-
Catalyst 6500 Series Software Configuration Guide, 8.7
-
Index
-
Preface
-
Product Overview
-
Command-Line Interfaces
-
Configuring the Switch IP Address and Default Gateway
-
Configuring Ethernet, Fast Ethernet, Gigabit Ethernet, and 10-Gigabit Ethernet Switching
-
Configuring Ethernet VLAN Trunks
-
Configuring EtherChannel
-
Configuring IEEE 802.1Q Tunneling and Layer 2 Protocol Tunneling
-
Configuring Spanning Tree
-
Configuring Spanning Tree PortFast, UplinkFast, BackboneFast, and Loop Guard
-
Configuring VTP
-
Configuring VLANs
-
Configuring InterVLAN Routing
-
Configuring CEF for PFC2/PFC3
-
Configuring MLS
-
Configuring Access Control
-
Configuring NDE
-
Configuring GVRP
-
Configuring MVRP
-
Configuring Dynamic Port VLAN Membership with VMPS
-
Checking Status and Connectivity
-
Configuring Online Diagnostics
-
Administering the Switch
-
Configuring Redundancy
-
Configuring NSF with SSO MSFC Redundancy
-
Modifying the Switch Boot Configuration
-
Working with the Flash File System
-
Working with System Software Images
-
Working with Configuration Files
-
Configuring System Message Logging
-
Configuring DNS
-
Configuring CDP
-
Configuring UDLD
-
Configuring DHCP Snooping and IP Source Guard
-
Configuring NTP
-
Configuring Broadcast Suppression
-
Configuring Layer 3 Protocol Filtering
-
Configuring the IP Permit List
-
Configuring Port Security
-
Configuring Switch Access Using AAA
-
Configuring 802.1x Authentication
-
Configuring MAC Authentication Bypass
-
Configuring Web-Based Proxy Authentication
-
Tracking Host Aging
-
Configuring Network Admission Control
-
Configuring Unicast Flood Blocking
-
Configuring SNMP
-
Configuring RMON
-
Configuring SPAN, RSPAN and the Mini Protocol Analyzer
-
Using Switch TopN Reports
-
Configuring Multicast Services
-
Configuring QoS
-
Configuring Automatic QoS
-
Configuring ASLB
-
Configuring the Switch Fabric Module
-
Configuring a VoIP Network
-
Configuring MSFC IOS Features
-
Acronyms
-
Table Of Contents
Configuring 802.1X Authentication
Understanding How 802.1X Authentication Works
Authentication Initiation and Message Exchange
Ports in Authorized and Unauthorized States
802.1X Parameters Configurable on the Switch
Understanding How 802.1X VLAN Assignments Using a RADIUS Server Work
Understanding How 802.1X Authentication with DHCP Works
Understanding How 802.1X Authentication on Ports Configured for Auxiliary VLAN Traffic Works
Understanding How 802.1X Authentication for the Guest VLAN Works
Usage Guidelines for 802.1X Authentication with the Guest VLANs on Windows-XP Hosts
Understanding How 802.1X Authentication with Port Security Works
Understanding How 802.1X Authentication with ARP Traffic Inspection Works
Default Authentication Configuration
Authentication Configuration Guidelines
Configuring 802.1X Authentication on the Switch
Enabling 802.1X Authentication Globally
Disabling 802.1X Authentication Globally
Enabling 802.1X Authentication for Individual Ports
Enabling 802.1X with Inaccessible Authentication Bypass
Enabling Multiple 802.1X Authentications
Setting and Enabling Automatic Reauthentication of the Host
Manually Reauthenticating the Host
Setting the Shutdown Timeout Period
Setting the Authenticator-to-Host Retransmission Time for EAP-Request/Identity Frames
Setting the Back-End Authenticator-to-Host Retransmission Time for the EAP-Request Frames
Setting the Back-End Authenticator-to-Host Frame-Retransmission Number
Setting the Critical Recovery Delay for an Authentication Feature
Resetting the 802.1X Configuration Parameters to the Default Values
Enabling 802.1X Authentication for the DHCP Relay Agent
Disabling 802.1X Authentication for the DHCP Relay Agent
Adding Hosts to an 802.1X Guest VLAN
Configuring an 802.1X Unidirectional Controlled Port
Using the CLI to Configure an 802.1X Unidirectional or Bidirectional Port
Configuring 802.1X with ACL Assignments
802.1X with ACL Assignments Configuration Guidelines
Using the CLI to Configure 802.1X with ACL Assignments
Configuring 802.1X with QoS ACLs
Configuring 802.1X User Distribution
802.1X User Distribution Configuration Guidelines
Using the CLI to Configure 802.1X User Distribution
Enabling and Disabling 802.1X RADIUS Accounting and Tracking
Using the CLI to Enable and Disable 802.1X RADIUS Accounting and Tracking
Enabling and Disabling RADIUS Keepalive
Configuring the Authenticated Identity-to-Port Description Mappings
Configuring the DNS Resolution for a RADIUS Server Configuration
Configuring the Authentication Failure VLAN
Authentication Failure VLAN Configuration Guidelines and Restrictions
Creating an Authentication Failure VLAN and Adding 802.1X Ports
Configuring a RADIUS Server Failover
Configuring 802.1X Authentication with Private VLANs
Configuring 802.1X Authentication with Private VLANs
Configuring 802.1X Authentication
This chapter describes how to configure IEEE 802.1X authentication on the Catalyst 6500 series switches.
Note
For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 6500 Series Switch Command Reference publication.
Note
Note
Note
Note
Note
This chapter consists of these sections:
•
•
•
•
Understanding How 802.1X Authentication Works
802.1X defines a client-server-based access control and authentication protocol that restricts unauthorized devices from connecting to a LAN through publicly accessible ports. 802.1X controls network access by creating two distinct virtual access points at each port. One access point is an uncontrolled port; the other is a controlled port. All traffic through the single port is available to both access points. 802.1X authenticates each user device that is connected to a switch port and assigns the port to a VLAN before making available any services that are offered by the switch or the LAN. Until the device is authenticated, 802.1X access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the device is connected. After authentication is successful, normal traffic can pass through the port. You can restrict the traffic in both directions, or you can restrict just the incoming traffic.
These sections provide the following information:
•
•
•
•
•
•
•
•
•
Device Roles
With 802.1X port-based authentication, the devices in the network have specific roles. (See Figure 40-1.)
Figure 40-1 802.1X Device Roles
•
Note
•
•
When the switch receives the Extensible Authentication Protocol over LAN (EAPOL) frames and relays them to the authentication server, the Ethernet header is stripped and the remaining EAP frame is reencapsulated in the RADIUS format. The EAP frames are not modified or examined during encapsulation, and the authentication server must support EAP within the native frame format. When the switch receives the frames from the authentication server, the server's frame header is removed, leaving the EAP frame, which is then encapsulated for Ethernet and sent to the host.
Authentication Initiation and Message Exchange
The switch or the host can initiate authentication. If you enable authentication on a port by using the set port dot1x mod/port port-control auto command, the switch must initiate authentication when it determines that the port link state transitions from down to up. The switch sends an EAP-request/identity frame to the host to request its identity (typically, the switch sends an initial identity/request frame that is followed by one or more requests for authentication information). When the host receives the frame, it sends an EAP-response/identity frame.
During bootup, if the host does not receive an EAP-request/identity frame from the switch, the host can initiate authentication by sending an EAPOL-start frame that prompts the switch to request the host's identity.
Note
When the host supplies its identity, the switch acts as the intermediary, passing the EAP frames between the host and the authentication server until authentication succeeds or fails. If the authentication succeeds, the switch port becomes authorized. For more information, see the "Ports in Authorized and Unauthorized States" section.
The specific exchange of EAP frames depends on the authentication method that is being used. Figure 40-2 shows a message exchange that is initiated by the host using the One-Time-Password (OTP) authentication method with a RADIUS server.
Figure 40-2 Message Exchange
Ports in Authorized and Unauthorized States
The switch port state determines if the host is granted access to the network. The port starts in the unauthorized state. In this state, the port disallows all the ingress and egress traffic except for the 802.1X protocol packets. When a host is successfully authenticated, the port transitions to the authorized state, which allows all traffic for the host to flow normally.
If a host that does not support 802.1X is connected to an unauthorized 802.1X port, the switch requests the host's identity. In this situation, the host does not respond to the request, the port remains in the unauthorized state, and the host is not granted access to the network.
When an 802.1X-enabled host connects to a port that is not running the 802.1X protocol, the host initiates the authentication process by sending the EAPOL-start frame. When no response is received, the host sends the request for a fixed number of times. Because no response is received, the host begins sending frames as if the port is in the authorized state.
You control the port authorization state by using the set port dot1x mod/port port-control command and these keywords:
•
•
•
If the host is successfully authenticated (receives an Accept frame from the authentication server), the port state changes to authorized, and all frames from the authenticated host are allowed through the port. If the authentication fails, the port remains in the unauthorized state, but authentication can be retried. If the switch cannot reach the authentication server, it can retransmit the request. If no response is received from the server after the specified number of attempts, authentication fails, and network access is not granted.
When a host logs off, the server sends an EAPOL-logoff message, causing the switch port to transition to the unauthorized state.
If the link state of a port transitions from up to down, or if an EAPOL-logoff frame is received, the port returns to the unauthorized state.
Table 40-1 defines the 802.1X terms.
Table 40-1 802.1X Terminology
Authenticator PAE1
(Referred to as the "authenticator") entity at one end of a point-to-point LAN segment that enforces host authentication. The authenticator is independent of the actual authentication method and functions only as a pass-through for the authentication exchange. It communicates with the host, submits the information from the host to the authentication server, and authorizes the host when instructed to do so by the authentication server.
