802.1X Authentication Configuration

show {dot1x|portal} accounting-statistics

[Command] show {dot1x|portal} accounting-statistics [{interface |mac }]

[Purpose] Show billing statistics

[View] System view

[Use Cases]

sonic# show dot1x accounting-statistics
+-------------+--------------------+---------------+------------+
| interface   | mac-addr           |   rx-packets  |   rx-bytes |
+=============+====================+===============+============+
| Ethernet1   | 00:00:02:01:01:02  |        4      |     360    |
+-------------+--------------------+---------------+------------+

show {dot1x|portal} accounting-statics drop

[Command] show {dot1x|portal} accounting-statics drop

[Purpose] View packet loss statistics for packets that have not passed the dot1x authentication

[View] System view

[Use Cases]

sonic# show dot1x accounting-statistics drop
+-------------+--------------+------------+
| interface   | drop-packets | drop-bytes |
+=============+==============+============+
| Ethernet49  |           0  |         0  |
+-------------+--------------+------------+

show {dot1x|portal} status

[Command] show {dot1x|portal} status show {dot1x|portal} interface interface-name

[Purpose] View authenticated user information

[View] System view

[Use Cases]

sonic# show dot1x interface 1
+-------------+-------------------+------------+-------------+
| Interface   | MAC               | Status     | Auth-Type   |
+=============+===================+============+=============+
| Ethernet1   | 00:00:02:01:01:02 | authorized | > 8021x     |
|             | 00:00:02:01:01:04 | authorized |   8021x     |
|             | 00:00:02:01:01:04 | authorized | > mab       |
+-------------+-------------------+------------+-------------+

This command display description table

Fields	Description
status	Certification Status
authorized Certification passed
unauthorized Certification Failure
timeout The device sends an authentication packet but does not receive a response from the server, and the authentication timeout
escaped Escape users
logoff Users offline
Auth-type	Authentication method

marked by the authentication method currently in effect, and the authentication results do not preempt |

show {dot1x|portal} server-status

[Command] show {dot1x|portal} server-status

[Purpose] Display radius server status

[View] System view

[Usage Scenario] Servers can exist in two states: active and inactive. The active state indicates that the Radius server is functioning normally and can perform user authentication. The inactive state indicates that the server is experiencing issues. If users continue to authenticate, they will come online in escape mode. Using this command helps check the current connectivity status of the server.

[Notes] If all configured Radius servers on the device are in the inactive state, it triggers the global escape function. After server recovery, it initiates one or more re-authentication attempts for escaped users until they come online normally or fail authentication and go offline.

[Use Cases]

sonic# show dot1x server-status
+---------------+----------+
| Server        | Status   |
+===============+==========+
| 151.1.0.1     | active   |
+---------------+----------+
| 150.1.0.1     | active   |
+---------------+----------+
| detect result | active   |
+---------------+----------+

show authentication radius-server configuration

[Command] show authentication radius-server configuration

[Purpose] Display configuration information related to the RADIUS server

[View] System view

[Use Cases]

sonic# show authentication radius-server configuration
+-----------------------+----------------------------------------+
| Interface             | Configuration                          |
+=======================+========================================+
| Auth server           | server-addr          = 151.1.0.1       |
|                       | shared-secret        = ******|
|                       | source-addr          = 10.1.0.1        |
|                       | vrf                  = default         |
|                       | role                 = secondary       |
+-----------------------+----------------------------------------+
| Acct server           | server-addr          = 150.1.0.1       |
|                       | shared-secret        =******|
|                       | source-addr          = 10.1.0.1        |
|                       | vrf                  = default         |
|                       | role                 = primary         |
+-----------------------+----------------------------------------+
| Auth server           | server-addr          = 150.1.0.1       |
|                       | shared-secret        =******|
|                       | source-addr          = 10.1.0.1        |
|                       | vrf                  = default         |
|                       | role                 = primary         |
+-----------------------+----------------------------------------+
| Dynamic authorization | das-enable           = enable          |
|                       | client-addr          = 0.0.0.0         |
|                       | shared-secret        =******|
|                       | das-port             = 3799            |
+-----------------------+----------------------------------------+
| Global                | server-mode            = master-backup |
|                       | timeout-aging-timer    = 120           |
|                       | timeout-reauth-count   = 1             |
|                       | timeout-reauth-period  = 15            |
+-----------------------+----------------------------------------+

