Commands For Mab

9.11 Commands for MAB

9.11.1 authentication mab

Command: authentication mab {radius | none}
no authentication mab
Function: Configure the authentication mode and priority of the MAC address authentication. The no command restores the default authentication mode.
Parameters:

  • radius: RADIUS authentication mode.
  • none: authentication is not needed.

Command mode: Global mode
Default: RADIUS authentication mode.
Usage guide: The none option is used if MAC address authentication is not needed. If none of the configured RADIUS servers respond, the switch adopts the none authentication mode, which allows MAC address authentication users to access the network directly.
Example: Configure MAC address authentication with a parameter of none.

active500EM(config)#authentication mab radius none

 

9.11.2 clear mac-authentication-bypass binding

Command: clear mac-authentication-bypass binding {mac <address> | interface [ethernet] <IFNAME> | all}
Function: Clear MAB bind information.
Parameters:

  • <address>: delete MAB binding for the specified MAC address.
  • <IFNAME>: delete MAB binding for the specified port.
  • all: delete all MAB binding.

Command mode: Admin Mode
Default: None.
Usage guide: Clear MAB bind information.
Example: Delete all MAB binds.

active500EM#clear mac-authentication-bypass binding all

 

9.11.3 debug mac-authentication-bypass

Command: debug mac-authentication-bypass {packet | event | binding}
Function: Enable the debugging of the packet information, event information, or binding information for MAB authentication.
Parameters:

  • packet: enable the debugging of the packet information for MAB authentication.
  • event: enable the debugging of the event information for MAB authentication.
  • binding: enable the debugging of the binding information for MAB authentication.

Command mode: Admin Mode
Default: None.
Usage guide: Enable the debugging of the packet information, event information, or binding information for MAB authentication.
Example: Enable the debugging of the packet information for MAB authentication.

active500EM#debug mac-authentication-bypass packet

 

9.11.4 mac-authentication-bypass binding-limit

Command: mac-authentication-bypass binding-limit <1-100>
no mac-authentication-bypass binding-limit
Function: Set the maximum binding number of MAB. The no command restores the default binding number of 3.
Parameters:

  • <1-100>: MAB maximum binding number. The valid range is from 1 to 100.

Command mode: Port Mode
Default: The maximum MAB binding number is 3.
Usage guide: Set the max MAB binding number. When the binding number reaches the max value, the port will stop binding. If the max binding number is less than the current binding number of the port, the setting will be unsuccessful.
Example: Configure the max binding number to 10.

active500EM(config)#interface ethernet 1/0/1
active500EM(config-if-ethernet1/0/1)#mac-authentication-bypass binding-limit 10

 

9.11.5 mac-authentication-bypass enable

Command: mac-authentication-bypass enable
no mac-authentication-bypass enable
Function: Enable the global and port MAB function. The no command disables the MAB function.
Parameters: None.
Command mode: Global Mode and Port Mode
Default: Disabled.
Usage guide: To process MAB authentication of a port, enable the global MAB function and then enable the MAB function of the corresponding port.
Example: Enable the global and port Eth1/0/1 MAB function.

active500EM(config)#mac-authentication-bypass enable
active500EM(config)#interface ethernet 1/0/1
active500EM(config-if-ethernet1/0/1)#mac-authentication-bypass enable

 

9.11.6 mac-authentication-bypass guest-vlan

Command: mac-authentication-bypass guest-vlan <1-4094>
no mac-authentication-bypass guest-vlan
Function: Set the guest VLAN for MAB authentication. The no command deletes the guest VLAN.
Parameters:

  • <1-4094>: guest VLAN ID. The valid range is from 1 to 4094.

Command mode: Port Mode
Default: None.
Usage guide: Set the guest VLAN for MAB authentication. This command applies only to hybrid ports; it does not take effect on access ports. If MAB authentication fails and an existing guest VLAN is configured on the port that the MAB user is connected to, the MAB user can join and access the guest VLAN.
Example: Configure the guest VLAN for MAB authentication for port 1/0/1.

active500EM(config)#interface ethernet 1/0/1
active500EM(config-if-ethernet1/0/1)#mac-authentication-bypass guest-vlan 10

 

9.11.7 mac-authentication-bypass spoofing-garp-check

Command: mac-authentication-bypass spoofing-garp-check enable
no mac-authentication-bypass spoofing-garp-check enable
Function: Enable the spoofing-garp-check function. MAB will no longer handle spoofing-garp. The no command disables the function.
Parameters: None.
Command mode: Global Mode
Default: Disabled.
Usage guide: When the Windows operating system detects an address conflict, it sends a gratuitous ARP to correct the erroneous ARP entries generated by gratuitous ARP conflict detection. This command is used to detect the spoofing-garp when the address conflict occurs; the MAB function then no longer handles the packet. Note: when this function is enabled, all ARP packets are processed via the software check, which adds to the switch's load.
Example: Enable spoofing-garp-check.

active500EM(config)#mac-authentication-bypass spoofing-garp-check enable

 

9.11.8 mac-authentication-bypass timeout linkup-period

Command: mac-authentication-bypass timeout linkup-period <0-30>
no mac-authentication-bypass timeout linkup-period
Function: Set the interval between the port going down and coming back up when the VLAN binding of a port changes, so that the user can obtain an IP again.
Parameters:

  • <0-30>: the interval before the port is up again after being shutdown automatically. The valid unit is seconds. 0 means there is no down/up operation.

Command mode: Global Mode
Default: The interval is 0.
Usage guide: When MAB authentication is successful, the port is associated with a VLAN according to the auto-vlan setting. When MAB authentication fails, the port is associated with a VLAN according to the guest-vlan setting. After the linkup-period is set, the port is shut down automatically whenever its VLAN binding changes. The port comes up again after the linkup-period so that the user can obtain an IP.
Example: Configure down/up time as 12s.

active500EM(config)#mac-authentication-bypass timeout linkup-period 12

 

9.11.9 mac-authentication-bypass timeout offline-detect

Command: mac-authentication-bypass timeout offline-detect (0 | <60-7200>)
no mac-authentication-bypass timeout offline-detect
Function: Configure offline-detect time. The no command restores the default value.
Parameters:

  • (0 | <60-7200>): offline-detect time. The valid range is 0 or 60 to 7200s.

Command mode: Global Mode
Default: Offline-detect time is 180s.
Usage guide: When offline-detect time is 0, the switch does not detect MAB binding. When offline-detect time is 60s to 7200s, the switch detects the flow corresponding to the MAB binding. If there is no flow during the offline-detect time, the binding is deleted and the flow is no longer allowed to pass.
Example: Configure the offline-detect time to 200s.

active500EM(config)#mac-authentication-bypass timeout offline-detect 200

 

9.11.10 mac-authentication-bypass timeout quiet-period

Command: mac-authentication-bypass timeout quiet-period <1-60>
no mac-authentication-bypass timeout quiet-period
Function: Set the MAB authentication quiet-period. The no command restores quiet-period as the default value.
Parameters:

  • <1-60>: quiet-period. The valid range is from 1 to 60s.

Command mode: Global Mode
Default: quiet-period is 30s.
Usage guide: If MAB authentication fails, the switch will not respond to authentication requests from this MAC during the quiet-period. After the quiet-period, it will respond to requests again.
Example: Configure the MAB authentication quiet-period to 60s.

active500EM(config)#mac-authentication-bypass timeout quiet-period 60

 

9.11.11 mac-authentication-bypass timeout reauth-period

Command: mac-authentication-bypass timeout reauth-period <1-3600>
no mac-authentication-bypass timeout reauth-period
Function: Set the reauthentication interval when authentication fails. The no command restores the default value.
Parameters:

  • <1-3600>: reauthentication interval. The valid range is from 1 to 3600s.

Command mode: Global Mode
Default: Reauthentication interval is 30s.
Usage guide: When authentication fails, reauthentication is attempted for the user at this interval until authentication is successful. When successful, the user can access the network resources.
Example: Configure the reauthentication time to 20s.

active500EM(config)#mac-authentication-bypass timeout reauth-period 20

 

9.11.12 mac-authentication-bypass timeout stale-period

Command: mac-authentication-bypass timeout stale-period <0-60>
no mac-authentication-bypass timeout stale-period
Function: Set the delay after which binds are deleted once the MAB port is down. The no command restores the default value.
Parameters:

  • <0-60>: delay before the bind is deleted. The valid range is from 0 to 60s.

Command mode: Global Mode
Default: 30s.
Usage guide: If the time to delete the binding is set to 0, delete all user binds of this port as soon as the MAB port is down. If the time is greater than 0, delete the user binds using the specified delay after the MAB port is down.
Example: Configure the deletion time to 40s.

active500EM(config)#mac-authentication-bypass timeout stale-period 40

 

9.11.13 mac-authentication-bypass username-format

Command: mac-authentication-bypass username-format {mac-address | {fixed username <WORD> password <WORD>}}
Function: Set the MAB authentication method.
Parameters:

  • mac-address: use the MAC address of the MAB user as the username and password to authenticate.
  • fixed username <WORD> password <WORD>: use the specified username and password to authenticate. The length of the username and password ranges from 1 to 32 characters.

Command mode: Global Mode
Default: Use the MAC address of the MAB user as the username and password to authenticate.
Usage guide: There are two methods for MAB authentication: use the MAC address of the MAB user as the username and password, or use the specified username and password. If no username and password are specified, the device uses the first method to authenticate.
Example: All MAB users use the same username and password to authenticate. The username is mab-user, the password is mab-pwd.

active500EM(config)#mac-authentication-bypass username-format fixed username mab-user password mab-pwd
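
A configuration review for the settings documented in 9.11.1, 9.11.4, 9.11.5, 9.11.6 and 9.11.13, as an added example that is not part of the vendor documentation. It assumes the saved configuration lists commands as typed with interface sub-commands indented; the function name audit_mab and the max_binds baseline are hypothetical.

```python
import re

# Constructed running-config excerpt. Assumption: the saved configuration
# lists commands as typed, with interface sub-commands indented.
SAMPLE_CONFIG = """\
authentication mab radius none
mac-authentication-bypass enable
mac-authentication-bypass username-format fixed username mab-user password mab-pwd
interface ethernet 1/0/1
 mac-authentication-bypass enable
 mac-authentication-bypass binding-limit 10
 mac-authentication-bypass guest-vlan 10
interface ethernet 1/0/2
 mac-authentication-bypass binding-limit 3
"""

PREFIX = "mac-authentication-bypass "

def audit_mab(config, max_binds=3):
    """Return (scope, finding) pairs; max_binds is a hypothetical site baseline."""
    findings, scope, global_on, ports_on = [], "global", False, set()
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            scope = "global"  # an unindented line ends any interface block
        if m := re.match(r"interface ethernet\s*(\S+)$", line, re.I):
            scope = "Ethernet" + m.group(1)
        elif line.startswith("authentication mab") and "none" in line.split()[2:]:
            findings.append((scope, "none mode: MAB users can be admitted without authentication"))
        elif line == PREFIX + "enable":
            if scope == "global":
                global_on = True
            else:
                ports_on.add(scope)
        elif line.startswith(PREFIX + "username-format fixed"):
            findings.append((scope, "one fixed username/password shared by all MAB users"))
        elif m := re.match(PREFIX + r"binding-limit (\d+)$", line):
            if int(m.group(1)) > max_binds:
                findings.append((scope, f"binding-limit {m.group(1)} above baseline {max_binds}"))
        elif m := re.match(PREFIX + r"guest-vlan (\d+)$", line):
            findings.append((scope, f"failed MAB users join guest VLAN {m.group(1)}"))
    if ports_on and not global_on:
        findings.append(("global", "MAB enabled on a port but not globally"))
    return findings

if __name__ == "__main__":
    for scope, finding in audit_mab(SAMPLE_CONFIG):
        print(f"{scope}: {finding}")
```
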

 

9.11.14 show mac-authentication-bypass

Command: show mac-authentication-bypass [interface [ethernet] <IFNAME>]
Function: Show the MAB authentication bind information.
Parameters:

  • <IFNAME>: port name.

Command mode: Admin Mode
Default: None.
Usage guide: Show the MAB authentication bind information.
Example: Show the bind information of all MAB users.

active500EM#show mac-authentication-bypass
The number of all binds is 5
MAC                  Interface       Vlan ID    State
----------------------------------------------------------------------
05-0a-eb-6a-7f-88    Ethernet1/0/1   1          MAB-QUIET
04-0a-eb-6a-7f-88    Ethernet1/0/1   1          MAB-QUIET
03-0a-eb-6a-7f-88    Ethernet1/0/1   1          MAB-QUIET
02-0a-eb-6a-7f-88    Ethernet1/0/1   1          MAB-AUTHENTICATED
00-0a-eb-6a-7f-8e    Ethernet1/0/1   1          MAB-AUTHENTICATED

Displayed information        Explanation
The number of all binding    The bind number of all MAB users, including users that authenticated successfully and users that failed authentication and are in the quiet-period state
MAC                          MAC address
Interface                    The binding port
Vlan                         The VLAN that the MAB user belongs to
State                        Authentication state

active500EM(config)#show mac-authentication-bypass interface ethernet1/0/1
Interface Ethernet1/0/1 user config:
MAB enable: Enable
Binding info: 1
--------------------------------------------------------
MAB Binding built at SUN JAN 01 01:14:48 2006
        VID 1, Port: Ethernet1/0/1
        Client MAC: 00-0a-eb-6a-7f-8e
        Binding State: MAB-AUTHENTICATED
        Binding State Lease: 164 seconds left

Displayed information        Explanation
MAB enable                   MAB function enabled or not enabled
Binding info                 The MAB binding number of the specified port
MAB Binding built at         The time the user bind was created
VID                          The VLAN that the MAB user belongs to
Port                         The binding port
Client MAC                   MAC address
Binding State                Authentication state
Binding State Lease          Remaining time before the binding is released
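
A parser for the bind table shown in this section, as an added example that is not part of the vendor documentation. It summarises binds per port, compares the total with the port's binding-limit (9.11.4) and counts MACs held in MAB-QUIET after a failed authentication; the function names, the limits mapping and the quiet_alert threshold are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Bind table copied from the example output above.
SAMPLE = """\
The number of all binds is 5
MAC                  Interface       Vlan ID    State
----------------------------------------------------------------------
05-0a-eb-6a-7f-88    Ethernet1/0/1   1          MAB-QUIET
04-0a-eb-6a-7f-88    Ethernet1/0/1   1          MAB-QUIET
03-0a-eb-6a-7f-88    Ethernet1/0/1   1          MAB-QUIET
02-0a-eb-6a-7f-88    Ethernet1/0/1   1          MAB-AUTHENTICATED
00-0a-eb-6a-7f-8e    Ethernet1/0/1   1          MAB-AUTHENTICATED
"""

ROW = re.compile(r"((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\S+)\s+(\d+)\s+(MAB-\S+)$", re.I)

def parse_binds(text):
    """Parse the bind table and cross-check it against the reported total."""
    rows = [m.groups() for line in text.splitlines() if (m := ROW.match(line.strip()))]
    total = re.search(r"number of all binds is (\d+)", text)
    if total and int(total.group(1)) != len(rows):
        raise ValueError("reported bind count does not match parsed rows")
    return [{"mac": mac.lower(), "port": port, "vlan": int(vid), "state": state}
            for mac, port, vid, state in rows]

def review_ports(binds, limits, default_limit=3, quiet_alert=2):
    """Summarise binds per port; limits maps port -> configured binding-limit."""
    per_port = defaultdict(Counter)
    for b in binds:
        per_port[b["port"]][b["state"]] += 1
    report = {}
    for port, states in per_port.items():
        total, notes = sum(states.values()), []
        if total >= limits.get(port, default_limit):
            notes.append("binding-limit reached: port stops binding new MACs")
        if states["MAB-QUIET"] >= quiet_alert:
            notes.append(f"{states['MAB-QUIET']} MACs in quiet-period after failed authentication")
        report[port] = {"total": total, "states": dict(states), "notes": notes}
    return report

if __name__ == "__main__":
    print(review_ports(parse_binds(SAMPLE), {"Ethernet1/0/1": 10}))
```
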

 