Authentication server
Entity that provides the authentication service for the authenticator PAE. It checks the credentials of the host PAE and then notifies its client, the authenticator PAE, whether the host PAE is authorized to access the LAN/switch services.
Authorized state
Status of the port after the host PAE is authorized.
Both
Bidirectional flow control, incoming and outgoing, at an unauthorized switch port.
Controlled port
Secured access point.
EAP
Extensible Authentication Protocol.
EAPOL2
Encapsulated EAP messages that can be handled directly by a LAN MAC service.
In
Flow control only on incoming frames in an unauthorized switch port.
Port
Single point of attachment to the LAN infrastructure (for example, MAC bridge ports).
PAE
Port access entity protocol object that is associated with a specific system port.
PDU
Protocol data unit.
RADIUS
Remote Access Dial-In User Service.
Supplicant3 PAE
Entity that requests access to the LAN/switch services and responds to the information requests from the authenticator.
Unauthorized state
Status of the port before the supplicant PAE is authorized.
Uncontrolled port
Unsecured access point that allows the uncontrolled exchange of PDUs.
1 PAE = port access entity
2 EAPOL = Extensible Authorization Protocol over LAN
3 802.1X uses the term supplicant for client or host. This publication uses host instead of supplicant because host is used in the Catalyst 6500 series CLI syntax.
Authentication Server
The frames that are exchanged between the authenticator and the authentication server are dependent on the authentication mechanism, so they are not defined by 802.1X. You can use other protocols, but we recommend that you use RADIUS for authentication, particularly when the authentication server is located remotely, because RADIUS has extensions that support the encapsulation of EAP frames built into it.
802.1X Parameters Configurable on the Switch
You can configure these 802.1X parameters on the switch:
•
•
•
•
•
•
•
•
•
•
•
Understanding How 802.1X VLAN Assignments Using a RADIUS Server Work
In the supervisor engine software releases prior to software release 7.2(2), once the 802.1X host is authenticated, it joins an NVRAM-configured VLAN. With software release 7.2(2) and later releases, after authentication, an 802.1X host can receive its VLAN assignment from the RADIUS server.
The VLAN assignment feature allows you to restrict users to a specific VLAN. For example, you could put the guest users in a VLAN with limited access to the network.
The 802.1X authenticated ports are assigned to a VLAN based on the username of the host that is connected to the port. This feature works with the RADIUS server that has a database of username-to-VLAN mappings.
After a successful 802.1X authentication of the port, the RADIUS server sends the VLAN in which the user needs to be given access. The 802.1X port behavior with the VLAN assignment feature is as follows:
•
•
•
•
•
•
•
•
•
•
In order for the "802.1X VLAN assignment using a RADIUS server" feature to successfully complete, the RADIUS server must return these three RFC 2868 attributes to the authenticator (the Cisco switch to which the host attaches):
•
•
•
Attribute [64] must contain the value "VLAN" (type 13). Attribute [65] must contain the value "802" (type 6). Attribute [81] specifies the VLAN name or VLAN ID in which the successfully authenticated 802.1X host is placed.
Understanding How 802.1X Authentication with DHCP Works
The 802.1X authentication support for the Dynamic Host Configuration Protocol (DHCP) allows the DHCP server to assign the IP addresses to the different classes of end users by adding the authenticated user identity into the DHCP discovery process. This feature allows you to secure the IP addresses given to the end users for accounting purposes and to grant the services that are based on the Layer 3 criteria. Once the RADIUS server authenticates the supplicant, the DHCP server keeps an authenticated user identity that is associated with the IP address lease. This authenticated user identity is then added to the DHCP discovery process so that the different addresses can be assigned to the different classes of users.
After the successful 802.1X authentications between the supplicant and the RADIUS server, the switch puts the port in the forwarding state and stores the attributes that it receives from the RADIUS server. These attributes are used to map to an address pool in the DHCP server. Because the switch can act as a DHCP Relay Agent, it can receive the DHCP messages and regenerate those messages for transmission on another interface. When the supplicant does DHCP discovery (following authentication), the DHCP Relay Agent on the supervisor engine receives the packet and adds the stored attributes that it received from the RADIUS server to the DHCP discovery packet and submits the discovery broadcast again. The mapping of user-to-IP address can be on a one-to-one, one-to-many, or many-to-many basis. The one-to-many mapping allows the same user to authenticate through the 802.1X hosts on multiple ports.
Understanding How 802.1X Authentication on Ports Configured for Auxiliary VLAN Traffic Works
You can enable 802.1X on a Multiple VLAN Access Port (MVAP), and you can enable an auxiliary VLAN ID on an 802.1X port.
The ports that are configured for 802.1X authentication and an auxiliary VLAN must be in single-host authentication mode to forward the auxiliary VLAN-tagged packets from an IP phone. Because the IP phones do not have host PAE capability, when the auxiliary VLAN-tagged packets are received on a port that is configured for 802.1X authentication from the IP phone, the packets are forwarded as authorized traffic.
A host PAE that is connected behind an IP phone will be authenticated. Only the traffic from the host PAE behind the IP phone is forwarded after authentication.
Note
Understanding How 802.1X Authentication for the Guest VLAN Works
This section describes the 802.1X authentication for the guest VLANs.
A guest VLAN enables the non-802.1X capable hosts to access the networks that use 802.1X authentication. You can use the guest VLANs while you are upgrading your system to support the 802.1X authentication.
When you configure a VLAN as an 802.1X guest VLAN, all the non-802.1X capable hosts are put in this VLAN. You can configure any VLAN (except for the private VLANs and RSPAN VLANs) as a guest VLAN. If a port is already forwarding on the guest VLAN and you enable 802.1X support on the network interface of the host, the port is immediately moved out of the guest VLAN and the authenticator waits for authentication to occur.
Note
Enabling 802.1X authentication on a port starts the 802.1X protocol. If the host fails to respond to the packets from the authenticator within a certain amount of time, the authenticator puts the port in the guest VLAN.
The guest VLANs are supported in both single-authentication mode and multiple-host mode.
Note
An authentication failure VLAN is independent of the guest VLAN. However, the guest VLAN can be the same VLAN as the authentication failure VLAN. If you do not want to differentiate between the non-802.1X capable hosts and the authentication failed hosts, you may configure both hosts to the same VLAN (either a guest VLAN or an authentication failure VLAN).
For more information, see the "Configuring the Authentication Failure VLAN" section.
Usage Guidelines for 802.1X Authentication with the Guest VLANs on Windows-XP Hosts
This section describes the usage guidelines for configuring 802.1X authentication with the guest VLANs on Windows-XP hosts:
•
•
•
•
Note
Understanding How 802.1X Authentication with Port Security Works
802.1X authentication is compatible with the port security feature (for more information, see Chapter 38, "Configuring Port Security"). If you enable port security for only one MAC address on a specific port, only that MAC address authenticates through a RADIUS server. The users that are connected through all other MAC addresses are denied access. If you enable port security for multiple MAC addresses, each address needs to authenticate through the 802.1X RADIUS server.
Note
You can enable port security for any 802.1X mode (single-authentication mode, multiple-host mode, or multiple-authentication mode). Only one mode can be enabled on a port at a time. The default port mode is single-authentication mode.
You can disable port security for single-authentication mode and multiple-host mode. You cannot disable port security for multiple-authentication mode.
When 802.1X authentication is enabled on a port that is also enabled for MAC address-based port security, 802.1X authentication does not occur on the port unless the maximum allowable number of MAC addresses has been configured. If you configure fewer addresses than the maximum allowable number of MAC addresses on a port that is also configured for 802.1X single-host mode authentication, the system generates a message asking if you want the configured MAC addresses to be removed. If you answer "yes" to this message, the MAC addresses that you configured for MAC address-based port security are removed and the port is authenticated using 802.1X authentication. If 802.1X authentication is enabled for any other mode, no message is created and the MAC addresses are retained.
In the multiple-authentication mode, all connected hosts are authenticated using 802.1X and secured using port security. 802.1X authenticates the MAC address and then gives the MAC address to port security to secure it. When a MAC address sends an EAPOL logoff packet, the MAC address is cleared from the port security tables.
Understanding How 802.1X Authentication with ARP Traffic Inspection Works
Note
ARP traffic inspection allows you to configure a set of order-dependent rules within the security ACL (VACL) framework to prevent ARP table attacks. ARP traffic inspection complements the 802.1X port authentication protocol, which first binds the MAC address of the authenticated client to the port, eliminating the possibility of spoofing additional MAC addresses by adding an IP to MAC address binding for additional spoof proofing.
You can use 802.1X authentication with ARP traffic inspection to provide an additional layer of port and user security by eliminating the possibility of malicious users/hosts corrupting the ARP tables of the other hosts. After a successful 802.1X supplicant authentication, ARP traffic inspection, which binds the supplicant's IP address and MAC address, is invoked and eliminates the spoofing possibility.
ARP is a simple protocol that does not have an authentication mechanism so there is no means to ensure that the ARP requests and replies are genuine. Without an authentication mechanism, a malicious user/host can corrupt the ARP tables of the other hosts on the same VLAN in a Layer 2 network or bridge domain.
For example, user/Host A (the malicious user) can send the unsolicited ARP replies (or the gratuitous ARP packets) to the other hosts on the subnet with the IP address of the default router and the MAC address of Host A.With some earlier operating systems, even if a host already has a static ARP entry for the default router, the newly advertised binding from Host A is learned. If Host A enables IP forwarding and forwards all packets from the "spoofed" hosts to the router and vice versa, then Host A can carry out a man-in-the-middle attack (for example, using the program dsniff) without the spoofed hosts realizing that all of their traffic is being sniffed.
