Commands For 802.1x

9.2 Commands for 802.1x

9.2.1 debug dot1x detail

Command: debug dot1x detail {pkt-send | pkt-receive | internal | all | userbased | webbased} interface [ethernet] <interface-name>
no debug dot1x detail { pkt-send | pkt-receive | internal | all | userbased | webbased} interface [ethernet] <interface-name>
Function: Enable the dot1x detail debug information. The no command disables that debug information.
Parameters:

  • pkt-send: enable the send packet dot1x debug information.
  • pkt-receive: enable the receive packet dot1x debug information.
  • internal: enable the internal dot1x debug information.
  • all: enable all packet dot1x debug information.
  • userbased: user-based authentication.
  • webbased: web-based authentication.
  • <interface-name>: interface name.

Command mode: Admin Mode
Default: None.
Usage guide: By enabling the debug information of dot1x details, users can check the detailed processes of the Radius protocol operation, which might help diagnose the cause of faults if there are any.
Example: Enable all debug information of dot1x details on interface 1/0/1.

active500EM#debug dot1x detail all interface ethernet1/0/1
Ethernet1/0/1 detail tx debug is on
Ethernet1/0/1 detail rx debug is on
Ethernet1/0/1 detail internal debug is on
Ethernet1/0/1 detail userbased debug is on
detail  debug is on
Ethernet1/0/1 detail dhcpoption82based debug is on
detail  debug is on

 

9.2.2 debug dot1x error

Command: debug dot1x error
no debug dot1x error
Function: Enable the dot1x error debug information. The no command disables that debug information.
Parameters: None.
Command mode: Admin Mode
Default: None.
Usage guide: By enabling the dot1x error debug information, users can check the error information which occurs in the Radius protocol operation processes.
Example: Enable the dot1x error debug information.

active500EM#debug dot1x error
error  debug is on

 

9.2.3 debug dot1x fsm

Command: debug dot1x fsm {all | aksm | asm | basm | ratsm} interface <interface-name>
no debug dot1x fsm {all | aksm | asm | basm | ratsm} interface <interface-name>
Function: Enable the dot1x state machine debug information. The no command disables that debug information.
Parameters:

  • all: enable the dot1x state machine debug information.
  • aksm: enable the Authenticator Key Transmit state machine debug information.
  • asm: enable the Authenticator state machine debug information.
  • basm: enable the Backend Authentication state machine debug information.
  • ratsm: enable the Re-Authentication Timer state machine debug information.
  • <interface-name>: name of the interface.

Command mode: Admin Mode
Default: None.
Usage guide: By enabling the dot1x debug information, users can check the negotiation process of the dot1x protocol.
Example: Enable the dot1x state machine debug information.

active500EM#debug dot1x fsm asm interface ethernet1/0/1
Ethernet1/0/1 fsm ASM debug is on

 

9.2.4 debug dot1x packet

Command: debug dot1x packet {all | receive | send} interface <interface-name>
no debug dot1x packet {all | receive | send} interface <interface-name>
Function: Enable the dot1x message debug information. The no command disables that debug information.
Parameters:

  • send: enable the dot1x sending packets debug information.
  • receive: enable the dot1x receiving packets debug information.
  • all: enable the dot1x both sending and receiving packet debug information.
  • <interface-name>: name of the interface.

Command mode: Admin Mode
Default: None.
Usage guide: By enabling the dot1x message debug information, users can check the dot1x protocol negotiation process.
Example: Enable the dot1x message debug information.

active500EM#debug dot1x packet all interface ethernet1/0/1
Ethernet1/0/1 packet rx debug is on
Ethernet1/0/1 packet tx debug is on

 

9.2.5 dot1x accept-mac

Command: dot1x accept-mac <mac-address> [interface <interface-name>]
no dot1x accept-mac <mac-address> [interface <interface-name>]
Function: Add a MAC address entry to the dot1x address filter table. If a port is specified, the entry added applies to the specified port only. If no port is specified, the entry added applies to all the ports. The no command deletes the entry from the dot1x address filter table.
Parameters:

  • <mac-address>: MAC address.
  • <interface-name>: interface name and port number.

Command mode: Global Mode
Default: None.
Usage guide: The dot1x address filter function is implemented according to the MAC address filter table. Entries in the dot1x address filter table are added or deleted manually by the user. When a port is specified when adding a dot1x address filter table entry, that entry applies to the port only. When no port is specified, the entry applies to all ports on the switch. When the dot1x address filter function is enabled, the switch will filter the authentication user by the MAC address. Only authentication requests initiated by users in the dot1x address filter table will be accepted; the rest will be rejected.
Example: Add MAC address 00-01-34-34-2e-0a to the filter table of Ethernet 1/0/5.

active500EM(config)#dot1x accept-mac 00-01-34-34-2e-0a interface ethernet 1/0/5

 

9.2.6 dot1x eapor enable

Command: dot1x eapor enable
no dot1x eapor enable
Function: Enables the EAP relay authentication function in the switch. The no command sets EAP local end authentication.
Parameters: None.
Command mode: Global Mode
Default: EAP relay authentication is used.
Usage guide: The switch and RADIUS may be connected via Ethernet or PPP. If an Ethernet connection exists between the switch and RADIUS server, the switch needs to authenticate the user by EAP relay (EAPoR authentication). If the switch connects to the RADIUS server by PPP, the switch will use EAP local end authentication (CHAP authentication). The switch should use different authentication methods according to the connection between the switch and the authentication server.
Example: Set EAP local end authentication for the switch.

active500EM(config)#no dot1x eapor enable

 

9.2.7 dot1x enable

Command: dot1x enable
no dot1x enable
Function: Enables the 802.1x function on the switch and ports. The no command disables the 802.1x function.
Parameters: None.
Command mode: Global Mode and Port Mode
Default: 802.1x function is not enabled in Global Mode by default. If 802.1x is enabled under Global Mode, 802.1x will not be enabled for the ports.
Usage guide: The 802.1x authentication for the switch must be enabled first to enable 802.1x authentication for the respective ports. If Spanning Tree or MAC binding is enabled on the port, or the port is a trunk port or member of the port aggregation group, the 802.1x function cannot be enabled for that port unless such conditions are removed.
Example: Enable the 802.1x function of the switch and enable 802.1x for port 1/0/12.

active500EM(config)#dot1x enable
active500EM(config)#interface ethernet 1/0/12
active500EM(config-if-ethernet1/0/12)#dot1x enable

 

9.2.8 dot1x ipv6 passthrough

Command: dot1x ipv6 passthrough
no dot1x ipv6 passthrough
Function: Enable the IPv6 passthrough function on a switch port (only applicable when access control mode is userbased). The no command disables the function.
Parameters: None.
Command mode: Port Configuration Mode
Default: Disabled.
Usage guide: The function can only be enabled when the 802.1x function is enabled both globally and on the port, with userbased being the control access mode. After it is enabled, users can send IPv6 messages without authentication.
Example: Enable the IPv6 passthrough function on port Ethernet1/0/12.

active500EM(config)#dot1x enable
active500EM(config)#interface ethernet 1/0/12
active500EM(config-if-ethernet1/0/12)#dot1x enable
active500EM(config-if-ethernet1/0/12)#dot1x ipv6 passthrough

 

9.2.9 dot1x guest-vlan

Command: dot1x guest-vlan <vlanid>
no dot1x guest-vlan
Function: Set the guest-vlan of the specified port. The no command deletes the guest-vlan.
Parameters:

  • <vlanid>: specified VLAN ID. The valid range is from 1 to 4094.

Command mode: Port Mode
Default: There is no 802.1x guest-vlan function on the port.
Usage guide: The access device adds the port to the guest VLAN if no supplicant authenticates successfully within a certain period, either because there is no dedicated authentication supplicant system or because the supplicant system version is too low. In the guest VLAN, users can get the 802.1x supplicant system software, update the supplicant system, or update other applications (such as anti-virus software). When a user on a port in the guest VLAN starts an authentication, the port remains in the guest VLAN if the authentication fails. If the authentication succeeds, there are two possible results:
1. The authentication server assigns an Auto VLAN, causing the port to leave the guest VLAN to join the assigned auto VLAN. After the user goes offline, the port will be allocated back into the specified guest VLAN.
2. The authentication server assigns an Auto VLAN and the port leaves the guest VLAN and joins the specified VLAN. When the user goes offline, the port will be allocated to the specified guest VLAN again.
Note:
1. There can be different guest VLANs set on different ports, while only one guest VLAN is allowed on one port.
2. The guest VLAN takes effect only when the access control mode is portbased. If the access control mode of the port is macbased or userbased, the guest VLAN can be successfully set but will not take effect.
Example: Set Guest-VLAN of port Ethernet1/0/3 as VLAN 10.

active500EM(config-if-ethernet1/0/3)#dot1x guest-vlan 10

 

9.2.10 dot1x macfilter enable

Command: dot1x macfilter enable
no dot1x macfilter enable
Function: Enables the dot1x address filter function in the switch. The no command disables the dot1x address filter function.
Parameters: None.
Command mode: Global Mode
Default: Disabled.
Usage guide: When the dot1x address filter function is enabled, the switch will filter the authenticated user by the MAC address. Only the authentication request initialized by the users in the dot1x address filter table will be accepted.
Example: Enable the dot1x address filter function for the switch.

active500EM(config)#dot1x macfilter enable

 

9.2.11 dot1x macbased guest-vlan

Command: dot1x macbased guest-vlan <vlanid>
no dot1x macbased guest-vlan
Function: Configure the port’s Guest-VLAN based on the MAC authentication. The no command deletes this Guest-VLAN.
Parameters:

  • <vlanid>: the configured vlan ID. The valid range is from 1 to 4094.

Command mode: Port Mode
Default: Do not configure 802.1x macbased guest-vlan.
Usage guide: If there is no dedicated authentication client or the client version is too low, and no clients authenticate successfully on the port, then the access device will make this user join the guest VLAN. Users can get the 802.1x client software in the Guest-VLAN, update the client, or perform other updates (such as anti-virus software, system patches, etc.). When a user on a port in the guest VLAN starts an authentication, the port stays in the Guest-VLAN if the authentication fails. If it succeeds, there are two scenarios:
1. The authentication server issues an auto VLAN. The user leaves the guest VLAN and joins the auto VLAN. After the user goes offline, this user will be assigned to the configured guest VLAN again.
2. The authentication server did not issue the VLAN. The user leaves the guest VLAN and joins the configured native VLAN. After the user goes offline, this user will be assigned to the configured guest VLAN again.
Note:
1. Dot1x macbased guest-vlan can be configured only on a port that uses MAC-based authentication and is in hybrid mode.
2. Different macbased guest VLANs can be configured on different ports, but only one macbased guest VLAN can be configured on one port.
Example: Configure the guest-vlan of Ethernet1/0/3 as VLAN 10.

active500EM(config-if-ethernet1/0/3)#dot1x macbased guest-vlan 10

 

9.2.12 dot1x macbased port-down-flush

Command: dot1x macbased port-down-flush
no dot1x macbased port-down-flush
Function: When a port using MAC-based dot1x authentication goes down, delete the users who passed authentication on that port. The no command disables this operation.
Parameters: None.
Command mode: Global Mode
Default: Not enabled.
Usage guide: When users who passed MAC-based authentication move between ports, the user must be deleted before the new authentication. Enable this command so that the user is deleted.
Example: Delete the users who passed authentication on a port when MAC-based dot1x authentication on that port goes down.

active500EM(config)#dot1x macbased port-down-flush

 

9.2.13 dot1x max-req

Command: dot1x max-req <count>
no dot1x max-req
Function: Sets the number of EAP request/MD5 frames to be sent before the switch re-initializes authentication based on no supplicant response. The no command restores the default setting.
Parameters:

  • <count>: number of times to retransmit EAP request/MD5 frames. The valid range is 1 to 10.

Command mode: Global Mode
Default: The default maximum for retransmission is 2.
Usage guide: The default value is recommended when setting the EAP request/MD5 retransmission times.
Example: Change the maximum retransmission times for EAP request/MD5 frames to 5 times.

active500EM(config)#dot1x max-req 5

 

9.2.14 dot1x user allow-movement

Command: dot1x user allow-movement
no dot1x user allow-movement
Function: Enable authentication after a user moves to another port. The no command disables the function.
Parameters: None.
Command mode: Global Mode
Default: Authentication after a user moves to another port is disabled.
Usage guide: When this function is enabled, the switch allows a user who has moved to another port to authenticate there. If the switch connects to a hub and the user will be moved to another port, the dot1x user allow-movement command should be enabled.
Example: Enable authentication after a user moves to another port.

active500EM(config)#dot1x user allow-movement

 

9.2.15 dot1x user free-resource

Command: dot1x user free-resource <prefix> <mask>
no dot1x user free-resource
Function: Configure 802.1x free resource. The no command closes this function.
Parameter:

  • <prefix>: segment for the limited resource. The valid format is dotted decimal format.
  • <mask>: mask for the limited resource. The valid format is dotted decimal format.

Command mode: Global Mode
Default: There is no free resource.
Usage guide: This command is available only if user based access control is applied. If user based access control has been applied, this command configures the limited resources which can be accessed by the un-authenticated users. For port based and MAC based access control, users would not be able to access any network resources before authentication.
If TrustView management is available, the free resource can be configured in TrustView server, and the TrustView server will distribute the configuration to the switches.
Note: Only one free resource can be configured for the overall network.
Example: Configure the free resource segment as 1.1.1.0, the mask as 255.255.255.0.

active500EM(config)#dot1x user free-resource 1.1.1.0 255.255.255.0

 

9.2.16 dot1x max-user macbased

Command: dot1x max-user macbased <number>
no dot1x max-user macbased
Function: Sets the maximum number of users allowed to connect to the port. The no command restores the default setting.
Parameters:

  • <number>: maximum users allowed. The valid range is 1 to 256.

Command mode: Port Configuration Mode.
Default: The default maximum number of users allowed is 1.
Usage guide: This command is available for ports using MAC-based access management. If MAC address authentication exceeds the number of allowed users, additional users will not be able to access the network.
Example: Set port 1/0/3 to allow 5 users.

active500EM(config-if-ethernet1/0/3)#dot1x max-user macbased 5

 

9.2.17 dot1x max-user userbased

Command: dot1x max-user userbased <number>
no dot1x max-user userbased
Function: Set the upper limit of the number of users allowed to access the specified port when using the user-based access control mode. The no command restores the default setting.
Parameters:

  • <number>: maximum number of users allowed to access the network. The valid range is from 1 to 256.

Command mode: Port Mode
Default: The maximum number of users allowed to access each port is 10.
Usage guide: This command takes effect only when the port adopts user-based access control mode. If the number of authenticated users exceeds the upper limit of users allowed to access the network, the extra users cannot access the network.
Example: Set port 1/0/3 to allow 5 users.

active500EM(config-if-ethernet1/0/3)#dot1x max-user userbased 5

 

9.2.18 dot1x portbased mode single-mode

Command: dot1x portbased mode single-mode
no dot1x portbased mode single-mode
Function: Set single-mode for the portbased authentication mode. The no command disables this function.
Parameters: None.
Command mode: Port Mode
Default: Disable the single-mode.
Usage guide: This command takes effect only when the access mode of the port is set to portbased. If the port has enabled the dot1x port-method portbased command and online users exist, the switch will force all users of this port offline. After that, this port will allow only one user to pass authentication. That user can access the specified network resources, but other users authenticating on this port will be denied and cannot access the network. After single-mode is disabled, the switch will force the authenticated user offline.
Example: Set single-mode for the portbased authentication mode.

active500EM(config-if-ethernet1/0/1)#dot1x portbased mode single-mode

 

9.2.19 dot1x port-control

Command: dot1x port-control {auto | force-authorized | force-unauthorized}
no dot1x port-control
Function: Sets the 802.1x authentication status. The no command restores the default setting.
Parameters:

  • auto: enable 802.1x authentication. The port authorization status is determined by the authentication information between the switch and the supplicant.
  • force-authorized: sets the port to authorized status; unauthenticated data is allowed to pass through the port.
  • force-unauthorized: sets the port to non-authorized mode. The switch will not provide authentication for the supplicant and prohibit data from passing through the port.

Command mode: Port Configuration Mode
Default: When 802.1x is enabled for the port, auto is set.
Usage guide: If the port needs to provide 802.1x authentication for the user, the port authentication mode should be set to auto.
Example: Set port1/0/1 to require 802.1x authentication mode.

active500EM(config)#interface ethernet 1/0/1
active500EM(config-if-ethernet1/0/1)#dot1x port-control auto

 

9.2.20 dot1x port-method

Command: dot1x port-method {macbased | portbased | webbased | userbased {standard | advanced}}
no dot1x port-method
Function: Configures the access control method of the appointed interface. The no command restores the default access control method.
Parameter:

  • macbased: access control method based on the MAC address.
  • portbased: access control method based on the port.
  • webbased: access control method based on the web authentication.
  • userbased: access control method based on the user. There are two types:
    • standard: standard access control method.
    • advanced: advanced access control method.

Command mode: Port Configuration Mode
Default: Advanced access control method based on the user.
Usage guide: This command is used to configure the dot1x authentication method for the specified port. When port based authentication is applied, only one host can authenticate itself through one port. And after authentication, the host will be able to access all the resources. When MAC based authentication is applied, multiple hosts which are connected to one port can access all the network resources after authentication. When either of the above two kinds of access control are applied, the un-authenticated host cannot access any resources on the network.
When user based access control is applied, un-authenticated users can only access limited resources on the network. User based access control falls into two types: standard access control and advanced access control. The standard user based access control does not limit the access to the limited resources when the host is not yet authenticated. The user based advanced access control can control the access to the limited resources before authentication has completed.
Web based access management is used mostly in layer switching. The global configuration of the WEB authentication agent and HTTP redirection address is needed before setting the port to Web based access management. Web based access management conflicts with the command of “ip dhcp snooping binding user-control”.
Note: For the standard control method based on the user, the 802.1x free resource must be configured first. dot1x privateclient must also be enabled.
Example: Configure the access control method based on the port for Ethernet1/0/4.

active500EM(config-if-ethernet1/0/4)#dot1x port-method portbased

 

9.2.21 dot1x privateclient enable

Command: dot1x privateclient enable
no dot1x privateclient enable
Function: Configure the switch to force the authentication client to use private 802.1x authentication protocol. The no command disables the command and allows the authentication client to use the standard 802.1x authentication protocol.
Parameters: None.
Command mode: Global Mode
Default: Disabled.
Usage guide: To implement an integrated solution, the switch must be enabled to use private 802.1x protocol. Otherwise, many applications will not be able to function. For detailed information, please refer to the DCBI integrated solution. If the switch forces the authentication client to use the private 802.1x protocol, the standard client will not function.
Example: Force the authentication client to use private 802.1x authentication protocol.

active500EM(config)#dot1x privateclient enable

 

9.2.22 dot1x privateclient protect enable

Command: dot1x privateclient protect enable
no dot1x privateclient protect enable
Function: Enable the privateclient protect function of the switch. The no command disables the protect function.
Parameter: None.
Command mode: Global Mode
Default: Disabled.
Usage guide: Supports partial encryption of the privateclient protocol to improve the security of the privateclient.
Example: Enable the privateclient protect function of the switch.

active500EM(config)#dot1x privateclient protect enable

 

9.2.23 dot1x re-authenticate

Command: dot1x re-authenticate [interface [ethernet] <interface-name>]
Function: Enables real-time 802.1x re-authentication (no wait for timeout required) for all ports or a specified port.
Parameters:

  • <interface-name>: port number; omit the parameter for all ports.

Command mode: Global Mode
Default: None.
Usage guide: This command is a Global Mode command. It enables the switch to re-authenticate the client without waiting for re-authentication timer timeout. This command is no longer valid after authentication.
Example: Enable real-time re-authentication on port1/0/8.

active500EM(config)#dot1x re-authenticate interface ethernet 1/0/8

 

9.2.24 dot1x re-authentication

Command: dot1x re-authentication
no dot1x re-authentication
Function: Enables periodical supplicant authentication. The no command disables this function.
Parameters: None.
Command mode: Global Mode
Default: Disabled.
Usage guide: When periodical re-authentication for supplicant is enabled, the switch will re-authenticate the supplicant at regular intervals.
Example: Enable the periodical re-authentication for authenticated users.

active500EM(config)#dot1x re-authentication

 

9.2.25 dot1x timeout quiet-period

Command: dot1x timeout quiet-period <seconds>
no dot1x timeout quiet-period
Function: Sets the timeout quiet period on supplicant authentication failure. The no command restores the default value.
Parameters:

  • <seconds>: quiet-period for the port in seconds. The valid range is 1 to 65535.

Command mode: Global Mode
Default: 10 seconds.
Usage guide: Set the timeout quiet period on supplicant authentication failure. The default value is recommended.
Example: Set the timeout quiet period to 120 seconds.

active500EM(config)#dot1x timeout quiet-period 120

 

9.2.26 dot1x timeout re-authperiod

Command: dot1x timeout re-authperiod <seconds>
no dot1x timeout re-authperiod
Function: Sets the supplicant re-authentication interval. The no command restores the default setting.
Parameters:

  • <seconds>: interval for re-authentication, in seconds. The valid range is 1 to 65535.

Command mode: Global Mode
Default: 3600 seconds.
Usage guide: dot1x re-authentication must be enabled first before the supplicant re-authentication interval can be modified. If authentication is not enabled for the switch, the supplicant re-authentication interval set will not take effect.
Example: Set the re-authentication time to 1200 seconds.

active500EM(config)#dot1x timeout re-authperiod 1200

 

9.2.27 dot1x timeout tx-period

Command: dot1x timeout tx-period <seconds>
no dot1x timeout tx-period
Function: Sets the interval for the supplicant to re-transmit EAP request/identity frame. The no command restores the default setting.
Parameters:

  • <seconds>: interval for re-transmission of EAP request frames, in seconds. The valid range is 1 to 65535.

Command mode: Global Mode
Default: 30 seconds.
Usage guide: Set the interval for the supplicant to re-transmit the EAP request/identity frame. The default value is recommended.
Example: Set the EAP request frame re-transmission interval to 1200 seconds.

active500EM(config)#dot1x timeout tx-period 1200

 

9.2.28 dot1x unicast enable

Command: dot1x unicast enable
no dot1x unicast enable
Function: Enable the 802.1x unicast passthrough function of the switch. The no command disables this function.
Parameters: None.
Command mode: Global Configuration Mode
Default: The 802.1x unicast passthrough function is not enabled in Global Mode.
Usage guide: The 802.1x unicast passthrough authentication for the switch must be enabled first. The 802.1x function can then be configured.
Example: Enable the 802.1x unicast passthrough function of the switch and enable 802.1x for port 1/0/1.

active500EM(config)#dot1x enable
active500EM(config)# dot1x unicast enable
active500EM(config)#interface ethernet1/0/1
active500EM(config-if-ethernet1/0/1)#dot1x enable

 

9.2.29 dot1x web authentication enable

Command: dot1x web authentication enable
no dot1x web authentication enable
Function: Enable the Web authentication agent. The no command disables the Web authentication agent.
Parameters: None.
Command mode: Global Mode
Default: Disabled.
Usage guide: The dot1x function must be enabled before enabling the Web authentication agent. When the dot1x web authentication agent is enabled, the dot1x privateclient enable command should not be configured.
Example: Enable the Web authentication agent function.

active500EM(config)#dot1x web authentication enable

 

9.2.30 dot1x web authentication ipv6 passthrough

Command: dot1x web authentication ipv6 passthrough
no dot1x web authentication ipv6 passthrough
Function: Enable the IPv6 passthrough function on a switch port. This function is only applicable when access control mode is webbased. The no command disables the function.
Parameters: None.
Command mode: Port Mode
Default: Disabled.
Usage guide: The function can only be enabled when the 802.1x function is enabled both globally and on the port, web authentication function is enabled, redirect URL is set, and the control access mode is webbased. After it is enabled, users can send IPv6 messages without authentication.
Example: Enable the IPv6 passthrough function on port Ethernet1/0/12.

active500EM(config)#dot1x enable
active500EM(config)#dot1x web authentication enable
active500EM(config)#dot1x web redirect http://10.1.1.1/
active500EM(config)#interface ethernet 1/0/12
active500EM(config-if-ethernet1/0/12)#dot1x enable
active500EM(config-if-ethernet1/0/12)#dot1x port-method webbased
active500EM(config-if-ethernet1/0/12)#dot1x web authentication ipv6 passthrough

 

9.2.31 dot1x web redirect

Command: dot1x web redirect <URL>
no dot1x web redirect
Function: Set the HTTP server address for Web redirection. The no command clears the address.
Parameters:

  • <URL>: HTTP server address in IP address format. The valid length does not exceed 128 characters. This command does not support the domain analysis function.

Command mode: Global Mode
Default: Disabled.
Usage guide: The web authentication function must be enabled before setting the web server address. The URL format is http://A.B.C.D[:E]/F. A.B.C.D is the IP address. E is the HTTP service port number with a default value of 80. F is a string of characters.
Example: Set the Web redirection address to http://192.168.20.20/WebSupplicant/.

active500EM(config)#dot1x web redirect http://192.168.20.20/WebSupplicant/
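
The dependencies stated in sections 9.2.8, 9.2.9, 9.2.19, 9.2.20, 9.2.26, 9.2.29, 9.2.30 and 9.2.31 can be checked offline before a change is pushed to a switch. The following linter is an added example, not vendor code; the input layout (global commands first, then the commands for each interface) and all function names are assumptions made for the illustration.

```python
import ipaddress
import re

# Constructed sample: commands as typed in this page's examples, prompts
# removed. Assumption: global commands come first, then one run per interface.
SAMPLE_CONFIG = """\
dot1x enable
dot1x privateclient enable
dot1x web authentication enable
dot1x web redirect http://portal.example/login
dot1x timeout re-authperiod 1200
interface ethernet 1/0/3
dot1x enable
dot1x port-method macbased
dot1x guest-vlan 10
interface ethernet 1/0/12
dot1x enable
dot1x port-method portbased
dot1x ipv6 passthrough
"""


def parse_commands(text):
    """Split a command list into global commands and per-port commands."""
    glob, ports, current = [], {}, None
    for raw in text.splitlines():
        line = " ".join(raw.split())  # normalise whitespace
        if not line:
            continue
        m = re.fullmatch(r"interface (?:ethernet ?)?(\S+)", line)
        if m:
            current = ports.setdefault(m.group(1), [])
        elif current is None:
            glob.append(line)
        else:
            current.append(line)
    return glob, ports


def redirect_url_problem(url):
    """Check a URL against the documented form http://A.B.C.D[:E]/F (9.2.31)."""
    if len(url) > 128:
        return "URL is longer than 128 characters"
    m = re.fullmatch(r"http://([^/:]+)(?::(\d+))?/.*", url)
    if not m:
        return "URL is not of the form http://A.B.C.D[:E]/F"
    try:
        ipaddress.IPv4Address(m.group(1))
    except ValueError:
        return "host must be an IP address; domain names are not supported"
    if m.group(2) and not 0 < int(m.group(2)) < 65536:
        return "port number is out of range"
    return None


def lint(text):
    """Return (scope, message) findings for the rules stated on this page."""
    glob, ports = parse_commands(text)
    findings = []
    dot1x_on = "dot1x enable" in glob
    web_auth = "dot1x web authentication enable" in glob
    private = "dot1x privateclient enable" in glob
    free_res = any(c.startswith("dot1x user free-resource ") for c in glob)
    urls = [c.split(maxsplit=3)[3] for c in glob
            if c.startswith("dot1x web redirect ") and not c.endswith(" enable")]
    if web_auth and private:  # 9.2.29
        findings.append(("global", "web authentication and privateclient both enabled"))
    if (any(c.startswith("dot1x timeout re-authperiod ") for c in glob)
            and "dot1x re-authentication" not in glob):  # 9.2.26
        findings.append(("global", "re-authperiod set but re-authentication not enabled"))
    for url in urls:
        problem = redirect_url_problem(url)
        if problem:
            findings.append(("global", "web redirect: " + problem))
    for port, cmds in ports.items():
        method = "userbased advanced"  # default port-method per 9.2.20
        for c in cmds:
            if c.startswith("dot1x port-method "):
                method = c[len("dot1x port-method "):]
        enabled = dot1x_on and "dot1x enable" in cmds
        if any(c.startswith("dot1x guest-vlan ") for c in cmds) and method != "portbased":
            findings.append((port, "guest-vlan is set but only takes effect in portbased mode"))
        if "dot1x ipv6 passthrough" in cmds and not (enabled and method.startswith("userbased")):
            findings.append((port, "ipv6 passthrough needs dot1x enabled and userbased mode"))
        if "dot1x web authentication ipv6 passthrough" in cmds and not (
                enabled and web_auth and urls and method == "webbased"):
            findings.append((port, "web ipv6 passthrough prerequisites are not met"))
        if method == "userbased standard" and not (free_res and private):
            findings.append((port, "userbased standard needs free-resource and privateclient"))
        if "dot1x port-control force-authorized" in cmds:  # 9.2.19
            findings.append((port, "force-authorized lets unauthenticated data through"))
    return findings
```

Calling lint(SAMPLE_CONFIG) reports three global findings and one finding for each of the two constructed ports.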

 

9.2.32 dot1x web redirect enable

Command: dot1x web redirect enable
no dot1x web redirect enable
Function: Direct an unauthenticated user to the web redirect function. After this function is enabled, when an unauthenticated user tries to visit a website resource (HTTP requests with destination port 80), the switch can redirect the user to a specified website and remind the user to authenticate. The website IP can be configured in TrustView, an inter security management background system. Only an IP address can be configured; domain names are not supported.
Parameters: None.
Command mode: Global Mode
Default: Disabled.
Usage guide: The redirect address can be configured in the inter security management background system, and the address is transmitted to the switch through the private communication protocol between the switch and the background system.
Example: Direct an unauthenticated user to the Web redirect function.

active500EM(config)#dot1x web redirect enable

 

9.2.33 show dot1x

Command: show dot1x [interface <interface-list>]
Function: Displays dot1x parameter related information. If parameter information is added, the corresponding dot1x status for the associated port is displayed.
Parameters:

  • <interface-list>: port list. If no parameter is specified, information for all ports is displayed.

Command mode: Admin and Configuration Mode
Default: None.
Usage guide: The dot1x related parameter and dot1x information can be displayed with the “show dot1x” command.
Example: Display information for the dot1x global parameter for the switch.

active500EM#show dot1x
Global 802.1x Parameters
  reauth-enabled        no
  reauth-period         3600
  quiet-period          10
  tx-period             30
  max-req               2
  authenticator mode    passive
Mac Filter Disable
MacAccessList :
dot1x-EAPoR Enable
dot1x-privateclient Disable
dot1x-unicast Disable
dot1x-web authentication Enable
802.1x is enabled on ethernet Ethernet1/0/1
Authentication Method:Port based
Max User number:1
  Status                Authorized
  Port-control          Auto
  Supplicant            00-03-0F-FE-2E-D3
Authenticator State Machine
  State                 Authenticated
Backend State Machine
  State                 Idle
Reauthentication State Machine
  State                 Stop
802.1X is enabled on ethernet Ethernet1/0/16
Authentication Method: web based
  Status                Authorized
  Port-control          Auto
  Supplicant IP         192.168.1.11
VLAN id 2

Displayed information                         Explanation
Global 802.1x Parameters                      Global 802.1x parameter information
reauth-enabled                                Identifies whether re-authentication is enabled or not
reauth-period                                 Re-authentication interval
quiet-period                                  Silent interval
tx-period                                     EAP retransmission interval
max-req                                       EAP packet retransmission interval
authenticator mode                            Switch authentication mode
Mac Filter                                    Enables/Disables dot1x address filter
MacAccessList                                 Dot1x address filter table
dot1x-EAPoR                                   Authentication method used by the switch (EAP relay, EAP local end)
dot1x-privateclient                           Identifies whether the switch supports the privateclient
dot1x-web authentication                      Identifies whether the switch supports web authentication
802.1x is enabled on ethernet Ethernet1/0/1   Indicates whether dot1x is enabled for the port
Authentication Method:                        Port authentication method (MAC-based, port-based)
Status                                        Port authentication status
Port-control                                  Port authorization status
Supplicant                                    Authenticator MAC address
Authenticator State Machine                   Authenticator state machine status
Backend State Machine                         Backend state machine status
Reauthentication State Machine                Re-authentication state machine status
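
The fields explained above can be collected into a per-port record and compared with the list of ports that are supposed to enforce 802.1x. The following parser is an added example, not vendor code; the sample text is the show dot1x output from this section, and the function names and the expected-port list are assumptions made for the illustration.

```python
import re

# Output copied from the "show dot1x" example in this section.
SAMPLE_OUTPUT = """\
Global 802.1x Parameters
  reauth-enabled        no
  reauth-period         3600
  quiet-period          10
  tx-period             30
  max-req               2
  authenticator mode    passive
Mac Filter Disable
MacAccessList :
dot1x-EAPoR Enable
dot1x-privateclient Disable
dot1x-unicast Disable
dot1x-web authentication Enable
802.1x is enabled on ethernet Ethernet1/0/1
Authentication Method:Port based
Max User number:1
  Status                Authorized
  Port-control          Auto
  Supplicant            00-03-0F-FE-2E-D3
Authenticator State Machine
  State                 Authenticated
Backend State Machine
  State                 Idle
Reauthentication State Machine
  State                 Stop
802.1X is enabled on ethernet Ethernet1/0/16
Authentication Method: web based
  Status                Authorized
  Port-control          Auto
  Supplicant IP         192.168.1.11
VLAN id 2
"""

PORT_RE = re.compile(r"802\.1x is enabled on ethernet (\S+)", re.IGNORECASE)


def parse_show_dot1x(text):
    """Return (global_fields, {port: fields}) parsed from 'show dot1x' output."""
    glob, ports = {}, {}
    target, machine = glob, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "Global 802.1x Parameters":
            continue
        m = PORT_RE.fullmatch(line)
        if m:  # start of a per-port section
            target, machine = ports.setdefault(m.group(1), {}), None
            continue
        if line.endswith("State Machine"):
            machine = line  # the next "State" line belongs to this machine
            continue
        if ":" in line:
            parts = line.split(":", 1)
        else:
            parts = re.split(r"\s{2,}", line, maxsplit=1)
            if len(parts) == 1:
                parts = line.rsplit(" ", 1)  # e.g. "Mac Filter Disable"
        if len(parts) != 2:
            continue
        key, value = parts[0].strip(), parts[1].strip()
        if key == "State" and machine:
            key, machine = machine, None
        target[key] = value
    return glob, ports


def audit(text, expected_ports):
    """Flag settings that weaken enforcement and expected ports that are missing."""
    glob, ports = parse_show_dot1x(text)
    findings = []
    if glob.get("reauth-enabled") == "no":
        findings.append(("global", "periodic re-authentication is disabled"))
    for port in sorted(set(expected_ports) - set(ports)):
        findings.append((port, "802.1x is not enabled on this port"))
    for port, fields in ports.items():
        control = fields.get("Port-control", "missing")
        if control.lower() != "auto":
            findings.append((port, "port-control is not Auto: " + control))
    return findings
```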

 

