S12700 V200R013C00 Command Reference

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
NAC Configuration Commands (Unified Mode)

Command Support

Commands provided in this section and all the parameters in the commands are supported by all switch models by default, unless otherwise specified. For details, see specific commands.

access-context profile enable

Function

The access-context profile enable command enables the user context identification function.

The undo access-context profile enable command disables the user context identification function.

By default, the user context identification function is disabled.

Format

access-context profile enable

undo access-context profile enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

User context refers to association information of a user, such as the user name, user VLAN, and access interface.

To simplify the authentication server configuration, the administrator can add the users with the same network access rights to the same user context profile based on the user context, and configure the network access rights for the users based on the user context profile. When a user goes online after the user context identification function is enabled, the device can identify the user context information and add the user to the corresponding context profile based on the identification result.
  • If the user is authenticated successfully, the authentication server can assign the network access rights mapping the user context profile to the user based on the user context reported by the device.
  • If the user fails to be authenticated, the device assigns the user the network access rights in each phase before authentication success, which are bound to the context profile in the user authentication event authorization policy.

For example, on some enterprise networks, VLANs are used to divide the entire network into different areas with various security levels. The administrator requires that a user should obtain different network access rights when the user connects to the network from different areas. In this case, the user context identification function can be enabled on access devices, and a group of VLANs that belong to the same area are added to the same user context profile. The administrator then assigns the mapping network access rights to different user context profiles based on the security level of each area. When a user connects to the network from different areas, the user is added to different user context profiles matching their access VLANs and therefore obtains different network access rights.

Follow-up Procedure

  1. In the system view, run the access-context profile name profile-name command to create a user context profile.

  2. In the user context profile view, run the if-match vlan-id { start-vlan-id [ to end-vlan-id ] } &<1-10> command to configure the user identification policy based on VLAN IDs.
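The two steps above (create a profile, then match VLAN IDs with if-match vlan-id) are easy to get wrong when several profiles cover adjacent VLAN ranges. The following added example, which is not part of the Huawei documentation and uses a constructed configuration snippet, parses the if-match vlan-id { start-vlan-id [ to end-vlan-id ] } &<1-10> form, resolves which profile a user VLAN falls into (the device identifies users by VLAN only), and flags profiles whose VLAN ranges overlap; the overlap check is an added lint, since the page does not say how overlapping profiles are resolved.

```python
import re

VLAN_MIN, VLAN_MAX = 1, 4094
MAX_RANGES = 10  # the &<1-10> limit on if-match vlan-id

# Constructed sample configuration (not from the page).
SAMPLE_CONFIG = """\
access-context profile enable
access-context profile name office
 if-match vlan-id 10 to 19 30
 quit
access-context profile name guest
 if-match vlan-id 100 to 199
 quit
access-context profile name lab
 if-match vlan-id 15 to 16
 quit
"""


def parse_if_match_vlan(line):
    """Parse 'if-match vlan-id { start [ to end ] } &<1-10>' into [(start, end), ...]."""
    m = re.fullmatch(r"\s*if-match\s+vlan-id\s+(.+?)\s*", line)
    if not m:
        raise ValueError("not an if-match vlan-id line: %r" % line)
    tokens = m.group(1).split()
    ranges, i = [], 0
    while i < len(tokens):
        start = int(tokens[i])
        end = start
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            end = int(tokens[i + 2])
            i += 3
        else:
            i += 1
        if not (VLAN_MIN <= start <= end <= VLAN_MAX):
            raise ValueError("bad VLAN range %d-%d" % (start, end))
        ranges.append((start, end))
    if not 1 <= len(ranges) <= MAX_RANGES:
        raise ValueError("if-match vlan-id takes 1 to %d ranges" % MAX_RANGES)
    return ranges


def vlan_policy_is_valid(line):
    """Boolean wrapper around parse_if_match_vlan for quick linting."""
    try:
        parse_if_match_vlan(line)
        return True
    except ValueError:
        return False


def build_profiles(config_text):
    """Walk a configuration snippet and return {profile_name: [(start, end), ...]}."""
    profiles, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("access-context profile name "):
            current = line.split()[-1]          # enter the profile view
            profiles.setdefault(current, [])
        elif line == "quit":
            current = None                      # leave the profile view
        elif line.startswith("if-match vlan-id") and current:
            profiles[current].extend(parse_if_match_vlan(line))
    return profiles


def match_profile(profiles, user_vlan):
    """Names of all profiles whose VLAN policy covers the user's access VLAN."""
    return [name for name, ranges in profiles.items()
            if any(s <= user_vlan <= e for s, e in ranges)]


def overlapping_profiles(profiles):
    """Lint: pairs of profiles claiming a common VLAN, which makes a user's profile ambiguous."""
    names = sorted(profiles)
    found = []
    for idx, a in enumerate(names):
        for b in names[idx + 1:]:
            if any(s1 <= e2 and s2 <= e1
                   for s1, e1 in profiles[a] for s2, e2 in profiles[b]):
                found.append((a, b))
    return found


if __name__ == "__main__":
    profiles = build_profiles(SAMPLE_CONFIG)
    print(profiles)
    print("VLAN 15 ->", match_profile(profiles, 15))
    print("overlaps:", overlapping_profiles(profiles))
```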

Precautions

  • The device can only identify user VLANs.

Example

# Enable the user context identification function.

<HUAWEI> system-view
[HUAWEI] access-context profile enable

access-context profile name

Function

The access-context profile name command creates a user context profile and displays the user context profile view.

The undo access-context profile name command deletes the created user context profile.

By default, no user context profile is created.

Format

access-context profile name profile-name

undo access-context profile name profile-name

Parameters

Parameter: profile-name
Description: Specifies the name of a user context profile.
Value: The value is a string of 1 to 32 case-sensitive characters without any space. The value cannot be set to - or --, and cannot contain the following characters: / \ : * ? " < > | @ ' %.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To simplify the authentication server configuration, the administrator can add the users with the same network access rights to the same user context profile based on the user context, and assign the network access rights to the users based on the user context profile.

Follow-up Procedure

In the user context profile view, run the if-match vlan-id start-vlan-id [ to end-vlan-id ] &<1-10> command to configure the user identification policy based on VLAN IDs.

Example

# Create the user context profile p1.

<HUAWEI> system-view
[HUAWEI] access-context profile name p1

access-author policy global

Function

The access-author policy global command applies a user authentication event authorization policy.

The undo access-author policy global command restores the default configuration.

By default, no user authentication event authorization policy is applied.

Format

access-author policy policy-name global

undo access-author policy policy-name global

Parameters

Parameter: policy-name
Description: Specifies the name of a user authentication event authorization policy.
Value: The value must be the name of an existing user authentication event authorization policy on the device.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Users need basic network access rights before they are authenticated. For example, the users need to download 802.1X clients and update the antivirus database. A user authentication event authorization policy can be used to bind the network access rights of users in each phase before authentication success to a user context profile. When a user goes online after a user authentication event authorization policy is applied to the device, the device adds the user to the context profile based on the user context identification result, and assigns the network access rights to the user based on the user authentication result.

Prerequisites

A user authentication event authorization policy has been created using the access-author policy name policy-name command in the system view.

Precautions

This function takes effect only for users who go online after this function is successfully configured.

Example

# Globally apply the user authentication event authorization policy a1.

<HUAWEI> system-view
[HUAWEI] access-author policy name a1
[HUAWEI-access-author-a1] quit
[HUAWEI] access-author policy a1 global

access-author policy name

Function

The access-author policy name command creates a user authentication event authorization policy and displays the user authentication event authorization policy view.

The undo access-author policy name command deletes the created user authentication event authorization policy.

By default, no user authentication event authorization policy is created.

Format

access-author policy name policy-name

undo access-author policy name policy-name

Parameters

Parameter: policy-name
Description: Specifies the name of a user authentication event authorization policy.
Value: The value is a string of 1 to 32 case-sensitive characters without any space. The value cannot be set to - or --, and cannot contain the following characters: / \ : * ? " < > | @ ' %.

NOTE:
The value of policy-name cannot be the keyword name, a leading substring of it (n, na, nam), or any uppercase/lowercase combination of these. This prevents the value from being parsed as the name keyword and conflicting with the access-author policy global command.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Users need basic network access rights before they are authenticated. For example, the users need to download 802.1X clients and update the antivirus database. A user authentication event authorization policy can be used to bind the network access rights of users in each phase before authentication success to a user context profile. When a user goes online after a user authentication event authorization policy is applied to the device, the device adds the user to the context profile based on the user context identification result, and assigns the network access rights to the user based on the user authentication result.

Follow-up Procedure

  1. In the user authentication event authorization policy view, run the match access-context-profile action command to configure the network access rights for users in each phase before authentication success.

  2. In the system view, run the access-author policy global command to apply the user authentication event authorization policy.

Example

# Create the user authentication event authorization policy a1.

<HUAWEI> system-view
[HUAWEI] access-author policy name a1

access-domain

Function

The access-domain command configures a default or forcible domain in an authentication profile for users.

The undo access-domain command deletes a configured default or forcible domain in an authentication profile.

By default, no default or forcible domain is configured in an authentication profile.

Format

access-domain domain-name [ dot1x | mac-authen | portal ] * [ force ]

undo access-domain [ dot1x | mac-authen | portal ] * [ force ]

Parameters

Parameter: domain-name
Description: Specifies the domain name.
Value: The value must be the name of an existing domain.

Parameter: dot1x
Description: Specifies a default or forcible domain for 802.1X authentication users.
Value: -

Parameter: mac-authen
Description: Specifies a default or forcible domain for MAC address authentication users.
Value: -

Parameter: portal
Description: Specifies a default or forcible domain for Portal authentication users.
Value: -

Parameter: force
Description: Specifies the configured domain as a forcible domain. If this parameter is not specified, the configured domain is a default domain.
Value: -

Views

Authentication profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The device manages users in domains. For example, AAA schemes and authorization information are bound to domains. During user authentication, the device assigns users to specified domains based on the domain names contained in user names. However, user names entered by many users on actual networks do not contain domain names. In this case, you can configure a default domain in an authentication profile. If users using this profile enter user names that do not contain domain names, the device manages the users in the default domain.

On actual networks, user names entered by some users contain domain names and those entered by other users do not. The device uses different domains to manage the users. Because authentication, authorization and accounting (AAA) information in the domains are different, users use different AAA information. To ensure that users using the same authentication profile use the same AAA information, you can configure a forcible domain in the authentication profile for the users. The device then manages the users in the forcible domain regardless of whether entered user names contain domain names or not.

Prerequisites

A domain has been configured using the domain (AAA view) command in the AAA view.

Precautions

When you configure a default or forcible domain in an authentication profile, the domain takes effect as follows:

  • If you do not specify the user authentication mode (dot1x, mac-authen, or portal), the domain takes effect for all access authentication users using the authentication profile.
  • If both a default domain and a forcible domain are configured, the device authenticates users in the forcible domain.

  • This function takes effect only for users who go online after this function is successfully configured.

  • In a wireless scenario, RADIUS accounting is performed only for AAA users who do not need to pass authentication in a forcible domain, and cannot be performed for such users in the default domain.

Example

# Configure the forcible domain huawei in the authentication profile p1.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] domain huawei
[HUAWEI-aaa-domain-huawei] quit
[HUAWEI-aaa] quit
[HUAWEI] authentication-profile name p1
[HUAWEI-authen-profile-p1] access-domain huawei force

access-user arp-detect

Function

The access-user arp-detect command sets the source IP address and source MAC address of offline detection packets in a VLAN.

The undo access-user arp-detect command deletes the source IP address and source MAC address of offline detection packets in a VLAN.

By default, the source IP address and source MAC address are not specified for offline detection packets in a VLAN.

Format

access-user arp-detect vlan vlan-id ip-address ip-address mac-address mac-address

undo access-user arp-detect vlan vlan-id ip-address ip-address mac-address mac-address

Parameters

Parameter: vlan vlan-id
Description: Specifies a VLAN ID.
Value: The value is an integer that ranges from 1 to 4094.

Parameter: ip-address ip-address
Description: Specifies the source IP address of offline detection packets.
Value: The value is in dotted decimal notation and can be 0.0.0.0, 255.255.255.255, or any other valid IP address.

Parameter: mac-address mac-address
Description: Specifies the source MAC address of offline detection packets.
Value: The value is a unicast MAC address in H-H-H format, where H can be one to four hexadecimal digits.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The device sends an ARP probe packet to check the user online status. If the user does not respond within a detection period, the device considers that the user is offline.

If the VLAN to which the user belongs does not have a VLANIF interface or the VLANIF interface does not have an IP address, the device sends an offline detection packet using 0.0.0.0 as the source IP address. If a user cannot respond to an ARP probe packet with the source IP address 0.0.0.0, you can specify a source IP address for the offline detection packet.

You are advised to specify the user gateway IP address and its corresponding MAC address as the source IP address and source MAC address of offline detection packets.

Precautions

This function does not take effect for users who use Layer 3 Portal authentication.

If a user on a physical interface is online, this command takes effect only after the user goes online again or the device re-authenticates the user.

Example

# Set the source IP address and MAC address of offline detection packets for users in VLAN 10 to 192.168.1.1 and 2222-1111-1234 respectively.

<HUAWEI> system-view
[HUAWEI] access-user arp-detect vlan 10 ip-address 192.168.1.1 mac-address 2222-1111-1234

access-user arp-detect default ip-address

Function

The access-user arp-detect default ip-address command sets the default source IP address of offline detection packets.

The undo access-user arp-detect default ip-address command restores the default setting.

By default, the default source IP address of offline detection packets is 0.0.0.0.

Format

access-user arp-detect default ip-address ip-address

undo access-user arp-detect default ip-address

Parameters

Parameter: ip-address
Description: Specifies the default source IP address of offline detection packets.
Value: The value is in dotted decimal notation and can be 0.0.0.0, 255.255.255.255, or any other valid IP address.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The device sends an ARP probe packet to check the user online status. If the user does not respond within a detection period, the device considers that the user is offline.

Precautions

  • This function does not take effect for users who use Layer 3 Portal authentication.

  • In the SVF or policy association scenario, you are advised to run the access-user arp-detect default ip-address command to set the source IP address of offline detection packets to 0.0.0.0. After the AS device sends a received ARP reply packet to the UC device, the UC device discards the packet if the destination IP address of the packet is 0.0.0.0 and the source IP address and source MAC address exist in the user entry. In this way, ARP packets do not occupy too many CPU resources on the main control card and do not cause authentication failures. In the SVF scenario, the command must be configured on the UC device and takes effect only for UC detection. The default source IP address of offline detection packets for AS detection is 0.0.0.0. In the policy association scenario, you can directly configure the command on the AS device.

  • In normal situations, after a device sends an ARP probe packet with a default source IP address, online clients will immediately respond with ARP reply packets. If online clients do not respond with ARP reply packets, the device logs them out unexpectedly. To resolve this problem, use either of the following methods:
    • Run the access-user arp-detect vlan vlan-id ip-address ip-address mac-address mac-address command to specify a VLAN ID, source IP address, and source MAC address for ARP probe packets.
    • Run the authentication timer handshake-period handshake-period command to increase the handshake period so that the device can detect gratuitous ARP packets that these clients send at an irregular period. Once the device detects such packets, it does not log them out.

Example

# Set the default source IP address of offline detection packets to 0.0.0.0.

<HUAWEI> system-view
[HUAWEI] access-user arp-detect default ip-address 0.0.0.0

access-user dot1x-identity speed-limit

Function

The access-user dot1x-identity speed-limit command configures the rate limit of Identity packets for 802.1X authentication to be sent to the CPU.

The undo access-user dot1x-identity speed-limit command restores the default rate limit of Identity packets for 802.1X authentication to be sent to the CPU.

By default, the maximum number of Identity packets for 802.1X authentication that can be sent to the CPU per second depends on the device.

Format

access-user dot1x-identity speed-limit value

undo access-user dot1x-identity speed-limit [ value ]

Parameters

Parameter: value
Description: Specifies the rate limit of Identity packets for 802.1X authentication to be sent to the CPU.
Value: The value is an integer in the range of 5 to 2000, in pps.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

If a large number of Identity packets for 802.1X authentication are sent to the CPU of a switch, the CPU usage is high and other services are affected. To prevent this problem, run the access-user dot1x-identity speed-limit command to configure the rate limit of Identity packets for 802.1X authentication to be sent to the CPU, so that the switch discards excess Identity packets.

Example

# Set the rate limit of Identity packets for 802.1X authentication to be sent to the CPU to 10 pps.

<HUAWEI> system-view
[HUAWEI] access-user dot1x-identity speed-limit 10

access-user arp-detect delay

Function

The access-user arp-detect delay command configures the delay for sending offline detection packets.

The undo access-user arp-detect delay command deletes the configured delay for sending offline detection packets.

By default, no delay for sending offline detection packets is configured.

Format

access-user arp-detect delay delay

undo access-user arp-detect delay

Parameters

Parameter: delay
Description: Specifies the delay for sending offline detection packets.
Value: The value is an integer in the range from 1 to 120, in seconds.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

A Windows client on the network sends a detection packet with the source address 0.0.0.0 after obtaining an IP address. If the device also initiates an ARP probe with the source address 0.0.0.0, a conflict occurs. To prevent this conflict, you can run the access-user arp-detect delay command to set the delay for sending offline detection packets. Typically, detection initiated by a Windows client takes 10 seconds. Therefore, a delay longer than 10 seconds is recommended.

Example

# Set the delay for sending offline detection packets to 20 seconds.

<HUAWEI> system-view
[HUAWEI] access-user arp-detect delay 20

access-user arp-detect fallback

Function

The access-user arp-detect fallback command configures an IP address required for calculating the source address of offline detection packets.

The undo access-user arp-detect fallback command deletes the IP address configured for calculating the source address of offline detection packets.

By default, no IP address is configured for the device to calculate the source address of offline detection packets.

Format

access-user arp-detect fallback ip-address { mask | mask-length }

undo access-user arp-detect fallback

Parameters

Parameter: ip-address
Description: Specifies the IP address required for calculating the source address of offline detection packets.
Value: The value is in dotted decimal notation.

Parameter: mask
Description: Specifies the mask of the IP address.
Value: The value is in dotted decimal notation. After the mask is converted into a binary number, all bits before the last 1 must be 1s. That is, 1s in the mask must be continuous and there cannot be any 0s before the last 1.

Parameter: mask-length
Description: Specifies the mask length of the IP address.
Value: The value is an integer in the range from 0 to 32.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When the device does not function as a gateway, it can send offline detection packets with a source address on the same network segment as the clients. This source address is calculated from the client network segment and the IP address specified in the access-user arp-detect fallback command: an AND operation is performed between the specified IP address and the wildcard mask (the inverse of the configured mask) to obtain an intermediate result, which is then added to the client network segment to obtain the source address of offline detection packets. For example, if the network segment of the clients is 192.168.1.0/24 and access-user arp-detect fallback 0.0.0.11 24 is configured, the source address of offline detection packets is 192.168.1.11. The calculated source address must be excluded from the address pool of the DHCP server to prevent IP address conflicts.
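The calculation above is worth checking before the command is committed, because the result must be kept out of the DHCP pool. The following added example (not Huawei code) computes the offline-detection source address exactly as the guideline describes, accepts the mask in either the dotted-decimal or mask-length form, rejects non-contiguous masks as the command does, and checks the result against a DHCP pool range; the pool boundaries are assumed inputs.

```python
import ipaddress


def mask_to_prefix(mask):
    """Return the prefix length for a dotted-decimal mask or a mask-length (0-32).

    Dotted masks whose 1 bits are not contiguous are rejected, matching the
    command's rule that there cannot be any 0s before the last 1.
    """
    text = str(mask)
    if text.isdigit():
        length = int(text)
        if not 0 <= length <= 32:
            raise ValueError("mask-length must be 0 to 32")
        return length
    bits = int(ipaddress.IPv4Address(text))
    host_bits = bits ^ 0xFFFFFFFF          # a contiguous mask inverts to 2^k - 1
    if host_bits & (host_bits + 1):
        raise ValueError("mask bits must be contiguous: %s" % text)
    return 32 - host_bits.bit_length()


def is_valid_mask(mask):
    """Boolean wrapper around mask_to_prefix."""
    try:
        mask_to_prefix(mask)
        return True
    except ValueError:
        return False


def arp_detect_source(client_segment, fallback_ip, mask):
    """Source address = (fallback_ip AND wildcard) + client network address.

    client_segment may carry host bits (e.g. a client's own address with its
    prefix); only the network address is used.
    """
    prefix = mask_to_prefix(mask)
    wildcard = (1 << (32 - prefix)) - 1
    host_part = int(ipaddress.IPv4Address(fallback_ip)) & wildcard
    net = ipaddress.IPv4Network(client_segment, strict=False)
    return str(ipaddress.IPv4Address(int(net.network_address) + host_part))


def conflicts_with_dhcp_pool(source, pool_start, pool_end):
    """True if the computed source lies inside the DHCP pool [pool_start, pool_end]."""
    s = ipaddress.IPv4Address(source)
    return ipaddress.IPv4Address(pool_start) <= s <= ipaddress.IPv4Address(pool_end)


if __name__ == "__main__":
    # The page's own example: clients on 192.168.1.0/24, fallback 0.0.0.11 24.
    src = arp_detect_source("192.168.1.0/24", "0.0.0.11", 24)
    print("offline detection source:", src)
    # Constructed pool boundaries, not from the page.
    print("inside DHCP pool:", conflicts_with_dhcp_pool(src, "192.168.1.10", "192.168.1.200"))
```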

Precautions

This function does not take effect for users who use Layer 3 Portal authentication.

This command is effective for online users connected to physical interfaces only after the users go online again or the device re-authenticates the users.

Example

# Set the IP address required for calculating the source address of offline detection packets to 0.0.0.11.

<HUAWEI> system-view
[HUAWEI] access-user arp-detect fallback 0.0.0.11 24

access-user https speed-limit

Function

The access-user https speed-limit command sets the limit of the rate at which HTTPS protocol packets are sent to the CPU.

The undo access-user https speed-limit command restores the default limit of the rate at which HTTPS protocol packets are sent to the CPU.

By default, the limit of the rate at which HTTPS protocol packets are sent to the CPU depends on the switch model:
  • Switches with MPUD: 20 pps
  • Switches with other MPUs: 9 pps

Format

access-user https speed-limit value

undo access-user https speed-limit [ value ]

Parameters

Parameter: value
Description: Specifies the rate limit.
Value: The value is an integer in the range from 3 to 2000, in pps.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

When a switch processes too many HTTPS protocol packets, the CPU usage may become high and other services may be affected. To address this issue, run the access-user https speed-limit command to set the limit of the rate at which HTTPS protocol packets are sent to the CPU. If the rate at which HTTPS protocol packets are sent to the CPU exceeds the specified value, the switch discards the excess HTTPS protocol packets.

Example

# Set the limit of the rate at which HTTPS protocol packets are sent to the CPU to 50 pps.

<HUAWEI> system-view
[HUAWEI] access-user https speed-limit 50

access-user portal speed-limit

Function

The access-user portal speed-limit command sets the limit of the rate at which Portal protocol packets are sent to the CPU.

The undo access-user portal speed-limit command restores the default limit of the rate at which Portal protocol packets are sent to the CPU.

By default, the limit of the rate at which Portal protocol packets are sent to the CPU depends on the device model.

Format

access-user portal speed-limit value

undo access-user portal speed-limit [ value ]

Parameters

Parameter: value
Description: Specifies the rate limit.
Value: The value is an integer in the range from 5 to 2000, in pps.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

When a switch processes too many Portal protocol packets, the CPU usage may become high and other services may be affected. To address this issue, run the access-user portal speed-limit command to set the limit of the rate at which Portal protocol packets are sent to the CPU. If the rate at which Portal protocol packets are sent to the CPU exceeds the specified value, the switch discards the excess Portal protocol packets.

Example

# Set the limit of the rate at which Portal protocol packets are sent to the CPU to 50 pps.

<HUAWEI> system-view
[HUAWEI] access-user portal speed-limit 50

access-user syslog-restrain enable

Function

The access-user syslog-restrain enable command enables system log suppression.

The undo access-user syslog-restrain enable command disables system log suppression.

By default, system log suppression is enabled.

Format

access-user syslog-restrain enable

undo access-user syslog-restrain enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

When a user fails authentication or goes offline, the device records a system log. The system log contains the MAC addresses of the access device and the access user, and the authentication time.

If a user repeatedly attempts to go online after authentication failures or frequently goes online and offline in a short period, a lot of system logs are generated, which waste system resources and degrade system performance. System log suppression can address this problem. After the device generates a system log, it will not generate the same log within the suppression period (set by access-user syslog-restrain period).

NOTE:

The same system logs are system logs that contain the same MAC addresses. For example, after the device generates a system log for a user who fails authentication, it does not generate a new system log for that user if the user fails authentication again within the suppression period. System logs for users going offline are handled in the same way. If a system log carries no MAC address, such system logs are suppressed based on the user name.
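The suppression rule above decides which authentication-failure and offline events an operator will actually see. The following added example (not Huawei code) replays a constructed sequence of user events through that rule, keyed by log type plus user MAC, or user name when the log carries no MAC, with the page's default 300 s period; it also counts the events that were suppressed per key, an addition that lets a monitoring pipeline keep a tally of repeated failures without the log volume.

```python
from collections import Counter

DEFAULT_PERIOD = 300  # seconds; default of access-user syslog-restrain period


class SyslogSuppressor:
    """After a log is generated, the same log (same type and same user MAC, or
    same user name when there is no MAC) is not generated again within the
    suppression period. The period is measured from the last log actually
    generated, not from suppressed events."""

    def __init__(self, period=DEFAULT_PERIOD, enabled=True):
        self.period = period
        self.enabled = enabled
        self._last_logged = {}
        self.suppressed = Counter()   # added tally of suppressed events per key

    @staticmethod
    def suppression_key(event):
        ident = event.get("mac") or event["user"]
        return (event["type"], ident.lower())

    def should_log(self, event):
        if not self.enabled:
            return True
        key = self.suppression_key(event)
        now = event["time"]
        last = self._last_logged.get(key)
        if last is not None and now - last < self.period:
            self.suppressed[key] += 1
            return False
        self._last_logged[key] = now
        return True


def replay(events, period=DEFAULT_PERIOD, enabled=True):
    """Return (indices of events that produce a log, suppressed counts per key)."""
    s = SyslogSuppressor(period, enabled)
    logged = [i for i, ev in enumerate(events) if s.should_log(ev)]
    return logged, dict(s.suppressed)


# Constructed events (times in seconds, MACs in the device's H-H-H notation).
EVENTS = [
    {"time": 0,   "type": "AUTH_FAIL", "mac": "2222-1111-1234", "user": "alice"},
    {"time": 100, "type": "AUTH_FAIL", "mac": "2222-1111-1234", "user": "alice"},  # same log, suppressed
    {"time": 120, "type": "OFFLINE",   "mac": "2222-1111-1234", "user": "alice"},  # different log type, kept
    {"time": 200, "type": "AUTH_FAIL", "mac": "3333-1111-1234", "user": "bob"},    # other MAC, kept
    {"time": 350, "type": "AUTH_FAIL", "mac": "2222-1111-1234", "user": "alice"},  # period elapsed, kept
    {"time": 360, "type": "AUTH_FAIL", "mac": None,             "user": "carol"},  # no MAC: keyed by user name
    {"time": 400, "type": "AUTH_FAIL", "mac": None,             "user": "carol"},  # suppressed by user name
]

if __name__ == "__main__":
    logged, suppressed = replay(EVENTS)
    print("logged event indices:", logged)
    print("suppressed per key:", suppressed)
```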

Example

# Enable system log suppression.

<HUAWEI> system-view
[HUAWEI] access-user syslog-restrain enable

access-user syslog-restrain period

Function

The access-user syslog-restrain period command sets a period for system log suppression.

The undo access-user syslog-restrain period command restores the default period for system log suppression.

By default, the period of system log suppression is 300s.

Format

access-user syslog-restrain period period

undo access-user syslog-restrain period

Parameters

Parameter: period
Description: Specifies the period for system log suppression.
Value: The value is an integer that ranges from 60 to 604800, in seconds.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

After the system log suppression function is enabled using the access-user syslog-restrain enable command, use this command to set the system log suppression period. After generating a system log, the device will not generate the same log within the suppression period.

Example

# Set the period for system log suppression to 600s.

<HUAWEI> system-view
[HUAWEI] access-user syslog-restrain period 600

acl authorization statistics enable

Function

The acl authorization statistics enable command enables statistics collection on packets that match the ACLs assigned for authorization.

The undo acl authorization statistics enable command disables statistics collection on packets that match the ACLs assigned for authorization.

By default, statistics collection on packets that match the ACLs assigned for authorization is disabled.

Format

acl authorization statistics enable

undo acl authorization statistics enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

On a live network, the authentication server may assign ACLs to users who pass NAC authentication to grant the users access to the network. You can run the acl authorization statistics enable command to check the number of user packets that match the assigned ACLs.

Precautions

The function takes effect only for users who go online after this function is enabled.

Example

# Enable statistics collection on packets that match the ACLs assigned for authorization.

<HUAWEI> system-view
[HUAWEI] acl authorization statistics enable

acl-id (service scheme view)

Function

The acl-id command binds an ACL to a service scheme.

The undo acl-id command unbinds the ACL from the service scheme.

By default, no ACL is bound to a service scheme.

Format

acl-id acl-number

undo acl-id { acl-number | all }

Parameters

Parameter: acl-number
Description: Specifies the number of an ACL bound to a service scheme.
Value: The value is an integer that ranges from 3000 to 3999.

Parameter: all
Description: Deletes the numbers of all ACLs bound to a service scheme.
Value: -

Views

Service scheme view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After creating a service scheme using the service-scheme (AAA view) command, you can run the acl-id command to bind an ACL to the service scheme. The user assigned with the service scheme will have the ACL rules.

Prerequisites

An IPv4 ACL must have been created using the acl (system view) or acl name command.

Precautions

When different types of boards are installed, the minimum board specifications are used for the ACL rules delivered by a service scheme.

If the ACL authorized to users who go online through X series cards is not a user-defined one, the source IP address attribute in the ACL rule does not take effect. In all other cases, the IP address in the ACL rule is replaced with the user's IP address.

If you run this command multiple times, only the latest configuration takes effect.

Example

# Bind ACL 3001 to the service scheme huawei.

<HUAWEI> system-view
[HUAWEI] acl 3001
[HUAWEI-acl-adv-3001] quit
[HUAWEI] aaa
[HUAWEI-aaa] service-scheme huawei
[HUAWEI-aaa-service-huawei] acl-id 3001

authentication handshake

Function

The authentication handshake command enables the handshake with pre-connection users and authorized users.

The undo authentication handshake command disables the handshake with pre-connection users and authorized users.

By default, the handshake with pre-connection users and authorized users is enabled.

Format

authentication handshake

undo authentication handshake

Parameters

None

Views

Authentication profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The device creates entries for pre-connection users, users who fail to be authenticated and are assigned network access rights, and users who are authenticated. After users go offline in normal situations, the system immediately deletes the corresponding user entries. However, if some users go offline due to exceptions such as network disconnections, the system cannot immediately delete the corresponding user entries. If there are too many such invalid user entries, other users may fail to access the network.

To solve this problem, run the authentication handshake command to enable the handshake with pre-connection users and authorized users. If a user does not respond to the handshake request from the device within the handshake interval, the device deletes the user entry.

Precautions

  • The handshake interval for MAC address authentication users, Layer 3 Portal authentication users, and 802.1X authentication users is configured using the authentication timer handshake-period command. The handshake interval for Layer 2 Portal authentication users is configured using the portal timer offline-detect command.

  • For Layer 3 Portal authentication users, only those who go online through X series cards support this function.

  • This function takes effect only for wired users who have obtained IP addresses.

  • The handshake is implemented using ARP probe packets (IPv4) or neighbor discovery (ND) probe packets (IPv6).

  • The device also uses the presence of user traffic to decide whether a probe is needed. Assuming that the handshake interval is 3n, the device checks for user traffic at n and 2n. The 0-n period is described below; the n-2n period is handled in the same way.
    • If user traffic passes through the device during the 0-n period, the device considers the user online at n, sends no probe packet, and restarts the handshake interval.
    • If no user traffic passes through the device during the 0-n period, the device cannot determine at n whether the user is online, so it sends a probe packet. If the user replies, the device considers the user online and restarts the handshake interval. If no reply is received, the device considers the user offline.
    • If user traffic passes through the device during the 2n-3n period, the device considers the user online at 3n and restarts the handshake interval.
    • If no user traffic passes through the device during the 2n-3n period, the device cannot determine at 3n whether the user is online and considers the user offline (no probe packet is sent at 3n).
    When the device considers a user offline at any of these check points (n, 2n, or 3n), it deletes all entries related to the user. To prevent an idle user whose PC generates no traffic from being taken offline unexpectedly, do not set a short handshake period.

Example

# In the authentication profile p1, enable the handshake with pre-connection users and authorized users.

<HUAWEI> system-view
[HUAWEI] authentication-profile name p1
[HUAWEI-authen-profile-p1] authentication handshake

authentication control-direction

Function

The authentication control-direction command configures the direction of traffic controlled by the device.

By default, the device only controls the upstream traffic.

Format

authentication control-direction { all | inbound }

Parameters

Parameter: all
Description: Configures bidirectional traffic control.
Value: -

Parameter: inbound
Description: Controls only the upstream traffic.
Value: -

Views

Authentication profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

By default, the access authentication device discards all traffic sent by users who fail 802.1X authentication or MAC address authentication. However, these users can still receive broadcast packets sent by successfully authenticated users in the same VLAN. To prevent users who fail authentication from receiving these broadcast packets, run the authentication control-direction all command to configure bidirectional traffic control. To restore the default behavior, run the authentication control-direction inbound command so that the device controls only the traffic sent by users who fail authentication.

Precautions

  • This function applies only to 802.1X authentication and MAC address authentication.

  • This function takes effect only when an access switch functions as the authentication device and an interface of the switch is connected to only one IP phone or PC.

  • This function does not take effect when users have pre-connection entries or authentication event entries. You are advised to run the undo authentication pre-authen-access enable command to disable the function of keeping users who fail authentication and have no network access rights in the pre-connection state, and not to run the authentication event command to configure the device to assign network access rights to users in the phases before authentication succeeds.

  • If multiple users go online on the same interface in the same VLAN, bidirectional traffic control does not take effect on this interface.

  • Layer 3 interfaces do not support bidirectional traffic control.

  • You are advised to run the stp edged-port enable command to configure the interface on which the function is applied as an edge port. The interface can be added to a maximum of four VLANs.

  • The SVF and policy association scenarios do not support this function.

  • WLAN scenarios do not support this function.

  • When this function is configured, the recommended STP mode is VBST. If the STP mode is changed after users go online, traffic is interrupted for a short time. If the STP mode is set to MSTP or STP, run the instance command to map VLANs to different spanning tree instances (MSTIs).

  • A user VLAN cannot be specified as an RRPP or ERPS control VLAN.

Example

# Configure bidirectional traffic control in the authentication profile authen1.

<HUAWEI> system-view
[HUAWEI] authentication-profile name authen1
[HUAWEI-authen-profile-authen1] authentication control-direction all

authentication device-type voice authorize

Function

The authentication device-type voice authorize command enables voice terminals to go online without authentication.

The undo authentication device-type voice authorize command disables voice terminals from going online without authentication.

By default, voice terminals are disabled from going online without authentication.

Format

authentication device-type voice authorize [ service-scheme scheme-name ]

undo authentication device-type voice authorize [ service-scheme ]

Parameters

Parameter: service-scheme scheme-name
Description: Specifies the name of the service scheme based on which network access rights are assigned to voice terminals.
Value: An existing service scheme name.

Views

Authentication profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When both data terminals (such as PCs) and voice terminals (such as IP phones) are connected to devices, NAC is configured on the devices to manage and control the data terminals. The voice terminals, however, only need to connect to the network without being managed and controlled. In this case, you can configure the voice terminals to go online without authentication on the devices. Then the voice terminals identified by the devices can go online without authentication.

Precautions

When a RADIUS server is used for dynamic VLAN delivery, the following RADIUS attributes must be used: (064) Tunnel-Type (which must be set to VLAN, value 13), (065) Tunnel-Medium-Type (which must be set to 802, value 6), and (081) Tunnel-Private-Group-ID (which can be set to the VLAN ID, VLAN description, VLAN name, or VLAN pool). To ensure that the RADIUS server delivers VLAN attributes correctly, all three attributes must be present, and Tunnel-Type and Tunnel-Medium-Type must be set to the specified values. When a voice VLAN is delivered, the RADIUS vendor-specific attribute (26-33) HW-Voice-Vlan must also be used.
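
The following Python is an added example, not code from this document or from Huawei. It encodes the three RFC 2868 tunnel attributes in the form the switch requires and checks a received attribute set against that rule, including the tag-grouping pitfall in which Tunnel-Private-Group-ID is sent without the tag that Tunnel-Type and Tunnel-Medium-Type carry. The byte layouts follow RFC 2865 and RFC 2868; the Huawei vendor ID (2011) used for the HW-Voice-Vlan VSA and the value 1 placed in it are assumptions; every attribute set built here is constructed input for the demonstration.

```python
"""RADIUS attributes for dynamic VLAN delivery (RFC 2868 attributes 64, 65 and 81).
Added example, not from the Huawei document: layouts follow RFC 2865/2868; the Huawei
vendor ID and the HW-Voice-Vlan value are assumptions; all inputs are constructed."""
import struct

TUNNEL_TYPE = 64              # tagged integer (RFC 2868)
TUNNEL_MEDIUM_TYPE = 65       # tagged integer (RFC 2868)
TUNNEL_PRIVATE_GROUP_ID = 81  # tagged string (RFC 2868)
VENDOR_SPECIFIC = 26          # RFC 2865
REQUIRED = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID}

TUNNEL_TYPE_VLAN = 13         # value the switch requires in attribute 64
TUNNEL_MEDIUM_IEEE_802 = 6    # value the switch requires in attribute 65

HUAWEI_VENDOR_ID = 2011       # assumption: Huawei's IANA enterprise number
HW_VOICE_VLAN = 33            # vendor type, from "(26-33) HW-Voice-Vlan" above


def _avp(attr_type, payload):
    """Type, Length, Value; the length octet also counts the type and length octets."""
    if len(payload) > 253:
        raise ValueError("attribute payload too long")
    return struct.pack("!BB", attr_type, len(payload) + 2) + payload

def tagged_integer(attr_type, tag, value):
    """One tag octet (0x00-0x1F) followed by a 3-octet big-endian integer."""
    if not 0 <= tag <= 0x1F or not 0 <= value <= 0xFFFFFF:
        raise ValueError("tag must be 0..31 and value must fit in 24 bits")
    return _avp(attr_type, bytes([tag]) + value.to_bytes(3, "big"))

def tagged_string(attr_type, tag, text):
    """One tag octet (0x00-0x1F) followed by the string."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    return _avp(attr_type, bytes([tag]) + text.encode("ascii"))

def vendor_specific(vendor_id, vendor_type, payload):
    """Vendor-Specific: 4-octet vendor ID, then a nested vendor type/length/value."""
    inner = struct.pack("!BB", vendor_type, len(payload) + 2) + payload
    return _avp(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)

def build_vlan_authorization(group_id, tag=1, voice=False):
    """The three tunnel attributes sharing one tag; optionally HW-Voice-Vlan for a voice VLAN."""
    attrs = (tagged_integer(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
             + tagged_integer(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
             + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, group_id))
    if voice:
        # assumption: HW-Voice-Vlan carries integer 1 to mark the delivered VLAN as the voice VLAN
        attrs += vendor_specific(HUAWEI_VENDOR_ID, HW_VOICE_VLAN, struct.pack("!I", 1))
    return attrs

def parse_avps(data):
    """Split a run of attributes into (type, value) pairs, rejecting bad lengths."""
    avps, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute length")
        avps.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return avps

def check_vlan_authorization(data):
    """Apply the switch's rule: 64, 65 and 81 all present with the same tag, 64 == 13, 65 == 6.
    Returns (group_id, "ok") when the set is acceptable, otherwise (None, reason)."""
    by_tag = {}
    for attr_type, value in parse_avps(data):
        if attr_type not in REQUIRED or not value:
            continue
        if attr_type == TUNNEL_PRIVATE_GROUP_ID and value[0] > 0x1F:
            tag, body = 0, value  # RFC 2868: a first octet above 0x1F is string data, not a tag
        else:
            tag, body = value[0], value[1:]
        by_tag.setdefault(tag, {})[attr_type] = body
    if not by_tag:
        return None, "no tunnel attributes present"
    tag = min(by_tag)  # evaluate the lowest-numbered tag group
    attrs = by_tag[tag]
    missing = REQUIRED - attrs.keys()
    if missing:
        return None, f"tag {tag}: missing attribute(s) {sorted(missing)}"
    if int.from_bytes(attrs[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN:
        return None, f"tag {tag}: Tunnel-Type is not VLAN (13)"
    if int.from_bytes(attrs[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_IEEE_802:
        return None, f"tag {tag}: Tunnel-Medium-Type is not 802 (6)"
    return attrs[TUNNEL_PRIVATE_GROUP_ID].decode("ascii"), "ok"

def untagged_group_id_mistake():
    """Constructed misconfiguration: 64 and 65 carry tag 1 but 81 was sent with no tag."""
    return (tagged_integer(TUNNEL_TYPE, 1, TUNNEL_TYPE_VLAN)
            + tagged_integer(TUNNEL_MEDIUM_TYPE, 1, TUNNEL_MEDIUM_IEEE_802)
            + _avp(TUNNEL_PRIVATE_GROUP_ID, b"100"))

if __name__ == "__main__":
    print(check_vlan_authorization(build_vlan_authorization("100")))   # ('100', 'ok')
    print(check_vlan_authorization(untagged_group_id_mistake()))       # (None, 'tag 0: ...')
```

The untagged_group_id_mistake() case is the one to watch for on the server side: because the first octet of "100" is above 0x1F, the switch has to read the attribute as untagged, so the group ID lands in a different tag group from Tunnel-Type and Tunnel-Medium-Type and the set no longer contains all three attributes together. Give all three attributes the same tag (or none at all) in the RADIUS reply.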

To enable the switches to identify voice terminals, enable LLDP or configure an OUI for the voice VLAN on the switches. For details, see Configuring Basic LLDP Functions in "LLDP Configuration" in the S12700 V200R013C00 Configuration Guide - Network Management and Monitoring or Configuring a Voice VLAN Based on a MAC Address in "Voice VLAN Configuration" in the S12700 V200R013C00 Configuration Guide - Ethernet Switching. If a voice device supports only CDP and not LLDP, configure CDP-compatible LLDP on the switch using the lldp compliance cdp receive command.

After the voice VLAN function is enabled on an interface using the voice-vlan enable command, authenticated voice terminals are authorized to use the voice VLAN if the VLAN of the voice terminals is the same as the voice VLAN.

If a voice terminal initiates 802.1X authentication, the device processes the authentication request first. If the authentication succeeds, the terminal obtains the corresponding network access rights. If the authentication fails, the device identifies the terminal type and allows the terminal to go online without authentication.

If you run this command repeatedly, the latest configuration overrides the previous ones.

This function takes effect only for users who go online after this function is successfully configured.

Example

# In the authentication profile p1, enable the device to allow voice terminals to go online without authentication and assign the service scheme s1 to voice terminals that are not authenticated.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] service-scheme s1
[HUAWEI-aaa-service-s1] quit
[HUAWEI-aaa] quit
[HUAWEI] authentication-profile name p1
[HUAWEI-authen-profile-p1] authentication device-type voice authorize service-scheme s1

authentication dot1x-mac-bypass

Function

The authentication dot1x-mac-bypass command enables MAC address bypass authentication.

The undo authentication dot1x-mac-bypass command disables MAC address bypass authentication.

By default, MAC address bypass authentication is disabled.

Format

authentication dot1x-mac-bypass

undo authentication dot1x-mac-bypass

Parameters

None

Views

Authentication profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can configure MAC address bypass authentication to authenticate terminals such as printers that cannot have the 802.1X client installed.

After MAC address bypass authentication is enabled in an authentication profile, the device first performs 802.1X authentication for users using the authentication profile. If a user does not respond to the user name request before it times out, the device starts MAC address authentication for that user.

Precautions

MAC address bypass authentication involves 802.1X authentication and MAC address authentication. Before enabling this function in an authentication profile, ensure that an 802.1X access profile and a MAC access profile have been bound to the authentication profile.

Example

# In the authentication profile p1, enable MAC address bypass authentication.

<HUAWEI> system-view
[HUAWEI] authentication-profile name p1
[HUAWEI-authen-profile-p1] authentication dot1x-mac-bypass

authentication event action authorize

Function

The authentication event action authorize command configures authentication event authorization information.

The undo authentication event action authorize command restores the default setting.

By default, authentication event authorization information is not configured.

Format

User authorization in the case of pre-connections:

authentication event pre-authen action authorize { vlan vlan-id | service-scheme service-scheme-name | ucl-group ucl-group-name }

undo authentication event pre-authen action authorize

User authorization when authentication fails:

authentication event authen-fail action authorize { vlan vlan-id | service-scheme service-scheme-name | ucl-group ucl-group-name } [ response-fail ]

undo authentication event authen-fail action authorize

User authorization when the authentication server is Down:

authentication event authen-server-down action authorize { vlan vlan-id | service-scheme service-scheme-name | ucl-group ucl-group-name } [ response-fail ]

authentication event authen-server-down action authorize keep [ no-response | response-fail ]

undo authentication event authen-server-down action authorize

User authorization when the authentication server does not respond:

authentication event authen-server-noreply action authorize keep [ no-response | response-fail ]

undo authentication event authen-server-noreply action authorize

Parameters

Parameter: pre-authen
Description: Configures the device to assign network access rights to users when they establish pre-connections with the device.
Value: -

Parameter: authen-fail
Description: Configures the device to assign network access rights to users when the authentication server sends authentication failure packets to the device.
Value: -

Parameter: authen-server-down
Description: Configures the device to assign network access rights to users when the authentication server is Down or in the forcible Up state.
Value: -

Parameter: authen-server-noreply
Description: Configures the device to assign network access rights to users when the authentication server does not respond.
Value: -

Parameter: response-fail
Description: Configures the device to send authentication failure packets to users after assigning network access rights to them. If this parameter is not specified, the device sends authentication success packets, so users cannot tell that their authentication actually failed. Specify this parameter so that users learn their real authentication result.
Value: -

Parameter: vlan vlan-id
Description: Specifies a VLAN ID. When this parameter is specified, users can access only the resources in the VLAN.
Value: An integer that ranges from 1 to 4094.

Parameter: service-scheme service-scheme-name
Description: Specifies the name of the service scheme based on which network access rights are assigned to users.
Value: An existing service scheme name on the device.

Parameter: ucl-group ucl-group-name
Description: Specifies the name of the UCL group based on which network access rights are assigned to users.
Value: An existing UCL group name on the device.

Parameter: keep
Description: Configures online users to retain their original network access rights.
Value: -

Parameter: no-response
Description: Configures the device not to send response packets to users after assigning network access rights to them. If this parameter is not specified, the device sends an authentication success packet to users.
Value: -

Views

Authentication profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If users establish pre-connections with the device or fail to be authenticated, they have no network access rights.

To meet these users' basic network access requirements such as updating the antivirus database and downloading the client, configure authentication event authorization information. The device will assign network access rights to these users based on the authentication phase.

Precautions

If no network access right is configured for users who fail authentication or for the case in which the authentication server is Down, such users establish pre-connections with the device after authentication fails and then have the network access rights configured for pre-connection users.

VLAN-based authorization does not apply to the authentication users who access through VLANIF interfaces.

If a user uses Portal authentication or combined authentication (including Portal authentication), the device cannot authorize a VLAN to the user.

If a user uses Portal authentication, the keep parameter cannot be configured.

The configured vlan, service-scheme, or ucl-group parameter takes effect only for new online users.

Wireless 802.1X authentication in EAP mode does not support this function.

For the non-X series cards, if the user upstream rate limit is configured in the QoS profile bound to a service scheme, do not configure the device to use the service scheme to grant network access rights to users in the pre-connection phase. Otherwise, users go offline.

When the authentication server is in Down state, user authentication fails, or the user is in pre-connection state, the redirection ACL function is not supported. For details about this function, see redirect-acl.

Example

# In the authentication profile authen1, configure the device to assign network access rights specified in VLAN 10 to pre-connection users.

<HUAWEI> system-view
[HUAWEI] vlan batch 10
[HUAWEI] authentication-profile name authen1
[HUAWEI-authen-profile-authen1] authentication event pre-authen action authorize vlan 10

authentication event authen-server-down action close re-authen

Function

The authentication event authen-server-down action close re-authen command disables re-authentication when the authentication server is Down.

The undo authentication event authen-server-down action close re-authen command restores the default setting.

By default, re-authentication is enabled when the authentication server is Down.

Format

authentication event authen-server-down action close re-authen

undo authentication event authen-server-down action close re-authen

Parameters

None

Views

Authentication profile view

Default Level

2: Configuration level

Usage Guidelines

In a re-authentication scenario in which the authentication event action authorize keep command has been run, online users retain their original network access rights while the authentication server is Down. If re-authentication is still performed on these users, the client repeatedly initiates re-authentication, cannot complete it because the server is Down, and may enter the silent state after several attempts, after which the users cannot access the network. To prevent this problem, you are advised to run the authentication event authen-server-down action close re-authen command to disable re-authentication when the authentication server is Down.

Example

# Disable re-authentication when the authentication server is Down.

<HUAWEI> system-view
[HUAWEI] authentication-profile name authen1
[HUAWEI-authen-profile-authen1] authentication event authen-server-down action close re-authen

authentication event authen-server-up action re-authen

Function

The authentication event authen-server-up action re-authen command enables the device to re-authenticate users in the survival state when the authentication server changes from Down or forcible Up to Up.

The undo authentication event authen-server-up action re-authen command restores the default setting.

By default, the device does not re-authenticate users in the survival state when the authentication server changes from Down or forcible Up to Up.

Format

authentication event authen-server-up action re-authen

undo authentication event authen-server-up action re-authen

Parameters

None

Views

Authentication profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Users in the survival state are users who failed authentication because the authentication server was Down and were assigned specified network access rights by the device; they can access only limited network resources. To restore their normal network access, the device needs to re-authenticate users in the survival state as soon as the authentication server turns Up.

After the RADIUS server is set to Down, run the radius-server dead-time dead-time command to set how long the server stays Down before it is tried again. When dead-time expires, the server is set to forcible Up. When the device successfully exchanges packets with the server, the server is set to Up. The device re-authenticates users in the survival state when the server changes from Down or forcible Up to Up. Re-authentication is not triggered when the server changes from Down to forcible Up.

Prerequisites

The radius-server testuser command has been configured in the RADIUS server template so that the device can detect that the authentication server changes from Down to Up.

Precautions

This function takes effect only for users who go online after this function is successfully configured.

Example

# In the authentication profile authen1, enable the device to re-authenticate users when the authentication server turns Up from Down or forcible Up.

<HUAWEI> system-view
[HUAWEI] authentication-profile name authen1
[HUAWEI-authen-profile-authen1] authentication event authen-server-up action re-authen

authentication event client-no-response action authorize

Function

The authentication event client-no-response action authorize command configures network access rights for users when the 802.1X client does not respond.

The undo authentication event client-no-response action authorize command restores the default setting.

By default, no network access right is configured for users when the 802.1X client does not respond.

Format

authentication event client-no-response action authorize { service-scheme service-scheme-name | ucl-group ucl-group-name | vlan vlan-id }

undo authentication event client-no-response action authorize

Parameters

Parameter: service-scheme service-scheme-name
Description: Specifies the name of the service scheme based on which network access rights are assigned.
Value: An existing service scheme name on the device.

Parameter: ucl-group ucl-group-name
Description: Specifies the name of the UCL group based on which network access rights are assigned.
Value: An existing UCL group name on the device.

Parameter: vlan vlan-id
Description: Specifies a VLAN ID. When this parameter is specified, users can access only the resources in the VLAN.
Value: An integer that ranges from 1 to 4094.

Views

802.1X access profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If the 802.1X client does not respond, users cannot pass authentication and thereby have no network access right. Before being successfully authenticated, some users may need certain basic network access rights to download client software and update the antivirus database. The network access rights can be configured for the users when the 802.1X client does not respond, so that the users can access specified network resources.

Precautions

This function takes effect only for users who go online after this function is successfully configured.

When an 802.1X client does not respond, the redirection ACL function is not supported. For details about the function, see redirect-acl.

Example

# In the 802.1X access profile d1, configure the device to assign the network access rights specified in VLAN 10 for users when the 802.1X client does not respond.

<HUAWEI> system-view
[HUAWEI] vlan batch 10
[HUAWEI] dot1x-access-profile name d1
[HUAWEI-dot1x-access-profile-d1] authentication event client-no-response action authorize vlan 10

authentication event portal-server-down action authorize

Function

The authentication event portal-server-down action authorize command configures network access rights for users when the Portal server is Down.

The undo authentication event portal-server-down action authorize command deletes the network access rights configured for users when the Portal server is Down.

By default, no network access right is configured for users when the Portal server is Down.

Format

authentication event portal-server-down action authorize { service-scheme service-scheme-name | ucl-group ucl-group-name }

undo authentication event portal-server-down action authorize

Parameters

Parameter: service-scheme service-scheme-name
Description: Specifies the name of the service scheme based on which network access rights are assigned to users.
Value: An existing service scheme name.

Parameter: ucl-group ucl-group-name
Description: Specifies the name of the UCL group based on which network access rights are assigned to users.
Value: An existing UCL group name.

Views

Portal access profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If the Portal server is Down, users cannot pass the authentication and thereby have no network access right. Before being successfully authenticated, some users may need certain basic network access rights to download client software and update the antivirus database. The network access rights can be configured for the users when the Portal server is Down, so that the users can access specified network resources.

Prerequisites

A UCL group has been created using the ucl-group command in the system view.

A service scheme has been created using the service-scheme command in the AAA view.

Precautions

  • This function takes effect only for users who go online after this function is successfully configured.

  • This function takes effect only for Portal authentication users whose authentication is triggered by HTTP packets.

  • Before enabling the access device to assign network access rights to users when the Portal server is Down, enable the heartbeat detection function on the Portal server and run the server-detect command on the access device to enable Portal server detection.

  • When the Portal server is in the Down state, the redirection ACL function is not supported. For details about this function, see redirect-acl.

Example

# In the Portal access profile p1, configure the device to assign network access rights based on the service scheme s1 to users when the Portal server is Down.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] service-scheme s1
[HUAWEI-aaa-service-s1] quit
[HUAWEI-aaa] quit
[HUAWEI] portal-access-profile name p1
[HUAWEI-portal-acces-profile-p1] authentication event portal-server-down action authorize service-scheme s1

authentication event portal-server-up action re-authen

Function

The authentication event portal-server-up action re-authen command enables the device to re-authenticate users when the Portal server turns Up from Down.

The undo authentication event portal-server-up action re-authen command restores the default setting.

By default, the device does not re-authenticate users when the Portal server turns Up from Down.

Format

authentication event portal-server-up action re-authen

undo authentication event portal-server-up action re-authen

Parameters

None

Views

Portal access profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If the device is configured to assign network access rights to users when the Portal server is Down, users can access only limited network resources after the device detects that the Portal server is Down. To ensure that users regain normal network access rights after the Portal server goes Up, enable the device to re-authenticate users when the Portal server changes from Down to Up. After the Portal server goes Up, the device moves users whose status is displayed as web-server-down into the pre-connection state. Re-authentication starts when such a user visits any web page; if it succeeds, the device assigns the user normal network access rights.

Precautions

  • This command does not apply to users connected through a Layer 3 (routed) main interface.

  • This function takes effect only for users who go online after this function is successfully configured.

  • Before enabling the access device to assign network access rights to users when the Portal server is Down, enable the heartbeat detection function on the Portal server and run the server-detect command on the access device to enable Portal server detection.

Example

# In the Portal access profile p1, enable the device to re-authenticate users when the Portal server turns Up from Down.

<HUAWEI> system-view
[HUAWEI] portal-access-profile name p1
[HUAWEI-portal-acces-profile-p1] authentication event portal-server-up action re-authen

authentication ip-address in-accounting-start

Function

The authentication ip-address in-accounting-start command enables the function of carrying users' IP addresses in Accounting-Start packets.

The undo authentication ip-address in-accounting-start command disables the function of carrying users' IP addresses in Accounting-Start packets.

By default, the function of carrying users' IP addresses in Accounting-Start packets is disabled.

Format

authentication ip-address in-accounting-start

undo authentication ip-address in-accounting-start

Parameters

None

Views

Authentication profile view

Default Level

2: Configuration level

Usage Guidelines

Accounting-Start packets report users' access information and basic network information, including the IP address, to the accounting server. Run this command so that the device carries users' IP addresses in Accounting-Start packets.

In the following situations, the device cannot learn users' IP addresses and therefore does not send Accounting-Start packets:
  • For wireless users, STA address learning has been disabled using the learn-address-client disable command.
  • For wired users, the users have not yet obtained IP addresses or use statically configured IP addresses.

This command takes effect only for 802.1X authentication and MAC address authentication users. By default, Accounting-Start packets for Portal authentication carry users' IP addresses.

This command takes effect on both IPv4 and IPv6 users.

Example

# Enable the function of carrying users' IP addresses in Accounting-Start packets.

<HUAWEI> system-view
[HUAWEI] authentication-profile name test
[HUAWEI-authen-profile-test] authentication ip-address in-accounting-start

authentication ip-conflict-check enable

Function

The authentication ip-conflict-check enable command enables the client IP address conflict detection function.

The undo authentication ip-conflict-check enable command disables the client IP address conflict detection function.

By default, the device detects whether client IP addresses conflict with each other.

Format

authentication ip-conflict-check enable

undo authentication ip-conflict-check enable

Parameters

None

Views

Authentication profile view

Default Level

2: Configuration level

Usage Guidelines

IP address conflict detection is based on an IP hash table. If a client's IP address conflicts with an entry already present in the hash table on the device, the client cannot be authenticated. This prevents an unauthorized user from gaining network access by forging the IP address of another user, so keep the function enabled unless you have a specific reason to disable it. Some clients send ARP probe packets with the same fixed source IP address; if several such clients exist on the network, their addresses conflict with each other and authentication fails. In that case, you can disable IP address conflict detection.
NOTE:
After this function is disabled, IP address-based authorization does not take effect, and the protection against forged IP addresses described above is lost.

Example

# Enable the client IP address conflict detection function.

<HUAWEI> system-view
[HUAWEI] authentication-profile name test
[HUAWEI-authen-profile-test] authentication ip-conflict-check enable

authentication ipv6-control enable

Function

The authentication ipv6-control enable command enables network admission control for IPv6 users.

The undo authentication ipv6-control enable command disables network admission control for IPv6 users.

By default, the network admission control function is disabled for IPv6 users.

NOTE:

This command does not take effect on X series cards.

Format

authentication ipv6-control enable

undo authentication ipv6-control enable

Parameters

None

Views

Authentication profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

By default, after NAC authentication is enabled on the device, IPv6 users can still access the network without being authenticated in some scenarios. To close this gap, enable network admission control for IPv6 users so that IPv6 users can access the network only after being authenticated.

Precautions

The following table lists how different cards process IPv6 packets for users in different authentication states. "Disabled (default)" and "Enabled" refer to network admission control for IPv6 users. Layer 3 Portal authentication does not support pre-connection, so its Pre-connected cells are marked "-". On X series cards this command does not take effect, so the three "Enabled" columns collapse into one cell.

Card | Authentication Mode | Disabled (default): Not Authenticated | Disabled (default): Pre-connected | Disabled (default): Authenticated | Enabled: Not Authenticated | Enabled: Pre-connected | Enabled: Authenticated
X series cards | 802.1X authentication on Layer 2 Ethernet interfaces | Not permitted | Not permitted | Permitted | This command does not take effect.
X series cards | MAC address authentication on VLANIF interfaces | Not permitted | Not permitted | Permitted | This command does not take effect.
X series cards | MAC address authentication on Layer 2 Ethernet interfaces | Not permitted | Not permitted | Permitted | This command does not take effect.
X series cards | Layer 2 Portal authentication on VLANIF interfaces | Not permitted | Not permitted | Permitted | This command does not take effect.
X series cards | Layer 2 Portal authentication on Layer 2 Ethernet interfaces | Not permitted | Not permitted | Permitted | This command does not take effect.
X series cards | Layer 3 Portal authentication on VLANIF interfaces | Not permitted | - | Not permitted | This command does not take effect.
X series cards | Layer 3 Portal authentication on Layer 3 Ethernet interfaces | Not permitted | - | Not permitted | This command does not take effect.
All other cards | 802.1X authentication on Layer 2 Ethernet interfaces | Not permitted | Permitted | Permitted | Not permitted | Not permitted | Permitted
All other cards | MAC address authentication on VLANIF interfaces | Permitted | Permitted | Permitted | Not permitted | Not permitted | Permitted
All other cards | MAC address authentication on Layer 2 Ethernet interfaces | Not permitted | Permitted | Permitted | Not permitted | Not permitted | Permitted
All other cards | Layer 2 Portal authentication on VLANIF interfaces | Permitted | Permitted | Permitted | Not permitted | Not permitted | Permitted
All other cards | Layer 2 Portal authentication on Layer 2 Ethernet interfaces | Not permitted | Permitted | Permitted | Not permitted | Not permitted | Permitted
All other cards | Layer 3 Portal authentication on VLANIF interfaces | Permitted | - | Permitted | Not permitted | - | Not permitted
All other cards | Layer 3 Portal authentication on Layer 3 Ethernet interfaces | Not permitted | - | Not permitted | Not permitted | - | Not permitted

Example

# Enable network admission control for IPv6 users.

<HUAWEI> system-view
[HUAWEI] authentication-profile name test 
[HUAWEI-authen-profile-test] authentication ipv6-control enable

authentication mode

Function

The authentication mode command configures the user access mode.

The undo authentication mode command restores the default user access mode.

By default, the user access mode is multi-authen.

Format

authentication mode { single-terminal | single-voice-with-data | multi-share | multi-authen [ max-user max-user-number [ dot1x | mac-authen | portal | none ] * ] }

undo authentication mode [ multi-authen max-user [ dot1x | mac-authen | portal | none ] * ]

Parameters

Parameter Description Value
single-terminal

Specifies the interface to allow only one user to go online.

-

single-voice-with-data

Specifies the interface to allow only one data user and one voice user to go online.

This mode applies to the scenario in which a data user connects to a network through a voice terminal.

-

multi-share

Specifies the interface to allow multiple users to go online.

In this mode, the device authenticates only the first user. If the first user is authenticated, subsequent users share the first user's network access rights. If the first user goes offline, the other users go offline as well.

-

multi-authen

Specifies the interface to allow multiple users to go online.

In this mode, the device authenticates each access user. If users can be authenticated, the users have their individual network access rights. If a user goes offline, other users are not affected.

-

max-user max-user-number

Specifies the maximum number of access users on the interface in multi-authen mode.

The value is an integer that depends on card types.

dot1x

Specifies the maximum number of 802.1X authentication users allowed to connect to the interface in multi-authen mode.

-

mac-authen

Specifies the maximum number of MAC address authentication users allowed to connect to the interface in multi-authen mode.

-

portal

Specifies the maximum number of Portal authentication users allowed to connect to the interface in multi-authen mode.

-

none

Specifies the maximum number of pre-connection users allowed to connect to the interface in multi-authen mode.

-

Views

Authentication profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After enabling NAC authentication, configure a user access mode that matches how users connect to the interface. The user access modes are:
  • single-terminal: applies to the scenario in which only one data terminal is connected to the network through the interface.
  • single-voice-with-data: applies to the scenario in which only one data terminal is connected to the network on the device interface through a voice terminal.
  • multi-share: applies to the scenario that does not require high security and in which multiple data terminals are connected to the network on the device interface.
  • multi-authen: applies to the scenario that requires high security and in which multiple data terminals are connected to the network on the device interface. In this access mode, you can configure the maximum number of access users based on the actual user quantity on the interface. This prevents malicious users from occupying a large amount of device resources and ensures that the users on other device interfaces can normally go online.

Precautions

  • VLANIF interfaces do not support this function.
  • The authentication mode multi-authen max-user max-user-number command only sets the maximum number of access users allowed on the interface in multi-authen mode; it does not change the access mode of the interface. To switch the interface to multi-authen mode, run the authentication mode multi-authen command.
  • If multi-share mode is configured on a physical interface and the first access user fails authentication and sets up a pre-connection, every subsequent access user on that interface will also fail authentication. Therefore, if the first access user may fail authentication after multi-share mode is configured on a physical interface, the following operations are recommended:
    • Configure users not to set up pre-connections when 802.1X authentication or MAC address authentication is used. Run the undo authentication pre-authen-access enable command so that the device does not generate entries for users who obtain rights in the pre-connection phase.
    • Do not use multi-share mode with Portal authentication.
  • In the policy association scenario, the authentication mode multi-authen max-user max-user-number command configured on an access device does not take effect. To set the maximum number of access users allowed on an interface of an access device, run the authentication access-point max-user max-user-number command.
  • When the authentication mode in the authentication profile is multi-authen and an authorization VLAN is configured, set the interface type to hybrid or trunk in policy association scenarios and to hybrid in other scenarios.

Example

# In the authentication profile p1, set the user access mode to multi-authen.

<HUAWEI> system-view
[HUAWEI] authentication-profile name p1
[HUAWEI-authen-profile-p1] authentication mode multi-authen

authentication mac-authen-first force

Function

The authentication mac-authen-first force command configures forcible MAC address authentication before 802.1X authentication.

The undo authentication mac-authen-first force command restores the default setting.

By default, the forcible MAC address authentication is not configured before 802.1X authentication.

Format

authentication mac-authen-first force

undo authentication mac-authen-first force

Parameters

None

Views

Authentication profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If high security is required, users who access the network must use registered terminals for 802.1X authentication. To prevent users from using unregistered terminals to perform 802.1X authentication and occupying device and server resources, you can configure this function to force the users to perform MAC address authentication first. 802.1X authentication can be performed only after MAC address authentication succeeds. For an unregistered terminal, users go offline directly after MAC address authentication fails, and 802.1X authentication is not performed.

Precautions

This function is only supported in the wireless scenario.

Example

# Configure forcible MAC address authentication before 802.1X authentication.

<HUAWEI> system-view
[HUAWEI] authentication-profile name authen1
[HUAWEI-authen-profile-authen1] authentication mac-authen-first force

authentication mac-move enable

Function

The authentication mac-move enable command enables MAC address migration.

The undo authentication mac-move enable command disables MAC address migration.

By default, MAC address migration is disabled.

Format

authentication mac-move enable vlan { all | { vlan-id1 [ to vlan-id2 ] } & <1–10> }

undo authentication mac-move enable vlan { all | { vlan-id1 [ to vlan-id2 ] } & <1–10> }

Parameters

Parameter Description Value

vlan

Specifies the VLAN range in which MAC address migration is enabled.

-

all

Enables MAC address migration in all VLANs.

-

vlan-id1 [ to vlan-id2 ]

Enables MAC address migration in the specified VLANs.
  • vlan-id1 specifies the ID of the first VLAN in the range.
  • vlan-id2 specifies the ID of the last VLAN in the range. The value of vlan-id2 must be greater than that of vlan-id1.

The value is an integer that ranges from 1 to 4094.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Consider a user who is authenticated and accessing the network through one interface of the device, and whose network cable is then unplugged from that interface and plugged into another interface on the same device. The user cannot immediately initiate authentication and access the network on the new interface: authentication is possible only after the user offline detection interval expires, or after the original authentication interface is shut down and re-enabled to clear the user's online entry. To improve user experience, enable MAC address migration so that the user can initiate authentication and access the network immediately after being switched to another access interface.

MAC address migration allows online NAC authentication users to immediately initiate authentication and access the network after they are switched to another access interface. If the user is authenticated successfully on the new interface, the online user entry on the original interface is deleted immediately, so that only one interface records an online entry for the user.

The VLANs in which MAC address migration takes effect must be specified. The VLANs before and after migration can be the same or different.

Precautions

  • Normally, enabling MAC address migration is not recommended. Enable it only when users actually need to migrate while roaming. Keeping it disabled prevents an unauthorized user from forging the MAC address of an online user and sending ARP, 802.1X, or DHCP packets on another authentication control interface to trigger MAC address migration and force the authorized user offline.

  • In the Policy Association and SVF scenario, the device does not support MAC address migration.
  • In the Layer 2 BNG scenario, the device does not support MAC address migration.
  • Cascading migration through intermediate devices is not supported, because ARP and DHCP packets are not sent after the cascading migration.
  • The device does not support MAC address migration for a terminal with one MAC address and multiple IP addresses.
  • MAC address migration is not supported for Layer 3 Portal authentication users and PPPoE authentication users.
  • A user is switched from an interface configured with NAC authentication to another interface not configured with NAC authentication. In this case, the user can access the network only after the original online entry is aged because the new interface cannot send authentication packets to trigger MAC migration.
  • In common mode, Portal authentication is triggered only after users who go online through a VLANIF interface send ARP packets and go offline; otherwise, the users can go online again only after the original user online entries age out. Portal authentication cannot be triggered after users who go online through physical interfaces migrate. The users can go online again only after the original user online entries age out.
  • After a user who goes online from a VLANIF interface is quieted because of multiple MAC address migrations, MAC address migration can be performed for the quieted user only after the quiet period expires and the ARP entry is aged out.
  • After authorized VLANs are delivered to users who go online on the cards except X series cards, some users may fail to migrate. In this scenario, the users can go online again only after the user entries on the interface before the migration are aged out.
  • When an authorized VLAN is specified in the authentication mac-move enable vlan command, you are advised to enable the function of detecting the user status before user MAC address migration.

Example

# Enable MAC address migration in all VLANs.

<HUAWEI> system-view
[HUAWEI] authentication mac-move enable vlan all

authentication mac-move detect enable

Function

The authentication mac-move detect enable command enables a device to detect users' online status before user MAC address migration.

The undo authentication mac-move detect enable command disables a device from detecting users' online status before user MAC address migration.

By default, a device is disabled from detecting users' online status before user MAC address migration.

Format

authentication mac-move detect enable

undo authentication mac-move detect enable

Parameters

None

Views

System view, authentication profile view

Default Level

2: Configuration level

Usage Guidelines

To prevent unauthorized users from spoofing online users to attack a device, run the authentication mac-move detect enable command to enable the device to detect users' online status before user MAC address migration. If no users are online, the device permits MAC address migration and allows users to go online from a new access interface. If a user is online, the device terminates MAC address migration and does not allow the user to go online from a new access interface.

You can also run the authentication mac-move detect retry-interval retry-time command to set the detection interval and maximum number of detections before user MAC address migration.

By default, the user status detection function before user MAC address migration is disabled in the system view, but it is enabled in the authentication profile view. This function takes effect only when it is enabled both in the system view and authentication profile view. To disable the device from detecting the online status of users connected to certain interfaces before user MAC address migration, run the undo authentication mac-move detect enable command in the authentication profiles bound to these interfaces.

Example

# Enable a device to detect users' online status before user MAC address migration.

<HUAWEI> system-view
[HUAWEI] authentication mac-move detect enable

authentication mac-move detect retry-interval retry-time

Function

The authentication mac-move detect retry-interval retry-time command sets the detection interval and maximum number of detections before user MAC address migration.

The undo authentication mac-move detect retry-interval retry-time command restores the default setting.

By default, a device detects users' online status once. The detection interval is 3 seconds.

Format

authentication mac-move detect { retry-interval interval | retry-time times } *

undo authentication mac-move detect { retry-interval | retry-time } *

Parameters

Parameter

Description

Value

interval

Specifies the interval at which a device detects users' online status before user MAC address migration.

The value is an integer that ranges from 1 to 5, in seconds.

times

Specifies the maximum number of detections before user MAC address migration.

The value is an integer that ranges from 1 to 3.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

After a device is enabled to detect users' online status before user MAC address migration, if no users are online, the device permits MAC address migration and allows users to go online from a new access interface. If a user is online, the device terminates MAC address migration and does not allow the user to go online from a new access interface. You can run the authentication mac-move detect { retry-interval interval | retry-time times } * command to modify the default detection interval and maximum number of detections.

Example

# Configure a device to detect users' online status twice at an interval of 5 seconds before user MAC address migration.

<HUAWEI> system-view
[HUAWEI] authentication mac-move detect retry-interval 5 retry-time 2

authentication mac-move quiet-log enable

Function

The authentication mac-move quiet-log enable command enables the device to record logs about MAC address migration quiet.

The undo authentication mac-move quiet-log enable command disables the device from recording logs about MAC address migration quiet.

By default, the device is enabled to record logs about MAC address migration quiet.

Format

authentication mac-move quiet-log enable

undo authentication mac-move quiet-log enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

The device can record logs when adding or deleting MAC address migration quiet entries. This helps the administrator to find out the cause for MAC address migration failure, and improves maintainability of the MAC address migration quiet function.

Example

# Enable the device to record logs about MAC address migration quiet.

<HUAWEI> system-view
[HUAWEI] authentication mac-move quiet-log enable

authentication mac-move quiet-times quiet-period

Function

The authentication mac-move quiet-times quiet-period command configures the quiet period and the maximum number of MAC address migration times within 60 seconds before users enter the quiet state.

The undo authentication mac-move quiet-times quiet-period command restores the default settings.

The default quiet period is 0 seconds and the maximum number of MAC address migration times within 60 seconds before users enter the quiet state is 3.

Format

authentication mac-move { quiet-times times | quiet-period quiet-value } *

undo authentication mac-move { quiet-times | quiet-period } *

Parameters

Parameter

Description

Value

times

Specifies the maximum number of MAC address migration times within 60 seconds before users enter the quiet state.

The value is an integer that ranges from 1 to 10.

quiet-value

Specifies the quiet period for MAC address migration users.

The value is an integer that ranges from 0 to 3600.

The value 0 indicates that the MAC address migration quiet function is disabled.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

When users frequently switch access interfaces (especially frequent switching due to loops), the device needs to process a large number of authentication packets and entries, which results in high CPU usage. To solve this problem, configure the MAC address migration quiet function.

If the number of MAC address migration times for a user within 60 seconds exceeds the value (times) after the MAC address migration quiet function is enabled, the device quiets the user for a certain period (quiet-value). During the quiet period, the device does not allow users to perform MAC address migration.

Example

# Configure the quiet period to 120 seconds and the maximum number of MAC address migration times within 60 seconds before users enter the quiet state to 5.

<HUAWEI> system-view
[HUAWEI] authentication mac-move quiet-times 5 quiet-period 120

authentication mac-move quiet-user-alarm enable

Function

The authentication mac-move quiet-user-alarm enable command enables the device to send alarms about MAC address migration quiet.

The undo authentication mac-move quiet-user-alarm enable command disables the device from sending alarms about MAC address migration quiet.

By default, the device is disabled from sending alarms about MAC address migration quiet.

Format

authentication mac-move quiet-user-alarm enable

undo authentication mac-move quiet-user-alarm enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

The device can send alarms about MAC address migration quiet to improve the maintainability of the MAC address migration quiet function. The device sends an alarm when the number of users in the MAC address migration quiet table, expressed as a percentage of the table's maximum number of users, exceeds the configured upper alarm threshold. When that percentage falls to the lower alarm threshold or below, the device sends a clear alarm. The upper and lower alarm thresholds are configured using the authentication mac-move quiet-user-alarm percentage command.

Example

# Enable the device to send alarms about MAC address migration quiet.

<HUAWEI> system-view
[HUAWEI] authentication mac-move quiet-user-alarm enable

authentication mac-move quiet-user-alarm percentage

Function

The authentication mac-move quiet-user-alarm percentage command configures the upper and lower alarm thresholds for the percentage of MAC address migration users in quiet state.

The undo authentication mac-move quiet-user-alarm percentage command restores the default setting.

By default, the lower alarm threshold is 50 and upper alarm threshold is 100.

Format

authentication mac-move quiet-user-alarm percentage lower-threshold upper-threshold

undo authentication mac-move quiet-user-alarm percentage

Parameters

Parameter

Description

Value

lower-threshold

Specifies the lower alarm threshold.

The value is an integer that ranges from 1 to 100.

upper-threshold

Specifies the upper alarm threshold.

The value is an integer that ranges from 1 to 100.

The value must be greater than that of lower-threshold.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

The authentication mac-move quiet-user-alarm enable command enables the device to send alarms about MAC address migration quiet, improving the maintainability of the MAC address migration quiet function. The device sends an alarm when the number of users in the MAC address migration quiet table, expressed as a percentage of the table's maximum number of users, exceeds the configured upper alarm threshold. When that percentage falls to the lower alarm threshold or below, the device sends a clear alarm. This command sets those upper and lower alarm thresholds.

Example

# Configure the upper alarm threshold to 80 and lower alarm threshold to 40.

<HUAWEI> system-view
[HUAWEI] authentication mac-move quiet-user-alarm percentage 40 80
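A model of the quiet and alarm rules described under authentication mac-move quiet-times quiet-period and the two quiet-user-alarm commands, as an added example that is not Huawei code or part of this reference: it counts a user's migrations within the fixed 60-second window, quiets the user for quiet-period seconds once the count exceeds quiet-times, and raises or clears the occupancy alarm against the upper and lower thresholds, so threshold values can be tried against a constructed migration trace before they are configured. The quiet table capacity, the MAC addresses and the trace are constructed values, and the assumption that the migration which triggers the quiet is itself refused is the example's own.

```python
from collections import deque

WINDOW_SECONDS = 60  # the device counts migrations within a fixed 60-second window


class MacMoveQuietModel:
    """Simulates one device's MAC address migration quiet table and its alarm."""

    def __init__(self, quiet_times=3, quiet_period=0, lower_threshold=50,
                 upper_threshold=100, table_capacity=100):
        # Value ranges are the ones documented for the two commands.
        if not 1 <= quiet_times <= 10:
            raise ValueError("quiet-times must be 1..10")
        if not 0 <= quiet_period <= 3600:
            raise ValueError("quiet-period must be 0..3600 seconds")
        if not (1 <= lower_threshold < upper_threshold <= 100):
            raise ValueError("thresholds must be 1..100 with upper > lower")
        self.quiet_times = quiet_times
        self.quiet_period = quiet_period      # 0 disables the quiet function
        self.lower = lower_threshold
        self.upper = upper_threshold
        self.capacity = table_capacity        # constructed value; the real size is card-specific
        self._moves = {}                      # mac -> timestamps of migrations inside the window
        self._quiet_until = {}                # mac -> time at which the quiet entry expires
        self.alarm_raised = False
        self.events = []                      # what the quiet log and the alarm would record

    def _occupancy_percent(self):
        return len(self._quiet_until) * 100 / self.capacity

    def _check_alarm(self, now):
        pct = self._occupancy_percent()
        if not self.alarm_raised and pct > self.upper:
            self.alarm_raised = True
            self.events.append(("alarm-raise", now, pct))
        elif self.alarm_raised and pct <= self.lower:
            self.alarm_raised = False
            self.events.append(("alarm-clear", now, pct))

    def _expire_quiet_entries(self, now):
        expired = [mac for mac, until in self._quiet_until.items() if now >= until]
        for mac in expired:
            del self._quiet_until[mac]
            self.events.append(("quiet-delete", mac, now))
        if expired:
            self._check_alarm(now)

    def migrate(self, mac, now):
        """Return True if the migration attempted at time `now` is allowed, False if quieted."""
        self._expire_quiet_entries(now)
        if mac in self._quiet_until:
            return False                      # quiet period still running
        if self.quiet_period == 0:
            return True                       # quiet function disabled
        recent = self._moves.setdefault(mac, deque())
        while recent and now - recent[0] >= WINDOW_SECONDS:
            recent.popleft()                  # drop migrations older than the window
        recent.append(now)
        if len(recent) > self.quiet_times:
            # Assumption of this model: the migration that pushes the count over
            # quiet-times is itself refused and starts the quiet period.
            del self._moves[mac]
            self._quiet_until[mac] = now + self.quiet_period
            self.events.append(("quiet-add", mac, now))
            self._check_alarm(now)
            return False
        return True

    def quieted_users(self):
        return sorted(self._quiet_until)


def run_trace(model, trace):
    """Feed (time, mac) migration attempts in time order; return (time, mac, allowed) tuples."""
    return [(t, mac, model.migrate(mac, t)) for t, mac in sorted(trace)]


def demo():
    # Constructed trace: nine terminals each flap between interfaces six times
    # within six seconds (a loop-like pattern); one of them retries later.
    macs = [f"00e0-fc00-00{i:02x}" for i in range(9)]
    trace = [(t, mac) for mac in macs for t in range(6)]
    trace += [(100, macs[0]), (125, macs[0])]
    # Values from the examples above: quiet-times 5, quiet-period 120, thresholds 40/80.
    model = MacMoveQuietModel(quiet_times=5, quiet_period=120,
                              lower_threshold=40, upper_threshold=80, table_capacity=10)
    return model, run_trace(model, trace)


if __name__ == "__main__":
    model, results = demo()
    for t, mac, allowed in results:
        if not allowed:
            print(f"t={t:3d} {mac} migration refused")
    for event in model.events:
        print(event)
```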

authentication no-ip-check

Function

The authentication no-ip-check command disables the device from creating an IP hash table for client IP addresses.

The undo authentication no-ip-check command allows the device to create an IP hash table for client IP addresses.

By default, the device creates an IP hash table for client IP addresses.

Format

authentication no-ip-check

undo authentication no-ip-check

Parameters

None

Views

Authentication profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After users obtain IP addresses, the device creates an IP hash table. If the hash value of a client IP address conflicts with a value in the IP hash table on the device, the client cannot be authenticated. When two branches are connected to the device, the address pools of the branches may overlap. As a result, two clients in different branches may have the same IP address. When the device detects conflicting IP addresses, the clients fail to go online. To address this problem, you can run the authentication no-ip-check command to disable the device from creating an IP hash table for client IP addresses.

Precautions

You are advised not to configure the authentication no-ip-check command. If it is configured and two clients with the same IP address go online through the same interface, rules configured based on that IP address (such as ACL rules and static UCL groups) may match the wrong client.

This function cannot be used together with Portal authentication.

This function cannot be configured together with the ip-static-user enable command.

After this function is enabled, network access permissions are granted only to users in the ARP table.

Example

# Disable the device from creating an IP hash table for client IP addresses.

<HUAWEI> system-view
[HUAWEI] authentication-profile name test 
[HUAWEI-authen-profile-test] authentication no-ip-check

authentication no-replace dot1x

Function

The authentication no-replace dot1x command configures the device not to respond to the EAP start packets sent from users who have successfully passed MAC address authentication or Portal authentication.

The undo authentication no-replace dot1x command configures the device to respond to the EAP start packets sent from users who have successfully passed MAC address authentication or Portal authentication.

By default, the device responds to the EAP start packets sent from users who have successfully passed MAC address authentication or Portal authentication.

Format

authentication no-replace dot1x [ device-type voice ]

undo authentication no-replace dot1x [ device-type voice ]

Parameters

Parameter Description Value
device-type voice

Configures the function to be effective only for voice terminals.

When this parameter is not specified, the function is effective for all terminals.

-

Views

Authentication profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After passing MAC address authentication, some voice terminals still send EAP start packets. If the device returns response packets, the voice terminals go offline. To address this problem, you can configure the device not to respond to the EAP start packets sent from users who have successfully passed MAC address authentication or Portal authentication.

Precautions

This function is effective only for wired users.

No matter whether this function is configured, the device responds to EAP Start packets sent from 802.1X users.

Example

# Configure the device not to respond to the EAP start packets sent from users who have successfully passed MAC address authentication or Portal authentication.

<HUAWEI> system-view
[HUAWEI] authentication-profile name p1
[HUAWEI-authen-profile-p1] authentication no-replace dot1x device-type voice

authentication pre-authen-access enable

Function

The authentication pre-authen-access enable command enables the function of keeping users who fail to be authenticated and do not have any network access rights in the pre-connection state.

The undo authentication pre-authen-access enable command disables the function of keeping users who fail to be authenticated and do not have any network access rights in the pre-connection state.

By default, the device keeps users who fail to be authenticated and do not have any network access rights in the pre-connection state.

Format

authentication pre-authen-access enable

undo authentication pre-authen-access enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When a user terminal connects to an NAC-enabled interface on the device, a pre-connection is set up between the terminal and the device. If the device is not configured to grant network access rights to users in the pre-connection or authentication failure state, users who fail authentication remain in the pre-connection state by default. Because the device allows DHCP packets from pre-connection users to pass through, these users can still obtain IP addresses even though they have no network access rights, which wastes IP addresses and introduces network security risks.

You can run the undo authentication pre-authen-access enable command to disable the function of keeping users who fail to be authenticated and do not have any network access rights in the pre-connection state. This configuration ensures that the users cannot obtain IP addresses.

Precautions

This function does not take effect for users who use Portal authentication or combined authentication (including Portal authentication).

This function does not take effect for users for whom authorization information is configured based on an authentication event.

If the device connects to some terminals such as a MacBook laptop that is not authenticated after obtaining an IP address, it is recommended that you run the undo authentication pre-authen-access enable command on the device to disable the pre-connection function and then connect the terminal to the network again.

If a user in pre-connection state attempts to go online using DHCP packets containing the Option 82 field but fails to go online, it is recommended that you run the undo authentication pre-authen-access enable command on the device to disable the function of keeping users who fail to be authenticated and do not have any network access rights in the pre-connection state.

Example

# Disable the function of keeping users who fail to be authenticated and do not have any network access rights in the pre-connection state.

<HUAWEI> system-view
[HUAWEI] undo authentication pre-authen-access enable

authentication port-vlan-modify user-online

Function

The authentication port-vlan-modify user-online command enables the function of keeping users online when the port type or VLAN is changed.

The undo authentication port-vlan-modify user-online command restores the default setting.

By default, the function of keeping users online when the port type or VLAN is changed is disabled.

Format

authentication port-vlan-modify user-online

undo authentication port-vlan-modify user-online

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

After a user passes access authentication, the user's access VLAN or the type of the access interface may need to be changed through the RADIUS server. For example, VLANs can be assigned to clients through the server for network planning and deployment. After the deployment is complete, to reduce the impact of link faults and device restarts on the network and to allow rapid network restoration, you can change the user access VLAN to the authorized VLAN. Enabling the function of keeping users online when the port type or VLAN is changed lets you modify the interface or VLAN configuration without forcing these users offline.

NOTE:
Only 802.1X authentication and MAC address authentication support this command.

Example

# Enable the function of keeping users online when the port type or VLAN is changed.

<HUAWEI> system-view
[HUAWEI] authentication port-vlan-modify user-online

authentication { update-info-accounting | update-ip-accounting } * enable

Function

The authentication { update-info-accounting | update-ip-accounting } * enable command enables a device to send accounting packets for terminal information and address updating.

The undo authentication { update-info-accounting | update-ip-accounting } * enable command disables a device from sending accounting packets for terminal information and address updating.

By default, the device is enabled to send accounting packets for terminal information and address updating.

Format

authentication { update-info-accounting | update-ip-accounting } * enable

undo authentication { update-info-accounting | update-ip-accounting } * enable

Parameters

None

Views

Authentication profile view

Default Level

2: Configuration level

Usage Guidelines

By default, the device sends accounting packets for terminal information and address updating to the accounting server. Some accounting servers may not require the accounting packets. In this case, resources on the device are occupied. You can run the undo authentication { update-info-accounting | update-ip-accounting } * enable command to disable the device from sending accounting packets for terminal information and address updating, saving resources on the device. After terminal information and address updating are complete, the device sends accounting packets again and the accounting function is not affected.

  • update-info-accounting indicates that accounting packets are immediately sent during terminal information updating.

    To configure this function, the terminal type identification function must be configured simultaneously.

    After the authentication update-info-accounting enable command is configured, the device compares the terminal information it obtains (DHCP option, UA, or LLDP information) with the information saved for the user. If they are inconsistent, the device sends an accounting packet immediately the first time the changed information is received; the same information received again does not trigger another immediate accounting packet. In all other cases, the device does not send an accounting packet immediately and waits until the real-time accounting timer expires.

    After the undo authentication update-info-accounting enable command is configured, the device never sends an accounting packet immediately after obtaining terminal information and always waits until the real-time accounting timer expires.

  • update-ip-accounting indicates that accounting packets are immediately sent during address updating.

Example

# Disable a device from sending accounting packets for address updating.

<HUAWEI> system-view
[HUAWEI] authentication-profile name test 
[HUAWEI-authen-profile-test] undo authentication update-ip-accounting enable

authentication roam pre-authen mac-authen enable

Function

The authentication roam pre-authen mac-authen enable command enables MAC address authentication for roaming STAs.

The undo authentication roam pre-authen mac-authen enable command disables MAC address authentication for roaming STAs.

By default, MAC address authentication is disabled for roaming STAs.

Format

authentication roam pre-authen mac-authen enable

undo authentication roam pre-authen mac-authen enable

Parameters

None

Views

Authentication profile view

Default Level

2: Configuration level

Usage Guidelines

In versions earlier than V200R012C00, MAC address authentication is enabled for roaming STAs: a STA that connected through MAC address authentication or MAC address-prioritized Portal authentication is authenticated again by MAC address after it roams. If that MAC address authentication fails, the STA enters the pre-connection state and loses its original access permission. To prevent this problem, MAC address authentication is disabled for roaming STAs by default in V200R012C00 and later versions. You are advised to retain the default configuration.

Example

# Enable MAC address authentication for roaming STAs.

<HUAWEI> system-view
[HUAWEI] authentication-profile name test 
[HUAWEI-authen-profile-test] authentication roam pre-authen mac-authen enable

authentication single-access

Function

The authentication single-access command configures the device to allow users to access in only one authentication mode.

The undo authentication single-access command restores the default setting.

By default, the device allows users to access in different authentication modes.

Format

authentication single-access

undo authentication single-access

Parameters

None

Views

Authentication profile view

Default Level

2: Configuration level

Usage Guidelines

After hybrid authentication is configured, the device by default allows users to access in different authentication modes. You can run the authentication single-access command to disable this default function. The device then allows users to access in only one authentication mode and does not process the packets of other authentication modes.

Example

# In the authentication profile authen1, configure the device to allow users to access in only one authentication mode.

<HUAWEI> system-view
[HUAWEI] authentication-profile name authen1
[HUAWEI-authen-profile-authen1] authentication single-access

authentication single-stack-control enable

Function

The authentication single-stack-control enable command enables the single-stack authentication function.

The undo authentication single-stack-control enable command disables the single-stack authentication function.

By default, the single-stack authentication function is disabled.

NOTE:

The command takes effect only on the X series cards.

Format

authentication single-stack-control { ipv4 | ipv6 } enable

undo authentication single-stack-control enable

Parameters

Parameter Description Value
ipv4

Enables the single-stack authentication function for IPv4 traffic.

-

ipv6

Enables the single-stack authentication function for IPv6 traffic.

-

Views

Authentication profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

By default, access control is not performed separately for IPv4 or IPv6 traffic. You can run this command to configure single-stack authentication so that IPv4 or IPv6 traffic is controlled on its own.

Precautions

This function takes effect only on wired Portal users.

Example

# Enable single-stack authentication for IPv6 traffic in the authentication profile p1.

<HUAWEI> system-view
[HUAWEI] authentication-profile name p1
[HUAWEI-authen-profile-p1] authentication single-stack-control ipv6 enable

authentication speed-limit auto

Function

The authentication speed-limit auto command enables the device to dynamically adjust the rate of packets from NAC users.

The undo authentication speed-limit auto command disables the device from dynamically adjusting the rate of packets from NAC users.

By default, the device does not dynamically adjust the rate of packets from NAC users.

Format

authentication speed-limit auto

undo authentication speed-limit auto

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

When many NAC users send authentication or logout requests to the device at the same time, the CPU can become overloaded, especially when CPU or memory usage is already high (for example, above 80%). After the device is enabled to dynamically adjust the rate of packets from NAC users, it limits the number of NAC packets it accepts per second whenever CPU or memory usage is high. This reduces the load on the device CPU.

Example

# Enable the device to dynamically adjust the rate of packets from NAC users.

<HUAWEI> system-view
[HUAWEI] authentication speed-limit auto

authentication termination-action reauthenticate

Function

The authentication termination-action reauthenticate command configures the device to re-authenticate users when the time exceeds the value of Session-Timeout delivered by the RADIUS server.

The undo authentication termination-action command restores the default setting.

By default, the device is not configured to re-authenticate users when the time exceeds the value of Session-Timeout delivered by the RADIUS server.

Format

authentication termination-action reauthenticate

undo authentication termination-action

Parameters

None

Views

Authentication profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The RADIUS server uses the Session-Timeout attribute to control the remaining online time of a user, and uses the Termination-Action attribute to determine whether to re-authenticate the user when the timeout interval expires. By default, if the RADIUS server delivers Session-Timeout but no Termination-Action, the device disconnects users when the time exceeds the value of Session-Timeout. To re-authenticate users without modifying the server configuration, you can run this command to configure the device to re-authenticate users when the timeout interval expires.

Precautions

Only 802.1X authentication and MAC address authentication on Layer 2 interfaces support this function.
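
The following Python model is an added example, not Huawei code. It parses the attribute list of a RADIUS Access-Accept and applies the rule described above: Session-Timeout (attribute 27) alone leads to disconnection unless the profile has authentication termination-action reauthenticate configured, and Termination-Action (attribute 29, value 1 = RADIUS-Request per RFC 2865) requests re-authentication. The attribute payloads are constructed inline; how the device treats an explicit Termination-Action of 0 (Default) together with the command is not stated on this page, and the model assumes the attribute wins.

```python
"""Decide what the device does when a RADIUS Access-Accept carries Session-Timeout.

Added example, not Huawei code. Attribute numbers and Termination-Action values
are from RFC 2865; the "command configured" behaviour follows the text above.
"""
import struct

SESSION_TIMEOUT = 27      # RFC 2865: remaining online time in seconds
TERMINATION_ACTION = 29   # RFC 2865: 0 = Default (disconnect), 1 = RADIUS-Request (re-authenticate)
TA_DEFAULT = 0
TA_RADIUS_REQUEST = 1


def parse_avps(payload):
    """Parse RADIUS attribute-value pairs: type(1) length(1, includes header) value."""
    avps = {}
    i = 0
    while i < len(payload):
        if len(payload) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("bad attribute length %d for type %d" % (alen, atype))
        avps[atype] = payload[i + 2:i + alen]
        i += alen
    return avps


def _u32(value, name):
    if len(value) != 4:
        raise ValueError("%s must be a 4-byte integer" % name)
    return struct.unpack("!I", value)[0]


def decide_on_timeout(avps, profile_reauth):
    """Return (action, seconds); action is 'none', 'disconnect' or 'reauthenticate'.

    profile_reauth: True if 'authentication termination-action reauthenticate' is configured.
    """
    if SESSION_TIMEOUT not in avps:
        return ("none", None)
    seconds = _u32(avps[SESSION_TIMEOUT], "Session-Timeout")
    if TERMINATION_ACTION in avps:
        # Assumption: an explicit Termination-Action from the server takes precedence.
        ta = _u32(avps[TERMINATION_ACTION], "Termination-Action")
        return ("reauthenticate" if ta == TA_RADIUS_REQUEST else "disconnect", seconds)
    # Server delivered Session-Timeout only: the authentication profile decides.
    return ("reauthenticate" if profile_reauth else "disconnect", seconds)


def build_avp(atype, value):
    return bytes([atype, len(value) + 2]) + value


# Constructed Access-Accept attribute payloads (not real captures):
SAMPLE_TIMEOUT_ONLY = build_avp(SESSION_TIMEOUT, struct.pack("!I", 3600))
SAMPLE_WITH_TA = SAMPLE_TIMEOUT_ONLY + build_avp(TERMINATION_ACTION, struct.pack("!I", TA_RADIUS_REQUEST))

if __name__ == "__main__":
    for label, payload in (("Session-Timeout only", SAMPLE_TIMEOUT_ONLY),
                           ("Session-Timeout + Termination-Action", SAMPLE_WITH_TA)):
        for reauth in (False, True):
            print(label, "| command configured:", reauth, "->", decide_on_timeout(parse_avps(payload), reauth))
```

Running the block shows the one case the command changes: a server that sends Session-Timeout without Termination-Action. In every other combination the outcome is already fixed by what the server delivers, which is why the text describes the command as a way to get re-authentication without touching the server configuration.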

Example

# In authentication profile authen1, configure the device to re-authenticate users when the time exceeds the value of Session-Timeout delivered by the RADIUS server.

<HUAWEI> system-view
[HUAWEI] authentication-profile name authen1
[HUAWEI-authen-profile-authen1] authentication termination-action reauthenticate

authentication timer handshake-period

Function

The authentication timer handshake-period command sets the handshake interval of the device with pre-connection users and authorized users.

The undo authentication timer handshake-period command restores the default setting.

The default handshake interval of the device with pre-connection users and authorized users is 300 seconds.

Format

authentication timer handshake-period handshake-period

undo authentication timer handshake-period

Parameters

Parameter

Description

Value

handshake-period

Specifies the handshake interval.

The value is an integer that ranges from 5 to 7200, in seconds.

Views

Authentication profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After enabling the handshake with pre-connection users and authorized users using the authentication handshake command, you can run this command to set the handshake interval. If a user does not respond to the handshake request from the device within the handshake interval, the device deletes the user entry.

Precautions

  • This command only applies to MAC address authentication, Layer 3 Portal authentication, and 802.1X authentication.

  • For Layer 3 Portal authentication users, only those who go online through X series cards support this function.

  • This function takes effect only for wired users. For wired users who do not obtain IP addresses within 30 minutes, traffic detection is performed (the detection process is described in the following precautions). If user traffic passes through the device, the user is considered online; if no traffic passes through the device, the user goes offline.

  • This function takes effect only for users who go online after this function is successfully configured.

  • The handshake function is implemented using ARP probe packets or neighbor discovery (ND) probe packets.

  • The handshake function can also be implemented by detecting whether user traffic is present on the access device. Assuming that the handshake interval is 3n, the device checks for user traffic at n, 2n, and 3n. The following uses the 0-n period as an example; the n-2n period is handled in the same way.
    • If user traffic passes the device during the 0-n period, the device considers that the user is online at n, so it will not send a probe packet to the user, but resets the handshake interval.
    • If no user traffic passes the device during the 0-n period, the device cannot determine whether the user is online at n, so it sends a probe packet to the user. If the device receives the reply packet from the user, it considers the user online and resets the handshake interval. If no reply packet is received, it considers the user offline.
    • If user traffic passes the device during the 2n-3n period, the device considers that the user is online at 3n and resets the handshake interval.
    • If no user traffic passes the device during the 2n-3n period, the device cannot determine whether the user is online at 3n and considers that the user is offline.
    If the device considers that the user is offline at n, 2n, and 3n, the device deletes all entries related to the user. To prevent the user from going offline unexpectedly when no operation is performed on the PC, do not set a short handshake period.
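
The following Python model is an added example, not Huawei code; it reproduces only the checkpoint rules listed above so that the effect of a short handshake period can be seen on constructed inputs. The handshake period is split into three sub-intervals of n seconds; at n and 2n a silent user is probed, at 3n it is not, and three consecutive offline verdicts delete the entry. The traffic timestamps and the hosts' willingness to answer ARP/ND probes are constructed assumptions.

```python
"""Model of the handshake / traffic-detection cycle described above.

Added example, not Huawei code. Rules as in the text: a period of 3n seconds is
checked at n, 2n and 3n; traffic in the previous sub-interval keeps the user
online and restarts the cycle; with no traffic, a probe is sent at n and 2n only;
three consecutive 'offline' verdicts delete the user entry.
"""
from dataclasses import dataclass, field


@dataclass
class UserEntry:
    name: str
    answers_probes: bool          # does the host reply to ARP/ND probes (e.g. not blocked by a host firewall)?
    strikes: int = 0              # consecutive 'offline' verdicts
    history: list = field(default_factory=list)


def run_handshake(user, handshake_period, traffic_times, horizon):
    """Simulate checkpoints over [0, horizon] seconds.

    traffic_times: constructed list of seconds at which the host sent traffic through the device.
    Returns the time at which the entry is deleted, or None if the user stays online.
    """
    n = handshake_period // 3            # the text assumes the period is a multiple of three
    window_start = 0
    for check in range(n, horizon + 1, n):
        saw_traffic = any(window_start < t <= check for t in traffic_times)
        if saw_traffic:
            user.strikes = 0
            verdict = "online: traffic seen"
        elif user.strikes < 2 and user.answers_probes:
            # Only the first two checkpoints of a cycle fall back to a probe packet.
            user.strikes = 0
            verdict = "online: probe answered"
        else:
            user.strikes += 1
            verdict = "offline: probe unanswered" if user.strikes <= 2 else "offline: no probe at 3n"
        user.history.append((check, verdict))
        if user.strikes == 3:
            return check                 # all entries related to the user are deleted here
        window_start = check
    return None


if __name__ == "__main__":
    scenarios = (("idle, drops ARP", False, []), ("idle, answers ARP", True, []), ("one burst at 150 s", False, [150]))
    for name, answers, traffic in scenarios:
        user = UserEntry(name, answers)
        deleted = run_handshake(user, 300, traffic, 900)
        print("%-20s deleted at %s  %s" % (name, deleted, user.history))
```

With the default 300-second period an idle host that drops ARP is removed after 300 seconds, whereas the same host survives a single burst of traffic only until the next full cycle passes without it. Setting the period to its minimum shortens that window to the same three checkpoints a few seconds apart, which is the unexpected-offline behaviour the precaution warns about.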

Example

# In the authentication profile p1, set the handshake interval of the device with pre-connection users and authorized users to 200 seconds.

<HUAWEI> system-view
[HUAWEI] authentication-profile name p1
[HUAWEI-authen-profile-p1] authentication timer handshake-period 200

authentication timer authen-fail-aging

Function

The authentication timer authen-fail-aging command configures the aging time for entries of the users who fail to be authenticated.

The undo authentication timer authen-fail-aging command restores the default aging time for entries of the users who fail to be authenticated.

By default, the aging time for entries of the users who fail to be authenticated is 23 hours.

Format

authentication timer authen-fail-aging aging-time

undo authentication timer authen-fail-aging

Parameters

Parameter Description Value
aging-time

Specifies the aging time.

The value is 0 or an integer that ranges from 60 to 4294860, in seconds.

The value 0 indicates that the entry does not age.

Views

Authentication profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After network access policies are configured for users who fail to be authenticated, the device creates entries for these users. If the user still fails to be authenticated when the user aging time expires, the user entry is deleted.

The entries of users who fail to be authenticated share device resources with the entries of authenticated users. If too many such entries exist, other users cannot be authenticated. To solve this problem, run the authentication timer authen-fail-aging command to reduce the aging time for entries of users who fail to be authenticated. You can also run this command to decrease the aging time if the period during which these users keep their network access policies needs to be shortened.

Precautions

This function takes effect only for users who go online after this function is successfully configured.

Example

# In the authentication profile p1, configure the aging time for entries of the users who fail to be authenticated to 3600 seconds.

<HUAWEI> system-view
[HUAWEI] authentication-profile name p1
[HUAWEI-authen-profile-p1] authentication timer authen-fail-aging 3600

authentication timer authorize-keep-aging

Function

The authentication timer authorize-keep-aging command configures the aging time for entries of online users that retain original network access rights.

The undo authentication timer authorize-keep-aging command restores the default setting.

By default, the aging time for entries of online users that retain the original network access rights is 0. That is, these entries are not aged out by default.

Format

authentication timer authorize-keep-aging aging-time

undo authentication timer authorize-keep-aging

Parameters

Parameter Description Value
aging-time

Specifies the aging time.

The value is 0 or an integer that ranges from 60 to 4294860, in seconds.

Views

Authentication profile view

Default Level

2: Configuration level

Usage Guidelines

After the authentication event action authorize keep command is run, if the authentication server is Down or does not respond, online users retain the original network access rights. In this case, the device creates entries for the online users that retain the original network access rights. If the authentication server is always Down or does not respond, these users always retain the original network access rights. To prevent this problem, run the authentication timer authorize-keep-aging command to adjust the aging time of these online user entries. When the aging time expires, these online users are logged out.

Example

# Set the aging time for entries of online users that retain the original network access rights to 600s.

<HUAWEI> system-view
[HUAWEI] authentication-profile name p1
[HUAWEI-authen-profile-p1] authentication timer authorize-keep-aging 600

authentication timer pre-authen-aging

Function

The authentication timer pre-authen-aging command configures the aging time for pre-connection user entries.

The undo authentication timer pre-authen-aging command restores the default aging time for pre-connection user entries.

By default, the aging time for pre-connection user entries is 23 hours.

Format

authentication timer pre-authen-aging aging-time

undo authentication timer pre-authen-aging

Parameters

Parameter Description Value
aging-time

Specifies the aging time.

The value is 0 or an integer that ranges from 60 to 4294860, in seconds.

The value 0 indicates that the entry does not age.

Views

Authentication profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When a pre-connection is established between the device and a user, the device creates the pre-connection user entry. If the user still fails to be authenticated when the user aging time expires, the user entry is deleted.

Pre-connection user entries share device resources with the entries of authenticated users. If too many pre-connection user entries exist, other users cannot be authenticated. To solve this problem, run the authentication timer pre-authen-aging command to reduce the aging time for pre-connection user entries. You can also run this command to increase the aging time if the period during which pre-connection users keep their network access policies needs to be extended.

Precautions

This function takes effect only for users who go online after this function is successfully configured.

Example

# In the authentication profile p1, configure the aging time for the pre-connection user entries to 3600 seconds.

<HUAWEI> system-view
[HUAWEI] authentication-profile name p1
[HUAWEI-authen-profile-p1] authentication timer pre-authen-aging 3600

authentication timer re-authen

Function

The authentication timer re-authen command configures the interval for re-authenticating pre-connection users or users who fail to be authenticated.

The undo authentication timer re-authen command restores the default setting.

By default, pre-connection users and users who fail to be authenticated are re-authenticated at an interval of 60 seconds.

Format

authentication timer re-authen { pre-authen re-authen-time | authen-fail re-authen-time }

undo authentication timer re-authen { pre-authen | authen-fail }

Parameters

Parameter Description Value
pre-authen re-authen-time

Specifies the interval for re-authenticating pre-connection users.

The value is 0 or an integer that ranges from 30 to 7200, in seconds.

The value 0 indicates that the re-authentication function is disabled for pre-connection users.

authen-fail re-authen-time

Specifies the interval for re-authenticating users who fail to be authenticated.

The value is 0 or an integer that ranges from 30 to 7200, in seconds.

The value 0 indicates that the re-authentication function is disabled for users who fail to be authenticated.

Views

Authentication profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The device creates the mapping user entries when network access policies are assigned to users who are in the pre-connection phase or fail authentication. To enable users to pass authentication in real time, the device periodically re-authenticates the users who are in the pre-connection phase or fail authentication according to the user entries. The administrator can adjust the re-authentication interval based on the actual network requirements.

Precautions

This command only applies to 802.1X authentication and MAC address authentication.

This function takes effect only for users who go online after this function is successfully configured.

The device cannot re-authenticate wireless users who are in the pre-connection phase or fail authentication. Therefore, the authentication timer re-authen command does not apply to wireless users.

To reduce the impact on the device performance when many users exist, the user re-authentication interval may be longer than the configured re-authentication interval.

If a static user configured with 802.1X authentication enters the pre-connection status after failing the authentication, 802.1X authentication is then performed. During the 802.1X authentication, the pre-authen re-authen-time timer does not take effect. If the 802.1X authentication also fails, the pre-authen re-authen-time timer takes effect, and re-authentication is triggered according to this timer.

Example

# In the authentication profile authen1, set the interval for re-authenticating users who fail to be authenticated to 300 seconds.

<HUAWEI> system-view
[HUAWEI] authentication-profile name authen1
[HUAWEI-authen-profile-authen1] authentication timer re-authen authen-fail 300

authentication trigger-condition (802.1X authentication)

Function

The authentication trigger-condition command configures the packet types that can trigger 802.1X authentication.

The undo authentication trigger-condition command restores the default configuration.

By default, DHCP/ARP/DHCPv6/ND packets can trigger 802.1X authentication.

Format

authentication trigger-condition { dhcp | arp | dhcpv6 | nd | any-l2-packet } *

undo authentication trigger-condition [ dhcp | arp | dhcpv6 | nd | any-l2-packet ] *

Parameters

Parameter Description Value
dhcp

Triggers 802.1X authentication through DHCP packets.

-

arp

Triggers 802.1X authentication through ARP packets.

-

dhcpv6

Triggers 802.1X authentication through DHCPv6 packets.

-

nd

Triggers 802.1X authentication through ND packets.

-

any-l2-packet

Triggers 802.1X authentication through any packets.

-

Views

802.1X access profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After 802.1X authentication is enabled, the device by default triggers 802.1X authentication for a user when it receives DHCP, ARP, DHCPv6, or ND packets from that user. Based on the user information on the actual network, the administrator can adjust the packet types that trigger 802.1X authentication. For example, if all users on a network dynamically obtain IPv4 addresses, the device can be configured to trigger 802.1X authentication only through DHCP packets. This prevents the device from continuously using ARP packets to trigger 802.1X authentication when static IPv4 addresses are configured for unauthorized users on the network, and reduces device CPU usage.

If a static IPv4 address is configured for a client, 802.1X authentication cannot be triggered because the client does not exchange DHCP or ARP packets with the device. You can run the authentication trigger-condition any-l2-packet command to trigger 802.1X authentication through any packets. Because any unauthorized host can then create a user entry simply by sending a frame, you are advised, when configuring this function on the access device, to also run the authentication mode max-user max-user-number command in the authentication profile view to limit the number of access users allowed on an interface. The recommended value is 10.

Precautions

This function takes effect only for users who go online after this function is successfully configured.

To allow BPDUs to trigger 802.1X authentication, you must enable the function corresponding to the BPDUs globally. For example, to allow LLDPDUs to trigger 802.1X authentication, run the lldp enable (system view) command to enable LLDP globally.

The function does not take effect when multiple authentication modes are used together.

When any-l2-packet is configured and 802.1X authentication is enabled on an interface, EAP packets sent from a client trigger 802.1X authentication first.

When MAC address authentication and 802.1X authentication are both enabled on an interface, packets that can trigger authentication include all the packet types that can trigger authentication in the MAC access profile and 802.1X access profile. For example, assume that ARP packets in the MAC access profile are unable to trigger authentication and ARP packets in the 802.1X access profile can trigger authentication. If MAC address authentication and 802.1X authentication are both enabled on an interface, ARP packets can trigger MAC address authentication.

Example

# In the 802.1X access profile d1, configure the device to use DHCP packets to trigger 802.1X authentication.

<HUAWEI> system-view
[HUAWEI] dot1x-access-profile name d1
[HUAWEI-dot1x-access-profile-d1] authentication trigger-condition dhcp

authentication trigger-condition (MAC address authentication)

Function

The authentication trigger-condition command configures the packet types that can trigger MAC address authentication.

The undo authentication trigger-condition command restores the default configuration.

By default, DHCP/ARP/DHCPv6/ND packets can trigger MAC address authentication.

Format

authentication trigger-condition { dhcp | arp | dhcpv6 | nd | any-l2-packet } *

undo authentication trigger-condition [ dhcp | arp | dhcpv6 | nd | any-l2-packet ] *

Parameters

Parameter Description Value
dhcp

Triggers MAC address authentication through DHCP packets.

-

arp

Triggers MAC address authentication through ARP packets.

-

dhcpv6

Triggers MAC address authentication through DHCPv6 packets.

-

nd

Triggers MAC address authentication through ND packets.

-

any-l2-packet

Triggers MAC address authentication through any packets.

-

Views

MAC access profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After MAC address authentication is enabled, the device by default triggers MAC address authentication for a user when it receives DHCP, ARP, DHCPv6, or ND packets from that user. Based on the user information on the actual network, the administrator can adjust the packet types that trigger MAC address authentication. For example, if all users on a network dynamically obtain IPv4 addresses, the device can be configured to trigger MAC address authentication only through DHCP packets. This prevents the device from continuously using ARP packets to trigger MAC address authentication when static IPv4 addresses are configured for unauthorized users on the network, and reduces device CPU usage.

If a static IPv4 address is configured for a client, MAC address authentication cannot be triggered because the client does not exchange DHCP or ARP packets with the device. You can run the authentication trigger-condition any-l2-packet command to trigger MAC address authentication through any packets. Because any unauthorized host can then create a user entry simply by sending a frame, you are advised, when configuring this function on the access device, to also run the authentication mode max-user max-user-number command in the authentication profile view to limit the number of access users allowed on an interface. The recommended value is 10.

Precautions

  • MAC address authentication configured on a VLANIF interface can only be triggered by ARP packets.

  • This function takes effect only for users who go online after this function is successfully configured.

  • Note the following situation. A device is configured to trigger MAC address authentication through DHCP packets, and DHCP options are used as the user names for MAC address authentication (for the configuration of user names in MAC address authentication, see mac-authen username). If the authentication server delivers the Huawei extended RADIUS attribute HW-Forwarding-VLAN (No. 26-161) to the device, the user packets must carry double VLAN tags and the outer VLAN ID must differ from the HW-Forwarding-VLAN ID; otherwise, the delivered attribute cannot take effect.

  • Only wired users support MAC address authentication triggered by DHCP/ARP/DHCPv6/ND/any packets. For wireless users, MAC address authentication is triggered by association packets.

  • After the authentication trigger-condition { dhcp | dhcpv6 | nd } * command is run, static users cannot go online.

  • To allow BPDUs to trigger MAC address authentication, you must enable the function corresponding to the BPDUs globally. For example, to allow LLDPDUs to trigger MAC address authentication, run the lldp enable (system view) command to enable LLDP globally.
  • In a policy association scenario, MAC address authentication can only be triggered by DHCP or ARP packets.

  • The function does not take effect when multiple authentication modes are used together.
  • When MAC address authentication is performed for IP phones and the authentication trigger-condition any-l2-packet command is run to configure the device to trigger MAC address authentication through any packets, run the authentication mac-move enable command to configure MAC address migration and run the authentication mac-move detect enable command to configure the device to detect users' online status before MAC address migration.
  • When any-l2-packet is configured and 802.1X authentication is enabled on an interface, EAP packets sent from a client trigger 802.1X authentication first.
  • When MAC address authentication and 802.1X authentication are both enabled on an interface, packets that can trigger authentication include all the packet types that can trigger authentication in the MAC access profile and 802.1X access profile. For example, assume that ARP packets in the MAC access profile are unable to trigger authentication and ARP packets in the 802.1X access profile can trigger authentication. If MAC address authentication and 802.1X authentication are both enabled on an interface, ARP packets can trigger MAC address authentication.

Example

# In the MAC access profile m1, configure the device to trigger MAC address authentication only through ARP packets.

<HUAWEI> system-view
[HUAWEI] mac-access-profile name m1
[HUAWEI-mac-access-profile-m1] authentication trigger-condition arp

authentication trigger-condition dhcp dhcp-option

Function

The authentication trigger-condition dhcp dhcp-option command enables the device to send DHCP option information to the authentication server when triggering MAC address authentication through DHCP packets.

The undo authentication trigger-condition dhcp dhcp-option command restores the default configuration.

By default, the device does not send DHCP option information to the authentication server when triggering MAC address authentication through DHCP packets.

Format

authentication trigger-condition dhcp dhcp-option option-code

undo authentication trigger-condition dhcp dhcp-option option-code

Parameters

Parameter

Description

Value

option-code

Specifies the option that the device sends to the authentication server.

The value is fixed as 82.

Views

MAC access profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Option82 records information about DHCP user locations and services (voice and data services). After this command is run, if the device can trigger MAC address authentication through DHCP packets, it sends Option82 information to the authentication server when triggering MAC address authentication through DHCP packets. Based on the user information recorded in Option82, the authentication server then assigns different network access rights to users with different services in different locations. This implements accurate control on the network access rights of each user.

Precautions

  • MAC address authentication users who go online through VLANIF interfaces do not support this function.

  • This function takes effect only for users who go online after this function is successfully configured.

  • Only wired users support MAC address authentication triggered by DHCP/ARP/DHCPv6/ND/any packets. For wireless users, MAC address authentication is triggered by association packets.

Example

# In the MAC access profile m1, enable the device to send Option82 information to the authentication server when triggering MAC address authentication through DHCP packets.

<HUAWEI> system-view
[HUAWEI] mac-access-profile name m1
[HUAWEI-mac-access-profile-m1] authentication trigger-condition dhcp dhcp-option 82

authentication unified-mode

Function

The authentication unified-mode command switches the NAC mode to unified mode.

The undo authentication unified-mode command switches the NAC mode to common mode.

By default, the unified NAC configuration mode is used.

Format

authentication unified-mode

undo authentication unified-mode

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Compared with the common mode, the unified mode uses a modular configuration, making the configuration clearer and the configuration model easier to understand.

Considering advantages of the unified mode, you are advised to deploy NAC in unified mode. You can run the authentication unified-mode command to switch the NAC mode to unified mode.

Precautions

  • After the device is switched between common mode and unified mode, it automatically restarts, causing service interruption.
  • In V200R008C00, some NAC commands do not differentiate the common and unified modes. Their formats and views remain unchanged when the device is switched from one mode to the other. After a device is switched from common mode in V200R008C00 or a later version to unified mode in V200R009C00 or a later version, these NAC commands can be converted to the unified mode.
  • In the unified mode, only the commands of the common mode are unavailable; in the common mode, only the commands of the unified mode are unavailable. In addition, after the configuration mode is switched, the commands supported by both the common mode and unified mode still take effect.

Example

# Switch the NAC mode to unified mode.

<HUAWEI> system-view
[HUAWEI] authentication unified-mode

authentication user-alarm percentage

Function

The authentication user-alarm percentage command sets alarm thresholds for the percentage of successfully authenticated NAC users.

The undo authentication user-alarm command restores the default alarm thresholds for the percentage of successfully authenticated NAC users.

By default, the lower alarm threshold for the percentage of successfully authenticated NAC users is 50, and the upper alarm threshold is 100.

Format

authentication user-alarm percentage percent-lower-value percent-upper-value

undo authentication user-alarm

Parameters

Parameter Description Value
percent-lower-value

Specifies the lower alarm threshold for the percentage of successfully authenticated NAC users.

The value is an integer in the range from 1 to 100.

percent-upper-value

Specifies the upper alarm threshold for the percentage of successfully authenticated NAC users.

The value is an integer in the range from 1 to 100, and must be greater than or equal to the lower alarm threshold.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

When the number of successfully authenticated NAC users reaches a specified percentage, the device generates an alarm. You can run the authentication user-alarm percentage command to set the upper and lower alarm thresholds for this percentage.

When the percentage of successfully authenticated NAC users against the maximum number of users allowed by the device is greater than or equal to the upper alarm threshold, the device generates an alarm. When this percentage reaches or falls below the lower alarm threshold, the device generates a clear alarm.
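The set/clear behaviour described above, as an added Python model that is not Huawei code: an alarm is raised once the percentage reaches the upper threshold and is cleared only when it falls back to the lower threshold, so nothing happens while the percentage sits between the two. The user counts and the maximum user count are constructed for the example.

```python
from typing import List, Optional, Sequence, Tuple


class AuthUserAlarm:
    """Tracks the alarm state for the percentage of successfully authenticated
    NAC users against the maximum number of users the device allows."""

    def __init__(self, lower: int = 50, upper: int = 100, max_users: int = 1000):
        # Same constraints as the command: 1..100, lower <= upper.
        if not (1 <= lower <= upper <= 100):
            raise ValueError("need 1 <= lower <= upper <= 100")
        if max_users <= 0:
            raise ValueError("max_users must be positive")
        self.lower, self.upper, self.max_users = lower, upper, max_users
        self.active = False  # True while the alarm is raised and not yet cleared

    def update(self, online: int) -> Optional[str]:
        """Feed the current number of successfully authenticated NAC users.
        Returns "ALARM" when the alarm is raised, "CLEAR" when the clear alarm
        is generated, or None when the state does not change."""
        pct = online * 100 / self.max_users
        if not self.active and pct >= self.upper:
            self.active = True
            return "ALARM"
        if self.active and pct <= self.lower:
            self.active = False
            return "CLEAR"
        return None  # below upper and not yet raised, or raised and still above lower


def run_sequence(counts: Sequence[int], lower: int = 30, upper: int = 80,
                 max_users: int = 100) -> List[Tuple[int, Optional[str]]]:
    """Replay a series of online-user counts and record the event at each step."""
    alarm = AuthUserAlarm(lower, upper, max_users)
    return [(n, alarm.update(n)) for n in counts]


if __name__ == "__main__":
    # Constructed sequence using the thresholds from the page's example (30, 80)
    # and an assumed maximum of 100 users.
    for count, event in run_sequence([10, 50, 80, 95, 60, 35, 30, 85]):
        print(f"{count:3d} users -> {event or '-'}")
```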

Example

# Set the lower and upper alarm thresholds for the percentage of successfully authenticated NAC users to 30 and 80, respectively.

<HUAWEI> system-view
[HUAWEI] authentication user-alarm percentage 30 80

authentication wlan-max-user

Function

The authentication wlan-max-user command configures the maximum number of authenticated users allowed on a VAP.

The undo authentication wlan-max-user command restores the default setting.

By default, a maximum of 128 authenticated users are allowed on a VAP.

Format

authentication wlan-max-user max-user-number

undo authentication wlan-max-user

Parameters

Parameter

Description

Value

max-user-number

Specifies the maximum number of users.

The value is an integer that ranges from 1 to 128.

Views

Authentication profile view

Default Level

2: Configuration level

Usage Guidelines

To ensure high-quality network access services for online users in high-density wireless access scenarios, the administrator needs to limit the number of authenticated users to prevent excess access users from degrading user experience. The administrator can run the authentication wlan-max-user command to limit the number of access users allowed on a VAP of a single AP.
NOTE:

This function takes effect only when the authentication profile is bound to the VAP profile.

Example

# In the authentication profile authen1, set the maximum number of allowed authenticated users to 100 on a VAP.

<HUAWEI> system-view
[HUAWEI] authentication-profile name authen1
[HUAWEI-authen-profile-authen1] authentication wlan-max-user 100

authentication-profile (Interface view or VAP profile view)

Function

The authentication-profile command applies an authentication profile to the interface or VAP profile.

The undo authentication-profile command restores the default setting.

By default, no authentication profile is applied to the interface or VAP profile.

Format

authentication-profile authentication-profile-name

undo authentication-profile

Parameters

Parameter

Description

Value

authentication-profile-name

Specifies the name of an authentication profile.

The value must be an existing authentication profile name.

Views

Interface view, or VAP profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An authentication profile uniformly manages NAC configuration. The authentication profile is bound to the interface or VAP profile view to enable NAC, implementing access control on the users in the interface or VAP profile. The authentication type of the users in the interface or VAP profile is determined by the access profile bound to the authentication profile.

Prerequisites

An authentication profile has been created using the authentication-profile (system view) command in the system view.

Precautions
When configuring NAC, pay attention to the following points:
  • VLANIF interfaces, GE interfaces, XGE interfaces, 40GE interfaces, 100GE interfaces, Eth-Trunks, port groups, and VAP profiles support NAC. The support for NAC on different interfaces is as follows:
    • Only Layer 2 interfaces support 802.1X authentication.
    • Layer 2 interfaces and VLANIF interfaces support MAC address authentication.
    • The support for Portal authentication varies depending on the interface type: routed main interfaces support only Layer 3 Portal authentication, Layer 2 interfaces support only Layer 2 Portal authentication, and VLANIF interfaces support both Layer 2 and Layer 3 Portal authentication.

    • The VLANIF interface corresponding to the super VLAN does not support Portal authentication.
  • For the access of wireless users through APs, ensure that the APs can be authenticated (for example, adding the APs to static users) when NAC authentication is deployed for users. Otherwise, the wireless users cannot be authenticated.
  • NAC authentication cannot be enabled both on a Layer 2 Ethernet interface and the VLANIF interface mapping the VLAN of the Ethernet interface. Otherwise, the users have no network access rights after connecting to the network. (The users who are connected through the X series cards can obtain network access rights; those connected through other boards cannot obtain network access rights.) In addition, NAC authentication cannot be enabled both on WLAN-ESS and VLANIF interfaces in wireless scenarios.

  • After enabling NAC on an interface, you cannot run the following commands on the interface. Similarly, after running the following commands on an interface, you cannot enable NAC on the interface.

    Command

    Function

    mac-limit

    Sets the maximum number of MAC addresses that can be learned by an interface.

    mac-address learning disable

    Disables MAC address learning on an interface.

    port link-type dot1q-tunnel

    Sets the link type of an interface to QinQ.

    port vlan-mapping vlan map-vlan

    port vlan-mapping vlan inner-vlan

    Configures VLAN mapping on an interface.

    port vlan-stacking

    Configures selective QinQ.

    mac-vlan enable

    Enables MAC address-based VLAN assignment on an interface.

    ip-subnet-vlan enable

    Enables IP subnet-based VLAN assignment on an interface.

    user-bind ip sticky-mac

    Enables the device to generate snooping MAC entries.

    NOTE:

    This command conflicts with only 802.1X authentication and MAC address authentication.
  • After the encapsulation mode of packets allowed to pass a Layer 2 sub-interface is set to default using the encapsulation (Layer 2 sub-interface view) command, NAC cannot be configured on the main interface of the Layer 2 sub-interface.
  • After NAC is configured on the main interface, the bridge-domain (Layer 2 sub-interface view) command cannot be executed on its Layer 2 sub-interface to associate with BDs. Similarly, NAC cannot be executed on the main interface if the bridge-domain (Layer 2 sub-interface view) command is configured on its Layer 2 sub-interface to associate with BDs.

Example

# Apply the authentication profile m1 to VLANIF10.

<HUAWEI> system-view
[HUAWEI] authentication-profile name m1
[HUAWEI-authen-profile-m1] quit
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] authentication-profile m1

authentication-profile (system view)

Function

The authentication-profile command creates an authentication profile and displays the authentication profile view.

The undo authentication-profile command deletes the authentication profile.

By default, the device has six built-in authentication profiles: default_authen_profile, dot1x_authen_profile, mac_authen_profile, portal_authen_profile, dot1xmac_authen_profile, and multi_authen_profile.

Format

authentication-profile name authentication-profile-name

undo authentication-profile name authentication-profile-name

Parameters

Parameter

Description

Value

name authentication-profile-name

Specifies the name of an authentication profile.

The value is a string of 1-31 case-sensitive characters, which cannot be configured to - and --. It cannot contain spaces and the following symbols: / \ : * ? " < > | @ ' %.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

NAC can implement access control on users. The device uses authentication profiles to uniformly manage NAC configuration so that users can easily configure NAC functions. The parameters (for example, the bound access profile and authentication type) in the authentication profile can be configured to provide various access control modes for different users. After the configuration is complete, the authentication profile is applied to the interface or VAP profile to enable NAC.

Follow-up Procedure

  1. Configuring authentication profiles: Configure the access profile, and authorization information in the authentication profiles.
  2. Applying authentication profiles: Run the authentication-profile (Interface view or VAP profile view) command to apply the authentication profiles to the interface or VAP profile.

Precautions

  • The built-in authentication profile default_authen_profile and the compatibility profile converted after an upgrade are not counted in the configuration specification. The six built-in authentication profiles (default_authen_profile, dot1x_authen_profile, mac_authen_profile, portal_authen_profile, dot1xmac_authen_profile, and multi_authen_profile) can be modified and applied, but cannot be deleted.
  • Before deleting an authentication profile, ensure that this profile is not bound to any interface or VAP profile. You can run the display authentication-profile configuration command to check whether the authentication profile is bound to an interface or VAP profile.

Example

# Create the authentication profile named mac_authen_profile1.

<HUAWEI> system-view
[HUAWEI] authentication-profile name mac_authen_profile1

band-width share-mode

Function

The band-width share-mode command enables the bandwidth share mode.

The undo band-width share-mode command restores the default configuration.

By default, the bandwidth share mode is disabled.

Format

band-width share-mode

undo band-width share-mode

Parameters

None

Views

System view, AAA domain view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

On a home network, all family members go online using the same account. To improve service experience of family members, you can enable the bandwidth share mode so that all members can share the bandwidth.

Precautions

  • This function is not supported in the direct forwarding mode of wireless traffic.
  • If several users are connected through Eth-Trunk member interfaces that reside on the same LPU, these users share the bandwidth of the LPU. If users are connected through Eth-Trunk member interfaces that reside on different LPUs, the rate of each user's traffic depends on the CAR value of the corresponding LPU.
  • If this command is run in the system view, it takes effect for all new online users who connect to the device. If this command is run in the AAA domain view, it takes effect only for new online users in the domain.
  • If the local or remote RADIUS server does not assign CAR settings to the users who will go online or to the online users, the share mode does not take effect for these users.

  • If the bandwidth share mode is enabled and different users use the same account for authentication, the users going online with no CAR settings assigned will not be affected when CAR settings are assigned to the users who go online later.

Example

# Enable the bandwidth share mode in the system view.

<HUAWEI> system-view
[HUAWEI] band-width share-mode

# Enable the bandwidth share mode in the AAA domain view.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] domain huawei
[HUAWEI-aaa-domain-huawei] band-width share-mode

cut access-user ucl-group

Function

The cut access-user ucl-group command forces UCL group users offline.

Format

cut access-user ucl-group { group-index | name group-name }

Parameters

Parameter

Description

Value

group-index

Specifies the index of a UCL group.

The UCL group must exist.

name group-name

Specifies the name of a UCL group.

The UCL group must exist.

Views

AAA view

Default Level

3: Management level

Usage Guidelines

After a user goes online, if you want to modify the user's network access rights or detect that the user is unauthorized, run this command to force the user offline.

Example

# Force UCL group users offline.

<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] cut access-user ucl-group name huawei

device-type

Function

The device-type command sets a terminal type identifier.

The undo device-type command deletes a terminal type identifier that has been set.

By default, no terminal type identifier exists in the system.

Format

device-type device-name

undo device-type

Parameters

Parameter

Description

Value

device-name

Specifies a terminal type identifier.

The value is a string of 1 to 31 case-sensitive characters without spaces. The value cannot be - or --, and cannot contain ?, ', ".

Views

Terminal type identification profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After a terminal type identifier is configured in a terminal type identification profile, the terminal type can be identified in the profile. Assume that the terminal type identifier is set to huawei. If the MAC address, UA, or DHCP Option information that an AC receives from a terminal matches the identification rule configured in the terminal type profile, the terminal type is huawei. This helps administrators to perform access control and rights management for the terminal based on the identified terminal type.

Precautions

The device-type command is cyclic in nature: if it is run multiple times in the same profile, only the latest configuration takes effect.

Example

# In the terminal type identification profile huawei, configure the terminal type identifier huawei_1.

<HUAWEI> system-view
[HUAWEI] device-profile profile-name huawei
[HUAWEI-device-profile-huawei] device-type huawei_1

device-profile

Function

The device-profile command creates a terminal type identification profile and enters the terminal type identification profile view, or directly enters the view of a terminal type identification profile that has already been created.

The undo device-profile command deletes a terminal type identification profile that has been created.

By default, no terminal type identification profile is created.

NOTE:

The terminal type identification function takes effect only for wireless access users.

The AP3010DN-AGN does not support terminal type identification.

Format

device-profile profile-name profile-name

undo device-profile { all | profile-name profile-name }

Parameters

Parameter

Description

Value

profile-name profile-name

Specifies the name of a terminal type identification profile.

The value is a string of 1 to 31 case-sensitive characters. It cannot contain spaces or any of the following characters: / \ : * ? " < > | @ ' %. The value cannot be - or --.

all

Deletes all terminal type identification profiles.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

With the development of the Internet, many enterprises allow employees to wirelessly access the enterprise intranet using their own intelligent devices such as cellphones, tablets, and laptops, which satisfies employees' pursuit of new technology and desire to be unique, and improves their efficiency as well. This is called Bring Your Own Device (BYOD). However, access to the enterprise intranet through PCs may cause potential security risks, and traditional security technology based on user identity authentication and authorization can no longer guarantee network security. It is against this background that terminal type identification technology emerged. With this technology, the types of devices that employees use to access the intranet can be identified, facilitating access control. During the implementation of BYOD, administrators can limit intranet access rights to specified types of mobile devices and perform authentication and authorization based on users, device types, access time, access points, and environment information about the devices.

A terminal type identification profile is configured with terminal types that can be identified by devices, and identification rules. With the configured identification rules, the types of devices using which employees access the intranet can be identified, helping administrators to control employees' access rights.

Example

# Create a terminal type identification profile named huawei.

<HUAWEI> system-view
[HUAWEI] device-profile profile-name huawei

device-sensor dhcp option

Function

The device-sensor dhcp option command enables the DHCP-based terminal type awareness function.

The undo device-sensor dhcp option command disables the DHCP-based terminal type awareness function.

By default, the DHCP-based terminal type awareness function is disabled.

Format

device-sensor dhcp option option-code &<1-6>

undo device-sensor dhcp option option-code &<1-6>

Parameters

Parameter

Description

Value

option-code

Specifies the DHCP option field that the device needs to resolve.

The option fields in a DHCP packet carry the control information and parameters, for example, terminal type.

The value is an integer that ranges from 1 to 254.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A device usually connects to many types of terminals. You may need to assign different network access rights or packet processing priorities to the terminals of different types. For example, the voice devices, such as IP phones, should be assigned a high packet processing priority because voice signals require low delay and jitter.

After the DHCP-based terminal type awareness function is enabled, the device can resolve the option fields that carry terminal type information in the received DHCP Request packets. The device then sends the option information to the RADIUS server through RADIUS accounting packets. Through the option information, the RADIUS server knows the terminal types and controls the network access rights and packet processing priorities of the terminals.

Precautions

  • The command takes effect only when the authentication or accounting mode in the AAA scheme is RADIUS.

  • To make this command take effect, you must run the dhcp snooping enable command on the interfaces or in VLANs.

Example

# Set the option fields to be resolved by the device to option 60.

<HUAWEI> system-view
[HUAWEI] device-sensor dhcp option 60

device-sensor lldp tlv

Function

The device-sensor lldp tlv command enables the LLDP-based terminal type awareness function.

The undo device-sensor lldp tlv command disables the LLDP-based terminal type awareness function.

By default, the LLDP-based terminal type awareness function is disabled.

Format

device-sensor lldp tlv tlv-type &<1-4>

undo device-sensor lldp tlv

Parameters

Parameter

Description

Value

tlv-type

Specifies the LLDP TLV type from which the device learns the terminal type.

The value is an integer that can be 1, 2, 5, 6, 7, 8, and 127. The values are as follows:
  • 1: Chassis ID TLV, indicating the bridge MAC address of the device
  • 2: Port ID TLV, indicating the port that sent the LLDPDU
  • 5: System Name TLV, indicating the device name
  • 6: System Description TLV, indicating the system description
  • 7: System Capabilities TLV, indicating the system capabilities
  • 8: Management Address TLV, indicating the management address
  • 127: Organization Specific TLV, indicating the user-defined organization information

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A device usually connects to many types of terminals. You may need to assign different network access rights or packet processing priorities to the terminals of different types. For example, the voice devices, such as IP phones, should be assigned a high packet processing priority because voice signals require low delay and jitter.

Using the LLDP-based terminal type awareness function, the device parses the required TLV type containing terminal type information from the received LLDP packets. The device then sends the TLV type information to the RADIUS server through a RADIUS accounting packet. Through the TLV type information, the RADIUS server knows the terminal types and controls the network access rights and packet processing priorities of the terminals.

Precautions

  • The command takes effect only when the authentication or accounting mode in the AAA scheme is RADIUS.

  • The command takes effect only when the LLDP function is enabled on the device and the connected peer device.

Example

# Enable the terminal type awareness function based on LLDP TLV type 5.

<HUAWEI> system-view
[HUAWEI] device-sensor lldp tlv 5

display aaa statistics access-type-authenreq

Function

The display aaa statistics access-type-authenreq command displays the number of requests for MAC, Portal, or 802.1X authentication.

Format

display aaa statistics access-type-authenreq

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

When users send authentication requests, the device collects statistics on the number of MAC, Portal, and 802.1X authentication requests that have been initiated.

To view the number of requests for MAC, Portal, or 802.1X authentication, run the display aaa statistics access-type-authenreq command.

Example

# Display the number of requests for MAC, Portal, or 802.1X authentication.

<HUAWEI> display aaa statistics access-type-authenreq
mac     authentication request     :2
portal  authentication request     :0
dot1x   authentication request     :0
Table 13-39  Description of the display aaa statistics access-type-authenreq command output

Item

Description

mac authentication request

Number of MAC authentication requests.

portal authentication request

Number of Portal authentication requests.

dot1x authentication request

Number of 802.1X authentication requests.

display access-context profile

Function

The display access-context profile command displays the configuration of a user context profile.

Format

display access-context profile [ name profile-name ]

Parameters

Parameter

Description

Value

name profile-name

Displays the configuration of the user context profile with a specified name.

If name profile-name is not specified, all user context profiles configured on the device are displayed.

The value must be the name of an existing user context profile on the device.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After configuring a user context profile, you can run this command to check whether the configuration is correct.

Example

# Display all user context profiles configured on the device.

<HUAWEI> display access-context profile
-------------------------------------------------------------------------------                                                     
    ID        Access-context profile name                                                                                           
-------------------------------------------------------------------------------                                                     
     0        p1                                                                                                                    
     1        aA                                                                                                                    
-------------------------------------------------------------------------------                                                     
    Total 2, printed 2

# Display the configuration of the user context profile p1.

<HUAWEI> display access-context profile name p1
  Profile name               : p1                                                                                                   
  if-match vlan-id           : 13 to 20 
Table 13-40  Description of the display access-context profile command output

Item

Description

ID

Index of a user context profile.

Access-context profile name or Profile name

Name of a user context profile.

To configure the parameter, run the access-context profile name command.

if-match vlan-id

VLAN matching a user context profile.

To configure the parameter, run the if-match vlan-id command.

display access-author policy

Function

The display access-author policy command displays the configuration of a user authentication event authorization policy.

Format

display access-author policy [ name policy-name ]

Parameters

Parameter

Description

Value

name policy-name

Displays the configuration of the user authentication event authorization policy with a specified name.

If name policy-name is not specified, all user authentication event authorization policies configured on the device are displayed.

The value must be the name of an existing user authentication event authorization policy on the device.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After configuring a user authentication event authorization policy, you can run this command to check whether the configuration is correct.

Example

# Display all user authentication event authorization policies configured on the device.

<HUAWEI> display access-author policy
-------------------------------------------------------------------------------                                                     
    ID        Access-author policy name                                                                                             
-------------------------------------------------------------------------------                                                     
     0        a1                                                                                                                    
     1        a2                                                                                                                    
-------------------------------------------------------------------------------                                                     
    Total 2, printed 2 

# Display the configuration of the user authentication event authorization policy a1.

<HUAWEI> display access-author policy name a1
  Policy name               : a1                                                                                                    
  match access-context-profile p1 action authen-fail service-scheme s1
Table 13-41  Description of the display access-author policy command output

Item

Description

ID

Index of a user authentication event authorization policy.

Access-author policy name or Policy name

Name of a user authentication event authorization policy.

To configure the parameter, run the access-author policy name command.

match access-context-profile profile-name action authen-fail service-scheme scheme-name

User authorization information specified based on a user context profile.

To configure the parameter, run the match access-context-profile action command.

display access-user

Function

The display access-user command displays information about NAC access users.

Format

display access-user service-scheme service-scheme

display access-user access-type { dot1x | mac-authen | portal | none | static }

display access-user event { pre-authen | authen-fail | client-no-response | authen-server-down }

display access-user ucl-group { group-index | name ucl-group-name } [ detail ]

display access-user option82 { circuit-id text | remote-id text }

Parameters

Parameter

Description

Value

service-scheme service-scheme

Displays information about users assigned with a specified service scheme.

The value must be the name of an existing service scheme.

access-type

Displays information about users using a specified authentication mode.

-

dot1x

Displays information about users who pass 802.1X authentication.

-

mac-authen

Displays information about users who pass MAC address authentication.

-

portal

Displays information about users who pass Portal authentication.

-

none

Displays information about users whose AAA scheme is non-authentication.

-

static

Displays static user information.

-

event

Displays information about users in a specified authentication phase.

-

pre-authen

Displays information about users in the pre-connection phase.

-

authen-fail

Displays information about users who fail to be authenticated and are assigned network access policies when the authentication server sends authentication failure packets to the device.

-

client-no-response

Displays information about 802.1X authentication users who fail to be authenticated and are assigned network access policies when the 802.1X client does not respond.

-

authen-server-down

Displays information about users who fail to be authenticated due to the Down status of the authentication server and are assigned network access policies.

-

ucl-group

Displays information about users in a specified UCL group.

-

group-index

Specifies the index of a UCL group.

The value must be an existing UCL group index.

name ucl-group-name

Specifies the name of a UCL group.

The value must be an existing UCL group name.

detail

Displays detailed user information.

-

option82

Displays information about MAC address authentication users who use the Option 82 field as user names.

-

circuit-id text

Displays information about MAC address authentication users who specify the circuit ID as user names.

The value must be existing circuit-id information.

remote-id text

Displays information about MAC address authentication users who specify the remote ID as user names.

The value must be existing remote-id information.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run this command to check information about online NAC users.

Example

# Display information about users who are assigned the service scheme huawei.
<HUAWEI> display access-user service-scheme huawei
 ------------------------------------------------------------------------------ 
 UserID Username                IP address       MAC            Status          
 ------------------------------------------------------------------------------ 
 16018  zqm                     10.12.12.254     78ac-c0c2-0175 Pre-authen      
 ------------------------------------------------------------------------------ 
 Total: 1, printed: 1  
# Display information about users in the pre-connection phase.
<HUAWEI> display access-user event pre-authen
 ------------------------------------------------------------------------------ 
 UserID Username                IP address       MAC            Status          
 ------------------------------------------------------------------------------ 
 16018  zqm                     10.12.12.254     78ac-c0c2-0175 Pre-authen      
 ------------------------------------------------------------------------------ 
 Total: 1, printed: 1  
NOTE:

Only letters, digits, and printable special characters can be displayed in the Username field.

When the user name contains characters whose ASCII codes are smaller than 32 (space) or larger than 126 (~), including characters in languages other than English, the device displays a dot (.) for each such character. If more than three such characters occur consecutively, only three dots (.) are displayed for the whole run.

When the user name is longer than 20 characters, the device displays the first 19 characters followed by up to three dots (.); that is, at most 22 characters are displayed.

Table 13-42  Description of the display access-user command output

Item

Description

UserID ID automatically allocated to an online user by the device.
Username User name.
IP address User IP address.

When both IPv4 and IPv6 addresses exist, only the IPv4 address is recorded.

When only IPv6 addresses exist, only the latest updated IPv6 address is recorded.

MAC User MAC address.
Status User status.
  • Open: for wired users, the user goes online through the open function upon authentication failure; for wireless users, no authentication is performed.
  • Success: authentication succeeded.
  • Pre-authen: the user is in the pre-authentication (pre-connection) phase.
  • Client-no-resp: the 802.1X client did not respond.
  • Fail-authorized: the user was authorized under the authentication-failure policy.
  • Web-server-down: the web (Portal) server is Down.
  • Aaa-server-down: the AAA server is Down.
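The Status column is where a NAC operator should look first: every value other than Success means the user holds whatever access a fallback event policy granted (pre-connection, authentication failure, client no response, or server down), not access approved by the authentication server. The following script is an added example, not part of this document or of the switch software. It parses a display access-user table, returns the users not in Success state, refuses to report from a table the device cut short (printed smaller than Total), and implements the Username display rule from the NOTE so that truncated names (ending in three dots) are marked instead of being matched literally against a directory. All rows except user 16018 are constructed, and the truncation rule is assumed to test the length of the raw user name, which the NOTE does not state.

```python
"""Parse `display access-user` output and list users whose access was not
granted by a successful authentication. Added example, not switch software."""
import re

SUCCESS = {"Success"}  # every other documented Status is a fallback state

_ROW = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+([0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4})\s+(\S+)\s*$")
_TOTAL = re.compile(r"Total:\s*(\d+),\s*printed:\s*(\d+)")

# Constructed sample: user 16018 is the row shown on this page, the others are
# made up to cover further statuses. The third name is 22 characters long
# because the device cut it at 19 characters and appended three dots.
SAMPLE = """\
 ------------------------------------------------------------------------------
 UserID Username                IP address       MAC            Status
 ------------------------------------------------------------------------------
 16018  zqm                     10.12.12.254     78ac-c0c2-0175 Pre-authen
 16019  alice                   10.12.12.10      00e0-fc12-3456 Success
 16020  lobby-printer-0042-...  10.12.12.77      00e0-fc12-3457 Fail-authorized
 16021  bob                     10.12.12.11      00e0-fc12-3458 Aaa-server-down
 ------------------------------------------------------------------------------
 Total: 4, printed: 4
"""


def display_username(name):
    """Render a user name the way the NOTE says the device does: characters
    outside ASCII 32..126 become one dot each, a run of more than three such
    characters becomes exactly three dots, and a name longer than 20
    characters is cut to 19 characters plus three dots (22 in total).
    Assumption: the length test is applied to the raw name."""
    out, run = [], 0
    for ch in name:
        if 32 <= ord(ch) <= 126:
            run = 0
            out.append(ch)
        else:
            run += 1
            if run <= 3:
                out.append(".")
    shown = "".join(out)
    if len(name) > 20:
        shown = shown[:19] + "..."
    return shown


def parse_access_user(text):
    """Return (users, total, printed) for one display access-user table."""
    users = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            uid, name, ip, mac, status = m.groups()
            users.append({"id": int(uid), "username": name, "ip": ip,
                          "mac": mac.lower(), "status": status,
                          # a name ending in "..." was truncated by the device
                          # and cannot be matched literally against a directory
                          "truncated": name.endswith("...")})
    t = _TOTAL.search(text)
    total, printed = (int(t[1]), int(t[2])) if t else (len(users), len(users))
    return users, total, printed


def fallback_users(text):
    """Users whose Status is anything but Success. Refuses to answer from a
    table the device truncated (printed < Total): the missing rows could be
    exactly the ones of interest."""
    users, total, printed = parse_access_user(text)
    if printed < total:
        raise ValueError(f"table truncated: {printed} of {total} users printed")
    return [u for u in users if u["status"] not in SUCCESS]


if __name__ == "__main__":
    for u in fallback_users(SAMPLE):
        flag = " (name truncated)" if u["truncated"] else ""
        print(f'{u["id"]:>6} {u["mac"]} {u["status"]:<16} {u["username"]}{flag}')
```

Run against a capture of display access-user (the full table, or one filtered with the event keyword) the script lists the sessions that exist only because of an event authorization policy; a host with Fail-authorized or Aaa-server-down status that keeps reappearing after the server is back is worth a closer look.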

display access-user dot1x-identity statistics

Function

The display access-user dot1x-identity statistics command displays statistics about Identity packets for 802.1X authentication on a switch.

Format

display access-user dot1x-identity statistics

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

You can run this command to view the statistics about Identity packets for 802.1X authentication on a switch.

Example

# Display statistics about Identity packets for 802.1X authentication on the switch.

<HUAWEI> display access-user dot1x-identity statistics
Process:5
-----------------------------------------------------------------------
Receive(Packet)    Pass(Packet)    Drop(Packet)    Last-dropping-time  
-----------------------------------------------------------------------
0                  0               0               -                   
-----------------------------------------------------------------------
...
Table 13-43  Description of the display access-user dot1x-identity statistics command output
Item Description
Process ID of the process that processes Identity packets for 802.1X authentication.
Receive(Packet) Total number of Identity packets for 802.1X authentication received by the switch.
Pass(Packet) Number of Identity packets for 802.1X authentication sent to and processed by the CPU of the switch.
Drop(Packet) Number of Identity packets for 802.1X authentication discarded by the switch.
Last-dropping-time Latest time when the switch discarded Identity packets for 802.1X authentication. If no packet loss record exists on the switch, this field displays -.

display access-user https statistics

Function

The display access-user https statistics command displays statistics about HTTPS protocol packets sent to the CPU.

Format

display access-user https statistics

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

None

Example

# Display statistics about HTTPS protocol packets sent to the CPU.

In V200R013C00SPC300, the command output is as follows:
<HUAWEI> display access-user https statistics
Process:0 
-----------------------------------------------------------------------                                                             
Receive(Packet)    Pass(Packet)    Drop(Packet)    Last-dropping-time                                                               
-----------------------------------------------------------------------                                                             
0                  0               0               -                                                                                
----------------------------------------------------------------------- 
Table 13-44  Description of the display access-user https statistics command output
Item Description
Process ID of the process that processes HTTPS protocol packets.
Receive(Packet) Total number of HTTPS protocol packets received by the switch.
Pass(Packet) Number of HTTPS protocol packets sent to the CPU.
Drop(Packet) Number of HTTPS protocol packets discarded by the switch.
Last-dropping-time Last time when the switch discards HTTPS protocol packets. If no HTTPS protocol packet is discarded, this parameter is displayed as -.

In V200R013C00SPC500, the command output is as follows:

<HUAWEI> display access-user https statistics
Process:0 
-----------------------------------------------------------------------                                                             
Received packets:
    Tcp-syn:519 

Passed packets:
    Tcp-syn:391 

Dropped packets:
    Last dropping time:2019-03-12 09:26:46
    Duplicate tcp-syn within 1 second:0
    Rate-limited packets:128
Table 13-45  Description of the display access-user https statistics command output
Item Description
Process ID of the process that processes HTTPS packets.
Received packets: Tcp-syn Number of HTTPS TCP handshake (SYN) packets received by the switch.
Passed packets: Tcp-syn Number of HTTPS TCP handshake packets sent to the CPU of the switch.
Dropped packets HTTPS TCP handshake packets dropped by the switch, itemized by reason in the fields below.
Last dropping time Time when the switch last dropped HTTPS TCP handshake packets. If - is displayed, no packet has been dropped.
Duplicate tcp-syn within 1 second Number of duplicate TCP handshake packets received within 1 second and dropped by the switch.
Rate-limited packets Number of TCP handshake packets dropped by the switch because the rate limit was exceeded.

display access-user portal statistics

Function

The display access-user portal statistics command displays statistics about Portal protocol packets sent to the CPU.

Format

display access-user portal statistics

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

None

Example

# Display statistics about Portal protocol packets sent to the CPU.

<HUAWEI> display access-user portal statistics
Process:9 
-----------------------------------------------------------------------                                                             
Receive(Packet)    Pass(Packet)    Drop(Packet)    Last-dropping-time                                                               
-----------------------------------------------------------------------                                                             
0                  0               0               -                                                                                
-----------------------------------------------------------------------                                                             
...
Table 13-46  Description of the display access-user portal statistics command output
Item Description
Process ID of the process that processes Portal protocol packets.
Receive(Packet) Total number of Portal protocol packets received by the switch.
Pass(Packet) Number of Portal protocol packets sent to the CPU.
Drop(Packet) Number of Portal protocol packets discarded by the switch.
Last-dropping-time Last time when the switch discards Portal protocol packets. If no Portal protocol packet is discarded, this parameter is displayed as -.
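The three statistics commands above count packets that had to reach the CPU for authentication to proceed: 802.1X Identity frames, HTTPS SYNs for Portal redirection, and Portal protocol packets. A growing Drop count means clients are failing to authenticate or be redirected, and in the SPC500 HTTPS layout the Rate-limited line tells whether the CPU protection limit, rather than duplicate SYNs, is discarding them. The following parser is an added example, not part of this document or the switch software. It reads both output layouts (the Receive/Pass/Drop table shared by the dot1x-identity, portal and SPC300 https commands, and the itemized SPC500 https layout), checks that received equals passed plus dropped, and computes the dropped share. The two sample outputs are copied from this page; the 5 % alert threshold is an assumption for illustration.

```python
"""Read the CPU packet counters of `display access-user dot1x-identity
statistics`, `display access-user https statistics` (both layouts) and
`display access-user portal statistics`, and compute the dropped share.
Added example, not switch software."""
import re
from dataclasses import dataclass

# Sample outputs copied from this page.
DOT1X_SPC300 = """\
<HUAWEI> display access-user dot1x-identity statistics
Process:5
-----------------------------------------------------------------------
Receive(Packet)    Pass(Packet)    Drop(Packet)    Last-dropping-time
-----------------------------------------------------------------------
0                  0               0               -
-----------------------------------------------------------------------
"""

HTTPS_SPC500 = """\
<HUAWEI> display access-user https statistics
Process:0
-----------------------------------------------------------------------
Received packets:
    Tcp-syn:519

Passed packets:
    Tcp-syn:391

Dropped packets:
    Last dropping time:2019-03-12 09:26:46
    Duplicate tcp-syn within 1 second:0
    Rate-limited packets:128
"""

# A table row: three counters followed by a timestamp or "-".
_TABULAR_ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S.*?)\s*$", re.M)


@dataclass
class CpuPacketStats:
    process: int
    received: int
    passed: int
    dropped: int
    last_drop_time: str   # "-" when the device has no drop record

    @property
    def drop_ratio(self):
        return self.dropped / self.received if self.received else 0.0

    @property
    def consistent(self):
        # every received packet was either passed to the CPU or dropped
        return self.received == self.passed + self.dropped


def _field(text, label):
    """Value of a `label:value` line, or None if the label is absent."""
    m = re.search(rf"^\s*{re.escape(label)}:\s*(.*?)\s*$", text, re.M)
    return m.group(1) if m else None


def parse_cpu_packet_stats(text):
    process = int(_field(text, "Process"))
    row = _TABULAR_ROW.search(text)
    if row:
        # Receive / Pass / Drop / Last-dropping-time table (SPC300 layout,
        # shared by the dot1x-identity and portal statistics commands)
        recv, passed, dropped, last = row.groups()
        return CpuPacketStats(process, int(recv), int(passed), int(dropped), last)
    # SPC500 https layout: drops are itemised by reason
    recv = int(re.search(r"Received packets:\s*Tcp-syn:(\d+)", text).group(1))
    passed = int(re.search(r"Passed packets:\s*Tcp-syn:(\d+)", text).group(1))
    dropped = (int(_field(text, "Duplicate tcp-syn within 1 second"))
               + int(_field(text, "Rate-limited packets")))
    return CpuPacketStats(process, recv, passed, dropped,
                          _field(text, "Last dropping time"))


def needs_attention(stats, max_drop_ratio=0.05):
    """Flag a process whose dropped share exceeds the threshold.
    The 5 % default is an assumption for illustration."""
    return stats.dropped > 0 and stats.drop_ratio > max_drop_ratio


if __name__ == "__main__":
    for sample in (DOT1X_SPC300, HTTPS_SPC500):
        s = parse_cpu_packet_stats(sample)
        print(f"process {s.process}: dropped {s.dropped}/{s.received} "
              f"({s.drop_ratio:.1%}), last drop {s.last_drop_time}, "
              f"consistent={s.consistent}, attention={needs_attention(s)}")
```

In the SPC500 sample the switch dropped 128 of 519 SYNs, all by rate limiting, which is roughly a quarter of the redirect attempts; a single value says little, so poll the command periodically and alert on the change in Drop between polls rather than on the cumulative count.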

display access-user roam-table

Function

The display access-user roam-table command displays the roaming table information of a roaming user.

Format

display access-user roam-table [ mac-address mac-address | ip-address ip-address [ vpn-instance vpn-instance-name ] | acct-session-id acct-session-id ]

Parameters

Parameter

Description

Value

mac-address mac-address

Displays the roaming table information of a roaming user with a specified MAC address.

The value is in H-H-H format. H contains 4 hexadecimal digits.

ip-address ip-address

Displays the roaming table information of a roaming user with a specified IP address.

The value is in dotted decimal notation.

vpn-instance vpn-instance-name

Displays the roaming table information of a roaming user with a specified IP address in a specified VPN instance.

The value must be an existing VPN instance name on the device.

acct-session-id acct-session-id

Displays the roaming table information of a roaming user with a specified accounting ID.

The value must be the current accounting ID of the user.

For details, run the display access-user user-id user-id command to check the User accounting session ID field.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

When a user roams between different ACs, the user roaming table is generated on the AC (authentication point) before the user is re-authenticated. You can run this command to view the user roaming table information.

Precautions

In 802.1X authentication and MAC address authentication, roaming tables are generated only for accounting users, not non-accounting users.

Example

# Display the roaming table information of a roaming user.

<HUAWEI> display access-user roam-table
 ------------------------------------------------------------------------------
 MAC             IP address                       FAC address
------------------------------------------------------------------------------
 7c7d-3dad-aed8  10.1.1.2                         10.137.213.119 
 ------------------------------------------------------------------------------
<HUAWEI> display access-user roam-table ip-address 10.1.1.2
  User MAC                                 : 7c7d-3dad-aed8
  User accounting session ID               : AP6050-00000000000102fa****0000023
  User IP address                          : 10.1.1.2
  IP address of foreign AC                 : 10.137.213.119
Table 13-47  Description of the display access-user roam-table command output

Item

Description

User accounting session ID

User accounting ID.

IP address/User IP address

User IP address.

MAC/User MAC

User MAC address.

FAC address/IP address of foreign AC

IP address of the AC where the user roams.

display access-user-num

Function

The display access-user-num command displays the maximum number of concurrent users and the number of current online users on a virtual access point (VAP).

Format

display access-user-num [ interface wlan-dbss wlan-dbss-interface-id ]

Parameters

Parameter

Description

Value

interface wlan-dbss wlan-dbss-interface-id

Displays the maximum number of concurrent users and the number of current online users on a VAP.

If this parameter is not specified, the maximum number of concurrent users and the number of current online users on all VAPs are displayed.

The value is an existing WLAN-DBSS interface id.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After configuring the maximum number of authenticated users allowed in a VAP profile, you can run the display access-user-num command to view the maximum number of concurrent users and the number of current online users.

Example

# Display the maximum number of concurrent users and the number of current online users on all VAPs.

<HUAWEI> display access-user-num                                                 
2016-09-30 11:09:27.790
----------------------------------------------------------------------          
 Interface name              max-user-num              online-user-num          
----------------------------------------------------------------------          
 Wlan-Dbss0                            30                           10          
 Wlan-Dbss1                             2                            0          
----------------------------------------------------------------------
 Total: 8, printed: 2  
Table 13-48  Description of the display access-user-num command output

Item

Description

Interface name WLAN-DBSS interface id.
max-user-num Maximum number of concurrent users. This parameter is specified by the authentication wlan-max-user command.
online-user-num Number of current online users.
Total Total number of interfaces.
printed Number of printed entries.

display authentication mac-move configuration

Function

The display authentication mac-move configuration command displays the MAC address migration configuration.

Format

display authentication mac-move configuration

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display authentication mac-move configuration command to view the MAC address migration configuration. The configuration includes the number of MAC address migrations a user is allowed within 60s before entering the quiet state, the period for which a MAC address migration user stays in the quiet state, the interval at which the device detects a user's online status before the MAC address is migrated, and the number of detections performed before the MAC address is migrated.

Example

# Display the MAC address migration configuration.

<HUAWEI> display authentication mac-move configuration
Mac-move vlan config:all                                                                                                            
Mac-move quiet times:1                                                                                                              
Mac-move quiet period(s):120                                                                                                        
Mac-move quiet log:ENABLE                                                                                                           
Mac-move quiet user alarm:ENABLE                                                                                                    
Mac-move quiet user alarm lower percentage(%):50                                                                                    
Mac-move quiet user alarm upper percentage(%):100
Mac-move detect:DISABLE                                                         
Mac-move detect retry-interval(s):3                                             
Mac-move detect retry-time:1 
Table 13-49  Description of the display authentication mac-move configuration command output

Item

Description

Mac-move vlan config

VLAN ID range in which MAC address migration is enabled.

For details, see the authentication mac-move enable command.

Mac-move quiet times

Number of MAC address migrations a user is allowed within 60s before the user enters the quiet state.

For details, see the authentication mac-move quiet-times quiet-period command.

Mac-move quiet period(s)

Period that MAC address migration users stay in the quiet state.

For details, see the authentication mac-move quiet-times quiet-period command.

Mac-move quiet log
Whether a device is enabled to record logs about user quietness triggered by MAC address migration:
  • ENABLE
  • DISABLE

For details, see the authentication mac-move quiet-log enable command.

Mac-move quiet user alarm
Whether a device is enabled to send alarms about user quietness triggered by MAC address migration:
  • ENABLE
  • DISABLE

For details, see the authentication mac-move quiet-user-alarm enable command.

Mac-move quiet user alarm lower percentage(%)

Lower alarm threshold for the percentage of MAC address migration users in quiet state.

For details, see the authentication mac-move quiet-user-alarm percentage command.

Mac-move quiet user alarm upper percentage(%)

Upper alarm threshold for the percentage of MAC address migration users in quiet state.

For details, see the authentication mac-move quiet-user-alarm percentage command.

Mac-move detect
Whether a device is enabled to detect users' online status before user MAC address migration:
  • ENABLE
  • DISABLE

For details, see the authentication mac-move detect enable command.

Mac-move detect retry-interval(s)

Interval at which a device detects users' online status before user MAC address migration.

For details, see the authentication mac-move detect retry-interval retry-time command.

Mac-move detect retry-time

Number of detections before user MAC address migration.

For details, see the authentication mac-move detect retry-interval retry-time command.
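The quiet and alarm settings above define a small state machine: a MAC that migrates more than quiet-times times within 60s is silenced for quiet-period seconds, and the alarm on the share of quiet users has separate raise and clear thresholds so it does not flap at the boundary. The following model is an added example, not part of this document or the switch software; it implements that reading so the interaction of the settings shown in the sample output (quiet times 1, quiet period 120s, thresholds 50 % and 100 %) can be exercised. Two points are assumptions because the page does not state them: the alarm percentage is taken as quiet users over a fixed quiet-user capacity, and a user that still answers the Mac-move detect probe at its old location is treated as not migrating.

```python
"""State model of the MAC address migration quiet mechanism whose settings
`display authentication mac-move configuration` prints. Added example, not
switch software: the device's exact rules are not published on this page, so
the behaviour below is an interpretation of the field descriptions."""
from collections import deque


class MacMoveQuiet:
    """quiet_times/quiet_period map to "Mac-move quiet times/period(s)",
    alarm_upper/alarm_lower to the two alarm percentages. The 60 s window
    is fixed in the field description. Assumption: the alarm percentage is
    the number of quiet MACs over a fixed quiet_capacity."""

    WINDOW = 60  # seconds within which quiet_times migrations are allowed

    def __init__(self, quiet_times=1, quiet_period=120,
                 alarm_upper=100, alarm_lower=50, quiet_capacity=2):
        self.quiet_times = quiet_times
        self.quiet_period = quiet_period
        self.alarm_upper = alarm_upper
        self.alarm_lower = alarm_lower
        self.quiet_capacity = quiet_capacity
        self.moves = {}        # mac -> deque of migration timestamps
        self.quiet_until = {}  # mac -> time at which the quiet state ends
        self.alarm = False
        self.events = []       # what the quiet log and the alarm would record

    def _expire(self, now):
        for mac in [m for m, until in self.quiet_until.items() if now >= until]:
            del self.quiet_until[mac]
        self._update_alarm(now)

    def _update_alarm(self, now):
        # hysteresis: raise at the upper threshold, clear only at the lower one
        pct = 100 * len(self.quiet_until) / self.quiet_capacity
        if not self.alarm and pct >= self.alarm_upper:
            self.alarm = True
            self.events.append(("alarm-raise", pct, now))
        elif self.alarm and pct <= self.alarm_lower:
            self.alarm = False
            self.events.append(("alarm-clear", pct, now))

    def quiet_remaining(self, mac, now):
        """Seconds left in quiet state, the "Quiet Remain Time(Sec)" column."""
        self._expire(now)
        return max(0, self.quiet_until.get(mac, now) - now)

    def migrate(self, mac, now, old_location_answers=False):
        """Handle a MAC address appearing at a new access point at time `now`.
        Returns True if the migration is accepted."""
        self._expire(now)
        if mac in self.quiet_until:
            return False   # quiet MAC: no migration until the period ends
        if old_location_answers:
            # Mac-move detect probed the old location and got a reply.
            # Assumption: a user still online there is not moved, which is
            # what keeps a cloned MAC from displacing the real host.
            self.events.append(("detect-reject", mac, now))
            return False
        history = self.moves.setdefault(mac, deque())
        while history and now - history[0] > self.WINDOW:
            history.popleft()
        history.append(now)
        if len(history) > self.quiet_times:
            # one migration too many inside the 60 s window
            self.quiet_until[mac] = now + self.quiet_period
            history.clear()
            self.events.append(("quiet", mac, now))  # Mac-move quiet log entry
            self._update_alarm(now)
            return False
        return True


if __name__ == "__main__":
    q = MacMoveQuiet()
    for mac, t in (("a", 0), ("a", 30), ("b", 40), ("b", 50), ("a", 151)):
        print(f"t={t:>3} {mac} accepted={q.migrate(mac, t)} alarm={q.alarm}")
    print(q.events)
```

With quiet times 1 the second move of the same MAC within a minute silences it; with a capacity of two entries the second quiet MAC raises the alarm and the alarm clears only when the share falls back to the lower threshold, not as soon as it dips below the upper one.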

display authentication mac-move quiet-user

Function

The display authentication mac-move quiet-user command displays information about MAC address migration users in quiet state.

Format

display authentication mac-move quiet-user { all | mac-address mac-address }

Parameters

Parameter

Description

Value

all

Displays information about all MAC address migration users in quiet state.

-

mac-address mac-address

Displays information about MAC address migration users in quiet state with a specified MAC address.

The value is in the H-H-H format. An H contains 1 to 4 hexadecimal digits.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Run this command to view information about MAC address migration users in quiet state.

Example

# Display information about all MAC address migration users in quiet state.

<HUAWEI> display authentication mac-move quiet-user all
Quiet MAC Information
-------------------------------------------------------------------------------
Quiet MAC                                                 Quiet Remain Time(Sec)
-------------------------------------------------------------------------------
0001-0002-0003                                            143
-------------------------------------------------------------------------------
1 quiet MAC found, 1 printed. 
Table 13-50  Description of the display authentication mac-move quiet-user all command output

Item

Description

Quiet MAC

MAC address of MAC address migration users in quiet state.

Quiet Remain Time(Sec)

Remaining quiet time of MAC address migration users in quiet state, in seconds.

display authentication interface

Function

The display authentication interface command displays the configuration of the NAC authentication mode on an interface.

Format

display authentication interface interface-type interface-number

Parameters

Parameter

Description

Value

interface-type interface-number

Displays the configuration of the NAC authentication mode on a specified interface.
  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After configuring the NAC authentication mode, you can run this command to check the configuration.

Example

# Display the configuration of the NAC authentication mode on GE1/0/1.
<HUAWEI> display authentication interface gigabitethernet 1/0/1
Authentication profile: p1
Authentication access-point: Enable
Authentication access-point max-user: 10
Port authentication order:
                          MAC
                          DOT1X
                          WEB   
Table 13-51  Description of the display authentication interface command output

Item

Description

Authentication profile Name of the authentication profile applied to the interface.
Authentication access-point Whether the interface functions as an access control point.
NOTE:
This field is displayed only on access devices used in policy association solutions.
Authentication access-point max-user Maximum number of users who are allowed to log in through an access point.
NOTE:
This field is displayed only on access devices used in policy association solutions.
Port authentication order Authentication mode configured in the authentication profile applied to the interface. Authentication modes include:
  • MAC: indicates the MAC address authentication mode.
  • DOT1X: indicates the 802.1X authentication mode.
  • WEB: indicates the Portal authentication mode.
NOTE:
  • On a standalone device, if MAC address bypass authentication is enabled in the authentication profile using the authentication dot1x-mac-bypass command, DOT1X is displayed before MAC. If MAC address bypass authentication is disabled, MAC is displayed before DOT1X.

  • On an AS device in an SVF system or a policy association scenario, this item only indicates authentication modes configured in the authentication profile, and does not indicate the authentication sequence.

display authentication mode

Function

The display authentication mode command displays the current NAC configuration mode and the mode after restart.

Format

display authentication mode

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display authentication mode command to view the current NAC configuration mode.

Example

# Display the current NAC configuration mode and the mode after restart.
<HUAWEI> display authentication mode
  Current authentication mode is unified-mode                               
  Next authentication mode is unified-mode  
Table 13-52  Description of the display authentication mode command output

Item

Description

Current authentication mode is unified-mode Current NAC configuration mode.
Next authentication mode is unified-mode NAC configuration mode after the device restarts.

Run the authentication unified-mode command to switch the NAC mode to unified mode.

Run the undo authentication unified-mode command to switch the NAC mode to common mode.

display authentication user-alarm configuration

Function

The display authentication user-alarm configuration command displays alarm thresholds for the percentage of successfully authenticated NAC users.

Format

display authentication user-alarm configuration

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run this command to view the alarm thresholds for the percentage of successfully authenticated NAC users.

Example

# Display the alarm thresholds for the percentage of successfully authenticated NAC users.

<HUAWEI> display authentication user-alarm configuration
  Current Alarm Percent:100                                                     
  Current Alarm Resume Percent:60 
Table 13-53  Description of the display authentication user-alarm configuration command output

Item

Description

Current Alarm Percent Upper alarm threshold for the percentage of successfully authenticated NAC users.
Current Alarm Resume Percent Lower alarm threshold for the percentage of successfully authenticated NAC users.

display authentication-profile configuration

Function

The display authentication-profile configuration command displays the configuration of an authentication profile.

Format

display authentication-profile configuration [ name authentication-profile-name ]

Parameters

Parameter

Description

Value

name authentication-profile-name

Displays the configuration of a specified authentication profile.

If name authentication-profile-name is not specified, the device displays all the authentication profiles configured on the device.

The value must be the name of an existing authentication profile.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After configuring an authentication profile, you can run this command to check whether the configuration is correct.

NOTE:

The built-in authentication profile default_authen_profile is not counted in the configuration specification. The name of the compatibility profile converted after an upgrade begins with the at sign (@) and the profile is also not counted in the configuration specification.

Example

# Display all the authentication profiles configured on the device.

<HUAWEI> display authentication-profile configuration
------------------------------------------------------------------------------- 
    ID        Auth-profile name                                                 
------------------------------------------------------------------------------- 
     0        default_authen_profile                                            
     1        dot1x_authen_profile                                              
     2        mac_authen_profile                                                
     3        portal_authen_profile                                             
     4        dot1xmac_authen_profile                                           
     5        multi_authen_profile                                              
------------------------------------------------------------------------------- 
    Total 6, printed 6
Table 13-54  Description of the display authentication-profile configuration command output

Item

Description

ID

Authentication profile ID.

Auth-profile name

Authentication profile name.

# Display the configuration of the authentication profile p1.

<HUAWEI> display authentication-profile configuration name p1
  Profile name                                : p1
  Dot1x access profile name                   : -
  Mac access profile name                     : -
  Portal access profile name                  : testdel
  Free rule template                          : -
  Force domain                                : -
  Dot1x force domain                          : -
  Mac-authen force domain                     : -
  Portal force domain                         : -
  Default domain                              : 110
  Dot1x default domain                        : -
  Mac-authen default domain                   : -
  Portal default domain                       : -
  Permit domain                               : -
  Authentication handshake                    : Enable                                                                              
  Authentication handshake period             : 300s   
  Auth-fail re-auth period                    : 60s
  Pre-auth Re-auth period                     : 60s
  Auth-fail aging time                        : 82800s
  Pre-auth aging time                         : 82800s
  Author-keep aging time                      : 0s
  Dot1x-mac-bypass                            : Disable
  Mac authen before 802.1x authen force       : Enable 
  Single-access                               : Disable
  Device-type authorize service-scheme        : -
  Mac move detect enable                      : Enable    
  Authentication mode                         : multi-authen
  Authen-fail authorize service-scheme        : -
  Authen-server-down authorize service-scheme : -
  Authen-server-down authorize keep           : response-success
  Authen-server-noreply authorize keep        : response-success
  Authen-server-down close re-authen          : N
  Pre-authen authorize service-scheme         : -
  Security-name-delimiter                     : -
  Domain-name-delimiter                       : -
  Domain-location                             : -
  Domainname-parse-direction                  : -
  WLAN max user number                        : 128
  Bound vap profile                           : -
  SVF flag                                    : Disable
  Ip-static-user                              : Disable
  Roam-realtime-accounting                    : Enable                          
  Update-IP-realtime-accounting               : Enable  
  IP-address in-accounting-start              : Enable
  Linkdown offline delay time                 : 10 
  Termination action                          : reauthenticate 
  Control direction                           : Inbound 
  Update-Info-realtime-accounting             : Enable 
  No IP Check Flag                            : N  
  IP Conflict Check Flag                      : Y 
  Authentication roam pre-authen mac-authen   : Enable 
  Authentication single-stack-control enable  : IPv6 
  Authentication no-replace dot1x             : -
Table 13-55  Description of the display authentication-profile configuration name command output

Item

Description

Profile name

Authentication profile name.

Dot1x access profile name

802.1X access profile bound to the authentication profile.

To configure an 802.1X access profile, run the dot1x-access-profile (authentication profile view) command.

Mac access profile name

MAC access profile bound to the authentication profile.

To configure a MAC access profile, run the mac-access-profile (authentication profile view) command.

Portal access profile name

Portal access profile bound to the authentication profile.

To configure a Portal access profile, run the portal-access-profile (authentication profile view) command.

Free rule template

Authentication-free rule profile bound to the authentication profile.

To configure an authentication-free rule profile, run the free-rule-template (authentication profile view) command.

Force domain

Forcible domain for users.

To configure a forcible domain, run the access-domain command.

Dot1x force domain

Forcible domain for 802.1X authentication users.

To configure a forcible domain for 802.1X authentication users, run the access-domain command.

Mac-authen force domain

Forcible domain for MAC address authentication users.

To configure a forcible domain for MAC address authentication users, run the access-domain command.

Portal force domain

Forcible domain for Portal authentication users.

To configure a forcible domain for Portal authentication users, run the access-domain command.

Default domain

Default domain for users.

To configure a default domain for users, run the access-domain command.

Dot1x default domain

Default domain for 802.1X authentication users.

To configure a default domain for 802.1X authentication users, run the access-domain command.

Mac-authen default domain

Default domain for MAC address authentication users.

To configure a default domain for MAC address authentication users, run the access-domain command.

Portal default domain

Default domain for Portal authentication users.

To configure a default domain for Portal authentication users, run the access-domain command.

Permit domain

Permitted domain for users.

To configure a permitted domain, run the permit-domain command.

Authentication handshake

Whether the handshake function is enabled.

  • Enable
  • Disable

To enable the handshake function, run the authentication handshake command.

Authentication handshake period

Handshake interval.

To configure the handshake interval, run the authentication timer handshake-period command.

Auth-fail re-auth period

Interval for re-authenticating users who fail to be authenticated.

To configure the interval, run the authentication timer re-authen command.

Pre-auth re-auth period

Interval for re-authenticating pre-connection users.

To configure the interval, run the authentication timer re-authen command.

Auth-fail aging Time

Aging time for entries of the users who fail to be authenticated.

To configure the aging time, run the authentication timer authen-fail-aging command.

Pre-auth aging Time

Aging time for pre-connection user entries.

To configure the aging time, run the authentication timer pre-authen-aging command.

Author-keep aging time

Aging time for entries of online users that are authorized to retain the original network access rights.

To configure the aging time, run the authentication timer authorize-keep-aging command.

Dot1x-mac-bypass

Whether MAC address bypass authentication is enabled.

  • Enable
  • Disable

To configure the function, run the authentication dot1x-mac-bypass command.

Mac authen before 802.1x authen force

Whether forcible MAC address authentication is enabled before 802.1X authentication.

  • Enable
  • Disable

To enable the function, run the authentication mac-authen-first force command.

Single-access

Whether the device allows users to access in only one authentication mode.

To configure the function, run the authentication single-access command.

Device-type authorize service-scheme

Name of the service scheme based on which the device assigns network access rights to voice terminals that are not authenticated.

To configure the name, run the authentication device-type voice authorize command.

Authentication mode

User access mode.

To configure the mode, run the authentication mode command.

Authen-fail authorize service-scheme

Name of the service scheme based on which the device assigns network access rights to users who fail to be authenticated.

To configure the name, run the authentication event action authorize command.

Authen-server-down authorize service-scheme

Name of the service scheme based on which the device assigns network access rights to users when the authentication server is Down.

To configure the name, run the authentication event action authorize command.

Authen-server-down authorize keep

The device retains the original network access rights of users and responds to users when the authentication server is Down.

  • response-success: The device returns an authentication success packet to users.
  • response-fail: The device returns an authentication failure packet to users.
  • no-response: The device does not respond to users.

To configure the function, run the authentication event action authorize command.

Authen-server-noreply authorize keep

The device retains the original network access rights of users and responds to users when the authentication server does not respond.

  • response-success: The device returns an authentication success packet to users.
  • response-fail: The device returns an authentication failure packet to users.
  • no-response: The device does not respond to users.

To configure the function, run the authentication event action authorize command.

Authen-server-down close re-authen

Whether to disable the re-authentication function when the authentication server is Down.

  • Y
  • N

To configure the function, run the authentication event authen-server-down action close re-authen command.

Pre-authen authorize service-scheme

Name of the service scheme based on which the device assigns network access rights to users who are in the pre-connection state.

To configure the name, run the authentication event action authorize command.

Security-name-delimiter

Security string delimiter.

To configure the delimiter, run the security-name-delimiter command.

Domain-name-delimiter

Domain name delimiter.

To configure the delimiter, run the domain-name-delimiter command.

Domain-location

Domain name location.

To configure the location, run the domain-location command.

Domainname-parse-direction

Domain name resolution direction.

To configure the direction, run the domainname-parse-direction command.

WLAN max user number

Maximum number of authenticated users allowed in a VAP profile.

To configure the maximum number, run the authentication wlan-max-user command.

Bound vap profile

VAP profile to which the authentication profile is bound.

To configure the VAP profile, run the authentication-profile (Interface view or VAP profile view) command.

SVF flag

The flag of SVF status.

Ip-static-user

Whether the function of identifying static users through IP addresses is enabled.

  • Enable
  • Disable

To configure the function, run the ip-static-user enable command.

Roam-realtime-accounting

Whether a device is enabled to send accounting packets for roaming.

  • Enable
  • Disable

Update-IP-realtime-accounting

Whether a device is enabled to send accounting packets for address updating.

  • Enable
  • Disable

To configure the function, run the authentication { update-info-accounting | update-ip-accounting } * enable command.

Linkdown offline delay time

User logout delay when an interface link is faulty.

To configure the delay, run the link-down offline delay command.

IP-address in-accounting-start

Whether the function of carrying users' IP addresses in Accounting-Start packets is enabled.

  • Enable
  • Disable

To configure the function, run the authentication ip-address in-accounting-start command.

Termination action

Action that the device takes when the timeout period specified by the Session-Timeout attribute delivered by the RADIUS server expires.

  • reauthenticate

To configure the function, run the authentication termination-action reauthenticate command.

Control direction

Direction of packets controlled by the device.

  • Inbound: Only upstream traffic is controlled.
  • All: Bidirectional traffic is controlled.

To configure the function, run the authentication control-direction command.

Update-Info-realtime-accounting

Whether a device is enabled to send accounting packets for terminal information updates.

  • Enable
  • Disable

To configure the function, run the authentication { update-info-accounting | update-ip-accounting } * enable command.

No IP Check Flag

Whether the device is configured not to create IP hash tables for client IP addresses.

  • Y
  • N

To configure the function, run the authentication no-ip-check command.

IP Conflict Check Flag

Whether the client IP address conflict detection function is enabled.

  • Y
  • N

To configure the function, run the authentication ip-conflict-check enable command.

Authentication roam pre-authen mac-authen

Whether to enable MAC address authentication for roaming STAs.

  • Enable
  • Disable

To configure this function, run the authentication roam pre-authen mac-authen enable command.

Mac move detect enable

Whether the device is enabled to detect users' online status before user MAC address migration:

  • Enable
  • Disable

To enable this function, run the authentication mac-move detect enable command.

Authentication single-stack-control enable

Whether the single-stack authentication function is enabled.

  • IPv4
  • IPv6
  • Disable

To configure the single-stack authentication function, run the authentication single-stack-control enable command.

Authentication no-replace dot1x

Whether the function that the device responds to the EAP start packets sent from users who have successfully passed MAC address authentication or Portal authentication is enabled.

  • dot1x: enabled
  • -: disabled

To configure this function, run the authentication no-replace dot1x command.

display device-profile

Function

The display device-profile command displays the configuration of a specified terminal type identification profile or all terminal type identification profiles.

Format

display device-profile { all | profile-name profile-name }

Parameters

Parameter

Description

Value

all

Displays a summary of all terminal type identification profiles.

-

profile-name profile-name

Displays detailed information about a specified terminal type identification profile.

The value must be the name of an existing terminal type identification profile.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After configuring terminal type identification, you can run the display device-profile command to view the terminal type identification profile configuration, including the profile name, terminal type identifier, and ACL rule.

Example

# Display a summary of all terminal type identification profiles.

<HUAWEI> display device-profile all
  -----------------------------------------------------------------------------------------                                                                     
  Name                             Device type                      Rule num     State                                                                          
  -----------------------------------------------------------------------------------------                                                                     
  test                             huawei                           1            enable                                                                         
  -----------------------------------------------------------------------------------------                                                                     
  Total count : 1

# Display detailed information about the terminal type identification profile test.

<HUAWEI> display device-profile profile-name test
  ----------------------------------------------------------------------------
  Name        : test
  Device type : huawei
  State       : disabled
  Rule        :
    rule 1 mac 0006-0045-0078 mask 12
  Match       :
    if-match rule id 1
  ----------------------------------------------------------------------------
Table 13-56  Description of the display device-profile command output

Item

Description

Name

Name of a terminal type identification profile.

To set a terminal type identification profile name, run the device-profile command.

Device type

Terminal type identifier.

To set a terminal type identifier, run the device-type command.

Rule num

Number of ACL rules.

State

Whether terminal type identification is enabled:

  • enable: Terminal type identification is enabled.
  • disabled: Terminal type identification is disabled.

To enable terminal type identification, run the enable command.

Rule

Terminal identification rule.

To set a terminal identification rule, run the rule command.

Match

Matching mode of terminal type identification rules.

To set a matching mode of terminal type identification rules, run the if-match command.

display dot1x

Function

The display dot1x command displays 802.1X authentication information.

Format

display dot1x statistics

display dot1x [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ]

Parameters

Parameter

Description

Value

statistics

Displays statistics on 802.1X authentication.

Statistics on 802.1X authentication are displayed only when this parameter is specified.

-

interface { interface-type interface-number1 [ to interface-number2 ] }

Displays 802.1X authentication information of a specified interface.

  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

If this parameter is not specified, 802.1X authentication information of all interfaces is displayed.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

You can run the display dot1x command to view configuration results of all configuration commands in 802.1X authentication and statistics about 802.1X packets.

The command output helps you to check whether the current 802.1X authentication configuration is correct and isolate faults accordingly.

Follow-up Procedure

The display dot1x command displays the statistics on 802.1X packets. You can locate the fault according to the packet statistics. When the fault is rectified, run the reset dot1x statistics command to clear the packet statistics. After a period of time, run the display dot1x command again to check the packet statistics. If no error packet is found, the fault is rectified.

Example

# Display 802.1X authentication information.
<HUAWEI> display dot1x
  Max users: 10000
  Current users: 1
  Global default domain is jqq
  Dot1x abnormal-track cache-record-num: 20
  Quiet function is Disabled
  Mc-trigger port-up-send is Disabled
  Parameter set:Quiet Period                 180s   Quiet-times          1
                Tx Period                     30s   Mac-By-Pass Delay   10s
  Dot1x URL: 123456

 GigabitEthernet0/0/1 status: UP  802.1x protocol is Enabled
  Dot1x access profile is jqq
  Authentication mode is multi-authen
  Authentication method is EAP
  Reauthentication is enabled
  Reauthen period: 300s
  Dot1x retry times: 2
  Authenticating users: 0
  Current users: 0

  Authentication Success: 0          Failure: 0
  Enter Enquence        : 0
  EAPOL Packets: TX     : 68         RX     : 0
  Sent      EAPOL Request/Identity Packets  : 3
            EAPOL Request/Challenge Packets : 0
            Multicast Trigger Packets       : 64
            EAPOL Success Packets           : 0
            EAPOL Failure Packets           : 1
  Received  EAPOL Start Packets             : 0
            EAPOL Logoff Packets            : 0
            EAPOL Response/Identity Packets : 0
            EAPOL Response/Challenge Packets: 0

 Online user(s) info:
 UserId   MAC/VLAN            AccessTime              UserName
 ------------------------------------------------------------------------------
 1047     1044-00c7-07a9/27   2018/12/06 19:27:54     jqq
 ------------------------------------------------------------------------------
 Total: 1, printed: 1

# Display 802.1X statistics.

<HUAWEI> display dot1x statistics
  Dropped   EAPOL Access Flow Control       : 0
            EAPOL Check Sysmac Error        : 0
            EAPOL Get Vlan ID Error         : 0
            EAPOL Packet Flow Control       : 0
            EAPOL Online User Reach Max     : 0
            EAPOL Static or BlackHole Mac   : 0
            EAPOL Get Vlan Mac Error        : 0
            EAPOL Temp User Exist           : 0
            EAPOL no replace dot1x          : 0  

  DHCP      Enter Enqueue                        : 0
            Processed Packet                     : 0
            Dropped Packet                       : 0

  ARP       Enter Enqueue                        : 0
            Processed Packet                     : 0
            Dropped Packet                       : 0

  ND        Enter Enqueue                        : 0
            Processed Packet                     : 0
            Dropped Packet                       : 0

  DHCPv6    Enter Enqueue                        : 0
            Processed Packet                     : 0
            Dropped Packet                       : 0

  Sent      Authentication Request               : 0
            Cut Request                          : 0
            Cut Command Ack                      : 0
            Authentication Ack Fail Aff          : 0
            Update Ip                            : 0
            Wlan Eap Authentication Request      : 0
            Wlan Eap Authentication Request Ack  : 0
            Wlan Eap Send Pmk                    : 0
            Wlan Eap Reauthenticate Send Pmk     : 0
            Update User Online Time              : 0

  Received  Authentication Ack                   : 0
            Reauthenticate Command               : 0
            Cut Command                          : 0
            Cut Ack                              : 0
            Sam Nac Ack                          : 0
            Notify Server Up                     : 0
            Wlan Eap Authentication Request      : 0
            Wlan Mac Authentication Request      : 0
            Notify Vlanif Mac Authentication     : 0
Table 13-57  Description of the display dot1x command output

Item

Description

Max users

Maximum number of global online users. The value varies according to the device model.

Current users

Number of current online users.

Global default domain is

Global default authentication domain.

To configure the global default authentication domain, run the domain (system view) command.

Dot1x abnormal-track cache-record-num

Number of EAP packets for abnormal 802.1X authentication that the device can record.

For details, see dot1x abnormal-track cache-record-num.

Quiet function is

Whether the quiet function is enabled.

  • Enabled.
  • Disabled.

To configure the quiet function, run the dot1x quiet-period command.

Mc-trigger port-up-send is

Whether the function of triggering 802.1X authentication through multicast packets immediately after an interface goes Up is enabled.

  • Enabled.
  • Disabled.

To configure the function, run the dot1x mc-trigger port-up-send enable command.

Parameter set

Settings of 802.1X parameters:
  • Quiet Period: specifies the quiet period set by the quiet timer. To configure the quiet period, run the dot1x timer quiet-period command.
  • Quiet-times: specifies the maximum number of authentication failures before the device quiets a user. To configure the maximum value, run the dot1x quiet-times command.
  • Tx Period: specifies the interval for sending authentication requests. To configure the interval, run the dot1x timer tx-period command.
  • Mac-By-Pass Delay: specifies the value of the delay timer for MAC address bypass authentication.

Dot1x URL

Redirect-to URL for HTTP access of 802.1X users.

To configure the redirect-to URL, run the dot1x url command.

interface status

Interface status:
  • UP: The interface is enabled.
  • DOWN: The interface is shut down.

802.1x protocol is

Whether 802.1X authentication is enabled on the interface.

  • Enabled.
  • Disabled.

Dot1x access profile is

802.1X access profile name.

To configure the 802.1X access profile name, run the dot1x-access-profile (system view) command.

Authentication mode is

User access mode.

To configure the user access mode, run the authentication mode command.

Authentication method is

Authentication mode of 802.1X users.

To configure the authentication mode of 802.1X users, run the dot1x authentication-method command.

Reauthentication is

Whether re-authentication is enabled for online 802.1X users.

To configure the function, run the dot1x reauthenticate command.

Dot1x retry times

Maximum number of attempts to send authentication requests to 802.1X users.

To configure the maximum number of attempts to send authentication requests to 802.1X users, run the dot1x retry command.

Authenticating users

Number of users who are being authenticated.

Current users

Number of online users on the interface.

Authentication Success

Number of successful authentications.

The statistics cover online 802.1X users but exclude users authenticated through MAC address bypass authentication.

Failure

Number of failed authentications.

The statistics cover online 802.1X users but exclude users authenticated through MAC address bypass authentication.

Enter Enquence

Number of packets entering the queue.

EAPOL Packets

Global number of EAPOL packets.

  • TX: Number of sent EAPOL packets.
  • RX: Number of received EAPOL packets.

Sent

Statistics on sent packets.

EAPOL Request/Identity Packets

Global number of EAPOL Request/Identity packets.

EAPOL Request/Challenge Packets

Global number of EAPOL Request/Challenge packets.

Multicast Trigger Packets

Number of multicast packets that trigger authentication.

EAPOL Success Packets

Global number of EAPOL Success packets.

EAPOL Failure Packets

Global number of EAPOL Failure packets.

Received

Statistics on received packets.

EAPOL Start Packets

Global number of EAPOL Start packets.

EAPOL Logoff Packets

Global number of EAPOL Logoff packets.

EAPOL Response/Identity Packets

Global number of EAPOL Response/Identity packets.

EAPOL Response/Challenge Packets

Global number of EAPOL Response/Challenge packets.

Online user(s) info

Online user information:
  • UserId: User ID.
  • MAC/VLAN: MAC address/VLAN ID.
  • AccessTime: Access time.
  • UserName: User name.
  • Total: Total number of online users.
  • printed: Number of displayed online users.

Dropped

Number of discarded EAP packets.

  • EAPOL Access Flow Control: number of packets that are discarded because the user access rate is exceeded.
  • EAPOL Check Sysmac Error: number of packets that are discarded because the device MAC address is incorrect.
  • EAPOL Get Vlan ID Error: number of packets that are discarded because the obtained VLAN ID is incorrect.
  • EAPOL Packet Flow Control: number of packets that are discarded because the packet access rate is exceeded.
  • EAPOL Online User Reach Max: number of packets that are discarded because the number of online users reaches the maximum.
  • EAPOL Static or BlackHole Mac: number of packets that are discarded because the packet MAC address is a static MAC address or blackhole MAC address.
  • EAPOL Get Vlan Mac Error: number of packets that are discarded because the obtained VLAN MAC address is incorrect.
  • EAPOL Temp User Exist: number of packets that are discarded because the temporary user exists.
  • EAPOL no replace dot1x: number of EAP Start packets that are discarded due to 802.1X authentication of successfully authenticated MAC or Portal users.

DHCP

DHCP packet statistics.

ARP

ARP packet statistics.

ND

ND packet statistics.

DHCPv6

DHCPv6 packet statistics.

Processed Packet

Number of processed packets.

Dropped Packet

Number of discarded packets.

Authentication Request

Number of authentication request messages.

Cut Request

Number of logout request messages.

Cut Command Ack

Number of acknowledgment messages to logout command request messages.

Authentication Ack Fail Aff

Number of messages indicating that a wireless user is disconnected after authentication fails.

Update Ip

Number of IP address update messages.

Wlan Eap Authentication Request

Number of EAP authentication request messages initiated by the WLAN module.

Wlan Eap Authentication Request Ack

Number of acknowledgment messages to EAP authentication request messages initiated by the WLAN module.

Wlan Eap Send Pmk

Number of PMK messages sent when the WLAN module performs EAP authentication.

Wlan Eap Reauthenticate Send Pmk

Number of PMK messages sent when the WLAN module performs EAP re-authentication.

Update User Online Time

Number of user online time update messages.

Authentication Ack

Number of authentication acknowledgment messages.

Reauthenticate Command

Number of re-authentication messages.

Cut Command

Number of logout command request messages.

Cut Ack

Number of acknowledgment messages to logout request messages.

Sam Nac Ack

Number of EAP messages replied by the SAM module.

Notify Server Up

Number of RADIUS server Up messages.

Wlan Mac Authentication Request

Number of MAC authentication request messages initiated by the WLAN module.

Notify Vlanif Mac Authentication

Number of MAC authentication request messages of a VLANIF interface.
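The follow-up procedure for display dot1x reads the 802.1X counters, clears them with reset dot1x statistics, waits, and reads them again to see whether error packets reappear. The script below is an added example for this page, not Huawei code: it parses the counter layout of the display dot1x and display dot1x statistics outputs shown above, flags the counters the table describes as failures or discards, and reports which counters grew between two readings. The two sample outputs embedded in it are constructed to follow that layout rather than captured from a switch, and the "global" label it gives to counters printed before the first interface block is the script's own convention.

```python
"""Parse the counters printed by "display dot1x" and "display dot1x statistics"
and flag the ones this reference describes as failures or discards.

Added example, not Huawei code. Both samples are constructed to follow the
output layout shown on this page (not captured from a switch); "global" is
this script's own label for counters printed before the first interface block.
"""
import re
from typing import Dict, List, Tuple

CounterKey = Tuple[str, str, str]  # (interface, section keyword, counter name)

# Keywords that open a block of counters; the indented lines below them belong
# to the same block, as in the outputs on this page.
SECTIONS = {"Sent", "Received", "Dropped", "DHCP", "ARP", "ND", "DHCPv6"}

_IFACE_RE = re.compile(r"^\s*(\S+)\s+status:\s*(UP|DOWN)\b")
_FIRST_WORD_RE = re.compile(r"^\s*([A-Za-z0-9]+)\s{2,}(\S.*)$")
# A label ending in ':' that is followed by text rather than a number, e.g.
# "EAPOL Packets: TX : 68  RX : 0"; it is prefixed to that line's counter names.
_PREFIX_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 /-]*?):\s*(?=[A-Za-z])")
# "<name> : <integer>" pairs; (?!\S) rejects values carrying a unit such as "300s".
_COUNTER_RE = re.compile(r"([A-Za-z][A-Za-z0-9 /-]*?)\s*:\s*(\d+)(?!\S)")

SAMPLE_DISPLAY_DOT1X = """\
  Max users: 10000
  Current users: 1

 GigabitEthernet0/0/1 status: UP  802.1x protocol is Enabled

  Authentication Success: 0          Failure: 0
  EAPOL Packets: TX     : 68         RX     : 0
  Sent      EAPOL Request/Identity Packets  : 3
            Multicast Trigger Packets       : 64
            EAPOL Failure Packets           : 1
  Received  EAPOL Start Packets             : 0
            EAPOL Response/Identity Packets : 0
"""

SAMPLE_DISPLAY_DOT1X_STATISTICS = """\
  Dropped   EAPOL Access Flow Control       : 0
            EAPOL Online User Reach Max     : 3

  DHCP      Enter Enqueue                        : 5
            Processed Packet                     : 3
            Dropped Packet                       : 2

  Sent      Authentication Request               : 4
"""


def parse_counters(text: str) -> Dict[CounterKey, int]:
    """Return every integer counter in the output, keyed by (interface, section, name)."""
    counters: Dict[CounterKey, int] = {}
    iface, section = "global", ""
    for line in text.splitlines():
        if not line.strip():
            section = ""  # a blank line ends a Sent/Received/Dropped/... block
            continue
        m = _IFACE_RE.match(line)
        if m:
            iface, section = m.group(1), ""
            continue
        rest = line
        m = _FIRST_WORD_RE.match(line)
        if m and m.group(1) in SECTIONS:
            section, rest = m.group(1), m.group(2)
        prefix = ""
        m = _PREFIX_RE.match(rest)
        if m:
            prefix, rest = m.group(1).strip() + " ", rest[m.end():]
        for name, value in _COUNTER_RE.findall(rest):
            counters[(iface, section, prefix + name.strip())] = int(value)
    return counters


def find_anomalies(counters: Dict[CounterKey, int]) -> List[str]:
    """Non-zero counters that mean failed authentications or discarded packets."""
    found = []
    for (iface, section, name), value in sorted(counters.items()):
        if value and (section == "Dropped" or name == "Dropped Packet" or "Failure" in name):
            label = f"{section} {name}" if section else name
            found.append(f"{iface}: {label} = {value}")
    return found


def increased_since(before: Dict[CounterKey, int],
                    after: Dict[CounterKey, int]) -> Dict[CounterKey, int]:
    """Counters that grew between two readings, e.g. the ones taken before and
    after the wait in the follow-up procedure (a reset zeroes the first)."""
    return {k: v - before.get(k, 0) for k, v in after.items() if v > before.get(k, 0)}


if __name__ == "__main__":
    for title, sample in (("display dot1x", SAMPLE_DISPLAY_DOT1X),
                          ("display dot1x statistics", SAMPLE_DISPLAY_DOT1X_STATISTICS)):
        print(f"{title}: {find_anomalies(parse_counters(sample)) or 'no error counters'}")
```

In practice the text passed to parse_counters is the output captured from the switch CLI (for example a saved terminal session); feeding it two readings taken a few minutes apart, or one reading taken after reset dot1x statistics, is what the follow-up procedure asks for.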

display dot1x-access-profile configuration

Function

The display dot1x-access-profile configuration command displays the configuration of an 802.1X access profile.

Format

display dot1x-access-profile configuration [ name access-profile-name ]

Parameters

Parameter

Description

Value

name access-profile-name

Displays the configuration of an 802.1X access profile with a specified name.

If name access-profile-name is not specified, the device displays all the 802.1X access profiles configured on the device. If name access-profile-name is specified, the device displays the configuration of a specified 802.1X access profile.

The value must be the name of an existing 802.1X access profile.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After configuring an 802.1X access profile, you can run this command to check whether the configuration is correct.

NOTE:

The name of the compatibility profile converted after an upgrade begins with the at sign (@) and the profile is not counted in the configuration specification.

Example

# Display all the 802.1X access profiles configured on the device.

<HUAWEI> display dot1x-access-profile configuration
-------------------------------------------------------------------------------                                                     
 ID             Dot1x-Access-Profile Name                                                                                           
-------------------------------------------------------------------------------                                                     
 0              dot1x_access_profile                                                                                                
 1              d1                                                                                                                  
 2              d2                                                                                                                   
 3              d3                                                                                                                   
 4              d4                                                                                                        
-------------------------------------------------------------------------------                                                     
 Total: 5 printed: 5. 
Table 13-58  Description of the display dot1x-access-profile configuration command output

Item

Description

ID

802.1X access profile ID.

Dot1x-Access-Profile Name

802.1X access profile name.

# Display the configuration of the 802.1X access profile d1.

<HUAWEI> display dot1x-access-profile configuration name d1
  Profile Name                 : d1
  Authentication method        : EAP
  Port control                 : authorized-force
  Re-authen                    : Enable
  Client-no-response authorize : -
  Trigger condition            : arp
  Unicast trigger              : Enable
  Trigger dhcp-bind            : Enable
  Handshake                    : Disable
  Handshake packet-type        : request-identity
  Max retry value              : 2
  Reauthen Period              : 3600s
  Client Timeout               : 5s
  Handshake Period             : 60s
  Eth-trunk handshake period   : 120s
  Bound authentication profile : -
Table 13-59  Description of the display dot1x-access-profile configuration name command output

Item

Description

Profile Name

802.1X access profile name.

Authentication method

Authentication mode of 802.1X users:
  • CHAP
  • PAP
  • EAP

To configure the authentication mode, run the dot1x authentication-method command.

Port control

802.1X authentication interface's authorization status:
  • auto
  • authorized-force
  • unauthorized-force

To set an authorization state for an interface, run the dot1x port-control command.

Re-authen

Whether re-authentication for online 802.1X users is enabled:
  • Enable
  • Disable

To configure the re-authentication function, run the dot1x reauthenticate command.

Client-no-response authorize

Network access rights granted to users when the 802.1X client does not respond.

  • service-scheme: The name of a service scheme based on which network access rights are assigned.
  • ucl-group: The name of a UCL group based on which network access rights are assigned.
  • vlan: The VLAN based on which network access rights are assigned.

To configure the network access rights, run the authentication event client-no-response action authorize command.

Trigger condition

Packet type that can trigger 802.1X authentication:
  • dhcp
  • arp
  • dhcpv6
  • nd
  • any-l2-packet

To configure the packet type, run the authentication trigger-condition (802.1X authentication) command.

Unicast trigger

Whether 802.1X authentication triggered by unicast packets is enabled:
  • Enable
  • Disable

To configure the function, run the dot1x unicast-trigger command.

Trigger dhcp-bind

Whether the device is enabled to automatically generate DHCP snooping binding entries for users with static IP addresses:
  • Enable
  • Disable

To configure the function, run the dot1x trigger dhcp-binding command.

Handshake

Whether handshake with online 802.1X authentication users is enabled:
  • Enable
  • Disable

To configure the function, run the dot1x handshake command.

Handshake packet-type

Type of 802.1X authentication handshake packets:
  • request-identity
  • srp-sha1-part2

To configure the type, run the dot1x handshake packet-type command.

Max retry value

Maximum number of attempts to send authentication requests to 802.1X users.

To configure the maximum value, run the dot1x retry command.

Reauthen Period

Re-authentication interval for online 802.1X users.

To configure the re-authentication interval, run the dot1x timer command.

Client Timeout

Authentication timeout period for 802.1X clients.

To configure the authentication timeout period, run the dot1x timer command.

Handshake Period

Interval at which the device handshakes with an 802.1X client on a non-Eth-Trunk interface.

To configure the interval, run the dot1x timer command.

Eth-trunk handshake period

Interval at which the device handshakes with an 802.1X client on an Eth-Trunk.

To configure the interval, run the dot1x timer command.

Bound authentication profile

Authentication profile to which the 802.1X access profile is bound.

To configure the authentication profile, run the dot1x-access-profile (authentication profile view) command.

display dot1x quiet-user

Function

The display dot1x quiet-user command displays information about 802.1X authentication users who are quieted.

Format

display dot1x quiet-user { all | mac-address mac-address }

Parameters

Parameter

Description

Value

all

Displays information about all 802.1X authentication users who are quieted.

-

mac-address mac-address

Displays information about a quiet 802.1X authentication user with a specified MAC address.

The value is in H-H-H format. Each H is a hexadecimal number of 1 to 4 digits.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run this command to view information about 802.1X authentication users who are quieted.

Example

# Display information about all 802.1X authentication users who are quieted.

<HUAWEI> display dot1x quiet-user all
-------------------------------------------------------------------------------
MacAddress                                                Quiet Remain Time(Sec)
-------------------------------------------------------------------------------
0001-0002-0003                                            50
-------------------------------------------------------------------------------
1 silent mac address(es) found, 1 printed. 
Table 13-60  Description of the display dot1x quiet-user all command output

Item

Description

MacAddress

MAC address of an 802.1X authentication user who is quieted.

Quiet Remain Time(Sec)

Remaining quiet time of an 802.1X authentication user who is quieted, in seconds.

display free-rule

Function

The display free-rule command displays whether an authentication-free rule defined by ACL is delivered.

Format

display free-rule

Parameters

None.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display free-rule command to view the delivery status of an authentication-free rule defined by ACL.

Example

# Display whether an authentication-free rule defined by ACL is delivered.

<HUAWEI> display free-rule
 ------------------------------------------------------------------------------                                                     
     Slot-ID                        Acl-ID                          Status                                                          
 ------------------------------------------------------------------------------                                                     
        7                            6000                           SUCCESS                                                         
        8                            6000                           SUCCESS                                                         
 ------------------------------------------------------------------------------                                                     
Total 1 free-rule(s) 
Table 13-61  Description of the display free-rule command output

Item

Description

Slot-ID

Slot ID.

Acl-ID

ACL number.

Status

Whether the authentication-free rule defined by ACL is successfully delivered to the slot.

display free-rule-template configuration

Function

The display free-rule-template configuration command displays the configuration of an authentication-free rule profile.

Format

display free-rule-template configuration [ name free-rule-name ]

Parameters

Parameter

Description

Value

name free-rule-name

Displays the configuration of an authentication-free rule profile with a specified name.

If name free-rule-name is not specified, the device displays all the authentication-free rule profiles configured on the device. If name free-rule-name is specified, the device displays the configuration of a specified authentication-free rule profile.

The value must be the name of an existing authentication-free rule profile.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After configuring an authentication-free rule profile, you can run this command to check whether the configuration is correct.

Example

# Display all the authentication-free rule profiles configured on the device.

<HUAWEI> display free-rule-template configuration
-------------------------------------------------------------------------------                                                     
 ID             Free-rule-template Name                                                                                                      
-------------------------------------------------------------------------------                                                     
 0              default_free_rule                                                                                                     
-------------------------------------------------------------------------------                                                     
 Total: 1 printed: 1.
Table 13-62  Description of the display free-rule-template configuration command output

Item

Description

ID

ID of an authentication-free rule profile.

Free-rule-template Name

Name of an authentication-free rule profile.

display mac-address authen

Function

The display mac-address authen command displays the current authen MAC address entries in the system.

Format

display mac-address authen [ interface-type interface-number | vlan vlan-id ] * [ verbose ]

Parameters

Parameter

Description

Value

vlan vlan-id

Displays MAC address entries in a specified VLAN.

If no VLAN is specified, MAC address entries in all VLANs of the device are displayed.

The value is an integer that ranges from 1 to 4094.

interface-type interface-number

Displays MAC address entries on a specified interface.

If no interface is specified, MAC address entries on all interfaces of the device are displayed.

-

verbose

Displays detailed information about MAC address entries.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

After MAC address authentication or 802.1X authentication is configured successfully, the administrator can run this command to check the existing authen MAC address entries on the device. An authen entry is generated only after a user passes MAC address authentication or 802.1X authentication, so these entries show which users have actually been authenticated and help locate user access faults.

Precautions

If there are many authen MAC address entries, specify a VLAN or an interface, or use the pipe operator (|) to filter the output. Otherwise, the following problems may occur due to excessive output:
  • The displayed information is refreshed repeatedly on the terminal screen and the administrator cannot obtain the required information.

  • The device traverses and retrieves information for a long time, and does not respond to any request.

Example

# Display all authen MAC address entries in the system.

<HUAWEI> display mac-address authen
-------------------------------------------------------------------------------  
MAC Address    VLAN/VSI/BD                          Learned-From        Type        
-------------------------------------------------------------------------------
0000-0000-0100 3000/-/-                              GE1/0/1            authen
0000-0000-0400 3000/-/-                              GE1/0/1            authen
0000-0000-0200 3000/-/-                              GE1/0/1            authen
-------------------------------------------------------------------------------  
Total items displayed = 3                     
Table 13-63  Description of the display mac-address authen command output

Item

Description

MAC Address

MAC address of a user to be authenticated.

VLAN/VSI/BD

VLAN/VSI/BD that the outbound interface belongs to.

Learned-From

Interface on which a MAC address is learned.

Type

Type of a MAC address entry.

Total items displayed

Total number of MAC address entries that match the filter condition.

display mac-address pre-authen

Function

The display mac-address pre-authen command displays the current pre-authen MAC address entries in the system.

Format

display mac-address pre-authen [ interface-type interface-number | vlan vlan-id ] * [ verbose ]

Parameters

Parameter

Description

Value

vlan vlan-id

Displays MAC address entries in a specified VLAN.

If no VLAN is specified, MAC address entries in all VLANs of the device are displayed.

The value is an integer that ranges from 1 to 4094.

interface-type interface-number

Displays MAC address entries on a specified interface.

If no interface is specified, MAC address entries on all interfaces of the device are displayed.

-

verbose

Displays detailed information about MAC address entries.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

You can run this command to check the existing MAC address entries of the pre-connection type to obtain access information about pre-connection users and locate faults.

Precautions

If there are many pre-authen MAC address entries, specify a VLAN or an interface, or use the pipe operator (|) to filter the output. Otherwise, the following problems may occur due to excessive output:
  • The displayed information is refreshed repeatedly on the terminal screen and the administrator cannot obtain the required information.

  • The device traverses and retrieves information for a long time, and does not respond to any request.

Example

# Display all pre-authen MAC address entries in the system.

<HUAWEI> display mac-address pre-authen
-------------------------------------------------------------------------------  
MAC Address    VLAN/VSI/BD                          Learned-From        Type        
-------------------------------------------------------------------------------
0000-0000-0100 3000/-/-                              GE1/0/1             pre-authen
0000-0000-0400 3000/-/-                              GE1/0/1             pre-authen
0000-0000-0200 3000/-/-                              GE1/0/1             pre-authen
-------------------------------------------------------------------------------  
Total items displayed = 3                     
Table 13-64  Description of the display mac-address pre-authen command output

Item

Description

MAC Address

MAC address of a user to be authenticated.

VLAN/VSI/BD

VLAN/VSI/BD that the interface belongs to.

Learned-From

Interface on which a MAC address of a user to be authenticated is learned.

Type

Type of a MAC address entry.

Total items displayed

Total number of MAC address entries that match the filter condition.
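The authen and pre-authen tables above show the same kind of entry at two stages: a host gets a pre-authen entry while it is in the pre-connection phase and an authen entry once it has passed MAC address or 802.1X authentication. A host that keeps a pre-authen entry and never gets an authen entry is one that is sitting on an authentication-enabled port without having authenticated, which is exactly what an operator wants to review. As an added example that is not part of this command reference, the following Python parses both outputs and lists such hosts; the vlan argument narrows the result the way the command's vlan keyword narrows the display. The sample outputs are constructed in the format of the examples on this page; the MAC addresses, VLAN 3001 and interface GE1/0/2 are made up.

```python
import re
from typing import List, NamedTuple, Optional


class MacEntry(NamedTuple):
    mac: str
    vlan: str         # VLAN part of the VLAN/VSI/BD column ("-" if none)
    interface: str    # Learned-From column
    entry_type: str   # "authen" or "pre-authen"


# One data row: MAC in H-H-H form, VLAN/VSI/BD, interface, entry type.
_ROW = re.compile(
    r"^\s*([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\S+)\s+(\S+)\s+(authen|pre-authen)\s*$",
    re.I)


def parse_mac_table(output: str) -> List[MacEntry]:
    """Parse 'display mac-address authen' / 'pre-authen' output. The prompt,
    header, separator and 'Total items displayed' lines do not match _ROW
    and are dropped."""
    rows = []
    for line in output.splitlines():
        m = _ROW.match(line)
        if m:
            mac, vsb, intf, typ = m.groups()
            rows.append(MacEntry(mac.lower(), vsb.split("/")[0], intf, typ.lower()))
    return rows


def stuck_in_preconnection(authen_out: str, pre_authen_out: str,
                           vlan: Optional[str] = None) -> List[MacEntry]:
    """Hosts with a pre-authen entry and no authen entry: seen on an
    authentication-enabled port but not (yet) authenticated."""
    authenticated = {e.mac for e in parse_mac_table(authen_out)}
    return sorted(e for e in parse_mac_table(pre_authen_out)
                  if e.mac not in authenticated and (vlan is None or e.vlan == vlan))


# Constructed sample outputs (format taken from this page, values made up).
AUTHEN_SAMPLE = """\
<HUAWEI> display mac-address authen
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI/BD                          Learned-From        Type
-------------------------------------------------------------------------------
0000-0000-0100 3000/-/-                              GE1/0/1            authen
0000-0000-0400 3000/-/-                              GE1/0/1            authen
-------------------------------------------------------------------------------
Total items displayed = 2
"""

PRE_AUTHEN_SAMPLE = """\
<HUAWEI> display mac-address pre-authen
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI/BD                          Learned-From        Type
-------------------------------------------------------------------------------
0000-0000-0200 3000/-/-                              GE1/0/1             pre-authen
0000-0000-0300 3001/-/-                              GE1/0/2             pre-authen
0000-0000-0400 3000/-/-                              GE1/0/1             pre-authen
-------------------------------------------------------------------------------
Total items displayed = 3
"""

if __name__ == "__main__":
    for e in stuck_in_preconnection(AUTHEN_SAMPLE, PRE_AUTHEN_SAMPLE):
        print(f"{e.mac}  vlan {e.vlan}  on {e.interface}")
```

On a device with many entries, collect the output with the vlan or interface keyword first, as the Precautions above advise, rather than pulling the whole table and filtering afterwards.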

display mac-access-profile configuration

Function

The display mac-access-profile configuration command displays the configuration of a MAC access profile.

Format

display mac-access-profile configuration [ name access-profile-name ]

Parameters

Parameter

Description

Value

name access-profile-name

Displays the configuration of a MAC access profile with a specified name.

If name access-profile-name is not specified, the device displays all the MAC access profiles configured on the device. If name access-profile-name is specified, the device displays the configuration of a specified MAC access profile.

The value must be the name of an existing MAC access profile.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After configuring a MAC access profile, you can run this command to check whether the configuration is correct.

NOTE:

The name of the compatibility profile converted after an upgrade begins with the at sign (@) and the profile is not counted in the configuration specification.

Example

# Display all the MAC access profiles configured on the device.

<HUAWEI> display mac-access-profile configuration
-------------------------------------------------------------------------------                                                     
 ID             Mac-Access-Profile Name                                                                                           
-------------------------------------------------------------------------------                                                     
 0              mac_access_profile                                                                                                
 1              m1                                                                                                                  
 2              m2                                                                                                                   
 3              m3                                                                                                                   
 4              m4                                                                                                        
-------------------------------------------------------------------------------                                                     
 Total: 5 printed: 5. 
Table 13-65  Description of the display mac-access-profile configuration command output

Item

Description

ID

MAC access profile ID.

Mac-Access-Profile Name

MAC access profile name.

# Display the configuration of the MAC access profile m1 (a password is configured for the MAC address authentication user).

<HUAWEI> display mac-access-profile configuration name m1
  Profile Name                 : m1                                             
  Authentication method        : CHAP 
  Username format              : fixed username: a1                             
  Password type                : cipher                                         
  Re-authen                    : Disable                                        
  Trigger condition            : arp dhcp nd dhcpv6                             
  Offline dhcp-release         : Disable                                        
  Re-authen dhcp-renew         : Disable                                      
  Trigger dhcp-bind            : Enable 
  Reauthen Period              : 1800s                                          
  Bound authentication profile : -  

# Display the configuration of the MAC access profile m2 (no password is configured for the MAC address authentication user).

<HUAWEI> display mac-access-profile configuration name m2
  Profile Name                 : m2                                             
  Authentication method        : CHAP 
  Username format              : fixed username: a1                             
  Password                     : not configured 
  Re-authen                    : Disable                                        
  Trigger condition            : arp dhcp nd dhcpv6                             
  Offline dhcp-release         : Disable                                        
  Re-authen dhcp-renew         : Disable                                        
  Trigger dhcp-bind            : Enable 
  Reauthen Period              : 1800s                                          
  Bound authentication profile : -  
Table 13-66  Description of the display mac-access-profile configuration name command output

Item

Description

Profile Name

MAC access profile name.

Authentication method

Authentication mode for MAC address authentication.

  • CHAP
  • PAP

To configure the authentication mode, run the mac-authen authentication-method command.

Username format

User name format for MAC address authentication.

  • use MAC address without-hyphen as username: A user name is a MAC address that does not contain hyphens (-), for example, 0005e01c02e3.
  • use MAC address with-hyphen as username: A user name is a MAC address that contains hyphens (-) and the hyphens are inserted between every four digits, for example, 0005-e01c-02e3.
  • use MAC address with-hyphen normal as username: A user name is a MAC address that contains hyphens (-) and the hyphens are inserted between every two digits, for example, 00-05-e0-1c-02-e3.
  • use MAC address without-hyphen upper as username: A user name is a MAC address in the uppercase format that does not contain hyphens (-), for example, 0005E01C02E3.
  • use MAC address with-hyphen upper as username: A user name is a MAC address in the uppercase format that contains hyphens (-) and the hyphens are inserted between every four digits, for example, 0005-E01C-02E3.
  • use MAC address with-hyphen normal upper as username: A user name is a MAC address in the uppercase format that contains hyphens (-) and the hyphens are inserted between every two digits, for example, 00-05-E0-1C-02-E3.
  • use MAC address with-hyphen colon as username: A user name is a MAC address that contains colons (:) and the colons are inserted between every four digits, for example, 0005:e01c:02e3.
  • use MAC address with-hyphen normal colon as username: A user name is a MAC address that contains colons (:) and the colons are inserted between every two digits, for example, 00:05:e0:1c:02:e3.
  • use MAC address with-hyphen colon upper as username: A user name is a MAC address in the uppercase format that contains colons (:) and the colons are inserted between every four digits, for example, 0005:E01C:02E3.
  • use MAC address with-hyphen normal colon upper as username: A user name is a MAC address in the uppercase format that contains colons (:) and the colons are inserted between every two digits, for example, 00:05:E0:1C:02:E3.
  • fixed username: The user name is fixed.
  • use option82 as username: The content of the Option 82 field is used as the user name.
  • not configured: The user name format is not configured.

To configure the user name format, run the mac-authen username command.

Password type

Password display mode for MAC address authentication.

  • cipher

To configure the password display mode, run the mac-authen username command.

Password

Password of the MAC address authentication user. This field is displayed in place of Password type only when no password is configured, and then has the fixed value:
  • not configured: indicates that no password is configured for the MAC address authentication user.

Re-authen

Whether re-authentication for online MAC address authentication users is enabled:
  • Enable: indicates that re-authentication is enabled.
  • Disable: indicates that re-authentication is disabled.

To configure the re-authentication function, run the mac-authen reauthenticate command.

Trigger condition

Packet type that can trigger MAC address authentication.

To configure the packet type, run the authentication trigger-condition (MAC address authentication) command.

Offline dhcp-release

Whether the device is enabled to clear user entries when receiving DHCP release packets from MAC address authentication users.

  • Enable
  • Disable

To configure the function, run the mac-authen offline dhcp-release command.

Re-authen dhcp-renew

Whether the device is enabled to re-authenticate MAC address authentication users when receiving DHCP lease renewal packets from the users.

  • Enable
  • Disable

To configure the function, run the mac-authen reauthenticate dhcp-renew command.

Trigger dhcp-bind

Whether the device is enabled to automatically generate the DHCP snooping binding table after static IP users pass MAC address authentication or when the users are at the pre-connection phase:
  • Enable
  • Disable

To configure the function, run the mac-authen trigger dhcp-binding command.

Reauthen Period

Re-authentication interval for online MAC address authentication users.

To configure the re-authentication interval, run the mac-authen timer reauthenticate-period command.

Bound authentication profile

Authentication profile to which the MAC access profile is bound.

To configure the authentication profile, run the mac-access-profile (authentication profile view) command.

display mac-authen

Function

The display mac-authen command displays information about MAC address authentication.

Format

display mac-authen [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> | configuration ]

Parameters

Parameter

Description

Value

interface { interface-type interface-number1 [ to interface-number2 ] }

Displays MAC authentication information of a specified interface.

  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

If this parameter is not specified, MAC authentication information of all interfaces is displayed.

-

configuration

Displays the global information about MAC address authentication.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

You can run the display mac-authen command to view configuration results of all configuration commands in MAC address authentication. The command output helps you to check whether the MAC address authentication configuration is correct and isolate faults accordingly.

Follow-up Procedure

You can locate a fault according to the packet statistics displayed by the display mac-authen command. After the fault is rectified, run the reset mac-authen statistics command to clear the packet statistics. After a period of time, run the display mac-authen command again and check the statistics. If no new authentication failures have been counted, the fault is rectified.
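The follow-up procedure above compares packet statistics before and after a fix. As an added example that is not part of this command reference, the following Python parses the per-interface Authentication Success/Failure counters, the "silent mac address(es) found" count and the per-interface Current users value from display mac-authen output, and reports the interfaces whose Failure counter still grows between two snapshots. A Failure value lower than in the earlier snapshot is taken as evidence that reset mac-authen statistics ran in between, so the whole new value counts as fresh failures. The snapshots are constructed in the format of the Example below; interface GigabitEthernet1/0/2 and all counter values are made up.

```python
import re
from typing import Dict, NamedTuple, Optional


class IfStats(NamedTuple):
    success: int   # "Authentication Success: m"
    failure: int   # "Failure: n"
    silent: int    # "m silent mac address(es) found"
    online: int    # per-interface "Current users"


_IF_HDR = re.compile(
    r"^\s*(\S+) state: (?:UP|DOWN)\.\s+MAC address authentication is (?:enabled|disabled)",
    re.I)
_COUNTERS = re.compile(r"Authentication Success:\s*(\d+),\s*Failure:\s*(\d+)")
_SILENT = re.compile(r"(\d+) silent mac address\(es\) found")
_USERS = re.compile(r"Current users:\s*(\d+)")


def _to_stats(f: Dict[str, int]) -> IfStats:
    return IfStats(f.get("success", 0), f.get("failure", 0),
                   f.get("silent", 0), f.get("online", 0))


def parse_mac_authen(output: str) -> Dict[str, IfStats]:
    """Parse the per-interface blocks of 'display mac-authen' output. Lines
    before the first interface header (the global quiet period, maximum and
    current users, and default domain lines) are skipped."""
    stats: Dict[str, IfStats] = {}
    current: Optional[str] = None
    fields: Dict[str, int] = {}
    for line in output.splitlines():
        hdr = _IF_HDR.match(line)
        if hdr:
            if current is not None:
                stats[current] = _to_stats(fields)
            current, fields = hdr.group(1), {}
            continue
        if current is None:
            continue
        m = _COUNTERS.search(line)
        if m:
            fields["success"], fields["failure"] = int(m.group(1)), int(m.group(2))
            continue
        m = _SILENT.search(line) or _USERS.search(line)
        if m:
            fields["silent" if "silent" in line else "online"] = int(m.group(1))
    if current is not None:
        stats[current] = _to_stats(fields)
    return stats


def still_failing(before: Dict[str, IfStats], after: Dict[str, IfStats]) -> Dict[str, int]:
    """Interfaces whose Failure counter grew between two snapshots, with the
    number of new failures. A counter lower than before means the statistics
    were reset in between, so the whole 'after' value is new."""
    grew = {}
    for intf, a in after.items():
        b = before.get(intf, IfStats(0, 0, 0, 0))
        delta = a.failure - b.failure if a.failure >= b.failure else a.failure
        if delta > 0:
            grew[intf] = delta
    return grew


# Constructed snapshots in the format of the display mac-authen example on
# this page; the counter values are made up.
BEFORE = """\
<HUAWEI> display mac-authen
  Quiet period is 60s
  Authentication fail times before quiet is 1
  Maximum users: 65536
  Current users: 1
  Global default domain is default

 GigabitEthernet1/0/1 state: UP.  MAC address authentication is enabled
  MAC access profile is mac_access_profile
  Reauthentication is disabled
  Current users: 1
  Authentication Success: 22, Failure: 85
  0 silent mac address(es) found, 0 printed.
"""

# Taken after the fault was worked on and 'reset mac-authen statistics' ran.
AFTER_RESET = """\
<HUAWEI> display mac-authen
  Quiet period is 60s
  Current users: 1

 GigabitEthernet1/0/1 state: UP.  MAC address authentication is enabled
  Current users: 1
  Authentication Success: 9, Failure: 0
  0 silent mac address(es) found, 0 printed.
 GigabitEthernet1/0/2 state: UP.  MAC address authentication is enabled
  Current users: 0
  Authentication Success: 0, Failure: 12
  1 silent mac address(es) found, 1 printed.
"""

if __name__ == "__main__":
    print(still_failing(parse_mac_authen(BEFORE), parse_mac_authen(AFTER_RESET)))
    # → {'GigabitEthernet1/0/2': 12}
```

An interface that keeps failing with a non-zero silent count is one where users are being quieted (see Authentication fail times before quiet and the display mac-authen quiet-user command); a high Failure count with a correct RADIUS server usually points at a user name or password format mismatch on the server side.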

Example

# Display the configuration of MAC address authentication.

<HUAWEI> display mac-authen
  Quiet period is 60s
  Authentication fail times before quiet is 1
  Maximum users: 65536
  Current users: 1
  Global default domain is default

 GigabitEthernet1/0/1 state: UP.  MAC address authentication is enabled
  MAC access profile is mac_access_profile
  Reauthentication is disabled
  Current users: 1
  Username format: fixed username: gcs
  Password type: cipher
  Fixed password: %^%#2}*{%bMY.D*Kw3HxDgU3CW7g'|54H&<]S,Zfu;%^%#
  Authentication Success: 22, Failure: 85
  0 silent mac address(es) found, 0 printed.

 Online user(s) info:
 UserId   MAC/VLAN            AccessTime              UserName
 ------------------------------------------------------------------------------
 37223    a088-b44d-573c/2003 2014/09/28 15:45:45     gcs
 ------------------------------------------------------------------------------
 Total: 1, printed: 1 
Table 13-67  Description of the display mac-authen command output

Item

Description

Quiet period

Quiet period during which the device quiets a user who fails to be authenticated. The default value of the quiet timer is 60 seconds.

To configure the quiet period, run the mac-authen timer quiet-period command.

Authentication fail times before quiet

Maximum number of authentication failures before the device quiets a user.

To configure the maximum value, run the mac-authen quiet-times command.

Maximum users

Maximum number of users allowed on the device. The value varies according to device models.

Current users

Number of users currently online on the device.

Global default domain

Global default authentication domain.

To configure the global default authentication domain, run the domain (system view) command.

interface state

Interface status:

  • UP: The interface is enabled.
  • DOWN: The interface is shut down.

MAC address authentication

Whether MAC address authentication is enabled on the interface.

  • enabled
  • disabled

MAC access profile

MAC access profile name.

To configure the MAC access profile name, run the mac-access-profile (system view) command.

Reauthentication

Whether re-authentication for MAC address authentication users is enabled.

  • enabled
  • disabled

To configure whether re-authentication for MAC address authentication users is enabled, run the mac-authen reauthenticate command.

Current users

Number of current online users on the interface.

Username format

User name format for MAC address authentication.

  • use MAC address without-hyphen as username: A user name is a MAC address that does not contain hyphens (-), for example, 0005e01c02e3.
  • use MAC address with-hyphen as username: A user name is a MAC address that contains hyphens (-) and the hyphens are inserted between every four digits, for example, 0005-e01c-02e3.
  • use MAC address with-hyphen normal as username: A user name is a MAC address that contains hyphens (-) and the hyphens are inserted between every two digits, for example, 00-05-e0-1c-02-e3.
  • use MAC address without-hyphen upper as username: A user name is a MAC address in the uppercase format that does not contain hyphens (-), for example, 0005E01C02E3.
  • use MAC address with-hyphen upper as username: A user name is a MAC address in the uppercase format that contains hyphens (-) and the hyphens are inserted between every four digits, for example, 0005-E01C-02E3.
  • use MAC address with-hyphen normal upper as username: A user name is a MAC address in the uppercase format that contains hyphens (-) and the hyphens are inserted between every two digits, for example, 00-05-E0-1C-02-E3.
  • use MAC address with-hyphen colon as username: A user name is a MAC address that contains colons (:) and the colons are inserted between every four digits, for example, 0005:e01c:02e3.
  • use MAC address with-hyphen normal colon as username: A user name is a MAC address that contains colons (:) and the colons are inserted between every two digits, for example, 00:05:e0:1c:02:e3.
  • use MAC address with-hyphen colon upper as username: A user name is a MAC address in the uppercase format that contains colons (:) and the colons are inserted between every four digits, for example, 0005:E01C:02E3.
  • use MAC address with-hyphen normal colon upper as username: A user name is a MAC address in the uppercase format that contains colons (:) and the colons are inserted between every two digits, for example, 00:05:E0:1C:02:E3.
  • fixed username: The user name is fixed.
  • use option82 as username: The content of the Option 82 field is used as the user name.
  • not configured: The user name format is not configured.

To configure the user name format for MAC address authentication, run the mac-authen username command.

Password type

Password display mode for MAC address authentication.

  • cipher

To configure the password display mode for MAC address authentication, run the mac-authen username command.

Fixed password

Password for MAC address authentication.

To configure the password for MAC address authentication, run the mac-authen username command.

Authentication Success: m, Failure: n

Numbers of successful authentications (m) and failed authentications (n) on the interface.

m silent mac address(es) found, n printed

Number of quieted (silent) MAC addresses found on the interface (m) and number of them displayed (n). A user is quieted after the number of failures set by Authentication fail times before quiet is reached; to list the quieted users, run the display mac-authen quiet-user command.

Online user(s) info

Online user information.
  • UserId: ID of an online user.
  • MAC/VLAN: MAC address and VLAN of an online user.
  • AccessTime: access time of an online user.
  • UserName: name of an online user.
  • Total: total number of online users.
  • printed: number of displayed online users.
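The user name format lists above (under display mac-access-profile configuration and display mac-authen) matter because the account on the RADIUS server must match, byte for byte, the user name the switch sends; a mismatch shows up only as a growing Failure counter. As an added example that is not part of this command reference, the following Python reproduces every MAC-derived user name form from those lists for a given MAC address, and accepts the H-H-H input form the display commands use (each H is 1 to 4 hex digits, so short groups are zero-padded). The fixed-username and option82 forms are not MAC-derived and are left out. One caveat for the practitioner: the user name is built from a value the endpoint puts in every frame it sends, so MAC address authentication identifies a device rather than proving anything about it, and the accounts this produces should be treated accordingly.

```python
import re
from typing import Dict, Tuple

# Username formats the switch can send for MAC address authentication, keyed by
# the wording in the display output between "use MAC address" and "as username".
# Value: (separator, hex digits per group, uppercase). "normal" means a
# separator every two digits instead of every four.
MAC_USERNAME_FORMATS: Dict[str, Tuple[str, int, bool]] = {
    "without-hyphen":                 ("",  12, False),
    "with-hyphen":                    ("-", 4,  False),
    "with-hyphen normal":             ("-", 2,  False),
    "without-hyphen upper":           ("",  12, True),
    "with-hyphen upper":              ("-", 4,  True),
    "with-hyphen normal upper":       ("-", 2,  True),
    "with-hyphen colon":              (":", 4,  False),
    "with-hyphen normal colon":       (":", 2,  False),
    "with-hyphen colon upper":        (":", 4,  True),
    "with-hyphen normal colon upper": (":", 2,  True),
}

# H-H-H as the display commands accept it: each H is 1 to 4 hex digits.
_HHH = re.compile(r"^([0-9a-f]{1,4})-([0-9a-f]{1,4})-([0-9a-f]{1,4})$", re.I)


def normalize_mac(mac: str) -> str:
    """Return the 12 lowercase hex digits of a MAC. Accepts the switch's
    H-H-H form (1-2-3 becomes 000100020003) and the usual colon, hyphen or
    dot separated forms; anything else raises ValueError."""
    mac = mac.strip()
    m = _HHH.match(mac)
    if m:
        return "".join(g.zfill(4) for g in m.groups()).lower()
    digits = re.sub(r"[:.\-]", "", mac)
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


def mac_username(mac: str, fmt: str) -> str:
    """User name the switch sends for 'mac' under username format 'fmt'."""
    sep, group, upper = MAC_USERNAME_FORMATS[fmt]
    digits = normalize_mac(mac)
    if upper:
        digits = digits.upper()
    return sep.join(digits[i:i + group] for i in range(0, 12, group))


def all_usernames(mac: str) -> Dict[str, str]:
    """Every MAC-derived user name the RADIUS server might have to hold."""
    return {fmt: mac_username(mac, fmt) for fmt in MAC_USERNAME_FORMATS}


if __name__ == "__main__":
    for fmt, name in all_usernames("0005-e01c-02e3").items():
        print(f"{fmt:32} {name}")
```

When a device keeps failing, run display mac-access-profile configuration name for the profile bound to its interface, read the Username format line, and compare mac_username(mac, fmt) with the account on the server.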

display mac-authen quiet-user

Function

The display mac-authen quiet-user command displays information about MAC address authentication users who are quieted.

Format

display mac-authen quiet-user { all | mac-address mac-address }

Parameters

Parameter

Description

Value

all

Displays information about all MAC address authentication users who are quieted.

-

mac-address mac-address

Displays information about a specified MAC address authentication user who is quieted.

The value is in the H-H-H format. Each H is a hexadecimal number of 1 to 4 digits.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run this command to view information about MAC address authentication users who are quieted.

Example

# Display information about all MAC address authentication users who are quieted.

<HUAWEI> display mac-authen quiet-user all
-------------------------------------------------------------------------------
MacAddress                                                Quiet Remain Time(Sec)
-------------------------------------------------------------------------------
0001-0002-0003                                            50
-------------------------------------------------------------------------------
1 silent mac address(es) found, 1 printed. 
Table 13-68  Description of the display mac-authen quiet-user all command output

Item

Description

MacAddress

MAC address of a MAC address authentication user who is quieted.

Quiet Remain Time(Sec)

Remaining quiet time of a MAC address authentication user who is quieted, in seconds.

display portal

Function

The display portal command displays the Portal authentication configuration.

Format

display portal [ interface interface-type interface-number | configuration ]

Parameters

Parameter

Description

Value

interface interface-type interface-number

Displays Portal authentication information of a specified interface.

  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

If this parameter is not specified, Portal authentication information of all interfaces is displayed.

-

configuration

Displays the global Portal authentication information.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display portal command to view the Portal authentication configuration and check whether the configuration is correct.

Example

# Display the Portal authentication configuration.

<HUAWEI> display portal
  Portal max-user number:65536
  Quiet function is Enabled
  Different-server is Enabled 
  Parameter set:Quiet Period        60s   Quiet-times          3
  Logout packets resend: Resend-times 3  Timeout 5s
  Portal Https Redirect: Enable
  Portal JS Redirect   : Enable

  Vlanif10 protocol status: down, web-auth-server layer2(direct)
Table 13-69  Description of the display portal command output

Item

Description

Portal max-user number

Maximum number of concurrent Portal authentication users allowed to access the device. The value varies according to device models.

To set the maximum number of concurrent Portal authentication users allowed to access the device, run the portal max-user command.

Quiet function is Enabled or Quiet function is Disabled

Whether the quiet function in Portal authentication is enabled:
  • Enabled
  • Disabled

To enable the quiet function, run the portal quiet-period command.

Different-server is Enabled or Different-server is Disabled

Whether a device is enabled to process user logout requests sent by a Portal server other than the one from which users log in:
  • Enabled
  • Disabled

To configure a device to process user logout requests sent by a Portal server other than the one from which users log in, run the portal logout different-server enable command.

Parameter set

Parameter settings of the quiet function in Portal authentication.
  • Quiet Period: indicates the quiet period in Portal authentication. To set the quiet period in Portal authentication, run the portal timer quiet-period command.
  • Quiet-times: indicates the maximum number of authentication failures within 60 seconds before a Portal authentication user enters the quiet state. To set the maximum number of authentication failures, run the portal quiet-times command.

Logout packets resend

Configuration of the logout packet re-transmission function for Portal authentication users.
  • Resend-times: indicates the number of re-transmission times for Portal authentication user logout packets.
  • Timeout: indicates the re-transmission interval of Portal authentication user logout packets.

To set the re-transmission interval, run the portal logout resend timeout command.

Portal Https Redirect

Whether HTTPS redirection of Portal authentication is enabled:

  • Enable
  • Disable

To enable this function, run the portal https-redirect enable command.

Portal JS Redirect

Whether the function of inserting a JavaScript file during Portal redirection is enabled.
  • Enable
  • Disable

To enable this function, run the portal redirect js enable command.

interface protocol status

Link layer protocol state of the interface and the enabled Portal authentication mode.

  • up: indicates that the interface is running properly.
  • down: indicates that the interface is disabled.
  • web-auth-server layer3: indicates that the authentication mode is set to Layer 3 Portal authentication on a specified interface.
  • web-auth-server layer2(direct): indicates that the authentication mode is set to Layer 2 Portal authentication on a specified interface.

display portal https-redirect blacklist

Function

The display portal https-redirect blacklist command displays IPv4 addresses in the HTTPS redirection blacklist.

Format

display portal https-redirect blacklist

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

You can run this command to check whether the addresses in the HTTPS redirection blacklist are correct.

Example

# Display IPv4 addresses in the HTTPS redirection blacklist.

<HUAWEI> display portal https-redirect blacklist
--------------------------------------
IP Address        Aging Time          
--------------------------------------
 10.1.1.1         2018-06-26 21:01:59 
--------------------------------------
 Total:1   Print:1
Table 13-70  Description of the display portal https-redirect blacklist command output
Item

Description

IP Address

IPv4 addresses in the blacklist. An address is either configured using the portal https-redirect blacklist command or added automatically when the condition specified by the portal https-redirect blacklist packet-rate or portal https-redirect blacklist retry-times interval command is met.

Aging Time

Time when an address in the blacklist is aged out (that is, time when the address is removed from the blacklist).

You can run the portal https-redirect blacklist aging-time command to configure the aging time of addresses in the blacklist.

Total:m Print:n

Total number of addresses in the blacklist (m) and number of addresses displayed (n).

display portal https-redirect whitelist

Function

The display portal https-redirect whitelist command displays IPv4 addresses in the HTTPS redirection whitelist.

Format

display portal https-redirect whitelist

Parameters

None

Views

All views