-
Catalyst 4500 Series Software Configuration Guide, 8.3 GLX and 8.4GLX
-
Preface
-
Product Overview
-
Using the Command-Line Interface
-
Configuring the Switch IP Address and Default Gateway
-
Configuring Ethernet and Fast Ethernet Switching
-
Configuring Gigabit Ethernet Switching
-
Configuring Fast EtherChannel and Gigabit EtherChannel
-
Configuring Spanning Tree
-
Configuring Spanning Tree PortFast, BPDU Guard, BPDU Filter, UplinkFast, BackboneFast, and Loop Guard
-
Configuring VTP
-
Configuring VLANs
-
Configuring VLAN Trunks on Fast Ethernet and Gigabit Ethernet Ports
-
Configuring Dynamic VLAN Membership with VMPS
-
Configuring GVRP
-
Configuring QoS
-
Configuring Multicast Services
-
Configuring Port Security
-
Configuring Unicast Flood Blocking
-
Configuring the IP Permit List
-
Configuring Protocol Filtering
-
Checking Status and Connectivity
-
Configuring CDP
-
Using Switch TopN Reports
-
Configuring UDLD
-
Configuring SNMP
-
Configuring RMON
-
Configuring SPAN and RSPAN
-
Adminstering the Switch
-
Power Management
-
Configuring VoIP
-
Configuring Switch Access Using AAA
-
Configuring 802.1x Authentication
-
Modifying the Switch Boot Configuration
-
Working with System Software Images
-
Working with the Flash File System
-
Working with Configuration Files
-
Configuring Switch Acceleration
-
Configuring System Message Logging
-
Configuring DNS
-
Configuring NTP
-
Acronyms
-
Index
-
Table Of Contents
Configuring 802.1X Authentication
Understanding How 802.1X Authentication Works
Authentication Initiation and Message Exchange
Ports in Authorized and Unauthorized States
802.1X Parameters Configurable on the Switch
802.1X VLAN Assignment Using a RADIUS Server
Using 802.1X Authentication for Guest VLANs
Guidelines for Guest VLANs on Windows-XP Hosts
Authentication Default Configuration
Authentication Configuration Guidelines
Configuring 802.1X Authentication on the Switch
Enabling and Initializing 802.1X Authentication for Individual Ports
Setting and Enabling Automatic Reauthentication of the Host
Manually Reauthenticating the Host
Setting the Authenticator-to-Host Retransmission Time for EAP-Request/Identity Frames
Setting the Supplicant-to-Host Retransmission Time for EAP-Request Frames
Setting the Back-End Authenticator-to-Host Frame-Retransmission Number
Setting the Shutdown Timeout Period
Setting the Back-End Authenticator-to-Host Frame-Retransmission Number
Setting the Back-End Authenticator-to-Host Frame-Retransmission Number
Resetting the 802.1X Configuration Parameters to the Default Values
Configuring 802.1X Authentication
This chapter describes how to configure 802.1X authentication on the Catalyst enterprise LAN switches.
Note
For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 4500 Series, Catalyst 2948G, Catalyst 2948G-GE-TX, and Catalyst 2980G Switches Command Reference publication.
Note
Note
This chapter consists of these sections:
•
•
•
•
Understanding How 802.1X Authentication Works
IEEE 802.1X is a client-server-based access control and authentication protocol that restricts unauthorized devices from connecting to a local area network (LAN) through publicly accessible ports. 802.1X authenticates each user device that is connected to a switch port before making available any services that are offered by the switch or the LAN. Until the device is authenticated, 802.1X access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the device is connected. After authentication is successful, normal traffic can pass through the port.
802.1X controls network access by creating two distinct virtual access points at each port. One access point is an uncontrolled port; the other is a controlled port. All traffic through the single port is available to both access points. Only EAPOL traffic is allowed to pass through the uncontrolled port, which is always open. The controlled port is open only when the device that is connected to the port has been authorized by 802.1X. After this authorization takes place, the controlled port opens, allowing normal traffic to pass. You can restrict traffic in both directions, or you can restrict the incoming traffic only.
Device Roles
With 802.1X port-based authentication, the devices in the network have specific roles. (See Figure 31-1.)