show authentication dot1x configuration [Command]show authentication dot1x configuration[Purpose] View dot1x related configurations [View] System view [Use Cases]```plaintext

sonic# show authentication dot1x configuration +---------------+-------------------------------+ | Interface | Configuration | +===============+===============================+ | Ethernet1 | 8021x = enable | | | dot1x-mab = enable | | | mab-priority = low | | | 8021x-priority = high | +---------------+-------------------------------+ | Detect server | detect-server = enable | | | testuser-username = NA | | | testuser-password =******| | | detect-interval = 60 | | | detect-timeout-count = 3 | +---------------+-------------------------------+

### show authentication portal configuration **\[Command]****show authentication portal configuration****\[Purpose]** View portal related configurations **\[View]** System view **\[Use Cases]**```plaintext
sonic# show authentication portal configuration
+----------------------+-------------------------------+
| Interface            | Configuration                 |
+======================+===============================+
| Detect radius-server | detect-server        = enable |
|                      | testuser-username    = aaa    |
|                      | testuser-password    =******|
|                      | detect-interval      = 60     |
|                      | detect-timeout-count = 3      |
+----------------------+-------------------------------+
| Portal protocol      | http                          |
+----------------------+-------------------------------+
| Detect portal-server | detect-server        = enable |
|                      | detect-interval      = 60     |
|                      | detect-timeout-count = 3      |
+----------------------+-------------------------------+

authentication enable [Command]authentication enable[Purpose] Enable authentication functionality [View] System configuration view [Usage Scenario] When access users need to use 802.1x or Portal for access authentication, it is necessary to enable authentication functionality globally first, and then configure the corresponding authentication services.[Use Cases]```plaintext

sonic(config)# authentication enable

### authentication radius-server [source]**\[Command]****authentication radius-server** *ip-address share-secret* **\[source** *ip-address* **]**
**no authentication radius-server** *ip-address*

**\[Purpose]**
Configure the RADIUS server

**\[Parameter]**

| **Parameter**       | **Description**                                                                                                                                         |
| ------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------- |
| *ip-address*        | Configure the server IP address                                                                                                                         |
| *share-secre*       | Configure the shared key between the device and the server                                                                                              |
| *source ip-address* | Configure the source IP address of the device when sending RADIUS packets to the server, usually it is recommended to use the address of Loopback0 port |

