
authentication event

Function

The authentication event command grants network access rights to users in different authentication stages.

The undo authentication event command cancels network access rights of users in different authentication stages.

By default, no network access right is granted to users in different authentication stages.

Format

  • Command for 802.1X authentication:

    System view, Ethernet interface view, GE interface view, MultiGE interface view, XGE interface view, 25GE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view:

    authentication event { pre-authen | authen-fail | authen-server-down | client-no-response } { vlan vlan-id | user-group group-name }

    undo authentication event { pre-authen | authen-fail | authen-server-down | client-no-response }

  • Command for MAC address authentication:

    System view, Ethernet interface view, GE interface view, MultiGE interface view, XGE interface view, 25GE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view:

    authentication event { pre-authen | authen-fail | authen-server-down } { vlan vlan-id | user-group group-name }

    undo authentication event { pre-authen | authen-fail | authen-server-down }

    VLANIF interface view:

    authentication event { authen-fail | authen-server-down } user-group group-name

    undo authentication event { authen-fail | authen-server-down }

  • Command for external Portal authentication:

    System view:

    authentication event { pre-authen | authen-fail | authen-server-down } user-group group-name

    undo authentication event { pre-authen | authen-fail | authen-server-down }

    VLANIF interface view:

    authentication event { authen-fail | authen-server-down } user-group group-name

    undo authentication event { authen-fail | authen-server-down }

  • Command for built-in Portal authentication:

    System view, Ethernet interface view, GE interface view, MultiGE interface view, XGE interface view, 25GE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view:

    authentication event { pre-authen | authen-fail | authen-server-down } { vlan vlan-id | user-group group-name }

    undo authentication event { pre-authen | authen-fail | authen-server-down }

    VLANIF interface view:

    authentication event { authen-fail | authen-server-down } user-group group-name

    undo authentication event { authen-fail | authen-server-down }

Parameters

| Parameter | Description | Value |
|---|---|---|
| pre-authen | Specifies the network access rights granted to users before authentication starts. In 802.1X authentication, when a device receives an ARP or DHCP request packet sent from a user terminal, but not an authentication request packet from an 802.1X client, the device grants the pre-authen right to the user. If only this parameter is specified and no network access rights are configured for other events, the device grants the pre-authen right to users who fail authentication. In MAC address or Portal authentication, if only this parameter is specified and no network access rights are configured for other events, the device grants the pre-authen right to users who fail authentication. | - |
| authen-fail | Specifies the network access rights granted to users when authentication fails. The device grants this right to all users who have failed authentication. | - |
| authen-server-down | Specifies the network access rights granted to users when the authentication server does not respond. If both the authen-server-down and authen-fail parameters are specified, the authen-server-down parameter takes effect if the authentication server does not respond. | - |
| client-no-response | Specifies the network access rights granted to users when the 802.1X client does not respond. If both the client-no-response and authen-fail parameters are specified, the client-no-response parameter takes effect if the 802.1X client does not respond. | - |
| vlan vlan-id | Specifies a VLAN ID. When this parameter is specified, the user can access only the resources in the VLAN. | The value is an integer that ranges from 1 to 4094. |
| user-group group-name | Specifies a user group. When this parameter is specified, the user can access the resources defined for the user group. | The value must be an existing service scheme name. |

Views

System view, VLANIF interface view, Ethernet interface view, GE interface view, MultiGE interface view, XGE interface view, 25GE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Use this command to grant different network access rights to users in different authentication stages.

Prerequisites

802.1X authentication, MAC address authentication, or Portal authentication has been enabled.

Precautions

  • If the command is executed in both the interface view and the system view, the configuration in the interface view takes effect.
  • This function takes effect only for users who go online after this function is successfully configured.
  • If the user-group parameter is specified in the command, only the network access rights (that is, the ACL and VLAN bound to the user group) configured for the user group take effect.
  • If the network access rights specified in the authentication event command are defined by a user group, the dot1x free-ip command configured in the system view does not take effect, and the dot1x free-ip command configured in the interface view does not take effect for that interface.
  • If the user-group parameter is specified in the command and the destination network access rights in the authentication-free rule configured by portal free-rule are the same as those defined for the user group, the authentication-free rule does not take effect.
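The resolution rules stated above (interface view over system view, and the pre-authen right going to failed users when it is the only event configured) can be checked against a configuration to see what an unauthenticated user ends up with on each port. The following is an added example, not Huawei code. It assumes a saved-configuration layout with `#` section separators, that the interface view overrides the system view per event, and that an outcome with no applicable right resolves to the default of no access; the sample configuration and function names are constructed for illustration.

```python
import re

OUTCOMES = ("pre-authen", "authen-fail", "authen-server-down", "client-no-response")
# Constructed sample in an assumed saved-configuration layout (not from the page).
SAMPLE = """\
authentication event pre-authen vlan 20
#
interface GigabitEthernet0/0/1
 authentication event authen-fail vlan 10
 authentication event authen-server-down user-group critical
#
interface GigabitEthernet0/0/2
#
"""
EVENT_RE = re.compile(
    r"^authentication event (%s) (vlan|user-group) (\S+)$" % "|".join(OUTCOMES))

def parse(config):
    """Return {view: {event: (kind, value)}}; view is 'system' or an interface name."""
    views, view = {"system": {}}, "system"
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":                      # assumed section separator
            view = "system"
        elif line.startswith("interface "):
            view = line.split(None, 1)[1]
            views.setdefault(view, {})
        elif (m := EVENT_RE.match(line)):
            event, kind, value = m.groups()
            if kind == "vlan" and not (value.isdigit() and 1 <= int(value) <= 4094):
                raise ValueError(f"{view}: VLAN ID {value!r} outside 1-4094")
            views[view][event] = (kind, value)
    return views

def right_for(events, outcome):
    """Right granted for one outcome, or None (the default: no right)."""
    if outcome in events:
        return events[outcome]
    # Only pre-authen configured: failed users receive the pre-authen right.
    if outcome == "authen-fail" and set(events) == {"pre-authen"}:
        return events["pre-authen"]
    return None  # assumption: the page states no other fallback

def audit(config):
    """Per interface, the right each outcome yields; interface view overrides system view."""
    views = parse(config)
    system = views.pop("system")
    return {name: {o: right_for({**system, **own}, o) for o in OUTCOMES}
            for name, own in views.items()}
```

Reviewing the `audit(SAMPLE)` result per interface shows where a port inherits a system-wide right that was never intended for it, such as GigabitEthernet0/0/2 placing failed users in VLAN 20.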

Example

# On GE0/0/1, allow users to access resources in VLAN 10 when authentication fails.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] authentication event authen-fail vlan 10
Copyright © Huawei Technologies Co., Ltd.