802.1X Commands


dot1x guest-vlan enable

To enable the guest VLAN feature on the switch and specify a VLAN as the guest VLAN, use the dot1x guest-vlan enable Global Configuration mode command.

To disable the guest VLAN feature on the switch, use the no form of this command.

Syntax

dot1x guest-vlan vlan-id enable

no dot1x guest-vlan enable

Parameters

vlan-id —Identifier of the VLAN set as the guest VLAN.

Default Configuration

Guest VLAN is disabled on the switch.

Command Mode

Global Configuration mode

User Guidelines

Use the dot1x guest-vlan enable Interface Configuration mode command to enable unauthorized users on an interface to access the guest VLAN.

If the guest VLAN is defined and enabled, the interface automatically joins the guest VLAN when the interface is unauthorized and leaves it when the interface becomes authorized. To be able to join or leave the guest VLAN, the interface must not be a static member of the guest VLAN. Any device that fails authentication, or never attempts it, reaches the guest VLAN, so that VLAN should carry only the access an unauthenticated device is meant to have.

Example

The following example sets VLAN 2 as the guest VLAN:

switchxxxxxx(config)# dot1x guest-vlan 2 enable

dot1x guest-vlan enable (Interface)

To allow unauthorized users on the interface to access the guest VLAN, use the dot1x guest-vlan enable Interface Configuration (Ethernet) mode command.

To prevent unauthorized users on the interface from accessing the guest VLAN, use the no form of this command.

Syntax

dot1x guest-vlan enable

no dot1x guest-vlan enable

Parameters

N/A

Default Configuration

Unauthorized users cannot access the guest VLAN by default.

Command Mode

Interface Configuration (Ethernet) mode

User Guidelines

The switch can have only one guest VLAN. The guest VLAN is defined in the dot1x guest-vlan enable Global Configuration mode command.

Example

The following example enables unauthorized users on gi15 to access the guest VLAN:

switchxxxxxx(config)# interface gi15
switchxxxxxx(config-if)# dot1x guest-vlan enable

dot1x host-mode

To allow a single host (client) or multiple hosts on an IEEE 802.1X-authorized port, use the dot1x host-mode Interface Configuration mode command.

To restore the default setting, use the no form of this command.

Syntax

dot1x host-mode {multi-host | single-host | multi-sessions}

no dot1x host-mode

Parameters

multi-host—Enable multiple-host mode.

single-host—Enable single-host mode.

multi-sessions—Enable multiple-sessions mode.

Default Configuration

Default mode is multi-host.

Command Mode

Interface Configuration mode

User Guidelines

In multiple-host mode, only one of the attached hosts must be successfully authorized for all hosts to be granted network access. If the port becomes unauthorized, all attached clients are denied access to the network.

In multiple-sessions mode, each host must be successfully authorized to be granted network access. Note that packets are NOT encrypted, and after successful authentication filtering is based on the source MAC address only, so a station that sends frames with the source MAC address of an authenticated host is forwarded as that host.

It is recommended to enable reauthentication when working in multiple-sessions mode so that hosts that left the network without logging off are detected and their sessions removed.

In single-host mode there is only one attached host, and only this authenticated host can access the network.

Example

The following example sets the host mode:

switchxxxxxx(config)# interface gi1
switchxxxxxx(config-if)# dot1x host-mode multi-host
switchxxxxxx(config-if)# dot1x host-mode single-host
switchxxxxxx(config-if)# dot1x host-mode multi-sessions

dot1x max-hosts

To set the maximum authenticated hosts allowed, use the dot1x max-hosts Interface Configuration mode command.

To restore the default value, use the no form of this command.

Syntax

dot1x max-hosts number

no dot1x max-hosts

Parameters

number—Maximum number of authenticated hosts allowed. (Range: 1–256.)

Default Configuration

The default maximum host number is 256.

Command Mode

Interface Configuration mode

User Guidelines

The command is relevant only for multi-sessions mode.

Example

The following example sets the maximum host number to 5:

switchxxxxxx(config)# interface gi1
switchxxxxxx(config-if)# dot1x max-hosts 5

dot1x max-req

To set the maximum number of times that the switch sends an Extensible Authentication Protocol (EAP) Request/Identity frame (assuming that no response is received) to the client before restarting the authentication process, use the dot1x max-req Interface Configuration mode command.

To revert to its default setting, use the no form of this command.

Syntax

dot1x max-req count

no dot1x max-req

Parameters

count—The maximum number of times that the switch sends an EAP-Request/Identity frame before restarting the authentication process. (Range: 1 to 10)

Default Configuration

The default maximum number of attempts is 2.

Command Mode

Interface Configuration (Ethernet) mode

User Guidelines

The default value of this command should be changed only to adjust to unusual circumstances, such as unreliable links or specific behavioral problems with certain clients and authentication servers.

Example

The following example sets the maximum number of EAP requests to 6:

switchxxxxxx(config)# interface gi15
switchxxxxxx(config-if)# dot1x max-req 6

dot1x port-control

To enable manual control of the port authorization state, use the dot1x port-control Interface Configuration (Ethernet) mode command.

To disable manual control of the port authorization state, use the no form of this command.

Syntax

dot1x port-control {auto | force-authorized | force-unauthorized}

no dot1x port-control

Parameters

auto—Enables 802.1X authentication on the interface and causes it to transition to the authorized or unauthorized state, based on the 802.1X authentication exchange between the switch and the client.

force-authorized—Disables 802.1X authentication on the interface and causes the interface to transition to the authorized state without any authentication exchange required. The interface sends and receives normal traffic without 802.1X-based client authentication.

force-unauthorized—Denies all access through this interface by forcing it to transition to the unauthorized state and ignoring all attempts by the client to authenticate. The switch cannot provide authentication services to the client through this interface.

Default Configuration

The interface is in the force-authorized state.

Command Mode

Interface Configuration (Ethernet) mode

User Guidelines

Because the default state is force-authorized, enabling 802.1X globally with dot1x system-auth-control does not by itself authenticate anyone; every port that should authenticate its clients must be set to auto.

In order to proceed to the forwarding state immediately after successful authentication, we recommend that you disable STP or enable the STP PortFast mode on 802.1X edge ports (ports in auto state that are connected to end stations).

Example

The following example enables 802.1X authentication in auto mode on gi15:

switchxxxxxx(config)# interface gi15
switchxxxxxx(config-if)# dot1x port-control auto

dot1x radius-attributes vlan

To enable user-based VLAN assignment, use the dot1x radius-attributes vlan Interface Configuration mode command.

To disable user-based VLAN assignment, use the no form of this command.

Syntax

dot1x radius-attributes vlan {reject | static}

no dot1x radius-attributes vlan

Parameters

reject—If the RADIUS server authenticated the supplicant, but did not provide a supplicant VLAN, the supplicant is rejected.

static—If the RADIUS server authenticated the supplicant, but did not provide a supplicant VLAN, the supplicant is accepted.

Default Configuration

Disabled

Command Mode

Interface Configuration mode

User Guidelines

When RADIUS attributes are enabled and the RADIUS accept message does not contain the supplicant's VLAN as an attribute, the supplicant is rejected in reject mode.

Packets to the supplicant are sent untagged.

After successful authentication, the port remains a member of the guest VLAN.

Example

The following example sets VLAN assign mode to reject:

switchxxxxxx(config)# interface gi1
switchxxxxxx(config-if)# dot1x radius-attributes vlan reject

dot1x reauthentication

To enable periodic reauthentication of the client, use the dot1x reauthentication Interface Configuration (Ethernet) mode command.

To disable periodic reauthentication of the client, use the no form of this command.

Syntax

dot1x reauthentication

no dot1x reauthentication

Parameters

N/A

Default Configuration

Periodic reauthentication is disabled.

Command Mode

Interface Configuration (Ethernet) mode

Example

switchxxxxxx(config)# interface gi15
switchxxxxxx(config-if)# dot1x reauthentication

dot1x system-auth-control

To enable 802.1X globally on the switch, use the dot1x system-auth-control Global Configuration mode command.

To disable 802.1X globally on the switch, use the no form of this command.

Syntax

dot1x system-auth-control

no dot1x system-auth-control

Parameters

N/A

Default Configuration

802.1X is disabled.

Command Mode

Global Configuration mode

Example

switchxxxxxx(config)# dot1x system-auth-control

dot1x timeout server-timeout

To set the time interval during which the device waits for a response from the authentication server, use the dot1x timeout server-timeout Interface Configuration mode command.

To restore the default server timeout, use the no form of this command.

Syntax

dot1x timeout server-timeout seconds

no dot1x timeout server-timeout

Parameters

seconds—Specifies the time interval in seconds during which the device waits for a response from the authentication server. (Range: 1–65535 seconds.)

Default Configuration

The default timeout period is 30 seconds.

Command Mode

Interface Configuration mode

User Guidelines

The actual timeout period is the lower of two values: the value specified by the dot1x timeout server-timeout command, and the number of retries specified by the radius-server retransmit command multiplied by the timeout period specified by the radius-server timeout command.

Example

The following example sets the time the device waits for a response from the authentication server to 3600 seconds:

switchxxxxxx(config)# interface gi1
switchxxxxxx(config-if)# dot1x timeout server-timeout 3600

dot1x timeout quiet-period

To set the time interval that the switch remains in a quiet state following a failed authentication exchange (for example, the client provided an invalid password), use the dot1x timeout quiet-period Interface Configuration (Ethernet) mode command.

To revert to its default setting, use the no form of this command.

Syntax

dot1x timeout quiet-period seconds

no dot1x timeout quiet-period

Parameters

seconds—The time interval in seconds that the switch remains in a quiet state following a failed authentication exchange with the client. (Range: 0 to 65535 seconds)

Default Configuration

The default quiet period is 60 seconds.

Command Mode

Interface Configuration (Ethernet) mode

User Guidelines

During the quiet period, the switch does not accept or initiate authentication requests.

The default value of this command should only be changed to adjust to unusual circumstances, such as unreliable links or specific behavioral problems with certain clients and authentication servers.

To provide faster response time to the user, a smaller number than the default value should be entered. Note that a shorter quiet period also lets a client retry failed authentications more often, which increases the load that repeated failures place on the switch and the authentication server.

Example

The following example sets the time interval to 10 seconds:

switchxxxxxx(config)# interface gi15
switchxxxxxx(config-if)# dot1x timeout quiet-period 10

dot1x timeout reauth-period

To set the number of seconds between reauthentication attempts, use the dot1x timeout reauth-period Interface Configuration (Ethernet) mode command.

To revert to its default setting, use the no form of this command.

Syntax

dot1x timeout reauth-period seconds

no dot1x timeout reauth-period

Parameters

seconds—Number of seconds between reauthentication attempts. (Range: 30 to 65535)

Default Configuration

3600 seconds

Command Mode

Interface Configuration (Ethernet) mode

Example

switchxxxxxx(config)# interface gi15
switchxxxxxx(config-if)# dot1x timeout reauth-period 5000

dot1x timeout supp-timeout

To set the time interval during which the switch waits for a response to an Extensible Authentication Protocol (EAP) request frame from the client before resending the request, use the dot1x timeout supp-timeout Interface Configuration (Ethernet) mode command.

To revert to its default setting, use the no form of this command.

Syntax

dot1x timeout supp-timeout seconds

no dot1x timeout supp-timeout

Parameters

seconds—The time interval in seconds during which the switch waits for a response to an EAP request frame from the client before resending the request. (Range: 1 to 65535 seconds)

Default Configuration

The default timeout period is 30 seconds.

Command Mode

Interface Configuration (Ethernet) mode

User Guidelines

The default value of this command should be changed only to adjust to unusual circumstances, such as unreliable links or specific behavioral problems with certain clients and authentication servers.

Example

The following example sets the time interval to 3600 seconds:

switchxxxxxx(config)# interface gi15
switchxxxxxx(config-if)# dot1x timeout supp-timeout 3600

dot1x timeout tx-period

To set the time interval during which the device waits for a response to an Extensible Authentication Protocol (EAP) request/identity frame from the client before resending the request, use the dot1x timeout tx-period Interface Configuration (Ethernet) mode command.

To restore the default tx period, use the no form of this command.

Syntax

dot1x timeout tx-period seconds

no dot1x timeout tx-period

Parameters

seconds—Specifies the time interval in seconds during which the device waits for a response to an EAP-Request/Identity frame from the client before resending the request. (Range: 30–65535 seconds.)

Default Configuration

The default timeout period is 30 seconds.

Command Mode

Interface Configuration mode

User Guidelines

The default value of this command should be changed only to adjust to unusual circumstances, such as unreliable links or specific behavioral problems with certain clients and authentication servers.

Example

The following command sets the time interval during which the device waits for a response to an EAP request/identity frame to 60 seconds:

switchxxxxxx(config)# interface gi1
switchxxxxxx(config-if)# dot1x timeout tx-period 60

dot1x violation-mode

To configure the action to be taken when a station whose MAC address is not the supplicant MAC address attempts to access the interface, use the dot1x violation-mode Interface Configuration mode command.

To restore the default, use the no form of this command.

Syntax

dot1x violation-mode {restrict | protect | shutdown} [trap seconds]

no dot1x violation-mode

Parameters

restrict—Generates a trap when a station whose MAC address is not the supplicant MAC address attempts to access the interface. The minimum time between traps is 1 second. Those frames are forwarded, but their source addresses are not learned.

protect—Discards frames whose source address is not the supplicant address.

shutdown—Discards frames whose source address is not the supplicant address and shuts down the port.

trap seconds—Sends SNMP traps and specifies the minimum time in seconds between consecutive traps. If seconds = 0, traps are disabled.

Default Configuration

Protect.

Command Mode

Interface Configuration mode

User Guidelines

The command is relevant only for single-host mode.

Example

The following command sets the single host violation mode to restrict with trap frequency 10 seconds:

switchxxxxxx(config)# interface gi1
switchxxxxxx(config-if)# dot1x violation-mode restrict trap 10
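The host-mode and violation-mode rules above interact in ways that are easy to get wrong, so here is a small model of them. This is an added example, not code from the switch or its vendor: it encodes the documented behaviour (multi-host admits every MAC once one supplicant is authorized, multi-sessions filters per source MAC up to max-hosts, single-host applies the violation action to frames from any other MAC, with traps throttled by the trap interval) so the edge cases can be exercised. The default trap interval and the refusal of a second supplicant on a single-host port are assumptions, marked in the code.

```python
"""Model of 802.1X host-mode and violation-mode port behaviour.

Added example, not switch code. Encodes the documented rules so that the
edge cases (port losing authorization, max-hosts, MAC spoofing, trap
throttling, shutdown) can be exercised offline.
"""
from dataclasses import dataclass, field

RESTRICT, PROTECT, SHUTDOWN = "restrict", "protect", "shutdown"


@dataclass
class Dot1xPort:
    host_mode: str = "multi-host"       # switch default
    max_hosts: int = 256                # honoured in multi-sessions mode only
    violation_mode: str = PROTECT       # honoured in single-host mode only
    trap_interval: int = 1              # seconds between traps; 0 disables traps (assumed default)
    authorized: set = field(default_factory=set)   # MACs that passed EAP
    shut_down: bool = False
    traps: list = field(default_factory=list)      # (time, offending MAC)
    _last_trap: float = None

    def authorize(self, mac):
        """Record a successful authentication; return False if it is refused."""
        if self.shut_down:
            return False
        if self.host_mode == "multi-sessions" and mac not in self.authorized \
                and len(self.authorized) >= self.max_hosts:
            return False                # max-hosts reached
        if self.host_mode == "single-host" and self.authorized \
                and mac not in self.authorized:
            return False                # assumption: one supplicant per single-host port
        self.authorized.add(mac)
        return True

    def deauthorize(self, mac):
        """Session ended (logoff, reauthentication failure, link down)."""
        self.authorized.discard(mac)

    def _maybe_trap(self, mac, now):
        if self.trap_interval <= 0:
            return
        if self._last_trap is None or now - self._last_trap >= self.trap_interval:
            self.traps.append((now, mac))
            self._last_trap = now

    def frame(self, src_mac, now=0.0):
        """Return what the port does with a frame: 'forward', 'drop' or 'shutdown'."""
        if self.shut_down:
            return "drop"
        if self.host_mode == "multi-host":
            # One authorized supplicant opens the port for every attached MAC.
            return "forward" if self.authorized else "drop"
        if self.host_mode == "multi-sessions":
            # Per-MAC filtering only: a spoofed authorized MAC is forwarded.
            return "forward" if src_mac in self.authorized else "drop"
        # single-host
        if not self.authorized:
            return "drop"
        if src_mac in self.authorized:
            return "forward"
        # Violation: frame from a MAC other than the supplicant's.
        self._maybe_trap(src_mac, now)
        if self.violation_mode == RESTRICT:
            return "forward"            # forwarded, but the source MAC is not learned
        if self.violation_mode == SHUTDOWN:
            self.shut_down = True
            return "shutdown"
        return "drop"                   # protect
```

Exercising the model shows why the page recommends reauthentication in multi-sessions mode: nothing in the data path distinguishes a departed host from a newcomer that reuses its MAC address, so only periodic reauthentication clears stale entries from the authorized set.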

show dot1x

To display the 802.1X global or specified interface status, use the show dot1x Privileged EXEC mode command.

Syntax

show dot1x [interfaces interface-id]

Parameters

interface-id—Port or list of ports to display.

Default Configuration

Display for all ports.

Command Mode

Privileged EXEC mode

Example

Example 1—The following example shows 802.1X status on port gi1:

switchxxxxxx#show dot1x interfaces gi1
Interface Configurations
Interface FastEthernet2
  Admin Control          : disabled
  Host Mode              : single-host
  Guest VLAN             : disabled
  RADIUS VLAN Assign     : disable
  Single-host Violation  : restrict
    Trap Frequency       : 3
    Violation Detected   : 0
  Reauthentication       : enabled
  Reauthenticate Period  : 3600
  Max Hosts              : 256
  Quiet Period           : 60
  EAP Max Request        : 2
  EAP TX Period          : 30
  Supplicant Timeout     : 30
  Server Timeout         : 30

Example 2—The following example shows all 802.1X statuses:

switchxxxxxx#show dot1x
Authentication dot1x state     : enabled
Guest VLAN                    : enabled (3)
Interface Configurations
Interface FastEthernet1
  Admin Control          : auto
  Host Mode              : multi-host
  Guest VLAN             : disabled
  RADIUS VLAN Assign     : disable
  Reauthentication       : enabled
  Reauthenticate Period  : 3600
  Max Hosts              : 256
  Quiet Period           : 60
  EAP Max Request        : 2
  EAP TX Period          : 30
  Supplicant Timeout     : 30
  Server Timeout         : 30
Interface FastEthernet2
  Admin Control          : disabled
  Host Mode              : single-host
  Guest VLAN             : disabled
  RADIUS VLAN Assign     : disable
  Single-host Violation  : restrict
    Trap Frequency       : 3
    Violation Detected   : 0
  Reauthentication       : enabled
  Reauthenticate Period  : 3600
  Max Hosts              : 256
  Quiet Period           : 60
  EAP Max Request        : 2
  EAP TX Period          : 30
  Supplicant Timeout     : 30
  Server Timeout         : 30
……
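Because the default port state is force-authorized, the quickest way to find ports that are not enforcing 802.1X is to parse this output. The following parser and audit function are an added example, not part of the switch documentation: the sample text is constructed in the format shown above, and the "Admin Control : disabled" value is assumed to correspond to the force-authorized state of the dot1x port-control command.

```python
"""Parse `show dot1x` output and flag ports that do not enforce 802.1X.

Added example, not part of the switch documentation. SAMPLE is constructed
in the output format of the page, with a third interface added.
"""
import re

SAMPLE = """\
Authentication dot1x state     : enabled
Guest VLAN                    : enabled (3)
Interface Configurations
Interface FastEthernet1
  Admin Control          : auto
  Host Mode              : multi-host
  Guest VLAN             : disabled
  RADIUS VLAN Assign     : disable
  Reauthentication       : enabled
  Reauthenticate Period  : 3600
  Server Timeout         : 30
Interface FastEthernet2
  Admin Control          : disabled
  Host Mode              : single-host
  Guest VLAN             : disabled
  RADIUS VLAN Assign     : disable
  Single-host Violation  : restrict
    Trap Frequency       : 3
    Violation Detected   : 0
  Reauthentication       : enabled
  Reauthenticate Period  : 3600
  Server Timeout         : 30
Interface FastEthernet3
  Admin Control          : auto
  Host Mode              : multi-sessions
  Guest VLAN             : enabled
  RADIUS VLAN Assign     : disable
  Reauthentication       : disabled
  Reauthenticate Period  : 3600
  Server Timeout         : 30
"""

KV = re.compile(r"^\s*(.+?)\s*:\s*(.*?)\s*$")   # "  Key   : value" lines


def parse_show_dot1x(text):
    """Return (global_settings, {interface: {field: value}})."""
    global_settings, interfaces, current = {}, {}, None
    for line in text.splitlines():
        if line.startswith("Interface Configurations"):
            continue
        if line.startswith("Interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = {}
            continue
        m = KV.match(line)
        if not m:
            continue
        key, value = m.groups()
        (interfaces[current] if current else global_settings)[key] = value
    return global_settings, interfaces


def audit(text):
    """Return a sorted list of (interface, finding) tuples."""
    glob, ifaces = parse_show_dot1x(text)
    findings = []
    if glob.get("Authentication dot1x state") != "enabled":
        findings.append(("global", "802.1X disabled globally (dot1x system-auth-control)"))
    for name, cfg in ifaces.items():
        ctl = cfg.get("Admin Control")
        if ctl != "auto":
            # Assumption: "disabled" here is the force-authorized port-control state.
            findings.append((name, f"port-control is '{ctl}': no authentication on this port"))
            continue
        if cfg.get("Reauthentication") != "enabled":
            findings.append((name, "reauthentication disabled: departed hosts are never re-checked"))
        if cfg.get("Host Mode") == "multi-host":
            findings.append((name, "multi-host: one authenticated supplicant admits every MAC on the port"))
    return sorted(findings)


if __name__ == "__main__":
    for iface, finding in audit(SAMPLE):
        print(f"{iface}: {finding}")
```

Feed the script the captured output of show dot1x from each switch; the global check covers a switch where dot1x system-auth-control was never entered, and the per-port checks cover ports left at the force-authorized default.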

show dot1x authenticated-hosts

To show information for all dot1x authenticated hosts, use the show dot1x authenticated-hosts Privileged EXEC mode command.

Syntax

show dot1x authenticated-hosts

Parameters

N/A

Default Configuration

N/A

Command Mode

Privileged EXEC mode

Example

The following command shows all authenticated hosts:

switchxxxxxx# show dot1x authenticated-hosts
Interface  MAC Address       Session Time   VLAN ID  User Name
---------- ----------------- -------------- -------- ----------------------

The following list describes the significant fields shown in the example:

Interface—Port number.

MAC Address—Supplicant MAC address.

Session Time—Amount of time that the supplicant has been logged on the port.

VLAN ID—Supplicant VLAN ID.

User Name—Supplicant name that was authenticated on the port.

show dot1x guest-vlan

To show the 802.1X guest VLAN information for all interfaces, use the show dot1x guest-vlan Privileged EXEC mode command.

Syntax

show dot1x guest-vlan

Parameters

N/A

Default Configuration

N/A

Command Mode

Privileged EXEC mode

Example

switchxxxxxx# show dot1x guest-vlan
 Guest VLAN ID: none (disabled)
  Port  | Guest VLAN | In Guest VLAN
--------+------------+---------------
   gi1  |   Enabled  |       No
   gi2  |   Disabled |       ---
   gi3  |   Disabled |       ---
   gi4  |   Disabled |       ---
   gi5  |   Disabled |       ---
   gi6  |   Disabled |       ---
   gi7  |   Disabled |       ---
   gi8  |   Disabled |       ---
   gi9  |   Disabled |       ---
  gi10  |   Disabled |       ---
  gi11  |   Disabled |       ---
  gi12  |   Disabled |       ---
  gi13  |   Disabled |       ---
  gi14  |   Disabled |       ---
  gi15  |   Enabled  |       No
  gi16  |   Disabled |       ---
  gi17  |   Disabled |       ---
  gi18  |   Disabled |       ---
  gi19  |   Disabled |       ---
  gi20  |   Disabled |       ---
  gi21  |   Disabled |       ---
  gi22  |   Disabled |       ---
  gi23  |   Disabled |       ---
  gi24  |   Disabled |       ---
  gi25  |   Disabled |       ---
  gi26  |   Disabled |       ---
  gi27  |   Disabled |       ---
  gi28  |   Disabled |       ---
  gi29  |   Disabled |       ---
  gi30  |   Disabled |       ---
  gi31  |   Disabled |       ---
  gi32  |   Disabled |       ---
  gi33  |   Disabled |       ---
  gi34  |   Disabled |       ---
  gi35  |   Disabled |       ---
  gi36  |   Disabled |       ---
  gi37  |   Disabled |       ---
  gi38  |   Disabled |       ---
  gi39  |   Disabled |       ---
  gi40  |   Disabled |       ---
  gi41  |   Disabled |       ---
  gi42  |   Disabled |       ---
  gi43  |   Disabled |       ---
  gi44  |   Disabled |       ---
  gi45  |   Disabled |       ---
  gi46  |   Disabled |       ---
  gi47  |   Disabled |       ---
  gi48  |   Disabled |       ---
  gi49  |   Disabled |       ---
  gi50  |   Disabled |       ---
  gi51  |   Disabled |       ---
  gi52  |   Disabled |       ---

The following list describes the significant fields shown in the example:

Guest VLAN ID—Identifier of the VLAN set as the guest VLAN.

Port—Port number.

Guest VLAN—Shows whether guest VLAN access is enabled or disabled on the port.

In Guest VLAN—Shows whether the unauthorized port is currently in the guest VLAN.

show dot1x sessions

To display the 802.1X authentication sessions information, use the show dot1x sessions Privileged EXEC mode command.

Syntax

show dot1x sessions [ {detail | interfaces interface-id | session-id session-id} ]

Parameters

detail—Display detailed information on all sessions.

interfaces interface-id—Display detailed information on the session on a specific interface.

session-id session-id—Display detailed information on the session with a specific session ID.

Default Configuration

Display brief information of all sessions

Command Mode

Privileged EXEC mode

Example

Example 1—The following example shows 802.1X brief session information:

Switchxxxxxx#show dot1x sessions
Total Session Number: 1
Interface  MAC Address       Authenticator State    Status       Session ID
---------- ----------------- ---------------------- ------------ ------------
fa7        68:BD:AB:A5:89:D4 Authorized             Authorized   00000010017DB6C0

The following list describes the significant fields shown in the example:

Interface—The interface name of the session.

MAC Address—Supplicant MAC address.

Authenticator State—802.1X PAE authenticator state.

Status—Running (authentication is ongoing), Authorized (authentication succeeded), UnAuthorized (authentication failed), or Locked (supplicant is in the quiet period).

Session ID—Unique authentication session ID.

Example 2—The following shows 802.1X detail session information:

Switchxxxxxx#show dot1x sessions detail
Interface              : FastEthernet7
MAC Address            : 68:BD:AB:A5:89:D4
Session ID             : 00000010017DB6C0
Authenticator State    : Authorized
User Name              : CP-7975G-SEP68BDABA589D4
Authorized Information
  VLAN                 : N/A
  Reauthenticate Period: 300 (from RADIUS)
Operational Information
  VLAN                 : 1
  Session Time         : 182