**\[View]**
System configuration view

**\[Use Cases]**

```plaintext
sonic(config)# authentication radius-server 150.1.0.1 dot1x source 10.1.0.1

authentication radius-server server-mode {master-backup|polling}

[Command] authentication radius-server server-mode {master-backup|polling}

[Purpose] Configure the working mode of servers in a multi-server scenario

[Parameter]

Parameter	Description
master-backup	Master-backup mode
polling	Dual-mode

[View] System configuration view

[Usage Scenario] In an authentication environment with multiple authentication servers, users can modify the server working mode to master-backup or polling mode based on actual requirements during configuration.

[Notes] When the working mode of the RADIUS server is configured as master-backup, the device, upon receiving EAPOL packets from clients, will prioritize one server for authentication. When the server’s working mode is set to polling, the device will duplicate EAPOL packets and send them to multiple servers simultaneously, selecting the server that responds first for subsequent packet interactions.

[Use Cases]

sonic(config)# authentication radius-server server-mode polling

authentication radius-server accounting [source]

[Command] authentication radius-server accounting ip-address share-secret [source ip-address ] no authentication radius-server accounting ip-address

[Purpose] Configure RADIUS billing server

[Parameter]

Parameter	Description
ip-address	Configure the server IP address
share-secret	Configure the shared key between the device and the server
source ip-address	Configure the source IP address of the device when sending RADIUS packets to the server, usually it is recommended to use the address of Loopback0 port

[View] System configuration view

[Use Cases]

sonic(config)# dot1x radius-server accounting 150.1.0.1 dot1x source 10.1.0.1

authentication radius-server dot1x detect-server

[Command] authentication radius-server dot1x detect-server enable authentication radius-server dot1x detect-server interval value authentication radius-server dot1x detect-server timeout-count value no authentication radius-server dot1x detect-server enable

[Purpose] Configure RADIUS server detection

[Parameter]

Parameter	Description
enable	Enable the server detection function
interval value	Specify the detection period of the server, the value range: 30~3600s
timeout-count value	Specify the maximum number of consecutive non-response in each probe cycle of the server, the value range: 2-50

[View] System configuration view

[Usage Scenario] When the number of failed probes in a probing cycle reaches the maximum number of consecutive non-responses, the device is judged to be disconnected from the RADIUS server, and if all RADIUS servers configured on the device are disconnected, the newly online terminal is judged to be an escape user. When the RADIUS server resumes connection, the user indicated as an escape needs to be re-authenticated.

[Use Cases]

sonic(config)# dot1x radius-server detect-server enable
sonic(config)# dot1x radius-server detect-server interval 100
sonic(config)# dot1x radius-server detect-server timeout-count 3

authentication portal-server {primary|secondary}

[Command] authentication portal-server server-url {primary|secondary}

[Purpose] Configure the portal server

[Parameter]

Parameter	Description
server-url	URL of the portal server
primary	Designate the server as the primary server
secondary	Designate the server as the secondary server

[View] System configuration view

[Use Cases]

sonic(config)# authentication portal-server http://192.168.0.1:8080/login

authentication dot1x enable

[Command] authentication dot1x enable no authentication dot1x enable

[Purpose] Enable dot1x authentication function

[View] Interface view

[Use Cases]

sonic(config)# interface ethernet 1
sonic(config-if-1)# authentication dot1x enable

authentication dot1x eap-type {peap|tls} enable

[Command] authentication dot1x eap-type {peap|tls} enable no authentication dot1x eap-type {peap|tls} enable

[Purpose] Modify the switch of dot1x authentication method

[View] System configuration view

[Usage Scenario] By default, the device supports PEAP, TLS, and MD5 authentication methods, and when dot1x authentication is enabled, all authentication methods are enabled. Among them, PEAP and TLS authentication methods support shutdown, and after closing, authentication cannot be passed by using this method

[Use Cases]

sonic(config)# dot1x enable
sonic(config)# interface ethernet 1
sonic(config-if-1)# authentication dot1x enable
sonic(config-if-1)# no authentication dot1x eap-type tls enable

authentication dot1x mac-bypass enable

[Command] authentication dot1x mac-bypass enable no authentication dot1x mac-bypass enable

[Purpose] Enables MAC bypass authentication for the interface

[View] Interface view

[Usage Scenario] For terminals that cannot install and use 802.1X client software, such as printers, MAC bypass authentication can be employed for authentication.

[Notes] Enabling MAC bypass authentication requires enabling dot1x authentication at the same time.

[Use Cases]

sonic(config)# interface ethernet 1
