake function is disabled for online 802.1X users.

Format

dot1x handshake

undo dot1x handshake

Parameters

None

Views

802.1X access profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To check whether an 802.1X user is online in real time, you can run the dot1x handshake command to enable the device to send handshake packets to the 802.1X user. The device sends handshake request packets to the user. If the user sends a response packet within the handshake interval (set using the dot1x timer command), the device considers that the user is online. If the user does not send any response packet within the interval, the device considers that the user is offline.

Precautions

If a client does not support the handshake function, the device will not receive handshake response packets within the handshake interval and considers that the user is offline. Therefore, disable the device from sending handshake packets to an online 802.1X user when the user's client does not support the handshake function.

This function takes effect only for wired users.

Example

# In the 802.1X access profile d1, enable the device to send handshake packets to online 802.1X users.

<HUAWEI> system-view
[HUAWEI] dot1x-access-profile name d1
[HUAWEI-dot1x-access-profile-d1] dot1x handshake

dot1x handshake packet-type

Function

The dot1x handshake packet-type command sets the type of 802.1X authentication handshake packets.

The undo dot1x handshake packet-type command restores the default type of 802.1X authentication handshake packets.

By default, the type of 802.1X authentication handshake packets is request-identity.

Format

dot1x handshake packet-type { request-identity | srp-sha1-part2 }

undo dot1x handshake packet-type

Parameters

Parameter

Description

Value

request-identity

Indicates that the type of 802.1X authentication handshake packets is request-identity.

-

srp-sha1-part2

Indicates that the type of 802.1X authentication handshake packets is srp-sha1-part2.

-

Views

802.1X access profile view

Default Level

2: Configuration level

Usage Guidelines

During 802.1X authentication, different vendors' devices support different handshake packet types. By default, the device uses 802.1X authentication handshake packets of the request-identity type. If a device connected to the switch uses the 802.1X authentication handshake packets of the srp-sha1-part2 type, run the dot1x handshake packet-type command to set the type of 802.1X authentication handshake packets to srp-sha1-part2.
NOTE:

The dot1x handshake packet-type command takes effect only for users that log in after the command is run.

This function takes effect only for wired users.

Example

# In the 802.1X access profile d1, set the type of 802.1X authentication handshake packets to srp-sha1-part2.

<HUAWEI> system-view
[HUAWEI] dot1x-access-profile name d1
[HUAWEI-dot1x-access-profile-d1] dot1x handshake packet-type srp-sha1-part2

dot1x mc-trigger

Function

The dot1x mc-trigger command enables multicast-triggered 802.1X authentication.

The undo dot1x mc-trigger command disables multicast-triggered 802.1X authentication.

By default, multicast-triggered 802.1X authentication is enabled.

Format

dot1x mc-trigger

undo dot1x mc-trigger

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

If a client (for example, the built-in 802.1X client of the Windows operating system) cannot send an EAPOL-Start packet to perform 802.1X authentication, you can enable multicast-triggered 802.1X authentication. After that, the device multicasts an EAP-Request/Identity packet to the client to trigger authentication.

Example

# Enable multicast-triggered 802.1X authentication.

<HUAWEI> system-view
[HUAWEI] dot1x mc-trigger

dot1x mc-trigger port-up-send enable

Function

The dot1x mc-trigger port-up-send enable command enables the function of triggering 802.1X authentication through multicast packets immediately after an interface goes Up.

The undo dot1x mc-trigger port-up-send enable command disables the function of triggering 802.1X authentication through multicast packets immediately after an interface goes Up.

By default, the function of triggering 802.1X authentication through multicast packets immediately after an interface goes Up is disabled.

Format

dot1x mc-trigger port-up-send enable

undo dot1x mc-trigger port-up-send enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

By default, the device periodically multicasts EAP-Request/Identity packets to clients so that the clients are triggered to send EAPOL-Start packets for 802.1X authentication. If the device interface connecting to a client changes from Down to Up, the client needs to send EAPOL-Start packets again for 802.1X authentication, which takes a long time. You can run the dot1x mc-trigger port-up-send enable command on the device to enable the device interface to multicast EAP-Request/Identity packets to the client to trigger 802.1X authentication immediately after the interface goes Up. This configuration shortens the re-authentication time.

Example

# Enable the function of triggering 802.1X authentication through multicast packets immediately after an interface goes Up.

<HUAWEI> system-view
[HUAWEI] dot1x mc-trigger port-up-send enable

dot1x port-control

Function

The dot1x port-control command sets the authorization state of an interface.

The undo dot1x port-control command restores the default authorization state of an interface.

By default, the authorization state of an interface is auto.

Format

dot1x port-control { auto | authorized-force | unauthorized-force }

undo dot1x port-control

Parameters

Parameter

Description

Value

auto

Indicates the auto identification mode. In this mode, an interface is initially in Unauthorized state and only allows users to send and receive EAPOL packets. Users cannot access network resources. After the users are authenticated, the interface becomes authorized and allows the users to access network resources.

-

authorized-force

Indicates the forcible authorization mode. In this mode, the interface is always in Authorized state and allows users to access network resources without authentication and authorization.

-

unauthorized-force

Indicates the forcible unauthorized mode. In this mode, the interface is always in Unauthorized state and forbids users to access network resources.

-

Views

802.1X access profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The auto mode is recommended. Only authenticated users can access network resources. To trust all users on an interface without authentication, configure the authorized-force mode. To disable access rights of all users on an interface to ensure security, configure the unauthorized-force mode.

Precautions

If 802.1X users on an interface have gone online, changing the authorization state in the 802.1X access profile bound to the interface will make the online 802.1X users go offline.

It is recommended that you set the authorization state of an interface in the early stage of network deployment. When the network is running properly, run the cut access-user command to disconnect all users from the interface before changing the authorization state.

Example

# Configure the authorization state of an interface as unauthorized-force in 802.1X access profile d1.

<HUAWEI> system-view
[HUAWEI] dot1x-access-profile name d1
[HUAWEI-dot1x-access-profile-d1] dot1x port-control unauthorized-force

dot1x quiet-period

Function

The dot1x quiet-period command enables the quiet function for 802.1X authentication users.

The undo dot1x quiet-period command disables the quiet function for 802.1X authentication users.

By default, the quiet function is enabled for 802.1X authentication users.

Format

dot1x quiet-period

undo dot1x quiet-period

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

After the quiet timer function is enabled, if the number of authentication failures of an 802.1X user exceeds the value set using the dot1x quiet-times command within 60 seconds, the user enters a quiet period. During the quiet period, the device discards 802.1X authentication request packets from the user. This prevents repeated authentication attempts from degrading system performance.

The value of the quiet timer is set using the dot1x timer quiet-period command. When the quiet timer expires, the device re-authenticates the user.

Example

# Enable the quiet timer.

<HUAWEI> system-view
[HUAWEI] dot1x quiet-period

dot1x quiet-times

Function

The dot1x quiet-times command sets the maximum number of authentication failures within 60 seconds before an 802.1X user enters the quiet state.

The undo dot1x quiet-times command restores the default setting.

By default, an 802.1X user enters the quiet state after 10 authentication failures within 60 seconds.

Format

dot1x quiet-times fail-times

undo dot1x quiet-times

Parameters

Parameter

Description

Value

fail-times

Specifies the maximum number of authentication failures before the 802.1X user enters the quiet state.

The value is an integer that ranges from 1 to 10.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

After the quiet timer function is enabled using the dot1x quiet-period command, if the number of authentication failures of an 802.1X user exceeds the value set using the dot1x quiet-times command within 60 seconds, the user enters the quiet state. This prevents repeated authentication attempts from degrading system performance.

Example

# Set the maximum number of authentication failures within 60 seconds before an 802.1X user enters the quiet state to 4.

<HUAWEI> system-view
[HUAWEI] dot1x quiet-times 4
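The following Python model is an added example, not Huawei code, and covers the behaviour described for both dot1x quiet-period and dot1x quiet-times: failures are counted per user MAC address over a 60-second window, reaching fail-times failures puts the user in the quiet state for the quiet period set with dot1x timer quiet-period, and requests arriving during that period are discarded. The reference says "exceeds" in one place and "after 10 failures" in another; this model triggers when fail-times failures are reached, which is an assumption, as is the use of the MAC address as the per-user key. Time is passed in explicitly so the logic can be exercised without waiting.

```python
"""Quiet-state logic for 802.1X authentication failures.

Added model, not Huawei code. When a user's authentication failures reach
fail-times within a 60-second window (dot1x quiet-times, default 10), the
user is quiet for quiet-period seconds (dot1x timer quiet-period, default
60) and 802.1X requests from it are discarded until the timer expires.
Assumptions: the threshold triggers when fail-times is reached, the user
is keyed by MAC address, and time is supplied by the caller in seconds.
"""
from collections import deque
from typing import Deque, Dict

FAILURE_WINDOW = 60.0  # seconds, fixed by the command reference


class QuietStateTracker:
    def __init__(self, fail_times: int = 10, quiet_period: float = 60.0,
                 enabled: bool = True) -> None:
        if not 1 <= fail_times <= 10:
            raise ValueError("fail-times ranges from 1 to 10")
        self.fail_times = fail_times
        self.quiet_period = quiet_period
        self.enabled = enabled  # dot1x quiet-period / undo dot1x quiet-period
        self._failures: Dict[str, Deque[float]] = {}
        self._quiet_until: Dict[str, float] = {}

    def is_quiet(self, mac: str, now: float) -> bool:
        """True while the user's quiet timer is running; clears it once expired."""
        until = self._quiet_until.get(mac)
        if until is None:
            return False
        if now >= until:
            del self._quiet_until[mac]  # quiet timer expired: requests are processed again
            return False
        return True

    def accept_request(self, mac: str, now: float) -> bool:
        """True if the device processes this 802.1X request, False if it is discarded."""
        return not (self.enabled and self.is_quiet(mac, now))

    def record_failure(self, mac: str, now: float) -> bool:
        """Record one authentication failure; return True if the user just went quiet."""
        if not self.enabled:
            return False
        window = self._failures.setdefault(mac, deque())
        window.append(now)
        while window and now - window[0] > FAILURE_WINDOW:
            window.popleft()  # drop failures older than the 60-second window
        if len(window) >= self.fail_times:
            self._quiet_until[mac] = now + self.quiet_period
            window.clear()
            return True
        return False


if __name__ == "__main__":
    # Constructed failure times for the CLI example above (fail-times 4).
    tracker = QuietStateTracker(fail_times=4, quiet_period=60.0)
    for t in (0, 10, 20, 30):
        print(f"t={t:>3}s failure, entered quiet state: {tracker.record_failure('00e0-fc01-0005', t)}")
    print("request at t=40s accepted:", tracker.accept_request("00e0-fc01-0005", 40))
    print("request at t=90s accepted:", tracker.accept_request("00e0-fc01-0005", 90))
```

The sliding window matters for tuning: with fail-times 4, failures at 0, 30, 59 and 61 seconds do not trigger the quiet state, because the first failure has aged out of the window by the time the fourth arrives.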

dot1x reauthenticate mac-address

Function

The dot1x reauthenticate mac-address command enables re-authentication for an online 802.1X user with the specified MAC address.

By default, re-authentication is disabled for an online 802.1X user with the specified MAC address.

Format

dot1x reauthenticate mac-address mac-address

Parameters

Parameter

Description

Value

mac-address

Specifies the MAC address of an 802.1X user to be re-authenticated.

The value is a unicast MAC address in H-H-H format, where H can be one to four hexadecimal digits.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

For details, see dot1x reauthenticate.

Both the dot1x reauthenticate mac-address and dot1x reauthenticate commands re-authenticate online 802.1X users. They differ as follows:
  • The dot1x reauthenticate mac-address command makes the device re-authenticate the specified user once.
  • The dot1x reauthenticate command makes the device re-authenticate all users periodically.

Example

# Enable re-authentication for an 802.1X user with the MAC address of 00e0-fc01-0005.

<HUAWEI> system-view
[HUAWEI] dot1x reauthenticate mac-address 00e0-fc01-0005

dot1x reauthenticate

Function

The dot1x reauthenticate command configures re-authentication for online 802.1X authentication users.

The undo dot1x reauthenticate command restores the default configuration.

By default, re-authentication is not configured for online 802.1X authentication users.

Format

dot1x reauthenticate

undo dot1x reauthenticate

Parameters

None

Views

802.1X access profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After modifying the authentication parameters of a user on the authentication server, the administrator must re-authenticate the user in real time to ensure user validity if the user has been online.

After the user goes online, the device saves authentication parameters of the user. After re-authentication is configured for online 802.1X authentication users using the dot1x reauthenticate command in the 802.1X access profile, the device automatically sends the user authentication parameters in the 802.1X access profile to the authentication server at an interval (specified using the dot1x timer reauthenticate-period reauthenticate-period-value command) for re-authentication. If the user authentication information on the authentication server remains unchanged, the users are kept online. If the information has been changed, the users are disconnected and need to be re-authenticated based on the changed authentication parameters.

Precautions

After re-authentication is configured for online 802.1X authentication users, a large number of 802.1X authentication logs are generated.

If the device is connected to a server for re-authentication and the server replies with a re-authentication deny message that makes an online user go offline, it is recommended that you locate the cause of the re-authentication failure on the server or disable the re-authentication function on the device.

Example

# In the 802.1X access profile d1, configure re-authentication for online 802.1X authentication users.

<HUAWEI> system-view
[HUAWEI] dot1x-access-profile name d1
[HUAWEI-dot1x-access-profile-d1] dot1x reauthenticate

dot1x retry

Function

The dot1x retry command configures the number of times an authentication request or handshake packet is retransmitted to an 802.1X user.

The undo dot1x retry command restores the default configuration.

By default, the device can retransmit an authentication request or handshake packet to an 802.1X user twice.

Format

dot1x retry max-retry-value

undo dot1x retry

Parameters

Parameter

Description

Value

max-retry-value

Specifies the number of times an authentication request or handshake packet is retransmitted to an 802.1X user.

The value is an integer that ranges from 1 to 10.

Views

802.1X access profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If the device does not receive any response from a user within a specified time after sending an authentication request or handshake packet to the user, the device sends the authentication request or handshake packet again. If the authentication request or handshake packet has been sent for the maximum retransmission times and no response is received, the user authentication or handshake fails. In this process, the total number of authentication requests or handshake packets sent by the device is max-retry-value plus 1.

Precautions

Repeated authentication requests occupy a lot of system resources. When using the dot1x retry command, you can set the maximum number of times according to user requirements and device resources. The default value is recommended.

The following table lists the intervals at which the device retransmits different types of packets and related commands.

Packet Type

Interval for Retransmitting Packets

Command

EAP-Request/Identity packet (MAC address bypass authentication is disabled)

tx-period-value

dot1x timer tx-period tx-period-value

EAP-Request/Identity packet (MAC address bypass authentication is enabled)

Integer part of the value calculated using the following formula: delay-time-value/(max-retry-value + 1)

dot1x timer mac-bypass-delay delay-time-value

EAP-Request/MD5 Challenge packet

client-timeout-value

dot1x timer client-timeout client-timeout-value

Handshake packet

handshake-period-value

dot1x timer handshake-period handshake-period-value

Example

# In the 802.1X access profile d1, configure the number of times an authentication request or handshake packet can be retransmitted to 802.1X users to 4.

<HUAWEI> system-view
[HUAWEI] dot1x-access-profile name d1
[HUAWEI-dot1x-access-profile-d1] dot1x retry 4

dot1x timer

Function

The dot1x timer command configures the parameters of each 802.1X timer.

The undo dot1x timer command restores the default settings.

For the default parameter settings of each 802.1X timer, see the parameter description.

Format

dot1x timer { client-timeout client-timeout-value | reauthenticate-period reauthenticate-period-value | handshake-period handshake-period-value | eth-trunk-access handshake-period handshake-period-value }

undo dot1x timer { client-timeout | reauthenticate-period | handshake-period | eth-trunk-access handshake-period }

Parameters

Parameter

Description

Value

client-timeout client-timeout-value

Specifies the client authentication timeout interval.

NOTE:

On the network, some terminals may be slow to respond to EAP-Request/MD5 Challenge packets sent by the device. If the delay is long, increase client-timeout client-timeout-value so that these terminals can go online. The adjustment rule is as follows:

3 x client-timeout client-timeout-value > Terminal response delay

The value is an integer that ranges from 1 to 120, in seconds.

By default, the client authentication timeout interval is 5 seconds.

reauthenticate-period reauthenticate-period-value

Specifies the periodic re-authentication period for online 802.1X users.

The value is an integer that ranges from 60 to 7200, in seconds.

By default, the periodic re-authentication period is 3600 seconds for online 802.1X users.

handshake-period handshake-period-value

Specifies the interval at which the device handshakes with an 802.1X client on a non-Eth-Trunk interface.

The value is an integer that ranges from 5 to 7200, in seconds.

By default, the interval for sending handshake packets is 15s.

eth-trunk-access handshake-period handshake-period-value

Specifies the interval at which the device handshakes with an 802.1X client on an Eth-Trunk.

The value is an integer that ranges from 30 to 7200, in seconds.

By default, the interval for sending handshake packets is 120s.

Views

802.1X access profile view

Default Level

2: Configuration level

Usage Guidelines

During 802.1X authentication, multiple timers are started to implement proper and orderly interactions between access users, access devices, and the authentication server. You can change the values of timers by running the dot1x timer command to adjust the interaction process. (The values of some timers cannot be changed.) This command is necessary in special network environments. It is recommended that you retain the default settings of the timers.

This command only sets the values of the timers. To enable the timers, perform corresponding configurations or use default settings.

  • The client authentication timeout timer and the interval for sending authentication requests are enabled by default. You can run the dot1x retry command to configure the number of retransmissions of authentication request packets when the client authentication times out.
  • The re-authentication timer for online 802.1X users is disabled by default. To enable this timer, run the dot1x reauthenticate command.
  • The online 802.1X user handshake function is disabled by default. You can run the dot1x handshake command to enable the online 802.1X user handshake function. The handshake function takes effect only for wired users.
NOTE:

It is recommended that the re-authentication interval be set to the default value. If multiple ACLs need to be delivered during user authorization, you are advised to disable the re-authentication function or set a longer re-authentication interval to improve the device's processing performance.

In remote authentication and authorization, if the re-authentication interval is set to a shorter time, the CPU usage may be higher.

To reduce the impact on the device performance when many users exist, the user re-authentication interval may be longer than the configured re-authentication interval.

Example

# In the 802.1X access profile d1, set the client authentication timeout interval to 90 seconds.

<HUAWEI> system-view
[HUAWEI] dot1x-access-profile name d1
[HUAWEI-dot1x-access-profile-d1] dot1x timer client-timeout 90

dot1x timer mac-bypass-delay

Function

The dot1x timer mac-bypass-delay command configures the 802.1X authentication timeout timer after which MAC address authentication is performed.

The undo dot1x timer mac-bypass-delay command restores the default configuration.

By default, the device performs MAC address authentication if 802.1X authentication is not successful within 30 seconds.

Format

dot1x timer mac-bypass-delay delay-time-value

undo dot1x timer mac-bypass-delay

Parameters

Parameter

Description

Value

delay-time-value

Specifies the value of the 802.1X authentication timeout timer after which MAC address authentication is performed.

The value is an integer in the range 1 to 300, in seconds.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

After MAC address bypass authentication is configured, the device performs 802.1X authentication first and starts the timer configured using the dot1x timer mac-bypass-delay delay-time-value command. If 802.1X authentication is not successful before the timer expires, the device performs MAC address authentication on users. You can run the dot1x retry max-retry-value command to set the number of times an authentication request is retransmitted to an 802.1X user. The retransmission interval is the integer part of the value calculated using the following formula: delay-time-value/(max-retry-value + 1)

Example

# Configure the device to perform MAC address authentication if 802.1X authentication is not successful within 60 seconds.

<HUAWEI> system-view
[HUAWEI] dot1x timer mac-bypass-delay 60

dot1x timer quiet-period

Function

The dot1x timer quiet-period command configures the quiet period for 802.1X users who fail to be authenticated.

The undo dot1x timer quiet-period command restores the default quiet period.

By default, the quiet period is 60 seconds for 802.1X users who fail to be authenticated.

Format

dot1x timer quiet-period quiet-period-times

undo dot1x timer quiet-period

Parameters

Parameter

Description

Value

quiet-period-times

Sets the quiet period for 802.1X users who fail to be authenticated.

The value is an integer that ranges from 1 to 3600, in seconds.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

If an 802.1X user fails authentication repeatedly within a short period, system performance is affected and a large number of duplicate authentication failure logs are generated.

After the quiet function is enabled using the dot1x quiet-period command, if the number of times that an 802.1X user fails to be authenticated within 60s exceeds the upper limit (configured using the dot1x quiet-times command), the device discards the user's 802.1X authentication request packets for a period to avoid frequent authentication failures.
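The quiet logic described above, as an added example that is not Huawei code: a per-user failure counter with the 60-second window from the text, the 1 to 3600 second quiet-period range, and an upper limit standing in for dot1x quiet-times (whose range this page does not give). Users are keyed by a constructed MAC string; how the device actually keys users is an assumption.

```python
from collections import defaultdict, deque

FAILURE_WINDOW = 60   # seconds; the reference counts failures "within 60s"


class QuietPeriodTracker:
    """Per-user model of the 802.1X quiet function: once the failures seen in the last
    60 s exceed quiet_times, the user's authentication requests are discarded for
    quiet_period seconds."""

    def __init__(self, quiet_times: int, quiet_period: int = 60):
        # quiet_times: upper limit set by dot1x quiet-times (its range is not given on this page)
        # quiet_period: dot1x timer quiet-period, 1..3600 seconds, default 60
        if not 1 <= quiet_period <= 3600:
            raise ValueError("quiet-period-times must be 1..3600 seconds")
        if quiet_times < 1:
            raise ValueError("quiet_times must be positive")
        self.quiet_times, self.quiet_period = quiet_times, quiet_period
        self._failures = defaultdict(deque)   # user -> timestamps of recent failures
        self._quiet_until = {}                # user -> time the quiet period ends

    def is_quiet(self, user: str, now: float) -> bool:
        return now < self._quiet_until.get(user, float("-inf"))

    def accept_request(self, user: str, now: float) -> bool:
        """True if an 802.1X request from user is processed, False if it is discarded."""
        return not self.is_quiet(user, now)

    def record_failure(self, user: str, now: float) -> bool:
        """Register an authentication failure; returns True if it starts a quiet period."""
        recent = self._failures[user]
        recent.append(now)
        while recent and now - recent[0] > FAILURE_WINDOW:   # drop failures older than 60 s
            recent.popleft()
        if len(recent) > self.quiet_times:                   # "exceeds the upper limit"
            self._quiet_until[user] = now + self.quiet_period
            recent.clear()                                   # counting restarts afterwards
            return True
        return False
```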

Example

# Set the quiet period to 100 seconds for 802.1X users who fail to be authenticated.

<HUAWEI> system-view
[HUAWEI] dot1x timer quiet-period 100

dot1x trigger dhcp-binding

Function

The dot1x trigger dhcp-binding command enables the device to automatically generate the DHCP snooping binding table after static IP users pass 802.1X authentication or when the users are at the pre-connection phase.

The undo dot1x trigger dhcp-binding command restores the default setting.

By default, the device does not automatically generate the DHCP snooping binding table after static IP users pass 802.1X authentication or when the users are at the pre-authentication phase.

Format

dot1x trigger dhcp-binding

undo dot1x trigger dhcp-binding

Parameters

None

Views

802.1X access profile view

Default Level

2: Configuration level

Usage Guidelines

Scenario

There are unauthorized users who modify their MAC addresses to those of authorized users. After authorized users are connected through 802.1X authentication, the unauthorized users can obtain the same identities as the authorized users and connect to the network without authentication. This results in security risks of authentication and accounting. After accessing the network, unauthorized users can also initiate ARP spoofing attacks by sending bogus ARP packets. In this case, the device records incorrect ARP entries, greatly affecting normal communication between authorized users. To prevent the previous attacks, configure IPSG and DAI. These two functions are implemented based on binding tables. For static IP users, you can run the user-bind static command to configure the static binding table. However, if there are many static IP users, it takes more time to configure static binding entries one by one.

To reduce the workload, you can configure the device to automatically generate the DHCP snooping binding table for static IP users. After the static IP users who pass 802.1X authentication or are at the pre-authentication phase send EAP packets to trigger generation of the user information table, the device automatically generates the DHCP snooping binding table based on the MAC address, IP address, and interface recorded in the table.

You can run the display dhcp snooping user-bind command to check the DHCP snooping binding table that is generated by the device for static IP users who pass 802.1X authentication or are at the pre-authentication phase. The DHCP snooping binding table generated using this function will be deleted after the users are disconnected.

Follow-up Procedure

Configure IPSG and DAI after the DHCP snooping binding table is generated to prevent attacks from unauthorized users.

Precautions

  • To make this function take effect, you must run the dhcp snooping enable command on the interface to which the 802.1X access profile is bound to enable the DHCP snooping function on the interface and globally.

  • The EAP protocol does not specify a standard attribute to carry IP address information. Therefore, if the EAP request packet sent by a static IP user does not contain an IP address, the IP address information in the DHCP snooping binding table is obtained from the user's first ARP request packet with the same MAC address as the user information table after the user passes authentication. On a network, unauthorized users may forge authorized users' MAC addresses to initiate ARP spoofing attacks on devices, and the DHCP snooping binding table generated accordingly may be unreliable. Therefore, the dot1x trigger dhcp-binding command is not recommended and you are advised to run the user-bind static command to configure the static binding table.

  • For users who are assigned IP addresses using DHCP, you do not need to run the dot1x trigger dhcp-binding command on the device. The DHCP snooping binding table is generated through the DHCP snooping function.

  • The IP address in the DHCP snooping binding table is extracted from the ARP request packet (the first ARP request packet sent by the user after the user is authenticated or in the pre-connection state that has the same MAC address in the user information table). If the static IP address of a user is changed, the user needs to be authenticated again.

Example

# In the 802.1X access profile d1, enable the device to automatically generate the DHCP snooping binding table after static IP users pass 802.1X authentication or when the users are at the pre-authentication phase.

<HUAWEI> system-view
[HUAWEI] dot1x-access-profile name d1
[HUAWEI-dot1x-access-profile-d1] dot1x trigger dhcp-binding

dot1x timer tx-period

Function

The dot1x timer tx-period command sets the interval at which the device sends authentication requests.

The undo dot1x timer tx-period command restores the default configuration.

By default, the device sends authentication requests at an interval of 30 seconds.

Format

dot1x timer tx-period tx-period-value

undo dot1x timer tx-period

Parameters

Parameter

Description

Value

tx-period-value

Specifies the interval for sending authentication requests.

The value is an integer that ranges from 1 to 120, in seconds.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

The device starts the tx-period timer in either of the following situations:
  • When the client initiates authentication and MAC address bypass authentication is not configured, the device sends a unicast Request/Identity packet to the client and starts the tx-period timer. If the client does not respond within the period set by the timer, the device retransmits the authentication request.
  • To authenticate the 802.1X clients that cannot initiate authentication, the device periodically sends multicast Request/Identity packets through the 802.1X-enabled interface to the clients at the interval set by the tx-period timer.

After MAC address bypass authentication is enabled on a device, the interval at which the device sends unicast Request/Identity packets to clients is determined by delay-time-value configured in the dot1x timer mac-bypass-delay command and max-retry-value configured in the dot1x retry command. The retransmission interval is the integer part of the value calculated using the following formula: delay-time-value/(max-retry-value + 1)

Normally, it is recommended that you retain the default setting of the timer.

Example

# Set the interval at which the device sends authentication requests to 90 seconds.

<HUAWEI> system-view
[HUAWEI] dot1x timer tx-period 90

dot1x unicast-trigger

Function

The dot1x unicast-trigger command enables 802.1X authentication triggered by unicast packets.

The undo dot1x unicast-trigger command disables 802.1X authentication triggered by unicast packets.

By default, 802.1X authentication triggered by unicast packets is disabled.

Format

dot1x unicast-trigger

undo dot1x unicast-trigger

Parameters

None

Views

802.1X access profile view

Default Level

2: Configuration level

Usage Guidelines

After the dot1x unicast-trigger command is used on the device, the device sends a unicast packet to respond to the ARP or DHCP Request packet received from a client. If the client does not respond within the timeout interval (set by the dot1x timer client-timeout client-timeout-value command), the device retransmits the unicast packet (the maximum number of retransmissions is set by the dot1x retry max-retry-value command). This function allows users to use the 802.1X client provided by the operating system for authentication, helping quickly deploy an 802.1X network.

After receiving a packet that triggers 802.1X authentication from a client, the device sends a unicast packet to the client. For clients that cannot send packets to trigger 802.1X authentication, configure multicast packets to trigger 802.1X authentication.

Example

# In the 802.1X access profile d1, enable 802.1X authentication triggered by unicast packets.

<HUAWEI> system-view
[HUAWEI] dot1x-access-profile name d1
[HUAWEI-dot1x-access-profile-d1] dot1x unicast-trigger

dot1x url

Function

The dot1x url command configures the redirect-to URL in 802.1X authentication.

The undo dot1x url command cancels the redirect-to URL configuration in 802.1X authentication.

By default, no redirect-to URL is configured in 802.1X authentication.

Format

dot1x url url-string

undo dot1x url

Parameters

Parameter

Description

Value

url-string

Specifies the redirect-to URL.

It is a string of 1 to 200 case-sensitive characters that do not contain spaces and question marks (?). When double quotation marks are used around the string, spaces are allowed in the string.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

In the early stage of network deployment, deploying 802.1X clients is difficult and labor-intensive. You can run the dot1x url command to set the redirect-to URL to the 802.1X client download web page address. When a user attempts to access a non-free IP subnet, the device redirects the user to the redirect-to URL, where the user can download and install the 802.1X client software.

Example

# Set the redirect-to URL in 802.1X authentication to http://www.123.com.cn.

<HUAWEI> system-view
[HUAWEI] dot1x url http://www.123.com.cn

dot1x-access-profile (authentication profile view)

Function

The dot1x-access-profile command binds an authentication profile to an 802.1X access profile.

The undo dot1x-access-profile command unbinds an authentication profile from an 802.1X access profile.

By default, an authentication profile is not bound to an 802.1X access profile.

Format

dot1x-access-profile access-profile-name

undo dot1x-access-profile

Parameters

Parameter

Description

Value

access-profile-name

Specifies the name of an 802.1X access profile.

The value must be the name of an existing 802.1X access profile.

Views

Authentication profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The authentication type used by an authentication profile is determined by the access profile bound to the authentication profile. After being bound to an 802.1X access profile, the authentication profile is enabled with 802.1X authentication. After the authentication profile is applied to the interface or VAP profile, 802.1X authentication can be performed on online users.

Prerequisites

An 802.1X access profile has been created using the dot1x-access-profile (system view) command.

Follow-up Procedure

Run the authentication-profile (Interface view or VAP profile view) command to apply the authentication profile to the interface or VAP profile.

Precautions

An authentication profile can be bound to only one 802.1X access profile.

Example

# Bind the authentication profile dot1x_authen_profile1 to the 802.1X access profile dot1x_access_profile1.

<HUAWEI> system-view
[HUAWEI] dot1x-access-profile name dot1x_access_profile1
[HUAWEI-dot1x-access-profile-dot1x_access_profile1] quit
[HUAWEI] authentication-profile name dot1x_authen_profile1
[HUAWEI-authen-profile-dot1x_authen_profile1] dot1x-access-profile dot1x_access_profile1

dot1x-access-profile (system view)

Function

The dot1x-access-profile command creates an 802.1X access profile and displays the 802.1X access profile view.

The undo dot1x-access-profile command deletes an 802.1X access profile.

By default, the device has a built-in 802.1X access profile named dot1x_access_profile.

Format

dot1x-access-profile name access-profile-name

undo dot1x-access-profile name access-profile-name

Parameters

Parameter

Description

Value

name access-profile-name

Specifies the name of an 802.1X access profile.

The value is a string of 1 to 31 case-sensitive characters. It cannot be - or --, and it cannot contain spaces or the following symbols: / \ : * ? " < > | @ ' %.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The device uses 802.1X access profiles to uniformly manage all 802.1X user access configurations. To perform 802.1X authentication for the users in the interface or VAP profile, bind the authentication profile applied to the interface or VAP profile to an 802.1X access profile.

Follow-up Procedure

Run the dot1x-access-profile (authentication profile view) command in the authentication profile view to bind the authentication profile to an 802.1X access profile.

Precautions

  • The compatibility profile converted after an upgrade is not counted in the configuration specification. The built-in 802.1X access profile dot1x_access_profile can be modified and applied, but cannot be deleted.
  • Before deleting an 802.1X access profile, ensure that this profile is not bound to any authentication profile.

Example

# Create the 802.1X access profile named dot1x_access_profile1.

<HUAWEI> system-view
[HUAWEI] dot1x-access-profile name dot1x_access_profile1

enable (terminal type identification profile view)

Function

The enable command enables terminal type identification.

The undo enable command disables terminal type identification.

By default, terminal type identification is disabled.

NOTE:

This function is supported only by S5720HI.

Format

enable

undo enable

Parameters

None

Views

Terminal type identification profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The terminal type identification profile takes effect immediately when terminal type identification is enabled. The AC analyzes the terminal's MAC address, DHCP Option, and UA information. If the information matches the rules configured in the profile, the AC identifies the terminal type.

Prerequisite

A terminal type identifier has been configured using the device-type command.

Example

# Enable terminal type identification.

<HUAWEI> system-view
[HUAWEI] device-profile profile-name huawei
[HUAWEI-device-profile-huawei] device-type huawei
[HUAWEI-device-profile-huawei] enable

free-rule

Function

The free-rule command configures authentication-free rules for NAC authentication users.

The undo free-rule command restores the default settings.

By default, no authentication-free rule is configured for NAC authentication users.

Format

Common authentication-free rule:

free-rule rule-id { destination { any | ip { ip-address mask { mask-length | ip-mask } [ tcp destination-port port | udp destination-port port ] | any } } | source { any | { interface interface-type interface-number | ip { ip-address mask { mask-length | ip-mask } | any } | vlan vlan-id } * } } *

undo free-rule { rule-id | all }

Authentication-free rule defined by ACL:

free-rule acl { acl-id | acl-name acl-name }

undo free-rule { acl { acl-id | acl-name acl-name } | all }

NOTE:

Only the S5720EI, S5720HI, S6720EI, and S6720S-EI support the authentication-free rule defined by ACL.

Parameters

Parameter

Description

Value

rule-id

Specifies the number of an authentication-free rule for NAC authentication users.

The value is an integer that ranges from 0 to 511.

destination

Specifies the destination network resource that NAC authentication users can access without authentication.

-

source

Specifies source information for NAC authentication users without authentication.

-

any

Indicates any condition. When any is used together with different keywords, the effect of the command is different.

-

interface interface-type interface-number

Specifies the source interface in the rule.

  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

-

ip ip-address

Specifies the source or destination IP address depending on the keyword.

The value is in dotted decimal notation.

mask mask-length

Specifies the mask length of the source or destination IP address depending on the keyword.

The value is an integer that ranges from 1 to 32.

mask ip-mask

Specifies the mask of the source or destination IP address depending on the keyword.

The value is in dotted decimal notation.

tcp destination-port port

Specifies a TCP destination port number.

The value is an integer that ranges from 1 to 65535.

udp destination-port port

Specifies the UDP destination port number.

The value is an integer that ranges from 1 to 65535.

vlan vlan-id

Specifies the VLAN ID of source packets.

The value is an integer that ranges from 1 to 4094.

acl

Specifies an authentication-free rule defined by ACL.

-

acl-id

Specifies the number of an IPv4 ACL.

The value is an integer that ranges from 6000 to 6031.

acl-name acl-name

Specifies the name of an IPv4 ACL.

The value must be an existing IPv4 ACL name. The number of the named ACL ranges from 6000 to 6031.

all

Specifies all rules.

-

Views

Authentication-free rule profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To meet basic network access requirements of users who have not passed authentication, the users need to obtain some network access rights without authentication, for example, to download 802.1X client software or update the antivirus database. After running the free-rule-template (system view) command to create an authentication-free rule profile, run the free-rule command to configure authentication-free rules in the profile. The users can then obtain some network access rights without authentication.

An authentication-free rule can be a common authentication-free rule or defined by an ACL. A common authentication-free rule is determined by parameters such as IP address, MAC address, interface, and VLAN. An authentication-free rule defined by an ACL is determined by the ACL rule (configured using the rule command). The destination IP address that users can access without authentication can be specified in an authentication-free rule defined by either of the two methods. In addition, the destination domain name that users can access without authentication can be specified in an authentication-free rule defined by an ACL.

Compared with the authentication-free rule defined by IP address, the one defined by domain name is sometimes simpler and more convenient. For example, some authentication users who do not have an authentication account must first log in to the official website of a carrier and apply for a member account, or log in using the account of a third party such as Twitter or Facebook. This requires that the users can access specified websites before successful authentication. The domain name of a website is easier to remember than the IP address; therefore, the authentication-free rule defined by ACL can be configured to enable the users to access the domain names of websites without authentication.

Prerequisites

To use the authentication-free rule defined by ACL: an ACL rule has been configured using the rule command. This ACL rule can be based on an IP address or a domain name. If the rule is defined by IP address, the source and destination parameters can be configured; if the rule is defined by domain name, only the destination parameter can be configured.
NOTE:
If the ACL is specified by name (acl-name), a named ACL has been created and its ACL number (6000-6031) has been specified using the acl name acl-name acl-number command.

Follow-up Procedure

The domain name specified in an ACL only supports dynamic DNS resolution. Therefore, when you define the authentication-free rule by domain name, configure dynamic DNS resolution on the device and enable users to access the DNS server without authentication. The steps are as follows:
  1. Run the dns resolve command in the system view to enable dynamic DNS resolution.
  2. Run the dns server ip-address command in the system view to specify an IP address for the DNS server.
  3. Run the free-rule rule-id destination ip ip-address mask { mask-length | ip-mask } command in the authentication-free rule profile to enable users to access the DNS server without authentication.

Precautions

Pay attention to the following when you use common authentication-free rules:
  • When multiple authentication-free rules are configured simultaneously, the system matches the rules one by one.
  • In a wireless scenario or an SVF system, only the authentication-free rules with IDs in the range of 0 to 127 on the AP or AS can take effect. On the AC or parent, all configured authentication-free rules take effect.
  • In a wireless scenario, the VLAN ID and interface number cannot be specified in authentication-free rules configured on an AP. You are advised to set the authentication-free rule ID to 128 or a larger value when specifying the VLAN ID and interface number.
  • In an SVF system, interface information in an authentication-free rule is invalid.
  • If you specify both the VLAN ID and interface number in an authentication-free rule, the interface must belong to the VLAN. Otherwise, the rule is invalid.
  • If the destination port number is configured in an authentication-free rule, fragments cannot match the rule and packets cannot be forwarded.
  • No authentication-free rule needs to be configured for DHCP, CAPWAP, ARP, and HTTP packets before user authentication; these packets can be forwarded directly. Authentication-free rules must be configured for other packets that need to be forwarded. When the packets need to be processed locally, authentication-free rules need to be configured only on the S5720HI.
    • DHCP packet: If authentication and DHCP are enabled on an interface, authentication can be triggered by DHCP packets and the switch acts as the DHCP relay or DHCP server to forward or process DHCP packets. If only authentication is configured on the interface and the DHCP function is not configured, authentication can be triggered by DHCP packets and the switch broadcasts the DHCP packets.
    • CAPWAP packet: CAPWAP packets are classified into control packets and data packets. Generally, NAC is still effective for CAPWAP data packets after they are decapsulated, and the authentication-free rule takes effect (except for ARP and DHCP packets that are encapsulated in CAPWAP data packets). CAPWAP control packets are sent to the CPU for processing (such as SVF and wireless scenarios). If authentication is enabled on the physical interface connected to an AP, you need to configure the authentication-free rule to transmit packets from the management VLAN. In this scenario, the server may be overloaded due to multiple times of re-authentication. Therefore, this scenario is not recommended.
    • ARP packet: No authentication-free rule needs to be configured for ARP packets, which can be directly processed or forwarded.
    • HTTP packet: If Portal authentication is enabled on an interface and the destination URL of HTTP packets is not the URL of the Portal server, the switch redirects HTTP packets to the Portal server for authentication.
Pay attention to the following when you define authentication-free rules by ACL:
  • Authentication-free rules based on domain names are valid for only wireless users.
  • When SVF is enabled, authentication-free rules cannot be delivered to an AS.
  • When multiple authentication-free rules are configured at the same time, only the last one takes effect.
  • An authentication-free rule can be dynamically modified. The authentication-free rule does not differentiate the deny or permit action of the ACL rule (configured using the rule command) and uniformly performs the permit action. The ACL rule number ranges from 0 to 127.
  • If multiple domain names correspond to the same IP address and one matches the authentication-free rule, other domain names also match the authentication-free rule.
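As an added example that is not Huawei code, the following Python model parses common authentication-free rules in the free-rule syntax shown under Format and matches pre-authentication packets against them following the precautions above: rules are checked one by one (ordering by rule ID is an assumption), a rule naming both a VLAN and an interface is invalid unless the interface belongs to that VLAN, a rule with a destination port never matches a fragment, and ARP and DHCP packets pass without any rule. The interface-to-VLAN map, the sample rules, and the Packet fields are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                         # "tcp", "udp", "arp", "dhcp", ...
    dst_port: Optional[int] = None
    vlan_id: Optional[int] = None
    interface: Optional[str] = None
    is_fragment: bool = False          # non-initial fragment: no L4 header to match

@dataclass
class FreeRule:
    rule_id: int
    dst_net: Optional[ipaddress.IPv4Network] = None   # None means "destination any"
    dst_proto: Optional[str] = None                   # "tcp"/"udp", together with dst_port
    dst_port: Optional[int] = None
    src_net: Optional[ipaddress.IPv4Network] = None   # None means no source-IP constraint
    src_vlan: Optional[int] = None
    src_interface: Optional[str] = None

def parse_free_rule(line: str) -> FreeRule:
    # Parses one common free-rule line (the non-ACL form shown under Format).
    tok = line.split()
    if len(tok) < 3 or tok[0] != "free-rule" or not 0 <= int(tok[1]) <= 511:
        raise ValueError("expected 'free-rule <0-511> ...'")
    rule, side, i = FreeRule(rule_id=int(tok[1])), None, 2
    while i < len(tok):
        t = tok[i]
        if t in ("destination", "source"):
            side, i = t, i + 1
        elif t == "any" or (t == "ip" and tok[i + 1] == "any"):   # no constraint on this side
            i += 2 if t == "ip" else 1
        elif t == "ip" and tok[i + 2] == "mask":          # mask is a length or a dotted mask
            net = ipaddress.IPv4Network(f"{tok[i + 1]}/{tok[i + 3]}", strict=False)
            setattr(rule, "dst_net" if side == "destination" else "src_net", net)
            i += 4
        elif t in ("tcp", "udp") and side == "destination" and tok[i + 1] == "destination-port":
            rule.dst_proto, rule.dst_port, i = t, int(tok[i + 2]), i + 3
        elif t == "vlan" and side == "source":
            rule.src_vlan, i = int(tok[i + 1]), i + 2
        elif t == "interface" and side == "source":
            name, i = tok[i + 1], i + 2
            if i < len(tok) and tok[i][0].isdigit():      # "GigabitEthernet 0/0/1" form
                name, i = name + tok[i], i + 1
            rule.src_interface = name
        else:
            raise ValueError(f"unexpected token {t!r} in {line!r}")
    return rule

INTERFACE_VLANS = {"GigabitEthernet0/0/1": {10, 20}, "GigabitEthernet0/0/2": {10}}  # constructed

def rule_matches(rule: FreeRule, pkt: Packet, interface_vlans=INTERFACE_VLANS) -> bool:
    # Naming both a VLAN and an interface makes the rule invalid unless the interface is in that VLAN.
    if (rule.src_vlan is not None and rule.src_interface is not None
            and rule.src_vlan not in interface_vlans.get(rule.src_interface, set())):
        return False
    if rule.dst_net is not None and ipaddress.IPv4Address(pkt.dst_ip) not in rule.dst_net:
        return False
    # A port rule never matches a fragment (no L4 header) or a different protocol/port.
    if rule.dst_port is not None and (pkt.is_fragment or pkt.proto != rule.dst_proto
                                      or pkt.dst_port != rule.dst_port):
        return False
    if rule.src_net is not None and ipaddress.IPv4Address(pkt.src_ip) not in rule.src_net:
        return False
    if rule.src_vlan is not None and pkt.vlan_id != rule.src_vlan:
        return False
    return rule.src_interface is None or pkt.interface == rule.src_interface

def allowed_before_auth(pkt: Packet, rules, interface_vlans=INTERFACE_VLANS) -> Optional[str]:
    # Returns why a packet from a not-yet-authenticated user is forwarded, or None if it is not.
    if pkt.proto in ("arp", "dhcp"):                      # forwarded without any free-rule
        return "protocol"
    for rule in sorted(rules, key=lambda r: r.rule_id):   # one by one; ID order is an assumption
        if rule_matches(rule, pkt, interface_vlans):
            return f"free-rule {rule.rule_id}"
    return None

# Constructed sample rules; rule 3 is invalid because GigabitEthernet0/0/2 is not in VLAN 30.
SAMPLE_RULES = [parse_free_rule(line) for line in (
    "free-rule 1 destination ip 10.1.1.10 mask 32 tcp destination-port 443",
    "free-rule 2 destination ip 10.2.0.0 mask 255.255.0.0 source vlan 20 interface GigabitEthernet 0/0/1",
    "free-rule 3 destination any source vlan 30 interface GigabitEthernet 0/0/2",
)]
```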

The free-rule command configures a rule for specifying the resources accessible to users before authentication. However, this command does not mean that users matching the rule do not need to be authenticated. To free specified users from authentication, run the access-context profile enable command to enable the user context identification function, and run the if-match vlan-id { start-vlan-id [ to end-vlan-id ] } &<1-10> command in the user context profile to configure the VLAN ID-based user identification policy. In addition, run the authentication-mode none