Feedback
Contents
Security Commands
- aaa accounting dot1x
- aaa accounting identity
- aaa authentication dot1x
- aaa authorization
- access-session mac-move deny
- authentication host-mode
- authentication mac-move permit
- authentication priority
- authentication violation
- cisp enable
- clear errdisable interface vlan
- clear mac address-table
- deny (MAC access-list configuration)
- device-role (IPv6 snooping)
- device-role (IPv6 nd inspection)
- dot1x critical (global configuration)
- dot1x max-start
- dot1x pae
- dot1x supplicant force-multicast
- dot1x test eapol-capable
- dot1x test timeout
- dot1x timeout
- epm access-control open
- ip admission
- ip admission name
- ip device tracking maximum
- ip device tracking probe
- ip dhcp snooping database
- ip dhcp snooping information option format remote-id
- ip dhcp snooping verify no-relay-agent-address
- ip source binding
- ip verify source
- ipv6 snooping policy
- limit address-count
- mab request format attribute 32
- no authentication logging verbose
- no dot1x logging verbose
- no mab logging verbose
- permit (MAC access-list configuration)
- protocol (IPv6 snooping)
- security level (IPv6 snooping)
- show aaa clients
- show aaa command handler
- show aaa local
- show aaa servers
- show aaa sessions
- show authentication history
- show authentication sessions
- show cisp
- show dot1x
- show eap pac peer
- show ip dhcp snooping statistics
- show radius server-group
- tracking (IPv6 snooping)
- trusted-port
- wireless security dot1x Command
- wireless security strong-password Command
- wireless wps ap-authentication Command
- wireless wps auto-immune Command
- wireless wps cids-sensor Command
- wireless wps client-exclusion Command
- wireless wps mfp infrastructure Command
- wireless wps rogue Command
aaa accounting dot1x
To enable authentication, authorization, and accounting (AAA) accounting and to create method lists defining specific accounting methods on a per-line or per-interface basis for IEEE 802.1x sessions, use the aaa accounting dot1x global configuration command. Use the no form of this command to disable IEEE 802.1x accounting.
aaa accounting dot1x { name | default } start-stop { broadcast group { name | radius | tacacs+} [ group { name | radius | tacacs+} ... ] | group { name | radius | tacacs+} [ group { name | radius | tacacs+} ... ]}
no aaa accounting dot1x { name | default }
Syntax Description
name Name of a server group. This is optional when you enter it after the broadcast group and group keywords.
default Specifies the accounting methods that follow as the default list for accounting services.
start-stop Sends a start accounting notice at the beginning of a process and a stop accounting notice at the end of a process. The start accounting record is sent in the background. The requested user process begins regardless of whether or not the start accounting notice was received by the accounting server.
broadcast Enables accounting records to be sent to multiple AAA servers and sends accounting records to the first server in each group. If the first server is unavailable, the switch uses the list of backup servers to identify the first server.
group The group keyword is optional when you enter it after the broadcast group and group keywords. You can enter more than optional group keyword.
radius (Optional) Enables RADIUS accounting.
tacacs+ (Optional) Enables TACACS+ accounting.
Command History
aaa accounting identity
To enable authentication, authorization, and accounting (AAA) accounting for IEEE 802.1x, MAC authentication bypass (MAB), and web authentication sessions, use the aaa accounting identity global configuration command. Use the no form of this command to disable IEEE 802.1x accounting.
aaa accounting identity { name | default } start-stop { broadcast group { name | radius | tacacs+} [ group { name | radius | tacacs+} ... ] | group { name | radius | tacacs+} [ group { name | radius | tacacs+} ... ]}
no aaa accounting identity { name | default }
Syntax Description
name Name of a server group. This is optional when you enter it after the broadcast group and group keywords.
default Uses the accounting methods that follow as the default list for accounting services.
start-stop Sends a start accounting notice at the beginning of a process and a stop accounting notice at the end of a process. The start accounting record is sent in the background. The requested-user process begins regardless of whether or not the start accounting notice was received by the accounting server.
broadcast Enables accounting records to be sent to multiple AAA servers and send accounting records to the first server in each group. If the first server is unavailable, the switch uses the list of backup servers to identify the first server.
group The group keyword is optional when you enter it after the broadcast group and group keywords. You can enter more than optional group keyword.
radius (Optional) Enables RADIUS authorization.
tacacs+ (Optional) Enables TACACS+ accounting.
Command History
Usage Guidelines
To enable AAA accounting identity, you need to enable policy mode. To enable policy mode, enter the authentication display new-style command in privileged EXEC mode.
Examples
This example shows how to configure IEEE 802.1x accounting identity:
Switch# authentication display new-style Please note that while you can revert to legacy style configuration at any time unless you have explicitly entered new-style configuration, the following caveats should be carefully read and understood. (1) If you save the config in this mode, it will be written to NVRAM in NEW-style config, and if you subsequently reload the router without reverting to legacy config and saving that, you will no longer be able to revert. (2) In this and legacy mode, Webauth is not IPv6-capable. It will only become IPv6-capable once you have entered new- style config manually, or have reloaded with config saved in 'authentication display new' mode. Switch# configure terminal Switch(config)# aaa accounting identity default start-stop group radiusaaa authentication dot1x
To specify the authentication, authorization, and accounting (AAA) method to use on ports complying with the IEEE 802.1x authentication, use the aaa authentication dot1x global configuration command on the switch stack or on a standalone switch. Use the no form of this command to disable authentication.
Syntax Description
default The default method when a user logs in. Use the listed authentication method that follows this argument.
method1 Specifies the server authentication. Enter the group radius keywords to use the list of all RADIUS servers for authentication.
Note Though other keywords are visible in the command-line help strings, only the default and group radius keywords are supported.
Command History
Usage Guidelines
The method argument identifies the method that the authentication algorithm tries in the specified sequence to validate the password provided by the client. The only method that is IEEE 802.1x-compliant is the group radius method, in which the client data is validated against a RADIUS authentication server.
If you specify group radius, you must configure the RADIUS server by entering the radius-server host global configuration command.
Use the show running-config privileged EXEC command to display the configured lists of authentication methods.
Examples
This example shows how to enable AAA and how to create an IEEE 802.1x-compliant authentication list. This authentication first tries to contact a RADIUS server. If this action returns an error, the user is not allowed access to the network.
Switch(config)# aaa new-model Switch(config)# aaa authentication dot1x default group radiusaaa authorization
To set the parameters that restrict user access to a network, use the aaa authorization command in global configuration mode. To remove the parameters, use the no form of this command.
aaa authorization { auth-proxy | cache | commands level | config-commands | configuration | console | credential-download | exec | multicast | network | reverse-access | template} { default | list_name } [ method1 [ method2 ...]]
no aaa authorization { auth-proxy | cache | commands level | config-commands | configuration | console | credential-download | exec | multicast | network | reverse-access | template} { default | list_name } [ method1 [ method2 ...]]
Syntax Description
auth-proxy Runs authorization for authentication proxy services.
cache Configures the authentication, authorization, and accounting (AAA) server.
commands Runs authorization for all commands at the specified privilege level.
level Specific command level that should be authorized. Valid entries are 0 through 15.
config-commands Runs authorization to determine whether commands entered in configuration mode are authorized.
configuration Downloads the configuration from the AAA server.
console Enables the console authorization for the AAA server.
credential-download Downloads EAP credential from Local/RADIUS/LDAP.
exec Enables the console authorization for the AAA server.
multicast Downloads the multicast configuration from the AAA server.
network Runs authorization for all network-related service requests, including Serial Line Internet Protocol (SLIP), PPP, PPP Network Control Programs (NCPs), and AppleTalk Remote Access (ARA).
reverse-access Runs authorization for reverse access connections, such as reverse Telnet.
template Enables template authorization for the AAA server.
default Uses the listed authorization methods that follow this keyword as the default list of methods for authorization.
list_name Character string used to name the list of authorization methods.
method1 [method2...] (Optional) An authorization method or multiple authorization methods to be used for authorization. A method may be any one of the keywords listed in the table below.
Command History
Usage Guidelines
Use the aaa authorization command to enable authorization and to create named methods lists, which define authorization methods that can be used when a user accesses the specified function. Method lists for authorization define the ways in which authorization will be performed and the sequence in which these methods will be performed. A method list is a named list that describes the authorization methods (such as RADIUS or TACACS+) that must be used in sequence. Method lists enable you to designate one or more security protocols to be used for authorization, which ensures a backup system in case the initial method fails. Cisco IOS software uses the first method listed to authorize users for specific network services; if that method fails to respond, the Cisco IOS software selects the next method listed in the method list. This process continues until there is successful communication with a listed authorization method, or until all the defined methods are exhausted.
