User Access And Authentication

[Command]
show local-user brief

[Purpose]
Display local user information

[View]
System view

[Use Cases]

sonic# show local-user brief
USER   ONLINE  BLOCKED  LOGIN IP   LOGIN TIME
admin  yes     no                  Nov 3 17:24
admin  yes     no       150.1.0.1  Nov 4 23:20
test   no      yes

Field description for the show local-user brief output:

Field       Description
----------  -----------
ONLINE      Whether the user is currently online: yes = online, no = not online
BLOCKED     Whether the user is currently locked out: yes = locked, no = unlocked
LOGIN IP    IP address from which the user logged in to the device. If the user is online and LOGIN IP is empty, the user logged in through the serial (console) port.
LOGIN TIME  Time at which the user logged in to the device

[Command]
show local-user block-conf

[Purpose]
Displays the device’s configured method for processing successive incorrect password entries by the user

[View]
System view

[Use Cases]

sonic# show local-user block-conf
+-------------+---------+
| PARAMETER   | VALUE   |
+=============+=========+
| retry-count | 5       |
+-------------+---------+
| block-time  | 5       |
+-------------+---------+

[Command]
show local-user blocked

[Purpose]
Show locked users

[View]
System view

[Use Cases]

sonic# show local-user blocked
Login  Failures  Latest failure     From
test   8         11/05/16 00:42:56  150.1.0.1

[Command]
show local-user password-control

[Purpose]
Show user password complexity configuration

[View]
System view

[Use Cases]

sonic# show local-user password-control
+---------------+--------+---------------+---------------+------------+-------------------+
| PASSWD_CONTRO | MINLEN | MIN_LOWERCASE | MIN_UPPERCASE | MIN_DIGITS | MIN_SPECIAL_CHARS |
+===============+========+===============+===============+============+===================+
| disable       | 8      | 0             | 0             | 0          | 0                 |
+---------------+--------+---------------+---------------+------------+-------------------+

[Command]
local-user name name passwd password
no local-user

[Purpose]
Create local user

[Parameter]

Parameter  Description
---------  -----------
name       Username
password   Password

[View]
System configuration view

[Use Cases]

sonic(config)# local-user name test passwd testuser

[Command]
local-user block-time time

[Purpose]
Configure how long a local user account stays locked after the allowed number of consecutive incorrect password entries is exceeded

[Parameter]

Parameter  Description
---------  -----------
time       Value range: 1-65535, unit: minutes

[View]
System configuration view

[Notes]
Locked for 5 minutes by default.

[Use Cases]

sonic(config)# local-user block-time 5

[Command]
local-user retry-count count
no local-user retry-count

[Purpose]
Configure a limit on the number of consecutive incorrect password entries for local users

[Parameter]

Parameter  Description
---------  -----------
count      Value range: 2-65535

[View]
System configuration view

[Notes]
By default, 5 attempts are allowed

[Use Cases]

sonic(config)# local-user retry-count 5
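
The block-time and retry-count commands above define one lockout policy: retry-count wrong passwords in a row lock the account for block-time minutes, and show local-user blocked lists who is locked, with how many failures, when and from where. The Python below is an added example, not the device's own code, that models that policy over a constructed sequence of login attempts; it assumes that attempts made while the account is locked are still counted as failures, which is how the blocked row on this page can show 8 failures against a retry-count of 5.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class LockoutPolicy:
    retry_count: int = 5     # local-user retry-count (default 5)
    block_time_min: int = 5  # local-user block-time, in minutes (default 5)


@dataclass
class UserState:
    failures: int = 0
    blocked_until: Optional[datetime] = None
    latest_failure: Optional[datetime] = None
    latest_from: str = ""


class LocalUserLockout:
    """Counts consecutive wrong passwords per local user and locks the account for
    block_time_min once retry_count is reached (a constructed model of the page's
    retry-count / block-time behaviour, not the device's own code)."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.users: Dict[str, UserState] = {}

    def is_blocked(self, name: str, now: datetime) -> bool:
        st = self.users.get(name)
        return st is not None and st.blocked_until is not None and now < st.blocked_until

    def attempt(self, name: str, password_ok: bool, src_ip: str, now: datetime) -> str:
        st = self.users.setdefault(name, UserState())
        if self.is_blocked(name, now):
            # Rejected without checking the password. Assumption: attempts made while
            # locked are still counted, which is how a blocked user can show more
            # failures than retry-count (8 versus 5 in the page's output).
            st.failures += 1
            st.latest_failure, st.latest_from = now, src_ip
            return "blocked"
        if st.blocked_until is not None:
            # block-time has elapsed: the counter starts again from zero
            st.blocked_until = None
            st.failures = 0
        if password_ok:
            st.failures = 0
            return "ok"
        st.failures += 1
        st.latest_failure, st.latest_from = now, src_ip
        if st.failures >= self.policy.retry_count:
            st.blocked_until = now + timedelta(minutes=self.policy.block_time_min)
            return "locked"
        return "fail"

    def blocked_report(self, now: datetime) -> List[str]:
        """Rows in the shape of 'show local-user blocked'."""
        return [
            f"{name} {st.failures} {st.latest_failure:%m/%d/%y %H:%M:%S} {st.latest_from}"
            for name, st in self.users.items()
            if self.is_blocked(name, now)
        ]


def demo() -> dict:
    """Constructed sequence: five wrong passwords from 150.1.0.1, then the correct
    password once inside and once after the 5-minute lock window."""
    t0 = datetime(2016, 11, 5, 0, 42, 50)
    lo = LocalUserLockout(LockoutPolicy(retry_count=5, block_time_min=5))
    outcomes = [lo.attempt("test", False, "150.1.0.1", t0 + timedelta(seconds=i)) for i in range(5)]
    blocked = lo.blocked_report(t0 + timedelta(seconds=10))   # taken while locked
    outcomes.append(lo.attempt("test", True, "150.1.0.1", t0 + timedelta(minutes=1)))  # still locked
    outcomes.append(lo.attempt("test", True, "150.1.0.1", t0 + timedelta(minutes=6)))  # lock expired
    return {"outcomes": outcomes, "blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

The fifth wrong password returns "locked"; a correct password one minute later is still refused, and only after the 5-minute block-time does the correct password succeed and reset the counter.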

[Command]
local-user password-control enable
no local-user password-control enable

[Purpose]
Enable the local user password complexity check

[View]
System configuration view

[Notes]
To prevent passwords from being cracked by malicious users through brute-force attacks, you can configure the complexity requirements for local user passwords.

[Use Cases]

sonic(config)# local-user password-control enable

[Command]
local-user password-control min-len length
no local-user password-control min-len

[Purpose]
Set the minimum length for local user passwords.

[Parameter]

Parameter  Description
---------  -----------
length     Value range: 8-64, default: 8

[View]
System configuration view

[Use Cases]

sonic(config)# local-user password-control min-len 10

[Command]
local-user password-control min-lowercase num
no local-user password-control min-lowercase

[Purpose]
Set the minimum lowercase letter requirement for local user passwords.

[Parameter]

Parameter  Description
---------  -----------
num        Value range: 1-10, default: 0

[View]
System configuration view

[Use Cases]

sonic(config)# local-user password-control min-lowercase 1

[Command]
local-user password-control min-uppercase num
no local-user password-control min-uppercase

[Purpose]
Set the minimum number of uppercase letters required for local user passwords.

[Parameter]

Parameter  Description
---------  -----------
num        Value range: 1-10, default: 0

[View]
System configuration view

[Use Cases]

sonic(config)# local-user password-control min-uppercase 1

[Command]
local-user password-control min-digits num
no local-user password-control min-digits

[Purpose]
Set the minimum number of digits required in local user passwords.

[Parameter]

Parameter  Description
---------  -----------
num        Value range: 1-10, default: 0

[View]
System configuration view

[Use Cases]

sonic(config)# local-user password-control min-digits 1

[Command]
local-user password-control min-special-chars num
no local-user password-control min-special-chars

[Purpose]
Set the minimum number of special characters required in local user passwords.

[Parameter]

Parameter  Description
---------  -----------
num        Value range: 1-10; counted special characters: ~!@#$%^*-_=+:/,.

[View]
System configuration view

[Use Cases]

sonic(config)# local-user password-control min-special-chars 1
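
The password-control commands above make up one policy: an on/off switch plus five minimum-count rules. The Python below is an added example, not the device's implementation: it parses those command lines in the page's syntax into a policy record, rejects out-of-range values using the ranges from the parameter tables, and reports which rules a candidate password violates. It counts ASCII letters and digits, uses the special-character set listed under min-special-chars, and assumes that no rule is enforced while the feature is disabled.

```python
from dataclasses import dataclass
from typing import List

# Character classes the complexity rules count. The special set is the one
# listed on the page for min-special-chars.
LOWER = set("abcdefghijklmnopqrstuvwxyz")
UPPER = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ")
DIGITS = set("0123456789")
SPECIAL_CHARS = set("~!@#$%^*-_=+:/,.")

# Allowed ranges from the parameter tables (min-len 8-64, the counts 1-10).
RANGES = {"min_len": (8, 64), "min_lowercase": (1, 10), "min_uppercase": (1, 10),
          "min_digits": (1, 10), "min_special_chars": (1, 10)}


@dataclass
class PasswordControl:
    """One record in the shape of 'show local-user password-control'."""
    enabled: bool = False       # local-user password-control enable
    min_len: int = 8
    min_lowercase: int = 0
    min_uppercase: int = 0
    min_digits: int = 0
    min_special_chars: int = 0


def apply_cli(policy: PasswordControl, lines: List[str]) -> PasswordControl:
    """Apply 'local-user password-control ...' lines in the page's syntax to a
    policy. A 'no' form restores the default for that field."""
    defaults = PasswordControl()
    for line in lines:
        words = line.split()
        negate = words[0] == "no"
        if negate:
            words = words[1:]
        if words[:2] != ["local-user", "password-control"] or len(words) < 3:
            raise ValueError(f"not a password-control command: {line!r}")
        key = words[2]
        if key == "enable":
            policy.enabled = not negate
            continue
        attr = key.replace("-", "_")
        if attr not in RANGES:
            raise ValueError(f"unknown password-control option: {key}")
        if negate:
            setattr(policy, attr, getattr(defaults, attr))
            continue
        if len(words) < 4:
            raise ValueError(f"missing value: {line!r}")
        value = int(words[3])
        low, high = RANGES[attr]
        if not low <= value <= high:
            raise ValueError(f"{key} must be in {low}-{high}, got {value}")
        setattr(policy, attr, value)
    return policy


def check_password(password: str, policy: PasswordControl) -> List[str]:
    """Return the rules the candidate password violates; an empty list means it
    is accepted. Assumption: with the feature disabled no rule is enforced."""
    if not policy.enabled:
        return []
    counts = {
        "min-len": len(password),
        "min-lowercase": sum(c in LOWER for c in password),
        "min-uppercase": sum(c in UPPER for c in password),
        "min-digits": sum(c in DIGITS for c in password),
        "min-special-chars": sum(c in SPECIAL_CHARS for c in password),
    }
    required = {
        "min-len": policy.min_len,
        "min-lowercase": policy.min_lowercase,
        "min-uppercase": policy.min_uppercase,
        "min-digits": policy.min_digits,
        "min-special-chars": policy.min_special_chars,
    }
    return [rule for rule, need in required.items() if counts[rule] < need]


if __name__ == "__main__":
    # Constructed configuration: the page's use cases with min-len 10.
    cfg = apply_cli(PasswordControl(), [
        "local-user password-control enable",
        "local-user password-control min-len 10",
        "local-user password-control min-lowercase 1",
        "local-user password-control min-uppercase 1",
        "local-user password-control min-digits 1",
        "local-user password-control min-special-chars 1",
    ])
    print(check_password("password", cfg))   # rules an all-lowercase password fails
```

Characters outside the four classes (a space, for instance) are neither counted nor rejected here; whether the device accepts them is not stated on the page.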

[Command]
telnet max session count

[Purpose]
Set the maximum number of telnet user sessions

[Parameter]

Parameter  Description
---------  -----------
count      Value range: 1-100, default: 10

[View]
System configuration view

[Use Cases]

sonic(config)# telnet max session 5

[Command]
ssh max session count

[Purpose]
Set the maximum number of SSH user sessions

[Parameter]

Parameter  Description
---------  -----------
count      Value range: 1-100, default: 10

[View]
System configuration view

[Use Cases]

sonic(config)# ssh max session 5

[Command]
show aaa

[Purpose]
View the authentication, authorization and accounting (AAA) settings configured on the device

[View]
System view

[Use Cases]

sonic# show aaa
AAA accounting debug False
AAA accounting command local (default)
AAA authentication debug False
AAA authentication login tacacs+,local
AAA authentication failthrough True
AAA authentication fallback True
AAA authorization debug False
AAA authorization auth_cmd False
AAA authorization command tacacs+,local
AAA authorization auth_service True

[Command]
aaa accounting command {tacacs+|radius|local|default}

[Purpose]
Configure the AAA command accounting method

[Parameter]

Parameter  Description
---------  -----------
tacacs+    Command accounting using TACACS+
radius     Command accounting using RADIUS
local      Local accounting
default    Reset to the default value (local accounting)

[View]
System configuration view

[Notes]
After enabling TACACS+ or RADIUS auditing, commands executed by users at the command line will be logged on the TACACS+ server or RADIUS server.

[Important Notes]

TACACS+ and local authentication can be used independently or in combination. RADIUS and local authentication can be used independently or in combination. TACACS+ and RADIUS cannot be used in combination.

Configure the accounting mode to match the authentication mode: either both use local, or both use TACACS+, or both use RADIUS.

[Use Cases]

sonic(config)# aaa accounting command local tacacs+

[Command]
aaa authentication debug enable
no aaa authentication debug enable

[Purpose]
Enable user authentication debug information

[View]
System configuration view

[Notes]

When users enable authentication debug information, corresponding authentication details for each user will be logged to the /var/log/syslog file during the authentication process.

[Use Cases]

sonic(config)# aaa authentication debug enable

[Command]
aaa authentication failthrough {enable|default}
no aaa authentication failthrough enable

[Purpose]
Enable fail-through

[View]
System configuration view

[Notes]

Configure this command when multiple TACACS+ servers are set up and TACACS+ authentication is enabled. This configuration allows authentication requests to proceed to the next server if the first server fails, continuing until a server responds or all configured servers have been polled. If this option is disabled and authentication fails on the first server, the authentication process stops and login to the device is denied.

Configure this command when both TACACS+ authentication and local authentication are enabled. After TACACS+ server authentication fails, the device will then attempt authentication with the local server.

[Use Cases]

sonic(config)# aaa authentication failthrough enable

[Command]
aaa authentication fallback {enable|default}
no aaa authentication fallback enable

[Purpose]
Enable fallback

[View]
System configuration view

[Notes]
Configure this command when multiple TACACS+ servers are set up and TACACS+ authentication is enabled. This enables sequential authentication attempts when certain TACACS+ servers become inaccessible. Without this feature enabled, authentication occurs only on the highest-priority TACACS+ server; if authentication fails, the device login process will not proceed normally.

[Use Cases]

sonic(config)# aaa authentication fallback enable

[Command]
aaa authentication login {tacacs+|radius|local|default}

[Purpose]
Configure the AAA login authentication method

[Parameter]

Parameter  Description
---------  -----------
tacacs+    Remote authentication through a TACACS+ server
radius     Remote authentication through a RADIUS server
local      Local authentication
default    Reset to the default value (local authentication only)

[View]
System configuration view

[Notes]
In enterprise networks, to protect network security, user identities must be verified to ensure only authorized users can access network resources. This command allows administrators to select the authentication method for user logins based on specific scenarios, thereby enhancing network security and management efficiency.

[Important Notes]

TACACS+, RADIUS, and local are optional parameters that can be configured individually or in combination, but TACACS+ and RADIUS cannot be configured simultaneously.

[Use Cases]

sonic(config)# aaa authentication login tacacs+ local
sonic(config)# aaa authentication login radius local
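
The failthrough and fallback options and the login method list above decide together what happens when a TACACS+ server is unreachable or rejects a login. The Python below is an added example, not SONiC's AAA code, that walks a method list the way the notes describe, with constructed server responders standing in for the network exchange. It assumes priority 1 is tried first and that, when every TACACS+ server is unreachable, the next method in the list is tried; the function names and the local user dictionary are constructed for the example.

```python
from typing import Callable, Dict, List, Tuple

# A TACACS+ server is (ip, priority, responder). The responder stands in for the
# network exchange and returns "accept", "reject" or "timeout" (unreachable); it
# is constructed for the example and contacts no real server.
Responder = Callable[[str, str], str]
Server = Tuple[str, int, Responder]


def fixed(answer: str) -> Responder:
    """Responder that always gives the same answer."""
    return lambda user, password: answer


def authenticate_login(methods: List[str], servers: List[Server], local_users: Dict[str, str],
                       failthrough: bool, fallback: bool, user: str, password: str) -> Tuple[str, str]:
    """Evaluate an 'aaa authentication login' method list as the page describes it:
    - fallback: an unreachable TACACS+ server is skipped and the next one tried; with it
      disabled only the highest-priority server is consulted and a timeout denies login.
    - failthrough: a rejection moves on to the next server, and after the last server to
      the next method (local); with it disabled the first rejection ends the process.
    Assumptions: priority 1 is tried first, and when every server is unreachable the
    next method in the list is tried. Returns (decision, reason)."""
    for method in methods:
        if method == "tacacs+":
            for ip, _prio, respond in sorted(servers, key=lambda s: s[1]):
                answer = respond(user, password)
                if answer == "accept":
                    return "accept", f"tacacs+ {ip}"
                if answer == "timeout" and not fallback:
                    return "deny", f"tacacs+ {ip} unreachable, fallback disabled"
                if answer == "reject" and not failthrough:
                    return "deny", f"rejected by tacacs+ {ip}, failthrough disabled"
                # timeout with fallback, or reject with failthrough: next server
        elif method == "local":
            if local_users.get(user) == password:
                return "accept", "local"
            if not failthrough:
                return "deny", "rejected by local, failthrough disabled"
        else:
            raise ValueError(f"unsupported method {method!r}")
    return "deny", "no method accepted the login"


# Constructed local user store. A real device keeps password hashes, never plaintext.
LOCAL_USERS = {"admin": "local-secret"}


def scenarios() -> Dict[str, Tuple[str, str]]:
    """The combinations an operator should be able to predict before changing the knobs."""
    down_then_reject = [("192.168.0.78", 1, fixed("timeout")), ("192.168.0.79", 2, fixed("reject"))]
    down_then_accept = [("192.168.0.78", 1, fixed("timeout")), ("192.168.0.79", 2, fixed("accept"))]

    def run(servers: List[Server], failthrough: bool, fallback: bool) -> Tuple[str, str]:
        return authenticate_login(["tacacs+", "local"], servers, LOCAL_USERS,
                                  failthrough, fallback, "admin", "local-secret")

    return {
        "both enabled":     run(down_then_reject, True, True),    # skip .78, .79 rejects, local accepts
        "fallback off":     run(down_then_reject, True, False),   # .78 unreachable ends it
        "failthrough off":  run(down_then_reject, False, True),   # .79's rejection ends it
        "second server ok": run(down_then_accept, False, True),   # accepted by .79
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:17} -> {result}")
```

With both options off, the local method is never reached while any TACACS+ server is configured, which is the lockout-from-the-console scenario the notes warn about; the "both enabled" case shows why a rejection then falls through to the local account.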

[Command]
aaa authorization debug enable

[Purpose]
Enable user authorization debug information

[View]
System configuration view

[Notes]
After user authorization debug information is enabled, the user's permission details are printed to the device's /var/log/syslog log upon successful authentication and login.

[Use Cases]

sonic(config)# aaa authorization debug enable

[Command]
aaa authorization command {tacacs+|radius|local|default}

[Purpose]
Configure the AAA command-line authorization method

[Parameter]

Parameter  Description
---------  -----------
tacacs+    Command authorization through a TACACS+ server
radius     Command authorization through a RADIUS server
local      Local command authorization
default    Reset to the default value (local command authorization)

[View]
System configuration view

[Notes]

TACACS+, RADIUS, and local are optional parameters that can be configured individually or in combination, but TACACS+ and RADIUS cannot be configured simultaneously.

After TACACS+ or RADIUS authorization is enabled, the system authorizes commands according to the user level configured for that user on the TACACS+ or RADIUS server. The system currently supports four permission types:

  • 0: Non-login user

  • 1: Read-only user, only supports viewing with show commands

  • 2-14: Regular user, possesses execution permissions for all commands except system commands (reboot/image-update/delete startup-config/)

  • 15: System user, capable of executing all commands including system commands

[Use Cases]

sonic(config)# aaa authorization command tacacs+,local

[Command]
aaa authorization mode {service|cmd} enable
no aaa authorization mode {service|cmd} enable

[Purpose]
Configure the AAA command authorization mode

[Parameter]

Parameter  Description
---------  -----------
service    Authorize the command line according to the service (functional feature) it belongs to.
cmd        Authorize the command line according to regular-expression matches on the command text.

[View]
System configuration view

[Notes]

When users are authenticated by TACACS+ or RADIUS and need authorization finer than user levels, service or cmd authorization can be configured:

  • service: Authorizes based on the service associated with functional features. For example, a level 2 user can only enter the interface view for related operations and cannot configure other functions.

  • cmd: Classifies commands by command-line keyword. For example, commands containing show or ping are authorized, while other commands fail authorization and are not permitted.

When several authorization methods coexist, they are matched sequentially in the order user level -> service authorization -> command-line authorization. If authorization fails at a higher stage, the process ends immediately; a user who lacks sufficient permissions at one stage is not evaluated at the lower stages.

[Important Notes]

For the mapping between functional features and services, please consult technical support personnel.

It is not recommended to enable both service-level authentication and command-line authentication simultaneously.

During cmd authorization, regardless of whether service authorization is configured on the device, the authorization sequence on the server side remains: user level > service authorization > command-line authorization.

[Use Cases]

sonic(config)# aaa authorization mode service enable
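
The notes above describe authorization as a fixed sequence: user level, then service, then command-line regular expression, stopping at the first stage that fails. The Python below is an added example, not the device's authorization code. The four permission types come from the page; the feature-to-service mapping does not, so the example assumes a command's service is its first keyword and takes the allowed service list and regex patterns as constructed stand-ins for what the AAA server would return.

```python
import re
from typing import List, Optional, Tuple

# Commands the page classes as system commands: level 15 only.
SYSTEM_COMMANDS = ("reboot", "image-update", "delete startup-config")


def level_permits(level: int, command: str) -> bool:
    """The user-level stage, from the four permission types on the page."""
    first = command.split()[:1]
    if level == 0:
        return False                                   # non-login user
    if level == 1:
        return first == ["show"]                       # read-only user
    if 2 <= level <= 14:
        return not any(command.startswith(s) for s in SYSTEM_COMMANDS)  # regular user
    if level == 15:
        return True                                    # system user
    raise ValueError(f"invalid user level {level}")


def authorize(command: str, level: int, *, service_mode: bool = False, cmd_mode: bool = False,
              allowed_services: Optional[List[str]] = None,
              cmd_patterns: Optional[List[str]] = None) -> Tuple[bool, str]:
    """Sequential match user level -> service -> cmd, stopping at the first stage that fails.
    allowed_services and cmd_patterns play the part of what the AAA server returns for the
    user (constructed inputs). The mapping from features to services is not on the page;
    here a command's service is assumed to be its first keyword."""
    if not level_permits(level, command):
        return False, "user-level"
    if service_mode:
        words = command.split()
        service = words[0] if words else ""
        if service not in (allowed_services or []):
            return False, "service"
    if cmd_mode:
        if not any(re.search(p, command) for p in (cmd_patterns or [])):
            return False, "cmd"
    return True, "authorized"


if __name__ == "__main__":
    # Constructed: a level 2 user whose server profile allows only show/ping by regex.
    for cmd in ("show aaa", "ping 10.1.0.1", "configure terminal", "reboot"):
        print(f"{cmd:20} -> {authorize(cmd, 2, cmd_mode=True, cmd_patterns=[r'^show', r'^ping'])}")
```

The returned stage name tells an operator which knob produced a denial: "user-level" means the server-assigned level already rules the command out, so neither the service list nor the cmd patterns were consulted, exactly the short-circuit the notes describe.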

[Command]
show tacacs
show tacacs config

[Purpose]
Display the device's TACACS+ client configuration.

[View]
System view

[Notes]

After changing the device configuration, use this command to view the authentication type, timeout period, and communication key the device uses for TACACS+.

[Use Cases]

sonic# show tacacs
TACPLUS global auth_type pap (default)
TACPLUS global timeout 5 (default)
TACPLUS global passkey <EMPTY_STRING> (default)

[Command]
show tacacs status

[Purpose]
Display the TACACS server status

[View]
System view

[Notes]

Use this command to check the connection status between the TACACS server and the device. online indicates a normal connection status with the server, allowing authentication communication to proceed normally. offline indicates an abnormal connection status with the server, meaning the server cannot perform TACACS authentication at this time.

[Use Cases]

sonic# show tacacs status
SERVER IP STATUS
------------ --------
192.168.0.78 online

[Command]
tacacs ip_address timeout time_out auth-type {chap|pap|mschap|login} port port_num pri pri_num mgmt-vrf use_mgmt_vrf

[Purpose]
Configure the TACACS+ authentication server and specify the relevant parameters.

[Parameter]

Parameter   Description
----------  -----------
ip_address  TACACS+ server IP address
time_out    Transmission timeout, in seconds; range 1 to 60, default 5
auth-type   Authentication type: chap, pap, mschap or login; default is pap
port_num    TCP port number of the server; range 1 to 65535, default 49
pri_num     Server priority; default is 1
mgmt-vrf    Reach the server through the management VRF; by default no VRF is used

[View]
System configuration view

[Notes]

Device administrators can use this command to configure the IP address of the TACACS server on the device, enabling user authentication and command-line authorization using the TACACS server.

[Use Cases]

sonic(config)# tacacs 192.168.2.2
Do you need to enter shared secret [y/n]: y
enter shared secret:
enter shared secret again:

[Command]
tacacs authtype {chap|pap|mschap|login}

[Purpose]
Configure the authentication type for the global TACACS+ server

[View]
System configuration view

[Notes]

TACACS+ supports multiple authentication types, with the device supporting the following authentication methods:

  • Login: Simple Login Authentication Protocol, where the username and password are transmitted over the network in plaintext.

  • PAP: Simple Authentication Protocol, where the username and password are transmitted over the network in plaintext.

  • CHAP: A more secure authentication protocol than PAP. The device sends the username, an encrypted password, and a 16-byte random number to the server. The server locates the corresponding password based on the username, then encrypts the received password using the random number and a shared secret key. The result is compared with the received encrypted password. If they match, authentication succeeds; otherwise, it fails.

  • MSCHAP: A Microsoft extension of CHAP, commonly used in Windows environments.

By default, the device’s authentication type is set to PAP.

[Use Cases]

sonic(config)# tacacs authtype chap

[Command]
tacacs passkey passwd
no tacacs passkey

[Purpose]
Configure the shared key for the global TACACS+ server

[View]
System configuration view

[Notes]

By default, the TACACS+ server shared key for the device is public.

[Important Notes]

This configuration will be displayed in encrypted form. Please remember to save it after making changes.

[Use Cases]

sonic(config)# tacacs passkey test

[Command]
tacacs timeout time_out
no tacacs timeout

[Purpose]
Configure the response timeout for the global TACACS+ server.

[Parameter]

Parameter  Description
---------  -----------
time_out   Timeout, in seconds; range 1-60

[View]
System configuration view

[Notes]

After the device sends a request to the TACACS+ server, if the response timeout period elapses without receiving a response from the server, the connection to the server is considered timed out. By default, the timeout period is 5 seconds.

[Use Cases]

sonic(config)# tacacs timeout 5

[Command]
show radius

[Purpose]
Display the device's RADIUS client configuration.

[View]
System view

[Notes]

After changing the device configuration, use this command to view the authentication type, timeout period, and communication key the device uses with the RADIUS server.

[Use Cases]

sonic# show radius
RADIUS_SERVER address 192.168.15.168
priority 1
auth_port 1812
passkey ******

[Command]
radius server ip_address key password auth-type {chap|pap} priority pri_num timeout time retransmit re_num source src_ip vrf vrf_name
no radius server ip_address

[Purpose]
Configure authentication parameters for the RADIUS server.

[Parameter]

Parameter   Description
----------  -----------
ip_address  RADIUS server IP address
password    Shared key; default is public
auth-type   Authentication type: CHAP or PAP; default is PAP
pri_num     Server priority; default 1, range 1-64
time        Transmission timeout, in seconds; range 1-60, default 5
re_num      Number of retransmissions; range 1-10
src_ip      Source IP address the device uses when sending RADIUS packets
vrf_name    Required when the RADIUS server is reached through the management port and that port belongs to the MGMT VRF

[View]
System Configuration View

[Notes]

RADIUS supports multiple authentication types, with the device supporting the following authentication methods:

  • PAP: Simple Authentication Protocol, where the username and password are transmitted over the network in plaintext.

  • CHAP: A more secure authentication protocol than PAP. The device sends the username, an encrypted password, and a 16-byte random number to the server. The server locates the corresponding password based on the username, then encrypts the password using the received random number and a shared secret key. The resulting output is compared with the received encrypted password. If they match, authentication succeeds; otherwise, it fails.

By default, the device’s authentication type is set to PAP.

[Use Cases]

sonic(config)# radius server 1.1.1.1 key testing123 auth-type chap priority 1 timeout 10 retransmit 3 source 1.1.1.1 vrf 1

[Command]
show {dot1x|portal} accounting-statistics [{interface |mac }]

[Purpose]
Display accounting statistics

[View]
System view

[Use Cases]

sonic# show dot1x accounting-statistics
+-------------+--------------------+---------------+------------+
| interface   | mac-addr           | rx-packets    | rx-bytes   |
+=============+====================+===============+============+
| Ethernet1   | 00:00:02:01:01:02  | 4             | 360        |
+-------------+--------------------+---------------+------------+

[Command]
show {dot1x|portal} accounting-statistics drop

[Purpose]
Display drop statistics for packets from terminals that have not passed dot1x or portal authentication

[View]
System view

[Use Cases]

sonic# show dot1x accounting-statistics drop
+-------------+--------------+------------+
| interface   | drop-packets | drop-bytes |
+=============+==============+============+
| Ethernet49  | 0            | 0          |
+-------------+--------------+------------+

[Command]
show {dot1x|portal} status
show {dot1x|portal} interface interface-name

[Purpose]
View authenticated user information

[View]
System view

[Use Cases]

sonic# show dot1x interface 1
+-------------+-------------------+------------+-------------+
| Interface   | MAC               | Status     | Auth-Type   |
+=============+===================+============+=============+
| Ethernet1   | 00:00:02:01:01:02 | authorized | > 8021x     |
|             | 00:00:02:01:01:04 | authorized | 8021x       |
|             | 00:00:02:01:01:04 | authorized | > mab       |
+-------------+-------------------+------------+-------------+

Field description for the show dot1x status output:

Field      Description
---------  -----------
Status     Authentication status:
           authorized: authentication passed
           unauthorized: authentication failed
           timeout: the device sent an authentication packet but received no response from the server, and the authentication timed out
           escaped: escape user
           logoff: user is offline
Auth-Type  Authentication method. The ">" marker indicates the method currently in effect; a later authentication result does not preempt it.

[Command]
show {dot1x|portal} server-status

[Purpose]
Display RADIUS server status

[View]
System view

[Usage Scenario]
Servers can exist in two states: active and inactive. The active state indicates that the Radius server is functioning normally and can perform user authentication. The inactive state indicates that the server is experiencing issues. If users continue to authenticate, they will come online in escape mode. Using this command helps check the current connectivity status of the server.

[Notes]
If all configured Radius servers on the device are in the inactive state, it triggers the global escape function. After server recovery, it initiates one or more re-authentication attempts for escaped users until they come online normally or fail authentication and go offline.

[Use Cases]

sonic# show dot1x server-status
+---------------+----------+
| Server        | Status   |
+===============+==========+
| 151.1.0.1     | active   |
+---------------+----------+
| 150.1.0.1     | active   |
+---------------+----------+
| detect result | active   |
+---------------+----------+

[Command]
show authentication radius-server configuration

[Purpose]
Display configuration information related to the RADIUS server

[View]
System view

[Use Cases]

sonic# show authentication radius-server configuration
+-----------------------+----------------------------------------+
| Interface             | Configuration                          |
+=======================+========================================+
| Auth server           | server-addr = 151.1.0.1                |
|                       | shared-secret = ******                 |
|                       | source-addr = 10.1.0.1                 |
|                       | vrf = default                          |
|                       | role = secondary                       |
+-----------------------+----------------------------------------+
| Acct server           | server-addr = 150.1.0.1                |
|                       | shared-secret = ******                 |
|                       | source-addr = 10.1.0.1                 |
|                       | vrf = default                          |
|                       | role = primary                         |
+-----------------------+----------------------------------------+
| Auth server           | server-addr = 150.1.0.1                |
|                       | shared-secret = ******                 |
|                       | source-addr = 10.1.0.1                 |
|                       | vrf = default                          |
|                       | role = primary                         |
+-----------------------+----------------------------------------+
| Dynamic authorization | das-enable = enable                    |
|                       | client-addr = 0.0.0.0                  |
|                       | shared-secret = ******                 |
|                       | das-port = 3799                        |
+-----------------------+----------------------------------------+
| Global                | server-mode = master-backup            |
|                       | timeout-aging-timer = 120              |
|                       | timeout-reauth-count = 1               |
|                       | timeout-reauth-period = 15             |
+-----------------------+----------------------------------------+

[Command]
show authentication dot1x configuration

[Purpose]
View dot1x related configurations

[View]
System view

[Use Cases]

sonic# show authentication dot1x configuration
+---------------+-------------------------------+
| Interface     | Configuration                 |
+===============+===============================+
| Ethernet1     | 8021x = enable                |
|               | dot1x-mab = enable            |
|               | mab-priority = low            |
|               | 8021x-priority = high         |
+---------------+-------------------------------+
| Detect server | detect-server = enable        |
|               | testuser-username = NA        |
|               | testuser-password = ******    |
|               | detect-interval = 60          |
|               | detect-timeout-count = 3      |
+---------------+-------------------------------+

[Command]
show authentication portal configuration

[Purpose]
View portal related configurations

[View]
System view

[Use Cases]

sonic# show authentication portal configuration
+----------------------+-------------------------------+
| Interface            | Configuration                 |
+======================+===============================+
| Detect radius-server | detect-server = enable        |
|                      | testuser-username = aaa       |
|                      | testuser-password = ******    |
|                      | detect-interval = 60          |
|                      | detect-timeout-count = 3      |
+----------------------+-------------------------------+
| Portal protocol      | http                          |
+----------------------+-------------------------------+
| Detect portal-server | detect-server = enable        |
|                      | detect-interval = 60          |
|                      | detect-timeout-count = 3      |
+----------------------+-------------------------------+

[Command]
authentication enable

[Purpose]
Enable authentication functionality

[View]
System configuration view

[Usage Scenario]
When access users need to use 802.1x or Portal for access authentication, it is necessary to enable authentication functionality globally first, and then configure the corresponding authentication services.

[Use Cases]

sonic(config)# authentication enable

[Command]
authentication radius-server ip-address share-secret [source ip-address ]
no authentication radius-server ip-address

[Purpose]
Configure the RADIUS server

[Parameter]

Parameter          Description
-----------------  -----------
ip-address         Server IP address
share-secret       Shared key between the device and the server
source ip-address  Source IP address the device uses when sending RADIUS packets to the server; the Loopback0 address is usually recommended

[View]
System configuration view

[Use Cases]

sonic(config)# authentication radius-server 150.1.0.1 dot1x source 10.1.0.1

[Command]
authentication radius-server server-mode {master-backup|polling}

[Purpose]
Configure the working mode of servers in a multi-server scenario

[Parameter]

Parameter      Description
-------------  -----------
master-backup  Master-backup mode
polling        Polling mode

[View]
System configuration view

[Usage Scenario]
In an authentication environment with multiple authentication servers, users can modify the server working mode to master-backup or polling mode based on actual requirements during configuration.

[Notes]
When the working mode of the RADIUS server is configured as master-backup, the device, upon receiving EAPOL packets from clients, will prioritize one server for authentication. When the server’s working mode is set to polling, the device will duplicate EAPOL packets and send them to multiple servers simultaneously, selecting the server that responds first for subsequent packet interactions.

[Use Cases]

sonic(config)# authentication radius-server server-mode polling

[Command]
authentication radius-server accounting ip-address share-secret [source ip-address ]
no authentication radius-server accounting ip-address

[Purpose]
Configure the RADIUS accounting server

[Parameter]

Parameter          Description
-----------------  -----------
ip-address         Server IP address
share-secret       Shared key between the device and the server
source ip-address  Source IP address the device uses when sending RADIUS packets to the server; the Loopback0 address is usually recommended

[View]
System configuration view

[Use Cases]

sonic(config)# authentication radius-server accounting 150.1.0.1 dot1x source 10.1.0.1

[Command]
authentication radius-server dot1x detect-server enable
authentication radius-server dot1x detect-server interval value
authentication radius-server dot1x detect-server timeout-count value
no authentication radius-server dot1x detect-server enable

[Purpose]
Configure RADIUS server detection

[Parameter]

Parameter            Description
-------------------  -----------
enable               Enable the server detection function
interval value       Detection period of the server; value range 30-3600, unit: seconds
timeout-count value  Maximum number of consecutive unanswered probes in a detection cycle; value range 2-50

[View]
System configuration view

[Usage Scenario]
When the number of unanswered probes in a detection cycle reaches the configured maximum, the device treats the RADIUS server as disconnected. If every RADIUS server configured on the device is disconnected, a terminal that newly comes online is treated as an escape user. When a RADIUS server becomes reachable again, escape users are re-authenticated.

[Use Cases]

sonic(config)# authentication radius-server dot1x detect-server enable
sonic(config)# authentication radius-server dot1x detect-server interval 100
sonic(config)# authentication radius-server dot1x detect-server timeout-count 3
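
The detect-server parameters above drive the escape logic described in the usage scenario and in the server-status notes: timeout-count unanswered probes mark a server inactive, all servers inactive puts the device in global escape mode, and recovery triggers re-authentication of escape users. The Python below is an added example, not the device's detector; probe results are supplied by the caller, the "detect result" row is assumed to be inactive only when every server is inactive, and the re-authentication itself is represented as a queue.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class DetectConfig:
    interval_s: int = 60    # detect-server interval, seconds (30-3600); cadence of probe()
    timeout_count: int = 3  # detect-server timeout-count (2-50)


@dataclass
class ServerProbe:
    misses: int = 0         # consecutive unanswered probes
    active: bool = True


class RadiusDetector:
    """Constructed model of the page's detect-server logic: a server turns inactive
    after timeout-count consecutive unanswered probes; when every server is inactive
    the device is in global escape mode and newly online terminals become escape
    users; once a server answers again, escape users are queued for re-authentication.
    Probe results are supplied by the caller; nothing is sent on the network."""

    def __init__(self, cfg: DetectConfig, servers: List[str]):
        self.cfg = cfg
        self.servers: Dict[str, ServerProbe] = {ip: ServerProbe() for ip in servers}
        self.escaped_users: List[str] = []
        self.pending_reauth: List[str] = []

    def escape_mode(self) -> bool:
        return all(not s.active for s in self.servers.values())

    def probe(self, ip: str, answered: bool) -> str:
        """Record one probe result for a server and return its new status."""
        s = self.servers[ip]
        was_escaped = self.escape_mode()
        if answered:
            s.misses, s.active = 0, True
        else:
            s.misses += 1
            if s.misses >= self.cfg.timeout_count:
                s.active = False
        if was_escaped and not self.escape_mode():
            # server recovery: every escape user must re-authenticate
            self.pending_reauth.extend(self.escaped_users)
            self.escaped_users = []
        return "active" if s.active else "inactive"

    def user_online(self, mac: str) -> str:
        """A terminal coming online: escape user if no server is reachable, otherwise
        it goes through normal RADIUS authentication (the exchange is out of scope here)."""
        if self.escape_mode():
            self.escaped_users.append(mac)
            return "escaped"
        return "normal-auth"

    def status_rows(self) -> List[Tuple[str, str]]:
        """Rows in the shape of 'show dot1x server-status', with the 'detect result' line
        (assumed inactive only when every server is inactive)."""
        rows = [(ip, "active" if s.active else "inactive") for ip, s in self.servers.items()]
        rows.append(("detect result", "inactive" if self.escape_mode() else "active"))
        return rows


def demo() -> list:
    """Constructed probe timeline for the two servers in the page's output."""
    d = RadiusDetector(DetectConfig(interval_s=100, timeout_count=3), ["151.1.0.1", "150.1.0.1"])
    log = []
    for _ in range(3):
        d.probe("151.1.0.1", False)
    log.append(d.status_rows())                       # one server down, detect result active
    for _ in range(3):
        d.probe("150.1.0.1", False)
    log.append(d.status_rows())                       # all down: global escape
    log.append(d.user_online("00:00:02:01:01:02"))    # new terminal -> escape user
    d.probe("150.1.0.1", True)                        # a server answers again
    log.append(list(d.pending_reauth))
    return log


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Two consecutive misses leave a server active; the third (with the default timeout-count of 3) flips it to inactive, and a single answered probe restores it, which is the window an operator should expect between a server outage and clients appearing as escaped in show dot1x status.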

[Command]
authentication portal-server server-url {primary|secondary}

[Purpose]
Configure the portal server

[Parameter]

Parameter   Description
----------  -----------
server-url  URL of the portal server
primary     Designate the server as the primary server
secondary   Designate the server as the secondary server

[View]
System configuration view

[Use Cases]

sonic(config)# authentication portal-server http://192.168.0.1:8080/login

[Command]
authentication dot1x enable
no authentication dot1x enable

[Purpose]
Enable dot1x authentication function

[View]
Interface view

[Use Cases]

sonic(config)# interface ethernet 1
sonic(config-if-1)# authentication dot1x enable

[Command]
authentication dot1x eap-type {peap|tls} enable
no authentication dot1x eap-type {peap|tls} enable

[Purpose]
Enable or disable a dot1x EAP authentication method

[View]
System configuration view

[Usage Scenario]
By default, the device supports the PEAP, TLS and MD5 authentication methods, and all of them are enabled when dot1x authentication is enabled. The PEAP and TLS methods can be disabled; once a method is disabled, authentication can no longer be passed using it.

[Use Cases]

sonic(config)# dot1x enable
sonic(config)# interface ethernet 1
sonic(config-if-1)# authentication dot1x enable
sonic(config-if-1)# no authentication dot1x eap-type tls enable

[Command]
authentication dot1x mac-bypass enable
no authentication dot1x mac-bypass enable

[Purpose]
Enables MAC bypass authentication for the interface

[View]
Interface view

[Usage Scenario]
For terminals that cannot install and use 802.1X client software, such as printers, MAC bypass authentication can be employed for authentication.

[Notes]
Enabling MAC bypass authentication requires enabling dot1x authentication at the same time.

[Use Cases]

sonic(config)# interface ethernet 1
sonic(config-if-1)# authentication dot1x mac-bypass enable

[Command]
authentication dot1x guest-vlan vlan_id

[Purpose]
Configure the interface to treat incoming packets belonging to the specified VLAN (the guest VLAN) as forced-authorized, so that their traffic is allowed without dot1x authentication

[Parameter]

Parameter    Description
vlan_id      Specify the VLAN ID

[View]
Interface view

[Usage Scenario]
After this feature is configured, users on this interface whose traffic carries the specified VLAN are always in the authorized state and can access network resources without authenticating. This is intended for scenarios where the users on the interface are fully trusted. It can also be combined with ACL functionality to restrict unauthenticated users to specific resources.

[Notes]
The Guest VLAN must be a VLAN that the interface has already joined.

[Use Cases]

sonic(config)# interface ethernet 1
sonic(config-if-1)# authentication dot1x guest-vlan 10

[Command]
authentication dot1x restrict-vlan VLAN_ID

[Purpose]
Configure the restrict VLAN for the interface

[View]
Interface view

[Usage Scenario]
After configuring this feature, when a user under the interface fails authentication, the interface will automatically be added to the restrict VLAN in access mode. This allows access to specific network resources in the restrict VLAN even after user authentication failure.

[Notes]
The interface will only be added to the restrict VLAN in access mode. The restrict VLAN cannot be a VLAN that the interface is already a member of.

[Use Cases]

sonic(config)# interface ethernet 1
sonic(config-if-1)# authentication dot1x restrict-vlan 10

authentication dot1x priority {dot1x|mab} {dot1x|mab}

[Command]
authentication dot1x priority {dot1x|mab} {dot1x|mab}

[Purpose]
Specify the priority of dot1x and mac-bypass authentication.

[View]
Interface view

[Usage Scenario]
When both dot1x and mac-bypass authentication are enabled on an interface, giving dot1x a higher priority than mac-bypass makes the device start MAC authentication for a user only if dot1x authentication times out.

[Notes]
The first parameter designates the authentication method with higher priority. By default, if both dot1x and mac-bypass authentication are enabled on an interface, access to the network is granted if either authentication method succeeds.

[Use Cases]

sonic(config)# interface ethernet 1
sonic(config-if-1)# authentication dot1x enable
sonic(config-if-1)# authentication dot1x mac-bypass enable
sonic(config-if-1)# authentication dot1x priority dot1x mab
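How the interface-level settings above (dot1x enable, mac-bypass, priority, guest VLAN, restrict VLAN) combine into a port decision, as an added Python model rather than the switch's own code. It goes beyond the single use case and covers the default "either method may succeed" behaviour, the priority fallback after a dot1x timeout, guest-VLAN forced authorization, and the restrict VLAN on failure; the [Notes] constraints are enforced in `validate`. Names such as `PortAuthConfig`, `Terminal` and `authorize`, the MAC addresses, and the choice that a plain dot1x failure under a priority is final (the page only mentions the timeout case) are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass
class PortAuthConfig:
    """Interface-level settings from the commands above (field names are assumptions)."""
    dot1x: bool = False                          # authentication dot1x enable
    mab: bool = False                            # authentication dot1x mac-bypass enable
    priority: Optional[Tuple[str, str]] = None   # authentication dot1x priority {dot1x|mab} {dot1x|mab}
    guest_vlan: Optional[int] = None             # authentication dot1x guest-vlan
    restrict_vlan: Optional[int] = None          # authentication dot1x restrict-vlan
    member_vlans: FrozenSet[int] = frozenset()   # VLANs the interface has already joined


@dataclass
class Terminal:
    """A constructed client with the outcome each method would produce for it."""
    mac: str
    vlan: int
    dot1x_result: str    # "success", "failure" or "timeout" (no supplicant answered)
    mab_result: str      # "success" or "failure"


def validate(cfg: PortAuthConfig) -> None:
    """Reject combinations the page's [Notes] rule out."""
    if cfg.mab and not cfg.dot1x:
        raise ValueError("MAC bypass requires dot1x authentication on the interface")
    if cfg.guest_vlan is not None and cfg.guest_vlan not in cfg.member_vlans:
        raise ValueError("guest VLAN must be a VLAN the interface has already joined")
    if cfg.restrict_vlan is not None and cfg.restrict_vlan in cfg.member_vlans:
        raise ValueError("restrict VLAN must not be a VLAN the interface is already in")
    if cfg.priority is not None:
        if sorted(cfg.priority) != ["dot1x", "mab"] or not (cfg.dot1x and cfg.mab):
            raise ValueError("priority needs dot1x and mab, both enabled, listed once each")


def config_is_valid(cfg: PortAuthConfig) -> bool:
    """Convenience wrapper for audit scripts: True if validate() accepts the config."""
    try:
        validate(cfg)
        return True
    except ValueError:
        return False


def authorize(cfg: PortAuthConfig, term: Terminal) -> Dict[str, object]:
    """Decide the port state for one terminal."""
    validate(cfg)
    # Guest VLAN traffic is forced-authorized: no authentication is attempted at all.
    if cfg.guest_vlan is not None and term.vlan == cfg.guest_vlan:
        return {"state": "authorized", "method": "guest-vlan", "vlan": term.vlan}

    results = {
        "dot1x": term.dot1x_result if cfg.dot1x else "disabled",
        "mab": term.mab_result if cfg.mab else "disabled",
    }
    method = None
    if cfg.priority is None:
        # Default behaviour: access is granted if either enabled method succeeds.
        method = next((m for m in ("dot1x", "mab") if results[m] == "success"), None)
    else:
        first, second = cfg.priority
        if results[first] == "success":
            method = first
        elif results[first] == "timeout" and results[second] == "success":
            # The lower-priority method is started only after the higher one times
            # out, as the usage scenario describes; a plain failure is treated as
            # final here (assumption: the page does not say what happens on failure).
            method = second

    if method is not None:
        return {"state": "authorized", "method": method, "vlan": term.vlan}
    if cfg.restrict_vlan is not None:
        # Authentication failed: the interface is put in the restrict VLAN in access mode.
        return {"state": "restricted", "method": None, "vlan": cfg.restrict_vlan}
    return {"state": "unauthorized", "method": None, "vlan": None}


if __name__ == "__main__":
    cfg = PortAuthConfig(dot1x=True, mab=True, priority=("dot1x", "mab"),
                         guest_vlan=10, restrict_vlan=20, member_vlans=frozenset({1, 10}))
    printer = Terminal("aa:bb:cc:00:00:01", 1, "timeout", "success")   # no supplicant, MAB passes
    print(authorize(cfg, printer))
```

A guest VLAN is a deliberate hole in the authentication policy: any frame tagged with that VLAN on the port is authorized without a credential, which is why the page recommends pairing it with an ACL. The model makes that explicit by returning `guest-vlan` as the "method" so an audit can tell those users apart from authenticated ones.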

authentication dot1x reauthenticate-period

[Command]
authentication dot1x reauthenticate-period value

[Purpose]
Configure the 802.1X authentication re-authentication period for the interface

[Parameter]

Parameter    Description
value        Value range: 2-2000 or 0; unit: minutes

[View]
Interface view

[Notes]
When value is 0, it means turn off the 802.1X authentication re-authentication function of the interface.

[Use Cases]

sonic(config)# interface ethernet 1
sonic(config-if-1)# authentication dot1x reauthenticate-period 2000

[Command]
authentication dot1x accounting-realtime value

[Purpose]
Configure the period for real-time accounting uploads to the accounting server

[Parameter]

Parameter    Description
value        Value range: 2-2000 or 0

[View]
Interface view

[Usage Scenario]
After enabling periodic reauthentication for 802.1X on a port, the device will periodically reauthenticate 802.1X users who have successfully authenticated on the port. This ensures that when there are changes in authorization information, users can be promptly reauthenticated to update their authorization information.

[Notes]
When value is 0, the real-time accounting upload function is disabled.

[Use Cases]

sonic(config)# interface ethernet 1
sonic(config-if-1)# authentication dot1x accounting-realtime 2000

[Command]
authentication dot1x dhcp {deny|permit}

[Purpose]
Configure whether DHCP messages from a user are blocked (deny) or allowed (permit) until that user's authentication succeeds

[View]
Interface view

[Use Cases]

sonic(config)# interface ethernet 1
sonic(config-if-1)# authentication dot1x dhcp deny

[Command]
authentication dot1x reget-ip

[Purpose]
After configuring this command, when a terminal successfully authenticates and is assigned an authorized VLAN, the system will automatically bring the interface down and then up to force the terminal to renew its IP address.

[View]
Interface view

[Use Cases]

sonic(config)# interface ethernet 1
sonic(config-if-1)# authentication dot1x reget-ip

[Command]
authentication portal enable
no authentication portal enable

[Purpose]
Enable portal authentication function

[View]
Interface view

[Notes]
Dot1x authentication and portal authentication cannot be enabled simultaneously on the interface.

[Use Cases]

sonic(config)# interface ethernet 1
sonic(config-if-1)# authentication portal enable

[Command]
authentication portal mac-bypass enable
no authentication portal mac-bypass enable

[Purpose]
Enable portal MAC bypass authentication functionality on the interface

[View]
Interface view

[Notes]
Enabling MAC bypass authentication requires simultaneously enabling portal authentication functionality.

[Use Cases]

sonic(config)# interface ethernet 1
sonic(config-if-1)# authentication portal mac-bypass enable

[Command]
authentication portal guest-vlan VLAN-ID

[Purpose]
Configure the interface to treat incoming packets belonging to the specified VLAN as forced-authorized state.

[View]
Interface view

[Usage Scenario]
After this feature is configured, users on this interface whose traffic carries the specified VLAN are always in the authorized state and can access network resources without authenticating. This is intended for scenarios where the users on the interface are fully trusted. It can also be combined with ACL (Access Control List) functionality to restrict unauthenticated users to specific resources.

[Notes]
The Guest VLAN must be a VLAN that the interface has already joined.

[Use Cases]

sonic(config)# interface ethernet 1
sonic(config-if-1)# switchport access vlan 10
sonic(config-if-1)# authentication portal guest-vlan 10

[Command]
authentication portal restrict-vlan VLAN-ID

[Purpose]
Configure the interface’s restricted VLAN.

[View]
Interface view

[Usage Scenario]
After configuring this feature, when user authentication fails on the interface, the interface is automatically added to the restrict VLAN in access mode. This allows users to access specific network resources within the restrict VLAN even after authentication failure.

[Notes]
The interface will only be added to the restrict VLAN in access mode. The restrict VLAN cannot be a VLAN that the interface has already joined.

[Use Cases]

sonic(config)# interface ethernet 1
sonic(config-if-1)# authentication portal restrict-vlan 10

authentication portal reauthenticate-period

[Command]
authentication portal reauthenticate-period value

[Purpose]
Configure the portal authentication re-authentication period for the interface

[Parameter]

Parameter    Description
value        Value range: 2-2000 or 0; unit: minutes

[View]
Interface view

[Notes]
When value is 0, it means turn off the portal authentication re-authentication function of the interface.

[Use Cases]

sonic(config)# interface ethernet 1
sonic(config-if-1)# authentication portal reauthenticate-period 2000

[Command]
authentication timeout-user aging timer clear-timer

[Purpose]
Configure the aging time for timeout users

[View]
System view

[Usage Scenario]
When the device receives an authentication request message from a terminal and does not receive a response message from the server within a certain period, the status of the terminal is marked as timed out.

[Use Cases]

sonic(config)# authentication timeout-user aging timer 300

[Command]
authentication timeout-user reauth-period reauth_period

[Purpose]
Configure the reauthentication interval for timed-out users

[Parameter]

Parameter        Description
reauth_period    Unit: seconds; range: 5-15; default: 15

[View]
System configuration view

[Usage Scenario]
After a client initiates an authentication request to the device, this timer is activated. If the device does not receive a response from the client within the specified duration of this timer, the device will reinitiate the authentication request. When a user is marked as timed-out, the device will initiate reauthentication at the frequency specified by this command.

[Use Cases]

sonic(config)# authentication timeout-user reauth-period 20

[Command]
authentication timeout-user reauth-count reauth_count

[Purpose]
Configure the number of reauthentication attempts for timed-out users.

[Parameter]

Parameter       Description
reauth_count    Number of reauthentication attempts; range: 1-60; default: 1

[View]
System configuration view

[Usage Scenario]
Due to network fluctuations or unstable links, authentication request packets may not reach the server, so authentication on the device side fails. To cover such cases, you can configure the number of reauthentication attempts for timed-out users. When a user is marked as timed out, the device initiates reauthentication at the configured interval for the number of attempts specified by this command.

[Use Cases]

sonic(config)# authentication timeout-user reauth-count 3
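The interplay of the three timeout-user settings (the aging timer, reauth-period and reauth-count described in the last three commands), as an added Python simulation that is not the switch's own code. The class and function names and the MAC address are constructed; the simulation assumes the aging timer runs from the moment a user is marked timed out, independently of the reauthentication attempts, and it does not enforce the parameter ranges so that the page's own example values can be tried.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class TimeoutUserConfig:
    """The three system-view settings, with defaults as the page states them."""
    aging_timer: int = 300     # authentication timeout-user aging timer, seconds (300 in the page's example)
    reauth_period: int = 15    # authentication timeout-user reauth-period, 5-15 s, default 15
    reauth_count: int = 1      # authentication timeout-user reauth-count, 1-60, default 1


@dataclass
class TimedOutUser:
    mac: str
    marked_at: int          # time the terminal was marked timed out
    attempts: int = 0       # reauthentication attempts issued so far
    next_attempt_at: int = 0


class TimeoutUserTracker:
    """Schedules reauthentication attempts for timed-out users and ages them out.

    Assumption: the aging timer starts when the user is marked timed out and
    runs independently of the reauthentication attempts.
    """

    def __init__(self, cfg: TimeoutUserConfig) -> None:
        self.cfg = cfg
        self.users: Dict[str, TimedOutUser] = {}

    def mark_timeout(self, mac: str, now: int) -> None:
        """No response arrived for this terminal's request: mark it timed out."""
        self.users[mac] = TimedOutUser(mac, now, 0, now + self.cfg.reauth_period)

    def response_received(self, mac: str) -> None:
        """A response finally arrived: the terminal leaves the timed-out state."""
        self.users.pop(mac, None)

    def tick(self, now: int) -> List[Tuple[int, str, str]]:
        """Advance the clock to `now` and return (time, mac, event) tuples."""
        events: List[Tuple[int, str, str]] = []
        for mac, user in list(self.users.items()):
            if now - user.marked_at >= self.cfg.aging_timer:
                events.append((now, mac, "aged-out"))
                del self.users[mac]
                continue
            # Reauthenticate every reauth_period seconds, at most reauth_count times.
            while user.attempts < self.cfg.reauth_count and user.next_attempt_at <= now:
                user.attempts += 1
                events.append((user.next_attempt_at, mac, f"reauth-attempt-{user.attempts}"))
                user.next_attempt_at += self.cfg.reauth_period
        return events


def simulate(cfg: TimeoutUserConfig, mac: str, until: int, step: int = 5) -> List[Tuple[int, str, str]]:
    """Mark `mac` timed out at t=0 and drive the tracker with no response ever arriving."""
    tracker = TimeoutUserTracker(cfg)
    tracker.mark_timeout(mac, 0)
    events: List[Tuple[int, str, str]] = []
    for now in range(0, until + 1, step):
        events.extend(tracker.tick(now))
    return events


if __name__ == "__main__":
    # Constructed MAC; reauth-count 3 matches the page's use case.
    for event in simulate(TimeoutUserConfig(reauth_count=3), "00:11:22:33:44:55", 320):
        print(*event)
```

With the defaults a timed-out user gets exactly one retry after 15 s and then sits in the timed-out state until the aging timer removes the entry; raising reauth-count is what gives an unstable server path more chances before that happens, while the aging timer bounds how long stale entries survive.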

[Command]
authentication reset {dot1x|portal} {interface_name | nn:nn:nn:nn:nn:nn}

[Purpose]
Force user logout

[View]
System configuration view

[Usage Scenario]
When redeploying services or troubleshooting, after the corresponding corrective measures have been applied, you can use this command to force users to log out. They then reauthenticate, and you can query the results to determine whether authentication is working normally and whether the issue has been resolved.

[Use Cases]

sonic(config)# authentication reset dot1x 1