Figure 31-1 802.1X Device Roles
•
Note
•
•
When the switch receives Extensible Authentication Protocol over LAN (EAPOL) frames and relays them to the authentication server, the Ethernet header is stripped and the remaining EAP frame is reencapsulated in the RADIUS format. The EAP frames are not modified or examined during encapsulation, and the authentication server must support EAP within the native frame format. When the switch receives the frames from the authentication server, the server's frame header is removed, leaving the EAP frame, which is then encapsulated for Ethernet and sent to the host.
Authentication Initiation and Message Exchange
The switch or the host can initiate authentication. If you enable authentication on a port by using the set port dot1x mod/port port-control auto command, the switch must initiate authentication when it determines that the port link state transitions from down to up. The switch sends an EAP-request/identity frame to the host to request its identity (typically, the switch sends an initial identity/request frame that is followed by one or more requests for authentication information). When the host receives the frame, it sends an EAP-response/identity frame.
However, if during bootup, the host does not receive an EAP-request/identity frame from the switch, the host can initiate authentication by sending an EAPOL-start frame, which prompts the switch to request the host's identity.
Note
When the host supplies its identity, the switch acts as the intermediary, passing EAP frames between the host and the authentication server until authentication succeeds or fails. If the authentication succeeds, the switch port becomes authorized. For more information, see the "Ports in Authorized and Unauthorized States" section.
The specific exchange of EAP frames depends on the authentication method that is being used. Figure 31-2 shows a message exchange that is initiated by the host using the One-Time-Password (OTP) authentication method with a RADIUS server.
Figure 31-2 Message Exchange
Ports in Authorized and Unauthorized States
The switch port state determines if the host is granted access to the network. The port starts in the unauthorized state. In this state, the port disallows all ingress and egress traffic except for 802.1X protocol packets. When a host is successfully authenticated, the port transitions to the authorized state, allowing all traffic for the host to flow normally.
If a host that does not support 802.1X is connected to an unauthorized 802.1X port, the switch requests the host's identity. If the host does not respond to the request, the port remains in the unauthorized state, and the host is not granted access to the network.
When an 802.1X-enabled host connects to a port that is not running the 802.1X protocol, the host initiates the authentication process by sending the EAPOL-start frame. When no response is received, the host sends the request a fixed number of times. If no response is received, the host begins sending frames as if the port is in the authorized state.
You control the port authorization state by using the set port dot1x mod/port port-control command and these keywords:
•
•
•
If the host is successfully authenticated (receives an Accept frame from the authentication server), the port state changes to authorized, and all frames from the authenticated host are allowed through the port. If the authentication fails, the port remains in the unauthorized state, but authentication can be retried. If the switch cannot reach the authentication server, it can retransmit the request. If no response is received from the server after the specified number of attempts, authentication fails, and network access is not granted.
When a host logs off, the server sends an EAPOL-logoff message, causing the switch port to transition to the unauthorized state.
If the link state of a port transitions from up to down, or if an EAPOL-logoff frame is received, the port returns to the unauthorized state.
Table 31-1 defines the terms that are used in 802.1X.
Table 31-1 802.1X Terminology
Authenticator PAE
(Referred to as the "authenticator") entity at one end of a point-to-point LAN segment that enforces host authentication. The authenticator is independent of the actual authentication method and functions only as a pass-through for the authentication exchange. It communicates with the host, submits the information from the host to the authentication server, and authorizes the host when instructed to do so by the authentication server.
Authentication server
Entity that provides the authentication service for the authenticator PAE. It checks the credentials of the host PAE, and then notifies its client, the authenticator PAE, whether the host PAE is authorized to access the LAN/switch services.
Authorized state
Status of the port after the host PAE is authorized.
Both
Bidirectional flow control, incoming and outgoing, at an unauthorized switch port.
Controlled port
Secured access point.
EAP
Extensible Authentication Protocol.
EAPOL1
Encapsulated EAP messages that can be handled directly by a LAN MAC service.
In
Flow control only on incoming frames in an unauthorized switch port.
Port
Single point of attachment to the LAN infrastructure (for example, MAC bridge ports).
PAE2
Protocol object that is associated with a specific system port.
PDU
Protocol data unit.
RADIUS
Remote Access Dial In User Service.
PAE
(Referred to as the "host") entity that requests access to the LAN/switch services and responds to information requests from the authenticator.
Unauthorized state
Status of the port before the host PAE is authorized.
Uncontrolled port
Unsecured access point that allows the uncontrolled exchange of PDUs.