NoteThe Cisco IOS software attempts authorization with the next listed method only when there is no response from the previous method. If authorization fails at any point in this cycle--meaning that the security server or the local username database responds by denying the user services--the authorization process stops and no other authorization methods are attempted.
If the aaa authorization command for a particular authorization type is issued without a specified named method list, the default method list is automatically applied to all interfaces or lines (where this authorization type applies) except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, then no authorization takes place. The default authorization method list must be used to perform outbound authorization, such as authorizing the download of IP pools from the RADIUS server.
Use the aaa authorization command to create a list by entering the values for the list-name and the method arguments, where list-name is any character string used to name this list (excluding all method names) and method identifies the list of authorization methods tried in the given sequence.
NoteIn the table that follows, the groupgroup-name, group ldap, group radius, and group tacacs+ methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs-server host commands to configure the host servers. Use the aaa group server radius, aaa group server ldap, and aaa group server tacacs+ commands to create a named group of servers.
This table describes the method keywords.
Table 1 aaa authorization MethodsKeyword
Description
cache group-name
Uses a cache server group for authorization.
group group-name
Uses a subset of RADIUS or TACACS+ servers for accounting as defined by the server group group-name command.
group ldap
Uses the list of all Lightweight Directory Access Protocol (LDAP) servers for authentication.
group radius
Uses the list of all RADIUS servers for authentication as defined by the aaa group server radius command.
grouptacacs+
Uses the list of all TACACS+ servers for authentication as defined by the aaa group server tacacs+ command.
if-authenticated
Note The if-authenticated method is a terminating method. Therefore, if it is listed as a method, any methods listed after it will never be evaluated.
local
Uses the local database for authorization.
none
Indicates that no authorization is performed.
Cisco IOS software supports the following methods for authorization:
- Cache Server Groups — The router consults its cache server groups to authorize specific rights for users.
- If-Authenticated — The user is allowed to access the requested function provided the user has been authenticated successfully.
- Local— The router or access server consults its local database, as defined by the username command, to authorize specific rights for users. Only a limited set of functions can be controlled through the local database.
- None — The network access server does not request authorization information; authorization is not performed over this line or interface.
- RADIUS —The network access server requests authorization information from the RADIUS security server group. RADIUS authorization defines specific rights for users by associating attributes, which are stored in a database on the RADIUS server, with the appropriate user.
- TACACS+ — The network access server exchanges authorization information with the TACACS+ security daemon. TACACS+ authorization defines specific rights for users by associating attribute-value (AV) pairs, which are stored in a database on the TACACS+ security server, with the appropriate user.
Method lists are specific to the type of authorization being requested. AAA supports five different types of authorization:
- Commands — Applies to the EXEC mode commands a user issues. Command authorization attempts authorization for all EXEC mode commands, including global configuration commands, associated with a specific privilege level.
- EXEC — Applies to the attributes associated with a user EXEC terminal session.
NoteYou must configure the aaa authorization config-commands command to authorize global configuration commands, including EXEC commands prepended by the do command.
- Reverse Access — Applies to reverse Telnet sessions.
- Configuration — Applies to the configuration downloaded from the AAA server.
When you create a named method list, you are defining a particular list of authorization methods for the indicated authorization type.
Once defined, the method lists must be applied to specific lines or interfaces before any of the defined methods are performed.
The authorization command causes a request packet containing a series of AV pairs to be sent to the RADIUS or TACACS daemon as part of the authorization process. The daemon can do one of the following:
For a list of supported RADIUS attributes, see the module RADIUS Attributes. For a list of supported TACACS+ AV pairs, see the module TACACS+ Attribute-Value Pairs.
NoteFive commands are associated with privilege level 0: disable, enable, exit, help, and logout. If you configure AAA authorization for a privilege level greater than 0, these five commands will not be included in the privilege level command set.
Examples
The following example shows how to define the network authorization method list named mygroup, which specifies that RADIUS authorization will be used on serial lines using PPP. If the RADIUS server fails to respond, local network authorization will be performed.
Switch(config)# aaa authorization network mygroup group radius localaccess-session mac-move deny
To disable MAC move on a switch, use the access-session mac-move deny global configuration command. To return to the default setting, use the no form of this command.
Command History
Usage Guidelines
The no form of this command enables authenticated hosts to move between any authentication-enabled ports (MAC authentication bypass [MAB], 802.1x, or Web-auth) on a switch. For example, if there is a device between an authenticated host and port, and that host moves to another port, the authentication session is deleted from the first port, and the host is reauthenticated on the new port.
If MAC move is disabled, and an authenticated host moves to another port, it is not reauthenticated, and a violation error occurs.
Examples
This example shows how to enable MAC move on a switch:
Switch(config)# no access-session mac-move denyRelated Commands
authentication host-mode
To set the authorization manager mode on a port, use the authentication host-mode interface configuration command. To return to the default setting, use the no form of this command.
authentication host-mode { multi-auth | multi-domain | multi-host | single-host}
no authentication host-mode
Syntax Description
multi-auth Enables multiple-authorization mode (multi-auth mode) on the port.
multi-domain Enables multiple-domain mode on the port.
multi-host Enables multiple-host mode on the port.
single-host Enables single-host mode on the port.
Command History
Usage Guidelines
Single-host mode should be configured if only one data host is connected. Do not connect a voice device to authenticate on a single-host port. Voice device authorization fails if no voice VLAN is configured on the port.
Multi-domain mode should be configured if data host is connected through an IP phone to the port. Multi-domain mode should be configured if the voice device needs to be authenticated.
Multi-auth mode should be configured to allow devices behind a hub to obtain secured port access through individual authentication. Only one voice device can be authenticated in this mode if a voice VLAN is configured.
Multi-host mode also offers port access for multiple hosts behind a hub, but multi-host mode gives unrestricted port access to the devices after the first user gets authenticated.
Examples
This example shows how to enable multi-auth mode on a port:
Switch(config-if)# authentication host-mode multi-authThis example shows how to enable multi-domain mode on a port:
Switch(config-if)# authentication host-mode multi-domainThis example shows how to enable multi-host mode on a port:
Switch(config-if)# authentication host-mode multi-hostThis example shows how to enable single-host mode on a port:
Switch(config-if)# authentication host-mode single-hostYou can verify your settings by entering the show authentication sessions interface interface details privileged EXEC command.
authentication mac-move permit
To enable MAC move on a switch, use the authentication mac-move permit global configuration command. To disable MAC move, use the no form of this command.
Command History
Usage Guidelines
This is a legacy command. The new command is access-session mac-move deny.
The command enables authenticated hosts to move between any authentication-enabled ports (MAC authentication bypass [MAB], 802.1x, or Web-auth) on a switch. For example, if there is a device between an authenticated host and port, and that host moves to another port, the authentication session is deleted from the first port, and the host is reauthenticated on the new port.
If MAC move is disabled, and an authenticated host moves to another port, it is not reauthenticated, and a violation error occurs.
Examples
This example shows how to enable MAC move on a switch:
Switch(config)# authentication mac-move permitRelated Commands
authentication priority
To add an authentication method to the port-priority list, use the authentication priority command in interface configuration mode. To return to the default, use the no form of this command.
authentication priority [ dot1x | mab] { webauth}
no authentication priority [ dot1x | mab] { webauth}
Syntax Description
Command Default
The default priority is 802.1x authentication, followed by MAC authentication bypass and web authentication.
Command History
Usage Guidelines
Ordering sets the order of methods that the switch attempts when trying to authenticate a new device is connected to a port.
When configuring multiple fallback methods on a port, set web authentication (webauth) last.
Assigning priorities to different authentication methods allows a higher-priority method to interrupt an in-progress authentication method with a lower priority.
NoteIf a client is already authenticated, it might be reauthenticated if an interruption from a higher-priority method occurs.
The default priority of an authentication method is equivalent to its position in execution-list order: 802.1x authentication, MAC authentication bypass (MAB), and web authentication. Use the dot1x, mab, and webauth keywords to change this default order.
Examples
This example shows how to set 802.1x as the first authentication method and web authentication as the second authentication method:
Switch(config-if)# authentication priority dotx webauthThis example shows how to set MAB as the first authentication method and web authentication as the second authentication method:
Switch(config-if)# authentication priority mab webauthRelated Commands
authentication violation
To configure the violation modes that occur when a new device connects to a port or when a new device connects to a port after the maximum number of devices are connected to that port, use the authentication violation interface configuration command.
authentication violation{ protect| replace| restrict| shutdown }
no authentication violation{ protect| replace| restrict| shutdown }
Syntax Description
protect Drops unexpected incoming MAC addresses. No syslog errors are generated.
replace Removes the current session and initiates authentication with the new host.
restrict Generates a syslog error when a violation error occurs.
shutdown Error-disables the port or the virtual port on which an unexpected MAC address occurs.
Command History
Usage Guidelines
Use the authentication violation command to specify the action to be taken when a security violation occurs on a port.
