R0106-HP MSR Router Series Security Command Reference(V7)
145
Usage guidelines
MAC authentication uses the following timers:
• Offline detect timer—Sets the interval that the device waits for traffic from a user before the device
regards the user idle. If a user connection has been idle within the interval, the device logs the user
out and stops accounting for the user.
• Quiet timer—Sets the interval that the device must wait before the device can perform MAC
authentication for a user who has failed MAC authentication. All packets from the MAC address are
dropped during the quiet time. This quiet mechanism prevents repeated authentication from
affecting system performance.
• Server timeout timer—Sets the interval that the device waits for a response from a RADIUS server
before the device regards the RADIUS server unavailable. If the timer expires during MAC
authentication, the user cannot access the network.
Examples
# Set the server timeout timer to 150 seconds.
<Sysname> system-view
[Sysname] mac-authentication timer server-timeout 150
Related commands
display mac-authentication
mac-authentication timer auth-delay
Use mac-authentication timer auth-delay to enable MAC authentication delay and set the delay time.
Use undo mac-authentication timer auth-delay to restore the default.
Syntax
mac-authentication timer auth-delay time
undo mac-authentication timer auth-delay
Default
MAC authentication delay is disabled.
Views
Ethernet interface view
Predefined user roles
network-admin
Parameters
time: Specifies the delay time for MAC authentication in seconds. The value range is 1 to 180.
Usage guidelines
When both 802.1X authentication and MAC authentication are enabled on a port, you can delay MAC
authentication so that 802.1X authentication is preferentially triggered. If no 802.1X authentication is
triggered or if 802.1X authentication fails within the delay period, the port continues to process MAC
authentication.
Do not set the port security mode to mac-else-userlogin-secure or mac-else-userlogin-secure-ext when
you want to use MAC authentication delay. The delay does not take effect on a port in either of the two
modes. For more information about port security modes, see "Port security commands."