1 EAPOL = Extensible Authorization Protocol over LAN
2 PAE = Port access entity
Authentication Server
The frames that are exchanged between the authenticator and the authentication server are dependent on the authentication mechanism, so they are not defined by the 802.1X standard. You can use other protocols, but we recommend RADIUS for authentication, particularly when the authentication server is located remotely, because RADIUS has extensions that support encapsulation of EAP frames built into it.
802.1X Parameters Configurable on the Switch
With 802.1X, you can do the following:
•
•
•
•
•
•
•
•
•
•
•
802.1X VLAN Assignment Using a RADIUS Server
In software release 6.3 or earlier releases, once the 802.1X host is authenticated, it joins an NVRAM-configured VLAN. With software release 7.2(1) and later releases, after authentication, an 802.1X host can receive its VLAN assignment from the RADIUS server.
VLAN assignments allow you to restrict users to a specific VLAN. For example, you could put guest users in a VLAN with limited access to the network.
802.1X authenticated ports are assigned to a VLAN that is based on the username of the host that is connected to the port. VLAN assignments work with the RADIUS server, which has a database of username-to-VLAN mappings.
After a successful 802.1X authentication of the port, the RADIUS server sends the VLAN in which the user needs to be given access. The 802.1X port behavior with the VLAN assignment is as follows:
•
•
•
•
•
•
•
•
•
•
In order for the 802.1X VLAN assignment using a RADIUS server to successfully complete, the RADIUS server must return the following three RFC 2868 attributes back to the authenticator (the Cisco switch to which the host attaches):
•
•
•
Attribute [64] must contain the value "VLAN" (type 13). Attribute [65] must contain the value "802" (type 6). Attribute [81] specifies the VLAN name in which the successfully authenticated 802.1X host should be put.
Note
Using 802.1X Authentication for Guest VLANs
Guest VLANs allow users who do not have 802.1X-compatible workstations to be able to access networks that use 802.1X authentication. You can also use guest VLANs while upgrading systems to support 802.1X authentication.
When you configure an active VLAN on the switch as a 802.1X guest VLAN, the guest users are put in this VLAN and allowed access until an 802.1X authentication occurs. Any VLAN can be configured as a guest VLAN, except private VLANs, auxiliary VLANs, and RSPAN VLANs.
When you enable 802.1X authentication on a port, the 802.1X protocol starts. If the host fails to respond to the packets from the authenticator within a certain amount of time, the authenticator puts the port in the guest VLAN.
The network administrator can configure a guest VLAN on a per-port basis. Typically, guest VLANs support minimal services and provide minimal network access. A VLAN does not have to be active to be configured as a guest VLAN, but it must be active before a host can use it. The hosts are assigned to the guest VLAN only when the set port dot1x mod/port port-control auto keyword is used. Changing the set port dot1x mod/port port-control keyword from auto to force-authorized or force-unauthorized removes the host from the guest VLAN and returns the host to the port VLAN.
Guest VLANs are supported in both single-authentication and multiple-host mode.
Note
Guidelines for Guest VLANs on Windows-XP Hosts
This section lists the guidelines for using 802.1X authentication with guest VLANs on Windows-XP hosts:
•
•
•
Authentication Default Configuration
Table 31-2 shows the default configuration for authentication.
Authentication Configuration Guidelines
This section provides the guidelines for configuring 802.1X authentication on the switch:
•
•
•
•
•
•
•
Configuring 802.1X Authentication on the Switch
The following sections describe how to configure 802.1X authentication on the switch.
Enabling 802.1X Globally
You must enable 802.1X authentication for the entire system before configuring it for individual ports. After you globally enable 802.1X authentication, you can configure individual ports for 802.1X authentication if they meet the specific requirements that are required by 802.1X. To enable 802.1X authentication for individual ports, see the "Enabling and Initializing 802.1X Authentication for Individual Ports" section.
To globally enable 802.1X authentication, perform this task in privileged mode:
This example shows how to globally enable 802.1X authentication:
Console> (enable) set dot1x system-auth-control enabledot1x system-auth-control enabled.Disabling 802.1X Globally
When you enable 802.1X authentication for the entire system, you can disable it globally. When you disable 802.1X authentication globally, it is no longer available at any port, even ports that were previously configured for it.
To globally disable 802.1X authentication, perform this task in privileged mode:
This example shows how to globally disable 802.1X authentication:
Console> (enable) set dot1x system-auth-control disabledot1x system-auth-control disabled.Enabling and Initializing 802.1X Authentication for Individual Ports
After you enable 802.1X authentication globally, you can enable and initialize 802.1X authentication from the console only for individual ports. For more information, see the "Enabling 802.1X Globally" section.