Examples
This example shows how to configure an IEEE 802.1x-enabled port as error-disabled and to shut down when a new device connects it:
Switch(config-if)# authentication violation shutdownThis example shows how to configure an 802.1x-enabled port to generate a system error message and to change the port to restricted mode when a new device connects to it:
Switch(config-if)# authentication violation restrictThis example shows how to configure an 802.1x-enabled port to ignore a new device when it connects to the port:
Switch(config-if)# authentication violation protectThis example shows how to configure an 802.1x-enabled port to remove the current session and initiate authentication with a new device when it connects to the port:
Switch(config-if)# authentication violation replaceYou can verify your settings by entering the show authentication privileged EXEC command.
cisp enable
To enable Client Information Signaling Protocol (CISP) on a switch so that it acts as an authenticator to a supplicant switch, use the cisp enable global configuration command.
Command History
Usage Guidelines
The link between the authenticator and supplicant switch is a trunk. When you enable VTP on both switches, the VTP domain name must be the same, and the VTP mode must be server.
To avoid the MD5 checksum mismatch error when you configure VTP mode, verify that:
clear errdisable interface vlan
To reenable a VLAN that was error-disabled, use the clear errdisable interface privileged EXEC command on the switch.
Syntax Description
(Optional) Specifies a list of VLANs to be reenabled. If a VLAN list is not specified, then all VLANs are reenabled.
Command History
Usage Guidelines
You can reenable a port by using the shutdown and no shutdown interface configuration commands, or you can clear error-disable for VLANs by using the clear errdisable interface command.
Examples
This example shows how to reenable all VLANs that were error-disabled on Gigabit Ethernet port 4/0/2:
Switch# clear errdisable interface gigabitethernet4/0/2 vlanclear mac address-table
To delete from the MAC address table a specific dynamic address, all dynamic addresses on a particular interface, all dynamic addresses on stack members, or all dynamic addresses on a particular VLAN, use the clear mac address-table command in privileged EXEC mode. This command also clears the MAC address notification global counters.
clear mac address-table { dynamic [ address mac-addr | interface interface-id | vlan vlan-id] | move update | notification}
Syntax Description
Command History
Usage Guidelines
You can verify that the information was deleted by entering the show mac address-table privileged EXEC command.
Examples
This example shows how to remove a specific MAC address from the dynamic address table:
Switch# clear mac address-table dynamic address 0008.0070.0007deny (MAC access-list configuration)
To prevent non-IP traffic from being forwarded if the conditions are matched, use the deny MAC access-list configuration command on the switch stack or on a standalone switch. To remove a deny condition from the named MAC access list, use the no form of this command.
deny { any | host src-MAC-addr | src-MAC-addr mask} { any | host dst-MAC-addr | dst-MAC-addr mask} [ type mask | aarp | amber | appletalk | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | lsap lsap mask | mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-idp] [ cos cos]
no deny { any | host src-MAC-addr | src-MAC-addr mask} { any | host dst-MAC-addr | dst-MAC-addr mask} [ type mask | aarp | amber | appletalk | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | lsap lsap mask | mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-idp] [ cos cos]
Syntax Description
Command Default
This command has no defaults. However, the default action for a MAC-named ACL is to deny.
Command History
Usage Guidelines
You enter MAC-access list configuration mode by using the mac access-list extended global configuration command.
If you use the host keyword, you cannot enter an address mask; if you do not use the host keyword, you must enter an address mask.
When an access control entry (ACE) is added to an access control list, an implied deny-any-any condition exists at the end of the list. That is, if there are no matches, the packets are denied. However, before the first ACE is added, the list permits all packets.
To filter IPX traffic, you use the type mask or lsap lsap mask keywords, depending on the type of IPX encapsulation being used. Filter criteria for IPX encapsulation types as specified in Novell terminology and Cisco IOS terminology are listed in the table.
Examples
This example shows how to define the named MAC extended access list to deny NETBIOS traffic from any source to MAC address 00c0.00a0.03fa. Traffic matching this list is denied.
Switch(config-ext-macl)# deny any host 00c0.00a0.03fa netbios.This example shows how to remove the deny condition from the named MAC extended access list:
Switch(config-ext-macl)# no deny any 00c0.00a0.03fa 0000.0000.0000 netbios.This example denies all packets with Ethertype 0x4321:
Switch(config-ext-macl)# deny any any 0x4321 0You can verify your settings by entering the show access-lists privileged EXEC command.
device-role (IPv6 snooping)
To specify the role of the device attached to the port, use the device-role command in IPv6 snooping configuration mode.
Syntax Description
node Sets the role of the attached device to node.
switch Sets the role of the attached device to switch.
Command History
Usage Guidelines
The device-role command specifies the role of the device attached to the port. By default, the device role is node.
The switch keyword indicates that the remote device is a switch and that the local switch is now operating in multiswitch mode; binding entries learned from the port will be marked with trunk_port preference level. If the port is configured as a trust-port, binding entries will be marked with trunk_trusted_port preference level.
device-role (IPv6 nd inspection)
Use the device-role command in neighbor discovery (ND) inspection policy configuration mode to specify the role of the device attached to the port.
Syntax Description
host Sets the role of the attached device to host.
monitor Sets the role of the attached device to monitor.
router Sets the role of the attached device to router.
switch Sets the role of the attached device to switch.
Command History
Usage Guidelines
The device-role command specifies the role of the device attached to the port. By default, the device role is host, and therefore all the inbound router advertisement and redirect messages are blocked. If the device role is enabled using the router keyword, all messages (router solicitation [RS], router advertisement [RA], or redirect) are allowed on this port.
When the router or monitor keyword is used, the multicast RS messages are bridged on the port, regardless of whether limited broadcast is enabled. However, the monitor keyword does not allow inbound RA or redirect messages. When the monitor keyword is used, devices that need these messages will receive them.
The switch keyword indicates that the remote device is a switch and that the local switch is now operating in multiswitch mode; binding entries learned from the port will be marked with trunk_port preference level. If the port is configured as a trust-port, binding entries will be marked with trunk_trusted_port preference level.dot1x critical (global configuration)
dot1x max-start
To set the maximum number of Extensible Authentication Protocol over LAN (EAPOL) start frames that a supplicant sends (assuming that no response is received) to the client before concluding that the other end is 802.1X unaware, use the dot1x max-start command in interface configuration mode. To remove the maximum number-of-times setting, use the no form of this command.
Syntax Description
number Maximum number of times that the router sends an EAPOL start frame. The value is from 1 to 10. The default is 3.
Command History
dot1x pae
To set the Port Access Entity (PAE) type, use the dot1x pae command in interface configuration mode. To disable the PAE type that was set, use the no form of this command.
Syntax Description
supplicant The interface acts only as a supplicant and will not respond to messages that are meant for an authenticator.
authenticator The interface acts only as an authenticator and will not respond to any messages meant for a supplicant.
Command History
Usage Guidelines
Use the no dot1x pae interface configuration command to disable IEEE 802.1x authentication on the port.
When you configure IEEE 802.1x authentication on a port, such as by entering the dot1x port-control interface configuration command, the switch automatically configures the port as an IEEE 802.1x authenticator. After the no dot1x pae interface configuration command is entered, the Authenticator PAE operation is disabled.
dot1x supplicant force-multicast
To force a supplicant switch to send only multicast Extensible Authentication Protocol over LAN (EAPOL) packets whenever it receives multicast or unicast EAPOL packets, use the dot1x supplicant force-multicast global configuration command. To return to the default setting, use the no form of this command.
Command Default
The supplicant switch sends unicast EAPOL packets when it receives unicast EAPOL packets. Similarly, it sends multicast EAPOL packets when it receives multicast EAPOL packets.
Command History
Usage Guidelines
Enable this command on the supplicant switch for Network Edge Access Topology (NEAT) to work in all host modes.
Examples
This example shows how force a supplicant switch to send multicast EAPOL packets to the authenticator switch:
Switch(config)# dot1x supplicant force-multicastdot1x test eapol-capable
To monitor IEEE 802.1x activity on all the switch ports and to display information about the devices that are connected to the ports that support IEEE 802.1x, use the dot1x test eapol-capable privileged EXEC command on the switch stack or on a standalone switch.
Syntax Description
Command History
Usage Guidelines
Use this command to test the IEEE 802.1x capability of the devices connected to all ports or to specific ports on a switch.
Examples
This example shows how to enable the IEEE 802.1x readiness check on a switch to query a port. It also shows the response received from the queried port verifying that the device connected to it is IEEE 802.1x-capable:
Switch# dot1x test eapol-capable interface gigabitethernet1/0/13 DOT1X_PORT_EAPOL_CAPABLE:DOT1X: MAC 00-01-02-4b-f1-a3 on gigabitethernet1/0/13 is EAPOL capabledot1x test timeout
To configure the timeout used to wait for EAPOL response from a port being queried for IEEE 802.1x readiness, use the dot1x test timeout global configuration command on the switch stack or on a standalone switch.
