# Command Line Reference: User Access And Authentication

## 802.1X Authentication Configuration
### show {dot1x|portal} accounting statistics

[command]
show {dot1x|portal} accounting statistics [{interface <interface> | mac <mac>}]

[purpose] Show accounting (billing) statistics.

[view] System view.

[use cases]

```
sonic# show dot1x accounting statistics
+-------------+-------------------+-------------+------------+
| interface   | mac addr          | rx packets  | rx bytes   |
+=============+===================+=============+============+
| ethernet1   | 00:00:02:01:01:02 | 4           | 360        |
+-------------+-------------------+-------------+------------+
```

### show {dot1x|portal} accounting statistics drop

[command]
show {dot1x|portal} accounting statistics drop

[purpose] View drop statistics for packets from users that have not passed dot1x authentication.

[view] System view.

[use cases]

```
sonic# show dot1x accounting statistics drop
+-------------+--------------+------------+
| interface   | drop packets | drop bytes |
+=============+==============+============+
| ethernet49  | 0            | 0          |
+-------------+--------------+------------+
```

### show {dot1x|portal} status

[command]
show {dot1x|portal} status
show {dot1x|portal} interface <interface name>

[purpose] View authenticated user information.

[view] System view.

[use cases]

```
sonic# show dot1x interface 1
+-------------+-------------------+------------+-------------+
| interface   | mac               | status     | auth type   |
+=============+===================+============+=============+
| ethernet1   | 00:00:02:01:01:02 | authorized | > 8021x     |
|             | 00:00:02:01:01:04 | authorized | 8021x       |
|             | 00:00:02:01:01:04 | authorized | > mab       |
+-------------+-------------------+------------+-------------+
```

Fields displayed by this command:

| field | value | description |
|---|---|---|
| status | authorized | authentication passed |
| | unauthorized | authentication failed |
| | timeout | the device sent an authentication packet but received no response from the server, and the authentication timed out |
| | escaped | escape user |
| | logoff | user offline |
| auth type | 8021x, mab | authentication method; `>` marks the method currently in effect, and authentication results do not preempt one another |

### show {dot1x|portal} server status

[command]
show {dot1x|portal} server status

[purpose] Display RADIUS server status.

[view] System view.

[usage scenario] A server can be in one of two states, active or inactive. Active means the RADIUS server is functioning normally and can authenticate users. Inactive means the server is experiencing issues; if users continue to authenticate, they come online in escape mode. Use this command to check the current connectivity status of the servers.

[notes] If all RADIUS servers configured on the device are inactive, the global escape function is triggered. After a server recovers, the device initiates one or more re-authentication attempts for escaped users until they come online normally or fail authentication and go offline.

[use cases]

```
sonic# show dot1x server status
+---------------+----------+
| server        | status   |
+===============+==========+
| 151.1.0.1     | active   |
+---------------+----------+
| 150.1.0.1     | active   |
+---------------+----------+
| detect result | active   |
+---------------+----------+
```

### show authentication radius server configuration

[command]
show authentication radius server configuration

[purpose] Display the configuration of the RADIUS servers.

[view] System view.

[use cases]

```
sonic# show authentication radius server configuration
+-----------------------+----------------------------------------+
| interface             | configuration                          |
+=======================+========================================+
| auth server           | server addr = 151.1.0.1                |
|                       | shared secret =                        |
|                       | source addr = 10.1.0.1                 |
|                       | vrf = default                          |
|                       | role = secondary                       |
+-----------------------+----------------------------------------+
| acct server           | server addr = 150.1.0.1                |
|                       | shared secret =                        |
|                       | source addr = 10.1.0.1                 |
|                       | vrf = default                          |
|                       | role = primary                         |
+-----------------------+----------------------------------------+
| auth server           | server addr = 150.1.0.1                |
|                       | shared secret =                        |
|                       | source addr = 10.1.0.1                 |
|                       | vrf = default                          |
|                       | role = primary                         |
+-----------------------+----------------------------------------+
| dynamic authorization | das enable = enable                    |
|                       | client addr = 0.0.0.0                  |
|                       | shared secret =                        |
|                       | das port = 3799                        |
+-----------------------+----------------------------------------+
| global                | server mode = master backup            |
|                       | timeout aging timer = 120              |
|                       | timeout reauth count = 1               |
|                       | timeout reauth period = 15             |
+-----------------------+----------------------------------------+
```

### show authentication dot1x configuration

[command]
show authentication dot1x configuration

[purpose] View the dot1x-related configuration.

[view] System view.

[use cases]

```
sonic# show authentication dot1x configuration
+---------------+-------------------------------+
| interface     | configuration                 |
+===============+===============================+
| ethernet1     | 8021x = enable                |
|               | dot1x mab = enable            |
|               | mab priority = low            |
|               | 8021x priority = high         |
+---------------+-------------------------------+
| detect server | detect server = enable        |
|               | testuser username = na        |
|               | testuser password =           |
|               | detect interval = 60          |
|               | detect timeout count = 3      |
+---------------+-------------------------------+
```

### show authentication portal configuration

[command]
show authentication portal configuration

[purpose] View the portal-related configuration.

[view] System view.

[use cases]

```
sonic# show authentication portal configuration
+----------------------+-------------------------------+
| interface            | configuration                 |
+======================+===============================+
| detect radius server | detect server = enable        |
|                      | testuser username = aaa       |
|                      | testuser password =           |
|                      | detect interval = 60          |
|                      | detect timeout count = 3      |
+----------------------+-------------------------------+
| portal protocol      | http                          |
+----------------------+-------------------------------+
| detect portal server | detect server = enable        |
|                      | detect interval = 60          |
|                      | detect timeout count = 3      |
+----------------------+-------------------------------+
```

### authentication enable

[command]
authentication enable

[purpose] Enable the authentication function.

[view] System configuration view.

[usage scenario] When access users need 802.1X or portal access authentication, the authentication function must first be enabled globally; the corresponding authentication services are configured afterwards.

[use cases]

```
sonic(config)# authentication enable
```

### authentication radius server [source]

[command]
authentication radius server <ip address> <share secret> [source <ip address>]
no authentication radius server <ip address>

[purpose] Configure the RADIUS server.

[parameter]

| parameter | description |
|---|---|
| ip address | server IP address |
| share secret | shared key between the device and the server |
| source ip address | source IP address the device uses when sending RADIUS packets to the server; using the address of the loopback0 port is recommended |

[view] System configuration view.

[use cases]

```
sonic(config)# authentication radius server 150.1.0.1 dot1x source 10.1.0.1
```

### authentication radius server server mode {master backup|polling}

[command]
authentication radius server server mode {master backup|polling}

[purpose] Configure the working mode of the servers in a multi-server scenario.

[parameter]

| parameter | description |
|---|---|
| master backup | master/backup mode |
| polling | polling (dual) mode |

[view] System configuration view.

[usage scenario] In an authentication environment with multiple authentication servers, the server working mode can be set to master backup or polling according to actual requirements.

[notes] In master backup mode, the device, on receiving EAPOL packets from clients, prioritises one server for authentication. In polling mode, the device duplicates the EAPOL packets and sends them to multiple servers simultaneously, then selects the server that responds first for the subsequent packet exchange.

[use cases]

```
sonic(config)# authentication radius server server mode polling
```

### authentication radius server accounting [source]

[command]
authentication radius server accounting <ip address> <share secret> [source <ip address>]
no authentication radius server accounting <ip address>

[purpose] Configure the RADIUS accounting (billing) server.

[parameter]

| parameter | description |
|---|---|
| ip address | server IP address |
| share secret | shared key between the device and the server |
| source ip address | source IP address the device uses when sending RADIUS packets to the server; using the address of the loopback0 port is recommended |

[view] System configuration view.

[use cases]

```
sonic(config)# dot1x radius server accounting 150.1.0.1 dot1x source 10.1.0.1
```

### authentication radius server dot1x detect server

[command]
authentication radius server dot1x detect server enable
authentication radius server dot1x detect server interval <value>
authentication radius server dot1x detect server timeout count <value>
no authentication radius server dot1x detect server enable

[purpose] Configure RADIUS server detection.

[parameter]

| parameter | description |
|---|---|
| enable | enable the server detection function |
| interval <value> | detection period of the server, range 30-3600 s |
| timeout count <value> | maximum number of consecutive non-responses in each probe cycle of the server, range 2-50 |

[view] System configuration view.

[usage scenario] When the number of failed probes in a probe cycle reaches the maximum number of consecutive non-responses, the device judges that it is disconnected from that RADIUS server. If all RADIUS servers configured on the device are disconnected, a newly online terminal is treated as an escape user. When a RADIUS server resumes connection, users marked as escaped must be re-authenticated.

[use cases]

```
sonic(config)# dot1x radius server detect server enable
sonic(config)# dot1x radius server detect server interval 100
sonic(config)# dot1x radius server detect server timeout count 3
```

### authentication portal server {primary|secondary}

[command]
authentication portal server <server url> {primary|secondary}

[purpose] Configure the portal server.

[parameter]

| parameter | description |
|---|---|
| server url | URL of the portal server |
| primary | designate the server as the primary server |
| secondary | designate the server as the secondary server |

[view] System configuration view.

[use cases]

```
sonic(config)# authentication portal server http://192.168.0.1:8080/login
```

### authentication dot1x enable

[command]
authentication dot1x enable
no authentication dot1x enable

[purpose] Enable the dot1x authentication function.

[view] Interface view.

[use cases]

```
sonic(config)# interface ethernet 1
sonic(config-if-1)# authentication dot1x enable
```

### authentication dot1x eap type {peap|tls} enable

[command]
authentication dot1x eap type {peap|tls} enable
no authentication dot1x eap type {peap|tls} enable

[purpose] Turn a dot1x EAP authentication method on or off.

[view] System configuration view.

[usage scenario] By default the device supports the PEAP, TLS and MD5 authentication methods, and all of them are enabled when dot1x authentication is enabled. PEAP and TLS can be disabled; once a method is disabled, authentication cannot be passed using that method.

[use cases]

```
sonic(config)# dot1x enable
sonic(config)# interface ethernet 1
sonic(config-if-1)# authentication dot1x enable
sonic(config-if-1)# no authentication dot1x eap type tls enable
```

### authentication dot1x mac bypass enable

[command]
authentication dot1x mac bypass enable
no authentication dot1x mac bypass enable

[purpose] Enable MAC bypass authentication on the interface.

[view] Interface view.

[usage scenario] Terminals that cannot install and run 802.1X client software, such as printers, can be authenticated with MAC bypass authentication.

[notes] Enabling MAC bypass authentication requires dot1x authentication to be enabled at the same time.

[use cases]

```
sonic(config)# interface ethernet 1
sonic(config-if-1)# authentication dot1x mac bypass enable
```
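The `show {dot1x|portal} interface` output above is what an operator polls to spot escaped and timed-out users. The following parser is an added example, not code from the switch or its vendor: it reads that table into records, resolves the `>` marker to the method in effect, and lists the users that need follow-up. The sample output is constructed after the page's table layout (the MAC addresses and the `ethernet2` rows are invented) and the status set is taken from the description table above.

```python
"""Parser for the 'show {dot1x|portal} interface' output shown above.
Added example for monitoring, not part of the switch software.  The sample
output is constructed after the page's table; it adds 'escaped' and
'timeout' rows, which the page's status description lists but its sample
output does not show."""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample, modelled on the page's table layout.
SAMPLE = """\
+-------------+-------------------+--------------+-------------+
| interface   | mac               | status       | auth type   |
+=============+===================+==============+=============+
| ethernet1   | 00:00:02:01:01:02 | authorized   | > 8021x     |
|             | 00:00:02:01:01:04 | authorized   | 8021x       |
|             | 00:00:02:01:01:04 | authorized   | > mab       |
+-------------+-------------------+--------------+-------------+
| ethernet2   | 00:00:02:01:01:09 | escaped      | > 8021x     |
|             | 00:00:02:01:01:0a | timeout      | > mab       |
+-------------+-------------------+--------------+-------------+
"""

# Status values from the description table above the sample output.
KNOWN_STATUS = {"authorized", "unauthorized", "timeout", "escaped", "logoff"}
NEEDS_ATTENTION = {"escaped", "timeout"}


def parse_status_table(text: str) -> List[Dict[str, object]]:
    """One record per row.  A blank interface cell continues the previous
    row's interface; a leading '>' in the auth type column marks the method
    currently in effect."""
    records: List[Dict[str, object]] = []
    interface = ""
    for line in text.splitlines():
        if not line.startswith("|"):
            continue                                   # +---- border rows
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "interface":
            continue                                   # header row
        iface, mac, status, auth = cells
        interface = iface or interface
        if status not in KNOWN_STATUS:
            raise ValueError(f"unexpected status {status!r} for {mac}")
        records.append({
            "interface": interface,
            "mac": mac.lower(),
            "status": status,
            "auth_type": auth.lstrip("> ").strip(),
            "in_effect": auth.startswith(">"),
        })
    return records


def effective_methods(records: List[Dict[str, object]]) -> Dict[str, str]:
    """MAC -> the authentication method marked '>' (the one in effect).
    A MAC that passed both 8021x and mab appears twice; only one row carries '>'."""
    return {str(r["mac"]): str(r["auth_type"]) for r in records if r["in_effect"]}


def summarize(records: List[Dict[str, object]]) -> Tuple[Dict[str, int], List[Tuple[str, str, str]]]:
    """Status counts plus the users an operator should follow up: escaped users
    must be re-authenticated once a RADIUS server recovers, and timed-out users
    never received a server reply."""
    counts = Counter(str(r["status"]) for r in records)
    attention = [(str(r["interface"]), str(r["mac"]), str(r["status"]))
                 for r in records if r["status"] in NEEDS_ATTENTION]
    return dict(counts), attention


if __name__ == "__main__":
    rows = parse_status_table(SAMPLE)
    print(summarize(rows))
    print(effective_methods(rows))
```

The parser rejects any status value outside the documented set rather than silently counting it, so a firmware change to the table is noticed instead of being swallowed by a monitoring job.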
### authentication dot1x guest vlan

[command]
authentication dot1x guest vlan <vlan id>

[purpose] Treat packets received on the interface that belong to the specified VLAN as authorized, so that dot1x allows their traffic.

[parameter]

| parameter | description |
|---|---|
| vlan id | the VLAN ID |

[view] Interface view.

[usage scenario] After this feature is configured, users carrying the specified VLAN on this interface are always in the authorized state and can access network resources without authentication. This suits scenarios in which the users on the interface are fully trusted. It can also be combined with the ACL function to control access to specific resources by users that are not authenticated.

[notes] The guest VLAN must be a VLAN that the interface has already joined.

[use cases]

```
sonic(config)# interface ethernet 1
sonic(config-if-1)# authentication dot1x guest vlan 10
```

### authentication dot1x restrict vlan

[command]
authentication dot1x restrict vlan <vlan id>

[purpose] Configure the restrict VLAN for the interface.

[view] Interface view.

[usage scenario] After this feature is configured, when a user on the interface fails authentication, the interface is automatically added to the restrict VLAN in access mode. This allows access to specific network resources in the restrict VLAN even after the user's authentication has failed.

[notes] The interface is only added to the restrict VLAN in access mode. The restrict VLAN cannot be a VLAN of which the interface is already a member.

[use cases]

```
sonic(config)# interface ethernet 1
sonic(config-if-1)# dot1x authentication restrict vlan 10
```

### authentication dot1x priority {dot1x|mab} {dot1x|mab}

[command]
authentication dot1x priority {dot1x|mab} {dot1x|mab}

[purpose] Specify the priority of dot1x and MAC bypass authentication.

[view] Interface view.

[usage scenario] When both dot1x and MAC bypass authentication are enabled on an interface, giving dot1x a higher priority than MAC bypass lets the device start MAC authentication for a user if dot1x authentication times out.

[notes] The first parameter designates the authentication method with the higher priority. By default, if both dot1x and MAC bypass authentication are enabled on an interface, network access is granted when either authentication method succeeds.

[use cases]

```
sonic(config)# interface ethernet 1
sonic(config-if-1)# authentication dot1x enable
sonic(config-if-1)# authentication dot1x mac bypass enable
sonic(config-if-1)# authentication dot1x priority dot1x mab
```

### authentication dot1x reauthenticate period

[command]
authentication dot1x reauthenticate period <value>

[purpose] Configure the 802.1X re-authentication period for the interface.

[parameter]

| parameter | description |
|---|---|
| value | range 2-2000 or 0, unit: min |

[view] Interface view.

[notes] A value of 0 turns off 802.1X re-authentication on the interface.

[use cases]

```
sonic(config)# interface ethernet 1
sonic(config-if-1)# authentication dot1x reauthenticate period 2000
```

### authentication dot1x accounting realtime

[command]
authentication dot1x accounting realtime <value>

[purpose] Configure the real-time upload period for the accounting (billing) server.

[parameter]

| parameter | description |
|---|---|
| value | range 2-2000 or 0 |

[view] Interface view.

[usage scenario] After periodic re-authentication for 802.1X is enabled on a port, the device periodically re-authenticates the 802.1X users that have successfully authenticated on that port. This ensures that when authorization information changes, users are promptly re-authenticated and their authorization information updated.

[notes] A value of 0 disables the real-time upload function.

[use cases]

```
sonic(config)# interface ethernet 1
sonic(config-if-1)# authentication dot1x accounting realtime 2000
```

### authentication dot1x dhcp {deny|permit}

[command]
authentication dot1x dhcp {deny|permit}

[purpose] Block DHCP messages until authentication succeeds.

[view] Interface view.

[use cases]

```
sonic(config)# interface ethernet 1
sonic(config-if-1)# authentication dot1x dhcp deny
```

### authentication dot1x reget ip

[command]
authentication dot1x reget ip

[purpose] After this command is configured, when a terminal authenticates successfully and is assigned an authorized VLAN, the system automatically brings the interface down and then up to force the terminal to renew its IP address.

[view] Interface view.

[use cases]

```
sonic(config)# interface ethernet 1
sonic(config-if-1)# authentication dot1x reget ip
```

### authentication portal enable

[command]
authentication portal enable
no authentication portal enable

[purpose] Enable the portal authentication function.

[view] Interface view.

[notes] dot1x authentication and portal authentication cannot be enabled simultaneously on an interface.

[use cases]

```
sonic(config)# interface ethernet 1
sonic(config-if-1)# authentication portal enable
```

### authentication portal mac bypass enable

[command]
authentication portal mac bypass enable
no authentication portal mac bypass enable

[purpose] Enable portal MAC bypass authentication on the interface.

[view] Interface view.

[notes] Enabling MAC bypass authentication requires portal authentication to be enabled at the same time.

[use cases]

```
sonic(config)# interface ethernet 1
sonic(config-if-1)# authentication portal mac bypass enable
```

### authentication portal guest vlan

[command]
authentication portal guest vlan <vlan id>

[purpose] Treat incoming packets on the interface that belong to the specified VLAN as being in the forced-authorized state.

[view] Interface view.

[usage scenario] After this feature is configured, users on the interface carrying the specified VLAN remain in the authorized state and can access network resources without authentication. This suits scenarios in which the users on the interface are fully trusted. It can also be combined with the ACL (access control list) function to control access to specific resources by users that are not authenticated.

[notes] The guest VLAN must be a VLAN that the interface has already joined.

[use cases]

```
sonic(config)# interface ethernet 1
sonic(config-if-1)# switchport access vlan 10
sonic(config-if-1)# authentication portal guest vlan 10
```

### authentication portal restrict vlan

[command]
authentication portal restrict vlan <vlan id>

[purpose] Configure the restrict VLAN for the interface.

[view] Interface view.

[usage scenario] After this feature is configured, when a user's authentication fails on the interface, the interface is automatically added to the restrict VLAN in access mode. This allows the user to access specific network resources within the restrict VLAN even after authentication failure.

[notes] The interface is only added to the restrict VLAN in access mode. The restrict VLAN cannot be a VLAN that the interface has already joined.

[use cases]

```
sonic(config)# interface ethernet 1
sonic(config-if-1)# authentication portal restrict vlan 10
```

### authentication portal reauthenticate period

[command]
authentication portal reauthenticate period <value>

[purpose] Configure the portal re-authentication period for the interface.

[parameter]

| parameter | description |
|---|---|
| value | range 2-2000 or 0, unit: min |

[view] Interface view.

[notes] A value of 0 turns off portal re-authentication on the interface.

[use cases]

```
sonic(config)# interface ethernet 1
sonic(config-if-1)# authentication portal reauthenticate period 2000
```

### authentication timeout user aging timer

[command]
authentication timeout user aging timer <clear timer>

[purpose] Configure the aging time for timed-out users.

[view] System view.

[usage scenario] When the device receives an authentication request from a terminal and does not receive a response from the server within a certain period, the terminal's status is marked as timed out.

[use cases]

```
sonic(config)# authentication timeout user aging timer 300
```

### authentication timeout user reauth period

[command]
authentication timeout user reauth period <reauth period>

[purpose] Configure the re-authentication interval for timed-out users.

[parameter]

| parameter | description |
|---|---|
| reauth period | unit: seconds; range 5-15; default 15 |

[view] System configuration view.

[usage scenario] After a client initiates an authentication request to the device, this timer starts. If the device receives no response from the client within the timer's duration, it re-initiates the authentication request. When a user is marked as timed out, the device initiates re-authentication at the frequency specified by this command.

[use cases]

```
sonic(config)# authentication timeout user reauth period 20
```

### authentication timeout user reauth count

[command]
authentication timeout user reauth count <reauth count>

[purpose] Configure the number of re-authentication attempts for timed-out users.

[parameter]

| parameter | description |
|---|---|
| reauth count | number of re-authentication attempts; range 1-60; default 1 |

[view] System configuration view.

[usage scenario] Because of network fluctuations or unstable links, authentication request packets may not reach the server, so authentication on the device side fails. To cover such cases, the number of re-authentication attempts for timed-out users can be configured. When a user is marked as timed out, the device initiates re-authentication at the configured frequency for the number of attempts specified by this command.

[use cases]

```
sonic(config)# authentication timeout user reauth count 3
```

### authentication reset {dot1x|portal}

[command]
authentication reset {dot1x|portal} {<interface name> | nn:nn:nn:nn:nn:nn}

[purpose] Force user logout.

[view] System configuration view.

[usage scenario] When redeploying services or troubleshooting, after the corresponding corrective measures have been applied, this command can be used to force all users to log out. The users then re-authenticate, and the results can be queried to determine whether authentication is normal and whether the issue has been resolved.

[use cases]

```
sonic(config)# authentication reset dot1x 1
```
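The server detection, global escape and timed-out-user re-authentication entries above describe one state machine: consecutive unanswered probes mark a server inactive, all servers inactive puts new terminals into escape mode, and a recovered server triggers re-authentication at the configured reauth period for the configured reauth count. The following model is an added example, not the switch's own code. It assumes that probe results and RADIUS decisions are supplied by the caller, that a single answered probe returns a server to the active state, and that escaped users are retried with the same reauth count and period that the page documents for timed-out users; the MAC address and server addresses in `demo()` are constructed.

```python
"""Model of the behaviour described above for RADIUS server detection
(authentication radius server dot1x detect server), global escape (show
server status) and re-authentication of timed-out users (authentication
timeout user reauth period / reauth count).  Added example, not the
switch's own code.  Assumptions: probe results and RADIUS decisions are
supplied by the caller, one answered probe marks a server active again,
and escaped users are retried with the same reauth count and period as
timed-out users."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Value ranges from the parameter tables above.
TIMEOUT_COUNT_RANGE = (2, 50)   # detect server timeout count (consecutive non-responses)
REAUTH_PERIOD_RANGE = (5, 15)   # timeout user reauth period, seconds
REAUTH_COUNT_RANGE = (1, 60)    # timeout user reauth count, attempts


def checked(name: str, value: int, rng: Tuple[int, int]) -> int:
    """Reject a value outside the documented range, as the CLI would."""
    lo, hi = rng
    if not lo <= value <= hi:
        raise ValueError(f"{name} {value} outside {lo}-{hi}")
    return value


@dataclass
class RadiusServer:
    addr: str
    misses: int = 0          # consecutive probes without a response
    status: str = "active"   # "active" or "inactive", as shown by show dot1x server status


@dataclass
class AuthDevice:
    servers: List[RadiusServer]
    timeout_count: int = 3
    reauth_period: int = 15
    reauth_count: int = 1
    users: Dict[str, str] = field(default_factory=dict)   # mac -> status

    def __post_init__(self) -> None:
        checked("timeout count", self.timeout_count, TIMEOUT_COUNT_RANGE)
        checked("reauth period", self.reauth_period, REAUTH_PERIOD_RANGE)
        checked("reauth count", self.reauth_count, REAUTH_COUNT_RANGE)

    def probe(self, addr: str, responded: bool) -> str:
        """Record one detection probe; timeout_count consecutive misses mark the server inactive."""
        srv = next(s for s in self.servers if s.addr == addr)
        if responded:
            srv.misses, srv.status = 0, "active"
        else:
            srv.misses += 1
            if srv.misses >= self.timeout_count:
                srv.status = "inactive"
        return srv.status

    def global_escape(self) -> bool:
        """Global escape is triggered only when every configured server is inactive."""
        return all(s.status == "inactive" for s in self.servers)

    def user_online(self, mac: str) -> str:
        """A terminal coming online while all servers are down is admitted as an escape user."""
        self.users[mac] = "escaped" if self.global_escape() else "authorized"
        return self.users[mac]

    def reauthenticate(self, mac: str,
                       decide: Callable[[str, int], Optional[bool]]) -> Tuple[str, int]:
        """Retry an escaped or timed-out user up to reauth_count times, reauth_period
        seconds apart.  decide(mac, attempt) returns True (accept), False (reject)
        or None (no reply).  Returns (final status, seconds spent waiting)."""
        waited = 0
        for attempt in range(1, self.reauth_count + 1):
            result = decide(mac, attempt)
            if result is True:
                self.users[mac] = "authorized"   # back online normally
                return self.users[mac], waited
            if result is False:
                self.users[mac] = "logoff"       # authentication failed: user goes offline
                return self.users[mac], waited
            waited += self.reauth_period         # no reply: wait one period and retry
        self.users[mac] = "timeout"              # still no server reply after all attempts
        return self.users[mac], waited


def demo() -> Dict[str, object]:
    """Both servers stop answering, a terminal escapes, one server recovers."""
    dev = AuthDevice([RadiusServer("151.1.0.1"), RadiusServer("150.1.0.1")],
                     timeout_count=3, reauth_period=5, reauth_count=3)
    for _ in range(3):                           # three unanswered probes each
        dev.probe("151.1.0.1", False)
        dev.probe("150.1.0.1", False)
    first = dev.user_online("00:00:02:01:01:02")   # constructed MAC
    dev.probe("150.1.0.1", True)                   # one server answers again
    # constructed RADIUS behaviour: first retry unanswered, second accepted
    status, waited = dev.reauthenticate(
        "00:00:02:01:01:02", lambda mac, n: None if n == 1 else True)
    return {"on_arrival": first, "after_recovery": status,
            "waited": waited, "escape_now": dev.global_escape()}


if __name__ == "__main__":
    print(demo())
```

The model makes the operational consequence of the timeout count visible: with `timeout count 3` and `interval 100`, a server is only declared inactive after 300 seconds of silence, and escape mode begins only when the last configured server crosses that threshold, which is why the `detect result` row of `show dot1x server status` is worth alerting on separately from the per-server rows.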
