
Ruijie SCN Solution Troubleshooting Cookbook (V1.1)

2020-02-15


SCN Solution FAQ

Q1: Why doesn't the web authentication page pop up?

A: Work through the following steps to identify the issue:

Step 1: Check whether the terminal PC has successfully obtained an IP address.

1. On the terminal, run ipconfig /all to check the IP address.

2. On the N18K, run show ip dhcp binding | include xxxx.xxxx.xxxx (the user's MAC address) to confirm that the device handed out that address.

Step 2: Check the terminal PC's connectivity.

1. Run arp -a on the terminal to check whether it has learnt the gateway's ARP entry.

2. On the terminal, ping a well-known website to check whether DNS works. By default, DNS traffic is exempted from web authentication.

3. On the terminal, ping the IP address of the Portal server. If the ping fails, check whether the N18K exempts the Portal IP address, for example http redirect direct-site 172.18.18.35.

Step 3: On the N18K, run show arp | include <IP address> to check whether the device has learnt the correct ARP entry for the PC.

1. If the ARP entry is dynamically learned and its MAC address is not the actual terminal MAC address, run clear arp <IP address> to clear it for fast recovery.

2. If the ARP entry is static and its MAC address is not the actual terminal MAC address, check the web authentication online-user entry for that address.

3. If the online-user information on the device is inconsistent with the terminal, a residual online-user entry has probably been left behind. Recover quickly by running clear web-auth user ip x.x.x.x and clear ip dhcp binding x.x.x.x.
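The Step 3 cross-check above (does the ARP entry's MAC match the terminal, is the entry static or dynamic, and does the web-auth online entry agree) is easy to get wrong by eye on a busy switch. The following is an added example, not part of the Ruijie cookbook, that performs the comparison offline on saved command output and prints the recovery commands the cookbook names. The three sample outputs are constructed approximations of show ip dhcp binding, show arp and show web-auth user all; real N18K columns differ, so adjust the regular expressions to your device's format.

```python
"""Cross-check DHCP binding, ARP and web-auth tables for one terminal (Q1, Step 3).

Added example for this cookbook page; the sample outputs below are constructed
and only approximate the real N18K formats.
"""
import re

IP_RE = r"\d{1,3}(?:\.\d{1,3}){3}"
MAC_RE = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"

# Constructed 'show ip dhcp binding' output (not captured from a real device).
DHCP_BINDING = """\
IP address        Client-Identifier/       Lease expiration        Type
                  Hardware address
10.0.1.21         0001.2233.4455           Feb 15 2020 09:12 AM    Automatic
10.0.1.22         0001.2233.4466           Feb 15 2020 09:15 AM    Automatic
"""

# Constructed 'show arp' output; an age of '-' marks a static entry.
ARP_TABLE = """\
Protocol  Address          Age(min)  Hardware Addr    Type  Interface
Internet  10.0.1.1         -         00d0.f811.0001   ARPA  VLAN 100
Internet  10.0.1.21        -         0001.2233.4455   ARPA  VLAN 100
Internet  10.0.1.22        -         aaaa.bbbb.cccc   ARPA  VLAN 100
Internet  10.0.1.23        3         0001.2233.4477   ARPA  VLAN 100
"""

# Constructed 'show web-auth user all' output.
WEBAUTH_USERS = """\
Address          MAC              Time(hh:mm:ss)  Online-state
10.0.1.21        0001.2233.4455   00:42:11        ONLINE
10.0.1.22        aaaa.bbbb.cccc   03:10:05        ONLINE
"""


def parse_dhcp_binding(text):
    """Return {ip: mac} from 'show ip dhcp binding'-style output."""
    out = {}
    for line in text.splitlines():
        m = re.match(rf"\s*({IP_RE})\s+({MAC_RE})", line)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def parse_arp(text):
    """Return {ip: (mac, is_static)}; the age column '-' means static."""
    out = {}
    for line in text.splitlines():
        m = re.match(rf"\s*Internet\s+({IP_RE})\s+(\S+)\s+({MAC_RE})", line)
        if m:
            out[m.group(1)] = (m.group(3), m.group(2) == "-")
    return out


def parse_webauth_users(text):
    """Return {ip: mac} from 'show web-auth user all'-style output."""
    out = {}
    for line in text.splitlines():
        m = re.match(rf"\s*({IP_RE})\s+({MAC_RE})", line)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def diagnose(ip, terminal_mac, dhcp, arp, webauth):
    """Apply the Q1 Step 3 rules. Returns (finding, recovery_commands) tuples."""
    findings = []
    if ip not in arp:
        findings.append(("no ARP entry for the terminal on the N18K", []))
    else:
        mac, static = arp[ip]
        if mac != terminal_mac and not static:
            # Step 3 item 1: stale dynamic entry, clear it.
            findings.append(("stale dynamic ARP entry", [f"clear arp {ip}"]))
        elif mac != terminal_mac and static:
            # Step 3 items 2-3: static entry comes from authentication; if the
            # online entry also disagrees with the terminal it is residual.
            if webauth.get(ip) != terminal_mac:
                findings.append(("residual web-auth online entry",
                                 [f"clear web-auth user ip {ip}",
                                  f"clear ip dhcp binding {ip}"]))
            else:
                findings.append(("static ARP entry does not match terminal", []))
    if ip in dhcp and dhcp[ip] != terminal_mac:
        findings.append(("DHCP binding held by another MAC",
                         [f"clear ip dhcp binding {ip}"]))
    return findings


if __name__ == "__main__":
    tables = (parse_dhcp_binding(DHCP_BINDING), parse_arp(ARP_TABLE),
              parse_webauth_users(WEBAUTH_USERS))
    for ip, mac in [("10.0.1.21", "0001.2233.4455"), ("10.0.1.22", "0001.2233.4466"),
                    ("10.0.1.23", "0001.2233.4488")]:
        print(ip, diagnose(ip, mac, *tables))
```

The terminal MAC passed to diagnose() is the one read from ipconfig /all in Step 1; the function never trusts the switch's own tables for it, which is the whole point of the check.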

 

 

Q2: Why does 802.1x authentication fail although the basic 802.1x configuration is correct?

A:

1. On the access-layer switches, the 802.1x and AAA configuration must be removed so that they transparently forward 802.1x packets to the core switch.

2. A key configuration of the simplified campus network solution is VLAN pruning on trunk ports. When deploying an SCN network, check whether the VLAN the user belongs to has been pruned from the trunk. If it has, the packets cannot be forwarded.

 

 

Q3: Why does the system report that user authentication has expired?

A: The possible reasons are as follows:

- The NAS IP address has not been added to the SAM, or has been added incorrectly. Check the authentication logs on the SAM for an incorrect-NAS-IP message.

- The Su client did not select the proper network interface card when the PC has several NICs, so the authentication times out.

- The SAM is unreachable. Ping the SAM's IP address from the N18K.

- The VLAN of the access device is missing on the distribution device, so the EAP packets cannot be forwarded to the N18K and authentication fails.

- The 802.1x configuration must be removed from the access device; otherwise the 802.1x packets are not forwarded to the core switch.

 

Q4: What are the differences between the latest authentication solution on the simplified campus network and the previous controlled-access authentication solution?

A: The previous controlled-access authentication solution uses the access devices as NASs, so the network administrator has to configure authentication on every layer and on every access device, and the configuration, management and maintenance workload is huge. In the simplified campus network solution the NAS function is centralised on the core switch: authentication is configured, managed and maintained on the core layer only, which still achieves controlled access but makes day-to-day management and maintenance much simpler.

 

Q5: Can different Web Portals be pushed to different authentication interfaces?

A: Yes. Newton series switches support multiple authentication templates, and each template can be customised with its own Web Portal, so different web authentication templates can be applied to different authentication interfaces.

 

 

Q6: Does performance increase after a VSU is deployed? For example, is the online-user capacity doubled in a VSU? Can different products of the same series form a VSU?

A: No. The capacity does not increase; it remains that of a standalone device. A VSU can be built from different products of the same series, for example an N18010 with an N18007. What VSU provides is reliability: when one device fails, services are switched to the standby device without the users noticing, so service continues and data forwarding is restored within 50 ms.

 

Q7: Why does the console hang after a standalone system is configured in VSU mode?

A: Administrators commonly raise the console baud rate to 115200 and save the configuration. When a standalone device is switched to VSU mode it loads the VSU configuration template instead of the standalone configuration, and in a freshly configured VSU the console baud rate is 9600 by default. After the switchover and restart the CLI therefore appears to hang, because the terminal is still set to the old baud rate. Set the terminal's baud rate back to 9600 to regain access.

 

Q8: How does the system isolate and locate users after authentication?

A: The simplified campus network supports two deployment modes, access isolation and QinQ.

User isolation: In access isolation mode each access device is in its own VLAN, and protected ports are enabled so that the ports are isolated from each other. In QinQ mode the ports of an access device belong to different VLANs, which isolates them.

Locating: The locating tool is used. When a user connects to an access device, the access device sends the user's MAC address, port number, VLAN and device information to the locating tool via SNMP. After the user authenticates, the SAM server synchronises the user information to the locating tool, which can then map the user to a physical port. The tool also keeps the user's login history, so account hijacking can be identified quickly.

 

Q9: The configuration template does not configure default-router for the DHCP pool. Does this prevent clients from obtaining a gateway address?

A: No. If default-router is not configured, the device hands out the address of the interface that received the DHCP request as the gateway by default. For example, if the DHCP pool covers 10.0.0.0/24 and the VLAN 100 interface (SVI 100) is 10.0.0.1/24, the device sends 10.0.0.1 to the client as its gateway. It is still recommended to configure default-router explicitly during deployment, because it makes the configuration plan clear and easy to check.

 

Q10: As a core-layer device the Newton switch already provides the gateway and the DHCP server. Why is DHCP snooping still required?

A: DHCP snooping is a mandatory, standard part of the simplified campus network configuration, because:

- The IP authorisation modes of 802.1x authentication are Su authorisation, RADIUS authorisation, DHCP authorisation and mixed authorisation. DHCP authorisation relies on the DHCP snooping binding entries to authorise users.

- In MAB authentication the client cannot deliver the user's IP address, so the DHCP snooping binding entry is needed to supply the IP address of the client being authenticated to the RADIUS server and to generate the corresponding online entry.

 

 

Q11: How can the planned network addresses be inherited when the network is rebuilt as a simplified campus network?

A: The DHCP scheme changes as follows.

CLI changes: In addition to the original DHCP pool configuration, the following commands are added:

address-manage
 match ip default 1.1.0.0 255.255.254.0               (global default rule)
 match ip 1.1.1.1 255.255.255.255 Gi0/1 vlan 1,11-20   (interface + VLAN rule)
 match ip 1.1.1.2 255.255.255.255 Gi0/1               (routed-interface rule; temporarily not supported)

Changes in implementation:

1) In versions earlier than 11.x, addresses were allocated from the subvlan-address-range configured under the sub VLAN. That association with DHCP has been removed: these commands no longer influence address allocation and can be ignored. The original commands were:

vlan 2
 supervlan
 subvlan 21-29
vlan 24
 subvlan-address-range 20.1.1.1 20.1.1.100

2) If address-manage is not configured, addresses are allocated by the original DHCP pool process.

3) If only the default rule is configured under address-manage, all interfaces allocate from the default rule. Configuring the rule does not delete existing leases; deleting it does not delete them either, and the rule in force is applied on the client's next request.

4) If only interface + VLAN rules are configured, addresses are allocated to users connecting through the listed interfaces in the listed VLANs; users connecting in other VLANs receive no address. Existing leases are kept when the rule is added or removed, and the rule in force is applied on the next request.

5) If both the default rule and interface + VLAN rules are configured, interfaces matching an interface + VLAN rule allocate according to that rule, and interfaces in other VLANs receive no address. Existing leases are kept when the rule is added or removed, and the rule in force is applied on the next request.

Software limitation:

Assume the following configuration:

match ip 1.1.1.0 255.255.255.0 Gi0/1 vlan 2-10
match ip 2.1.1.0 255.255.255.0 Gi0/1 vlan 11-20

Assume PC1 is in VLAN 11. If PC1 is given a static IP address in 1.1.1.0/24, it cannot communicate with the network: configuring address-manage also enables a filter entry, and the interface drops packets whose source address does not match the rule for that port and VLAN. Keep this limitation in mind during deployment.
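The allocation and filter semantics above (items 3 to 5 and the software limitation) are worth checking against a planned address-manage block before it is pushed to the core. The following is an added example, not part of the Ruijie cookbook or the N18K software: a small Python model of the match ip rules that answers "which range does a client on this port and VLAN get?" and "will this host's source address be filtered?". It assumes the rule semantics exactly as the cookbook states them; a rule without a vlan keyword is treated as port-only matching (the no switchport case of Q29). Use it on your own configuration with the same match ip lines.

```python
"""Model of address-manage 'match ip' rules as described in Q11 of this page.

Added example; not Ruijie code. The semantics follow the cookbook's items 3-5:
interface+VLAN rules win, the default rule applies only when no interface+VLAN
rule exists, and once address-manage is configured a host whose source address
is outside the range selected for its port/VLAN is filtered.
"""
import ipaddress
import re

# The configuration from the cookbook's software-limitation example.
AM_CONFIG = """\
address-manage
 match ip 1.1.1.0 255.255.255.0  Gi0/1 vlan 2-10
 match ip 2.1.1.0 255.255.255.0  Gi0/1 vlan 11-20
"""


def parse_vlan_ranges(spec):
    """'1,11-20' -> {1, 11, 12, ..., 20}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        vlans.update(range(lo, hi + 1))
    return vlans


def parse_address_manage(config):
    """Parse 'match ip ...' lines.

    Returns (default_net, rules) where rules is a list of
    (network, interface, vlan_set_or_None) in configuration order.
    """
    default = None
    rules = []
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"match ip default (\S+)\s+(\S+)$", line)
        if m:
            default = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            continue
        m = re.match(r"match ip (\S+)\s+(\S+)\s+(\S+)(?:\s+vlan\s+(\S+))?$", line)
        if m:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            vlans = parse_vlan_ranges(m.group(4)) if m.group(4) else None
            rules.append((net, m.group(3), vlans))
    return default, rules


def allocation_range(default, rules, iface, vlan):
    """Network a client on (iface, vlan) is allocated from, or None.

    A rule with vlans=None is a port-only rule and matches any VLAN on that
    port (no switchport scenario, Q29).
    """
    for net, r_iface, vlans in rules:
        if r_iface == iface and (vlans is None or vlan in vlans):
            return net
    if rules:
        # Items 4 and 5: once interface+VLAN rules exist, other VLANs get nothing,
        # even when a default rule is also present.
        return None
    return default  # item 3: only the default rule is configured


def source_permitted(default, rules, iface, vlan, ip):
    """Filter semantics of the software limitation.

    With no address-manage at all there is no filter. Otherwise the host's
    source address must lie inside the range selected for its port/VLAN.
    """
    if default is None and not rules:
        return True
    net = allocation_range(default, rules, iface, vlan)
    return net is not None and ipaddress.ip_address(ip) in net


if __name__ == "__main__":
    default, rules = parse_address_manage(AM_CONFIG)
    # PC1 in VLAN 11 with a static 1.1.1.0/24 address: filtered.
    print(source_permitted(default, rules, "Gi0/1", 11, "1.1.1.5"))
    # Same PC with an address from the VLAN 11-20 range: permitted.
    print(source_permitted(default, rules, "Gi0/1", 11, "2.1.1.5"))
```

Run it against the full planned address-manage block and the list of hosts that keep static addresses (printers, cameras, all-in-one card readers): any host for which source_permitted() returns False will lose connectivity the moment the rules are applied.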

 

 

Q12: How can the faulty location be found quickly when a terminal behaves abnormally?

A: The SAM server logs record the NAS IP, port and VLAN ID of the user. With the VLAN planning list, you can map these to the IP address and port number of the corresponding access device.

 

 

Q13: How is the device software upgraded? Has the upgrade method changed?

A: The upgrade method is unchanged: a USB flash drive or TFTP is used. The upgrade commands differ slightly.

1) Upgrade from a USB flash drive

Copy the software image file to the USB flash drive and insert the drive into the USB port of the device's management board.

Run the following commands to upgrade:

upgrade usb0:/xxxxx        (file name of the line-card image)
show upgrade status        (check the upgrade status)
upgrade usb0:/xxxxx        (file name of the management-board image)
show upgrade status

After the upgrade succeeds, save the configuration and restart the device.

2) Upgrade using TFTP

Configure an IP address on the MGMT interface so that it can reach the network, and make sure the TFTP server and the MGMT interface can reach each other.

Enter the system shell and change to the temporary directory:

N18K#run-system-shell
#cd /tmp/vsd/0***          (this directory corresponds to the system's tmp directory; find it with N18K#dir tmp)
tftp -g 200.1.1.1 -m -r lc.bin   (the file name must not contain brackets)

Compare the size of the transferred file with the original before installing it; a truncated transfer must not be installed. Exit the shell and run the upgrade commands:

Ruijie#upgrade flash:lc.bin force    (upgrade the line-card image)
Ruijie#upgrade flash:cm.bin force    (upgrade the management-board image)

After the upgrade succeeds, save the configuration and restart the device.

Remark: The previous version is kept as an archive on the device after the upgrade (see Q15 for rollback).

 

 

Q14: Is there a simpler way to allocate VLANs? Allocating access VLANs by hand is a heavy workload.

A: When an existing campus network is upgraded to the simplified network, the VLANs of the access devices must be re-allocated. The simplified campus network deployment tool can be used to reduce the workload on the network centre.

Usage of the auto VLAN configuration tool

1) Batch configuration delivery: The VLAN configuration is imported from a pre-configured VLAN template and the configuration commands are delivered to the devices in batch.

2) Configuration backup: The tool backs up each device's configuration over Telnet to a file named config.bak plus the current date. (Telnet carries credentials in cleartext, so run the tool from the management network only.)

3) Display of execution results: The tool shows the execution result of each command together with the number of successful and failed records; failed records can be exported to Excel for correction.

Features and advantages of the flattened solution:

1) Previously, device configuration was done by hand, which is time consuming. The deployment tool greatly reduces the workload and includes configuration backup and restore.

2) After the original network is upgraded to the simplified network, the administrator can import the original configuration commands into the access switches.

3) The solution is flexible enough for the VLAN allocation of a campus network.

4) If an error occurs, the configuration can be rolled back following the tool's prompts.

 

 

Q15: How is an abnormal upgraded version handled?

A: A version rollback function is provided. Note that a patch is part of the system version, so rolling back the system version also rolls back the patch file. The command is:

upgrade rollback slot all

 

 

Q16: How is a patch installed on the device?

A: Taking the OSPF hot patch as an example:

Ruijie#copy usb0:xxx tmp:                          Copy the patch file from the USB flash drive to the tmp directory.
Ruijie#run-system-shell                            Enter the system shell.
~# cd /sbin                                        Change to the sbin directory.
/sbin# ls -la | grep ospf.elf                      Check the current OSPF binary.
/sbin# mv /sbin/ospf.elf /sbin/ospf.elf.bak        Back up the current OSPF binary.
/sbin# mv /tmp/vsd/0/ospf.elf.new /sbin/ospf.elf   Put the new OSPF binary in place (use the name of the file copied in the first step).
/sbin# chmod 777 ospf.elf                          Make it executable (755 is enough when the file is owned by the account that runs the process).
/sbin# sync                                        Flush the file to storage.
/sbin# ls -la | grep ospf.elf                      Check the new binary.
/sbin# pgrep ospf.elf                              Check the running OSPF process.
/sbin# pkill -9 ospf.elf                           Kill the OSPF process; the HA script restarts it from the new binary.

Expect OSPF neighbours to be re-established after the restart, so do this in a maintenance window. After the OSPF process is restarted, the system prints:

*Mar  5 18:42:39: %HA-5-HA_SCRIPT_RESTART: Process: /sbin/ospf.elf Pid: 3743 receives error_signal[9] and quits, Process: /sbin/ospf.elf is restarting ...
*Mar  5 18:42:39: %HA-5-HA_SCRIPT_RESTART: Process: /sbin/ospf.elf restarts 2 times newpid is 3864 and restarts successfully

 

 

Q17: How do different sub VLANs in the same super VLAN communicate with each other?

A: Super VLAN is also known as VLAN aggregation, an IP address optimisation technique: the addresses of one network segment are allocated to several sub VLANs that belong to the same super VLAN. Each sub VLAN is an independent broadcast domain and the sub VLANs are isolated at layer 2. When users in the sub VLANs need layer 3 communication, the IP address of the super VLAN's virtual interface serves as their gateway, so multiple VLANs share one IP segment and addresses are saved. ARP proxy on the super VLAN interface enables layer 3 communication between sub VLANs and between a sub VLAN and other networks: the proxy forwards and answers ARP requests and responses so that ports isolated at layer 2 can reach each other at layer 3. ARP proxy is enabled by default on the super VLAN and its sub VLANs.

 

 

Q18: Why does a user who has passed 802.1x authentication lose network access after manually changing the IP address?

A: After the user passes 802.1x authentication, the device creates a static ARP entry, for example 1.1.1.10 with mac1. If the user changes the IP address manually, for example to 1.1.1.11, the address in the static ARP entry no longer matches the address the user is using and packets cannot be forwarded. The change does not trigger re-authentication, so the user cannot access the network.

 

 

Q19: Can the existing route configuration of the old network be inherited during the rebuild?

A: The OSPF configuration of the old network must be revised. OSPF is usually enabled with network x.x.x.x area x, which sends OSPF hello packets out of every interface covered by the network statement. If the old configuration is inherited unchanged, the super VLAN interfaces on the N18K, which are the gateways of every user segment, would send hellos into all sub VLANs. So if routes are advertised with network statements, set every super VLAN SVI (gateway) to passive with passive-interface xxx: the segment is still advertised, but the layer 2 network is not flooded with hello packets. The alternative deployment is not to advertise the user segments with network statements at all but to inject them by redistribution: configure redistribute connected subnets under the OSPF process, so the device sends no hellos into the sub VLANs and only advertises routes to its directly connected layer 3 physical ports.

 

 

Q20: Why does the SA prompt "You are not in the permitted range. Please confirm your rights" during 802.1x authentication?

A: Choose Start > Run, enter cmd, then run ipconfig /release and ipconfig /renew so that the client obtains a new IP address; the 802.1x authentication can then proceed. The cause is that after the network rebuild an address in a new network segment is assigned, but the client has not noticed the change and still authenticates with the old dynamically acquired IP address, which fails. Forcing the client to acquire an address in the new segment resolves it.

 

 

Q21: Does an active/standby switchover of hot-backup management boards affect authenticated sessions? Can users who have not yet authenticated get online during the switchover?

A: The VSU hot-backup switchover currently has the following limitations:

1) With dual management boards, an active/standby switchover takes 3 to 4 minutes from the start of the switchover to the CLI of the new management board appearing. 802.1x authentication is not possible within one minute of the hot-backup switchover; existing online users' traffic is not interrupted. The reason is that the modules 802.1x depends on have to be initialised during the switchover and the underlying channels are not ready immediately. This will be addressed in later releases.

2) With dual management boards, a user who passes 802.1x authentication within two minutes after the switchover cannot reach the network during those two minutes. This is a restriction of the SS framework: for a short period after the switchover (tens of seconds to two minutes, depending on the configuration) interaction between the PI and SS on the control plane is blocked, so newly authenticated users cannot access the network within about two minutes after the switchover. Existing sessions are not affected. This will be addressed in later releases.

 

 

Q22: How does the system handle user migration (station move)?

A: Station move disabled:

- 802.1x authentication: the user re-authenticates.
- Web authentication: the user re-authenticates.

Station move enabled:

- 802.1x authentication: if the IP address is the same before and after the move, network access continues without re-authentication; if the address changes, the user is authenticated again.
- Web authentication: by default the authentication page pops up again and re-authentication is required. With web-auth station-move auto enabled, if the IP address is the same before and after the move (the addresses are in the same super VLAN), access continues without re-authentication; if the address changes, the user is authenticated again.

Application scenario:

- User migration is mainly for wireless terminals: roaming without repeated authentication improves the user experience.

Precautions:

- The IP addresses before and after the move must be in the same super VLAN.
- The AM-rule-based IP allocation policy must be the same before and after the move, so that the IP address does not change; otherwise the migration fails.

 

 

Q23: How is ARP spoofing prevented on the simplified campus network?

A: Users are isolated at layer 2, so they cannot spoof ARP (or DHCP) to one another:

- Access isolation: protected ports are enabled on all access devices to prevent layer 2 communication between users.
- QinQ isolation: the inner and outer VLAN IDs separate the users' broadcast domains to prevent layer 2 communication.

A static ARP entry is bound automatically to each authenticated user on the N18K:

- When a user authenticates, the N18K binds a static ARP entry for that user. If the user's IP address changes after authentication, communication fails.

 

Q24: How is exhaustion of the DHCP pool handled?

A: DHCP DoS attack:

- A terminal (or a loop at the terminal) sends a large number of DHCP requests to the N18000, exhausting the addresses in the DHCP server's pool.
- Currently, pool usage can be monitored by reading the MIB with network management software.
- In later versions that support NFPP, attackers can be isolated by VLAN ID to stop the DoS attack.

 

Q25: How is a straight-through (pass-through) VLAN configured?

Which VLAN should be configured as pass-through, the super VLAN or the sub VLAN?

- The pass-through VLAN ID is configured on the sub VLAN.

What is a typical use of a straight-through VLAN?

- CAPWAP tunnel VLANs, wireless 802.1x VLANs, management VLANs, and special service VLANs such as video surveillance or an all-in-one card system.

What are the precautions for straight-through VLAN configuration?

- In access isolation, the number of straight-through VLANs cannot exceed 200.
- In QinQ isolation, the number of straight-through VLANs used for non-user services cannot exceed 200, and the PE-VLAN of user services must not be configured as a straight-through VLAN.

 

Q26: Is the CE-VLAN ID mandatory in QinQ isolation mode?

A: The N18K terminates the QinQ double tag as follows:

- A class-id identifies the CE-VLAN and a traditional VLAN identifies the PE-VLAN.
- A packet from a terminal arrives at the N18K with two tags. In the host route the N18K installs internally, the tag also has two layers: the outer tag is the VLAN tag of the layer 3 interface (PE-VLAN) and the inner tag is the private VLAN tag (CE-VLAN).

Is the CE-VLAN ID mandatory?

- Only the CE-VLAN ID that QinQ terminates needs to be configured; by default the system treats the CE-VLAN mapping for the class-id as complete.

 

Q27: What does the radius-server attribute nas-port-id format qinq command do?

A: The command has the following effects:

- Once configured, the authentication and accounting packets exchanged between the N18K and the SAM server carry both VLAN IDs.
- The SAM server looks up the two VLAN IDs to display the star topology and locate the user's port.

The command must be disabled in the following situation:

- The SAM version is earlier than V3.98, which does not support QinQ. The command must not be enabled on the N18K, because the SAM server may not recognise authentication packets carrying two tags and authentication fails. The following command should be used:

 

Q28: Why must the MTU be changed in the QinQ isolation scenario?

A: In the QinQ scenario the distribution device adds a second tag to each packet, which adds 4 bytes on top of the default 1518-byte Ethernet frame. For a uniform setting with some headroom, the MTU is changed to 1530 throughout.

Which devices and interfaces need the change?

- The core-facing interfaces of the upstream aggregation devices and the aggregation-facing interfaces of the core should be set to 1530.

 

Q29: DHCP address management (AM) rules

Functions of AM rules:

- AM rules allocate network segments based on VLAN and port.
- A DHCP pool can hold only one address range, which is not fine-grained enough, especially in the super VLAN deployment of the simplified network.
- Compared with DHCP pools, AM rules are simpler to configure and achieve more with fewer commands.

Are AM rules mandatory for a DHCP pool?

- No, but configuring AM rules for the DHCP pool is recommended.

Can some DHCP pools use AM rules while others use the traditional mode?

- Not in earlier versions: once an AM rule is configured for one pool, every DHCP pool on the network must have an AM rule, otherwise addresses cannot be obtained. This is a defect of the solution.
- This is fixed in version 11.0(1)B2 Build(10), released in early October, in which AM rules and traditional pools can coexist, so AM rule configuration is no longer all-or-nothing.

How is the VLAN configured for AM rules in a DHCP relay or no switchport scenario?

- The VLAN in the AM rule is the user's service sub VLAN.
- In the no switchport scenario VLAN matching is unavailable; only port matching is available.

 

Q30: How are IPv4 and IPv6 address conflicts avoided in the isolation scenario?

A:

- IPv4 hosts detect address conflicts with gratuitous ARP broadcasts and IPv6 hosts with the DAD (duplicate address detection) mechanism.
- The N18000 uses ARP and ND proxy to resolve conflicts: when the address in an ARP request sent by a terminal conflicts with a static ARP or ND entry generated by authentication on the N18000, the N18000 sends gratuitous ARP and ND packets on behalf of the terminal whose address is being claimed, so the newcomer detects the conflict.
- In gateway mode this mechanism is enabled by default; no extra command is needed.

 

Q31: How is a successfully authenticated user prevented from changing the IP address?

A: If an authenticated user changes the IP address:

- In 802.1x mode, the client automatically triggers re-authentication.
- In web authentication mode, the user can no longer obtain ARP information from the gateway and is disconnected. The administrator has to configure a static ARP entry on the gateway matching the user's new IP address and MAC address.

 

Q32: How does ARP proxy behave once authentication is enabled on the N18K?

A: In the web authentication scenario on the N18K:

- The N18K sends ARP requests to users only in authentication-exempt VLANs.
- After a user authenticates successfully, a static ARP entry is generated.
- In VLANs that require authentication, the N18K creates an ARP entry for an authentication-exempt user only when that user actively sends an ARP request.

Planning precaution:

- Authentication-exempt terminals should all be planned into the authentication-exempt VLAN.

 

 

 

Q33: Both http redirect direct-site 1.1.1.1 and web-auth direct-host 1.1.1.1 configure authentication-free access for an IP address. What is the difference?

A: direct-site lets packets destined for the specified IP address pass. For example, if it is configured for a SAM server, users can reach the SAM server's IP address without authenticating.

direct-host lets packets from the specified source IP address pass. For example, if it is configured for a printer, the printer itself can send traffic without authenticating; users reaching the printer still have to be authenticated, but the printer does not. If instead a device must be reachable by unauthenticated users, configure direct-site for that device's IP address.

 

Q34: How can I import an electronic certificate to the N18000K?

A: Steps given by R&D to import a certificate to the N18K.

Plan: replace the expired certificate on the N18K to test whether the HTTPS redirection can be improved or ignored.

Copy the generated certificate and key (SCN-N18K.crt and SCN-N18K.key) to a USB key and plug it into the N18K CM. The certificate must be in ASCII (Base64) format; such a file can usually be opened with Notepad and starts with a "-----BEGIN …" line.

#run-system-shell
#cd /tmp/vsd/0/security/webauth/
#cp /mnt/usb/0/SCN-N18K.crt httprdsrv.pem
#chmod 777 httprdsrv.pem
#cp /mnt/usb/0/SCN-N18K.key httprdkey.pem
#chmod 777 httprdkey.pem
#sync
#pkill -9 wbamain
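The format and expiry requirements above can be checked on the workstation before the files go onto the USB key. The following is an added example (not Ruijie code): it confirms that each file carries PEM armor whose body decodes to DER and reads the certificate's notAfter with a minimal DER walker; the sample certificate and key bodies are constructed, not real material.

```python
# Pre-import check for the Q34 cert/key pair (added example, not Ruijie code): each file carries PEM
# armor (the N18K needs Base64 text, not binary DER), the body decodes to DER, the cert is not expired.
import base64, re
from datetime import datetime, timezone
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def der_tlv(buf, pos):                      # one DER tag-length-value at pos -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_not_after(der):
    """notAfter of a DER X.509 certificate as an aware UTC datetime."""
    _, p, _ = der_tlv(der, 0)               # Certificate SEQUENCE
    _, p, _ = der_tlv(der, p)               # tbsCertificate SEQUENCE
    if der[p] == 0xA0:                      # optional [0] EXPLICIT version
        p = der_tlv(der, p)[2]
    for _ in range(3):                      # serialNumber, signature, issuer
        _, _, p = der_tlv(der, p)
    _, p, _ = der_tlv(der, p)               # validity SEQUENCE
    _, _, p = der_tlv(der, p)               # notBefore (skipped)
    tag, s, e = der_tlv(der, p)             # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(der[s:e].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def pem_blocks(text):                       # [(label, der)] per PEM block; ValueError if not Base64 of a DER SEQUENCE
    out = []
    for m in PEM_RE.finditer(text):
        der = base64.b64decode("".join(m.group(2).split()), validate=True)
        if not der or der[0] != 0x30:
            raise ValueError("%s block is not a DER SEQUENCE" % m.group(1))
        out.append((m.group(1), der))
    return out

def check_pair(cert_text, key_text, today):
    """Problems with a cert/key pair as of today ('YYYY-MM-DD'); an empty list means importable."""
    now = datetime.fromisoformat(today).replace(tzinfo=timezone.utc)
    certs = [d for lbl, d in pem_blocks(cert_text) if lbl == "CERTIFICATE"]
    problems = [] if certs else ["no PEM CERTIFICATE block (binary DER is not accepted)"]
    if certs and cert_not_after(certs[0]) <= now:
        problems.append("certificate expired on %s" % cert_not_after(certs[0]).date())
    if not any(lbl.endswith("PRIVATE KEY") for lbl, _ in pem_blocks(key_text)):
        problems.append("no PEM PRIVATE KEY block")
    return problems
# Constructed sample: minimal fake cert (v3 tag, serial, empty alg/issuer, valid 2025-01-01..2026-01-01 UTC) + fake key body.
_TBS = (b"\xa0\x03\x02\x01\x02" + b"\x02\x01\x01" + b"\x30\x00" + b"\x30\x00" + b"\x30\x1e"
        + b"\x17\x0d250101000000Z" + b"\x17\x0d260101000000Z")
SAMPLE_DER = b"\x30" + bytes([len(_TBS) + 2]) + b"\x30" + bytes([len(_TBS)]) + _TBS
SAMPLE_CERT_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(SAMPLE_DER).decode()
SAMPLE_KEY_PEM = "-----BEGIN PRIVATE KEY-----\nMAA=\n-----END PRIVATE KEY-----\n"
```

Run check_pair on the real SCN-N18K.crt and SCN-N18K.key contents with today's date; a non-empty list means the N18K would end up with an unusable httprdsrv.pem or httprdkey.pem.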

 

 

Q35: How can I complete escape settings on simplified RADIUS?

A: To bypass RADIUS authentication when the SAM (RADIUS) service is down or unavailable, configure the following commands (based on a test in the XLAB UM):

aaa authentication dot1x default group radius none
aaa authentication web-auth default group radius none

radius-server timeout 1
radius-server deadtime 1
radius-server retransmit 1

In the event of RADIUS escape, all users can access the Internet without proper authentication having been done. In web authentication this means that any user ID (known or unknown) is authenticated successfully. If dot1x authentication is enabled on the interface, new online users are authenticated via dot1x.

To view the full list of connected users when RADIUS (SAM) is not available, check with the following two commands:

show web-auth user all --> web authentication users
show dot1x summary --> dot1x authentication users

 

 

Q36: What are the precautions for configuring the simplified solution on the N18000K?

A: The CPP rate limit needs to be configured after HTTPS is enabled.

1. On the N18000K of the latest version, HTTPS performance is optimized: the CPU resource utilization of HTTPS and HTTP is separated so that HTTPS and HTTP do not affect each other. You can enable HTTPS redirection as required. The CPP rate limit must be configured for HTTPS.

Ruijie(config)#http redirect port 443
Ruijie(config)#cpu-protect type web-auths bandwidth 2000

2. After DHCP snooping is enabled, check-giaddr needs to be configured to solve the problem that a device fails to obtain an IP address when both DHCP snooping and DHCP relay are configured on the device.

ip dhcp snooping
ip dhcp snooping check-giaddr

3. After RADIUS escape is configured, the default parameter values need to be adjusted to prevent misjudgment and jitter caused by high detection sensitivity.

radius-server host (radius ip) test username (user-name) idle-time 2 key (radius key)
radius-server dead-criteria time 120 tries 12

4. After RADIUS escape is configured, the relevant configuration needs to be applied to ports. Check whether the configuration is complete.

dot1x critical
dot1x critical recovery action reinitialize

5. Migration of authenticated users (station move) is now configured differently: ARP detection needs to be enabled on the N18000K and ARP proxy needs to be disabled on the AC.

N18K(config)#web-auth station-move arp-detect
N18K(config)#dot1x station-move arp-detect
AC(config)#no proxy_arp enable
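The following added example (not Ruijie code, and a simplified model rather than the N18K implementation) illustrates what the escape in Q35 does and why item 3 above matters: with a method list of `group radius none`, a timed-out or dead RADIUS server makes the `none` method accept any user ID, and the dead-criteria tries/time values decide how quickly lost packets turn into a "dead" verdict. The user database and timestamps are constructed.

```python
# Model of RADIUS escape on an AAA method list such as `... default group radius none`, with the
# `radius-server dead-criteria time T tries N` and `radius-server deadtime D` knobs from Q35/Q36.
# Added example, not Ruijie code: a simplified reading of those commands; values are illustrative.
from typing import Dict, List, Optional

class RadiusServer:
    """Simulated SAM/RADIUS server as seen from the N18K's AAA client."""
    def __init__(self, users: Dict[str, str], dead_time=120, dead_tries=12, deadtime_min=1):
        self.users, self.reachable = users, True          # constructed user database; outage toggled by caller
        self.dead_time, self.dead_tries = dead_time, dead_tries   # dead-criteria time (s) and tries
        self.deadtime = deadtime_min * 60                 # how long a dead server is skipped (s)
        self.timeouts: List[float] = []                   # timestamps of unanswered requests
        self.dead_since: Optional[float] = None

    def is_dead(self, now: float) -> bool:
        """True while marked dead; once deadtime has passed the server is revived and probed again."""
        if self.dead_since is not None and now - self.dead_since >= self.deadtime:
            self.dead_since, self.timeouts = None, []
        return self.dead_since is not None

    def request(self, user: str, password: str, now: float) -> Optional[bool]:
        """Access-Accept (True) / Access-Reject (False), or None when the request times out."""
        if self.reachable:
            self.timeouts = []
            return self.users.get(user) == password
        self.timeouts = [t for t in self.timeouts if now - t <= self.dead_time] + [now]
        if len(self.timeouts) >= self.dead_tries:         # N timeouts inside T seconds -> mark dead
            self.dead_since = now
        return None

def authenticate(methods: List[str], server: RadiusServer, user: str, password: str, now: float):
    """Walk the method list in order; returns (accepted, method_that_decided)."""
    for method in methods:
        if method == "radius":
            if server.is_dead(now):
                continue                                  # dead server: skip straight to the next method
            verdict = server.request(user, password, now)
            if verdict is None:
                continue                                  # timed out: fall through as well
            return verdict, "radius"
        if method == "none":
            return True, "none"                           # escape: any user ID, known or unknown, is accepted
    return False, "no-method"                             # list exhausted without a decision: fail closed
```

The contrast worth keeping in mind is the last line: the same outage with a method list of only `group radius` rejects every new user instead of admitting everyone.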

 