Syntax Description
Command History
dot1x timeout
To configure the value for retry timeouts, use the dot1x timeout command in global configuration or interface configuration mode. To return to the default value for retry timeouts, use the no form of this command.
dot1x timeout { auth-period seconds | held-period seconds | quiet-period seconds | ratelimit-period seconds | server-timeout seconds | start-period seconds | supp-timeout seconds | tx-period seconds}
Syntax Description
auth-period seconds Configures the time, in seconds for which a supplicant will stay in the HELD state (that is, the length of time it will wait before trying to send the credentials again after a failed attempt).
The range is from 1 to 65535. The default is 30.
held-period seconds Configures the time, in seconds for which a supplicant will stay in the HELD state (that is, the length of time it will wait before trying to send the credentials again after a failed attempt).
The range is from 1 to 65535. The default is 60
quiet-period seconds Configures the time, in seconds, that the authenticator (server) remains quiet (in the HELD state) following a failed authentication exchange before trying to reauthenticate the client.
The range is from 1 to 65535. The default is 60
ratelimit-period seconds Throttles the EAP-START packets that are sent from misbehaving client PCs (for example, PCs that send EAP-START packets that result in the wasting of switch processing power).
server-timeout seconds Configures the interval, in seconds, between two successive EAPOL-Start frames when they are being retransmitted.
If the server does not send a response to an 802.1X packet within the specified period, the packet is sent again.
start-period seconds Configures the interval, in seconds, between two successive EAPOL-Start frames when they are being retransmitted.
The range is from 1 to 65535. The default is 30.
supp-timeout seconds Sets the authenticator-to-supplicant retransmission time for all EAP messages other than EAP Request ID.
The range is from 1 to 65535. The default is 30.
tx-period seconds Configures the number of seconds between retransmission of EAP request ID packets (assuming that no response is received) to the client.
Command History
Usage Guidelines
You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers.
The dot1x timeout reauth-period interface configuration command affects the behavior of the switch only if you have enabled periodic re-authentication by using the dot1x reauthentication interface configuration command.
During the quiet period, the switch does not accept or initiate any authentication requests. If you want to provide a faster response time to the user, enter a number smaller than the default.
When the ratelimit-period is set to 0 (the default), the switch does not ignore EAPOL packets from clients that have been successfully authenticated and forwards them to the RADIUS server.
Examples
The following example shows that various 802.1X retransmission and timeout periods have been set:
Switch(config)# configure terminal Switch(config)# interface g1/0/3 Switch(config-if)# dot1x port-control auto Switch(config-if)# dot1x timeout auth-period 2000 Switch(config-if)# dot1x timeout held-period 2400 Switch(config-if)# dot1x timeout quiet-period 600 Switch(config-if)# dot1x timeout start-period 90 Switch(config-if)# dot1x timeout supp-timeout 300 Switch(config-if)# dot1x timeout tx-period 60 Switch(config-if)# dot1x timeout server-timeout 60epm access-control open
To configure an open directive for ports that do not have an access control list (ACL) configured, use the epm access-control open command in global configuration mode. To disable the open directive, use the no form of this command.
Command History
Usage Guidelines
Use this command to configure an open directive that allows hosts without an authorization policy to access ports configured with a static ACL. If you do not configure this command, the port applies the policies of the configured ACL to the traffic. If no static ACL is configured on a port, both the default and open directives allow access to the port.
You can verify your settings by entering the show running-config privileged EXEC command.
ip admission
Use the ip admission configuration command to enable web authentication. You can also use this command in fallback-profile mode. Use the no form of this command to disable web authentication.
Syntax Description
Command History
Examples
This example shows how to apply a web authentication rule to a switchport:
Switch# configure terminal Switch(config)# interface gigabitethernet1/0/1 Switch(config-if)# ip admission rule1This example shows how to apply a web authentication rule to a fallback profile for use on an IEEE 802.1x enabled switch port.
Switch# configure terminal Switch(config)# fallback profile profile1 Switch(config-fallback-profile)# ip admission rule1ip admission name
To enable web authentication, use the ip admission name command in global configuration mode. To disable web authentication, use the no form of this command.
ip admission name name { consent | proxy http} [ absolute timer minutes | inactivity-time minutes | list { acl | acl-name} | service-policy type tag service-policy-name]
no ip admission name name { consent | proxy http} [ absolute timer minutes | inactivity-time minutes | list { acl | acl-name} | service-policy type tag service-policy-name]
Syntax Description
name Name of network admission control rule.
consent Associates an authentication proxy consent web page with the IP admission rule specified using the admission-name argument.
proxy http Configures web authentication custom page.
absolute-timer minutes (Optional) Elapsed time, in minutes, before the external server times out.
inactivity-time minutes (Optional) Elapsed time, in minutes, before the external file server is deemed unreachable.
list (Optional) Associates the named rule with an access control list (ACL). acl Applies a standard, extended list to a named admission control rule. The value ranges from 1 through 199, or from 1300 through 2699 for expanded range.
acl-name Applies a named access list to a named admission control rule.
service-policy type tag (Optional) A control plane service policy is to be configured.
service-policy-name Control plane tag service policy that is configured using the policy-map type control tagpolicyname command, keyword, and argument. This policy map is used to apply the actions on the host when a tag is received.
Command History
Usage Guidelines
The ip admission name command globally enables web authentication on a switch.
After you enable web authentication on a switch, use the ip access-group in and ip admission web-rule interface configuration commands to enable web authentication on a specific interface.
Examples
This example shows how to configure only web authentication on a switch port:
Switch# configure terminal Switch(config) ip admission name http-rule proxy http Switch(config)# interface gigabitethernet1/0/1 Switch(config-if)# ip access-group 101 in Switch(config-if)# ip admission rule Switch(config-if)# endThis example shows how to configure IEEE 802.1x authentication with web authentication as a fallback mechanism on a switch port:
Switch# configure terminal Switch(config)# ip admission name rule2 proxy http Switch(config)# fallback profile profile1 Switch(config)# ip access group 101 in Switch(config)# ip admission name rule2 Switch(config)# interface gigabitethernet1/0/1 Switch(config-if)# dot1x port-control auto Switch(config-if)# dot1x fallback profile1 Switch(config-if)# endRelated Commands
Command
Description
dot1x fallback
Configures a port to use web authentication as a fallback method for clients that do not support IEEE 802.1x authentication.
fallback profile
Creates a web authentication fallback profile.
ip admission
Enables web authentication on a port.
show authentication sessions interface interface detail
Displays information about the web authentication session status.
show ip admission
Displays information about NAC cached entries or the NAC configuration.
ip device tracking maximum
To enable IP port security binding tracking on a Layer 2 port, use the ip device tracking maximum command in interface configuration mode. To disable IP port security on untrusted Layer 2 interfaces, use the no form of this command.
Syntax Description
Command History
Examples
This example shows how to enable IP port security with IP-MAC filters on a Layer 2 access port:
Switch# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Switch(config)# ip device tracking Switch(config)# interface gigabitethernet1/0/3 Switch(config-if)# switchport mode access Switch(config-if)# switchport access vlan 1 Switch(config-if)# ip device tracking maximum 5 Switch(config-if)# switchport port-security Switch(config-if)# switchport port-security maximum 5 Switch(config-if)# endip device tracking probe
To configure the IP device tracking table for Address Resolution Protocol (ARP) probes, use the ip device tracking probe command in global configuration mode. To disable ARP probes, use the no form of this command.
ip device tracking probe { count number | delay seconds | interval seconds | use-svi address }
no ip device tracking probe { count number | delay seconds | interval seconds | use-svi address }
Syntax Description
count number
Sets the number of times that the switch sends the ARP probe. The range is from 1 to 255.
delay seconds
Sets the number of seconds that the switch waits before sending the ARP probe. The range is from 1 to 120.
interval seconds
Sets the number of seconds that the switch waits for a response before resending the ARP probe. The range is from 30 to 1814400 seconds.
use-svi
Uses the switch virtual interface (SVI) IP address as source of ARP probes.
Command Default
The count number is 3.
There is no delay.
The interval is 30 seconds.
The ARP probe default source IP address is the Layer 3 interface and 0.0.0.0 for switchports.