In addition, ARP inspection can drop the packets where the source Ethernet MAC address (in the Ethernet header) does not match the source MAC address in the ARP header. You can enable (or disable) this feature through the CLI by entering the set security acl arp-inspection match-mac {enable [drop [log]] | disable} command.
To configure ARP traffic inspection, see the "Inspecting ARP Traffic" section on page 15-30.
Default Authentication Configuration
Table 40-2 shows the default 802.1X authentication configuration.
Authentication Configuration Guidelines
This section provides the guidelines for configuring 802.1X authentication on the switch:
•
•
•
•
•
•
•
•
•
•
•
•
Note
•
Configuring 802.1X Authentication on the Switch
These sections describe how to configure 802.1X authentication on the switch:
Note
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Enabling 802.1X Authentication Globally
You must enable 802.1X authentication for the entire system before you can configure it for the individual ports. After you globally enable 802.1X authentication, you can configure the individual ports for 802.1X authentication if the port meets the specific requirements that are required by 802.1X. To enable 802.1X authentication for the individual ports, see the "Enabling 802.1X Authentication for Individual Ports" section.
To enable 802.1X authentication globally, perform this task in privileged mode:
This example shows how to enable 802.1X authentication globally:
Console> (enable) set dot1x system-auth-control enabledot1x system-auth-control enabled.Disabling 802.1X Authentication Globally
When 802.1X authentication is enabled for the entire system, you can disable it globally. When 802.1X authentication is disabled globally, it is no longer available at any port (even ports that were previously configured for it).
To disable 802.1X authentication globally, perform this task in privileged mode:
This example shows how to disable 802.1X authentication globally:
Console> (enable) set dot1x system-auth-control disabledot1x system-auth-control disabled.Enabling 802.1X Authentication for Individual Ports
After 802.1X authentication is globally enabled, you must enable 802.1X authentication from the console for the individual ports. To enable 802.1X authentication globally, see the "Enabling 802.1X Authentication Globally" section.
Note
To enable 802.1X authentication for access to the switch, perform this task in privileged mode:
Step 1
Enable 802.1X control on a specific port.
set port dot1x mod/port port-control auto
Step 2
Verify the 802.1X configuration.
show port dot1x mod/port
This example shows how to enable 802.1X authentication on port 1 in module 3 and verify the configuration:
Console> (enable) set port dot1x 3/1 port-control autoPort 3/1 dot1x port-control is set to auto.Trunking disabled for port 3/1 due to Dot1x feature.Spantree port fast start option enabled for port 3/1.Console> (enable) show port dot1x 3/1Port Auth-State BEnd-State Port-Control Port-Status----- ------------------- ---------- ------------------- -------------3/1 connecting idle auto unauthorizedPort Port-Mode Re-authentication Shutdown-timeout Control-Modeadmin oper----- ------------- ----------------- ---------------- ---------------3/1 SingleAuth disabled disabled Both BothConsole> (enable)
Note
Enabling 802.1X with Inaccessible Authentication Bypass
You can enable 802.1X inaccessible authentication bypass on a per-port basis. This feature allows you to specify a port as critical. When a port is specified as a critical port, 802.1X attempts to authenticate the port in the normal way. If attempts to reach the authentication server fail, the port is still given access to the network in the administratively configured VLAN or the port's native VLAN. You can configure a port as critical only if it is in single-authentication mode.
After a critical port obtains access to the network, if the authentication server becomes available, the critical port returns to the unauthorized state, the normal authentication process restarts, and the critical port moves into the RADIUS server-specified VLAN after the port is authenticated. At this point, you must initialize the port manually using the set port dot1x mod/port initialize command.
If the authentication server goes down after a host has already been authenticated through the normal authentication process, the switch checks if the port is a critical port. If the switch determines that the port is a critical port, the normal reauthentication process is temporarily disabled for the port and the port is given network access until the authentication server becomes active and restarts the authentication process.
To specify a port as a critical port, perform this task in privileged mode:
Step 1
Specify a port as a critical port.
set port dot1x mod/port critical {enable | disable}
Step 2
Verify the 802.1X configuration.
show port dot1x mod/port
This example shows how to specify a port as a critical port:
Console> (enable) set port dot1x 5/48 critical enablePort 5/48 critical-port option is enabledConsole> (enable)This example shows how to verify the 802.1X configuration:
Console> (enable) show port dot1x 5/48Port Auth-State BEnd-State Port-Control Port-Status----- ------------------- ---------- ------------------- -------------5/48 - - force-authorized -Port Port-Mode Re-authentication Shutdown-timeout Control-Modeadmin oper----- ------------- ----------------- ---------------- ---------------5/48 SingleAuth disabled disabled Both -Port Posture-Token Critical Termination action Session-timeout----- ------------- -------- ------------------ ---------------5/48 - YES - -Console> (enable)Enabling Multiple 802.1X Authentications
You can specify multiple authentications so that more than one host can gain access to an 802.1X port. Cisco-proprietary multiple authentication allows multiple dot1x-hosts on a port; every host is authenticated separately. Use these guidelines when enabling multiple 802.1X authentications:
•
•
•
•
•
•
•
To enable multiple 802.1X authentications, perform this task in privileged mode:
This example shows how to enable multiple 802.1X authentications on port 1 in module 3 and verify the configuration:
Console> (enable) set port dot1x 3/1 multiple-authentication enablePortSecurity should be enabled on port 3/1, before enabling Multiple-authenticationPort Security not enabled on 3/1.Console> (enable) set port security 3/1 enablePort 3/1 security enabled.Console> (enable) set port dot1x 3/1 multiple-authentication enablePort 3/1 Multiple-authentication option enabledConsole> (enable) show port dot1x 3/1Port Auth-State BEnd-State Port-Control Port-Status----- ------------------- ---------- ------------------- -------------3/1 connecting idle auto unauthorizedPort Port-Mode Re-authentication Shutdown-timeout Control-Modeadmin oper----- ------------- ----------------- ---------------- ---------------3/1 MultiAuth disabled disabled Both BothConsole> (enable)Setting and Enabling Automatic Reauthentication of the Host
You can specify how often 802.1X authentication reauthenticates the host if you do so before you enable automatic 802.1X host reauthentication. If you do not specify a time period before you enable host reauthentication, 802.1X defaults to 3600 seconds (the valid values are from 1-65535 seconds).
You can enable automatic 802.1X host reauthentication for the hosts that are connected to a specific port. To manually reauthenticate the host that is connected to a specific port, see the "Manually Reauthenticating the Host" section.
To set how often 802.1X authentication reauthenticates the host and enable automatic 802.1X reauthentication, perform this task in privileged mode:
This example shows how to set automatic reauthentication to 7200 seconds, enable 802.1X reauthentication on port 3/1, and verify the configuration:
Console> (enable) set dot1x re-authperiod 7200dot1x re-authperiod set to 7200 secondsConsole> (enable) set port dot1x 3/1 re-authentication enablePort 3/1 Dot1x re-authentication enabled.Console> (enable) show port dot1x 3/1Port Auth-State BEnd-State Port-Control Port-Status----- ------------------- ---------- ------------------- -------------3/1 connecting idle auto unauthorizedPort Port-Mode Re-authentication Shutdown-timeout Control-Modeadmin oper----- ------------- ----------------- ---------------- ---------------3/1 MultiAuth enabled disabled Both BothConsole> (enable)Manually Reauthenticating the Host
You can manually reauthenticate the host that is connected to a specific port at any time. When you want to configure automatic 802.1X host reauthentication, see the "Setting and Enabling Automatic Reauthentication of the Host" section.
To manually reauthenticate a host that is connected to a specific port, perform this task in privileged mode:
Manually reauthenticate the host that is connected to a specific port.
set port dot1x mod/port re-authenticate
This example shows how to manually reauthenticate the host that is connected to port 1 on module 3:
Console> (enable) set port dot1x 3/1 re-authenticatePort 3/1 re-authenticating...dot1x re-authentication successful...dot1x port 3/1 authorized.Console> (enable)Enabling Multiple Hosts
You can enable a specific port to allow multiple-user access. When a port is enabled for multiple users, and a host that is connected to that port is authorized successfully, any host (with any MAC address) is allowed to send and receive the traffic on that port. If you connect multiple hosts to that port through a hub, you can reduce the security level on that port.
To enable access for multiple hosts on a specific port, perform this task in privileged mode:
This example shows how to enable access for multiple hosts on port 1 on module 3:
Console> (enable) set port dot1x 3/1 multiple-host enablePort 3/1 Multiple-host option enabled.Console> (enable)Disabling Multiple Hosts
You can disable multiple-user access on any port where it is enabled.
To disable access for multiple hosts on a specific port, perform this task in privileged mode:
Disable multiple hosts on a specific port.
set port dot1x mod/port multiple-host disable
This example shows how to disable access for multiple hosts on port 1 on module 3:
Console> (enable) set port dot1x 3/1 multiple-host disablePort 3/1 Multiple-host option disabled.Console> (enable)Setting the Quiet Period
When the authenticator cannot authenticate the host, it remains idle for a set period of time and then tries again. The idle time is determined by the quiet-period value. (The default is 60 seconds.) You may set the value from 0-65535 seconds.
To set the value for the quiet period, perform this task in privileged mode:
This example shows how to set the quiet period to 45 seconds:
Console> (enable) set dot1x quiet-period 45dot1x quiet-period set to 45 seconds.Console> (enable)Setting the Shutdown Timeout Period
If a port is shut down because of a security violation, you must either manually reenable it or configure the shutdown timeout period after which the port can be enabled again.
