Port Authentication

The Port Authentication page enables configuration of parameters for each port. Some configuration changes, such as host authentication, are only possible while the port is in the Force Authorized state, so it’s recommended that you change the port control to Force Authorized before making changes. When the configuration is complete, return the port control to its previous state.

Note

A port with 802.1x defined on it can’t become a member of a LAG.
802.1x and Port Security can’t be enabled on the same port at the same time. If you enable port security on an interface, the Administrative Port Control can’t be changed to Auto mode.

To define 802.1X authentication:

Procedure


Step 1

Click Security > 802.1X Authentication > Port Authentication.

This page displays authentication settings for all ports.

In addition to the fields described on the Edit page, the following fields are displayed for each port:
  • Supplicant Status—Either Authorized or Unauthorized for an interface on which 802.1x supplicant has been enabled.

  • Supplicant Credentials—Name of the credential structure used for the supplicant interface. The possible value is any name, or N/A if the supplicant isn’t enabled. If a port has a configured supplicant credential name, the value for the port control parameters is Supplicant. This value overrides any other port control information received from the port.

Step 2

Select a port and click Edit.

Step 3

Enter the parameters.

  • Interface—Select a port.

  • Current Port Control—Displays the current port authorization state. If the state is Authorized, the port is either authenticated or the Administrative Port Control is Force Authorized. Conversely, if the state is Unauthorized, then the port is either not authenticated or the Administrative Port Control is Force Unauthorized. If supplicant is enabled on an interface, the current port control is Supplicant.

  • Administrative Port Control—Select the Administrative Port Authorization state. The options are:

    • Force Unauthorized—Denies the interface access by moving the interface into the unauthorized state. The device doesn’t provide authentication services to the client through the interface.

    • Auto—Enables port-based authentication and authorization on the device. The interface moves between an authorized and an unauthorized state based on the authentication exchange between the device and the client.

    • Force Authorized—Authorizes the interface without authentication.

  • RADIUS VLAN Assignment—Select to enable Dynamic VLAN assignment on the selected port.

    • Disable—Feature is not enabled.

    • Reject—If the RADIUS server authorized the supplicant, but didn’t provide a supplicant VLAN, the supplicant is rejected.

    • Static—If the RADIUS server authorized the supplicant, but didn’t provide a supplicant VLAN, the supplicant is accepted.

  • Guest VLAN—Select to enable using a guest VLAN for unauthorized ports.

  • Open Access—Select to treat the port as successfully authenticated even if authentication fails.

  • 802.1X Based Authentication—Select to enable 802.1X authentication on the port.

  • MAC-Based Authentication—Select to enable port authentication based on the supplicant MAC address. Only 8 MAC-based authentications can be used on the port.

    Note

    For MAC authentication to succeed, the RADIUS server supplicant username and password must be the supplicant MAC address. The MAC address must be in lower case letters and entered without the . or - separators; for example: 0020aa00bbcc.

  • Web-Based Authentication—Select to enable web-based authentication based on the supplicant MAC address.

  • Periodic Reauthentication—Select to enable port reauthentication attempts after the specified Reauthentication Period.

  • Reauthentication Period—Enter the number of seconds after which the selected port is reauthenticated.

  • Reauthenticate Now—Select to enable immediate port reauthentication.

  • Authenticator State—Displays the defined port authorization state. The options are:

    • Initialize—In process of coming up.

    • Force-Authorized—Controlled port state is set to Force-Authorized (forward traffic).

    • Force-Unauthorized—Controlled port state is set to Force-Unauthorized (discard traffic).

      Note

      If the port isn’t in Force-Authorized or Force-Unauthorized, it’s in Auto Mode and the authenticator displays the state of the authentication in progress. After the port is authenticated, the state is shown as Authenticated.

  • Time Range—Select to enable limiting authentication to a specific time range.

  • Time Range Name—If Time Range is selected, click the Edit button to be redirected to the time range page and select the time range name to be used.

  • Maximum WBA Login Attempts—Enter the maximum number of login attempts allowed for web-based authentication. Select either Infinite for no limit or User Defined to set a limit.

  • Maximum WBA Silence Period—Enter the maximum length of the silent period for web-based authentication allowed on the interface. Select either Infinite for no limit or User Defined to set a limit.

  • Max Hosts—Enter the maximum number of authorized hosts allowed on the interface.

    Select either Infinite for no limit, or User Defined to set a limit.

    Note

    Set this value to 1 to simulate single-host mode for web-based authentication in multi-sessions mode.

  • Quiet Period—Enter the length of the quiet period.

  • Resending EAP—Enter the number of seconds that the device waits for a response to an Extensible Authentication Protocol (EAP) request/identity frame from the supplicant (client) before resending the request.

  • Max EAP Requests—Enter the maximum number of EAP requests that will be sent. If a response isn’t received after the defined period (supplicant timeout), the authentication process is restarted.

  • EAP Max Retries—Enter the maximum number of EAP retries that can be sent.

  • EAP Timeout—Enter the maximum time to wait for EAP responses before a timeout occurs.

  • Supplicant Timeout—Enter the number of seconds that elapse before EAP requests are resent to the supplicant.

  • Server Timeout—Enter the number of seconds that elapse before the device resends a request to the authentication server.

  • Supplicant—Select to enable 802.1X.

  • Credentials—Select credentials from the drop-down list to use for this supplicant. This parameter is available only if supplicant is enabled on the interface. Edit links to the Supplicant Credentials page where credentials can be configured.

  • Supplicant Held Timeout—Enter the time period during which the supplicant waits before restarting authentication after receiving the FAIL response from the RADIUS server.

Step 4

Click Apply. The port settings are written to the Running Configuration file.
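
The MAC-Based Authentication note in Step 3 requires the RADIUS username and password to be the supplicant MAC address in lower case with no separators, and allows only 8 MAC-based authentications on a port. The following Python sketch is an added example, not part of the original guide or the device software: it converts commonly seen MAC layouts into that form and flags invalid entries, duplicates and ports over the limit. The function names, the port name GE1 and the sample addresses are assumptions made for illustration.

```python
import re

# Limit stated on this page: only 8 MAC-based authentications per port.
MAX_MAC_AUTH_PER_PORT = 8

# Accepted input layouts (after lowercasing): 00:20:aa:00:bb:cc,
# 00-20-aa-00-bb-cc, 0020.aa00.bbcc, or 12 bare hex digits.
_LAYOUTS = re.compile(
    r"[0-9a-f]{2}([:-])(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}"
    r"|[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
    r"|[0-9a-f]{12}"
)


def radius_mac_credential(mac):
    """Return the MAC as lowercase hex without separators, e.g. 0020aa00bbcc."""
    candidate = mac.strip().lower()
    if not _LAYOUTS.fullmatch(candidate):
        raise ValueError(f"not a recognisable MAC address: {mac!r}")
    return re.sub(r"[:.-]", "", candidate)


def plan_port(port, macs):
    """Build RADIUS (username, password) pairs for one port and list problems."""
    creds, problems, seen = [], [], set()
    for raw in macs:
        try:
            value = radius_mac_credential(raw)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if value in seen:
            problems.append(f"duplicate MAC {value}")
            continue
        seen.add(value)
        creds.append((value, value))  # username and password are both the MAC
    if len(creds) > MAX_MAC_AUTH_PER_PORT:
        problems.append(f"{port}: {len(creds)} MACs, limit is {MAX_MAC_AUTH_PER_PORT}")
    return {"port": port, "credentials": creds, "problems": problems}


if __name__ == "__main__":
    # Constructed sample inventory; port name and addresses are made up.
    sample = ["00:20:AA:00:BB:CC", "0020.aa00.bbcc", "00-20-AA-00-BB-CD", "0020aa00bbzz"]
    print(plan_port("GE1", sample))
```

Running the inventory through this check before creating the RADIUS accounts catches entries that would never match the username the device sends.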