Command History
ip dhcp snooping database
To configure the Dynamic Host Configuration Protocol (DHCP)-snooping database, use the ip dhcp snooping database command in global configuration mode. To disable the DHCP-snooping database, use the no form of this command.
ip dhcp snooping database { crashinfo:url | flash:url | ftp:url | http:url | https:url | rcp:url | scp:url | tftp:url | timeout seconds | usbflash0:url | write-delay seconds}
Syntax Description
crashinfo:url Specifies the database URL for storing entries using crashinfo.
flash:url Specifies the database URL for storing entries using flash.
ftp:url Specifies the database URL for storing entries using FTP.
http:url Specifies the database URL for storing entries using HTTP.
https:url Specifies the database URL for storing entries using secure HTTP (https).
rcp:url Specifies the database URL for storing entries using remote copy (rcp).
scp:url Specifies the database URL for storing entries using Secure Copy (SCP).
tftp:url Specifies the database URL for storing entries using TFTP.
timeout seconds Specifies the abort timeout interval; valid values are from 0 to 86400 seconds.
usbflash0:url Specifies the database URL for storing entries using USB flash.
write-delay: seconds Specifies the amount of time before writing the DHCP-snooping entries to an external server after a change is seen in the local DHCP-snooping database; valid values are from 15 to 86400 seconds.
Command History
Usage Guidelines
You must enable DHCP snooping on the interface before entering this command. Use the ip dhcp snooping command to enable DHCP snooping.
Examples
This example shows how to specify the database URL using TFTP:
Switch(config)# ip dhcp snooping database tftp://10.90.90.90/snooping-rp2This example shows how to specify the amount of time before writing DHCP snooping entries to an external server:
Switch(config)# ip dhcp snooping database write-delay 15ip dhcp snooping information option format remote-id
To configure the option-82 remote-ID suboption, use the ip dhcp snooping information option format remote-id global configuration command on the switch to configure the option-82 remote-ID suboption. Use the no form of this command to configure the default remote-ID suboption.
ip dhcp snooping information option format remote-id { hostname | string string}
no ip dhcp snooping information option format remote-id { hostname | string string}
Syntax Description
hostname Specify the switch hostname as the remote ID.
string string Specify a remote ID, using from 1 to 63 ASCII characters (no spaces).
Command History
Usage Guidelines
You must globally enable DHCP snooping by using the ip dhcp snooping global configuration command for any DHCP snooping configuration to take effect.
When the option-82 feature is enabled, the default remote-ID suboption is the switch MAC address. This command allows you to configure either the switch hostname or a string of up to 63 ASCII characters (but no spaces) to be the remote ID.
NoteIf the hostname exceeds 63 characters, it will be truncated to 63 characters in the remote-ID configuration.
ip dhcp snooping verify no-relay-agent-address
To disable the DHCP snooping feature from verifying that the relay agent address (giaddr) in a DHCP client message matches the client hardware address on an untrusted port, use the ip dhcp snooping verify no-relay-agent-address command in global configuration mode. To enable verification, use the no form of this command.
Command Default
The DHCP snooping feature verifies that the relay-agent IP address (giaddr) field in DHCP client message on an untrusted port is 0.
Command History
Usage Guidelines
By default, the DHCP snooping feature verifies that the relay-agent IP address (giaddr) field in DHCP client message on an untrusted port is 0; the message is dropped if the giaddr field is not 0. Use the ip dhcp snooping verify no-relay-agent-address command to disable the verification. Use the no ip dhcp snooping verify no-relay-agent-address to reenable verification.
ip source binding
To add a static IP source binding entry, use the ip source binding command. Use the no form of this command to delete a static IP source binding entry
ip source binding mac-address vlan vlan-id ip-address interface interface-id
no ip source binding mac-address vlan vlan-id ip-address interface interface-id
Syntax Description
mac-address Binding MAC address.
vlan vlan-id Specifies the Layer 2 VLAN identification; valid values are from 1 to 4094.
ip-address Binding IP address.
interface interface-id ID of the physical interface.
Command History
Usage Guidelines
You can use this command to add a static IP source binding entry only.
The no format deletes the corresponding IP source binding entry. It requires the exact match of all required parameter in order for the deletion to be successful. Note that each static IP binding entry is keyed by a MAC address and a VLAN number. If the command contains the existing MAC address and VLAN number, the existing binding entry is updated with the new parameters instead of creating a separate binding entry.
ip verify source
To enable IP source guard on an interface, use the ip verify source command in interface configuration mode. To disable IP source guard, use the no form of this command.
Syntax Description
Command History
Usage Guidelines
To enable IP source guard with source IP address filtering, use the ip verify source interface configuration command.
To enable IP source guard with source IP address filtering and MAC address verification, use the ip verify source mac-check interface configuration command.
Examples
This example shows how to enable IP source guard with source IP address filtering on an interface:
Switch(config-if)# ip verify sourceThis example shows how to enable IP source guard with source IP address filtering and MAC address verification:
Switch(config-if)# ip verify source mac-checkYou can verify your settings by entering the show ip verify source privileged EXEC command.
ipv6 snooping policy
To configure an IPv6 snooping policy and enter IPv6 snooping configuration mode, use the ipv6 snooping policy command in global configuration mode. To delete an IPv6 snooping policy, use the no form of this command.
Syntax Description
snooping-policy User-defined name of the snooping policy. The policy name can be a symbolic string (such as Engineering) or an integer (such as 0).
Command History
Usage Guidelines
Use the ipv6 snooping policy command to create an IPv6 snooping policy. When the ipv6 snooping policy command is enabled, the configuration mode changes to IPv6 snooping configuration mode. In this mode, the administrator can configure the following IPv6 first-hop security commands:
- The device-role command specifies the role of the device attached to the port.
- The limit address-count maximum command limits the number of IPv6 addresses allowed to be used on the port.
- The protocol command specifies that addresses should be gleaned with Dynamic Host Configuration Protocol (DHCP) or Neighbor Discovery Protocol (NDP).
- The security-level command specifies the level of security enforced.
- The tracking command overrides the default tracking policy on a port.
- The trusted-port command configures a port to become a trusted port; that is, limited or no verification is performed when messages are received.
limit address-count
To limit the number of IPv6 addresses allowed to be used on the port, use the limit address-count command in Neighbor Discovery Protocol (NDP) inspection policy configuration mode or IPv6 snooping configuration mode. To return to the default, use the no form of this command.
Syntax Description
Command Modes
ND inspection policy configuration (config-nd-inspection)
IPv6 snooping configuration (ipv6-snooping)
Command History
Usage Guidelines
The limit address-count command limits the number of IPv6 addresses allowed to be used on the port on which the policy is applied. Limiting the number of IPv6 addresses on a port helps limit the binding table size. The range is from 1 to 10000.Examples
This example shows how to define an NDP policy name as policy1, place the switch in NDP inspection policy configuration mode, and limit the number of IPv6 addresses allowed on the port to 25:
Switch(config)# ipv6 nd inspection policy policy1 Switch(config-nd-inspection)# limit address-count 25This example shows how to define an IPv6 snooping policy name as policy1, place the switch in IPv6 snooping policy configuration mode, and limit the number of IPv6 addresses allowed on the port to 25:
Switch(config)# ipv6 snooping policy policy1 Switch(config-ipv6-snooping)# limit address-count 25mab request format attribute 32
To enable VLAN ID-based MAC authentication on a switch, use the mab request format attribute 32 vlan access-vlan global configuration command. To return to the default setting, use the no form of this command.
Command History
Usage Guidelines
Use this command to allow a RADIUS server to authenticate a new user based on the host MAC address and VLAN.
Use this feature on networks with the Microsoft IAS RADIUS server. The Cisco ACS ignores this command.
Examples
This example shows how to enable VLAN-ID based MAC authentication on a switch:
Switch(config)# mab request format attribute 32 vlan access-vlanRelated Commands
no authentication logging verbose
To filter detailed information from authentication system messages, use the no authentication logging verbose global configuration command on the switch stack or on a standalone switch.
Command History
Usage Guidelines
This command filters details, such as anticipated success, from authentication system messages. Failure messages are not filtered.
no dot1x logging verbose
To filter detailed information from 802.1x system messages, use the no dot1x logging verbose global configuration command on the switch stack or on a standalone switch.
Command History
Usage Guidelines
This command filters details, such as anticipated success, from 802.1x system messages. Failure messages are not filtered.
no mab logging verbose
To filter detailed information from MAC authentication bypass (MAB) system messages, use the no mab logging verbose global configuration command on the switch stack or on a standalone switch.
Command History
Usage Guidelines
This command filters details, such as anticipated success, from MAC authentication bypass (MAB) system messages. Failure messages are not filtered.
permit (MAC access-list configuration)
To allow non-IP traffic to be forwarded if the conditions are matched, use the permit MAC access-list configuration command on the switch stack or on a standalone switch. To remove a permit condition from the extended MAC access list, use the no form of this command.