To set the period of time that a port will be disabled after a security violation, perform this task in privileged mode:
This example shows how to set the shutdown timeout period:
Console> (enable) set dot1x shutdown-timeout 300dot1x shutdown-timeout set to 300 seconds.Console> (enable)Setting the Authenticator-to-Host Retransmission Time for EAP-Request/Identity Frames
The host notifies the authenticator that it received the EAP-request/identity frame. When the authenticator does not receive this notification, the authenticator waits a set period of time and then retransmits the frame. You may set the amount of time that the authenticator waits for notification from 1-65535 seconds. (The default is 30 seconds.)
To set the authenticator-to-host retransmission time for the EAP-request/identity frames, perform this task in privileged mode:
Set the authenticator-to-host retransmission time for EAP-request/identity frames.
set dot1x tx-period seconds
This example shows how to set the authenticator-to-host retransmission time for the EAP-request/identity frame to 15 seconds:
Console> (enable) set dot1x tx-period 15dot1x tx-period set to 15 seconds.Console> (enable)Setting the Back-End Authenticator-to-Host Retransmission Time for the EAP-Request Frames
The host notifies the back-end authenticator that it received the EAP-request frame. When the back-end authenticator does not receive this notification, the back-end authenticator waits a set period of time and then retransmits the frame. You may set the amount of time that the back-end authenticator waits for notification from 1-65535 seconds. (The default is 30 seconds.)
To set the back-end authenticator-to-host retransmission time for the EAP-request frames, perform this task in privileged mode:
Set the back-end authenticator-to-host retransmission time for the EAP-request frame.
set dot1x supp-timeout seconds
This example shows how to set the back-end authenticator-to-host retransmission time for the EAP-request frame to 15 seconds:
Console> (enable) set dot1x supp-timeout 15dot1x supp-timeout set to 15 seconds.Console> (enable)Setting the Back-End Authenticator-to-Authentication-Server Retransmission Time for the Transport Layer Packets
The authentication server notifies the back-end authenticator each time that it receives a transport layer packet. When the back-end authenticator does not receive a notification after sending a packet, the back-end authenticator waits a set period of time and then retransmits the packet. You may set the amount of time that the back-end authenticator waits for notification from 1-65535 seconds. (The default is 30 seconds.)
To set the value for the retransmission of transport layer packets from the back-end authenticator to the authentication server, perform this task in privileged mode:
Set the back-end authenticator-to-authentication-server retransmission time for the transport layer packets.
set dot1x server-timeout seconds
This example shows how to set the value for the retransmission time for the transport layer packets that are sent from the back-end authenticator to the authentication server to 15 seconds:
Console> (enable) set dot1x server-timeout 15dot1x server-timeout set to 15 seconds.Console> (enable)Setting the Back-End Authenticator-to-Host Frame-Retransmission Number
The authentication server notifies the back-end authenticator each time that it receives a specific number of frames. When the back-end authenticator does not receive this notification after sending the frames, the back-end authenticator waits a set period of time and then retransmits the frames. You may set the number of frames that the back-end authenticator retransmits from 1-10 (the default is 2).
To set the number of frames that are retransmitted from the back-end authenticator to the host, perform this task in privileged mode:
Set the back-end authenticator-to-host frame retransmission number.
set dot1x max-req count
This example shows how to set the number of retransmitted frames that are sent from the back-end authenticator to the host to 4:
Console> (enable) set dot1x max-req 4dot1x max-req set to 4.Console> (enable)Setting the Critical Recovery Delay for an Authentication Feature
You can set the critical recovery delay for each authentication feature. By default, critical recovery delay is disabled. The critical recovery delay can be set between 1-10000 milliseconds. Ports enabled with the critical recovery delay feature will be moved to the "critical" state when the RADIUS server is not available to authenticate. The ports moved to critical state are initalized when the RADIUS server comes online and the RADIUS auto-initialization feature is enabled. During the initialization process, the ports that were moved to the critical state are initialized after the configured critical recovery delay interval.
For example, if there are 10 ports enabled with dot1x and moved to the critical state, the ports are initialized when the RADIUS server comes online. If you configure a delay of 10 milliseconds, the initialization for each port is delayed by 10 milliseconds before the initialization process begins. After each 10-millisecond period is completed, the next port initializes until all the ports have gone through the initialization process.
Set the critical recovery delay feature.
set [dot1x | mac-auth-bypass | eou | web-auth] critical-recovery-delay time
This example shows how to set the critical recovery delay to 10 milliseconds for dot1x:
Console> (enable) set dot1x critical-recovery-delay 10Dot1x critical recovery delay set to 10 milliseconds.Console> (enable)Resetting the 802.1X Configuration Parameters to the Default Values
You can reset the 802.1X configuration parameters to the default values with a single command, which also globally disables 802.1X.
To reset the 802.1X configuration parameters to the default values, perform this task in privileged mode:
Step 1
Reset the 802.1X configuration parameters to the default values and globally disable 802.1X.
clear dot1x config
Step 2
Verify the 802.1X configuration.
show dot1x
This example shows how to reset the 802.1X configuration parameters to the default values and verify the configuration:
Console> (enable) clear dot1x configThis command will disable dot1x on all ports and take dot1x parameter values back to factory defaults.Do you want to continue (y/n) [n]?Console> (enable) show dot1xPAE Capability Authenticator OnlyProtocol Version 1system-auth-control enabledmax-req 2quiet-period 45 secondsradius-accounting disabledradius-vlan-assignment enabledradius-keepalive state enabledre-authperiod 7200 secondsserver-timeout 30 secondsshutdown-timeout 300 secondssupp-timeout 30 secondstx-period 30 secondsConsole> (enable)Enabling 802.1X Authentication for the DHCP Relay Agent
To enable the DCHP Relay Agent to send 802.1X parameters for a particular VLAN to the DHCP server, perform this task in privileged mode:
Note
This example shows how to create an ACL entry for the 802.1X DHCP relay traffic:
Console> (enable) set security acl ip dhcp_relay permit dot1x_dhcp Successfully configured Dot1x Dhcp ACL for dhcp_relay. Use `commit' command to save changesThis example shows how to configure the ACL to allow other traffic than DHCP on an existing ACL entry:
Console> (enable) set security acl ip dhcp_relay permit anydhcp_relay editbuffer modified. Use 'commit' command to apply changes.console> (enable)This example shows how to commit the ACE to NVRAM:
Console> (enable) commit security acl dhcp_relay Commit operation in progressACL `dhcp_relay' successfully committed.This example shows how to map the VLANs that should be applied to dhcp-relay-acl:
Console> (enable) set security acl map dhcp_relay 1-3,20 Mapping in progress...ACL dhcp_relay successfully mapped to VLAN 1.ACL dhcp_relay successfully mapped to VLAN 2.ACL dhcp_relay successfully mapped to VLAN 3.ACL dhcp_relay successfully mapped to VLAN 20.The DHCP Relay Agent Information field is added in the DHCP packet that is forwarded from the client to the server. The VLANs that are not mapped to "dhcp-relay-acl" and all DHCP packets are switched as usual without any modifications.
Disabling 802.1X Authentication for the DHCP Relay Agent
To disable the DCHP Relay Agent from sending the 802.1X parameters for a particular VLAN to the DHCP server, perform this task in privileged mode:
Step 1
Disable 802.1X authentication for the DHCP Relay Agent.
clear security acl map dhcp_relay vlan_ID
Step 2
Verify the 802.1X configuration.
show dot1x
This example shows how to configure the DHCP Relay Agent to stop sending the 802.1X authentication parameters for VLANs 1-3 and 20 and verify the configuration:
Console> (enable) clear security acl map dhcp_relay 1-3,20 Successfully cleared mapping between ACL dhcp_relay and VLAN 1.Successfully cleared mapping between ACL dhcp_relay and VLAN 2.Successfully cleared mapping between ACL dhcp_relay and VLAN 3.Successfully cleared mapping between ACL dhcp_relay and VLAN 20.Adding Hosts to an 802.1X Guest VLAN
Typically, the guest VLANs support minimal services and provide minimal network access. The hosts can be added to the guest VLAN only when the set port dot1x mod/port port-control auto command option is used. If you change the set port dot1x mod/port port-control command option from auto to force-authorized or force-unauthorized, the host is removed from the guest VLAN and added back to the port VLAN.
To add a port to an 802.1X guest VLAN, perform this task in privileged mode:
This example shows how to add port 3/1 to 802.1X guest VLAN 200:
Console> (enable) set port dot1x 3/1 guest-vlan 200Port 3/1 is Multiple-authentication enabled, guest-vlan can not be enabledConsole> (enable) set port dot1x 3/1 multiple-authentication disablePort 3/1 Multiple-authentication option disabledConsole> (enable) set port dot1x 3/1 guest-vlan 200Port 3/1 Guest Vlan is set to 200Console> (enable) show port dot1x guest-vlanGuest-Vlan Status Mod/Ports------------- -------- ------------------200 active 3/1none none 2/1-2,3/2-48,8/1-8Console> (enable)This example shows how to remove the port from the guest VLAN:
Console> (enable) set port dot1x 3/1 guest-vlan nonePort 3/1 Guest Vlan is clearedConsole> (enable)Configuring an 802.1X Unidirectional Controlled Port
802.1X allows you to use wake-on LAN technology (also referred to as remote wake-up) to perform the unattended system backups or software upgrades on the hosts that are attached to the switch.
