Catalyst 6500 Series Software Configuration Guide, 8.7
Configuring 802.1x Authentication

Table Of Contents

Configuring 802.1X Authentication

Understanding How 802.1X Authentication Works

Device Roles

Authentication Initiation and Message Exchange

Ports in Authorized and Unauthorized States

Authentication Server

802.1X Parameters Configurable on the Switch

Understanding How 802.1X VLAN Assignments Using a RADIUS Server Work

Understanding How 802.1X Authentication with DHCP Works

Understanding How 802.1X Authentication on Ports Configured for Auxiliary VLAN Traffic Works

Understanding How 802.1X Authentication for the Guest VLAN Works

Usage Guidelines for 802.1X Authentication with the Guest VLANs on Windows-XP Hosts

Understanding How 802.1X Authentication with Port Security Works

Understanding How 802.1X Authentication with ARP Traffic Inspection Works

Default Authentication Configuration

Authentication Configuration Guidelines

Configuring 802.1X Authentication on the Switch

Enabling 802.1X Authentication Globally

Disabling 802.1X Authentication Globally

Enabling 802.1X Authentication for Individual Ports

Enabling 802.1X with Inaccessible Authentication Bypass

Enabling Multiple 802.1X Authentications

Setting and Enabling Automatic Reauthentication of the Host

Manually Reauthenticating the Host

Enabling Multiple Hosts

Disabling Multiple Hosts

Setting the Quiet Period

Setting the Shutdown Timeout Period

Setting the Authenticator-to-Host Retransmission Time for EAP-Request/Identity Frames

Setting the Back-End Authenticator-to-Host Retransmission Time for the EAP-Request Frames

Setting the Back-End Authenticator-to-Authentication-Server Retransmission Time for the Transport Layer Packets

Setting the Back-End Authenticator-to-Host Frame-Retransmission Number

Setting the Critical Recovery Delay for an Authentication Feature

Resetting the 802.1X Configuration Parameters to the Default Values

Enabling 802.1X Authentication for the DHCP Relay Agent

Disabling 802.1X Authentication for the DHCP Relay Agent

Adding Hosts to an 802.1X Guest VLAN

Configuring an 802.1X Unidirectional Controlled Port

Unidirectional State

Bidirectional State

Configuration Guidelines

Using the CLI to Configure an 802.1X Unidirectional or Bidirectional Port

Configuring 802.1X with ACL Assignments

Overview

802.1X with ACL Assignments Configuration Guidelines

Using the CLI to Configure 802.1X with ACL Assignments

Configuring 802.1X with QoS ACLs

Configuring 802.1X User Distribution

802.1X User Distribution Configuration Guidelines

Using the CLI to Configure 802.1X User Distribution

Enabling and Disabling 802.1X RADIUS Accounting and Tracking

Using the CLI to Enable and Disable 802.1X RADIUS Accounting and Tracking

Enabling and Disabling RADIUS Keepalive

Configuring the Authenticated Identity-to-Port Description Mappings

Configuring the DNS Resolution for a RADIUS Server Configuration

Configuring the Authentication Failure VLAN

Authentication Failure VLAN Configuration Guidelines and Restrictions

Creating an Authentication Failure VLAN and Adding 802.1X Ports

Configuring a RADIUS Server Failover

Configuring 802.1X Authentication with Private VLANs

Overview

Port VLANs and 802.1X VLANs

Configuration Guidelines

Configuring 802.1X Authentication with Private VLANs

Using the show Commands


Configuring 802.1X Authentication


This chapter describes how to configure IEEE 802.1X authentication on the Catalyst 6500 series switches.


Note For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 6500 Series Switch Command Reference publication.



Note For information on configuring MAC address authentication bypass, see Chapter 41, "Configuring MAC Authentication Bypass."



Note For information on using port security to block input to an Ethernet, Fast Ethernet, or Gigabit Ethernet port when the MAC address of the station attempting to access the port is different from any of the MAC addresses that are specified for that port, see Chapter 38, "Configuring Port Security." That chapter also provides information on using port security to filter the traffic that is destined to or received from a specific host that is based on the host MAC address.



Note For information on configuring authentication, authorization, and accounting (AAA) to monitor and control access to the command-line interface (CLI) on the Catalyst 6500 series switches, see Chapter 39, "Configuring the Switch Access Using AAA."



Note For information on configuring Network Admission Control, see Chapter 44, "Configuring Network Admission Control."



This chapter consists of these sections:

Understanding How 802.1X Authentication Works

Default Authentication Configuration

Authentication Configuration Guidelines

Configuring 802.1X Authentication on the Switch

Understanding How 802.1X Authentication Works

802.1X defines a client-server-based access control and authentication protocol that restricts unauthorized devices from connecting to a LAN through publicly accessible ports. 802.1X controls network access by creating two distinct virtual access points at each port. One access point is an uncontrolled port; the other is a controlled port. All traffic through the single port is available to both access points. 802.1X authenticates each user device that is connected to a switch port and assigns the port to a VLAN before making available any services that are offered by the switch or the LAN. Until the device is authenticated, 802.1X access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the device is connected. After authentication is successful, normal traffic can pass through the port. You can restrict the traffic in both directions, or you can restrict just the incoming traffic.

These sections provide the following information:

Device Roles

Authentication Initiation and Message Exchange

Ports in Authorized and Unauthorized States

Authentication Server

802.1X Parameters Configurable on the Switch

Understanding How 802.1X VLAN Assignments Using a RADIUS Server Work

Understanding How 802.1X Authentication with DHCP Works

Understanding How 802.1X Authentication on Ports Configured for Auxiliary VLAN Traffic Works

Understanding How 802.1X Authentication for the Guest VLAN Works

Understanding How 802.1X Authentication with Port Security Works

Understanding How 802.1X Authentication with ARP Traffic Inspection Works

Device Roles

With 802.1X port-based authentication, the devices in the network have specific roles. (See Figure 40-1.)

Figure 40-1 802.1X Device Roles

Supplicant—Requests access to the LAN and switch services and responds to requests from the switch. The workstation must be running 802.1X-compliant software.


Note 802.1X uses the term supplicant for client or host. In this publication, we use host instead of supplicant because host is used in the Catalyst 6500 series CLI syntax.


Authentication server—Performs the actual authentication of the host. The authentication server validates the identity of the host and notifies the switch if the host is authorized to access the LAN and switch services. Because the switch acts as the proxy, the authentication service is transparent to the host. In this release, the Remote Authentication Dial-In User Service (RADIUS) security system with Extensible Authentication Protocol (EAP) extensions is the only supported authentication server; it is available in Cisco Secure Access Control Server version 3.0. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.

Switch—Controls the physical access to the network based on the authentication status of the host. The switch acts as an intermediary (proxy) between the host and the authentication server, requesting identity information from the host, verifying that information with the authentication server, and relaying a response to the host. The switch interacts with the RADIUS client. The RADIUS client encapsulates and decapsulates the EAP frames and interacts with the authentication server.

When the switch receives the Extensible Authentication Protocol over LAN (EAPOL) frames and relays them to the authentication server, the Ethernet header is stripped and the remaining EAP frame is reencapsulated in the RADIUS format. The EAP frames are not modified or examined during encapsulation, and the authentication server must support EAP within the native frame format. When the switch receives the frames from the authentication server, the server's frame header is removed, leaving the EAP frame, which is then encapsulated for Ethernet and sent to the host.

Authentication Initiation and Message Exchange

The switch or the host can initiate authentication. If you enable authentication on a port by using the set port dot1x mod/port port-control auto command, the switch must initiate authentication when it determines that the port link state transitions from down to up. The switch sends an EAP-request/identity frame to the host to request its identity (typically, the switch sends an initial identity/request frame that is followed by one or more requests for authentication information). When the host receives the frame, it sends an EAP-response/identity frame.

During bootup, if the host does not receive an EAP-request/identity frame from the switch, the host can initiate authentication by sending an EAPOL-start frame that prompts the switch to request the host's identity.


Note If 802.1X is not enabled or supported on the network access device, any of the EAPOL frames from the host are dropped. If the host does not receive an EAP-request/identity frame after three attempts to start authentication, the host transmits the frames as if the port is in the authorized state. A port that is in the authorized state means that the host has been successfully authenticated. For more information, see the "Ports in Authorized and Unauthorized States" section.


When the host supplies its identity, the switch acts as the intermediary, passing the EAP frames between the host and the authentication server until authentication succeeds or fails. If the authentication succeeds, the switch port becomes authorized. For more information, see the "Ports in Authorized and Unauthorized States" section.

The specific exchange of EAP frames depends on the authentication method that is being used. Figure 40-2 shows a message exchange that is initiated by the host using the One-Time-Password (OTP) authentication method with a RADIUS server.

Figure 40-2 Message Exchange
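The following Python example is added here for illustration; it is not part of this guide or of the switch software. It shows the relay step described above: the host's EAP-Response/Identity arrives inside an EAPOL frame, the switch strips the Ethernet and EAPOL headers, and the unmodified EAP packet is re-encapsulated in RADIUS EAP-Message attributes (and back again for the server's reply). The host MAC address and identity are constructed values.

```python
"""Added illustration (not from the Cisco guide, not switch code): how an
802.1X authenticator relays EAP between EAPOL on the host side and RADIUS
on the server side.  The host MAC and identity are constructed values."""
import struct
from typing import Optional, Tuple

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE group address

# EAPOL packet types (IEEE 802.1X)
EAPOL_EAP_PACKET = 0
EAPOL_START = 1
EAPOL_LOGOFF = 2

# EAP codes and the Identity method type (RFC 3748)
EAP_CODE_REQUEST = 1
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1

RADIUS_ATTR_EAP_MESSAGE = 79   # RFC 3579
RADIUS_ATTR_MAX_DATA = 253     # 255-octet attribute minus Type and Length


def build_eap(code: int, identifier: int, eap_type: int, data: bytes) -> bytes:
    """EAP packet: Code(1) Identifier(1) Length(2) Type(1) Type-Data."""
    return struct.pack("!BBHB", code, identifier, 5 + len(data), eap_type) + data


def build_eapol(src_mac: bytes, packet_type: int, body: bytes = b"") -> bytes:
    """Ethernet II frame carrying EAPOL: Version(1) Type(1) Body-Length(2) Body."""
    eapol = struct.pack("!BBH", 1, packet_type, len(body)) + body
    return PAE_GROUP_ADDR + src_mac + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


def extract_eap_from_eapol(frame: bytes) -> Optional[bytes]:
    """Switch side on receipt: strip the Ethernet and EAPOL headers.

    Returns the EAP packet for an EAPOL-EAP-Packet frame.  EAPOL-Start and
    EAPOL-Logoff carry no EAP packet (the switch acts on them itself), so
    None is returned for those.
    """
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    _version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if ptype != EAPOL_EAP_PACKET:
        return None
    if len(body) < 4:
        raise ValueError("EAP header truncated")
    eap_len = struct.unpack("!H", body[2:4])[0]
    if eap_len > len(body):
        raise ValueError("EAP length exceeds EAPOL body")
    return body[:eap_len]


def eap_to_radius_attrs(eap: bytes) -> bytes:
    """Re-encapsulate the EAP packet, unmodified, in EAP-Message attributes.

    A RADIUS attribute holds at most 253 octets of data, so a larger EAP
    packet is split across consecutive EAP-Message attributes.
    """
    out = b""
    for i in range(0, len(eap), RADIUS_ATTR_MAX_DATA):
        chunk = eap[i:i + RADIUS_ATTR_MAX_DATA]
        out += struct.pack("!BB", RADIUS_ATTR_EAP_MESSAGE, 2 + len(chunk)) + chunk
    return out


def radius_attrs_to_eap(attrs: bytes) -> bytes:
    """Server -> switch direction: join the EAP-Message attributes back together."""
    eap, pos = b"", 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute")
        if atype == RADIUS_ATTR_EAP_MESSAGE:
            eap += attrs[pos + 2:pos + alen]
        pos += alen
    return eap


def relay_identity_response(identity: bytes, host_mac: bytes) -> Tuple[bytes, bytes]:
    """Host -> switch -> RADIUS for EAP-Response/Identity.

    Returns (EAP packet recovered from the EAPOL frame, RADIUS attribute bytes).
    """
    eap = build_eap(EAP_CODE_RESPONSE, 1, EAP_TYPE_IDENTITY, identity)
    frame = build_eapol(host_mac, EAPOL_EAP_PACKET, eap)
    extracted = extract_eap_from_eapol(frame)
    return extracted, eap_to_radius_attrs(extracted)


if __name__ == "__main__":
    host_mac = bytes.fromhex("0011223344aa")               # constructed
    eap, attrs = relay_identity_response(b"alice@example.test", host_mac)
    print("EAP on the wire :", eap.hex())
    print("RADIUS attribute:", attrs.hex())
    print("round trip intact:", radius_attrs_to_eap(attrs) == eap)
    print("EAP in EAPOL-Start:", extract_eap_from_eapol(build_eapol(host_mac, EAPOL_START)))
```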

Ports in Authorized and Unauthorized States

The switch port state determines if the host is granted access to the network. The port starts in the unauthorized state. In this state, the port disallows all the ingress and egress traffic except for the 802.1X protocol packets. When a host is successfully authenticated, the port transitions to the authorized state, which allows all traffic for the host to flow normally.

If a host that does not support 802.1X is connected to an unauthorized 802.1X port, the switch requests the host's identity. In this situation, the host does not respond to the request, the port remains in the unauthorized state, and the host is not granted access to the network.

When an 802.1X-enabled host connects to a port that is not running the 802.1X protocol, the host initiates the authentication process by sending the EAPOL-start frame. When no response is received, the host sends the request for a fixed number of times. Because no response is received, the host begins sending frames as if the port is in the authorized state.

You control the port authorization state by using the set port dot1x mod/port port-control command and these keywords:

force-authorized—Disables 802.1X authentication and causes the port to transition to the authorized state without any authentication exchange required. The port transmits and receives normal traffic without 802.1X-based authentication of the host. This setting is the default.

force-unauthorized—Causes the port to remain in the unauthorized state, ignoring all attempts by the host to authenticate. The switch cannot provide authentication services to the host through the interface.

auto—Enables 802.1X authentication and causes the port to begin in the unauthorized state, allowing only the EAPOL frames to be sent and received through the port. The authentication process begins when the link state of the port transitions from down to up or when an EAPOL-start frame is received. The switch requests the identity of the host and begins relaying the authentication messages between the host and the authentication server. Each host attempting to access the network is uniquely identified by the switch by using the host's MAC address.

If the host is successfully authenticated (receives an Accept frame from the authentication server), the port state changes to authorized, and all frames from the authenticated host are allowed through the port. If the authentication fails, the port remains in the unauthorized state, but authentication can be retried. If the switch cannot reach the authentication server, it can retransmit the request. If no response is received from the server after the specified number of attempts, authentication fails, and network access is not granted.

When a host logs off, the server sends an EAPOL-logoff message, causing the switch port to transition to the unauthorized state.

If the link state of a port transitions from up to down, or if an EAPOL-logoff frame is received, the port returns to the unauthorized state.

Table 40-1 defines the 802.1X terms.

Table 40-1 802.1X Terminology

Authenticator PAE (1): (Referred to as the "authenticator") entity at one end of a point-to-point LAN segment that enforces host authentication. The authenticator is independent of the actual authentication method and functions only as a pass-through for the authentication exchange. It communicates with the host, submits the information from the host to the authentication server, and authorizes the host when instructed to do so by the authentication server.

Authentication server: Entity that provides the authentication service for the authenticator PAE. It checks the credentials of the host PAE and then notifies its client, the authenticator PAE, whether the host PAE is authorized to access the LAN/switch services.

Authorized state: Status of the port after the host PAE is authorized.

Both: Bidirectional flow control, incoming and outgoing, at an unauthorized switch port.

Controlled port: Secured access point.

EAP: Extensible Authentication Protocol.

EAPOL (2): Encapsulated EAP messages that can be handled directly by a LAN MAC service.

In: Flow control only on incoming frames in an unauthorized switch port.

Port: Single point of attachment to the LAN infrastructure (for example, MAC bridge ports).

PAE: Port access entity protocol object that is associated with a specific system port.

PDU: Protocol data unit.

RADIUS: Remote Authentication Dial-In User Service.

Supplicant (3) PAE: Entity that requests access to the LAN/switch services and responds to the information requests from the authenticator.

Unauthorized state: Status of the port before the supplicant PAE is authorized.

Uncontrolled port: Unsecured access point that allows the uncontrolled exchange of PDUs.

1 PAE = port access entity

2 EAPOL = Extensible Authentication Protocol over LAN

3 802.1X uses the term supplicant for client or host. This publication uses host instead of supplicant because host is used in the Catalyst 6500 series CLI syntax.


Authentication Server

The frames that are exchanged between the authenticator and the authentication server are dependent on the authentication mechanism, so they are not defined by 802.1X. You can use other protocols, but we recommend that you use RADIUS for authentication, particularly when the authentication server is located remotely, because RADIUS has extensions that support the encapsulation of EAP frames built into it.

802.1X Parameters Configurable on the Switch

You can configure these 802.1X parameters on the switch:

Specify Force-Authorized, Force-Unauthorized, or Automatic 802.1X port control

Specify single authentication, multiple authentication, and multiple host authentication

Enable or disable system authentication control

Specify the quiet time interval

Specify the authenticator to host retransmission time interval

Specify the back-end authenticator to host retransmission time interval

Specify the back-end authenticator to authentication server retransmission time interval

Specify the number of frames that are retransmitted from the back-end authenticator to the host

Specify the automatic host reauthentication time interval

Specify the port shutdown timeout period after a security violation

Enable or disable automatic host reauthentication

Understanding How 802.1X VLAN Assignments Using a RADIUS Server Work

In the supervisor engine software releases prior to software release 7.2(2), once the 802.1X host is authenticated, it joins an NVRAM-configured VLAN. With software release 7.2(2) and later releases, after authentication, an 802.1X host can receive its VLAN assignment from the RADIUS server.

The VLAN assignment feature allows you to restrict users to a specific VLAN. For example, you could put the guest users in a VLAN with limited access to the network.

The 802.1X authenticated ports are assigned to a VLAN based on the username of the host that is connected to the port. This feature works with the RADIUS server that has a database of username-to-VLAN mappings.

After a successful 802.1X authentication of the port, the RADIUS server sends the VLAN in which the user needs to be given access. The 802.1X port behavior with the VLAN assignment feature is as follows:

At linkup, an 802.1X port is placed in its original NVRAM-configured VLAN.

After linkup, the port can be put in the RADIUS-supplied VLAN if the RADIUS-supplied VLAN is valid and active in the management domain.

If the port is currently in a different VLAN, it is moved to the RADIUS-supplied VLAN.

If the RADIUS-supplied VLAN is not active in the management domain, the port is put in an inactive state.

If the RADIUS-supplied VLAN is invalid or there is a problem with the port hardware, the port is moved to the 802.1X unauthorized state.

When you enable the multiple hosts option on an 802.1X port, all the hosts are placed in the same RADIUS-supplied VLAN that is received by the first authenticated user.

When an 802.1X-configured module goes down, all the Enhanced Address Recognition Logic (EARL) entries are cleared for the 802.1X ports.

When an 802.1X-configured module comes up, all the 802.1X ports are configured in the NVRAM-configured VLANs.

When an 802.1X-configured module's configuration is cleared, all the 802.1X ports are moved to the NVRAM-configured VLAN and all the EARL entries for the 802.1X ports are cleared.

When an 802.1X port moves from an authorized to an unauthorized state, the port is moved to the NVRAM-configured VLAN.

In order for the "802.1X VLAN assignment using a RADIUS server" feature to successfully complete, the RADIUS server must return these three RFC 2868 attributes to the authenticator (the Cisco switch to which the host attaches):

[64] Tunnel-Type = VLAN

[65] Tunnel-Medium-Type = 802

[81] Tunnel-Private-Group-Id = VLAN NAME or VLAN ID (VLAN number)

Attribute [64] must contain the value "VLAN" (type 13). Attribute [65] must contain the value "802" (type 6). Attribute [81] specifies the VLAN name or VLAN ID in which the successfully authenticated 802.1X host is placed.
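The following Python example is added here for illustration; it is not part of this guide or of the switch software. It encodes the [64]/[65]/[81] triple the way a RADIUS server returns it (RFC 2868 tagged attributes, with the tag-octet rule for Tunnel-Private-Group-Id), decodes it on the authenticator side, and then applies the port behavior listed above. The VLAN database is a plain dictionary supplied by the caller, and the VLAN names and IDs are constructed for the example.

```python
"""Added illustration (not from the Cisco guide, not switch code): encoding
and interpreting the three RFC 2868 attributes that drive 802.1X VLAN
assignment, followed by the port outcome the guide describes.

Assumption: the VLAN database is a plain dictionary passed by the caller;
the VLAN names and IDs used are constructed for the example."""
import struct
from typing import Dict, List, Optional, Tuple

ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_802 = 6        # Tunnel-Medium-Type value "802"


def tagged_attr(attr_type: int, value: bytes, tag: int = 0) -> bytes:
    """RFC 2868 tagged attribute: Type(1) Length(1) Tag(1) Value."""
    return struct.pack("!BBB", attr_type, 3 + len(value), tag) + value


def vlan_assignment_attrs(vlan: str, tag: int = 0) -> bytes:
    """What the RADIUS server returns in Access-Accept for VLAN assignment."""
    return (tagged_attr(ATTR_TUNNEL_TYPE, TUNNEL_TYPE_VLAN.to_bytes(3, "big"), tag)
            + tagged_attr(ATTR_TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802.to_bytes(3, "big"), tag)
            + tagged_attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, vlan.encode("ascii"), tag))


def parse_attrs(blob: bytes) -> List[Tuple[int, bytes]]:
    """Split a RADIUS attribute blob into (type, value) pairs."""
    out, pos = [], 0
    while pos + 2 <= len(blob):
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("malformed RADIUS attribute")
        out.append((atype, blob[pos + 2:pos + alen]))
        pos += alen
    return out


def radius_supplied_vlan(blob: bytes) -> Optional[str]:
    """Return the VLAN name or ID from a complete [64]/[65]/[81] triple, else None."""
    ttype = tmedium = group = None
    for atype, value in parse_attrs(blob):
        if atype == ATTR_TUNNEL_TYPE and len(value) == 4:
            ttype = int.from_bytes(value[1:], "big")          # skip the tag octet
        elif atype == ATTR_TUNNEL_MEDIUM_TYPE and len(value) == 4:
            tmedium = int.from_bytes(value[1:], "big")
        elif atype == ATTR_TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868: a first octet of 0x00..0x1F is a tag; anything larger
            # is already part of the group string (servers often omit the tag).
            data = value[1:] if value[0] <= 0x1F else value
            group = data.decode("ascii", errors="replace")
    if ttype != TUNNEL_TYPE_VLAN or tmedium != TUNNEL_MEDIUM_802 or not group:
        return None
    return group


def port_outcome(blob: bytes, vlan_db: Dict[str, bool]) -> str:
    """Apply the guide's rules for an 802.1X port after Access-Accept.

    vlan_db maps a VLAN name or ID to whether it is active in the management
    domain.  Returns 'nvram-vlan' (no assignment attributes: the port stays in
    its NVRAM-configured VLAN; an assumption of this example), 'unauthorized'
    (invalid VLAN), 'inactive' (VLAN exists but is not active) or 'vlan:<x>'.
    """
    vlan = radius_supplied_vlan(blob)
    if vlan is None:
        return "nvram-vlan"
    if vlan not in vlan_db:
        return "unauthorized"
    if not vlan_db[vlan]:
        return "inactive"
    return "vlan:" + vlan


if __name__ == "__main__":
    vlan_db = {"ENGINEERING": True, "GUEST": False, "100": True}   # constructed
    for label, blob in [("engineering", vlan_assignment_attrs("ENGINEERING")),
                        ("guest (not active)", vlan_assignment_attrs("GUEST")),
                        ("unknown VLAN", vlan_assignment_attrs("999")),
                        ("by ID, tagged", vlan_assignment_attrs("100", tag=1)),
                        ("no attributes", b"")]:
        print(label, "->", port_outcome(blob, vlan_db))
```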

Understanding How 802.1X Authentication with DHCP Works

The 802.1X authentication support for the Dynamic Host Configuration Protocol (DHCP) allows the DHCP server to assign the IP addresses to the different classes of end users by adding the authenticated user identity into the DHCP discovery process. This feature allows you to secure the IP addresses given to the end users for accounting purposes and to grant the services that are based on the Layer 3 criteria. Once the RADIUS server authenticates the supplicant, the DHCP server keeps an authenticated user identity that is associated with the IP address lease. This authenticated user identity is then added to the DHCP discovery process so that the different addresses can be assigned to the different classes of users.

After a successful 802.1X authentication between the supplicant and the RADIUS server, the switch puts the port in the forwarding state and stores the attributes that it receives from the RADIUS server. These attributes are used to map to an address pool in the DHCP server. Because the switch can act as a DHCP Relay Agent, it can receive the DHCP messages and regenerate those messages for transmission on another interface. When the supplicant does DHCP discovery (following authentication), the DHCP Relay Agent on the supervisor engine receives the packet, adds the stored attributes that it received from the RADIUS server to the DHCP discovery packet, and submits the discovery broadcast again. The mapping of user-to-IP address can be on a one-to-one, one-to-many, or many-to-many basis. The one-to-many mapping allows the same user to authenticate through the 802.1X hosts on multiple ports.

Understanding How 802.1X Authentication on Ports Configured for Auxiliary VLAN Traffic Works

You can enable 802.1X on a Multiple VLAN Access Port (MVAP), and you can enable an auxiliary VLAN ID on an 802.1X port.

The ports that are configured for 802.1X authentication and an auxiliary VLAN must be in single-host authentication mode to forward the auxiliary VLAN-tagged packets from an IP phone. Because IP phones do not have host PAE capability, auxiliary VLAN-tagged packets that are received from the IP phone on a port that is configured for 802.1X authentication are forwarded as authorized traffic.

A host PAE that is connected behind an IP phone will be authenticated. Only the traffic from the host PAE behind the IP phone is forwarded after authentication.


Note If a new host PAE is connected to an IP phone that is connected to an 802.1X-enabled auxiliary VLAN port, after removing the old host, the new host PAE will be authenticated. Only the traffic from the new host PAE is forwarded after authentication.


Understanding How 802.1X Authentication for the Guest VLAN Works

This section describes the 802.1X authentication for the guest VLANs.

A guest VLAN enables the non-802.1X capable hosts to access the networks that use 802.1X authentication. You can use the guest VLANs while you are upgrading your system to support the 802.1X authentication.

When you configure a VLAN as an 802.1X guest VLAN, all the non-802.1X capable hosts are put in this VLAN. You can configure any VLAN (except for the private VLANs and RSPAN VLANs) as a guest VLAN. If a port is already forwarding on the guest VLAN and you enable 802.1X support on the network interface of the host, the port is immediately moved out of the guest VLAN and the authenticator waits for authentication to occur.


Note In software release 8.6(1) and later releases, a private VLAN and a secondary VLAN can be configured as the guest VLAN. For more information, see the "Configuring 802.1X Authentication with Private VLANs" section.


Enabling 802.1X authentication on a port starts the 802.1X protocol. If the host fails to respond to the packets from the authenticator within a certain amount of time, the authenticator puts the port in the guest VLAN.

The guest VLANs are supported in both single-authentication mode and multiple-host mode.


Note Contrast the guest VLAN feature with the authentication failure VLAN feature. On a traditional 802.1X port, the switch does not provide access to the network until the supplicant that is connected to the port is authenticated by verifying its identity information with an authentication server. With an authentication failure VLAN, you can configure the authentication failure VLAN on a per-port basis and after three failed 802.1X authentication attempts by the supplicant, the port is moved to the authentication failure VLAN where the supplicant can access the network.

An authentication failure VLAN is independent of the guest VLAN. However, the guest VLAN can be the same VLAN as the authentication failure VLAN. If you do not want to differentiate between the non-802.1X capable hosts and the authentication failed hosts, you may configure both hosts to the same VLAN (either a guest VLAN or an authentication failure VLAN).

For more information, see the "Configuring the Authentication Failure VLAN" section.


Usage Guidelines for 802.1X Authentication with the Guest VLANs on Windows-XP Hosts

This section describes the usage guidelines for configuring 802.1X authentication with the guest VLANs on Windows-XP hosts:

If a guest VLAN is enabled on a port, that port cannot be configured as a unidirectional port, and conversely, a unidirectional port cannot be configured in a guest VLAN.

If the host fails to respond to the authenticator, the port remains in the connecting state for 180 seconds. After this time, the login/password window does not appear on the host. The workaround is to have the user unplug and then reconnect the network interface cable.

The hosts that respond with an incorrect login/password fail authentication and are not put in the guest VLAN. The first time that a host fails authentication, the quiet-period timer starts and no activity occurs for the duration of the quiet-period timer. When the quiet-period timer expires, the host is presented with the login/password window. If the host fails authentication for the second time, the quiet-period timer starts again and no activity occurs for the duration of the quiet-period timer. The host is presented with the login/password window a third time. If the host fails the third time, the port is put in the connecting and unauthorized states. The workaround to this problem is to have the user unplug and then reconnect the network interface cable.

If a host does not respond to the username and password authentication requests from the Authenticator PAE, it is placed in a guest VLAN.


Note The guest VLANs are limited to the local switch and are not propagated through VTP.


Understanding How 802.1X Authentication with Port Security Works

802.1X authentication is compatible with the port security feature (for more information, see Chapter 38, "Configuring Port Security"). If you enable port security for only one MAC address on a specific port, only that MAC address authenticates through a RADIUS server. The users that are connected through all other MAC addresses are denied access. If you enable port security for multiple MAC addresses, each address needs to authenticate through the 802.1X RADIUS server.


Note When 802.1X authentication and port security are enabled on any 802.1X port, the 802.1X authentication takes precedence over the port security on the port. The host is authenticated first and is then secured by port security.


You can enable port security for any 802.1X mode (single-authentication mode, multiple-host mode, or multiple-authentication mode). Only one mode can be enabled on a port at a time. The default port mode is single-authentication mode.

You can disable port security for single-authentication mode and multiple-host mode. You cannot disable port security for multiple-authentication mode.

When 802.1X authentication is enabled on a port that is also enabled for MAC address-based port security, 802.1X authentication does not occur on the port unless the maximum allowable number of MAC addresses has been configured. If you configure fewer addresses than the maximum allowable number of MAC addresses on a port that is also configured for 802.1X single-host mode authentication, the system generates a message asking if you want the configured MAC addresses to be removed. If you answer "yes" to this message, the MAC addresses that you configured for MAC address-based port security are removed and the port is authenticated using 802.1X authentication. If 802.1X authentication is enabled for any other mode, no message is created and the MAC addresses are retained.

In the multiple-authentication mode, all connected hosts are authenticated using 802.1X and secured using port security. 802.1X authenticates the MAC address and then gives the MAC address to port security to secure it. When a MAC address sends an EAPOL logoff packet, the MAC address is cleared from the port security tables.

Understanding How 802.1X Authentication with ARP Traffic Inspection Works


Note This feature is available only with Supervisor Engine 2 with PFC2, Supervisor Engine 720 with PFC3A/PFC3B/PFC3BXL, and Supervisor Engine 32 with PFC3B/PFC3BXL.


ARP traffic inspection allows you to configure a set of order-dependent rules within the security ACL (VACL) framework to prevent ARP table attacks. ARP traffic inspection complements the 802.1X port authentication protocol: 802.1X first binds the MAC address of the authenticated client to the port, which prevents that client from spoofing additional MAC addresses, and ARP traffic inspection then adds an IP-to-MAC address binding for additional protection against spoofing.

You can use 802.1X authentication with ARP traffic inspection to provide an additional layer of port and user security by eliminating the possibility of malicious users/hosts corrupting the ARP tables of the other hosts. After a successful 802.1X supplicant authentication, ARP traffic inspection, which binds the supplicant's IP address and MAC address, is invoked and eliminates the spoofing possibility.

ARP is a simple protocol that does not have an authentication mechanism so there is no means to ensure that the ARP requests and replies are genuine. Without an authentication mechanism, a malicious user/host can corrupt the ARP tables of the other hosts on the same VLAN in a Layer 2 network or bridge domain.

For example, user/Host A (the malicious user) can send the unsolicited ARP replies (or the gratuitous ARP packets) to the other hosts on the subnet with the IP address of the default router and the MAC address of Host A. With some earlier operating systems, even if a host already has a static ARP entry for the default router, the newly advertised binding from Host A is learned. If Host A enables IP forwarding and forwards all packets from the "spoofed" hosts to the router and vice versa, then Host A can carry out a man-in-the-middle attack (for example, using the program dsniff) without the spoofed hosts realizing that all of their traffic is being sniffed.

In addition, ARP inspection can drop the packets where the source Ethernet MAC address (in the Ethernet header) does not match the source MAC address in the ARP header. You can enable (or disable) this feature through the CLI by entering the set security acl arp-inspection match-mac {enable [drop [log]] | disable} command.

To configure ARP traffic inspection, see the "Inspecting ARP Traffic" section on page 15-30.
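The following Python example is added here for illustration; it is not part of this guide or of the switch software. It applies the two checks this section describes to constructed ARP frames: the match-mac rule (Ethernet source address must equal the ARP sender hardware address) and the IP-to-MAC binding established for the authenticated host. The binding table is a constructed dictionary, and the addresses are made up for the example; the third constructed frame reproduces the gratuitous-ARP case described above so that the drop decision can be seen.

```python
"""Added illustration (not from the Cisco guide, not switch code): the two
ARP checks this section describes, applied to constructed frames.

1. match-mac: the Ethernet source address must equal the ARP sender hardware
   address (the check behind set security acl arp-inspection match-mac).
2. Binding check: the ARP sender IP/MAC pair must match the binding established
   for the authenticated host; the binding table is a constructed dictionary."""
import struct
from typing import Dict, Tuple

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def _ip(s: str) -> bytes:
    return bytes(int(octet) for octet in s.split("."))


def build_arp_frame(eth_src: str, sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str, opcode: int = ARP_REPLY) -> bytes:
    """Ethernet II + ARP (hardware Ethernet, protocol IPv4) frame for testing."""
    eth = _mac(BROADCAST) + _mac(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> Dict[str, object]:
    """Pull the fields the inspection rules need out of the frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    fmt_mac = lambda b: ":".join("%02x" % x for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return {"eth_src": fmt_mac(frame[6:12]), "opcode": opcode,
            "sender_mac": fmt_mac(frame[22:28]), "sender_ip": fmt_ip(frame[28:32]),
            "target_mac": fmt_mac(frame[32:38]), "target_ip": fmt_ip(frame[38:42])}


def inspect_arp(frame: bytes, bindings: Dict[str, str]) -> Tuple[str, str]:
    """Return ('permit' | 'drop', reason).  bindings maps sender IP -> bound MAC."""
    a = parse_arp(frame)
    # Rule 1 (match-mac): header MAC and ARP sender hardware address must agree.
    if a["eth_src"] != a["sender_mac"]:
        return "drop", "match-mac: ethernet source %s, ARP sender %s" % (a["eth_src"], a["sender_mac"])
    # Rule 2: the sender IP must be bound to this MAC.  An unknown sender IP is
    # dropped too, which is what stops a host from claiming the router's address.
    bound = bindings.get(a["sender_ip"])
    if bound != a["sender_mac"]:
        return "drop", "binding: %s is bound to %s, not %s" % (a["sender_ip"], bound, a["sender_mac"])
    return "permit", "sender binding verified"


if __name__ == "__main__":
    # Constructed bindings: the default router and one authenticated host.
    bindings = {"10.0.0.1": "00:00:5e:00:01:01", "10.0.0.20": "00:11:22:33:44:aa"}
    frames = {
        "host announces its own address":
            build_arp_frame("00:11:22:33:44:aa", "00:11:22:33:44:aa", "10.0.0.20", BROADCAST, "10.0.0.20"),
        "host claims the router IP":
            build_arp_frame("00:11:22:33:44:aa", "00:11:22:33:44:aa", "10.0.0.1", BROADCAST, "10.0.0.30"),
        "ARP sender MAC differs from header":
            build_arp_frame("00:11:22:33:44:aa", "00:00:5e:00:01:01", "10.0.0.1", BROADCAST, "10.0.0.30"),
    }
    for label, frame in frames.items():
        verdict, reason = inspect_arp(frame, bindings)
        print("%-36s %-6s (%s)" % (label, verdict, reason))
```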

Default Authentication Configuration

Table 40-2 shows the default 802.1X authentication configuration.

Table 40-2 802.1X Authentication Default Configuration

PAE Capability: Authenticator only

Protocol Version: 1

802.1X port control: Force-authorized

802.1X multiple hosts: Disabled

802.1X system authentication control: Enabled

802.1X quiet period time: 60 seconds

802.1X authenticator to host retransmission time: 30 seconds

802.1X back-end authenticator to host retransmission time: 30 seconds

802.1X back-end authenticator to authentication server retransmission time: 30 seconds

802.1X number of frames that are retransmitted from back-end authenticator to the host: 2

802.1X automatic host reauthentication time: 3600 seconds

802.1X automatic authenticator reauthentication of the host: Disabled

802.1X shutdown timeout period: 300 seconds

802.1X RADIUS accounting: Disabled

802.1X RADIUS VLAN assignment: Enabled

802.1X RADIUS keepalive state: Enabled


Authentication Configuration Guidelines

This section provides the guidelines for configuring 802.1X authentication on the switch:

802.1X will work with other protocols, but we recommend that you use RADIUS with a remotely located authentication server.

802.1X is supported only on the Ethernet ports.

Software release 7.5(1) supports two in-band management interfaces, sc0 and sc1. 802.1X authentication always uses the sc0 interface as the identifier for the authenticator when communicating with the RADIUS server. 802.1X authentication is not supported with the sc1 interface.

You cannot enable 802.1X on a trunk port until you turn off trunking on that port. You cannot enable trunking on an 802.1X port.

You cannot enable 802.1X on a dynamic port until you turn off dynamic VLAN on that port. You cannot enable dynamic VLAN on an 802.1X port.

You cannot enable 802.1X on a channeling port until you turn off channeling on that port. You cannot enable channeling on an 802.1X port.

You cannot enable 802.1X on a switched port analyzer (SPAN) destination port. You cannot configure SPAN destination on an 802.1X port. However, you can configure an 802.1X port as a SPAN source port.

You cannot set the auxiliary VLAN to dot1p or untagged, and the auxiliary VLAN should not be equal to the native VLAN on the 802.1X-enabled port.

You cannot enable the multiple-authentication option on an 802.1X-enabled auxiliary VLAN port. We recommend that you do not enable the multiple-host option on an 802.1X-enabled auxiliary port.

Do not assign a guest VLAN equal to an auxiliary VLAN because an 802.1X-enabled auxiliary VLAN port will not be put into the guest VLAN if the auxiliary VLAN on the port is the same as the guest VLAN.

On an 802.1X-enabled port, an administratively configured VLAN cannot be equal to an auxiliary VLAN.

The private VLANs and 802.1X configurations are mutually exclusive of one another.


Note Software release 8.6(1) and later releases provide support for configuring 802.1X with private VLANs. For more information, see the "Configuring 802.1X Authentication with Private VLANs" section.


With a PFC3A/PFC3B/PFC3BXL, you can use the set rate-limit l2port-security command to enable, disable, or set the 802.1X port security rate limiters globally on the switch. For more information on configuring rate limiting, see the "Configuring Layer 2 PDU Rate Limiting on the Switch" section on page 7-61.

Configuring 802.1X Authentication on the Switch

These sections describe how to configure 802.1X authentication on the switch:


Note For information on using a RADIUS server for VLAN assignment, see the "Understanding How 802.1X VLAN Assignments Using a RADIUS Server Work" section.


Enabling 802.1X Authentication Globally

Disabling 802.1X Authentication Globally

Enabling 802.1X Authentication for Individual Ports

Enabling 802.1X with Inaccessible Authentication Bypass

Enabling Multiple 802.1X Authentications

Setting and Enabling Automatic Reauthentication of the Host

Manually Reauthenticating the Host

Enabling Multiple Hosts

Disabling Multiple Hosts

Setting the Quiet Period

Setting the Shutdown Timeout Period

Setting the Authenticator-to-Host Retransmission Time for EAP-Request/Identity Frames

Setting the Back-End Authenticator-to-Host Retransmission Time for the EAP-Request Frames

Setting the Back-End Authenticator-to-Authentication-Server Retransmission Time for the Transport Layer Packets

Setting the Back-End Authenticator-to-Host Frame-Retransmission Number

Setting the Critical Recovery Delay for an Authentication Feature

Resetting the 802.1X Configuration Parameters to the Default Values

Enabling 802.1X Authentication for the DHCP Relay Agent

Disabling 802.1X Authentication for the DHCP Relay Agent

Adding Hosts to an 802.1X Guest VLAN

Configuring an 802.1X Unidirectional Controlled Port

Configuring 802.1X with ACL Assignments

Configuring 802.1X User Distribution

Enabling and Disabling 802.1X RADIUS Accounting and Tracking

Enabling and Disabling RADIUS Keepalive

Configuring the Authenticated Identity-to-Port Description Mappings

Configuring the DNS Resolution for a RADIUS Server Configuration

Configuring the Authentication Failure VLAN

Configuring a RADIUS Server Failover

Configuring 802.1X Authentication with Private VLANs

Using the show Commands

Enabling 802.1X Authentication Globally

You must enable 802.1X authentication for the entire system before you can configure it for individual ports. After you globally enable 802.1X authentication, you can configure individual ports for 802.1X authentication, provided that each port meets the requirements of 802.1X. To enable 802.1X authentication for individual ports, see the "Enabling 802.1X Authentication for Individual Ports" section.

To enable 802.1X authentication globally, perform this task in privileged mode:

Task                                    Command
--------------------------------------  ------------------------------------
Globally enable 802.1X authentication.  set dot1x system-auth-control enable


This example shows how to enable 802.1X authentication globally:

Console> (enable) set dot1x system-auth-control enable
dot1x system-auth-control enabled.

Disabling 802.1X Authentication Globally

When 802.1X authentication is enabled for the entire system, you can disable it globally. When 802.1X authentication is disabled globally, it is no longer available at any port (even ports that were previously configured for it).

To disable 802.1X authentication globally, perform this task in privileged mode:

Task                                     Command
---------------------------------------  -------------------------------------
Globally disable 802.1X authentication.  set dot1x system-auth-control disable


This example shows how to disable 802.1X authentication globally:

Console> (enable) set dot1x system-auth-control disable
dot1x system-auth-control disabled.

Enabling 802.1X Authentication for Individual Ports

After 802.1X authentication is globally enabled, you must enable 802.1X authentication from the console for the individual ports. To enable 802.1X authentication globally, see the "Enabling 802.1X Authentication Globally" section.


Note You must specify at least one RADIUS server before you can enable 802.1X authentication on the switch. For more information, see Chapter 21, "Configuring the Switch Access Using AAA."


To enable 802.1X authentication for access to the switch, perform this task in privileged mode:

 
Task                                                Command
--------------------------------------------------  -----------------------------------------
Step 1  Enable 802.1X control on a specific port.   set port dot1x mod/port port-control auto
Step 2  Verify the 802.1X configuration.            show port dot1x mod/port

This example shows how to enable 802.1X authentication on port 1 in module 3 and verify the configuration:

Console> (enable) set port dot1x 3/1 port-control auto
Port 3/1 dot1x port-control is set to auto.
Trunking disabled for port 3/1 due to Dot1x feature.
Spantree port fast start option enabled for port 3/1.
Console> (enable) show port dot1x 3/1
Port  Auth-State          BEnd-State Port-Control        Port-Status  
----- ------------------- ---------- ------------------- -------------
 3/1  connecting          idle       auto                unauthorized 

Port  Port-Mode     Re-authentication   Shutdown-timeout   Control-Mode
                                                           admin   oper
----- ------------- -----------------   ----------------   ---------------
 3/1  SingleAuth    disabled            disabled           Both    Both 
Console> (enable) 

Note To clear the current state machines for a new authentication, enter the set port dot1x mod/port initialize command.


Enabling 802.1X with Inaccessible Authentication Bypass

You can enable 802.1X inaccessible authentication bypass on a per-port basis. This feature allows you to specify a port as critical. When a port is specified as a critical port, 802.1X attempts to authenticate the port in the normal way. If attempts to reach the authentication server fail, the port is still given access to the network in the administratively configured VLAN or the port's native VLAN. You can configure a port as critical only if it is in single-authentication mode.

After a critical port obtains access to the network, if the authentication server becomes available, the critical port returns to the unauthorized state, the normal authentication process restarts, and the critical port moves into the RADIUS server-specified VLAN after the port is authenticated. At this point, you must initialize the port manually using the set port dot1x mod/port initialize command.

If the authentication server goes down after a host has already been authenticated through the normal authentication process, the switch checks if the port is a critical port. If the switch determines that the port is a critical port, the normal reauthentication process is temporarily disabled for the port and the port is given network access until the authentication server becomes active and restarts the authentication process.

To specify a port as a critical port, perform this task in privileged mode:

 
Task                                        Command
------------------------------------------  ---------------------------------------------------
Step 1  Specify a port as a critical port.  set port dot1x mod/port critical {enable | disable}
Step 2  Verify the 802.1X configuration.    show port dot1x mod/port

This example shows how to specify a port as a critical port:

Console> (enable) set port dot1x 5/48 critical enable
Port 5/48 critical-port option is enabled
Console> (enable)

This example shows how to verify the 802.1X configuration:

Console> (enable) show port dot1x 5/48 
Port  Auth-State          BEnd-State Port-Control        Port-Status  
----- ------------------- ---------- ------------------- -------------
 5/48 -                   -          force-authorized    -            

Port  Port-Mode     Re-authentication   Shutdown-timeout   Control-Mode
                                                           admin   oper
----- ------------- -----------------   ----------------   ---------------
 5/48 SingleAuth    disabled            disabled           Both    -    

Port  Posture-Token Critical Termination action Session-timeout
----- ------------- -------- ------------------ ---------------
 5/48 -             YES      -                  -
Console> (enable)

Enabling Multiple 802.1X Authentications

You can specify multiple authentications so that more than one host can gain access to an 802.1X port. Cisco-proprietary multiple authentication allows multiple dot1x-hosts on a port; every host is authenticated separately. Use these guidelines when enabling multiple 802.1X authentications:

The traffic from the non-802.1X hosts on multiple authenticated ports is blocked.

You cannot enable a guest VLAN on multiple authenticated ports.

You cannot enable multiple authentication on a MVAP.

Multiple authenticated ports go into the port VLAN and will not go into a RADIUS-assigned VLAN.

You need to enable port security on a port before you can enable multiple authentications on the port.

You cannot disable port security on a multiple authenticated port.

The port security timers are used on multiple authenticated ports. The reauthentication timers are not used on multiple authenticated ports.

To enable multiple 802.1X authentications, perform this task in privileged mode:

 
Task                                                                Command
------------------------------------------------------------------  ------------------------------------------------------------------
Step 1  Enable multiple 802.1X authentications on a specific port.  set port dot1x mod/port multiple-authentication {enable | disable}
Step 2  Verify the 802.1X configuration.                            show port dot1x mod/port

This example shows how to enable multiple 802.1X authentications on port 1 in module 3 and verify the configuration:

Console> (enable) set port dot1x 3/1 multiple-authentication enable
PortSecurity should be enabled on port 3/1, before enabling Multiple-authentication
Port Security not enabled on 3/1.
Console> (enable) set port security 3/1 enable
Port 3/1 security enabled.
Console> (enable) set port dot1x 3/1 multiple-authentication enable
Port 3/1 Multiple-authentication option enabled
Console> (enable) show port dot1x 3/1
Port  Auth-State          BEnd-State Port-Control        Port-Status  
----- ------------------- ---------- ------------------- -------------
 3/1  connecting          idle       auto                unauthorized 

Port  Port-Mode     Re-authentication   Shutdown-timeout   Control-Mode
                                                           admin   oper
----- ------------- -----------------   ----------------   ---------------
 3/1  MultiAuth     disabled            disabled           Both    Both 
Console> (enable) 

Setting and Enabling Automatic Reauthentication of the Host

You can specify how often 802.1X authentication reauthenticates the host; set the period before you enable automatic 802.1X host reauthentication. If you do not specify a time period before you enable host reauthentication, 802.1X defaults to 3600 seconds (the valid values are from 1-65535 seconds).

You can enable automatic 802.1X host reauthentication for the hosts that are connected to a specific port. To manually reauthenticate the host that is connected to a specific port, see the "Manually Reauthenticating the Host" section.

To set how often 802.1X authentication reauthenticates the host and enable automatic 802.1X reauthentication, perform this task in privileged mode:

 
Task                                                          Command
------------------------------------------------------------  ------------------------------------------------
Step 1  Set the time constant for reauthenticating the host.  set dot1x re-authperiod seconds
Step 2  Enable reauthentication.                              set port dot1x mod/port re-authentication enable
Step 3  Verify the 802.1X configuration.                      show port dot1x mod/port

This example shows how to set automatic reauthentication to 7200 seconds, enable 802.1X reauthentication on port 3/1, and verify the configuration:

Console> (enable) set dot1x re-authperiod 7200
dot1x re-authperiod set to 7200 seconds
Console> (enable) set port dot1x 3/1 re-authentication enable
Port 3/1 Dot1x re-authentication enabled.
Console> (enable) show port dot1x 3/1
Port  Auth-State          BEnd-State Port-Control        Port-Status  
----- ------------------- ---------- ------------------- -------------
 3/1  connecting          idle       auto                unauthorized 

Port  Port-Mode     Re-authentication   Shutdown-timeout   Control-Mode
                                                           admin   oper
----- ------------- -----------------   ----------------   ---------------
 3/1  MultiAuth     enabled             disabled           Both    Both 
Console> (enable) 
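The "Verify the 802.1X configuration" step in the port-control, critical-port, multiple-authentication and reauthentication tasks above all read the same fixed-width show port dot1x listing. As an added example (hypothetical Python, not part of CatOS), this helper parses that listing by its dash separator lines, merges the sub-tables per port, and flags ports that are still at the force-authorized default or have automatic reauthentication disabled. The sample output is constructed from the listings for ports 3/1 and 5/48 shown in this chapter; the audit rules are the example's own choice.

```python
"""Parse 'show port dot1x' output and audit the result (added example)."""
import re
from typing import Dict, Iterator, List, Tuple

# Constructed sample: the 'show port dot1x' listings for ports 3/1 and 5/48
# from this chapter, as a script would capture them from the console.
SAMPLE_OUTPUT = """\
Port  Auth-State          BEnd-State Port-Control        Port-Status
----- ------------------- ---------- ------------------- -------------
 3/1  connecting          idle       auto                unauthorized

Port  Port-Mode     Re-authentication   Shutdown-timeout   Control-Mode
                                                           admin   oper
----- ------------- -----------------   ----------------   ---------------
 3/1  MultiAuth     enabled             disabled           Both    Both

Port  Auth-State          BEnd-State Port-Control        Port-Status
----- ------------------- ---------- ------------------- -------------
 5/48 -                   -          force-authorized    -

Port  Port-Mode     Re-authentication   Shutdown-timeout   Control-Mode
                                                           admin   oper
----- ------------- -----------------   ----------------   ---------------
 5/48 SingleAuth    disabled            disabled           Both    -

Port  Posture-Token Critical Termination action Session-timeout
----- ------------- -------- ------------------ ---------------
 5/48 -             YES      -                  -
"""

Span = Tuple[int, int]


def _column_spans(separator: str) -> List[Span]:
    """Columns are the dash runs of the separator line; the last one is open-ended."""
    spans = [(m.start(), m.end()) for m in re.finditer(r"-+", separator)]
    spans[-1] = (spans[-1][0], 10 ** 6)
    return spans


def _tokens_by_column(line: str, spans: List[Span]) -> List[List[str]]:
    """Assign each whitespace-delimited token to the column whose span it overlaps."""
    cols: List[List[str]] = [[] for _ in spans]
    for tok in re.finditer(r"\S+", line):
        for i, (start, end) in enumerate(spans):
            if tok.start() < end and tok.end() > start:
                cols[i].append(tok.group())
                break
    return cols


def _blocks(text: str) -> Iterator[List[str]]:
    """Split console output into blocks separated by blank lines or the prompt."""
    block: List[str] = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("Console>"):
            block.append(line)
        elif block:
            yield block
            block = []
    if block:
        yield block


def parse_show_port_dot1x(text: str) -> Dict[str, Dict[str, str]]:
    """Return {port: {column: value}} merged across the listing's sub-tables."""
    ports: Dict[str, Dict[str, str]] = {}
    for block in _blocks(text):
        sep = next((i for i, line in enumerate(block) if line.startswith("--")), None)
        if not sep:  # no separator, or nothing above it: not a table
            continue
        spans = _column_spans(block[sep])
        names = [" ".join(c) for c in _tokens_by_column(block[0], spans)]
        # Extra header lines carry sub-columns, e.g. 'admin oper' under Control-Mode.
        subs: List[List[str]] = [[] for _ in spans]
        for header in block[1:sep]:
            for i, c in enumerate(_tokens_by_column(header, spans)):
                subs[i].extend(c)
        for row in block[sep + 1:]:
            fields: Dict[str, str] = {}
            for name, sub, vals in zip(names, subs, _tokens_by_column(row, spans)):
                if sub:
                    fields.update({f"{name} {s}": v for s, v in zip(sub, vals)})
                else:
                    fields[name] = " ".join(vals)
            port = fields.pop("Port", "")
            if port:
                ports.setdefault(port, {}).update(fields)
    return ports


def audit_dot1x_ports(ports: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag ports whose port-control is not 'auto' (no supplicant authentication
    enforced) or whose automatic reauthentication is off (the Table 40-2 default)."""
    findings: List[str] = []
    for port, f in sorted(ports.items()):
        control = f.get("Port-Control", "?")
        if control != "auto":
            findings.append(f"{port}: port-control is '{control}', supplicants are not authenticated")
        if f.get("Re-authentication") != "enabled":
            findings.append(f"{port}: automatic reauthentication is not enabled")
    return findings


if __name__ == "__main__":
    for line in audit_dot1x_ports(parse_show_port_dot1x(SAMPLE_OUTPUT)):
        print(line)
```

Tokens are assigned to columns by overlap with the separator's dash runs rather than by splitting on whitespace, so a multi-word header such as "Termination action" and the two-line "Control-Mode / admin oper" header are both handled; the same approach works for a listing that covers a whole module.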

Manually Reauthenticating the Host

You can manually reauthenticate the host that is connected to a specific port at any time. When you want to configure automatic 802.1X host reauthentication, see the "Setting and Enabling Automatic Reauthentication of the Host" section.

To manually reauthenticate a host that is connected to a specific port, perform this task in privileged mode:

Task                                                                    Command
----------------------------------------------------------------------  ---------------------------------------
Manually reauthenticate the host that is connected to a specific port.  set port dot1x mod/port re-authenticate


This example shows how to manually reauthenticate the host that is connected to port 1 on module 3:

Console> (enable) set port dot1x 3/1 re-authenticate
Port 3/1 re-authenticating...
dot1x re-authentication successful...
dot1x port 3/1 authorized.
Console> (enable)

Enabling Multiple Hosts

You can enable a specific port to allow multiple-user access. When a port is enabled for multiple users, and a host that is connected to that port is authorized successfully, any host (with any MAC address) is allowed to send and receive traffic on that port. Connecting multiple hosts to that port through a hub therefore reduces the security level on that port.

To enable access for multiple hosts on a specific port, perform this task in privileged mode:

Task                                       Command
-----------------------------------------  --------------------------------------------
Enable multiple hosts on a specific port.  set port dot1x mod/port multiple-host enable


This example shows how to enable access for multiple hosts on port 1 on module 3:

Console> (enable) set port dot1x 3/1 multiple-host enable
Port 3/1 Multiple-host option enabled.
Console> (enable) 