Note
To enable and initialize 802.1X authentication for access to the switch, perform this task in privileged mode:
This example shows how to enable 802.1X authentication on port 1 in module 4, initialize 802.1X authentication on the same port, and verify the configuration:
Console> (enable) set port dot1x 4/1 port-control autoPort 4/1 dot1x port-control is set to auto.Trunking disabled for port 4/1 due to Dot1x feature.Spantree port fast start option enabled for port 4/1.Console> (enable) set port dot1x 4/1 initializePort 4/1 initializing...Port 4/1 dot1x initialization complete.Console> show port dot1x 4/1Port Auth-State BEnd-State Port-Control Port-Status----- ------------------- ---------- ------------------- -------------4/1 connecting finished auto unauthorizedPort Multiple-Host Re-authentication----- ------------- -----------------4/1 disabled disabledSetting and Enabling Automatic Reauthentication of the Host
You can specify how often 802.1X authentication reauthenticates the host if you do so before you enable automatic 802.1X host reauthentication. If you do not specify a time period before you enable host reauthentication, 802.1X defaults to 3600 seconds (the valid values are from 1-65,535 seconds).
You can enable automatic 802.1X host reauthentication for hosts that are connected to a specific port. To manually reauthenticate the host that is connected to a specific port, see the "Manually Reauthenticating the Host" section.
To set how often 802.1X authentication reauthenticates the host and enable automatic 802.1X reauthentication, perform this task in privileged mode:
This example shows how to set automatic reauthentication to 7200 seconds, enable 802.1X reauthentication, and verify the configuration:
Console> (enable) set dot1x re-authperiod 7200dot1x re-authperiod set to 7200 secondsConsole> (enable) set port dot1x 4/1 re-authentication enablePort 4/1 re-authentication enabled.Console> (enable) show port dot1x 4/1Port Auth-State BEnd-State Port-Control Port-Status----- ------------------- ---------- ------------------- -------------4/1 connecting finished auto unauthorizedPort Multiple Host Re-authentication----- ------------- -----------------4/1 disabled enabledManually Reauthenticating the Host
You can manually reauthenticate the host that is connected to a specific port at any time. When you want to configure automatic 802.1X host reauthentication, see the "Setting and Enabling Automatic Reauthentication of the Host" section.
To manually reauthenticate a host that is connected to a specific port, perform this task in privileged mode:
Manually reauthenticate the host that is connected to a specific port.
set port dot1x mod/port re-authenticate
This example shows how to manually reauthenticate the host that is connected to port 1 on module 4:
Console> (enable) set port dot1x 4/1 re-authenticatePort 4/1 re-authenticating...dot1x re-authentication successful...dot1x port 4/1 authorized.Enabling Multiple Hosts
You can enable a specific port to allow multiple users. When a port is enabled for multiple users, and a host that is connected to that port is authorized successfully, any host (with any MAC address) is allowed to send and receive traffic on that port. If you connect multiple hosts to that port through a hub, you can reduce the security level on that port.
To enable access for multiple users on a specific port, perform this task in privileged mode:
This example shows how to enable access for multiple hosts on port 1 on module 4:
Console> (enable) set port dot1x 4/1 multiple-host enablePort 4/1 multiple hosts allowed.Disabling Multiple Hosts
You can disable access for multiple users on any port where it is enabled.
To disable access for multiple users on a specific port, perform this task in privileged mode:
Disable multiple hosts on a specific port.
set port dot1x mod/port multiple-host disable
This example shows how to disable access for multiple hosts on port 1 on module 4:
Console> (enable) set port dot1x 4/1 multiple-host disablePort 4/1 multiple hosts not allowed.Setting the Quiet Period
When the authenticator cannot authenticate the host, it remains idle for a set period of time and then tries again. The idle time is determined by the quiet-period value. (The default is 60 seconds.) You may set the value from 0-65,535 seconds.
To set the value for the quiet period, perform this task in privileged mode:
This example shows how to set the quiet period to 45 seconds:
Console> (enable) set dot1x quiet-period 45dot1x quiet-period set to 45 seconds.Setting the Authenticator-to-Host Retransmission Time for EAP-Request/Identity Frames
The host notifies the authenticator that it received the EAP-request/identity frame. When the authenticator does not receive this notification, the authenticator waits a set period of time and then retransmits the frame. You may set the amount of time that the authenticator waits for notification from 1-65,535 seconds. The default is 30 seconds.