When you configure a unidirectional controlled port, the port allows outbound-only traffic prior to host authentication. This behavior enables a management station to send the wake-on LAN frames to selected hosts that trigger the host to power up and boot, authenticate, and then perform the unattended operation.
Note
Prior to software release 8.3(1), the 802.1X bridge ports were configured by default to a bidirectional state where the control was exerted on protocol exchanges in both directions on the unauthorized ports. With the unidirectional controlled port feature, you can configure the 802.1X-capable ports to be in unidirectional (in keyword) or bidirectional (both keyword) states using the set port dot1x mod/port port-control-direction command.
Unidirectional State
When you configure a port as a unidirectional port (in keyword) and set the port to auto using the set port dot1x mod/port port-control auto command, the bridge port is moved into the spanning-tree forwarding state where all the traffic to the port is redirected to the supervisor engine for processing. With the wake-on LAN functionality, when the connected host is in sleeping mode or a power-down state, the host does not exchange the traffic with any other devices in the network. The hosts that are connected to the unidirectional port cannot send the traffic out into the network; they can only receive the traffic from the other devices in the network. If the unidirectional port sees any kind of incoming traffic, the port returns to the bidirectional (default) state and the spanning-tree state is moved to the blocking state where both the incoming and outgoing traffic are dropped. The authenticator system on the port moves the port into the initialize state and no traffic is allowed other than the EAPOL packet exchanges. When the port is returned to the bidirectional state, a 5-minute timer is started and if the port is not authenticated before the timer runs out, the port switches back to a unidirectional port.
Bidirectional State
When you configure a port as a bidirectional port (both keyword) and set the port to auto using the set port dot1x mod/port port-control auto command, the port is access controlled in both directions. This state disables the reception of any incoming packets and the transmission of outgoing packets on the port. When the port is configured as a bidirectional port, it behaves as it did in software releases prior to release 8.3(1); the port is in the spanning-tree blocking state and the normal authentication process is followed.
Configuration Guidelines
This section provides the guidelines for configuring 802.1X unidirectional ports:
•
•
•
Using the CLI to Configure an 802.1X Unidirectional or Bidirectional Port
If you specify the in keyword, all the incoming traffic is dropped and the outgoing traffic is allowed. If you specify the both keyword (the default), all the receiving traffic and transmitting traffic on the port is dropped. To configure a port as an 802.1X unidirectional port or bidirectional port, perform this task in privileged mode:
Configure a port as an 802.1X unidirectional port or bidirectional port.
set port dot1x mod/port port-control-direction [both | in]
These examples show how to set a port to unidirectional or bidirectional states and verify the configuration:
Console> (enable) set port dot1x 3/1 port-control-direction bothPort 3/1 Port Control Direction set to Both.Console> (enable) set port dot1x 3/1 port-control-direction inPort 3/1 Port Control Direction set to In.Console> (enable) show port dot1x 3/1Port Auth-State BEnd-State Port-Control Port-Status----- ------------------- ---------- ------------------- -------------3/1 connecting idle auto unauthorizedPort Port-Mode Re-authentication Shutdown-timeout Control-Modeadmin oper----- ------------- ----------------- ---------------- ---------------3/1 SingleAuth enabled disabled In BothConsole> (enable)Configuring 802.1X with ACL Assignments
These sections describe how to configure 802.1X with ACL assignments:
•
•
•
Overview
When you configure 802.1X with ACL assignments, the identity-based ACLs are used to dynamically assign an access control policy to an interface that is based on the user's 802.1X authentication. This feature restricts the users to certain network segments, limits the access to the sensitive servers, and restricts the protocols and applications that may be used. This feature also allows you to provide very specific identity-based security without compromising user mobility or significantly increasing the administrative overhead.
When you configure 802.1X with ACL assignments, you eliminate the problem of creating, modifying, and removing the access control policies that are based on the IP/MAC addresses whenever the user's physical location changes in the network. This feature allows you to create the identity-based security access policies rather than the VLAN-based policies (VACLs) or the port-based policies (PACLs) without compromising user mobility. With this feature, the user does not have to rely on the network administrator to enforce the access policy changes whenever the user's physical location and/or connection to the network changes.
The new group group_name keyword is used to classify the policy as a group. A group is a set of users (their IP addresses) to which the policy applies. Prior to this feature, if you wanted to permit the IP access to a set of users, you had to specify each user's IP address in the ACL ACE and there could only be one IP address per ACE. With this new feature, you specify a group_name in the ACE, such as set security acl ip grpacl permit ip group ip-permit-group any, where the ip-permit-group is a group and all the users that are part of that group are authenticated. After a successful user authentication and after the user's IP address is obtained, if the user is part of the group, the user's IP address is added to the group and a new ACE is created and installed in the hardware (PFC). The ACL grows and shrinks dynamically upon user authentication and logoff; the ACL is dynamic and the policy is installed only for the authenticated and valid users.
When you configure 802.1X with ACL assignments, you can automatically configure the QoS ACLs and VACLs to a user once the user is authenticated. The RADIUS server sends a QoS VLAN-based ACL, QoS port-based ACL, or VACL policy name with the authentication success packet. The policy that is associated with the policy name is already configured on the switch through the CLI. The policy is converted into a set of ACEs and then installed on the switch.
You can apply the ACLs to an IP address. Because the 802.1X authentication is done on a username and can be tied to a MAC address—but the IP address is not known at the time of authentication (DHCP is started by the host only after a successful authentication)—the ACE installation occurs only after the IP address is known either through DHCP snooping or dynamic ARP inspection.
When you configure 802.1X with ACL assignments, you perform these two main configuration tasks:
•
•
After you configure the 802.1X ACL assignments, the switch does the following:
•
•
•
802.1X with ACL Assignments Configuration Guidelines
This section provides the guidelines for configuring 802.1X with ACL assignments:
•
•
•
•
•
•
Using the CLI to Configure 802.1X with ACL Assignments
Note
To configure 802.1X with ACL assignments, perform this task in privileged mode:
This example shows how to specify a group name for an 802.1X group and verify that the group was configured:
Console> (enable) set security acl ip grpacl permit ip group ip-permit-group anygrpacl editbuffer modified. Use 'commit' command to apply changes.Console> (enable) commit security acl grpaclACL commit in progress.ACL 'grpacl' successfully committed.Console> (enable)Console> (enable) show dot1x group allGroup Manager InfoCurrent Group Count = 1-------------------------------------------------------------Info of Group ip-permit-groupUser Count = 0Console> (enable)Configuring 802.1X with QoS ACLs
These sections describe how to configure 802.1X with QoS ACLs:
•
•
•
The RADIUS server sends a policy name to the 802.1X client. The policy is already defined and committed on the switch. The user is able to fully utilize all existing QoS features when defining the QoS policy. The 802.1X client interacts with the QoS subsystem and applies the policy on an interface after authentication has been made. The policy is removed when the authenticated client leaves the interface. If 802.1X has attached a policy to an interface, it is still possible for you to unmap the policy directly through the switch CLI.
802.1X with QoS ACLs Configuration Guidelines
This section describes the guidelines for configuring 802.1X with QoS ACLs:
•
•
•
•
•
•
•
Note
802.1X with QoS ACLs Configuration Example
In the following example, QoS is enabled and an 802.1X QoS policy (Dot1xDscp5Policy) is created. The policy is then committed. The same policy name (Dot1xDscp5Policy) is then configured on the RADIUS server. After a period of time, you can see that the policy is applied to port 3/1 after 802.1X has authenticated a client and applied the policy. You can see that the policy mapping is not found in the configuration (config) display of the mapping command: it is found only in the run-time configuration.
The AV-pairs at the RADIUS server require the following input—qos:inpacl=Dot1xDscp5Policy. After supplicant authentication on port 3/1, the QoS run-time mapping to port 3/1 occurs.
The other options for the AV-pairs are as follows—qos:invacl=<policy-name> and qos:outpacl=<policy-name>.
If the policy name in the AV-pairs does not match a policy name in the switch, the supplicant is not authenticated.
Console> (enable) set qos enableQoS is enabled.Console> (enable) set qos acl ip Dot1xDscp5Policy dscp 5 anyDot1xDscp5Policy editbuffer modified. Use 'commit' command to apply changes.Console> (enable) commit qos acl allQoS ACL 'Dot1xDscp5Policy' successfully committed.Console> (enable) show qos acl map config Dot1xDscp5PolicyQoS ACL mappings on input side:ACL name Type Vlans-------------------------------- ---- ---------------------------------Dot1xDscp5Policy IPACL name Type Ports-------------------------------- ---- ---------------------------------Dot1xDscp5Policy IPQoS ACL mappings on output side:ACL name Type Vlans-------------------------------- ---- ---------------------------------Dot1xDscp5Policy IPConsole> (enable)<<< Dot1x Authenticates a client on 3/1 and applies Dot1xDscp5Policy >>>Console> (enable) show qos acl map runtime Dot1xDscp5PolicyQoS ACL mappings on input side:ACL name Type Vlans-------------------------------- ---- ---------------------------------Dot1xDscp5Policy IPACL name Type Ports-------------------------------- ---- ---------------------------------Dot1xDscp5Policy IP 3/1QoS ACL mappings on output side:ACL name Type Vlans-------------------------------- ---- ---------------------------------Dot1xDscp5Policy IPConsole> (enable) show qos acl map config Dot1xDscp5PolicyQoS ACL mappings on input side:ACL name Type Vlans-------------------------------- ---- ---------------------------------Dot1xDscp5Policy IPACL name Type Ports-------------------------------- ---- ---------------------------------Dot1xDscp5Policy IPQoS ACL mappings on output side:ACL name Type Vlans-------------------------------- ---- ---------------------------------Dot1xDscp5Policy IPConsole> (enable)This example shows that the dynamic QoS policy information is displayed using the show qos acl map command. When you use the runtime keyword, you can see which dynamic policies have been applied to which interfaces. The config keyword does not show the dynamic QoS policy mapping.
