This section describes the commands you use to configure port-based network access control (IEEE 802.1X). Port-based network access control allows you to permit access to network services only to devices that are authenticated and authorized.
aaa authentication dot1x default
Use this command to configure the authentication method for port-based access to the switch. The additional methods of authentication are used only if the previous method returns an error, not if there is an authentication failure. The possible methods are as follows:
ias. Uses the internal authentication server users database for authentication. This method can be used in conjunction with any one of the existing methods like local, radius, etc.
local. Uses the local username database for authentication.
none. Uses no authentication.
radius. Uses the list of all RADIUS servers for authentication.
This command clears the authentication history table captured during successful and unsuccessful authentication on all interfaces or on the specified interface.
This command is used to clear all RADIUS statistics.
Format: clear radius statistics
Mode: Privileged EXEC
dot1x dynamic-vlan enable
Use this command to enable the switch to create VLANs dynamically when a RADIUS-assigned VLAN does not exist in the switch.
Default: Disabled
Format: dot1x dynamic-vlan enable
Mode: Global Config
no dot1x dynamic-vlan enable
Use this command to prevent the switch from creating VLANs when a RADIUS-assigned VLAN does not exist in the switch.
Format: no dot1x dynamic-vlan enable
Mode: Global Config
dot1x guest-vlan
This command configures a VLAN as the guest VLAN on an interface or a range of interfaces. The command specifies an active VLAN as an IEEE 802.1X guest VLAN. The range is 1 to the maximum VLAN ID supported by the platform.
Default: disabled
Format: dot1x guest-vlan <vlan-id>
Mode: Interface Config
no dot1x guest-vlan
This command disables Guest VLAN on the interface.
Default: disabled
Format: no dot1x guest-vlan
Mode: Interface Config
dot1x initialize
This command begins the initialization sequence on the specified port. This command is only valid if the control mode for the specified port is auto or mac-based. If the control mode is not auto or mac-based, an error will be returned.
Format: dot1x initialize <unit/slot/port>
Mode: Privileged EXEC
dot1x max-req
This command sets the maximum number of times the authenticator state machine on an interface or range of interfaces will transmit an EAPOL EAP Request/Identity frame before timing out the supplicant. The <count> value must be in the range 1 - 10.
Default: 2
Format: dot1x max-req <count>
Mode: Interface Config
no dot1x max-req
This command resets the maximum number of EAP Request/Identity retransmissions used by the authenticator state machine on the port to the default value.
Format: no dot1x max-req
Mode: Interface Config
dot1x max-users
Use this command to set the maximum number of clients supported on an interface or range of interfaces when MAC-based dot1x authentication is enabled on the port. The maximum number of users supported per port depends on the product. The <count> value is in the range 1 - 16.
Default: 16
Format: dot1x max-users <count>
Mode: Interface Config
no dot1x max-users
This command resets the maximum number of clients allowed per port to its default value.
Format: no dot1x max-users
Mode: Interface Config
dot1x port-control
This command sets the authentication mode to use on the specified interface or range of interfaces. Use the force-unauthorized parameter to specify that the authenticator PAE unconditionally sets the controlled port to unauthorized. Use the force-authorized parameter to specify that the authenticator PAE unconditionally sets the controlled port to authorized. Use the auto parameter to specify that the authenticator PAE sets the controlled port mode to reflect the outcome of the authentication exchanges between the supplicant, authenticator and the authentication server. If the mac-based option is specified, then MAC-based dot1x authentication is enabled on the port.
Default: auto
Format: dot1x port-control {force-unauthorized | force-authorized | auto | mac-based}
Mode: Interface Config
no dot1x port-control
This command sets the 802.1X port control mode on the specified port to the default value.
Format: no dot1x port-control
Mode: Interface Config
dot1x port-control all
This command sets the authentication mode to use on all ports. Select force-unauthorized to specify that the authenticator PAE unconditionally sets the controlled port to unauthorized. Select force-authorized to specify that the authenticator PAE unconditionally sets the controlled port to authorized. Select auto to specify that the authenticator PAE sets the controlled port mode to reflect the outcome of the authentication exchanges between the supplicant, authenticator and the authentication server. If the mac-based option is specified, then MAC-based dot1x authentication is enabled on the port.
Default: auto
Format: dot1x port-control all {force-unauthorized | force-authorized | auto | mac-based}
Mode: Global Config
no dot1x port-control all
This command sets the authentication mode on all ports to the default value.
Format: no dot1x port-control all
Mode: Global Config
dot1x re-authenticate
This command begins the re-authentication sequence on the specified port. This command is only valid if the control mode for the specified port is auto or mac-based. If the control mode is not auto or mac-based, an error will be returned.
Format: dot1x re-authenticate <unit/slot/port>
Mode: Privileged EXEC
dot1x re-authentication
This command enables re-authentication of the supplicant for the specified interface or range of interfaces.
Default: disabled
Format: dot1x re-authentication
Mode: Interface Config
no dot1x re-authentication
This command disables re-authentication of the supplicant for the specified port.
Format: no dot1x re-authentication
Mode: Interface Config
dot1x system-auth-control
Use this command to enable the dot1x authentication support on the switch. While disabled, the dot1x configuration is retained and can be changed, but is not activated.
Default: disabled
Format: dot1x system-auth-control
Mode: Global Config
no dot1x system-auth-control
This command is used to disable the dot1x authentication support on the switch.
Format: no dot1x system-auth-control
Mode: Global Config
dot1x system-auth-control monitor
Use this command to enable the 802.1X monitor mode on the switch. The purpose of Monitor mode is to help troubleshoot port-based authentication configuration issues without disrupting network access for hosts connected to the switch. In Monitor mode, a host is granted network access to an 802.1X-enabled port even if it fails the authentication process. The results of the process are logged for diagnostic purposes.
Default: disabled
Format: dot1x system-auth-control monitor
Mode: Global Config
no dot1x system-auth-control monitor
This command disables the 802.1X Monitor mode on the switch.
Format: no dot1x system-auth-control monitor
Mode: Global Config
dot1x timeout
This command sets the value, in seconds, of the timer used by the authenticator state machine on an interface or range of interfaces. Depending on the token used and the value (in seconds) passed, various timeout configurable parameters are set. The following tokens are supported:
guest-vlan-period: The time, in seconds, for which the authenticator waits to see if any EAPOL packets are received on a port before authorizing the port and placing the port in the guest vlan (if configured). The guest vlan timer is only relevant when guest vlan has been configured on that specific port.
reauth-period: The value, in seconds, of the timer used by the authenticator state machine on this port to determine when re-authentication of the supplicant takes place. The reauth-period must be a value in the range 1 - 65535.
quiet-period: The value, in seconds, of the timer used by the authenticator state machine on this port to define periods of time in which it will not attempt to acquire a supplicant. The quiet-period must be a value in the range 0 - 65535.
tx-period: The value, in seconds, of the timer used by the authenticator state machine on this port to determine when to send an EAPOL EAP Request/Identity frame to the supplicant. The tx-period must be a value in the range 1 - 65535.
supp-timeout: The value, in seconds, of the timer used by the authenticator state machine on this port to timeout the supplicant. The supp-timeout must be a value in the range 1 - 65535.
server-timeout: The value, in seconds, of the timer used by the authenticator state machine on this port to timeout the authentication server. The server-timeout must be a value in the range 1 - 65535.
no dot1x timeout
This command resets the value, in seconds, of the timer used by the authenticator state machine on this port to its default value. Depending on the token used, the corresponding default value is set.
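The following configuration, added here as an illustration and not taken from the original reference, ties the per-port commands above together: RADIUS with local fallback, MAC-based port control, hourly re-authentication, bounded retries, and the guest and unauthenticated VLANs. It assumes the RADIUS servers and VLANs 900 and 901 are already configured, that the dot1x timeout syntax is the token followed by the value in seconds, and that configure and interface enter the two configuration modes; the prompts and the "!" comment lines are illustrative.

```console
! Assumed: "configure" enters Global Config, "interface" enters Interface Config.
(Switch) #configure
! Try RADIUS first; fall back to the local user database only if RADIUS returns
! an error. A RADIUS rejection does NOT fall through to the next method.
(Switch) (Config)#aaa authentication dot1x default radius local
! Turn 802.1X on globally; per-port settings are retained but inactive until this is set.
(Switch) (Config)#dot1x system-auth-control
! Let the switch create a RADIUS-assigned VLAN that does not yet exist.
(Switch) (Config)#dot1x dynamic-vlan enable

(Switch) (Config)#interface 1/0/1
! Per-client authentication on a port shared by several devices, at most 8 of them.
(Switch) (Interface 1/0/1)#dot1x port-control mac-based
(Switch) (Interface 1/0/1)#dot1x max-users 8
! Re-authenticate every hour so a revoked account loses access within that window.
(Switch) (Interface 1/0/1)#dot1x re-authentication
(Switch) (Interface 1/0/1)#dot1x timeout reauth-period 3600
! Give up on a silent supplicant after 3 identity requests 30 s apart, then hold
! the port quiet for 60 s before trying to acquire a supplicant again.
(Switch) (Interface 1/0/1)#dot1x max-req 3
(Switch) (Interface 1/0/1)#dot1x timeout tx-period 30
(Switch) (Interface 1/0/1)#dot1x timeout quiet-period 60
! Bound how long a slow supplicant or an unreachable RADIUS server holds a session open.
(Switch) (Interface 1/0/1)#dot1x timeout supp-timeout 30
(Switch) (Interface 1/0/1)#dot1x timeout server-timeout 30
! Devices that never send EAPOL (printers etc.) land in VLAN 900 after 90 s of
! silence; devices that try and fail land in the restricted VLAN 901. Both VLANs
! must already exist in the VLAN database (assumed configured elsewhere).
(Switch) (Interface 1/0/1)#dot1x guest-vlan 900
(Switch) (Interface 1/0/1)#dot1x timeout guest-vlan-period 90
(Switch) (Interface 1/0/1)#dot1x unauthenticated-vlan 901
```

The "no" form of each command returns that single setting to its default, so a mistaken timer can be undone without touching the rest of the port configuration.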
dot1x unauthenticated-vlan
Use this command to configure the unauthenticated VLAN associated with the specified interface or range of interfaces. The unauthenticated VLAN ID can be a valid VLAN ID from 0 to the maximum supported VLAN ID (4093 for TEJOS). The unauthenticated VLAN must be statically configured in the VLAN database to be operational. By default, the unauthenticated VLAN is 0, i.e. invalid and not operational.
Default: 0
Format: dot1x unauthenticated-vlan <vlan id>
Mode: Interface Config
no dot1x unauthenticated-vlan
This command resets the unauthenticated-vlan associated with the port to its default value.
Format: no dot1x unauthenticated-vlan
Mode: Interface Config
dot1x user
This command adds the specified user to the list of users with access to the specified port or all ports. The <user> parameter must be a configured user.
Format: dot1x user <user> {<unit/slot/port> | all}
Mode: Global Config
no dot1x user
This command removes the user from the list of users with access to the specified port or all ports.
Format: no dot1x user <user> {<unit/slot/port> | all}
Mode: Global Config
show authentication methods
Use this command to display information about the authentication methods.
Format: show authentication methods
Mode: Privileged EXEC
show authentication sessions
Use this command to display information about the authentication sessions.
Format: show authentication sessions [unit/slot/port]
Mode: Privileged EXEC
The display parameters for the above command are:
Hostname: The host name of the server.
Vlan Id: Vlan Id associated with the host.
IP address: IP address assigned.
PAE capabilities: The Port Access Entity (PAE) functionality of this port. Possible values are Authenticator or Supplicant.
Control Mode: The configured control mode for this port. Possible values are force-unauthorized | force-authorized | auto | mac-based.
Authenticator PAE State: Current state of the authenticator PAE state machine. Possible values are Initialize, Disconnected, Connecting, Authenticating, Authenticated, Aborting, Held, ForceAuthorized, and ForceUnauthorized. When MAC-based authentication is enabled on the port, this parameter is deprecated.
Backend Authentication State: Current state of the backend authentication state machine. Possible values are Request, Response, Success, Fail, Timeout, Idle, and Initialize. When MAC-based authentication is enabled on the port, this parameter is deprecated.
Quiet Period: The timer used by the authenticator state machine on this port to define periods of time in which it will not attempt to acquire a supplicant. The value is expressed in seconds and will be in the range 0 and 65535.
Transmit Period: The timer used by the authenticator state machine on the specified port to determine when to send an EAPOL EAP Request/Identity frame to the supplicant. The value is expressed in seconds and will be in the range of 1 and 65535.
VLAN Id: The Vlan Id in which the hosts are included.
VLAN Assigned Reason: The reason the VLAN identified in the VLAN-assigned field has been assigned to the port. Possible values are RADIUS, Unauthenticated VLAN, Guest VLAN, default, and Not Assigned. When the VLAN Assigned Reason is Not Assigned, it means that the port has not been assigned to any VLAN by dot1x. This is only valid when the port control mode is not MAC-based.
show dot1x
This command is used to show a summary of the global dot1x configuration, summary information of the dot1x configuration for a specified port or all ports, the detailed dot1x configuration for a specified port and the dot1x statistics for a specified port - depending on the tokens used.
If you do not use the optional parameters <unit/slot/port> or <vlanid>, the command displays the global dot1x mode, the VLAN Assignment mode, and the Dynamic VLAN Creation mode.
Administrative Mode: Indicates whether authentication control on the switch is enabled or disabled.
VLAN Assignment Mode: Indicates whether assignment of an authorized port to a RADIUS-assigned VLAN is allowed (enabled) or not (disabled).
Dynamic VLAN Creation Mode: Indicates whether the switch can dynamically create a RADIUS-assigned VLAN if it does not currently exist on the switch.
Monitor Mode: Indicates whether the Dot1x Monitor mode on the switch is enabled or disabled.
If you use the optional parameter summary {<unit/slot/port> | all}, the dot1x configuration for the specified port or all ports are displayed.
Interface: The interface whose configuration is displayed.
Control Mode: The configured control mode for this port. Possible values are force-unauthorized | force-authorized | auto | mac-based | authorized | unauthorized.
Operating Control Mode: The control mode under which this port is operating. Possible values are authorized | unauthorized.
Reauthentication Enabled: Indicates whether re-authentication is enabled on this port.
Port Status: Indicates whether the port is authorized or unauthorized. Possible values are authorized | unauthorized.
If you use the optional parameter 'detail <unit/slot/port>', the detailed dot1x configuration for the specified port is displayed.
Port: The interface whose configuration is displayed.
Protocol Version: The protocol version associated with this port. The only possible value is 1, corresponding to the first version of the dot1x specification.
PAE Capabilities: The port access entity (PAE) functionality of this port. Possible values are Authenticator or Supplicant.
Control Mode: The configured control mode for this port. Possible values are force-unauthorized | force-authorized | auto | mac-based.
Authenticator PAE State: Current state of the authenticator PAE state machine. Possible values are Initialize, Disconnected, Connecting, Authenticating, Authenticated, Aborting, Held, ForceAuthorized, and ForceUnauthorized. When MAC-based authentication is enabled on the port, this parameter is deprecated.
Backend Authentication State: Current state of the backend authentication state machine. Possible values are Request, Response, Success, Fail, Timeout, Idle, and Initialize. When MAC-based authentication is enabled on the port, this parameter is deprecated.
Quiet Period: The timer used by the authenticator state machine on this port to define periods of time in which it will not attempt to acquire a supplicant. The value is expressed in seconds and will be in the range 0 and 65535.
Transmit Period: The timer used by the authenticator state machine on the specified port to determine when to send an EAPOL EAP Request/Identity frame to the supplicant. The value is expressed in seconds and will be in the range of 1 and 65535.
Guest-VLAN ID: The guest VLAN identifier configured on the interface.
Guest VLAN Period: The time in seconds for which the authenticator waits before authorizing and placing the port in the Guest VLAN, if no EAPOL packets are detected on that port.
Supplicant Timeout: The timer used by the authenticator state machine on this port to timeout the supplicant. The value is expressed in seconds and will be in the range of 1 and 65535.
Server Timeout: The timer used by the authenticator on this port to timeout the authentication server. The value is expressed in seconds and will be in the range of 1 and 65535.
Maximum Requests: The maximum number of times the authenticator state machine on this port will retransmit an EAPOL EAP Request/Identity before timing out the supplicant. The value will be in the range of 1 and 10.
Vlan-assigned: The VLAN assigned to the port by the RADIUS server. This is only valid when the port control mode is not MAC-based.
VLAN Assigned Reason: The reason the VLAN identified in the VLAN-assigned field has been assigned to the port. Possible values are RADIUS, Unauthenticated VLAN, Guest VLAN, default, and Not Assigned. When the VLAN Assigned Reason is Not Assigned, it means that the port has not been assigned to any VLAN by dot1x. This is only valid when the port control mode is not MAC-based.
Reauthentication Period: The timer used by the authenticator state machine on this port to determine when reauthentication of the supplicant takes place. The value is expressed in seconds and will be in the range of 1 and 65535.
Reauthentication Enabled: Indicates if reauthentication is enabled on this port. Possible values are "True" or "False".
Key Transmission Enabled: Indicates if the key is transmitted to the supplicant for the specified port. Possible values are True or False.
Control Direction: The control direction for the specified port or ports. Possible values are both or in.
Maximum Users: The maximum number of clients that can get authenticated on the port in the MAC-based dot1x authentication mode. This value is used only when the port control mode is not MAC-based.
Unauthenticated VLAN ID: Indicates the unauthenticated VLAN configured for this port. This value is valid for the port only when the port control mode is not MAC-based.
Session Timeout: Indicates the time for which the given session is valid. The time period in seconds is returned by the RADIUS server on authentication of the port. This value is valid for the port only when the port control mode is not MAC-based.
Session Termination Action: This value indicates the action to be taken once the session timeout expires. Possible values are Default and Radius-Request. If the value is Default, the session is terminated and the port goes into the unauthorized state. If the value is Radius-Request, then a reauthentication of the client authenticated on the port is performed. This value is valid for the port only when the port control mode is not MAC-based.
Supplicant MAC Address: The MAC-address of the supplicant.
Authenticator PAE State: Current state of the authenticator PAE state machine. Possible values are Initialize, Disconnected, Connecting, Authenticating, Authenticated, Aborting, Held, ForceAuthorized, and ForceUnauthorized.
Backend Authentication State: Current state of the backend authentication state machine. Possible values are Request, Response, Success, Fail, Timeout, Idle, and Initialize.
VLAN-Assigned: The VLAN assigned to the client by the radius server.
Logical Port: The logical port number associated with the client.
If you use the optional parameter statistics <unit/slot/port>, the following dot1x statistics for the specified port appear.
Port: The interface whose statistics are displayed.
EAPOL Frames Received: The number of valid EAPOL frames of any type that have been received by this authenticator.
EAPOL Frames Transmitted: The number of EAPOL frames of any type that have been transmitted by this authenticator.
EAPOL Start Frames Received: The number of EAPOL start frames that have been received by this authenticator.
EAPOL Logoff Frames Received: The number of EAPOL logoff frames that have been received by this authenticator.
Last EAPOL Frame Version: The protocol version number carried in the most recently received EAPOL frame.
Last EAPOL Frame Source: The source MAC address carried in the most recently received EAPOL frame.
EAP Response/Id Frames Received: The number of EAP response/identity frames that have been received by this authenticator.
EAP Response Frames Received: The number of valid EAP response frames (other than resp/id frames) that have been received by this authenticator.
EAP Request/Id Frames Transmitted: The number of EAP request/identity frames that have been transmitted by this authenticator.
EAP Request Frames Transmitted: The number of EAP request frames (other than request/identity frames) that have been transmitted by this authenticator.
Invalid EAPOL Frames Received: The number of EAPOL frames that have been received by this authenticator in which the frame type is not recognized.
EAP Length Error Frames Received: The number of EAPOL frames that have been received by this authenticator in which the frame type is not recognized.
show dot1x authentication-history
This command displays 802.1X authentication events and information recorded during successful and unsuccessful dot1x authentication processes for all interfaces or the specified interface. Use the optional keywords to display only failed authentication events, in summary or in detail.
Format: show dot1x authentication-history {unit/slot/port | all} [failed-auth-only] [detail]
Mode: Privileged EXEC
The display parameters for the above command are:
Time Stamp: The exact time at which the event occurs.
Interface: Physical Port on which the event occurs.
Mac-Address: The supplicant/client MAC address.
VLAN assigned: The VLAN assigned to the client/port on authentication.
VLAN assigned Reason: The type of VLAN ID assigned, which can be Guest VLAN, Unauth, Default, RADIUS Assigned, or Monitor Mode VLAN ID.
Auth Status: The authentication status.
Reason: The actual reason behind the successful or failed authentication.
show dot1x clients
This command displays 802.1X client information. This command also displays information about the number of clients that are authenticated using Monitor mode and using 802.1X.
Format: show dot1x clients {<unit/slot/port> | all} [detail]
Mode: Privileged EXEC
The display parameters for the above command are:
Clients Authenticated using Monitor Mode: Indicates the number of the Dot1x clients authenticated using Monitor mode.
Clients Authenticated using Dot1x: Indicates the number of Dot1x clients authenticated using 802.1x authentication process.
Logical Interface: The logical port number associated with a client.
Interface: The physical port to which the supplicant is associated.
User Name: The user name used by the client to authenticate to the server.
Supplicant MAC Address: The supplicant device MAC address.
Session Time: The time since the supplicant is logged on.
Filter ID: Identifies the Filter ID returned by the RADIUS server when the client was authenticated. This is a configured DiffServ policy name on the switch.
VLAN ID: The VLAN assigned to the port.
VLAN Assigned: The reason the VLAN identified in the VLAN ID field has been assigned to the port. Possible values are RADIUS, Unauthenticated VLAN, Monitor Mode, or Default. When the VLAN Assigned reason is Default, it means that the VLAN was assigned to the port because the P-VID of the port was that VLAN ID.
Session Timeout: This value indicates the time for which the given session is valid. The time period in seconds is returned by the RADIUS server on authentication of the port. This value is valid for the port only when the port-control mode is not MAC-based.
Session Termination Action: This value indicates the action to be taken once the session timeout expires. Possible values are Default and Radius-Request. If the value is Default, the session is terminated and client details are cleared. If the value is Radius-Request, then a reauthentication of the client is performed.
show dot1x users
This command displays 802.1X port security user information for locally configured users.
Format: show dot1x users <unit/slot/port>
Mode: Privileged EXEC
The display parameters for the above command are:
Users: Users configured locally to have access to the specified port.
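The following verification sequence is an added illustration, not part of the original reference. It shows how the Monitor mode command and the show commands above fit into a staged rollout: observe first, then enforce. It assumes the port configuration from the earlier example is in place and that configure and exit move between Privileged EXEC and Global Config mode; prompts and "!" comment lines are illustrative.

```console
! Phase 1: Monitor mode. A host that fails authentication is still granted
! access, but every attempt is logged, so broken supplicants and RADIUS policy
! gaps can be found before access is actually enforced.
(Switch) #configure
(Switch) (Config)#dot1x system-auth-control monitor
(Switch) (Config)#exit

! Global state: Administrative Mode, VLAN Assignment Mode, Dynamic VLAN
! Creation Mode and Monitor Mode should all read as intended.
(Switch) #show dot1x
! Per-port view: Control Mode versus Operating Control Mode and Port Status.
(Switch) #show dot1x summary all
! Who is on each port and why: "Clients Authenticated using Monitor Mode" is
! the set that would have been rejected, compared with
! "Clients Authenticated using Dot1x". The VLAN Assigned field tells whether a
! client got its VLAN from RADIUS, the unauthenticated VLAN, or the port PVID.
(Switch) #show dot1x clients all detail
! Only the failures, with the Reason column: this is the list to work through
! before switching to enforcement.
(Switch) #show dot1x authentication-history all failed-auth-only detail
! RADIUS reachability on one port: a Backend Authentication State of Timeout
! in the detail view, with EAP Request/Id frames transmitted but no
! EAP Response/Id frames received, points at the supplicant; responses that
! arrive but never reach Success point at the server side.
(Switch) #show dot1x detail 1/0/1
(Switch) #show dot1x statistics 1/0/1

! Phase 2: once the failure list is empty, leave Monitor mode so that a failed
! authentication blocks the port (or lands it in the unauthenticated VLAN).
(Switch) #configure
(Switch) (Config)#no dot1x system-auth-control monitor
(Switch) (Config)#exit
! Force a fresh exchange on the port and zero the RADIUS counters so the
! enforcing configuration is observed from a clean baseline.
(Switch) #dot1x re-authenticate 1/0/1
(Switch) #clear radius statistics
```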
dot1x auth-violation
This command sets the action to be taken on an authentication violation. A violation occurs when the 802.1X authenticator detects an authentication failure, i.e. the supplicant fails to provide correct authentication information. When the action is set to restrict, on authentication failure 802.1X waits for the quiet period and then sends the authentication request again. If it is set to shutdown, then on authentication failure the interface is moved to the admin disabled state. The default violation action is shutdown.