05-Security Command


Table of Contents
Chapter 1 AAA Command
1.1 AAA Authentication
1.1.1 aaa authentication enable default
1.1.2 aaa authentication login
1.1.3 aaa authentication password-prompt
1.1.4 aaa authentication username-prompt
1.1.5 aaa default-username
1.1.6 aaa directed-request
1.1.7 aaa group server
1.1.8 debug aaa authentication
1.1.9 enable password
1.1.10 server
1.1.11 show users
1.1.12 service password-encryption
1.1.13 username
Chapter 2 RADIUS Command
2.1 RADIUS Command
2.1.1 debug radius
2.1.2 ip radius source-interface
2.1.3 radius challenge-noecho
2.1.4 radius dead-time
2.1.5 radius server
2.1.6 radius optional-passwords
2.1.7 radius key
2.1.8 radius retransmit
2.1.9 radius timeout
2.1.10 radius vsa send
Chapter 3 802.1x Command
3.1.1 dot1x port-control
3.1.2 dot1x multiple-hosts
3.1.3 dot1x default
3.1.4 dot1x max-req
3.1.5 dot1x reauth-max
3.1.6 dot1x re-authentication
3.1.7 dot1x timeout quiet-period
3.1.8 dot1x timeout re-authperiod
3.1.9 dot1x timeout tx-period
3.1.10 dot1x user-permit
3.1.11 dot1x authentication method
3.1.12 dot1x authen-type.dot1x authentication type
3.1.13 aaa authentication dot1x


3.1.14 debug dot1x error
3.1.15 debug dot1x state
3.1.16 debug dot1x packet
3.1.17 show dot1x
Chapter 4 MAC Access-list Command
4.1 MAC access-list command
4.1.1 mac access-list
4.1.2 permit
4.1.3 deny
4.1.4 mac access-group
Chapter 5 Port Security Configuration
5.1.1 switchport port-security
5.1.2 switchport port-security bind
5.1.3 switchport port-security violation
5.1.4 switchport port-security maximum
5.1.5 switchport port-security mac-address
5.1.6 switchport port-security aging-time
5.1.7 show port-security
5.1.8 show port-security address
Chapter 6 Web-based Authentication Command
6.1 Web-based Authentication Command
6.1.1 web-auth enable
6.1.2 web-auth accounting
6.1.3 web-auth authentication
6.1.4 web-auth mode
6.1.5 web-auth keep-alive
6.1.6 web-auth holdtime
6.1.7 web-auth authtime
6.1.8 web-auth portal-server
6.1.9 web-auth vlan-password
6.1.10 web-auth kick-out
6.1.11 show web-auth
6.1.12 show web-auth interface
6.1.13 show web-auth user
6.1.14 debug web-auth event
6.1.15 debug web-auth error
6.1.16 debug web-auth verbose
6.1.17 debug web-auth http event
6.1.18 debug web-auth http request
6.1.19 debug web-auth http
6.1.20 debug web-auth


Chapter 1 AAA Command

1.1 AAA Authentication

This chapter describes the commands used to configure AAA authentication. Authentication establishes the access rights of users before they are allowed to use the network and its services.

Refer to “Configuration Authentication” for how to configure authentication with AAA, and to the “Example” part at the end of that document for examples built from the commands in this chapter.

1.1.1 aaa authentication enable default

Use the command “aaa authentication enable default” to enable AAA authentication that determines whether a user may access commands of a privileged level. The “no” form of the command disables this authentication method.

Syntax

aaa authentication enable default method1 [method2...]

no aaa authentication enable default method1 [method2...]

Parameter

Parameter Description
method At least one of the keywords listed in Table 1-1.

Default

If no default method list is set, the enable password is used for authentication, which has the same effect as the following command:

aaa authentication enable default enable

If an enable password exists in the configuration, that password must be used. If no password is set, the final result is that authentication succeeds.

Command mode

Global configuration mode


Explanation

The command “aaa authentication enable default” creates a list of authentication methods that decide whether a user has the right to use the privileged commands. The “method” keywords are explained in Table 1-1. A later method in the list is applied only when the preceding method returns an error. If a method reports that authentication failed, another authentication method is employed. To make authentication succeed even when every method is expected to return a failure, designate “none” as the last method on the command line.

In addition, when RADIUS or TACACS+ is used to authenticate enable, the user names sent differ. When RADIUS is used, the user name is “$ENABLElevel$”, where “level” is the privileged level the user is requesting. When TACACS+ is used, the user name is the one with which the user logged on to the switch. For the detailed configuration, see the “AAA Authentication Configuration” part of the configuration document.

Table 1-1 Effective default methods of AAA authentication

Keyword Description

group The server group is used for authentication.

group-restrict The server group is used for authentication, but when the user designates a server, the server group is disabled.

enable The enable password is used for authentication.

line The line password is used for authentication.

none Authentication passes unconditionally.

tacacs+ TACACS+ is used for authentication.

radius RADIUS is used for authentication.

Example

The following example creates an authentication list. The list first tries to contact the TACACS+ server. If the TACACS+ server returns an error or no server can be found, AAA falls back to the enable password. If that attempt also returns an error (for example, because no valid enable password is configured), the user is allowed access without authentication.
aaa authentication enable default tacacs+ enable none

Relevant command

enable password


1.1.2 aaa authentication login

Use the global configuration command “aaa authentication login” to set AAA authentication at login. The “no” form of the command disables AAA login authentication.

Syntax

aaa authentication login {default | list-name} method1 [method2...]

no aaa authentication login {default | list-name} method1 [method2...]

Parameter

Parameter Description
default Uses the authentication methods that follow as the default method list for user login.

list-name A character string naming the authentication method list. When a user logs in, the methods in this list are applied.

method At least one of the keywords described in Table 1-2.

Default

If no default method list is set, no authentication is performed by default, which has the same effect as the following command:

aaa authentication login default none

Command mode

global configuration mode

Explanation

The default list, or a named list created with the command “aaa authentication login”, is applied to a specific line with the command “login authentication”.

A later method is used only when the preceding method returns an error. If a method reports an authentication failure, no further methods are tried. To ensure that authentication succeeds even when all methods return an error, designate “none” as the last method on the command line.

If no authentication is configured for a line, no authentication is performed by default.

Table 1-2 Login methods of AAA authentication


Keyword Description

enable The enable password is used for authentication.

group The server group is used for authentication.

group-restrict The server group is used for authentication, but when the user designates a server, the server group is disabled.

line The line password is used for authentication.

local The local user name database is used for authentication.

local-case The local user name database is used for authentication, with case-sensitive user names.

none No authentication is performed.

radius RADIUS is used for authentication.

tacacs+ TACACS+ is used for authentication.

Example

The following example creates an AAA authentication method list named “TEST”. The list first tries to contact the TACACS+ server. If TACACS+ returns an error or no server can be found, AAA falls back to the enable password. If that attempt also returns an error (for example, because no enable password is configured on the switch), the user is allowed access to the network without authentication.
aaa authentication login TEST tacacs+ enable none

The following example creates the same list but installs it as the default list. If no other list is designated, this list is used for all login authentication.
aaa authentication login default tacacs+ enable none

Relevant command

None
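The method-list polling rule described in 1.1.1 and 1.1.2 (a later method is consulted only when the previous one returns an error, a failure ends the poll, and a trailing “none” always succeeds), shown as an added Python simulation that is not part of this manual; the Result values, the environment parameters and the ERROR behaviour of the local method are assumptions modelled on the debug trace in 1.1.8:

```python
"""Simulates how an AAA method list is polled. PASS and FAIL end the poll;
only ERROR moves on to the next keyword, so a trailing 'none' makes
authentication succeed whenever every earlier method errors out."""
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Result(Enum):
    PASS = "PASS"    # the method authenticated the user
    FAIL = "FAIL"    # the method reached a decision and rejected the credentials
    ERROR = "ERROR"  # the method could not decide (server unreachable, no password set)


Method = Callable[[str, str], Result]


def server_method(reachable: bool, users: Dict[str, str]) -> Method:
    """Models tacacs+ / radius: unreachable server -> ERROR, bad password -> FAIL."""
    def check(user: str, password: str) -> Result:
        if not reachable:
            return Result.ERROR
        return Result.PASS if users.get(user) == password else Result.FAIL
    return check


def enable_method(enable_password: Optional[str]) -> Method:
    """Models enable: no enable password configured -> ERROR (cf. 1.1.1 Default)."""
    def check(user: str, password: str) -> Result:
        if enable_password is None:
            return Result.ERROR
        return Result.PASS if password == enable_password else Result.FAIL
    return check


def local_method(users: Dict[str, str]) -> Method:
    """Models local. Assumption: an unknown user is an ERROR (the 1.1.8 trace shows
    LOCAL reporting ERROR), while a wrong password for a known user is a FAIL."""
    def check(user: str, password: str) -> Result:
        if user not in users:
            return Result.ERROR
        return Result.PASS if users[user] == password else Result.FAIL
    return check


def none_method(user: str, password: str) -> Result:
    """Models none: no authentication at all, always PASS."""
    return Result.PASS


def build_method_list(keywords: List[str], *, server_reachable: bool = True,
                      server_users: Optional[Dict[str, str]] = None,
                      enable_password: Optional[str] = None,
                      local_users: Optional[Dict[str, str]] = None) -> List[Tuple[str, Method]]:
    """Turns method-list keywords, e.g. ['tacacs+', 'enable', 'none'], into callables.
    The keyword arguments describe the simulated environment (constructed, not real)."""
    factories = {
        "tacacs+": lambda: server_method(server_reachable, server_users or {}),
        "radius": lambda: server_method(server_reachable, server_users or {}),
        "enable": lambda: enable_method(enable_password),
        "local": lambda: local_method(local_users or {}),
        "none": lambda: none_method,
    }
    return [(kw, factories[kw]()) for kw in keywords]


def poll_method_list(methods: List[Tuple[str, Method]], user: str,
                     password: str) -> Tuple[bool, List[str]]:
    """Polls the list in order and returns (authenticated, trace).
    Trace lines are worded after the debug aaa authentication output in 1.1.8."""
    trace: List[str] = []
    for keyword, method in methods:
        trace.append(f"Use authen method {keyword.upper()}.")
        result = method(user, password)
        if result is Result.PASS:
            trace.append(f"Authen PASS via {keyword}.")
            return True, trace
        if result is Result.FAIL:
            trace.append("Authen FAIL! Method-list polling finish.")
            return False, trace
        trace.append("Authen ERROR! Use next method.")
    # Every method returned ERROR and no 'none' was present: the poll ends in failure.
    trace.append("Authen FAIL! Method-list polling finish.")
    return False, trace


if __name__ == "__main__":
    # 'aaa authentication login TEST tacacs+ enable none' with the TACACS+ server down
    # and no enable password configured: the user gets in without any check.
    risky = build_method_list(["tacacs+", "enable", "none"], server_reachable=False)
    print(poll_method_list(risky, "someone", "anything"))
    # The same list without the trailing 'none' ends in FAIL instead.
    strict = build_method_list(["tacacs+", "enable"], server_reachable=False)
    print(poll_method_list(strict, "someone", "anything"))
```

The first run shows why a trailing “none” behind an unreachable server and a missing enable password amounts to no authentication at all, which is the case to check for when reviewing a method list.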

1.1.3 aaa authentication password-prompt

Use the global configuration command “aaa authentication password-prompt” to change the text displayed when prompting the user for a password. The “no” form of the command restores the default password prompt text.

Syntax

aaa authentication password-prompt text-string

no aaa authentication password-prompt text-string

Parameter

Parameter Description
text-string The text displayed to prompt the user for the password.

Default

When the user-defined text-string is not used, the password prompt is “Password”.

Command mode

global configuration mode

Explanation

The command “aaa authentication password-prompt” changes the default text that prompts the user for a password. It changes the prompt for both the enable password and the login password. The “no” form of the command restores the default prompt:

Password:

The command “aaa authentication password-prompt” does not change any prompt text provided by a remote TACACS+ or RADIUS server.

Example

The following example changes the password prompt to “YourPassword:”.
aaa authentication password-prompt YourPassword:

Relevant command

aaa authentication username-prompt

enable password

1.1.4 aaa authentication username-prompt

Use the global configuration command “aaa authentication username-prompt” to change the text displayed when prompting for the user name. The “no” form of the command restores the default user name prompt string.

Syntax

aaa authentication username-prompt text-string

no aaa authentication username-prompt text-string


Parameter

Parameter Description
text-string The text displayed to prompt the user for the user name.

Default

When there is no user-defined text-string, the prompting character string of the user
name is “Username”.

Command mode

global configuration mode

Explanation

The command “aaa authentication username-prompt” changes the string that prompts the user for a user name. The “no” form of the command restores the default prompt:

Username:

Some protocols (such as TACACS+) can override the local username prompt. In that case, the command “aaa authentication username-prompt” does not change the username prompt string.

Note: The command “aaa authentication username-prompt” does not change any prompt text provided by a remote TACACS+ server.

Example

The following example changes the username prompt to the string “YourUsername:”.
aaa authentication username-prompt YourUsername:

Relevant command

aaa authentication password-prompt

1.1.5 aaa default-username

When a user is not authenticated, a default username is assigned to the user. The command below changes the string used as the default username. The “no” form of the command restores the default value.


Syntax

aaa default-username username

no aaa default-username

Parameter

Parameter Description
username The character string used as the default username.

Default

By default, the default username is DEFAULT.

Command mode

global configuration mode

Explanation

If a user who has not been authenticated performs an authorized operation under the default username, the services available to that user are limited to the rights granted to the default username.

Example

The following example changes the default username to default-user.
aaa default-username default-user

Relevant command

None

1.1.6 aaa directed-request

Syntax

aaa directed-request [no-truncate]

no aaa directed-request

Parameter

Parameter Description
no-truncate Keeps @host-ip-address as part of the username instead of truncating it from the username.

Default

By default, the user is not allowed to designate the server to be tried first by this method.

Command mode

global configuration mode

Explanation

The command “aaa directed-request” allows the user to designate the AAA server to be tried first, using the form username@host-ip-address. The “no” form of the command forbids this form.

Example

The following example allows the @host-ip-address form to designate the AAA server to be tried first, but does not keep @host-ip-address as part of the username.
aaa directed-request

1.1.7 aaa group server

The commands below enter server group configuration mode, in which an AAA server group is configured. The “no” form of the command deletes the configured server group.

Syntax

aaa group server radius group-name

no aaa group server radius group-name

Parameter

Parameter Description
group-name The character string naming the server group.

Default

No server group is configured.


Command mode

global configuration mode

Explanation

Use this command to enter server group configuration mode, then add the corresponding servers to the group.

Example

aaa group server radius radius-group

The above command adds a RADIUS server group named “radius-group”.

Relevant command

server

1.1.8 debug aaa authentication

The command “debug aaa authentication” traces the authentication process of users. The “no” form of the command turns the debug output off.

Syntax

debug aaa authentication

no debug aaa authentication

Parameter

None

Default

Debug output is off.

Command mode

Supervisor mode


Explanation

The command can be used for tracing the authentication process of each user to find
out the cause of the failure of authentication.

Example

The following example turns on the authentication debug output:

switch#debug aaa authentication
AAA: Authen start (0x1f74208), user=, authen_type=ASCII, priv=0, method-list=default
AAA: Use authen method LOCAL (0x1f74208).
AAA: Authen CONT, need username.
AAA: Authen CONT, need password.
AAA: Authen ERROR (0x1f74208)! Use next method.
AAA: Authen FAIL(0x1f74208)! Method-list polling finish.

Output Information Explanation

Authen start (0x1f74208), user=, authen_type=ASCII, priv=0, method-list=default Authentication starts. The username is not yet known, ASCII authentication is used, the privileged level requested by the user is 0, and the default authentication method list is used. User ID 0x1f74208.

Use authen method LOCAL (0x1f74208) The local authentication method is used. User ID 0x1f74208.

Authen CONT, need username Prompting for the username.

Authen CONT, need password Prompting for the password.

Authen ERROR (0x1f74208)! Use next method The local method returned an error, so the next authentication method in the method list is used.

Authen FAIL(0x1f74208)! Method-list polling finish All authentication methods in the list have been polled and authentication fails.

Relevant command

None

1.1.9 enable password

The authentication password of the corresponding privileged level can be configured


for authenticating the user accessible to privileged level through the command “enable
password”. The “no” format of the command can be used for canceling the password.

enable password { password | [encryption-type] encrypted-password } [level


number]

no enable password [level number]


Parameter

Parameter Description
password The plaintext password string.

encryption-type The type of password encryption.

encrypted-password The cipher text of the password, in the form required by encryption-type.

level The privileged level parameter.

number The value of the privileged level (1-15).

Default

None

Command mode

global configuration mode

Explanation

A switch configuration password contains no blanks, so no blank may be entered when the plaintext password is typed directly with the command “enable password”. The plaintext password cannot exceed 126 characters.

When no level parameter is entered, the default is level 15. The higher the privileged level, the greater the authority. If no password is configured for a privileged level, no authentication is performed when a user enters that level.

Currently the switch system supports only two encryption types, entered in the command as 0 and 7. Type 0 means no encryption: the following encrypted-password is entered directly as the plaintext password, which has the same effect as entering the password parameter without an encryption-type. Type 7 denotes an encryption algorithm defined by Our Company: the following encrypted-password must be the cipher text of the password, which can be copied from the configuration file of another switch.

Example

The following example adds the password clever for privileged level 10 with encryption-type 0, that is, as plaintext.
enable password 0 clever level 10

The following example adds the password Oscar for the default privileged level (15) with encryption-type 7, the encrypted form, so the cipher text of the password must be entered.
enable password 7 074A05190326

This assumes that the cipher text of Oscar is 074A05190326; the cipher text is obtained from the configuration file of another switch.

Relevant command

aaa authentication enable default

service password-encryption

1.1.10 server

The command is used for adding a server in an AAA server group. The “no” format of
the command is used for deleting a server.

Syntax

server A.B.C.D

no server A.B.C.D

Parameter

Parameter Description
A.B.C.D The IP address of the server.

Default

No server is configured.

Command mode

Server Group Configuration Mode

Explanation

At most 20 different servers can be added to a server group.

Example

server 12.1.1.1

The above command adds the server with address 12.1.1.1 to the server group.


Relevant command

aaa group server

1.1.11 show users

The command “show users” can be used for showing the summary information of all
the on-line users.

Syntax

show users

Parameter

None

Default

None

Command mode

Supervisor mode

Explanation

The command is used for showing all the on-line users, including the information below:
port, username, service type, authentication method, time online and IP peer address.

Example

#show users
Port User Service Auth_Meth Time Peer-address
===============================================================
0 someone exec unknown 2d06h01m(m) unknown
2 admin ppp local 2d01h10m(m) 192.168.30.87

Field Description

Port The Vty index number or the ID of the interface where the user is located.

User The username string.

Service The service requested by the user.

Auth_Meth The method by which the user was authenticated.

Time The user's online time.

Peer-address The IP address of the remote host where the user is located.

Relevant command

username

1.1.12 service password-encryption

The command encrypts the relevant passwords in the system. The “no” form of the
command stops encrypting passwords that are set afterwards.

Syntax

service password-encryption

no service password-encryption

Parameter

None

Default

The password in the system is not encrypted.

Command mode

global configuration mode

Explanation

In the current implementation of Our Company's switch system, the command is
related to the commands “username password”, “enable password” and “password”. If
the command is not configured (i.e. under default status), the passwords set by those
three commands are stored in plaintext, and the plaintext of the configured password
is shown by the command “show running-config”. Once the command is configured, the
passwords configured by those three commands are encrypted, and their plaintext is
no longer shown by “show running-config”. The command “no service
password-encryption” cannot restore the display of the plaintext, so a configured
password should be confirmed before the command is used for encryption. The
command “no service password-encryption” affects only passwords configured after it
is used and has no effect on passwords encrypted before it is used.


Example

switch_config#service password-encryption

The command encrypts the plaintext passwords already configured and any plaintext
password configured after the command is used.

Relevant command

username username password

enable password

password

1.1.13 username

The command adds a user to the local user database used for local authentication
and authorization. The “no” form of the command deletes the corresponding user.

Syntax

username username [password { password | [encryption-type] encrypted-password }] [trust-host ip_address] [user-maxlinks number] [autocommand command]

no username username

Parameter

Parameter            Description
username             Character string of the user name
password             The password corresponding to the user
password             Plaintext character string of the password
encryption-type      The type of password encryption
encrypted-password   The ciphertext of the password, corresponding to the encryption type given by “encryption-type”.
trust-host           The trust-host corresponding to the user.
ip_address           IP address of the trust-host; authentication can be passed only when the user logs in to the switch from that host.
user-maxlinks        The maximum number of links to the switch that the same user may create at the same time (only users passing local authentication are counted).
number               The number of links allowed at the same time.
autocommand          When the user logs in to the switch, the designated command is executed automatically.
command              Character string of the command to be executed automatically.


Default

No user

Command mode

global configuration mode

Explanation

When there is no password parameter, the password is interpreted as a null character
string. The trust-host binds the user to a specific host: when the user logs in to the
switch from another host, the user can pass authentication only by the “none” method.
“user-maxlinks” limits the number of sessions the same user can set up with the switch
at the same time; a session of the user that is not authenticated by the local
authentication method is not counted. The command “show users” can be used to
examine which authentication method each user passed.

Passwords in Our Company's switch configuration contain no blanks; that is, when the
plaintext of a password is entered directly with the command “enable password”, no
blank may be entered.

Currently only two encryption-types are supported by our switch system; the
parameters in the commands are 0 and 7 respectively. 0 means no encryption: the
plaintext of the password is entered directly as the following encrypted-password,
which has the same effect as entering the password parameter directly without an
encryption-type. 7 represents an encryption algorithm defined by Our Company: the
encrypted ciphertext of the password is entered as the following encrypted-password.
The ciphertext can be copied from the configuration files of other switches.

Example

The local user is added in the Example below. The username is someone, the
password is someother.
username someone password someother

The local user is added in the example below. The username is Oscar and the password
is Joan. The encryption type applied is 7, i.e. the encrypted form, so the ciphertext of
the password must be entered.
username Oscar password 7 1105718265

This assumes the ciphertext of Joan is 1105718265; such a value is obtained from the
configuration files of other switches.
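An added example, not part of this manual, of a defender-side audit that applies the rules above: it scans a constructed running-config excerpt, treats encryption-type 0 or a missing encryption-type as plaintext for the “username password”, “enable password” and “password” commands, and reports whether “service password-encryption” is configured. The sample configuration, its user names and its values are made up here.

```python
import re

# Constructed running-config excerpt in the style of this manual; the user
# names and values are made up for the example and are not from a device.
SAMPLE_CONFIG = """\
!
username someone password someother
username Oscar password 7 1105718265
username guest password 0 guest123
enable password 7 074A05190326
!
"""

# The three commands that "service password-encryption" covers all take an
# optional encryption-type before the secret: 0 (or none) = plaintext, 7 =
# vendor-defined ciphertext copied from another switch's configuration.
USERNAME_RE = re.compile(r"^username\s+(\S+)\s+password\s+(?:(\d)\s+)?(\S+)")
ENABLE_RE = re.compile(r"^enable\s+password\s+(?:(\d)\s+)?(\S+)")
LINE_PASSWORD_RE = re.compile(r"^password\s+(?:(\d)\s+)?(\S+)")


def audit_config(config_text):
    """Return {'encryption_enabled': bool, 'plaintext': [(command, who), ...]}.

    'plaintext' lists every password that "show running-config" would reveal
    because it was stored with encryption-type 0 or no encryption-type.
    """
    encryption_enabled = False
    plaintext = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "service password-encryption":
            encryption_enabled = True
            continue
        m = USERNAME_RE.match(line)
        if m:
            user, etype, _secret = m.groups()
            if etype in (None, "0"):
                plaintext.append(("username", user))
            continue
        m = ENABLE_RE.match(line)
        if m:
            etype, _secret = m.groups()
            if etype in (None, "0"):
                plaintext.append(("enable password", "enable"))
            continue
        m = LINE_PASSWORD_RE.match(line)
        if m and m.group(1) in (None, "0"):
            # "password" inside a line (vty/console) block is also covered
            plaintext.append(("password", "line"))
    return {"encryption_enabled": encryption_enabled, "plaintext": plaintext}


def findings(config_text):
    """Human-readable findings: plaintext passwords visible in the running
    configuration, plus a note when the encryption command is absent."""
    report = audit_config(config_text)
    lines = [f"{cmd} for {who}: stored in plaintext"
             for cmd, who in report["plaintext"]]
    if not report["encryption_enabled"]:
        lines.append("service password-encryption is not configured")
    return lines


if __name__ == "__main__":
    for finding in findings(SAMPLE_CONFIG):
        print(finding)
```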

Relevant command

aaa authentication login

aaa authentication ppp


Chapter 2 RADIUS Command

2.1 RADIUS Command

This chapter introduces the commands for RADIUS configuration. RADIUS is a
distributed client/server system capable of denying unauthorized network access. The
RADIUS client runs on the switch and sends authentication, authorization and
accounting requests to the central RADIUS server, which holds the authentication
information of all users and the network service access information.

2.1.1 debug radius

The command “debug radius” traces RADIUS events or packets. The “no” form of the
command turns the debug output off.

Syntax

debug radius {event | packet}

no debug radius {event | packet}

Parameter

Parameter   Description
event       Tracing RADIUS events
packet      Tracing RADIUS packets

Default

none

Command mode

Supervisor mode

Explanation

The command is used for debugging the network system to find the cause of an
authentication failure.
switch#debug radius event
RADIUS:return message to aaa, Give me your username
RADIUS:return message to aaa, Give me your password
RADIUS:inital transmit access-request [4] to 192.168.20.126 1812 <length=70>
RADIUS:retransmit access-request [4] to 192.168.20.126 1812 <length=70>
RADIUS:retransmit access-request [4] to 192.168.20.126 1812 <length=70>
RADIUS:192.168.20.126 is dead to response [4]
RADIUS:Have tried all servers return error to aaa.

Output Information                                                       Explanation
Return packet to aaa, Give me your username                              The username is wanted.
Return packet to aaa, Give me your password                              The password corresponding to the username is wanted.
inital transmit access-request [4] to 192.168.20.126 1812 <length=70>    The first authentication request is sent to the RADIUS server. The address of the server is 192.168.20.126, the port number is 1812 and the length of the packet is 70.
retransmit access-request [4] to 192.168.20.126 1812 <length=70>         The server does not respond to the request, and the authentication request is retransmitted.
192.168.20.126 is dead to response [4]                                   After repeated retransmissions the server still does not respond, so it is marked as dead.
Have tried all servers return error to aaa                               RADIUS authentication has finished and an error is returned to aaa.

Example

The following example turns on RADIUS event tracing.

debug radius event

2.1.2 ip radius source-interface

The global configuration command “ip radius source-interface” forces RADIUS to use
the IP address of the designated interface as the source address of all packets it
transmits. The “no” form of the command restores the default.

Syntax

ip radius source-interface interface-name

no ip radius source-interface

Parameter

Parameter        Description
interface-name   RADIUS uses the IP address of this interface for all RADIUS packets sent.


Default

The manufacturer designates no default value; the source IP address is determined by
the actual conditions at the time of sending.

Command mode

global configuration mode

Explanation

The command selects the IP address of an interface as the source address of outgoing
RADIUS packets. As long as the interface is in the “up” state, that address is used
continuously. Thus, for each client accessing the network, the RADIUS server sees only
one IP address rather than having to maintain a list of IP addresses. The command is
especially useful when the switch has many interfaces and all RADIUS packets coming
from a specific switch should carry the same source IP address.

The designated interface must have an IP address. If the designated interface has no
IP address or is in the “down” state, RADIUS reverts to the default behaviour. To avoid
this, an IP address should be assigned to the interface and the interface kept in the
“up” state.

Example

The following example makes RADIUS use the IP address of interface VLAN1 for all
RADIUS packets sent.
ip radius source-interface vlan1

Relevant command

ip tacacs source-interface

2.1.3 radius challenge-noecho

The command “radius challenge-noecho” prevents user data from being echoed in
Access-Challenge mode.

Syntax

radius challenge-noecho

no radius challenge-noecho

Parameter

none


Default

User data is echoed during Access-Challenge.

Command mode

global configuration mode

Explanation

none

Example

radius challenge-noecho

2.1.4 radius dead-time

The global configuration command “radius dead-time” improves RADIUS response time
when some servers are unavailable, by allowing the system to skip the unavailable
servers. The “no” form of the command sets dead-time to 0, i.e. all servers are
considered available.

Syntax

radius dead-time minutes

no radius dead-time

Parameter

Parameter   Description
minutes     The length of time during which a RADIUS server is considered unavailable; the maximum is 1440 minutes (24 hours).

Default

The dead time is 0, meaning that a server is always considered available.

Command mode

global configuration mode


Explanation

The command marks RADIUS servers that do not respond to authentication requests as
“dead”, which avoids waiting too long for a response before trying the next server. A
RADIUS server marked “dead” is skipped by all requests for the set number of minutes,
unless all servers are marked “dead”.

Example

The following example sets a dead time of 5 minutes for RADIUS servers that do not
respond to requests.
radius dead-time 5

Relevant command

radius server

radius retransmit

radius timeout

2.1.5 radius server

The global configuration command “radius server” designates the IP address of a
RADIUS server. The “no” form of the command deletes the designated RADIUS host.

Syntax

radius server ip-address [auth-port port-number1] [acct-port port-number2]

no radius server ip-address

Parameter

Parameter      Description
ip-address     The IP address of the RADIUS server.
auth-port      (optional) Designates the UDP destination port for authentication requests.
port-number1   (optional) The port number for authentication requests. If set to 0, the host is not used for authentication.
acct-port      (optional) Designates the UDP destination port for accounting requests.
port-number2   (optional) The port number for accounting requests. If set to 0, the host is not used for accounting.


Default

No RADIUS host is designated.

Command mode

global configuration mode

Explanation

The command “radius server” can be used repeatedly to designate multiple servers.
When necessary, the servers are polled in the order in which they were configured.

Example

The example below designates the RADIUS host whose IP address is 1.1.1.1. The default
ports are used for accounting and authentication.
radius server 1.1.1.1

The following example designates port 12 as the destination port of authentication
requests on the RADIUS host whose IP address is 1.2.1.2, and port 16 as the
destination port of accounting requests.
radius server 1.2.1.2 auth-port 12 acct-port 16

Relevant command

aaa authentication

radius key

tacacs server

username

2.1.6 radius optional-passwords

The global configuration command “radius optional-passwords” makes the first
RADIUS authentication request sent to the RADIUS server carry the username without
checking a password. The “no” form of the command restores the default.

Syntax

radius optional-passwords

no radius optional-passwords

Parameter

none

Default

optional-password mode is not used.

Command mode

global configuration mode

Explanation

When the user enters the login name, the authentication request includes the user
name and a zero-length password. If the request is accepted, login authentication is
complete. If the RADIUS server rejects the request, the user is prompted for the
password and, once it is entered, a second authentication is attempted. The RADIUS
server must support authenticating users with no password for this feature to be of
use.

Example

The following example omits the user password from the first authentication request.
radius optional-passwords

Relevant command

radius server

2.1.7 radius key

The global configuration command sets the shared secret used for RADIUS
communication between the switch and the RADIUS server. The “no” form of the
command clears the secret.

Syntax

radius key string

no radius key

Parameter

Parameter Description


string   The secret key used for encryption. The secret key must match the one used by the RADIUS server.

Default

The secret key is a null character string.

Command mode

global configuration mode

Explanation

The entered secret key must match the one used by the RADIUS server. Space
characters are ignored; the secret key contains no space character.

Example

The following example sets the encryption key to “firstime”.

radius key firstime

Relevant command

radius server

tacacs server

username

2.1.8 radius retransmit

The global configuration command sets the number of retries before a server is
abandoned. The “no” form of the command restores the default value.

Syntax

radius retransmit retries

no radius retransmit

Parameter

Parameter   Description
retries     The maximum number of retries; the default value is 3.


Default

3 trials

Command mode

global configuration mode

Explanation

The command is usually used together with the command “radius timeout”: the timeout
sets how long to wait for a server response, and this command sets how many times the
request is retried after a timeout.

Example

The example below sets the retry counter to 5.

radius retransmit 5

Relevant command

radius timeout

2.1.9 radius timeout

The global configuration command “radius timeout” sets how long the switch waits for
a server response. The “no” form of the command restores the default value.

Syntax

radius timeout seconds

no radius timeout

Parameter

Parameter   Description
seconds     The timeout in seconds; the default value is 5 seconds.

Default

5 seconds


Command mode

global configuration mode

Explanation

The command is usually used together with the command “radius retransmit”.

Example

The example below sets the timeout timer to 10 seconds.

radius timeout 10
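An added example, not from this manual or its vendor, that models in Python how “radius timeout”, “radius retransmit” and “radius dead-time” interact: each server gets one transmission plus the configured retransmits, each waiting one timeout; a server that never answers is marked dead for dead-time minutes and skipped unless every server is dead. The servers and their behaviour are constructed; only the address 192.168.20.126 is taken from the debug output earlier in this chapter.

```python
class RadiusServer:
    """Constructed stand-in for a configured 'radius server' entry."""

    def __init__(self, address, responds):
        self.address = address
        self.responds = responds  # simulation flag: does the server answer?
        self.dead_until = 0.0     # simulated time until which it is skipped


class RadiusClient:
    """Retry and dead-marking logic of the switch-side RADIUS client."""

    def __init__(self, servers, timeout=5, retransmit=3, dead_time=0):
        self.servers = servers        # polled in configuration order
        self.timeout = timeout        # 'radius timeout' (seconds per attempt)
        self.retransmit = retransmit  # 'radius retransmit' (retries after the first)
        self.dead_time = dead_time    # 'radius dead-time' (minutes; 0 = never skip)
        self.now = 0.0                # simulated clock, advanced by each timeout
        self.log = []

    def _candidates(self):
        alive = [s for s in self.servers if s.dead_until <= self.now]
        # When every server is marked dead the dead-time is ignored and all
        # servers are tried again, as the 'radius dead-time' explanation says.
        return alive if alive else list(self.servers)

    def authenticate(self, request_id):
        """Return the address of the server that answered, or None."""
        for srv in self._candidates():
            for attempt in range(1 + self.retransmit):
                verb = "initial transmit" if attempt == 0 else "retransmit"
                self.log.append(f"RADIUS:{verb} access-request [{request_id}] to {srv.address}")
                if srv.responds:
                    return srv.address
                self.now += self.timeout  # waited one timeout with no reply
            self.log.append(f"RADIUS:{srv.address} is dead to response [{request_id}]")
            if self.dead_time:
                srv.dead_until = self.now + self.dead_time * 60
        self.log.append("RADIUS:Have tried all servers return error to aaa.")
        return None


def failover_demo():
    """First server silent, second answers: the first request burns the full
    retry budget on the silent server, the second request skips it."""
    servers = [RadiusServer("192.168.20.126", responds=False),
               RadiusServer("192.168.20.200", responds=True)]  # constructed
    client = RadiusClient(servers, timeout=5, retransmit=3, dead_time=5)
    first = client.authenticate(4)
    seconds_first = client.now            # 4 attempts x 5 s before failover
    attempts_first = len(client.log)
    second = client.authenticate(5)
    attempts_second = len(client.log) - attempts_first
    return first, seconds_first, second, attempts_second


if __name__ == "__main__":
    print(failover_demo())
```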

2.1.10 radius vsa send

The global configuration command “radius vsa send” configures the switch to recognize
and use vendor-specific attributes (VSA). The “no” form of the command restores the
default value.

Syntax

radius vsa send [accounting | authentication]

no radius vsa send [accounting | authentication]

Parameter

Parameter        Description
accounting       (optional) Limits the recognized vendor-specific attributes to accounting attributes.
authentication   (optional) Limits the recognized vendor-specific attributes to authentication attributes.

Default

VSA is not used.

Command mode

global configuration mode

Explanation

IETF defines the vendor-specific attribute (VSA, attribute 26) and designates the
method for exchanging vendor-specific information between the switch and the
RADIUS server. VSA allows manufacturers to support their own extended attributes
that are not suited to general purposes. The command “radius vsa send” enables the
switch to recognize and use vendor-specific attributes for authentication and
accounting. The keyword “accounting” limits the recognized vendor-specific attributes
to accounting attributes; the keyword “authentication” limits them to authentication
attributes.

Example

The example below configures the switch to recognize and use vendor-specific
accounting attributes.
radius vsa send accounting

Relevant command

radius server


Chapter 3 802.1x command

This chapter explains the configuration commands of 802.1x.

3.1.1 dot1x port-control

Syntax

dot1x port-control {auto|force-authorized|force-unauthorized}

no dot1x port-control

Parameter

Parameter            Description
auto                 Enable 802.1x protocol authentication on the port
force-authorized     Cancel 802.1x protocol authentication
force-unauthorized   Force the port into the unauthorized (inaccessible) state

Default

force-authorized

Explanation

802.1x is a layer-2, port-based authentication method. Users may use the “auto”
keyword to enable authentication. Authentication can only be configured on a physical
port, which must not be a VLAN trunk port, a dynamic storage port, a security port or a
monitor port.

Command mode

interface configuration mode

Example

The following commands enable 802.1x on f0/24.

Switch(config_f0/24)# dot1x port-control auto
Switch(config_f0/24)#

The following commands configure f0/23 as a VLAN trunk and then try to enable 802.1x.

Switch(config_f0/23)#switchport mode trunk
Switch(config_f0/23)#dot1x port-control auto
802.1x Control Failed, 802.1x cannot cmd on vlanTrunk port(f0/23)
Switch(config_f0/23)#

3.1.2 dot1x multiple-hosts

Syntax

dot1x multiple-hosts

no dot1x multiple-hosts

Parameter

none

Default

Multi-user authentication for 802.1x is disabled.

Explanation

After a port is configured for 802.1x with this command, it can connect to multiple
hosts (clients). In this mode, when one client passes authentication, all clients on the
port pass and are able to access the network. If the port fails authentication
(re-authentication fails or a log-off is received), network access on the port is disabled.

Command mode

interface configuration mode

Example

The following commands enable multi-host port authentication on f0/24.

Switch(config_f0/24)# dot1x multiple-hosts
Switch(config_f0/24)#

3.1.3 dot1x default

Syntax

dot1x default


Parameter

none

Default

none

Explanation

Restores all global dot1x configuration to the default configuration.

Command mode

global configuration mode

Example

The following commands restore all dot1x configuration to the default values.

Switch(config)#dot1x default
Switch(config)#

3.1.4 dot1x max-req

Syntax

dot1x max-req count

no dot1x max-req

Parameter

Parameter   Description
count       The maximum number of identity requests. Range: 1-10.

Default

Explanation

Change the maximum number of identity requests according to the network
environment to ensure authentication between the client and the authentication server.

Command mode

global configuration mode

Example

The following commands set the dot1x maximum number of identity requests to 4.

Switch(config)#dot1x max-req 4
Switch(config)#

3.1.5 dot1x reauth-max

Syntax

dot1x reauth-max count

no dot1x reauth-max

Parameter

Parameter   Description
count       The maximum number of authentication request retries. Range: 1-10.

Default

Explanation

Configures the number of re-authentication attempts. Authentication is suspended if
the client does not respond within that number of attempts.

Command mode

Global configuration mode

Example

The following commands set the dot1x maximum number of authentication retries to 5.

Switch(config)#dot1x reauth-max 5
Switch(config)#


3.1.6 dot1x re-authentication

Syntax

dot1x re-authentication

no dot1x re-authentication

Parameter

none

Default

none

Explanation

Enables re-authentication. After port authentication passes, the host is re-authenticated
periodically. Users may configure the period with the command “dot1x timeout
re-authperiod”.

Command mode

Global configuration mode

Example

The following commands enable re-authentication.

Switch(config)#dot1x re-authentication
Switch(config)#

3.1.7 dot1x timeout quiet-period

Syntax

dot1x timeout quiet-period time

no dot1x timeout quiet-period

Parameter

Parameter   Description
time        The period before dot1x re-enables authentication after a failure (the quiet period). Range: 0-65535 s.


Default

60s

Explanation

When authentication fails there is a quiet period, during which the switch neither
accepts nor initiates any authentication.

Command mode

Global configuration mode

Example

The following commands set the quiet-period to 40.

Switch(config)#dot1x timeout quiet-period 40
Switch(config)#

3.1.8 dot1x timeout re-authperiod

Syntax

dot1x timeout re-authperiod time

no dot1x timeout re-authperiod

Parameter

Parameter   Description
time        The dot1x re-authentication period. Range: 1-4294967295 s.

Default

3600s

Explanation

This command takes effect only after re-authentication is enabled.

Command mode

Global configuration mode


Example

The following commands set the dot1x re-authentication period to 7200 s.

Switch(config)# dot1x timeout re-authperiod 7200
Switch(config)#

3.1.9 dot1x timeout tx-period

Syntax

dot1x timeout tx-period time

no dot1x timeout tx-period

Parameter

Parameter   Description
time        The interval in seconds. Range: 1-65535 s.

Default

30s

Explanation

This command sets how long the switch waits for a client response. When the interval
expires, the switch sends the authentication request again.

Command mode

Global configuration mode

Example

The following commands set the transmit period to 24.

Switch(config_f0/0)# dot1x timeout tx-period 24
Switch(config_f0/0)#

3.1.10 dot1x user-permit

Syntax

dot1x user-permit user_name

no dot1x user-permit

Parameter

Parameter Description
user_name User name

Default

No user is bound; all users are allowed.

Explanation

This command binds users to a port. Up to 8 users can be bound to each port. When
802.1x is enabled, the switch authenticates only the bound user names; authentication
of any other user fails.

Command mode

interface configuration mode

Example

The following commands bind users a, b, c and d to f0/1.

Switch(config_f0/1)# dot1x user-permit a b c d
Switch(config_f0/1)#

3.1.11 dot1x authentication method

Syntax

dot1x authentication method method-name

no dot1x authentication method

Parameter

Parameter Description
method-name Method name.

Default

The “default” method


Explanation

This command configures the authentication method on a port. The method must be
one of the authentication methods offered by AAA. Each interface uses only one
method. When AAA authenticates 802.1x users, it selects the configured authentication
method.

Command mode

interface configuration mode

Example

The following commands set the authentication method of interface f0/1 to abcd, which
uses local user names for authentication, and that of f0/2 to efgh, which uses RADIUS.
Switch(config) #aaa authentication dot1x abcd local
Switch(config) #aaa authentication dot1x efgh radius
Switch(config) #int f0/1
Switch(config_f0/1)# dot1x authentication method abcd
Switch(config_f0/1)# int f0/2
Switch(config_f0/2)# dot1x authentication method efgh

3.1.12 dot1x authen-type / dot1x authentication type

Syntax

dot1x authen-type {chap|eap}

no dot1x authen-type

Configures the dot1x authentication type in global mode. The “no” form restores the
default value.

dot1x authentication type {chap|eap}

no dot1x authentication type

Parameter

None

Default

Under Global mode, default value is chap.

Port default is Global mode configuration type.


Explanation

This command configures the authentication type, which decides whether CHAP or EAP
authentication is applied to AAA. With CHAP, the challenge needed by MD5 is generated
locally; with EAP, the challenge is generated on the authentication server. Each port
uses only one authentication type. By default a port uses the global authentication
type. Once a port is configured with an authentication type, it uses that type until the
“no” command restores the default value.

Command mode

interface/global configuration mode

Example

The following commands set the global authentication type to EAP and the
authentication type of interface f0/1 to CHAP.
Switch(config) #dot1x authen-type eap
Switch(config) #int f0/1
Switch(config_f0/1)# dot1x authentication type chap

3.1.13 aaa authentication dot1x

Syntax

aaa authentication dot1x default method1 [method2...]

no aaa authentication dot1x default method1 [method2...]

Parameter

Parameter              Description
default                Use the following methods when users are authenticated.
method1 [method2...]   One or more of: enable, group radius, line, local, local-case, none

Default

no authentication


Explanation

The method parameters give a series of methods for authenticating the client
password. For 802.1x AAA, the best authentication method is RADIUS. Users may also
authenticate with local configuration information, such as the local client passwords
saved in the configuration by the enable and line methods.

Command mode

global configuration mode

Example

The following command sets the dot1x authentication method to radius.

Switch(config)#aaa authentication dot1x default radius
Switch(config)#

3.1.14 debug dot1x error

Syntax

debug dot1x error

Parameter

none

Default

none

Explanation

This is used to output all error information in dot1x operation.

3.1.15 debug dot1x state

Syntax

debug dot1x state

Parameter

none


Default

none

Explanation

The format of the output is as follows:

2003-3-18 17:40:09 802.1x:AuthSM(F0/10) state Connecting-> Authenticating, event rxRespId
2003-3-18 17:40:09 802.1x:F0/10 Create user for Enter authentication
2003-3-18 17:40:09 802.1x:BauthSM(F0/10) state Idle-> Response, event authStart
2003-3-18 17:40:09 802.1x:F0/10 user "myname" denied, Authentication Force Failed
2003-3-18 17:40:09 802.1x:F0/10 Authentication Fail
2003-3-18 17:40:09 802.1x:BauthSM(F0/10) state Response-> Fail, event aFail
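An added example, not from this manual, that parses “debug dot1x state” lines of the format shown above into structured events (state-machine transitions, denials, results) and counts repeated denials per port and user, which is the detection a defender would run over such output. The sample log is constructed from the lines above with a few extra denials appended; the user name “other” and port F0/11 are made up.

```python
import re
from collections import Counter

# Constructed log, modelled on the 'debug dot1x state' lines shown above,
# with extra failed attempts appended to give the counter something to find.
SAMPLE_LOG = """\
2003-3-18 17:40:09 802.1x:AuthSM(F0/10) state Connecting-> Authenticating, event rxRespId
2003-3-18 17:40:09 802.1x:F0/10 Create user for Enter authentication
2003-3-18 17:40:09 802.1x:BauthSM(F0/10) state Idle-> Response, event authStart
2003-3-18 17:40:09 802.1x:F0/10 user "myname" denied, Authentication Force Failed
2003-3-18 17:40:09 802.1x:F0/10 Authentication Fail
2003-3-18 17:40:09 802.1x:BauthSM(F0/10) state Response-> Fail, event aFail
2003-3-18 17:40:41 802.1x:F0/10 user "myname" denied, Authentication Force Failed
2003-3-18 17:40:41 802.1x:F0/10 Authentication Fail
2003-3-18 17:41:02 802.1x:F0/11 user "other" denied, Authentication Force Failed
2003-3-18 17:41:02 802.1x:F0/11 Authentication Fail
"""

LINE_RE = re.compile(r"^(\S+ \S+) 802\.1x:(.*)$")
TRANSITION_RE = re.compile(
    r"^(AuthSM|BauthSM)\((\S+)\) state (\S+)-> (\S+), event (\S+)$")
DENIED_RE = re.compile(r'^(\S+) user "([^"]*)" denied, (.*)$')
RESULT_RE = re.compile(r"^(\S+) Authentication (Fail|Success)$")


def parse_line(line):
    """Turn one debug line into a dict, or None if it is not an 802.1x line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    stamp, rest = m.groups()
    t = TRANSITION_RE.match(rest)
    if t:
        machine, port, old, new, event = t.groups()
        return {"time": stamp, "kind": "transition", "machine": machine,
                "port": port, "from": old, "to": new, "event": event}
    d = DENIED_RE.match(rest)
    if d:
        port, user, reason = d.groups()
        return {"time": stamp, "kind": "denied", "port": port,
                "user": user, "reason": reason}
    r = RESULT_RE.match(rest)
    if r:
        return {"time": stamp, "kind": "result", "port": r.group(1),
                "result": r.group(2)}
    return {"time": stamp, "kind": "other", "text": rest}


def denials_per_port_user(log_text):
    """Count 'denied' events per (port, user) pair."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["kind"] == "denied":
            counts[(ev["port"], ev["user"])] += 1
    return counts


def repeated_denials(log_text, threshold=2):
    """(port, user) pairs denied at least `threshold` times: worth a look,
    whether a misconfigured supplicant or repeated bad credentials on a port."""
    counts = denials_per_port_user(log_text)
    return sorted(key for key, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print(repeated_denials(SAMPLE_LOG))
```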

3.1.16 debug dot1x packet

Syntax

debug dot1x packet

Parameter

None

Default

none

Explanation

2003-3-18 17:40:09 802.1x:F0/10 Tx --> Supplicant(0008.74bb.d21f)
EAPOL ver:01, type:00, len:5
EAP code:01, id:03, type:01, len:5
00
2003-3-18 17:40:09 802.1x:F0/10 Rx <-- Supplicant(0008.74bb.d21f)
EAPOL ver:01, type:00, len:10
EAP code:02, id:03, type:01, len:10
62 64 63 6f 6d a5
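An added example, not from this manual, that builds and parses the EAPOL-encapsulated EAP packets whose fields the debug output above prints (EAPOL version 1, type 0, then EAP code, id, length and type). The frames are constructed from the values shown, including the identity bytes 62 64 63 6f 6d; the parser also tolerates a trailing byte beyond the declared length, as the hexdump above carries.

```python
import struct

EAPOL_EAP_PACKET = 0          # EAPOL type 0 carries an EAP packet
EAP_CODE_NAMES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1


def build_eapol_eap(code, identifier, eap_type, data=b""):
    """Constructed frame: EAPOL header + EAP header + type + type-data."""
    eap_len = 5 + len(data)                       # code, id, len(2), type, data
    eap = struct.pack("!BBHB", code, identifier, eap_len, eap_type) + data
    return struct.pack("!BBH", 1, EAPOL_EAP_PACKET, len(eap)) + eap


def parse_eapol(frame):
    """Decode the EAPOL and EAP headers; raise ValueError on malformed input."""
    if len(frame) < 4:
        raise ValueError("short EAPOL header")
    version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + body_len]                   # bytes past body_len are padding
    if len(body) < body_len:
        raise ValueError("EAPOL length exceeds frame")
    out = {"eapol_ver": version, "eapol_type": ptype, "eapol_len": body_len}
    if ptype != EAPOL_EAP_PACKET:                  # Start/Logoff/Key: no EAP inside
        return out
    if body_len < 4:
        raise ValueError("short EAP header")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len < 4 or eap_len > body_len:
        raise ValueError("bad EAP length")
    out.update(eap_code=code, eap_code_name=EAP_CODE_NAMES.get(code, "Unknown"),
               eap_id=ident, eap_len=eap_len)
    if code in (1, 2):                             # Request/Response carry a type
        if eap_len < 5:
            raise ValueError("Request/Response without type")
        out["eap_type"] = body[4]
        out["eap_data"] = body[5:eap_len]
    return out


def format_debug(parsed):
    """Render the header lines in the style of 'debug dot1x packet'."""
    first = "EAPOL ver:{:02x}, type:{:02x}, len:{}".format(
        parsed["eapol_ver"], parsed["eapol_type"], parsed["eapol_len"])
    if "eap_code" not in parsed:
        return first
    second = "EAP code:{:02x}, id:{:02x}, type:{:02x}, len:{}".format(
        parsed["eap_code"], parsed["eap_id"], parsed.get("eap_type", 0),
        parsed["eap_len"])
    return first + "\n" + second


# Constructed exchange from the values in the debug output above.
REQUEST_IDENTITY = build_eapol_eap(1, 3, EAP_TYPE_IDENTITY)
RESPONSE_IDENTITY = build_eapol_eap(2, 3, EAP_TYPE_IDENTITY,
                                    bytes.fromhex("6264636f6d"))

if __name__ == "__main__":
    print(format_debug(parse_eapol(REQUEST_IDENTITY)))
    print(format_debug(parse_eapol(RESPONSE_IDENTITY)))
```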

3.1.17 show dot1x

Syntax

show dot1x [interface intf-id]


This command is used to display 802.1x configuration information.

Parameter

Parameter Description
intf-id Specific physical interface

Default

none

Explanation

Displays 802.1x configuration information.

Command mode

supervisor configuration mode

Example

The following output is shown after “dot1x port-control auto” has been configured
under interface F0/10.

Switch_config#sho dot1x
802.1X Parameters
reAuthen No
reAuth-Period 3
quiet-Period 10
Tx-Period 30
Supp-timeout 30
Server-timeout 30
reAuth-max 4
max-request 2
authen-type Eap

IEEE 802.1x on port F0/10 enabled
Authorized Yes
Authen Type Eap
Authen Method default
Permit Users All Users
Multiple Hosts Disallowed
Current Identifier 21

Authenticator State Machine
State Authenticated
Reauth Count 0
Backend State Machine
State Idle
Request Count 0
Identifier (Server) 20
Port Timer Machine
Auth Tx While Time 16
Backend While Time 16
reAuth Wait Time 3
Hold Wait Time 0

- 41 -
05-Security command

Chapter 4 MAC access-list command

4.1 MAC access-list command

4.1.1 mac access-list

Syntax

[no] mac access-list name

Adds or deletes a MAC access-list.

Parameter

Parameter Description
name name of mac access-list.

Default

none

Command mode

Global configuration mode

Example

Establish a MAC access-list named mac-acl.

Switch-config_# mac access-list mac-acl
Switch-config-macl#

4.1.2 permit

Syntax

[no] permit {any | host src-mac-addr} {any | host dst-mac-addr}

Adds or deletes a permit entry in the MAC access-list.

Parameter

Parameter Description
any Any value.

host Host.

src-mac-addr Source MAC address.

dst-mac-addr Target MAC address.

Default

Deny all.

Command mode

MAC access-list configuration mode

Example

Permit frames whose source MAC address is the host 1234.5678.abcd.

Switch-config-macl#permit host 1234.5678.abcd any

4.1.3 deny

Syntax

[no] deny {any | host src-mac-addr} {any | host dst-mac-addr}

Adds or deletes a deny entry in the MAC access-list.

Parameter

Parameter      Description
any            Any value.
host           Host.
src-mac-addr   Source MAC address, in H.H.H form.
dst-mac-addr   Destination MAC address, in H.H.H form.

Default

Deny all.

Command mode

MAC access-list configuration mode

Example

Deny frames whose source MAC address is the host 1234.5678.abcd.

Switch-config-macl#deny host 1234.5678.abcd any
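An added example, not from this manual, of how a MAC access-list built from the permit and deny commands above evaluates a frame: entries are checked in configured order, the first match wins, and an empty or exhausted list denies (the “Deny all” default). Addresses use the H.H.H notation of this chapter; the list contents and the addresses other than 1234.5678.abcd are constructed.

```python
import re

HHH_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$", re.IGNORECASE)


def parse_mac(hhh):
    """H.H.H notation (e.g. 1234.5678.abcd) to 6 raw bytes."""
    if not HHH_RE.match(hhh):
        raise ValueError(f"not an H.H.H MAC address: {hhh!r}")
    return bytes.fromhex(hhh.replace(".", ""))


class MacAccessList:
    """Ordered permit/deny entries with the implicit deny-all at the end."""

    def __init__(self, name):
        self.name = name
        self.entries = []  # (action, src_bytes or None for any, dst_bytes or None)

    @staticmethod
    def _entry(action, src, dst):
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        return (action,
                None if src == "any" else parse_mac(src),
                None if dst == "any" else parse_mac(dst))

    def configure(self, line):
        """Accept one CLI line: '[no] {permit|deny} {any|host H.H.H} {any|host H.H.H}'."""
        tokens = line.split()
        negate = bool(tokens) and tokens[0] == "no"
        if negate:
            tokens = tokens[1:]
        if not tokens:
            raise ValueError("empty access-list line")
        action, rest = tokens[0], tokens[1:]
        fields = []                      # each field is 'any' or 'host H.H.H'
        while rest:
            if rest[0] == "any":
                fields.append("any")
                rest = rest[1:]
            elif rest[0] == "host" and len(rest) > 1:
                fields.append(rest[1])
                rest = rest[2:]
            else:
                raise ValueError(f"bad address field in {line!r}")
        if len(fields) != 2:
            raise ValueError(f"need a source and a destination in {line!r}")
        entry = self._entry(action, fields[0], fields[1])
        if negate:
            self.entries.remove(entry)   # ValueError if no such entry
        else:
            self.entries.append(entry)

    def evaluate(self, src, dst):
        """Return 'permit' or 'deny' for a frame from src to dst (H.H.H)."""
        s, d = parse_mac(src), parse_mac(dst)
        for action, esrc, edst in self.entries:
            if (esrc is None or esrc == s) and (edst is None or edst == d):
                return action            # first matching entry decides
        return "deny"                    # default of the list: deny all
```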

4.1.4 mac access-group

Syntax

[no] mac access-group name

Applies the created MAC access-list to the interface, or removes the MAC access-list
applied to the interface.

Parameter

Parameter Description
name name of mac access-list

Default

MAC access-list is not applied.

Explanation

Configure this command in layer-2 interface configuration mode.

Example

Apply the MAC access-list named macacl to interface f0/1.

Switch_config_f0/1#mac access-group macacl


Chapter 5 Port Security Configuration

5.1.1 switchport port-security

Syntax

switchport port-security

no switchport port-security

Enables or disables the security port function.

Parameter

none

Default

none

Explanation

Works in layer 2 port configuration mode.

Members of a trunk or aggregator are not allowed to use the security port function.

By default this function is off.

Example

Configure interface f0/3 as a security port.

Switch(config)# interface f0/3
Switch(config-if)# switchport port-security

5.1.2 switchport port-security bind

Syntax

switchport port-security bind { ip A.B.C.D | mac H.H.H }

no switchport port-security bind [ ip A.B.C.D | mac H.H.H ]


Configures a binding between a MAC address and an IP address on the port.

An address binding can be deleted with the “no” form. All addresses on the port can
also be deleted at once, in which case the port leaves the binding state.

Parameter

none

Default

none

Explanation

By default this function is off. The port works in binding state once a bind address is
configured, until all bind entries are cleared with the “no” form.

Example

Bind IP address 1.2.3.4 with MAC address 0001.0001.1111, IP address 2.3.4.5 and
MAC address 6666.7777.8888 on interface f0/3:
switch(config)# interface f0/3
switch(config-if)# switchport port-security bind ip 1.2.3.4 mac 0001.0001.1111
switch(config-if)# switchport port-security bind ip 2.3.4.5
switch(config-if)# switchport port-security bind mac 6666.7777.8888

5.1.3 switchport port-security violation

Syntax

switchport port-security violation [protect|restrict]

no switchport port-security violation

Configure violation mode on security port.

Parameter

Parameter   Description
protect     Protect mode: violations are handled without notifying error information.

restrict    Restrict mode: violations are handled and error information is notified.


Default

Default mode is protect.

Explanation

Working in layer 2 port configuration mode

Example

Set the violation mode of security port f0/3 to restrict


Switch(config-if)# switchport port-security violation restrict

5.1.4 switchport port-security maximum

Syntax

switchport port-security maximum value

no switchport port-security maximum

Set the maximum number of secure MAC addresses on the port.

Parameter

Parameter   Description
value       Maximum number of secure MAC addresses. The range: 1-132

Default

Default value is 1.

Explanation

Working in layer 2 port configuration mode

Example

With interface f0/3 enabled as a security port, set the maximum number of secure
MAC addresses to 10.
Switch(config-if)# switchport port-security maximum 10


5.1.5 switchport port-security mac-address

Syntax

switchport port-security mac-address mac-addr

no switchport port-security mac-address mac-addr

Add or delete a static secure MAC address on the security port.

Parameter

Parameter   Description
mac-addr    MAC address, in H.H.H format

Default

none

Explanation

Working in layer 2 port configuration mode

Example

Set 0001.0.1 as a static secure MAC address on security port f0/3

Switch(config-if)# switchport port-security mac-address 0001.0.1

5.1.6 switchport port-security aging-time

Syntax

switchport port-security aging-time aging-time

no switchport port-security aging-time

Configure the aging time of the security port.

Parameter

Parameter   Description
aging-time  Aging time, in seconds, of dynamically learned secure MAC addresses.
            The range: 10-1000000


Default

300 seconds

Explanation

Working in layer 2 port configuration mode

Example

Configure the aging time of dynamically learned secure MAC addresses on interface
f0/3 to 100 seconds
Switch(config-if)# switchport port-security aging-time 100

5.1.7 show port-security

Syntax

show port-security [interface interface-id]

Display the configuration of one or all security ports.

Parameter

Parameter Description
interface-id Port name

Default

none

Explanation

Supervisor mode

Example

Switch# show port-security


Secure Port MaxSecureAddr CurrentAddr Security Violation
(count) (count) (count)
----------- ------------ ----------- --------
f0/3 10 1 0
----------- ------------ ----------- --------
Total addresses in system is : 1


5.1.8 show port-security address

Syntax

show port-security [interface interface-id] address

Display the secure MAC address information of one or all security ports.

Parameter

Parameter Description
interface-id Interface id

Default

none

Explanation

Supervisor mode

Example

Switch# show port-security address


Security Port Mac Address Table
------------------------------------------
Vlan Mac Address Type Ports
---- ----------- ---- -----
1 0001.0000.0001 SecureConfigured f0/3
1 0010.0000.0002 SecureDynamic f0/1
---- ----------- ---- -----
Total addresses in system is : 2
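As an added audit example (not part of this manual or the switch software), the following Python parses the two show port-security output formats shown above and flags ports with recorded violations, ports at their secure-address limit, and dynamically learned addresses that are not statically configured. The sample outputs are constructed in the manual's format; port f0/5 and its values are hypothetical.

```python
"""Audit the 'show port-security' and 'show port-security address' formats.
Added example, not switch software; sample outputs below are constructed."""
import re

# Constructed sample in the manual's format (f0/5 is hypothetical).
SHOW_PORT_SECURITY = """\
Secure Port MaxSecureAddr CurrentAddr Security Violation
(count) (count) (count)
----------- ------------ ----------- --------
f0/3 10 1 0
f0/5 1 1 2
Total addresses in system is : 2
"""

SHOW_PORT_SECURITY_ADDRESS = """\
Security Port Mac Address Table
------------------------------------------
Vlan Mac Address Type Ports
---- ----------- ---- -----
1 0001.0000.0001 SecureConfigured f0/3
1 0010.0000.0002 SecureDynamic f0/5
Total addresses in system is : 2
"""

# One row of the per-port summary: port, max, current, violation count.
PORT_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)$")
# One row of the address table: vlan, H.H.H mac, Secure* type, port.
ADDR_RE = re.compile(
    r"^(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(Secure\w+)\s+(\S+)$",
    re.IGNORECASE)

def parse_ports(text):
    """Map port name -> {max, current, violations} from 'show port-security'."""
    ports = {}
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:  # header, dashed and total lines do not match the row pattern
            ports[m.group(1)] = dict(zip(("max", "current", "violations"),
                                         map(int, m.groups()[1:])))
    return ports

def parse_addresses(text):
    """List secure MAC entries from 'show port-security address'."""
    return [{"vlan": int(m.group(1)), "mac": m.group(2).lower(),
             "type": m.group(3), "port": m.group(4)}
            for m in (ADDR_RE.match(l.strip()) for l in text.splitlines()) if m]

def audit(ports, addrs):
    """Return findings a reviewer of the port-security state would act on."""
    findings = []
    for name, p in sorted(ports.items()):
        if p["violations"] > 0:
            findings.append(f"{name}: {p['violations']} violation(s) recorded")
        if p["current"] >= p["max"]:
            findings.append(f"{name}: at capacity ({p['current']}/{p['max']})")
    for a in addrs:
        # Dynamic entries age out (see aging-time); static ones are intended.
        if a["type"] == "SecureDynamic" and a["port"] in ports:
            findings.append(f"{a['port']}: dynamic address {a['mac']} not statically bound")
    return findings
```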


Chapter 6 Web-based Authentication Command

6.1 Web-based Authentication Command

6.1.1 web-auth enable

Syntax

web-auth enable

no web-auth enable

Enable the web authentication function. The no form of the command restores the
default value.

Parameter

None

Default

Web-auth is disabled.

Explanation

Enable the web authentication function on a routed interface (Ethernet type). Once
the function is enabled, the interface is under the control of web authentication.

Command mode

Interface configuration mode

Example

The following command enables the web authentication on interface VLAN5:


Switch_config_v5#web-auth enable

6.1.2 web-auth accounting

Syntax

web-auth accounting method-name



no web-auth accounting

Configure the accounting method list for the routed interface. The no form of the
command restores the default value.

Parameter

Parameter     Description
method-name   The name of the accounting method list configured in AAA.

Default

Use the “default” accounting method list

Explanation

Network access through the interface is accounted with the accounting methods in
this method list. If the value is not set, the "default" method list is used.

Command mode

Interface configuration mode

Example

The following commands first configure a method list named weba-acct, and then set
this method list on interface VLAN5:
Switch_config# aaa accounting network weba-acct start-stop radius
Switch_config_v5# web-auth accounting weba-acct

6.1.3 web-auth authentication

Syntax

web-auth authentication method-name

no web-auth authentication

Configure the authentication method list for the routed interface. The no form of the
command restores the default value.

Parameter

Parameter     Description
method-name   The name of the authentication method list configured in AAA


Default

Use the “default” authentication method list

Explanation

Network access through the interface is authenticated with the authentication
methods in this method list. If the value is not set, the "default" method list is
used.

Command mode

Interface configuration mode

Example

The following commands first configure a method list named weba, and then set this
method list on interface VLAN5:
Switch_config# aaa authentication login weba local
Switch_config_v5# web-auth authentication weba

6.1.4 web-auth mode

Syntax

web-auth mode [user | vlan-id]

no web-auth mode

Parameter

Parameter   Description
user        Authenticate with user name and password
vlan-id     Authenticate with the VLAN ID

Default

User name and password authentication.

Explanation

Set the authentication mode. In user name/password mode, the user fills in the user
name and password in the web interface; in VLAN ID mode, the user only needs to
press the login button in the web interface.


Command mode

Interface configuration mode

Example

Set the authentication mode of interface VLAN5 to VLAN ID mode.


Switch_config_v5#web-auth mode vlan-id

6.1.5 web-auth keep-alive

Syntax

web-auth keep-alive keep-alive-time

no web-auth keep-alive

Configure the interval, in seconds, at which the client's browser sends online
indication messages. The no form of the command restores the default value.

Parameter

Parameter         Description
keep-alive-time   The interval at which the client's browser sends online indication
                  messages. The range: 60-65535

Default

The default interval is 60 seconds.

Explanation

Once the keep-alive time is reconfigured, users authenticated after the change send
online indication messages at the new interval; users authenticated before the
change adopt the new value only after they have sent one more online indication
message.

Command mode

Global configuration mode

Example

The following command sets the keep-alive time to 180 seconds:


Switch_config#web-auth keep-alive 180


6.1.6 web-auth holdtime

Syntax

web-auth holdtime holdtime

no web-auth holdtime

Use web-auth holdtime to set the duration, in seconds, for which the switch waits
without receiving an online indication message before it blocks the user's network
access. The no form of the command restores the default value.

Parameter

Parameter   Description
holdtime    The duration, in seconds, without an online indication message after
            which the switch blocks the user's network access. The range:
            60-65535

Default

The default interval is 180 seconds.

Explanation

The switch blocks the user's network access after not receiving an online indication
message for holdtime seconds. It also stops accounting for the user at the same
time.

Command mode

Global configuration mode

Example

The following command sets the holdtime to 600 seconds:


Switch_config#web-auth holdtime 600

6.1.7 web-auth authtime

Syntax

web-auth authtime authtime

no web-auth authtime


Use web-auth authtime to set the duration, in seconds, after which the switch
terminates an authentication process that has not completed. The no form of the
command restores the default value.

Parameter

Parameter   Description
authtime    The duration, in seconds, after which the switch terminates an
            authentication process that has not completed

Default

The default interval is 180 seconds.

Explanation

If the authentication process is not completed within the authtime, the switch
terminates the process and frees the resources held for the user. The user must
trigger the authentication process again through DHCP.

Command mode

Global configuration mode

Example

The following command sets the authtime to 360 seconds:


Switch_config#web-auth authtime 360

6.1.8 web-auth portal-server

Syntax

web-auth portal-server A.B.C.D

no web-auth portal-server

Configure the IP address of the portal server. The no form of the command restores
the default value.

Parameter

Parameter   Description
A.B.C.D     The IP address of the portal server


Default

0.0.0.0

Explanation

Before the user passes authentication, the switch replaces the IP address in the
answer section of DNS response messages sent to the user with this address.

Command mode

Global configuration mode

Example

The following command sets the portal-server IP address to 192.168.20.41:


Switch_config#web-auth portal-server 192.168.20.41

6.1.9 web-auth vlan-password

Syntax

web-auth vlan-password password

no web-auth vlan-password

Parameter

Parameter   Description
password    Password shared by all users authenticated in VLAN ID mode

Default

None

Explanation

In VLAN ID authentication mode, the switch uses "vlan n" as the user name, where n
is the VLAN number, and the password configured with this command is the password
for all users authenticated in VLAN ID mode.

Command mode

Supervise configuration mode


Example

Set vlan-password to "abc".


Switch_config#web-auth vlan-password abc

6.1.10 web-auth kick-out

Syntax

web-auth kick-out A.B.C.D

Use web-auth kick-out to force off the user with the given IP address.

Parameter

Parameter   Description
A.B.C.D     The IP address of the user to be kicked out

Default

None

Explanation

The switch kicks out the user identified by the IP address, whether the user has
already passed authentication or is still being authenticated. If accounting has
been started for the user, the switch stops it.

Command mode

Supervisor mode

Example

The following command kicks out the user whose IP address is 192.168.20.43:

Switch_config#web-auth kick-out 192.168.20.43

6.1.11 show web-auth

Syntax

show web-auth

Use show web-auth command to display the global configuration of the web
authentication.


Parameter

None

Default

None

Explanation

This command is used to display the current global configuration for the web
authentication on the switch.

Command mode

Supervisor mode

Example

The following command displays the current global configuration for the web
authentication on the switch:
Switch_config#show web-auth
web authentication parameters
holdtime 3600
authtime 600
keep-alive 60
portal-server 192.168.20.41
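As an added example, not part of this manual or the switch software, the following Python reads the show web-auth output above and checks the global parameters against the relations described in the sections above: holdtime should exceed keep-alive (otherwise one delayed online indication is enough to block a user), both lie in the documented range 60-65535, and a portal-server of 0.0.0.0 is the unset default. The sample output and the deliberately bad configuration in the comments are constructed.

```python
"""Consistency check over the 'show web-auth' output format.
Added example, not switch software; the sample output is constructed in the
manual's format and the threshold logic follows the keep-alive/holdtime text."""
import re

SAMPLE_SHOW_WEB_AUTH = """\
web authentication parameters
holdtime 3600
authtime 600
keep-alive 60
portal-server 192.168.20.41
"""

def parse_show_web_auth(text):
    """Return {name: value} for the four global parameters shown by show web-auth."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^(holdtime|authtime|keep-alive)\s+(\d+)$", line)
        if m:
            params[m.group(1)] = int(m.group(2))
            continue
        m = re.match(r"^portal-server\s+(\d{1,3}(?:\.\d{1,3}){3})$", line)
        if m:
            params["portal-server"] = m.group(1)
    return params

def check_web_auth(params):
    """Return a list of warnings about the global web-auth parameters."""
    warnings = []
    ka = params.get("keep-alive")
    ht = params.get("holdtime")
    # The browser sends an online indication every keep-alive seconds and the
    # switch blocks the user after holdtime seconds without one, so holdtime
    # must be strictly larger than keep-alive to tolerate a single late message.
    if ka is not None and ht is not None and ht <= ka:
        warnings.append(f"holdtime {ht}s does not exceed keep-alive {ka}s")
    # Both values are documented with the range 60-65535.
    for key in ("keep-alive", "holdtime"):
        v = params.get(key)
        if v is not None and not 60 <= v <= 65535:
            warnings.append(f"{key} {v}s outside documented range 60-65535")
    # 0.0.0.0 is the documented default, i.e. no portal server configured, so
    # DNS answers for unauthenticated users cannot be redirected to a portal.
    if params.get("portal-server", "0.0.0.0") == "0.0.0.0":
        warnings.append("portal-server not configured (0.0.0.0)")
    return warnings
```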

6.1.12 show web-auth interface

Syntax

show web-auth interface [vlan | supervlan] intf-id

Use the show web-auth interface command to display the web authentication
configuration on the designated interface.

Parameter

Parameter   Description
intf-id     The ID of the interface to be displayed.

Default

None


Explanation

This command is used to display the current web authentication configuration on the
designated interface.

Command mode

Supervisor mode

Example

The following command displays the current web authentication configuration on the
interface VLAN1:
Switch_config#show web-auth interface Vlan 1
web authentication parameters
web-auth enable
account-method weba-acct
authen-method weba
mode user

6.1.13 show web-auth user

Syntax

show web-auth user

Use the show web-auth user command to display the current user list in the switch.

Parameter

None

Default

None

Explanation

This command displays the current user list in the switch, including users who are
online and users who are being authenticated.

Command mode

Supervisor mode


Example

The following command displays the current user list in the switch:
Switch#show web-auth user
IP MAC-ADDR state remain-time(seconds)
192.168.20.42 0008.74b7.3de1 WEBA_USER_AUTHENTICATED 3572
-------------------------------------
authenticated users: 1, authenticating users: 0

6.1.14 debug web-auth event

Syntax

debug web-auth event

Use the debug web-auth event command to display authentication events.

Parameter

None

Default

None

Explanation

This command displays events that occur during authentication, such as an
authentication request being received, authentication failing, or authentication
succeeding.

Command mode

Supervisor mode

Example

Switch#debug web-auth event

6.1.15 debug web-auth error

Syntax

debug web-auth error


Use the debug web-auth error command to display the errors occurring during
authentication.

Parameter

None

Default

None

Explanation

This command displays errors occurring during authentication; the information is
helpful for diagnosing problems.

Command mode

Supervisor mode

Example

switch#debug web-auth error

6.1.16 debug web-auth verbose

Syntax

debug web-auth verbose

Parameter

None

Default

None

Explanation

This command makes the output of debug web-auth event more detailed, and makes it
include the MAC address of the related event wherever possible.


Command mode

Privilege mode

Example

Switch#debug web-auth verbose

6.1.17 debug web-auth http event

Syntax

debug web-auth http event

Use the debug web-auth http event command to display HTTP events during
authentication.

Parameter

None

Default

None

Explanation

This command displays HTTP events occurring during authentication, such as an HTTP
request being received or a connection being disconnected.

Command mode

Supervisor mode

Example

switch#debug web-auth http event

6.1.18 debug web-auth http request

Syntax

debug web-auth http request

Use the debug web-auth http request command to dump the content of HTTP requests.


Parameter

None

Default

None

Explanation

This command dumps the content of the HTTP requests received during authentication.

Command mode

Supervisor mode

Example

switch#debug web-auth http request

6.1.19 debug web-auth http

Syntax

debug web-auth http

Use the debug web-auth http command to turn on all debug options related to HTTP
in web authentication.

Parameter

None

Default

None

Explanation

This command turns on all debug options related to HTTP in web authentication.

Command mode

Supervisor mode


Example

switch#debug web-auth http

6.1.20 debug web-auth

Syntax

debug web-auth

Use the debug web-auth command to turn on all debug options in web authentication.

Parameter

None

Default

None

Explanation

This command turns on all debug options in web authentication.

Command mode

Supervisor mode

Example

switch#debug web-auth