Console> (enable) show qos acl map config Dot1xDscp5PolicyQoS ACL mappings on input side:ACL name Type Vlans-------------------------------- ---- ---------------------------------Dot1xDscp5Policy IPACL name Type Ports-------------------------------- ---- ---------------------------------Dot1xDscp5Policy IPQoS ACL mappings on output side:ACL name Type Vlans-------------------------------- ---- ---------------------------------Dot1xDscp5Policy IPConsole> (enable) show qos acl map runtime Dot1xDscp5PolicyQoS ACL mappings on input side:ACL name Type Vlans-------------------------------- ---- ---------------------------------Dot1xDscp5Policy IPACL name Type Ports-------------------------------- ---- ---------------------------------Dot1xDscp5Policy IP 3/1QoS ACL mappings on output side:ACL name Type Vlans-------------------------------- ---- ---------------------------------Dot1xDscp5Policy IPConsole> (enable)Configuring the RADIUS Server
Using Cisco Secure Access Control Server (ACS) 3.x or higher, you need to configure the QoS policy name associated with an authenticated client. To configure the RADIUS server, perform these steps from the ACS home page:
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
The AV-pair box appears for every user. Check the box and then type the AV-pair strings in the window. The strings in this case represent the QoS policy name that you wish to associate with each user. If you are sending multiple AV-pair strings, you need to separate them with a new line so that each AV-pair is sent as a different 26/9/1 attribute.
Configuring 802.1X User Distribution
When you configure 802.1X user distribution, you can distribute the users that have the same group name across multiple VLANs. Before software release 8.3(1), the RADIUS VLAN assignment feature that was supported by 802.1X took the VLAN number that was obtained from the RADIUS server and added all the users to that VLAN. With software release 8.3(1) and later releases, you can load balance the 802.1X-authenticated users that are configured under one group name by distributing them evenly between the VLANs.
Use these two methods to load balance the users between the different VLANs. The VLANs are either supplied by the RADIUS server or configured under a VLAN group name through the switch CLI:
•
•
802.1X User Distribution Configuration Guidelines
This section provides the guidelines for configuring the 802.1X user distribution feature:
•
•
•
•
•
•
•
Using the CLI to Configure 802.1X User Distribution
To configure a VLAN group and map a VLAN to it, perform these tasks in privileged mode:
This example shows how to configure the VLAN groups, map the VLANs to the groups, and verify that the VLAN groups were configured and mapped to the specified VLANs:
Console> (enable) set dot1x vlan-group eng-dept 10Vlan group name eng-dept is successfully configured and mapped to vlan 10Console> (enable) set dot1x vlan-group hr-dept 20Vlan group name hr-dept is successfully configured and mapped to vlan 20Console> (enable) show dot1x vlan-group eng-deptGroup Name Vlans Mapped------------- --------------eng-dept 10Console> (enable) show dot1x vlan-group allGroup Name Vlans Mapped------------- --------------eng-dept 10hr-dept 20Console> (enable)This example shows how to add a VLAN to an existing VLAN group and verify that the VLAN was added:
Console> (enable) set dot1x vlan-group eng-dept 30Vlan 30 is successfully mapped to vlan group eng-dept.Console> (enable) show dot1x vlan-group eng-deptGroup Name Vlans Mapped------------- --------------eng-dept 10,30Console> (enable)This example shows how to clear a VLAN from a VLAN group:
Console> (enable) clear dot1x vlan-group eng-dept 10Vlan 10 is successfully cleared from vlan group eng-dept.Console> (enable)This example shows that when all the VLANs are cleared from a VLAN group, the VLAN group is cleared:
Console> (enable) clear dot1x vlan-group eng-dept 30Vlan 30 is successfully cleared from vlan group eng-dept.Warning: No more vlans mapped to this group, vlan group is cleared.Console> (enable) show dot1x vlan-group eng-deptVlan group eng-dept doesn't exist, can not display.Console> (enable)This example shows how to clear all the existing VLAN groups:
Console> (enable) clear dot1x vlan-group allConsole> (enable) show dot1x vlan-group allNo vlan groups are present for display.Console> (enable)Enabling and Disabling 802.1X RADIUS Accounting and Tracking
You can use 802.1X RADIUS accounting and tracking to send the 802.1X user accounting information to the RADIUS server. The feature uses UDP port number 1813.
An 802.1X accounting packet can indicate the following information to the RADIUS server:
•
•
•
•
•
The attributes of the accounting packets are as follows (some attributes are optional):
•
•
•
–
–
–
•
The accounting packet format is as follows:
<NAS-IP> <user-id> <date> <time> <random16bit#>An example of the accounting packet format is as follows:
9.9.150.140 rameshp 31/07/2003 12:40:00 12345The attributes listed above are common regardless of the ACCT-STATUS-TYPE attribute (for START/STOP/INTERIM).
These attributes are specific to the INTERIM updates:
•
•
CISCO-AV-PAIRS sent along with the above attribute in "Interim Accounting Request" are as follows:
–
–
The type is "device local" when the RADIUS server does not send a VLAN. In that case, the administratively-configured port VLAN is the VLAN for the user. If the RADIUS server sent the VLAN, the type is "RADIUS assigned."
These attributes are specific to the STOP packets:
•
•
–
–
Using the CLI to Enable and Disable 802.1X RADIUS Accounting and Tracking
To enable or disable 802.1X RADIUS accounting and tracking globally, perform this task in privileged mode (the default is disabled):
Enable or disable 802.1X RADIUS accounting and tracking globally.
set dot1x radius-accounting {enable | disable}
This example shows how to enable or disable 802.1X RADIUS accounting and tracking globally:
Console> (enable) set dot1x radius-accounting enabledot1x radius-accounting enabled.Console> (enable) set dot1x radius-accounting disabledot1x radius-accounting disabled.Console> (enable)Enabling and Disabling RADIUS Keepalive
Use the set radius-keepalive enable command to check if configured RADIUS servers are alive. When the command is enabled, the switch sends out a test username for authentication. In reply to the test username, the RADIUS servers send an access rejection. To turn off authentication attempts that test the RADIUS servers, enter the set radius-keepalive disable command. If you disable this feature, the switch does not check the status of the servers, and the RADIUS server logs do not record the test attempts.
Note
To enable or disable the RADIUS keepalive feature, perform this task in privileged mode (the default is enabled):
Enable or disable the RADIUS keepalive feature.
set radius keepalive {enable | disable}
This example shows how to globally enable the RADIUS keepalive feature:
Console> (enable) set radius keepalive enableRadius Keepalive enabled.Console> (enable)To set the RADIUS keepalive time in seconds, perform this task in privileged mode (the default is 60 seconds):
Set the RADIUS keepalive time. The time can be set from 1-6,000 seconds. The default is 60 seconds.
set radius keepalive time seconds
This example shows how to set the RADIUS keepalive time:
Console> (enable) set radius keepalive time 120Radius keepalive time set to 120 seconds.Console> (enable)Configuring the Authenticated Identity-to-Port Description Mappings
You can use authenticated identity-to-port description mapping to assign a port name to the 802.1X port based on the information that is received from the RADIUS server. This feature uses an AV-pair "Supplicant Name" to uniquely assign a port name for an authenticated user. Currently, there is support only for the Cisco-supported AV-pairs that are sent from the authentication server; the other vendor-specific AV-pairs are ignored.
Enter the show port dot1x name-mapping command to display the name of the port that is received from the RADIUS server. If the switch receives an authenticated port name that is greater than or equal to 20 characters, the name is truncated to 19 characters and a # sign is appended to the name (allowing a total of 20 characters that is compatible with the set port name command). When you enter the set port name command, the end result is the same as if you had used the authenticated identity-to-port description mapping; the difference is that this feature assigns the name dynamically upon 802.1X authentication. An example of a dynamically assigned port name is as follows:
Console> (enable) show port dot1x name-mapping 5/1Port Port Name 802.1X Port Name---- ------------------ ------------------5/1 Cube-C1/2 User1Configuring the DNS Resolution for a RADIUS Server Configuration
When you configure the DNS resolution for a RADIUS server, you can configure the RADIUS server using a DNS name in addition to the IP addresses. The switch automatically resolves the DNS name using a DNS server that is configured to associate a DNS name with an IP address. The configured DNS name can coexist with the other IP addresses that are configured as primary or secondary. The DNS name is stored in NVRAM. You must enable the RADIUS keepalive feature for the DNS resolution to work. DNS resolution allows you to modify the IP address of the RADIUS server transparently without the knowledge of the switch. The switch can then resolve the DNS name with the modified IP address.
The switch resolves the DNS name a second time (reresolution) to the IP address during the initial configuration of the DNS name, when 802.1X is disabled and enabled, during the 802.1X port authentication, or if the request to the RADIUS server times out. The reresolution checks if the DNS name-to-IP address mapping is changed on the DNS server side.