{ permit { any | host src-MAC-addr | src-MAC-addr mask} { any | host dst-MAC-addr | dst-MAC-addr mask} [ type mask | aarp | amber | appletalk | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | lsap lsap mask | mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-idp] [ cos cos]
nopermit { any | host src-MAC-addr | src-MAC-addr mask} { any | host dst-MAC-addr | dst-MAC-addr mask} [ type mask | aarp | amber | appletalk | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | lsap lsap mask | mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-idp] [ cos cos]
Syntax Description
Command Default
This command has no defaults. However, the default action for a MAC-named ACL is to deny.
Command History
Usage Guidelines
Though visible in the command-line help strings, appletalk is not supported as a matching condition.
You enter MAC access-list configuration mode by using the mac access-list extended global configuration command.
If you use the host keyword, you cannot enter an address mask; if you do not use the any or host keywords, you must enter an address mask.
After an access control entry (ACE) is added to an access control list, an implied deny-any-any condition exists at the end of the list. That is, if there are no matches, the packets are denied. However, before the first ACE is added, the list permits all packets.
To filter IPX traffic, you use the type mask or lsap lsap mask keywords, depending on the type of IPX encapsulation being used. Filter criteria for IPX encapsulation types as specified in Novell terminology and Cisco IOS terminology are listed in the following table.
Examples
This example shows how to define the MAC-named extended access list to allow NETBIOS traffic from any source to MAC address 00c0.00a0.03fa. Traffic matching this list is allowed.
Switch(config-ext-macl)# permit any host 00c0.00a0.03fa netbiosThis example shows how to remove the permit condition from the MAC-named extended access list:
Switch(config-ext-macl)# no permit any 00c0.00a0.03fa 0000.0000.0000 netbiosThis example permits all packets with Ethertype 0x4321:
Switch(config-ext-macl)# permit any any 0x4321 0You can verify your settings by entering the show access-lists privileged EXEC command.
protocol (IPv6 snooping)
To specify that addresses should be gleaned with Dynamic Host Configuration Protocol (DHCP) or Neighbor Discovery Protocol (NDP), or to associate the protocol with an IPv6 prefix list, use the protocol command. To disable address gleaning with DHCP or NDP, use the no form of the command.
Syntax Description
dhcp Specifies that addresses should be gleaned in Dynamic Host Configuration Protocol (DHCP) packets.
ndp Specifies that addresses should be gleaned in Neighbor Discovery Protocol (NDP) packets.
Command History
Usage Guidelines
If an address does not match the prefix list associated with DHCP or NDP, then control packets will be dropped and recovery of the binding table entry will not be attempted with that protocol.
- Using the no protocol {dhcp | ndp} command indicates that a protocol will not be used for snooping or gleaning.
- If the no protocol dhcp command is used, DHCP can still be used for binding table recovery.
- Data glean can recover with DHCP and NDP, though destination guard will only recovery through DHCP.
security level (IPv6 snooping)
To specify the level of security enforced, use the security-level command in IPv6 snooping policy configuration mode.
Syntax Description
glean Extracts addresses from the messages and installs them into the binding table without performing any verification.
guard Performs both glean and inspect. Additionally, RA and DHCP server messages are rejected unless they are received on a trusted port or another policy authorizes them.
inspect Validates messages for consistency and conformance; in particular, address ownership is enforced. Invalid messages are dropped.
Command History
show aaa command handler
Command History
Examples
This is an example of output from the show aaa command handler command:
Switch# show aaa command handler AAA Command Handler Statistics: account-logon: 0, account-logoff: 0 account-query: 0, pod: 0 service-logon: 0, service-logoff: 0 user-profile-push: 0, session-state-log: 0 reauthenticate: 0, bounce-host-port: 0 disable-host-port: 0, update-rbacl: 0 update-sgt: 0, update-cts-policies: 0 invalid commands: 0 async message not sent: 0show aaa local
Syntax Description
netuser Specifies the AAA local network or guest user database.
name Network user name.
all Specifies the network and guest user information.
statistics Displays statistics for local authentication.
user lockout Specifies the AAA local locked-out user.
Command History
Examples
This is an example of output from the show aaa local statistics command:
Switch# show aaa local statistics Local EAP statistics EAP Method Success Fail ------------------------------------- Unknown 0 0 EAP-MD5 0 0 EAP-GTC 0 0 LEAP 0 0 PEAP 0 0 EAP-TLS 0 0 EAP-MSCHAPV2 0 0 EAP-FAST 0 0 Requests received from AAA: 0 Responses returned from EAP: 0 Requests dropped (no EAP AVP): 0 Requests dropped (other reasons): 0 Authentication timeouts from EAP: 0 Credential request statistics Requests sent to backend: 0 Requests failed (unable to send): 0 Authorization results received Success: 0 Fail: 0show aaa servers
Syntax Description
detailed (Optional) Displays private AAA servers as seen by the AAA Server MIB.
public (Optional) Displays public AAA servers as seen by the AAA Server MIB.
detailed (Optional) Displays detailed AAA server statistics.
Command History
Examples
This is an example of output from the show aaa servers command:
Switch# show aaa servers RADIUS: id 1, priority 1, host 172.20.128.2, auth-port 1645, acct-port 1646 State: current UP, duration 9s, previous duration 0s Dead: total time 0s, count 0 Quarantined: No Authen: request 0, timeouts 0, failover 0, retransmission 0 Response: accept 0, reject 0, challenge 0 Response: unexpected 0, server error 0, incorrect 0, time 0ms Transaction: success 0, failure 0 Throttled: transaction 0, timeout 0, failure 0 Author: request 0, timeouts 0, failover 0, retransmission 0 Response: accept 0, reject 0, challenge 0 Response: unexpected 0, server error 0, incorrect 0, time 0ms Transaction: success 0, failure 0 Throttled: transaction 0, timeout 0, failure 0 Account: request 0, timeouts 0, failover 0, retransmission 0 Request: start 0, interim 0, stop 0 Response: start 0, interim 0, stop 0 Response: unexpected 0, server error 0, incorrect 0, time 0ms Transaction: success 0, failure 0 Throttled: transaction 0, timeout 0, failure 0 Elapsed time since counters last cleared: 0m Estimated Outstanding Access Transactions: 0 Estimated Outstanding Accounting Transactions: 0 Estimated Throttled Access Transactions: 0 Estimated Throttled Accounting Transactions: 0 Maximum Throttled Transactions: access 0, accounting 0show authentication history
To display the authenticated sessions alive on the device, use the show authentication history command.
Syntax Description
min-uptime seconds (Optional) Displays sessions within the minimum uptime. The range is from 1 through 4294967295 seconds.
Command History
show authentication sessions
To display information about current Auth Manager sessions, use the show authentication sessions command.
show authentication sessions [ database] [ handle handle-id [ details] ] [ interface type number [ details] [ mac mac-address [ interface type number] [ method method-name [ interface type number [ details] [ session-id session-id [ details] ]
Syntax Description
database (Optional) Shows only data stored in session database.
handle handle-id (Optional) Specifies the particular handle for which Auth Manager information is to be displayed.
details (Optional) Shows detailed information.
interface type number (Optional) Specifies a particular interface type and number for which Auth Manager information is to be displayed.
mac mac-address (Optional) Specifies the particular MAC address for which you want to display information.
method method-name (Optional) Specifies the particular authentication method for which Auth Manager information is to be displayed. If you specify a method (dot1x, mab, or webauth), you may also specify an interface.
session-id session-id (Optional) Specifies the particular session for which Auth Manager information is to be displayed.
Command History
Usage Guidelines
Use the show authentication sessions command to display information about all current Auth Manager sessions. To display information about specific Auth Manager sessions, use one or more of the keywords.
This table shows the possible operating states for the reported authentication sessions.
Table 4 Authentication Method StatesState
Description
Not run
The method has not run for this session.
Running
The method is running for this session.
Failed over
The method has failed and the next method is expected to provide a result.
Success
The method has provided a successful authentication result for the session.
Authc Failed
The method has provided a failed authentication result for the session.
Examples
The following example shows how to display all authentication sessions on the switch:
Switch# show authentication sessions Interface MAC Address Method Domain Status Session ID Gi1/0/48 0015.63b0.f676 dot1x DATA Authz Success 0A3462B1000000102983C05C Gi1/0/5 000f.23c4.a401 mab DATA Authz Success 0A3462B10000000D24F80B58 Gi1/0/5 0014.bf5d.d26d dot1x DATA Authz Success 0A3462B10000000E29811B94The following example shows how to display all authentication sessions on an interface:
Switch# show authentication sessions interface gigabitethernet2/0/47 Interface: GigabitEthernet2/0/47 MAC Address: Unknown IP Address: Unknown Status: Authz Success Domain: DATA Oper host mode: multi-host Oper control dir: both Authorized By: Guest Vlan Vlan Policy: 20 Session timeout: N/A Idle timeout: N/A Common Session ID: 0A3462C8000000000002763C Acct Session ID: 0x00000002 Handle: 0x25000000 Runnable methods list: Method State mab Failed over dot1x Failed over ---------------------------------------- Interface: GigabitEthernet2/0/47 MAC Address: 0005.5e7c.da05 IP Address: Unknown User-Name: 00055e7cda05 Status: Authz Success Domain: VOICE Oper host mode: multi-domain Oper control dir: both Authorized By: Authentication Server Session timeout: N/A Idle timeout: N/A Common Session ID: 0A3462C8000000010002A238 Acct Session ID: 0x00000003 Handle: 0x91000001 Runnable methods list: Method State mab Authc Success dot1x Not runshow cisp
Syntax Description
(Optional) Display CISP information about the specified interface. Valid interfaces include physical ports and port channels.
registrations
Displays CISP registrations.
