dot1x

To set the Port-based Network Access Control (PNAC) information or configure the dot1x parameters for a specified port, use the command dot1x in Interface Configuration Mode. The no form of the command resets the parameters to their default values, which leaves the port without authentication (the default port-control is force-authorized), and disables periodic re-authentication from authenticator to client.

dot1x

dot1x { {access-control } { {active } { | inactive} }
{ | auth-mode } { {port-based } { | mac-based} }
{ | control-direction } { {in } { | both} }
{ | default }
{ | disable }
{ | enable }
{ | host-mode } { {multi-host } { | single-host} }
{ | max-req } { <count(1-10)> }
{ | max-start } { <count (1-65535)> }
{ | port-control } { {auto } { | force-authorized } { | force-unauthorized} }
{ | reauth-max } { <count(1-10)> }
{ | reauthentication }
{ | timeout } { {auth-period } { | held-period } { | quiet-period } { | reauth-period } { | server-timeout } { | start-period } { | supp-timeout } { | tx-period} } { <value (1-65535)> }

no dot1x

no dot1x { {access-control } { | auth-mode } { | control-direction } { | max-req } { | max-start } { | port-control } { | reauth-max } { | reauthentication } { | timeout } }

Parameters

Parameter Type Description
access-control   Enter to configure the supplicant access control. This setting is for the application of the Supplicant authorization state when the port is operating as both Supplicant and Authenticator.
active   Enter to configure the port to apply both the Supplicant authorization state and the Authenticator authorization state.
inactive   Enter to configure the port to use only the Authenticator authorization state to restrict access to the port, ignoring the Supplicant authorization state. This is the default option.
auth-mode   Enter to configure the authentication mode of the port as either port-based (also known as multi-host) or mac-based (also known as single-host). In port-based mode the port as a whole is authorized or unauthorized; in MAC-based mode only frames from authenticated (secure) MAC addresses pass through the port, and frames from all other MAC addresses are dropped.
port-based   Enter to configure the port's authentication mode as port-based. Once a host authenticates to use the restricted resource, the port state changes to authorized and all traffic flows through the port without any access restriction until an event causes the port state to become unauthorized again. This is the default option.
mac-based   Enter to configure the port's authentication mode as MAC-based. When the CFA module passes a tagged or untagged data or control frame to the authenticator, the authenticator checks whether the source MAC address is present in the Authenticator Session Table and whether it is authorized:
  • If it is present in the table and authorized, the result is returned to CFA, which forwards the frame to the appropriate destination module.
  • If it is present in the table but not authorized, CFA is notified and the frame is dropped at the CFA module.
  • If it is not present in the table, the authenticator starts a new authentication session for that source MAC address and returns the unauthorized status to CFA, which drops the frame.
control-direction   Enter to configure the port control direction, that is, whether the switch port authenticates only incoming packets or both incoming and outgoing packets. Select either in or both.
in   Enter to configure the port to authenticate only the incoming packets.
both   Enter to configure the port to authenticate both incoming and outgoing packets. This is the default option.
default   Enter to reset all dot1x parameters on this port to their default values; the previous dot1x configuration of the port is discarded. Default values are not displayed in the configuration but are the basic settings for a port.
disable   Enter to disable dot1x on the specified port.
enable   Enter to enable dot1x on the specified port.
host-mode   Enter to configure the authentication mode of the port as either multi-host (also known as port-based) or single-host (also known as mac-based).
In multi-host mode the port as a whole is authorized once a host authenticates; in single-host mode only frames from authenticated (secure) MAC addresses pass through the port, and frames from all other MAC addresses are dropped.
Note:

This command is the standardized form of the existing command dot1x auth-mode and operates in the same way.

multi-host   Enter to configure the port in multi-host authentication mode and perform port-based authentication. With this option, more than one host can be connected to the port, for example through an Ethernet hub attached to the port; once one host authenticates, the port is authorized for all of them. This is the default option.
single-host   Enter to configure the port in single-host authentication mode and perform MAC-based authentication. With this option, only one host can be connected to the port.
Note:

To configure the authentication mode of a port as single-host, the port control of the port must be set to auto.

max-req   Enter to set the maximum number of times the authenticator retransmits an EAP (Extensible Authentication Protocol) request to the client before restarting the authentication process.
<count (1-10)> Integer Enter a value for the maximum number of EAP request retries to the client. The count value ranges between 1 and 10. The default is 2.
max-start   Enter to set the maximum number of EAPOL-Start retries that the port, acting as supplicant, sends to the authenticator without receiving a response.
<count (1-65535)> Integer Enter a value for the maximum number of EAPOL-Start retries to the authenticator. The count value ranges between 1 and 65535. The default is 3.
port-control   Enter to configure the authenticator port control parameter. dot1x uses port-based authentication to increase the security of the network, and the different port-control modes offer different access levels. The 802.1x protocol is supported on both Layer 2 static-access ports and Layer 3 routed ports.
auto   Enter to enable the 802.1x authentication process on this port. The port begins in the unauthorized state, allowing only EAPOL frames to be sent and received through the port. The authentication process begins when the link state of the port transitions from down to up or when an EAPOL-Start frame is received. The switch requests the identity of the client and relays authentication messages between the client and the authentication server. The switch uniquely identifies each client attempting to access the network by the client's MAC address.
force-authorized   Enter to allow all traffic through this port. This disables 802.1x authentication and moves the port to the authorized state without requiring an authentication exchange; the port transmits and receives normal traffic without 802.1x-based authentication of the client. This is the default option, so a port on which dot1x is enabled but port-control is left unset does not authenticate anyone.
force-unauthorized   Enter to block all traffic through this port. The port remains in the unauthorized state and ignores all attempts by the client to authenticate; the switch cannot provide authentication services to the client through this interface.
reauth-max   Enter to configure the maximum number of re-authentication attempts (EAP retries to the client) made before the port is set to unauthorized. Tune this value so that a port whose supplicant has gone away is made unauthorized once re-authentication reaches the maximum retry count: the lower the value, the sooner the port becomes unauthorized.
<count (1-10)> Integer Enter a value for the maximum number of re-authentication retries to the client. The count value ranges between 1 and 10. The default is 2.
reauthentication   Enter to enable periodic re-authentication from authenticator to client. Periodic re-authentication verifies that the same supplicant is still the one accessing the protected resources. The interval between re-authentication attempts is configured with the timeout reauth-period option.
Note:

This command takes effect only if the authenticator port control parameter is auto.

timeout   Enter to set one of the dot1x timers, in seconds. The timer module manages these timers: it starts and stops them and invokes the handler for each timer that expires.
Note:

Only one timer can be set per invocation of this command; for example, quiet-period and tx-period must be configured with two separate commands.

auth-period   Enter to configure the number of seconds that the supplicant waits for a response from the authenticator before timing out. The default is 30 seconds.
held-period   Enter to configure the number of seconds that the supplicant waits after a failed authentication before trying again to acquire the authenticator. The default is 60 seconds.
quiet-period   Enter to configure the quiet period: the number of seconds that the switch remains in the quiet state following a failed authentication exchange with the client, during which it does not attempt to authenticate the client. The default is 60 seconds.
reauth-period   Enter to configure the reauth-period: the number of seconds between periodic re-authentication attempts. The default is 3600 seconds.
server-timeout   Enter to configure the number of seconds that the switch waits for a response from the authentication server before retransmitting a packet to it. The default is 30 seconds.
start-period   Enter to configure the number of seconds that the supplicant waits between successive EAPOL-Start retries to the authenticator. The default is 30 seconds.
supp-timeout   Enter to configure the number of seconds that the switch waits for the client to respond to an EAP request before retransmitting it. The default is 30 seconds.
tx-period   Enter to configure the number of seconds that the switch waits for a response to an EAP-Request/Identity frame from the client before retransmitting the request. The default is 30 seconds.
<value (1-65535)> Integer Enter the timer value in seconds. The value ranges between 1 and 65535.

Mode

Interface Configuration Mode

Examples

iS5Comm(config-if)# dot1x access-control active

iS5Comm(config-if)# dot1x auth-mode mac-based

iS5Comm(config-if)# dot1x control-direction in

iS5Comm(config-if)# dot1x default

Setting the Default Configuration for Dot1x on this interface

iS5Comm(config-if)# dot1x disable

iS5Comm(config-if)# dot1x enable

iS5Comm(config-if)# dot1x host-mode single-host

iS5Comm(config-if)# dot1x max-req 5

iS5Comm(config-if)# dot1x max-start 2

iS5Comm(config-if)# dot1x port-control auto

iS5Comm(config-if)# dot1x reauth-max 5

iS5Comm(config-if)# dot1x reauthentication

iS5Comm(config-if)# dot1x timeout quiet-period 30
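Putting the parameters above together, the following audit script is an added example (not part of this reference and not iS5Comm code) that parses a constructed running-config excerpt written with the commands on this page, applies the documented per-port defaults, and flags the weak combinations a reviewer looks for: dot1x enabled but port-control left at the default force-authorized, multi-host mode on an authenticating port, re-authentication disabled, control-direction in, and a quiet-period shorter than the default. The interface names (gigabitethernet 0/N) and the one-command-per-line layout under each interface block are assumptions.

```python
"""Audit an iS5Comm-style running-config for weak dot1x (802.1X) port settings.
Added example, not part of the original reference page; the config excerpt is
constructed for illustration and the interface names are assumptions."""

# Per-port defaults documented on this page ('dot1x default' / 'no dot1x' restore them).
DEFAULTS = {
    "port-control": "force-authorized",
    "host-mode": "multi-host",
    "control-direction": "both",
    "reauthentication": False,
    "reauth-period": 3600,
    "quiet-period": 60,
}
# 'auth-mode' is the older spelling of 'host-mode'; the values are synonyms.
AUTH_MODE_TO_HOST_MODE = {"port-based": "multi-host", "mac-based": "single-host"}


def parse_config(text):
    """Return {interface name: settings dict} from the 'interface ...' blocks."""
    ports, port = {}, None
    for raw in text.splitlines():
        tok = raw.split()
        if tok[:1] == ["interface"] and len(tok) > 1:
            port = ports[" ".join(tok[1:])] = {"enabled": False, **DEFAULTS}
            continue
        if port is None or len(tok) < 2:
            continue
        if tok[:2] == ["no", "dot1x"]:
            if len(tok) == 2:                   # 'no dot1x': every parameter back to default
                port.update(DEFAULTS)
            else:                               # 'no dot1x <param>': that parameter only
                key = "host-mode" if tok[2] == "auth-mode" else tok[2]
                if key in DEFAULTS:
                    port[key] = DEFAULTS[key]
            continue
        if tok[0] != "dot1x":
            continue
        key, args = tok[1], tok[2:]
        if key in ("enable", "disable"):
            port["enabled"] = key == "enable"
        elif key == "default":
            port.update(DEFAULTS)
        elif key == "reauthentication":
            port[key] = True
        elif key == "auth-mode" and args:
            port["host-mode"] = AUTH_MODE_TO_HOST_MODE.get(args[0], args[0])
        elif key == "timeout" and len(args) == 2 and args[1].isdigit():
            port[args[0]] = int(args[1])        # e.g. 'dot1x timeout quiet-period 30'
        elif args:
            port[key] = args[0]                 # port-control, host-mode, control-direction
    return ports


def audit(ports):
    """Return [(interface, severity, message)] for weak or ineffective settings."""
    findings = []
    for name, p in ports.items():
        out = []
        if not p["enabled"]:
            out.append(("info", "dot1x not enabled on this port; no access control"))
        elif p["port-control"] == "force-authorized":
            out.append(("critical", "port-control force-authorized (the default): all traffic passes unauthenticated"))
        elif p["port-control"] == "force-unauthorized":
            out.append(("info", "port-control is force-unauthorized: all traffic blocked"))
        else:  # auto: the only mode that actually runs an authentication exchange
            if p["host-mode"] == "multi-host":
                out.append(("high", "multi-host (port-based): one authenticated supplicant opens the port for every MAC behind it"))
            if not p["reauthentication"]:
                out.append(("medium", "re-authentication disabled: port stays authorized until link down, even if the device is swapped"))
            if p["control-direction"] == "in":
                out.append(("low", "control-direction in: only incoming packets authenticated"))
            if p["quiet-period"] < DEFAULTS["quiet-period"]:
                out.append(("low", f"quiet-period {p['quiet-period']}s below the 60s default: "
                                   "a failed supplicant may retry sooner"))
        findings.extend((name, sev, msg) for sev, msg in out)
    return findings


SAMPLE_CONFIG = """\
interface gigabitethernet 0/1
 dot1x enable
interface gigabitethernet 0/2
 dot1x enable
 dot1x port-control auto
 dot1x control-direction in
 dot1x timeout quiet-period 30
interface gigabitethernet 0/3
 dot1x enable
 dot1x port-control auto
 dot1x host-mode single-host
 dot1x reauthentication
 dot1x timeout reauth-period 1800
"""

if __name__ == "__main__":
    for iface, sev, msg in audit(parse_config(SAMPLE_CONFIG)):
        print(f"{iface:<22} {sev:<8} {msg}")
```

Run directly, the script prints the findings for the built-in sample; to audit a real switch, pass the saved output of the running configuration to parse_config instead. Port 0/1 shows the trap this page's defaults set: dot1x enable alone leaves port-control at force-authorized and passes everything. Port 0/3 shows the hardened combination built from the commands above: port-control auto, host-mode single-host, reauthentication enabled, and the default control-direction both.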