sonic(config-if-1)# authentication dot1x mac-bypass enable

authentication dot1x guest-vlan

[Command] authentication dot1x guest-vlan vlan_id

[Purpose] Configure the interface to receive packets belonging to that VLAN dot1x to allow traffic

[Parameter]

Parameter	Description
vlan_id	Specify the VLANID

[View] Interface view

[Usage Scenario] After configuring this feature, users carrying the specified VLAN on this interface are always in the authorized state, allowing them to access network resources without authentication. This method can be used for scenarios where users on the interface are fully trusted, allowing them to access network resources without authentication. It can also be combined with ACL functionality to control access to specific resources when not authenticated.

[Notes] The Guest VLAN must be a VLAN that the interface has already joined.

[Use Cases]

sonic(config)# interface ethernet 1
sonic(config-if-1)# authentication dot1x guest-vlan 10

authentication dot1x restrict-vlan

[Command] authentication dot1x restrict-vlan VLAN_ID

[Purpose] Configure the restrict VLAN for the interface

[View] Interface view

[Usage Scenario] After configuring this feature, when a user under the interface fails authentication, the interface will automatically be added to the restrict VLAN in access mode. This allows access to specific network resources in the restrict VLAN even after user authentication failure.

[Notes] The interface will only be added to the restrict VLAN in access mode. The restrict VLAN cannot be a VLAN that the interface is already a member of.

[Use Cases]

sonic(config)# interface ethernet 1
sonic(config-if-1)# dot1x authentication restrict-vlan 10

authentication dot1x priority {dot1x|mab} {dot1x|mab}

[Command] authentication dot1x priority {dot1x|mab} {dot1x|mab}

[Purpose] Specify the priority of dot1x and mac-bypass authentication.

[View] Interface view

[Usage Scenario] When both dot1x and mac-bypass authentication are enabled on an interface, specifying a higher priority for dot1x authentication than mac-bypass allows for initiating MAC authentication for users if dot1x authentication times out.

[Notes] The first parameter designates the authentication method with higher priority. By default, if both dot1x and mac-bypass authentication are enabled on an interface, access to the network is granted if either authentication method succeeds.

[Use Cases]

sonic(config)# interface ethernet 1
sonic(config-if-1)# authentication dot1x enable
sonic(config-if-1)# authentication dot1x mac-bypass enable
sonic(config-if-1)# authentication dot1x priority dot1x mab

authentication dot1x reauthenticate-period

[Command] authentication dot1x reauthenticate-period value

[Purpose] Configure the 802.1X authentication re-authentication period for the interface

[Parameter]

Parameter	Description
value	Value range: 2-2000, 0, unit: min

[View] Interface view

[Notes] When value is 0, it means turn off the 802.1X authentication re-authentication function of the interface.

[Use Cases]

sonic(config)# interface ethernet 1
sonic(config-if-1)# authentication dot1x reauthenticate-period 2000

authentication dot1x accounting-realtime

[Command] authentication dot1x accounting-realtime value

[Purpose] Configure the real-time upload period of the billing server

[Parameter]

Parameter	Description
value	Value range: 2-2000, 0

[View] Interface view

[User Scenario] After enabling periodic reauthentication for 802.1X on a port, the device will periodically reauthenticate 802.1X users who have successfully authenticated on the port. This ensures that when there are changes in authorization information, users can be promptly reauthenticated to update their authorization information.

[Notes] When value is 0, it means disable the real-time upload function

[Use Cases]

sonic(config)# interface ethernet 1
sonic(config-if-1)# authentication dot1x accounting-realtime 2000

authentication dot1x dhcp {deny|permit}

[Command] authentication dot1x dhcp {deny|permit}

[Purpose] Configure to block DHCP messages until authentication is successful

[View] Interface view

[Use Cases]

sonic(config)# interface ethernet 1
sonic(config-if-1)# authentication dot1x dhcp deny

authentication dot1x reget-ip

[Command] authentication dot1x reget-ip

[Purpose] After configuring this command, when a terminal successfully authenticates and is assigned an authorized VLAN, the system will automatically bring the interface down and then up to force the terminal to renew its IP address.

[View] Interface view

[Use Cases]

sonic(config)# interface ethernet 1
sonic(config-if-1)# authentication dot1x reget-ip

authentication portal enable

[Command] authentication portal enable no authentication portal enable

[Purpose] Enable portal authentication function

[View] Interface view

[Notes] Dot1x authentication and portal authentication cannot be enabled simultaneously on the interface.

[Use Cases]

sonic(config)# interface ethernet 1
sonic(config-if-1)# authentication portal enable

authentication portal mac-bypass enable

[Command] authentication portal mac-bypass enable no authentication portal mac-bypass enable