To set the authenticator-to-host retransmission time for the EAP-request/identity frames, perform this task in privileged mode:
Set the authenticator-to-host retransmission time for EAP-request/identity frames.
set dot1x tx-period seconds
This example shows how to set the authenticator-to-host retransmission time for the EAP-request/identity frame to 15 seconds:
Console> (enable) set dot1x tx-period 15dot1x tx-period set to 15 seconds.Setting the Supplicant-to-Host Retransmission Time for EAP-Request Frames
The host notifies the back-end authenticator that it received the EAP-request frame. When the back-end authenticator does not receive this notification, the back-end authenticator waits a set period of time, and then retransmits the frame. You may set the amount of time that the back-end authenticator waits for notification from 1-65,535 seconds. The default is 30 seconds.
To set the back-end authenticator-to-host retransmission time for the EAP-request frames, perform this task in privileged mode:
Set the back-end authenticator-to-host retransmission time for an EAP-request frame.
set dot1x supp-timeout seconds
This example shows how to set the back-end authenticator-to-host retransmission time for the EAP-request frame to 15 seconds:
Console> (enable) set dot1x supp-timeout 15dot1x supp-timeout set to 15 seconds.Setting the Back-End Authenticator-to-Authentication-Server Retransmission Time for Transport Layer Packets
The authentication server notifies the back-end authenticator each time that it receives a transport layer packet. When the back-end authenticator does not receive a notification after sending a packet, the back-end authenticator waits a set period of time, and then retransmits the packet. You may set the amount of time that the back-end authenticator waits for notification from 1-65,535 seconds. The default is 30 seconds.
To set the value for the retransmission of transport layer packets from the back-end authenticator to the authentication server, perform this task in privileged mode:
Set the back-end authenticator-to-authentication-server retransmission time for transport layer packets.
set dot1x server-timeout seconds
This example shows how to set the value for the retransmission time for transport layer packets that are sent from the back-end authenticator to the authentication server to 15 seconds:
Console> (enable) set dot1x server-timeout 15dot1x server-timeout set to 15 seconds.Setting the Back-End Authenticator-to-Host Frame-Retransmission Number
The authentication server notifies the back-end authenticator each time that it receives a specific number of frames. When the back-end authenticator does not receive this notification after sending the frames, the back-end authenticator waits a set period of time and then retransmits the frames. You may set the number of frames that the back-end authenticator retransmits from 1-10 (the default is 2).
To set the number of frames that are retransmitted from the back-end authenticator to the host, perform this task in privileged mode:
Set the back-end authenticator-to-host frame retransmission number.
set dot1x max-req count
This example shows how to set the number of retransmitted frames that are sent from the back-end authenticator to the host to 4:
Console> (enable) set dot1x max-req 4dot1x max-req set to 4.Setting the Shutdown Timeout Period
If a port is shut down because of a security violation, you must either manually reenable it or configure the shutdown timeout period after which the port can be enabled again.
To set the period of time that a port will be disabled after a security violation, perform this task in privileged mode:
This example shows how to set the shutdown timeout period:
Console> (enable) set dot1x shutdown-timeout 300dot1x shutdown-timeout set to 300 seconds.Console> (enable)Setting the Back-End Authenticator-to-Host Frame-Retransmission Number
The authentication server notifies the back-end authenticator each time that it receives a specific number of frames. When the back-end authenticator does not receive this notification after sending the frames, the back-end authenticator waits a set period of time and then retransmits the frames. You may set the number of frames that the back-end authenticator retransmits from 1-10 (the default is 2).
To set the number of frames that are retransmitted from the back-end authenticator to the host, perform this task in privileged mode:
Set the back-end authenticator-to-host frame retransmission number.
set dot1x max-req count
This example shows how to set the number of retransmitted frames that are sent from the back-end authenticator to the host to 4:
console> (enable) set dot1x max-req 4dot1x max-req count set to 4.Console> (enable)Setting the Back-End Authenticator-to-Host Frame-Retransmission Number
The authentication server notifies the back-end authenticator each time that it receives a specific number of frames. When the back-end authenticator does not receive this notification after sending the frames, the back-end authenticator waits a set period of time and then retransmits the frames. You may set the number of frames that the back-end authenticator retransmits from 1-10 (the default is 2).