Command History
Examples
This example shows output from the show cisp interface command:
Switch# show cisp interface fast 0 CISP not enabled on specified interfaceThis example shows output from the show cisp registration command:
Switch# show cisp registrations Interface(s) with CISP registered user(s): ------------------------------------------ Fa1/0/13 Auth Mgr (Authenticator) Gi2/0/1 Auth Mgr (Authenticator) Gi2/0/2 Auth Mgr (Authenticator) Gi2/0/3 Auth Mgr (Authenticator) Gi2/0/5 Auth Mgr (Authenticator) Gi2/0/9 Auth Mgr (Authenticator) Gi2/0/11 Auth Mgr (Authenticator) Gi2/0/13 Auth Mgr (Authenticator) Gi3/0/3 Gi3/0/5 Gi3/0/23show dot1x
To display IEEE 802.1x statistics, administrative status, and operational status for the switch or for the specified port, use the show dot1x user EXEC command.
show dot1x [ all [ count | details | statistics | summary] ] [ interface type number [ details | statistics] ] [ statistics]
Syntax Description
all (Optional) Displays the IEEE 802.1x information for all interfaces.
count (Optional) Displays total number of authorized and unauthorized clients.
details (Optional) Displays the IEEE 802.1x interface details.
statistics (Optional) Displays the IEEE 802.1x statistics for all interfaces.
summary (Optional) Displays the IEEE 802.1x summary for all interfaces.
interface type number (Optional) Displays the IEEE 802.1x status for the specified port.
Command History
Examples
This is an example of output from the show dot1x all command:
Switch# show dot1x all Sysauthcontrol Enabled Dot1x Protocol Version 3This is an example of output from the show dot1x all count command:
Switch# show dot1x all count Number of Dot1x sessions ------------------------------- Authorized Clients = 0 UnAuthorized Clients = 0 Total No of Client = 0This is an example of output from the show dot1x all statistics command:
Switch# show dot1x statistics Dot1x Global Statistics for -------------------------------------------- RxStart = 0 RxLogoff = 0 RxResp = 0 RxRespID = 0 RxReq = 0 RxInvalid = 0 RxLenErr = 0 RxTotal = 0 TxStart = 0 TxLogoff = 0 TxResp = 0 TxReq = 0 ReTxReq = 0 ReTxReqFail = 0 TxReqID = 0 ReTxReqID = 0 ReTxReqIDFail = 0 TxTotal = 0show eap pac peer
To display stored Protected Access Credentials (PAC) for Extensible Authentication Protocol (EAP) Flexible Authentication via Secure Tunneling (FAST) peers, use the show eap pac peer privileged EXEC command.
Command History
show ip dhcp snooping statistics
Use the show ip dhcp snooping statistics user EXEC command to display DHCP snooping statistics in summary or detail form.
Syntax Description
Command History
Usage Guidelines
In a switch stack, all statistics are generated on the stack master. If a new active switch is elected, the statistics counters reset.
Examples
This is an example of output from the show ip dhcp snooping statistics command:
Switch> show ip dhcp snooping statistics Packets Forwarded = 0 Packets Dropped = 0 Packets Dropped From untrusted ports = 0This is an example of output from the show ip dhcp snooping statistics detail command:
Switch> show ip dhcp snooping statistics detail Packets Processed by DHCP Snooping = 0 Packets Dropped Because IDB not known = 0 Queue full = 0 Interface is in errdisabled = 0 Rate limit exceeded = 0 Received on untrusted ports = 0 Nonzero giaddr = 0 Source mac not equal to chaddr = 0 Binding mismatch = 0 Insertion of opt82 fail = 0 Interface Down = 0 Unknown output interface = 0 Reply output port equal to input port = 0 Packet denied by platform = 0
This table shows the DHCP snooping statistics and their descriptions:
Table 6 DHCP Snooping StatisticsDHCP Snooping Statistic
Description
Packets Processed by DHCP Snooping
Total number of packets handled by DHCP snooping, including forwarded and dropped packets.
Packets Dropped Because IDB not known
Number of errors when the input interface of the packet cannot be determined.
Queue full
Number of errors when an internal queue used to process the packets is full. This might happen if DHCP packets are received at an excessively high rate and rate limiting is not enabled on the ingress ports.
Interface is in errdisabled
Number of times a packet was received on a port that has been marked as error disabled. This might happen if packets are in the processing queue when a port is put into the error-disabled state and those packets are subsequently processed.
Rate limit exceeded
Number of times the rate limit configured on the port was exceeded and the interface was put into the error-disabled state.
Received on untrusted ports
Number of times a DHCP server packet (OFFER, ACK, NAK, or LEASEQUERY) was received on an untrusted port and was dropped.
Nonzero giaddr
Number of times the relay agent address field (giaddr) in the DHCP packet received on an untrusted port was not zero, or the no ip dhcp snooping information option allow-untrusted global configuration command is not configured and a packet received on an untrusted port contained option-82 data.
Source mac not equal to chaddr
Number of times the client MAC address field of the DHCP packet (chaddr) does not match the packet source MAC address and the ip dhcp snooping verify mac-address global configuration command is configured.
Binding mismatch
Number of times a RELEASE or DECLINE packet was received on a port that is different than the port in the binding for that MAC address-VLAN pair. This indicates someone might be trying to spoof the real client, or it could mean that the client has moved to another port on the switch and issued a RELEASE or DECLINE. The MAC address is taken from the chaddr field of the DHCP packet, not the source MAC address in the Ethernet header.
Insertion of opt82 fail
Number of times the option-82 insertion into a packet failed. The insertion might fail if the packet with the option-82 data exceeds the size of a single physical packet on the internet.
Interface Down
Number of times the packet is a reply to the DHCP relay agent, but the SVI interface for the relay agent is down. This is an unlikely error that occurs if the SVI goes down between sending the client request to the DHCP server and receiving the response.
Unknown output interface
Number of times the output interface for a DHCP reply packet cannot be determined by either option-82 data or a lookup in the MAC address table. The packet is dropped. This can happen if option 82 is not used and the client MAC address has aged out. If IPSG is enabled with the port-security option and option 82 is not enabled, the MAC address of the client is not learned, and the reply packets will be dropped.
Reply output port equal to input port
Number of times the output port for a DHCP reply packet is the same as the input port, causing a possible loop. Indicates a possible network misconfiguration or misuse of trust settings on ports.
Packet denied by platform
Number of times the packet has been denied by a platform-specific registry.
show radius server-group
Syntax Description
name Name of the server group. The character string used to name the group of servers must be defined using the aaa group server radius command.
all Displays properties for all of the server groups.
Command History
Usage Guidelines
Use the show radius server-group command to display the server groups that you defined by using the aaa group server radius command.
Examples
This is an example of output from the show radius server-group all command:
Switch# show radius server-group all Server group radius Sharecount = 1 sg_unconfigured = FALSE Type = standard Memlocks = 1
This table describes the significant fields shown in the display.
Table 7 show radius server-group command Field DescriptionsField
Description
Server group
Name of the server group.
Sharecount
Number of method lists that are sharing this server group. For example, if one method list uses a particular server group, the sharecount would be 1. If two method lists use the same server group, the sharecount would be 2.
sg_unconfigured
Server group has been unconfigured.
Type
The type can be either standard or nonstandard. The type indicates whether the servers in the group accept nonstandard attributes. If all servers within the group are configured with the nonstandard option, the type will be shown as "nonstandard".
Memlocks
An internal reference count for the server-group structure that is in memory. The number represents how many internal data structure packets or transactions are holding references to this server group. Memlocks is used internally for memory management purposes.
tracking (IPv6 snooping)
To override the default tracking policy on a port, use the tracking command in IPv6 snooping policy configuration mode.
tracking { enable [ reachable-lifetime { value | infinite}] | disable [ stale-lifetime { value | infinite}
Syntax Description
enable Enables tracking.
reachable-lifetime (Optional) Specifies the maximum amount of time a reachable entry is considered to be directly or indirectly reachable without proof of reachability.
value Lifetime value, in seconds. The range is from 1 to 86400, and the default is 300.
infinite Keeps an entry in a reachable or stale state for an infinite amount of time.
disable Disables tracking.
stale-lifetime (Optional) Keeps the time entry in a stale state, which overwrites the global stale-lifetime configuration.
