R0106-HP MSR Router Series Security Configuration Guide(V7)

Offline detect timer—Sets the interval that the device waits for traffic from a user before the device regards the user as idle. If a user connection has been idle for the interval, the device logs the user out and stops accounting for the user.
Quiet timer—Sets the interval that the device must wait before the device can perform MAC authentication for a user who has failed MAC authentication. All packets from the MAC address are dropped during the quiet time. This quiet mechanism prevents repeated authentication from affecting system performance.
Server timeout timer—Sets the interval that the device waits for a response from a RADIUS server before the device regards the RADIUS server as unavailable. If the timer expires during MAC authentication, the user cannot access the network.
To configure MAC authentication timers:
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Configure MAC authentication timers.
    Command: mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | server-timeout server-timeout-value }
    Remarks: By default, the offline detect timer is 300 seconds, the quiet timer is 60 seconds, and the server timeout timer is 100 seconds.
Setting the maximum number of concurrent MAC authentication users on a port
Perform this task to prevent the system resources from being overused.
To set the maximum number of concurrent MAC authentication users on a port:
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Enter interface view.
    Command: interface interface-type interface-number
    Remarks: N/A
Step 3. Set the maximum number of concurrent MAC authentication users on the port.
    Command: mac-authentication max-user user-number
    Remarks: By default, the maximum number of concurrent MAC authentication users on the port is 256.
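The following Python model is an added example, not HP's code or the device's implementation. It simulates the quiet timer, the offline detect timer, and the per-port user limit as described above, using the default values from this guide, to show how the quiet timer bounds the RADIUS load that one failing MAC address can generate. The class and function names, the order of the checks, and the sample MAC address are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    quiet: int = 60            # quiet timer default from this guide (seconds)
    offline_detect: int = 300  # offline detect timer default (seconds)
    max_user: int = 256        # per-port concurrent user default
    online: dict = field(default_factory=dict)       # MAC -> time of last traffic
    quiet_until: dict = field(default_factory=dict)  # MAC -> end of quiet period
    radius_requests: int = 0   # authentication attempts sent to the server

    def packet(self, now, mac, accepted):
        """Handle one packet at time `now`; `accepted` stands in for the RADIUS server."""
        # Offline detect: log out users with no traffic for the whole interval.
        for m, last in list(self.online.items()):
            if now - last >= self.offline_detect:
                del self.online[m]
        if mac in self.online:
            self.online[mac] = now
            return "forward"
        # Quiet timer: drop everything from a MAC that recently failed.
        if now < self.quiet_until.get(mac, 0):
            return "drop-quiet"
        # User limit: refuse new users once the port is full (check order assumed).
        if len(self.online) >= self.max_user:
            return "drop-max-user"
        self.radius_requests += 1
        if mac in accepted:
            self.online[mac] = now
            return "authenticated"
        self.quiet_until[mac] = now + self.quiet
        return "auth-failed"

def radius_load(quiet, duration=600, step=1):
    """RADIUS requests caused by one unknown MAC sending a packet every `step` seconds."""
    port = Port(quiet=quiet)
    for t in range(0, duration, step):
        port.packet(t, "00:00:5e:00:53:01", accepted=set())  # constructed MAC
    return port.radius_requests

if __name__ == "__main__":
    print("quiet=60s:", radius_load(60), "requests in 10 minutes")
    print("quiet=1s: ", radius_load(1), "requests in 10 minutes")
```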
Configuring MAC authentication delay
When both 802.1X authentication and MAC authentication are enabled on a port, you can delay MAC
authentication so that 802.1X authentication is preferentially triggered.
If no 802.1X authentication is triggered or 802.1X authentication fails within the delay period, the port
continues to process MAC authentication.
Do not set the port security mode to mac-else-userlogin-secure or mac-else-userlogin-secure-ext when
you use MAC authentication delay. The delay does not take effect on a port in either of the two modes.
For more information about port security modes, see "Configuring port security."