To set the number of frames that are retransmitted from the back-end authenticator to the host, perform this task in privileged mode:
Set the back-end authenticator-to-host frame retransmission number.
set dot1x max-req count
This example shows how to set the number of retransmitted frames that are sent from the back-end authenticator to the host to 4:
Console> (enable) set dot1x max-req 4dot1x max-req set to 4.Resetting the 802.1X Configuration Parameters to the Default Values
You can reset the 802.1X configuration parameters to the default values with a single command, which also globally disables 802.1X.
To reset the 802.1X configuration parameters to the default values, perform this task in privileged mode:
Step 1
Reset the 802.1X configuration parameters to the default values and globally disable 802.1X.
clear dot1x config
Step 2
Verify the 802.1X configuration.
show dot1x
This example shows how to reset the 802.1X configuration parameters to the default values:
Console> (enable) clear dot1x configThis command will disable dot1x on all ports and take dot1x parameter values back to factory defaults.Do you want to continue (y/n) [n]?yDot1x config cleared.Console> (enable) 2002 Sep 06 11:34:27 %SECURITY-1-DOT1X_BACKEND_SERVER:No Radius servers configuredSetting the Trace Severity
You can alter the trace severity for 802.1X authentication. The number setting affects the number of trace messages that are displayed. Low numbers result in fewer messages; high numbers result in more messages.
To set the trace severity for 802.1X, perform this task in privileged mode:
This example shows how to set the trace severity for 802.1X authentication to 5:
Console> (enable) set trace dot1x 5DOT1X tracing set to 5Warning!! Turning on trace may affect the operation of the system.Use with caution.This example shows how to add port 3/3 to 802.1X guest VLAN 200:
Console> (enable) set port dot1x 3/3 guest-vlan 200Port 3/3 Guest Vlan is set to 200Console> (enable) show port dot1x guest-vlanGuest-Vlan Status Mod/Ports------------- -------- ------------------200 inactive 3/3none none 2/1-2,3/1-2,3/4-48Console> (enable)This example shows how to remove the port from the guest VLAN:
Console> (enable) set port dot1x 3/3 guest-vlan nonePort 3/3 Guest Vlan is clearedConsole> (enable)Using the show Commands
You can use these show commands to access information about 802.1X authentication and its configuration:
•
•
•
•
To display the usage options for the show port dot1x command, perform this task in normal mode:
This example shows how to display the usage options for the show port dot1x command:
Console> (enable) show port dot1x helpUsage: show port dot1x [<mod[/port]>]show port dot1x statistics [<mod[/port]>]To display the values for all the parameters that are associated with the authenticator PAE and back-end authenticator on a specific port on a specific module, perform this task in normal mode:
This example shows how to display the values for all the parameters that are associated with the authenticator PAE and back-end authenticator on port 1 on module 4:
Console> (enable) show port dot1x 4/1Port Auth-State BEnd-State Port-Control Port-Status----- ------------------- ---------- ------------------- -------------4/1 connecting finished auto unauthorizedPort Multiple Host Re-authentication----- ------------- -----------------4/1 disabled enabledTo display the statistics for the different types of EAP frames that are transmitted and received by the authenticator on a specific port on a specific module, perform this task in normal mode:
This example shows how to display the statistics for the different types of EAP frames that are transmitted and received by the authenticator on port 1 on module 4:
Console> (enable) show port dot1x statistics 4/1Port Tx_Req/Id Tx_Req Tx_Total Rx_Start Rx_Logoff Rx_Resp/Id Rx_Resp----- --------- ------ -------- -------- --------- ---------- -------4/1 97 0 97 0 0 0 0Port Rx_Invalid Rx_Len_Err Rx_Total Last_Rx_Frm_Ver Last_Rx_Frm_Src_Mac----- ---------- ---------- -------- --------------- -------------------4/1 0 0 0 0 00-00-00-00-00-00To display the global 802.1X parameters, perform this task in normal mode:
Display the PAE capabilities, protocol version, system-auth-control, and other global dot1x parameters.
show dot1x
This example shows how to display the global 802.1X parameters:
Console> (enable) show dot1xPAE Capability Authenticator OnlyProtocol Version 1system-auth-control enabledre-authentication disabledmax-req 2quiet-period 60 secondsre-authperiod 3600 secondsserver-timeout 30 secondssupp-timeout 30 secondstx-period 30 seconds
