Use the features in the Security folder on the navigation menu to set management security parameters for port, user, and server security. The Security folder contains links to the following features:
In port-based authentication mode, when 802.1x is enabled globally and on the port, successful authentication of any one supplicant attached to the port results in all users being able to use the port without restrictions. At any given time, only one supplicant is allowed to attempt authentication on a port in this mode. Ports in this mode are under bidirectional control. This is the default authentication mode.
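The difference between port-based mode described above and the MAC-based mode referred to later on this page (the Maximum Users field, 1 to 16 clients) is easiest to see in a small model. The following Python is an added example written for this page, not switch firmware; the class and method names, and the two constructed MAC addresses, are this example's own. It shows why a port-based port forwards traffic from every station once any one supplicant has authenticated, while a MAC-based port forwards only for the stations that authenticated themselves.

```python
"""Model of the two control modes: port-based, where one successful supplicant opens
the port for every station behind it and only one supplicant may attempt authentication
at a time; MAC-based, where each station is authorized individually, up to the port's
Maximum Users (documented range 1 to 16). Added example; names are this example's own."""

from dataclasses import dataclass, field
from typing import Optional, Set

PORT_BASED = "port-based"
MAC_BASED = "mac-based"


@dataclass
class ControlledPort:
    mode: str
    max_users: int = 16                                 # MAC-based cap, documented range 1 to 16
    authorized: Set[str] = field(default_factory=set)   # MACs that completed authentication
    in_progress: Optional[str] = None                   # port-based: the one supplicant mid-exchange

    def __post_init__(self):
        if self.mode not in (PORT_BASED, MAC_BASED):
            raise ValueError(f"unknown control mode {self.mode!r}")
        if not 1 <= self.max_users <= 16:
            raise ValueError("Maximum Users must be 1 to 16")

    def start_authentication(self, mac: str) -> bool:
        """Return True if this supplicant may begin an EAP exchange now."""
        if self.mode == PORT_BASED:
            if self.authorized:                         # port already open; no further exchange needed
                return False
            if self.in_progress not in (None, mac):     # only one attempt at a time per port
                return False
            self.in_progress = mac
            return True
        # MAC-based: attempts are independent, bounded by the Maximum Users cap
        return mac in self.authorized or len(self.authorized) < self.max_users

    def authentication_succeeded(self, mac: str) -> None:
        if self.mode == MAC_BASED and mac not in self.authorized and len(self.authorized) >= self.max_users:
            raise ValueError("Maximum Users reached on this port")
        self.authorized.add(mac)
        self.in_progress = None

    def authentication_failed(self, mac: str) -> None:
        if self.in_progress == mac:
            self.in_progress = None

    def forwards_traffic_from(self, mac: str) -> bool:
        """Is a data frame from `mac` forwarded on this port?"""
        if self.mode == PORT_BASED:
            return bool(self.authorized)                # one success opens the port for every station
        return mac in self.authorized


def demo() -> dict:
    """Same two stations on a port in each mode; returns what each mode forwards."""
    laptop, other = "00:11:22:33:44:55", "66:77:88:99:aa:bb"   # constructed addresses
    result = {}
    for mode in (PORT_BASED, MAC_BASED):
        port = ControlledPort(mode)
        port.start_authentication(laptop)
        port.authentication_succeeded(laptop)
        result[mode] = {"laptop": port.forwards_traffic_from(laptop),
                        "other": port.forwards_traffic_from(other)}
    return result
```

`demo()` returns `{"port-based": {"laptop": True, "other": True}, "mac-based": {"laptop": True, "other": False}}`: the unauthenticated second station gets through in port-based mode only. That is the reason to prefer MAC-based mode on ports where more than one device can be attached (a hub, an IP phone with a PC behind it).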
The 802.1X network has three components:
Authentication Server: Specifies the external server.
The Port Access Control folder contains links to the following pages that allow you to view and configure 802.1X features on the system.
Use the Port Based Access Control Configuration page to enable or disable port access control on the system.
To display the Port Based Authentication page, click Security > Port Access Control > Configuration in the navigation menu.
| Field | Description |
|---|---|
| Administrative Mode | Select Enable or Disable to turn 802.1x mode on or off on the switch. The default is Disable. This feature permits port-based authentication on the switch. |
| VLAN Assignment Mode | If enabled, when a supplicant is authenticated by an authentication server, the port that the supplicant is connected to is placed in the VLAN specified by the RADIUS server. VLAN Assignment Mode controls whether the switch is allowed to place a port in a RADIUS-assigned VLAN. A port’s VLAN assignment is determined by the first supplicant that is authenticated on the port. |
| Dynamic VLAN Creation Mode | Select Enable to allow the switch to dynamically create a RADIUS-assigned VLAN if it does not already exist in the VLAN database. |
| Monitor Mode | Select Enable to permit network access even when the 802.1X authentication process fails. The switch logs the results of the authentication process for diagnostic purposes. Monitor Mode can help you troubleshoot Dot1X configuration problems without affecting network access for end users. |
If you change the mode, click Submit to apply the new settings to the system.
Use the Port Access Control Port Configuration page to enable and configure port access control on one or more ports.
To access the Port Based Access Control Port Configuration page, click Security > Port Based Access Control > Port Configuration in the navigation menu.
| Field | Description |
|---|---|
| Interface | Selects the interface to configure. |
| Control Mode | Defines the port authorization state. The control mode is set only if the link status of the port is link up. The possible field values are: |
| Quiet Period (secs) | Defines the amount of time that the switch remains in the quiet state following a failed authentication exchange. The possible field range is 0 to 65535. The field value is in seconds. The field default is 60 seconds. |
| Transmit Period (secs) | Defines the transmit period for the selected port. The transmit period is the value, in seconds, of the timer used by the authenticator state machine on the specified port to determine when to send an EAPOL EAP Request/Identity frame to the supplicant. The transmit period must be a number in the range of 1 to 65535. The default value is 30. |
| Guest VLAN ID | Defines the Guest VLAN ID on the interface. The valid range is 0 to 4093. The default value is 0. Changing the value will not change the configuration until you click the Submit button. Enter zero (0) to clear the Guest VLAN ID on the interface. |
| Guest VLAN Period (secs) | Defines the Guest VLAN period for the selected port. The Guest VLAN period is the value, in seconds, of the timer used by the Guest VLAN Authentication. The Guest VLAN timeout must be a value in the range of 1 to 300. The default value is 90. Changing the value will not change the configuration until you click the Submit button. |
| Unauthenticated VLAN ID | Defines the Unauthenticated VLAN ID for the selected port. The valid range is 0 to 4093. The default value is zero (0). Changing the value will not change the configuration until you click the Submit button. Enter zero (0) to clear the Unauthenticated VLAN ID on the interface. |
| Supplicant Timeout (secs) | Defines the amount of time that elapses before EAP requests are resent to the user. The value must be in the range of 1 to 65535 seconds. The default value is 30 seconds. Changing the value will not change the configuration until you click the Submit button. |
| Server Timeout (secs) | Defines the amount of time that elapses before the switch resends a request to the authentication server. The field value is in seconds. The range is 1 to 65535, and the field default is 30 seconds. Changing the value will not change the configuration until you click the Submit button. |
| Maximum Requests | Defines the maximum number of times the switch can send an EAP request before restarting the authentication process if it does not receive a response. The possible field range is 1 to 10. The field default is 2 retries. |
| Reauthentication Period (secs) | Indicates the interval at which the selected port is reauthenticated. The field value is in seconds. The range is 1 to 65535, and the field default is 3600 seconds. Changing the value will not change the configuration until you click the Submit button. |
| Reauthentication Enabled | Reauthenticates the selected port periodically, when enabled. The default value is False. Changing the value will not change the configuration until you click the Submit button. |
| Maximum Users | Defines the maximum number of clients that can be authenticated on the port in the MAC-based dot1x authentication mode. The range is 1 to 16. The default value is 16. Changing the value will not change the configuration until you click the Submit button. |
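A configuration review of these per-port settings is easy to script against an exported copy of the values. The Python below is an added example written for this page, not switch code: the settings dictionary layout and key names are this example's own, the ranges and defaults are the ones in the table above, and the silent-supplicant estimate is derived from the field descriptions (Maximum Requests resends spaced by Supplicant Timeout, then Quiet Period), not a formula the page states. Apart from range checks, it flags the two settings a reviewer most often questions: reauthentication left at its default of disabled, and a Guest or Unauthenticated VLAN configured.

```python
"""Audit of one port's 802.1X settings against the documented ranges and defaults.
Added example; the dictionary layout and the estimate function are this example's own."""

# (minimum, maximum) per numeric field, from the Port Configuration table
RANGES = {
    "quiet_period": (0, 65535),
    "transmit_period": (1, 65535),
    "guest_vlan_id": (0, 4093),
    "guest_vlan_period": (1, 300),
    "unauthenticated_vlan_id": (0, 4093),
    "supplicant_timeout": (1, 65535),
    "server_timeout": (1, 65535),
    "maximum_requests": (1, 10),
    "reauthentication_period": (1, 65535),
    "maximum_users": (1, 16),
}

# Documented defaults; unspecified fields take these values
DEFAULTS = {
    "quiet_period": 60, "transmit_period": 30, "guest_vlan_id": 0,
    "guest_vlan_period": 90, "unauthenticated_vlan_id": 0, "supplicant_timeout": 30,
    "server_timeout": 30, "maximum_requests": 2, "reauthentication_period": 3600,
    "maximum_users": 16, "reauthentication_enabled": False,
}


def effective(settings: dict) -> dict:
    """Fill fields that were not exported with the documented defaults."""
    return {**DEFAULTS, **settings}


def silent_supplicant_seconds(settings: dict) -> int:
    """Approximate time (this example's estimate) a non-responding supplicant occupies
    the authenticator: Maximum Requests resends, each after Supplicant Timeout, then
    the Quiet Period before the port tries again."""
    s = effective(settings)
    return s["maximum_requests"] * s["supplicant_timeout"] + s["quiet_period"]


def audit_port(interface: str, settings: dict) -> list:
    """Return human-readable findings; an empty list means nothing to report."""
    s = effective(settings)
    findings = []
    for key, (lo, hi) in RANGES.items():
        value = s[key]
        # bool is an int subclass in Python, so reject it explicitly
        if not isinstance(value, int) or isinstance(value, bool) or not lo <= value <= hi:
            findings.append(f"{interface}: {key}={value!r} is outside the documented range {lo} to {hi}")
    if not s["reauthentication_enabled"]:
        findings.append(f"{interface}: reauthentication is disabled (the default); an authorized port is never re-checked")
    for key in ("guest_vlan_id", "unauthenticated_vlan_id"):
        if s[key] != 0:
            findings.append(f"{interface}: {key}={s[key]} is set; confirm what is reachable from that VLAN without a successful authentication")
    return findings


if __name__ == "__main__":
    # Constructed export of two ports
    ports = {
        "0/1": {"reauthentication_enabled": True},
        "0/2": {"guest_vlan_period": 301, "maximum_users": 0, "guest_vlan_id": 99},
    }
    for name, cfg in ports.items():
        print(name, "silent supplicant ~", silent_supplicant_seconds(cfg), "s")
        for line in audit_port(name, cfg):
            print("  ", line)
```

With the documented defaults, `silent_supplicant_seconds({})` comes to 120 seconds; raising Maximum Requests and Supplicant Timeout toward their maxima stretches that into days, which is the reason to keep both modest on user-facing ports.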
Use the PAE Capability Configuration page to configure a port as an authenticator or supplicant.
To access the PAE Capability Configuration page, click Security > Port Access Control > PAE Capability Configuration.
| Field | Description |
|---|---|
| Port | Select the Slot/Port to configure. |
| PAE Capabilities | Select authenticator or supplicant from the list. |
Click Submit to set the PAE capability. Note that these changes will not be retained across a power cycle unless you Save All Applied Changes. If you configured a port as a supplicant, use the Supplicant Port Configuration page to configure additional operational parameters for the port.
After you have configured a port as a supplicant, use this page to configure the operational properties of the port. To access the Supplicant Port Configuration page, click Security > Port Access Control > Supplicant Port Configuration.
| Field | Description |
|---|---|
| Port | Select the port to configure. |
| Control Mode | Select the port authorization state. The control mode is set only if the link status of the port is link up. The possible field values are: |
| Start Period | Enter the wait interval, in seconds, for the supplicant to receive the authenticator's EAP Identity request message. |
| Held Period | Enter the wait interval, in seconds, before the supplicant starts the next authentication process after a previous authentication process failed. |
| Authentication Period | Enter the wait interval for the supplicant to receive EAP challenge requests from the authenticator. |
| Maximum Requests | Enter the maximum number of successive EAPOL Start messages that will be sent before the supplicant assumes that there is no authenticator present. |
Use the Port Access Control Port Status page to view information about the port access control settings on a specific port. To access the Port Based Access Control Port Status page, click Security > Port Based Access Control > Port Status in the navigation menu.
The figure below is an example of the fields displayed for the port when the Control Mode of the port is MAC-based.
| Field | Description |
|---|---|
| Interface | Selects the interface to view. |
| Protocol Version | Displays the protocol version associated with the selected port. The only possible value is 1, corresponding to the first version of the 802.1x specification. This field is not configurable. |
| PAE Capabilities | Displays the port access entity (PAE) functionality of the selected port. Possible values are "Authenticator" or "Supplicant". This field is not configurable. |
| Control Mode | Defines the port authorization state. The control mode is set only if the link status of the port is link up. The possible field values are: |
| Authenticator PAE State | Displays the current state of the authenticator PAE state machine. Possible values are as follows: |
| Backend Authentication State | Displays the current state of the backend authentication state machine. Possible values are as follows: |
| Quiet Period | Displays the configured quiet period for the selected port. The quiet period is the value, in seconds, of the timer used by the authenticator state machine on this port to define periods of time in which it will not attempt to acquire a supplicant; that is, the period for which the authenticator does not attempt to acquire a supplicant after a failed authentication exchange with the supplicant. The quiet period is a number in the range of 0 to 65535. |
| Transmit Period | Displays the configured transmit period for the selected port. The transmit period is the value, in seconds, of the timer used by the authenticator state machine on the specified port to determine when to send an EAPOL EAP Request/Identity frame to the supplicant. The transmit period is a number in the range of 1 to 65535. |
| Guest VLAN ID | Displays the Guest VLAN ID configured on the interface. The valid range is 0 to 4093. |
| Guest VLAN Period (secs) | Displays the Guest VLAN period for the selected port. The Guest VLAN period is the value, in seconds, of the timer used by the Guest VLAN Authentication. The value is in the range of 1 to 300. |
| Supplicant Timeout | Displays the configured supplicant timeout for the selected port. The supplicant timeout is the value, in seconds, of the timer used by the authenticator state machine on this port to time out the supplicant. The supplicant timeout is a value in the range of 1 to 65535. |
| Server Timeout | Displays the configured server timeout for the selected port. The server timeout is the value, in seconds, of the timer used by the authenticator on this port to time out the authentication server. The server timeout is a value in the range of 1 to 65535. |
| Maximum Requests | Displays the configured maximum requests for the selected port. The maximum requests value is the maximum number of times the authenticator state machine on this port will retransmit an EAPOL EAP Request/Identity before timing out the supplicant. The maximum requests value is in the range of 1 to 10. |
| VLAN Assigned | Displays the VLAN ID assigned to the selected interface by the authenticator. NOTE: This field is displayed only when the port control mode of the selected interface is not MAC-based. |
| VLAN Assigned Reason | Displays the reason for the VLAN ID assigned by the authenticator to the selected interface. Possible values are: NOTE: This field is displayed only when the port control mode of the selected interface is not MAC-based. |
| Reauthentication Period | Displays the configured reauthentication period for the selected port. The reauthentication period is the value, in seconds, of the timer used by the authenticator state machine on this port to determine when reauthentication of the supplicant takes place. The reauthentication period is a value in the range of 1 to 65535. |
| Reauthentication Enabled | Displays whether reauthentication is enabled on the selected port. This is a configurable field. The possible values are 'true' and 'false'. If the value is 'true', reauthentication will occur. Otherwise, reauthentication will not be allowed. |
| Key Transmission Enabled | Displays whether key transmission is enabled on the selected port. This is not a configurable field. The possible values are 'true' and 'false'. If the value is 'false', key transmission will not occur. Otherwise, key transmission is supported on the selected port. |
| Control Direction | Displays the control direction for the specified port. The control direction dictates the degree to which protocol exchanges take place between supplicant and authenticator: whether the unauthorized controlled port exerts control over communication in both directions (disabling both incoming and outgoing frames) or only in the incoming direction (disabling only the reception of incoming frames). NOTE: This field is not configurable on some platforms. |
| Maximum Users | Displays the maximum number of clients that can be authenticated on the port in the MAC-based dot1x authentication mode. This field is configurable. The maximum users value is in the range of 1 to 16. |
| Unauthenticated VLAN ID | Displays the Unauthenticated VLAN ID for the selected port. The valid range is 0 to 4093. |
| Session Timeout | Displays the Session Timeout set by the RADIUS server for the selected port. NOTE: This field is displayed only when the port control mode of the selected port is not MAC-based. |
| Session Termination Action | Displays the Termination Action set by the RADIUS server for the selected port. Possible values are: If the termination action is Default, then at the end of the session the client details are initialized. Otherwise, re-authentication is attempted. NOTE: This field is displayed only when the port control mode of the selected port is not MAC-based. |
| Logical Port | Displays the logical port number associated with the supplicant that is connected to the port. This field is not configurable. NOTE: This field is displayed when the port control mode of the selected port is MAC-based. |
| Supplicant MacAddress | Displays the MAC address of the supplicant that is connected to the port. This field is not configurable. NOTE: This field is displayed when the port control mode of the selected port is MAC-based. |
Use the Port Access Control Port Summary page to view summary information about the port access control settings on all physical ports.
To access the Port Based Access Control Port Summary page, click Security > Port Based Access Control > Port Summary in the navigation menu.
| Field | Description |
|---|---|
| Interface | Identifies the port number. |
| Control Mode | Displays the port authorization state. The possible field values are: |
| Operating Control Mode | Indicates the control mode under which the port is actually operating. Possible values are as follows: |
| Reauthentication Enabled | Displays whether reauthentication is enabled on the port. This is a configurable field. The possible values are as follows: |
| Port Status | Shows the authorization status of the port, which might be Authorized, Unauthorized or N/A. The value is N/A if the port is in the detached state and cannot participate in port access control. |
Click Refresh to update the information on the screen.
Use the Port Access Control Statistics page to view EAP and EAPOL information on a specific port. To access the Port Based Access Control Statistics page, click Security > Port Based Access Control > Statistics in the navigation menu.
| Field | Description |
|---|---|
| Interface | Selects the port to be displayed. When the selection is changed, a screen refresh occurs, causing all fields to be updated for the newly selected port. All physical interfaces are valid. |
| Authenticator/Supplicant Port Access Control Statistics | The name of this heading changes based on whether the selected interface is configured as an Authenticator port or a Supplicant port. |
| EAPOL Frames Received | Displays the number of valid EAPOL frames received on the port. |
| EAPOL Frames Transmitted | Displays the number of EAPOL frames transmitted via the port. |
| EAPOL Start Frames Received | Displays the number of EAPOL Start frames received on the port. |
| EAPOL Logoff Frames Received | Displays the number of EAPOL Logoff frames that have been received on the port. |
| Last EAPOL Frames Version | Displays the protocol version number carried in the most recently received EAPOL frame. |
| Last EAPOL Frames Source | Displays the source MAC address of the most recently received EAPOL frame. |
| EAP Response/ID Frames Received | Displays the number of EAP Response/Identity frames that have been received on the port. |
| EAP Response Frames Received | Displays the number of valid EAP Response frames received on the port. |
| EAP Request/ID Frames Transmitted | Displays the number of EAP Request/Identity frames transmitted through the port. |
| EAP Request Frames Transmitted | Displays the number of EAP Request frames transmitted via the port. |
| Invalid EAPOL Frames Received | Displays the number of unrecognized EAPOL frames received on this port. |
| EAPOL Length Error Frames Received | Displays the number of EAPOL frames with an invalid Packet Body Length received on this port. |
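The receive-side counters above map directly onto the fields of an EAPOL frame, so it is worth seeing how each one is derived. The Python below is an added example written for this page, not switch firmware; the sample frames are constructed, and the class and helper names are this example's own. Frame layouts follow IEEE 802.1X (EAPOL header: version, packet type, packet body length) and RFC 3748 (EAP: code, identifier, length, type). It distinguishes the "Invalid EAPOL" counter (unrecognized packet type) from the "Length Error" counter (declared body length longer than the frame), and records the last EAPOL frame's version and source as the page does.

```python
"""Receive-side counters, named as on the Statistics page, maintained by parsing raw
Ethernet frames. Added example; sample frames are constructed below."""

import struct
from collections import Counter

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")     # destination address used for EAPOL
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
KNOWN_EAPOL_TYPES = {0, 1, 2, 3, 4}                   # EAP-Packet, Start, Logoff, Key, Encapsulated-ASF-Alert
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


class AuthenticatorStats:
    def __init__(self):
        self.counters = Counter()
        self.last_eapol_version = None
        self.last_eapol_source = None

    def receive(self, frame: bytes) -> str:
        """Classify one received frame, update the counters, return the counter bumped."""
        if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
            return "not EAPOL"                            # ordinary data frames are not counted here
        self.last_eapol_source = frame[6:12].hex(":")
        version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
        self.last_eapol_version = version
        if ptype not in KNOWN_EAPOL_TYPES:
            return self._bump("Invalid EAPOL Frames Received")
        if body_len > len(frame) - 18:                    # declared body longer than what arrived
            return self._bump("EAPOL Length Error Frames Received")
        body = frame[18:18 + body_len]
        self._bump("EAPOL Frames Received")               # valid EAPOL frame of any kind
        if ptype == EAPOL_START:
            return self._bump("EAPOL Start Frames Received")
        if ptype == EAPOL_LOGOFF:
            return self._bump("EAPOL Logoff Frames Received")
        if ptype == EAPOL_EAP_PACKET and len(body) >= 5:
            code, _ident, _length, eap_type = struct.unpack("!BBHB", body[:5])
            if code == EAP_RESPONSE:
                if eap_type == EAP_TYPE_IDENTITY:
                    return self._bump("EAP Response/ID Frames Received")
                return self._bump("EAP Response Frames Received")
        return "EAPOL Frames Received"

    def _bump(self, name: str) -> str:
        self.counters[name] += 1
        return name


def eapol_frame(src: bytes, ptype: int, body: bytes = b"", declared_len=None) -> bytes:
    """Build a constructed EAPOL frame; declared_len lets a test forge a bad body length."""
    length = len(body) if declared_len is None else declared_len
    return PAE_GROUP_ADDRESS + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, 2, ptype, length) + body


def eap_response_identity(identifier: int, identity: bytes) -> bytes:
    """EAP Response/Identity body: code 2, identifier, total length, type 1, identity."""
    return struct.pack("!BBHB", EAP_RESPONSE, identifier, 5 + len(identity), EAP_TYPE_IDENTITY) + identity


if __name__ == "__main__":
    stats = AuthenticatorStats()
    src = bytes.fromhex("001122334455")                    # constructed supplicant address
    for f in (eapol_frame(src, EAPOL_START),
              eapol_frame(src, EAPOL_EAP_PACKET, eap_response_identity(1, b"alice")),
              eapol_frame(src, 9),                          # unrecognized packet type
              eapol_frame(src, EAPOL_EAP_PACKET, b"\x02\x01\x00\x05\x01", declared_len=200)):
        print(stats.receive(f))
    print(dict(stats.counters), stats.last_eapol_version, stats.last_eapol_source)
```

A port whose Invalid or Length Error counters climb while EAP Response counters stay flat is usually a misbehaving or non-802.1X device rather than a policy problem, which is what makes these two counters the first thing to check when a port never leaves the unauthorized state.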
Use the Port Access Control Client Summary page to view summary information about the supplicant device.
To access the Port Access Control Client Summary page, click Security > Port Access Control > Client Summary in the navigation menu.
| Field | Description |
|---|---|
| Interface | Displays the interface address of the supplicant device. |
| User Name | Displays the user name representing the supplicant device. |
| Supp Mac Address | Displays the supplicant device’s MAC address. |
| Session Time | Displays the time since the supplicant logged in. The value is in seconds. |
| Filter ID | The policy filter ID assigned by the authenticator to the supplicant device. |
| VLAN ID | The VLAN ID assigned by the authenticator to the supplicant device. |
Click Refresh to refresh the page with the most current data from the switch.
Use the Port Access Control Client Detail page to view detail information about the supplicant device.
To access the Port Access Control Client Detail page, click Security > Port Access Control > Client Detail in the navigation menu.
| Field | Description |
|---|---|
| Port | Select the port address of the supplicant device. |
| User Name | Displays the user name representing the supplicant device. |
| Supplicant MAC Address | Displays the supplicant device’s MAC address. |
| Session Time | Displays the time since the supplicant logged in. The value is in seconds. |
| Filter ID | The policy filter ID assigned by the authenticator to the supplicant device. |
| VLAN ID | The VLAN ID assigned by the authenticator to the supplicant device. |
| VLAN Assigned | Displays the reason for the VLAN ID assigned by the authenticator to the supplicant device. |
| Session Timeout | Displays the session timeout set by the RADIUS server for the supplicant device. |
| Termination Action | Displays the termination action set by the RADIUS server for the supplicant device. |
Click Refresh to refresh the page with the most current data from the switch.
Use the Port Access Control Privileges page to grant or deny port access to users configured on the system.
To access the Port Based Access Control Privileges page, click Security > Port Based Access Control > Privileges in the navigation menu.
| Field | Description |
|---|---|
| Interface | Selects the port on which to grant or deny access. To grant or deny port access privileges to a user on all ports, select All from the drop-down menu. |
| Users | Lists the users configured on the system. The users that are highlighted have access to the selected port. By default, all users have access to all ports. To deny a user access to a port, use Shift+click to select only the users who should have access, make sure the user to be denied is not selected, and then click Submit. |
Use the Port Access Control Summary page to view a summary of which users are allowed access to the physical ports on the system.
To access the Port Based Access Control Summary page, click Security > Port Based Access Control > Summary in the navigation menu.
| Field | Description |
|---|---|
| Interface | Lists the physical ports on the system. |
| Users | Lists the users that are allowed 802.1x access to the port. If a username is configured on the system and does not appear in the Users column for a port, the user is denied access to the port. |
Click Refresh to refresh the page with the most current data from the switch.
Use the Port Access Control History Log Summary page to view 802.1X entries in the history log table.
To access the Port Access Control History Log Summary page, click Security > Port Based Access Control > Port Access Control History Log Summary in the navigation menu.
| Field | Description |
|---|---|
| Interface | Lists all the interfaces that exist in the history log table. When the selection is changed, a screen refresh occurs, causing all fields to be updated for the newly selected interface. |
| Time Stamp | Displays the absolute time (in "Month Day Year Time" format) at which the authentication event took place. |
| VLAN Assigned | Displays the VLAN ID assigned by the authenticator. |
| VLAN Assigned Reason | Displays the reason for the VLAN ID assigned by the authenticator to the supplicant device. |
| Supplicant MAC Address | Displays the MAC address of the supplicant device. |
| Filter Name | Displays the policy filter name assigned by the authenticator to the supplicant device. |
| Auth Status | Displays the authentication status of the client/port (Authorized or Unauthorized). |
| Reason | Displays the exact reason for the successful or unsuccessful authentication. |
Click Refresh to refresh the page with the most current data from the switch. Click Clear to clear all the history log entries for the selected interface.
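The history log is the one place on this page that records who failed to authenticate, where, and why, so it is the natural input for a periodic review. The Python below is an added example written for this page, not switch code. It assumes the log has been exported as CSV with the column names from the table above (the export layout, the sample rows, the VLAN Assigned Reason values and the repeat-failure threshold are all this example's own constructions), and it summarizes the things a responder looks at first: unauthorized events per interface, supplicant MACs that fail repeatedly, MACs seen on more than one interface, and failures whose Reason points at the authentication server rather than at the client.

```python
"""Triage of exported 802.1X history-log rows. Added example; the CSV layout, sample
rows and threshold are constructed for this page."""

import csv
import io
from collections import Counter, defaultdict

# Constructed export: column names from the History Log Summary table, values made up
SAMPLE_LOG = """\
Interface,Time Stamp,VLAN Assigned,VLAN Assigned Reason,Supplicant MAC Address,Filter Name,Auth Status,Reason
0/1,Jan 05 2024 09:12:01,10,RADIUS,00:11:22:33:44:01,,Authorized,Authentication succeeded
0/2,Jan 05 2024 09:12:40,0,,00:11:22:33:44:02,,Unauthorized,Authentication failed
0/2,Jan 05 2024 09:13:10,0,,00:11:22:33:44:02,,Unauthorized,Authentication failed
0/2,Jan 05 2024 09:13:45,0,,00:11:22:33:44:02,,Unauthorized,Authentication failed
0/3,Jan 05 2024 10:01:05,20,RADIUS,00:11:22:33:44:01,,Authorized,Authentication succeeded
0/4,Jan 05 2024 10:05:00,0,,00:11:22:33:44:03,,Unauthorized,Authentication server timeout
"""


def parse_history_log(text: str) -> list:
    """Rows as dictionaries keyed by the column names in the header line."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(rows: list, failure_threshold: int = 3) -> dict:
    """Summaries a responder would look at first."""
    unauthorized_per_interface = Counter()
    failures_per_mac = Counter()
    interfaces_per_mac = defaultdict(set)
    server_problems = []
    for row in rows:
        mac = row["Supplicant MAC Address"]
        interfaces_per_mac[mac].add(row["Interface"])
        if row["Auth Status"] == "Unauthorized":
            unauthorized_per_interface[row["Interface"]] += 1
            failures_per_mac[mac] += 1
            # a failure blamed on the server is an infrastructure problem, not a client one
            if "server" in row["Reason"].lower():
                server_problems.append((row["Interface"], row["Time Stamp"], row["Reason"]))
    return {
        "unauthorized_per_interface": dict(unauthorized_per_interface),
        "repeat_failures": {m: n for m, n in failures_per_mac.items() if n >= failure_threshold},
        # the same MAC on several ports: a moved device, or one address claimed by two stations
        "roaming_supplicants": {m: sorted(i) for m, i in interfaces_per_mac.items() if len(i) > 1},
        "server_problems": server_problems,
    }


if __name__ == "__main__":
    for key, value in triage(parse_history_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run against the constructed rows, the report shows three unauthorized events on 0/2 from one MAC, one MAC authorized on both 0/1 and 0/3, and a single server-timeout failure on 0/4. Because Clear removes the entries for the selected interface, export the log before clearing if the rows are needed for a later review.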