mac-authen timer

Function

The mac-authen timer command configures parameters of timers for MAC address authentication.

The undo mac-authen timer command restores the default parameter values of timers for MAC address authentication.

Format

mac-authen timer { guest-vlan reauthenticate-period interval | offline-detect offline-detect-value | quiet-period quiet-value }

undo mac-authen timer { guest-vlan reauthenticate-period | offline-detect | quiet-period }

Parameters

Parameter	Description	Value
guest-vlan reauthenticate-period interval	Specifies the interval for re-authenticating users in the Guest VLAN.	The value is an integer that ranges from 60 to 3600, in seconds. The default value is 60.
offline-detect offline-detect-value	Specifies the interval for detecting online users. The timer is used to periodically check whether a user is offline. NOTE: The timer takes effect for both MAC address authentication users and static users.	The value is an integer that ranges from 30 to 7200, and 0, in seconds. The default value is 300. 0 means disable detecting online users.
quiet-period quiet-value	Specifies the value of the quiet timer. If a user fails authentication, the device does not process the user's authentication requests until the quiet timer expires. During the quiet period, the device does not process the user's authentication requests.	The value is an integer that ranges from 0 to 3600, in seconds. By default, the quiet period of a user who fails authentication is 60 seconds. NOTE: When the quiet timer is set to 0, the quiet function is disabled.

Parameter

Description

Value

guest-vlan reauthenticate-period interval

Specifies the interval for re-authenticating users in the Guest VLAN.

The value is an integer that ranges from 60 to 3600, in seconds. The default value is 60.

offline-detect offline-detect-value

Specifies the interval for detecting online users.

The timer is used to periodically check whether a user is offline.

NOTE:

The timer takes effect for both MAC address authentication users and static users.

The value is an integer that ranges from 30 to 7200, and 0, in seconds. The default value is 300.

0 means disable detecting online users.

quiet-period quiet-value

Specifies the value of the quiet timer. If a user fails authentication, the device does not process the user's authentication requests until the quiet timer expires. During the quiet period, the device does not process the user's authentication requests.

The value is an integer that ranges from 0 to 3600, in seconds.

By default, the quiet period of a user who fails authentication is 60 seconds.

NOTE:

When the quiet timer is set to 0, the quiet function is disabled.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

During MAC address authentication, multiple timers implement systematic interactions between access users or devices and the authentication server. You can change the values of the timers by running the mac-authen timer command to adjust the interaction process. (The values of some timers cannot be changed.) This command is necessary in special network environments. Generally, the default settings of the timers are recommended.

If the number of offline detection packets (ARP packets) exceeds the default CAR value, the detection fails and the users are logged out. (The display cpu-defend statistics command can be run to check whether ARP request and response packets are lost.) To resolve the problem, the following methods are recommended:

Increase the detection interval based on the number of users. The default detection interval is recommended when there are less than 8000 users; the detection interval should be no less than 600 seconds when there are more than 8000 users.
Deploy the port attack defense function on the access device and limit the rate of packets sent to the CPU.

Example

# Set the value of the quiet timer to 60 seconds.

<HUAWEI> system-view
[HUAWEI] mac-authen timer quiet-period 60