Enter the show config or show radius commands to display the DNS name if the DNS name is configured in place of an IP address for the RADIUS server. You can configure a maximum of three RADIUS servers. To display the configured RADIUS server parameters, enter the show radius command as follows:
Console> (enable) show radiusRADIUS Deadtime: 0 minutesRADIUS Key: ciscoRADIUS Retransmit: 2RADIUS Timeout: 5 secondsFramed-Ip Address Transmit: DisabledRADIUS-Server Status Auth-port Acct-port Resolved IP Address-------------------------------- ------- --------- --------- -------------------9.9.150.16 primary 1812 1813cat6k-sup2 1812 1813 9.9.150.20cat6k-sup3 1812 1813 9.9.150.21Console> (enable)Configuring the Authentication Failure VLAN
On a traditional 802.1X port, the switch does not provide access to the network until the supplicant that is connected to the port is authenticated by verifying its identity information with an authentication server. With the authentication failure VLAN feature, you can configure the authentication failure VLAN on a per-port basis and that after three failed 802.1X authentication attempts by the supplicant, the port is moved to the authentication failure VLAN where the supplicant can access the network.
Note
An authentication failure VLAN is independent of a guest VLAN. However, the guest VLAN can be the same VLAN as the authentication failure VLAN. If you do not want to differentiate between the non-802.1X capable hosts and the authentication failed hosts, you may configure both hosts to the same VLAN (either a guest VLAN or an authentication failure VLAN).
For more information, see the "Understanding How 802.1X Authentication for the Guest VLAN Works" section.
Authentication Failure VLAN Configuration Guidelines and Restrictions
This section describes the configuration guidelines and restrictions for configuring the authentication failure VLAN:
•
•
•
•
•
•
•
Note
•
•
•
•
Creating an Authentication Failure VLAN and Adding 802.1X Ports
To create an authentication failure VLAN and add 802.1X ports to the VLAN, perform this task in privileged mode:
Create an authentication failure VLAN and add 802.1X ports to the VLAN.
set port dot1x mod/ports auth-fail-vlan {none | vlan}
This example shows how to create the authentication failure VLAN (VLAN 81) and add port 3/33:
Console> (enable) set port dot1x 3/33 auth-fail-vlan 81Port 3/33 Auth Fail Vlan is set to 81Console> (enable)This example shows how to display the authentication failure VLAN configuration:
Console> (enable) show port dot1x auth-fail-vlanAuth-Fail-Vlan Status Mod/Ports-------------- -------- ------------------81 active 3/33none none 1/1-2,2/1-2,3/1-32,3/34-48Console> (enable)This example shows how to clear a port from an authentication failure VLAN:
Console> (enable) set port dot1x 3/33 auth-fail-vlan nonePort 3/33 Auth Fail Vlan is clearedConsole> (enable)This example shows how to list the active users and ports in an authentication failure VLAN:
Console> (enable) show dot1x auth-fail-usersUsername Mod/Port Auth-Fail-Vlan-------- -------- --------------testuser 3/33 81Console> (enable)Configuring a RADIUS Server Failover
Before software release 8.4(1), when the active RADIUS server went down or was unreachable, the 802.1X authentication timed out before the backup RADIUS server could become active. With software release 8.4(1) and later releases, some RADIUS server timer values are now configurable and the show radius command has been enhanced to show the active RADIUS server.
Enter the following commands to prevent a RADIUS server failover:
•
Console> (enable) set dot1x max-req 8dot1x max-req set to 8.Console> (enable)•
Console> (enable) set dot1x server-timeout 100dot1x server-timeout set to 100 seconds.Console> (enable)Ener the show radius command to display the RADIUS server configuration and to show which RADIUS server is active as follows:
Console> (enable) show radiusActive RADIUS Server: 81.81.81.20RADIUS Deadtime: 1 minutesRADIUS Key: ciscoRADIUS Retransmit: 2RADIUS Timeout: 5 secondsFramed-Ip Address Transmit: DisabledRADIUS-Server Status Auth-port Acct-port Resolved IP Address-------------------------------- ------- --------- --------- -------------------81.81.81.20 primary 1812 181310.6.89.200 1812 181310.6.98.35 1812 1813Console> (enable)Configuring 802.1X Authentication with Private VLANs
Note
These sections describe how to configure 802.1X authentication with private VLANs:
•
Overview
Private VLANs provide a subnet conservation mechanism that allows a port to be conditionally operational in a VLAN pair without trunking. A private VLAN is composed of an associated primary VLAN and a secondary VLAN. A primary VLAN can participate in multiple private VLANs, with each primary VLAN having a different secondary VLAN associated with it. A secondary VLAN must belong to only one private VLAN. The secondary VLAN must be associated with only one primary VLAN. Secondary VLAN types are community, isolated, and two-way.
Before software release 8.6(1), an 802.1X port could not be configured in a private VLAN and a private VLAN port could not participate in 802.1X. With software release 8.6(1) and later releases, you can enable isolated private VLANs for 802.1X ports that are assigned to a guest VLAN through 802.1X authentication.
With guest VLANs, you might have ports from different customers residing in the same guest VLAN if the supplicant is identified as incapable of 802.1X before becoming 802.1X capable. With this behavior, the traffic from one customer might be accessible to every other customer. To avoid this situation, you can select different guest VLANs for each port; however, this action consumes multiple VLANs. With the isolated private VLAN approach, you can configure multiple ports in a VLAN pair and suppress the traffic interchange between the ports in the same secondary VLAN.
Port VLANs and 802.1X VLANs
With 802.1X, a port can be in a preauthenticated or post-authenticated state. In both states, the port is associated with a VLAN. The VLANs are referred to as the port VLAN and the 802.1X VLAN. The port VLAN is the VLAN of the port before a new VLAN has been assigned by 802.1X. The 802.1X VLAN of the port is the VLAN that is assigned to the port by 802.1X. The port operates in its port VLAN if it has not been enabled for 802.1X. Once the port is enabled for 802.1X, the port continues to be associated with its port VLAN although it stops forwarding traffic on the port VLAN. Once 802.1X assigns a new VLAN to the port, the port becomes operationally associated with the new VLAN (the 802.1X VLAN). If no VLAN is supplied by the RADIUS server, the port becomes operational in its port VLAN. A summary of port VLAN and 802.1X VLAN behavior follows:
•
–
–
–
–
–
•
–
–
Configuration Guidelines
This section provides the guidelines for configuring 802.1X authentication with private VLANs:
•
•
–
–
If any of the checks fail, an error message is generated and the port is not placed in the private VLAN.
•
•
•
Configuring 802.1X Authentication with Private VLANs
These sections describe and provide examples on configuring 802.1X authentication with private VLANs:
•
•
•
•
•
Creating Private VLANs
This example shows how to create private VLANs:
Console> (enable) set vlan 800 pvlan-type primaryVTP advertisements transmitting temporarily stopped,and will resume after the command finishes.Vlan 800 configuration successfulConsole> (enable) set vlan 801 pvlan-type communityVTP advertisements transmitting temporarily stopped,and will resume after the command finishes.Vlan 801 configuration successfulConsole> (enable) set pvlan 800 801Host mode set to enable for portsBPDU guard set to enable for portsTrunk mode set to off for portsSuccessfully set association between 800 and 801.Console> (enable) set vlan 400 pvlan-type primaryVTP advertisements transmitting temporarily stopped,and will resume after the command finishes.Vlan 400 configuration successfulConsole> (enable) set vlan 401 pvlan-type isolatedVTP advertisements transmitting temporarily stopped,and will resume after the command finishes.Vlan 401 configuration successfulConsole> (enable) set pvlan 400 401Host mode set to enable for portsBPDU guard set to enable for portsTrunk mode set to off for portsSuccessfully set association between 400 and 401.Console> (enable) set vlan 200 pvlan-type primaryVTP advertisements transmitting temporarily stopped,and will resume after the command finishes.Vlan 200 configuration successfulConsole> (enable) set vlan 201 pvlan-type twoway-communityVTP advertisements transmitting temporarily stopped,and will resume after the command finishes.Vlan 201 configuration successfulConsole> (enable) set pvlan 200 201Host mode set to enable for portsBPDU guard set to enable for portsTrunk mode set to off for portsSuccessfully set association between 200 and 201.Console> (enable)Verifying the Private VLAN Configuration
This example shows how to verify the private VLAN configuration:
Console> (enable) show pvlanPrimary Secondary Secondary-Type Ports------- --------- ---------------- ------------200 201 twoway-community400 401 isolated800 801 communityConsole> (enable)Verifying the Pre-802.1X Port Settings
This example shows how to verify the pre-802.1X port settings:
Console> (enable) show port 2/2* = Configured MAC Address# = 802.1X Authenticated Port Name.Port Name Status Vlan Duplex Speed Type----- -------------------- ---------- ---------- ------ ----------- ------------2/2 connected 999 a-half a-10 10/100BaseTXPort AuxiliaryVlan AuxVlan-Status----- ------------- --------------2/2 none nonePort Security Violation Shutdown-Time Age-Time Max-Addr Trap IfIndex----- -------- --------- ------------- -------- -------- -------- -------2/2 disabled shutdown 0 0 1 disabled 61Port Flooding on Address Limit Last-Src-Addr Vlan TimerType----- ------------------------- ----------------- ---- ----------2/2 Enabled - - AbsolutePort Num-Addr Secure-Src-Addr Vlan Age-Left Shutdown/Time-Left----- -------- ----------------- ---- -------- ------------------2/2 0 - - - - -Port 802.1X Auth-State 802.1X Port-Status----- ------------------ ------------------2/2 force-authorized authorizedPort Broadcast-Limit Multicast Unicast Total-Drop Action-------- --------------- --------- ------- -------------------- ------------2/2 - - - 0 drop-packetsPort Send FlowControl Receive FlowControl RxPause TxPauseadmin oper admin oper----- -------- -------- --------- --------- ---------- ----------2/2 off off off off 0 0Port Status Channel Admin ChMode Group Id----- ---------- -------------------- ----- -----2/2 connected off 2 0Port Status ErrDisable Reason Port ErrDisableTimeout Action on Timeout---- ---------- ------------------- ---------------------- -----------------2/2 connected - Enable No ChangePort Align-Err FCS-Err Xmit-Err Rcv-Err UnderSize----- ---------- ---------- ---------- ---------- ---------2/2 0 0 0 0 0Port Single-Col Multi-Coll Late-Coll Excess-Col Carri-Sen Runts Giants----- ---------- ---------- ---------- ---------- --------- --------- ---------2/2 3 3 0 3 0 0 0Port Last-Time-Cleared----- --------------------------2/2 Mon Oct 3 2005, 12:42:26Idle Detection----------------Console> (enable) show port dot1x 2/2Port Auth-State BEnd-State Port-Control Port-Status----- ------------------- ---------- ------------------- -------------2/2 force-authorized idle force-authorized authorizedPort Port-Mode Re-authentication Shutdown-timeout Control-Modeadmin oper----- ------------- ----------------- ---------------- ---------------2/2 SingleAuth disabled disabled Both BothPort Posture-Token Critical Termination action Session-timeout----- ------------- -------- ------------------ ---------------2/2 - NO NoReAuth -Console> (enable)Assigning Private VLANs to 802.1X
This example shows how to assign private VLANs to 802.1X:
Console> (enable) set port dot1x 2/2 port-control autoPort 2/2 dot1x port-control is set to auto.Trunking disabled for port 2/2 due to Dot1x feature.Spantree port fast start option enabled for port 2/2.Console> (enable) set port dot1x 2/2 initializePort 2/2 dot1x initializing ...Console> (enable) set port dot1x 2/2 port-control autoPort 2/2 dot1x port-control is set to auto.Trunking disabled for port 2/2 due to Dot1x feature.Spantree port fast start option enabled for port 2/2.Console> (enable) set port dot1x 2/2 initializePort 2/2 dot1x initializing ...Console> (enable) set port dot1x 2/2 guest-vlan 401Port 2/2 Guest Vlan is set to 401Console> (enable) set port dot1x 2/2 auth-fail-vlan 201Port 2/2 Auth Fail Vlan is set to 201Console> (enable)Verifying the Config-Time 802.1X Private VLAN Settings
This example shows how to verify the config-time 802.1x private VLAN settings:
Console> (enable) show port 2/2* = Configured MAC Address# = 802.1X Authenticated Port Name.Port Name Status Vlan Duplex Speed Type----- -------------------- ---------- ---------- ------ ----------- ------------2/2 connected 999 a-half a-10 10/100BaseTX<...snip...>Console> (enable) show port dot1x 2/2Port Auth-State BEnd-State Port-Control Port-Status----- ------------------- ---------- ------------------- -------------2/2 connecting idle auto unauthorized<...snip...>Console> (enable) show pvlanPrimary Secondary Secondary-Type Ports------- --------- ---------------- ------------200 201 twoway-community400 401 isolated800 801 communityConsole> (enable)Verifying the Run-Time 802.1X-Assigned Private VLAN Settings
This example shows how to verify the run-time 802.1X-assigned private VLAN settings:
Console> (enable) show port dot1x guest-vlanGuest-Vlan Status Mod/Ports------------- -------- ------------------401 active 2/2none none 2/1,2/3-48,3/1-48,5/1-2Console> (enable) show port dot1x auth-fail-vlanAuth-Fail-Vlan Status Mod/Ports-------------- -------- ------------------201 active 2/2none none 2/1,2/3-48,3/1-48,5/1-2Console> (enable)Example1: Guest VLAN is an isolated private VLAN (VLANs 400, 401)
Console> (enable) show port 2/2* = Configured MAC Address# = 802.1X Authenticated Port Name.Port Name Status Vlan Duplex Speed Type----- -------------------- ---------- ---------- ------ ----------- ------------2/2 connected guest-400,401 a-half a-10 10/100BaseTX<...snip...>Console> (enable) show port dot1x 2/2Port Auth-State BEnd-State Port-Control Port-Status----- ------------------- ---------- ------------------- -------------2/2 guest-vlan idle auto authorized<...snip...>Console> (enable) show pvlanPrimary Secondary Secondary-Type Ports------- --------- ---------------- ------------200 201 twoway-community400 401 isolated 2/2800 801 communityConsole> (enable)
Example 2: 802.1X authentication failure VLAN is a two-way community private VLAN (VLANs 200, 201)
Console> (enable) show port 2/2* = Configured MAC Address# = 802.1X Authenticated Port Name.Port Name Status Vlan Duplex Speed Type----- -------------------- ---------- ---------- ------ ----------- ------------2/2 connected fail-200,201 a-half a-10 10/100BaseTX<...snip...>Console> (enable) clear port dot1x 2/2dot1x port statistics cleared successfully for portConsole> (enable) show port dot1x 2/2Port Auth-State BEnd-State Port-Control Port-Status----- ------------------- ---------- ------------------- -------------2/2 auth-fail idle auto authorized<...snip...>Console> (enable) show pvlanPrimary Secondary Secondary-Type Ports------- --------- ---------------- ------------200 201 twoway-community 2/2400 401 isolated800 801 communityConsole> (enable)Example 3: 802.1X RADIUS-supplied VLAN is a community private VLAN (VLANs 800, 801)
Console> (enable) show port 2/2* = Configured MAC Address# = 802.1X Authenticated Port Name.Port Name Status Vlan Duplex Speed Type----- -------------------- ---------- ---------- ------ ----------- ------------2/2 connected dot1x-800,801 a-half a-10 10/100BaseTXPort AuxiliaryVlan AuxVlan-Status----- ------------- --------------2/2 none nonePort Security Violation Shutdown-Time Age-Time Max-Addr Trap IfIndex----- -------- --------- ------------- -------- -------- -------- -------2/2 disabled shutdown 0 0 1 disabled 61Port Flooding on Address Limit Last-Src-Addr Vlan TimerType----- ------------------------- ----------------- ---- ----------2/2 Enabled - - AbsolutePort Num-Addr Secure-Src-Addr Vlan Age-Left Shutdown/Time-Left----- -------- ----------------- ---- -------- ------------------2/2 0 - - - - -<...snip...>Console> (enable) show port dot1x 2/2Port Auth-State BEnd-State Port-Control Port-Status----- ------------------- ---------- ------------------- -------------2/2 authenticated idle auto authorized<...snip...>Console> (enable) show pvlanPrimary Secondary Secondary-Type Ports------- --------- ---------------- ------------200 201 twoway-community400 401 isolated800 801 community 2/2Console> (enable)Using the show Commands
Use these show commands to access the information about 802.1X authentication and its configuration:
•
•
•
•
•
To display the usage options for the show port dot1x command, perform this task in normal mode:
This example shows how to display the usage options for the show port dot1x command:
Console> (enable) show port dot1x ?guest-vlan Show Port guest vlan informationstatistics Show statistic information<mod> Module number<mod/port> Module number and Port number(s)| Output modifiers<cr>To display the values for all the parameters that are associated with the authenticator PAE and back-end authenticator on a specific port on a specific module, perform this task in normal mode:
This example shows how to display the values for all the parameters that are associated with the authenticator PAE and back-end authenticator on port 1 on module 3:
Console> (enable) show port dot1x 3/1Port Auth-State BEnd-State Port-Control Port-Status----- ------------------- ---------- ------------------- -------------3/1 connecting idle auto unauthorizedPort Port-Mode Re-authentication Shutdown-timeout Control-Modeadmin oper----- ------------- ----------------- ---------------- ---------------3/1 SingleAuth enabled disabled In BothConsole> (enable)To display the statistics for the different types of EAP frames that are transmitted and received by the authenticator on a specific port on a specific module, perform this task in normal mode:
This example shows how to display the statistics for the different types of EAP frames that are transmitted and received by the authenticator on port 1 on module 3:
Console> (enable) show port dot1x statistics 3/1Port Tx_Req/Id Tx_Req Tx_Total Rx_Start Rx_Logoff Rx_Resp/Id Rx_Resp----- --------- ------ -------- -------- --------- ---------- -------3/1 43 0 43 0 0 0 0Port Rx_Invalid Rx_Len_Err Rx_Total Last_Rx_Frm_Ver Last_Rx_Frm_Src_Mac----- ---------- ---------- -------- --------------- -------------------3/1 2 0 2 0 00-00-00-00-00-00Console> (enable)To display the global 802.1X parameters, perform this task in normal mode:
Display the PAE capabilities, protocol version, system-auth-control, and other global dot1x parameters.
show dot1x
This example shows how to display the global 802.1X parameters:
Console> (enable) show dot1xPAE Capability Authenticator OnlyProtocol Version 1system-auth-control enabledmax-req 2quiet-period 60 secondsradius-accounting disabledradius-vlan-assignment enabledradius-keepalive state enabledre-authperiod 7200 secondsserver-timeout 30 secondsshutdown-timeout 300 secondssupp-timeout 30 secondstx-period 30 secondsConsole> (enable)To display the 802.1X authenticated MAC addresses, perform this task in normal mode:
This example shows how to display the 802.1X authenticated MAC addresses. In this example, both 802.1X and port security are enabled:
Console> (enable) show cam static 8/17* = Static Entry. + = Permanent Entry. # = System Entry. R = Router Entry.X = Port Security Entry $ = Dot1x Security EntryVLAN Dest MAC/Route Des [CoS] Destination Ports or VCs / [Protocol Type]---- ------------------ ----- -------------------------------------------12 00-40-ca-13-ae-bf $ 8/1717 00-30-94-c2-c3-c1 X 8/17Total Matching CAM Entries Displayed =2Console> (enable)