Command History
Usage Guidelines
The tracking command overrides the default tracking policy set by the ipv6 neighbor tracking command on the port on which this policy applies. This function is useful on trusted ports where, for example, you may not want to track entries but want an entry to stay in the binding table to prevent it from being stolen.
The reachable-lifetime keyword is the maximum time an entry will be considered reachable without proof of reachability, either directly through tracking or indirectly through IPv6 snooping. After the reachable-lifetime value is reached, the entry is moved to stale. Use of the reachable-lifetime keyword with the tracking command overrides the global reachable lifetime configured by the ipv6 neighbor binding reachable-lifetime command.
The stale-lifetime keyword is the maximum time an entry is kept in the table before it is deleted or the entry is proven to be reachable, either directly or indirectly. Use of the reachable-lifetime keyword with the tracking command overrides the global stale lifetime configured by the ipv6 neighbor binding stale-lifetime command.
Examples
This example shows how to define an IPv6 snooping policy name as policy1, place the switch in IPv6 snooping policy configuration mode, and configure an entry to stay in the binding table for an infinite length of time on a trusted port:
Switch(config)# ipv6 snooping policy policy1 Switch(config-ipv6-snooping)# tracking disable stale-lifetime infinitetrusted-port
To configure a port to become a trusted port, use the trusted-port command in IPv6 snooping policy mode or ND inspection policy configuration mode. To disable this function, use the no form of this command.
Command Modes
ND inspection policy configuration (config-nd-inspection)
IPv6 snooping configuration (config-ipv6-snooping)
Command History
Usage Guidelines
When the trusted-port command is enabled, limited or no verification is performed when messages are received on ports that have this policy. However, to protect against address spoofing, messages are analyzed so that the binding information that they carry can be used to maintain the binding table. Bindings discovered from these ports will be considered more trustworthy than bindings received from ports that are not configured to be trusted.
Examples
This example shows how to define an NDP policy name as policy1, place the switch in NDP inspection policy configuration mode, and configure the port to be trusted:
Switch(config)# ipv6 nd inspection policy1 Switch(config-nd-inspection)# trusted-portThis example shows how to define an IPv6 snooping policy name as policy1, place the switch in IPv6 snooping policy configuration mode, and configure the port to be trusted:
Switch(config)# ipv6 snooping policy policy1 Switch(config-ipv6-snooping)# trusted-portwireless security dot1x Command
wireless security dot1x [ eapol-key { retries retries | timeout milliseconds } | group-key interval sec | identity-request { retries retries | timeout seconds } | radius [call-station-id] { ap-macaddress | ap-macaddress-ssid | ipaddress | macaddress } | request { retries retries | timeout seconds } | wep key { index 0 | index 3 } ]
Syntax Description
eapol-key Configures eapol-key related parameters.
retries retries (Optional) Specifies the maximum number of times (0 to 4 retries) that the controller retransmits an EAPOL (WPA) key message to a wireless client.
The default value is 2.
timeout milliseconds (Optional) Specifies the amount of time (200 to 5000 milliseconds) that the controller waits before retransmitting an EAPOL (WPA) key message to a wireless client using EAP or WPA/WPA-2 PSK.
The default value is 1000 milliseconds.
group-key interval sec Configures EAP-broadcast key renew interval time in seconds (120 to 86400 seconds).
identity-request Configures EAP ID request related parameters.
retries retries (Optional) Specifies the maximum number of times (0 to 4 retries) that the controller request the EAP ID.
The default value is 2.
timeout seconds (Optional) Specifies the amount of time (1 to 120 seconds) that the controller waits before retransmitting an EAP Identity Request message to a wireless client.
The default value is 30 seconds.
radius Configures radius messages.
call-station-id (Optional) Configures Call-Station Id sent in radius messages.
ap-macaddress Sets Call Station Id Type to the AP's MAC Address.
ap-macaddress-ssid Sets Call Station Id Type to 'AP MAC address':'SSID'.
ipaddress Sets Call Station Id Type to the system's IP Address.
macaddress Sets Call Station Id Type to the system's MAC Address.
request Configures EAP request related parameters.
retries retries (Optional) For EAP messages other than Identity Requests or EAPOL (WPA) key messages, specifies the maximum number of times (0 to 20 retries) that the controller retransmits the message to a wireless client.
The default value is 2.
timeout seconds (Optional) For EAP messages other than Identity Requests or EAPOL (WPA) key messages, specifies the amount of time (1 to 120 seconds) that the controller waits before retransmitting the message to a wireless client.
The default value is 30 seconds.
wep key Configures 802.1x WEP related paramters.
index 0 Specifies the WEP key index value as 0
index 3 Specifies the WEP key index value as 3
Command History
Examples
Examples
This example lists all the commands under wireless security dot1x .
Switch#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Switch(config)#wireless security dot1x ? eapol-key Configure eapol-key related parameters group-key Configures EAP-broadcast key renew interval time in seconds identity-request Configure EAP ID request related parameters radius Configure radius messages request Configure EAP request related parameters wep Configure 802.1x WEP related paramters <cr>wireless security strong-password Command
wireless wps ap-authentication Command
To configure the access point neighbor authentication, use the wireless wps ap-authentication command. To remove the access point neighbor authentication, use the no form of the command.
Syntax Description
threshold value Specifies that the WMM-enabled clients are on the wireless LAN. Threshold value (1 to 255).
Command History
wireless wps auto-immune Command
To enable protection from Denial of Service (DoS) attacks, use the wireless wps auto-immune command. To disable, use the no form of the command.
Command History
Usage Guidelines
A potential attacker can use specially crafted packets to mislead the Intrusion Detection System (IDS) into treating a legitimate client as an attacker. It causes the controller to disconnect this legitimate client and launch a DoS attack. The auto-immune feature, when enabled, is designed to protect against such attacks. However, conversations using Cisco 792x phones might be interrupted intermittently when the auto-immune feature is enabled. If you experience frequent disruptions when using 792x phones, you might want to disable this feature.
wireless wps cids-sensor Command
To configure Intrusion Detection System (IDS) sensors for the Wireless Protection System (WPS), use the wireless wps cids-sensor command. To remove the Intrusion Detection System (IDS) sensors for the Wireless Protection System (WPS), use the no form of the command.
wireless wps cids-sensor index [ ip-address ip-addr username username password password_type password ]
no wireless wps cids-sensor index
Syntax Description
index Specifies the IDS sensor internal index.
ip-address ip-addr username username password password_type password Specifies the IDS sensor IP address, IDS sensor username, password type and IDS sensor password.
Command History
Examples
Examples
This example shows how to configure the intrusion detection system with the IDS index, IDS sensor IP address, IDS username and IDS password.
Switch#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Switch(config)#wireless wps cids-sensor 1 10.0.0.51 Sensor_user0doc1 passowrd01wireless wps client-exclusion Command
To configure client exclusion policies, use the wireless wps client-exclusion command. To remove the client exclusion policies, use the no form of the command.
wireless wps client-exclusion { all | dot11-assoc | dot11-auth | dot1x-auth | ip-theft | web-auth }
no wireless wps client-exclusion { all | dot11-assoc | dot11-auth | dot1x-auth | ip-theft | web-auth }
Syntax Description
dot11-assoc Specifies that the controller excludes clients on the sixth 802.11 association attempt, after five consecutive failures.
dot11-auth Specifies that the controller excludes clients on the sixth 802.11 authentication attempt, after five consecutive failures.
dot1x-auth Specifies that the controller excludes clients on the sixth 802.11X authentication attempt, after five consecutive failures.
ip-theft Specifies that the control excludes clients if the IP address is already assigned to another device.
web-auth Specifies that the controller excludes clients on the fourth web authentication attempt, after three consecutive failures.
all Specifies that the controller excludes clients for all of the above reasons.
Command History
wireless wps mfp infrastructure Command
wireless wps rogue Command
Syntax Description
adhoc Configures the status of an Independent Basic Service Set (IBSS or ad-hoc) rogue access point.
client Configures rogue clients
alert mac-addr Generates an SMNP trap upon detection of the ad-hoc rogue, and generates an immediate alert to the system administrator for further action for the MAC address of the ad-hoc rogue access point.
contain mac-addr no-of-aps Contains the offending device so that its signals no longer interfere with authorized clients.
Maximum number of Cisco access points assigned to actively contain the ad-hoc rogue access point (1 through 4, inclusive).
Command History
Examples
Examples
This example shows how to generate an immediate alert to the system administrator for further action for the MAC address of the ad-hoc rogue access point.
Switch#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Switch(config)#wireless wps rouge adhoc alert mac_addr