[Purpose] Enable portal MAC bypass authentication functionality on the interface

[View] Interface view

[Notes] Enabling MAC bypass authentication requires simultaneously enabling portal authentication functionality.

[Use Cases]

sonic(config)# interface ethernet 1
sonic(config-if-1)# authentication portal mac-bypass enable

authentication portal guest-vlan

[Command] authentication portal guest-vlan VLAN-ID

[Purpose] Configure the interface to treat incoming packets belonging to the specified VLAN as forced-authorized state.

[View] Interface view

[User Scenario] After configuring this feature, users on the interface carrying the specified VLAN will consistently remain in an authorized state, allowing them to access network resources without authentication. This method is suitable for scenarios where users on the interface are fully trusted, and access to network resources is permitted without authentication. Additionally, it can be combined with ACL (Access Control List) functionality to control access to specific resources when users are not authenticated.

[Notes] The Guest VLAN must be a VLAN that the interface has already joined.

[Use Cases]

sonic(config)# interface ethernet 1
sonic(config-if-1)# switchport access vlan 10
sonic(config-if-1)# authentication portal guest-vlan 10

authentication portal restrict-vlan

[Command] authentication portal restrict-vlan VLAN-ID

[Purpose] Configure the interface’s restricted VLAN.

[View] Interface view

[Usage Scenario] After configuring this feature, when user authentication fails on the interface, the interface is automatically added to the restrict VLAN in access mode. This allows users to access specific network resources within the restrict VLAN even after authentication failure.

[Notes] The interface will only be added to the restrict VLAN in access mode. The restrict VLAN cannot be a VLAN that the interface has already joined.

[Use Cases]

sonic(config)# interface ethernet 1
sonic(config-if-1)# authentication portal restrict-vlan 10

authentication portal reauthenticate-period

[Command] authentication portal reauthenticate-period value

[Purpose] Configure the portal authentication re-authentication period for the interface

[Parameter]

Parameter	Description
value	Value range: 2-2000, 0, unit: min

[View] Interface view

[Notes] When value is 0, it means turn off the portal authentication re-authentication function of the interface.

[Use Cases]

sonic(config)# interface ethernet 1
sonic(config-if-1)# authentication portal reauthenticate-period 2000

authentication timeout-user aging timer

[Command] authentication timeout-user aging timer clear-timer

[Purpose] Configure the aging time for timeout users

[View] System view

[Usage Scenario] When the device receives an authentication request message from a terminal and does not receive a response message from the server within a certain period, the status of the terminal is marked as timed out.

[Use Cases]

sonic(config)# authentication timeout-user aging timer 300

authentication timeout-user reauth-period

[Command] authentication timeout-user reauth-period reauth_period

[Purpose] Configure the reauthentication interval for timed-out users

[Parameter]

Parameter	Description
reauth_period	Unit: seconds, Range: 5-15, Default: 15

[View] System configuration view

[Usage Scenario] After a client initiates an authentication request to the device, this timer is activated. If the device does not receive a response from the client within the specified duration of this timer, the device will reinitiate the authentication request. When a user is marked as timed-out, the device will initiate reauthentication at the frequency specified by this command.

[Use Cases]

sonic(config)# authentication timeout-user reauth-period 20

authentication timeout-user reauth-count

[Command] authentication timeout-user reauth-count reauth_count

[Purpose] Configure the number of reauthentication attempts for timed-out users.

[Parameter]

Parameter	Description
reauth_count	Number of reauthentication attempts, Range: 1-60, Default: 1

[View] System configuration view

[Usage Scenario] Due to network fluctuations or unstable links, authentication request packets may not be successfully transmitted to the server, resulting in unsuccessful device-side authentication. To avoid such scenarios, user can configure the number of reauthentication attempts for timed-out users. When a user is marked as timed-out, the device will initiate reauthentication at the specified frequency for the number of attempts specified by this command.

[Use Cases]

sonic(config)# authentication timeout-user reauth-count 3

authentication reset {dot1x|portal}

[Command] authentication reset {dot1x|portal} { interface_name| nn:nn:nn:nn:nn:nn*}*

[Purpose] Force user logout

[View] System configuration view

[Usage Scenario] When redeploying services or troubleshooting, after implementing the corresponding troubleshooting measures, you can use this command to force all users to log out. Then, reauthenticate and query the results to determine if the authentication is normal or if the issue has been resolved.

[Use Cases]

sonic(config)# authentication reset dot1x 1