DXS-3600-32S CLI Reference Guide



DXS-3600-32S 10GbE Layer 2/3 Switch CLI Reference Guide

802.1X Commands

2-1 dot1x default

This command is used to reset the IEEE 802.1X parameters on a specific port to their default settings.

dot1x default

Parameters

None.

Default

Port control mode - Auto

Port PAE type - None

Port control direction - Both

Quiet period when authentication fails - 60 seconds

Re-authentication interval when authentication succeeds - 3600 seconds

Default timeout value waiting for a response from RADIUS - 30 seconds

Default timeout value waiting for a reply from Supplicant - 30 seconds

Default transmission interval from the Authenticator to the Supplicant - 30 seconds

Default maximum number of authentication request - 2 times

Re-authentication state on the port - Disabled

Command Mode

Interface Configuration Mode.

Command Default Level

Level: 8

Usage Guideline

This command is used to reset all the IEEE 802.1X parameters on a specific port to their default settings.

Example

This example shows how to reset the 802.1X parameters on port 1.

DXS-3600-32S#configure terminal

DXS-3600-32S(config)#interface tenGigabitEthernet 1

DXS-3600-32S(config-if)#dot1x default

DXS-3600-32S(config-if)#

2-2 dot1x port-control

This command is used to manually control the authorization state on a specific port. Use the no form of this command to reset the authorization state of the specific port to its default state (auto).

dot1x port-control {auto | force-authorized | force-unauthorized}

no dot1x port-control

Parameters

auto - Specifies to enable IEEE 802.1X authentication. The state (authorized or unauthorized) for a specific port is determined according to the outcome of the authentication.

force-authorized - Specifies to force a specific port to change to the authorized state without an authentication exchange.

force-unauthorized - Specifies to deny all access on a specific port by forcing the port to change to the unauthorized state, ignoring all authentication attempts.

Default

The default authorization state is auto.

Command Mode

Interface Configuration Mode.

Command Default Level

Level: 8

Usage Guideline

This command takes effect on a port only if the port is configured as an IEEE 802.1X PAE authenticator by using the ‘dot1x pae authenticator’ command.


Example

This example shows how to deny all access to port 1.

DXS-3600-32S#configure terminal

DXS-3600-32S(config)#interface tenGigabitEthernet 1

DXS-3600-32S(config-if)#dot1x port-control force-unauthorized

DXS-3600-32S(config-if)#

2-3 dot1x pae authenticator

This command is used to configure a specific port as an IEEE 802.1X port access entity (PAE) authenticator. Use the no form of this command to disable IEEE 802.1X authentication on the port.

dot1x pae authenticator

no dot1x pae

Parameters

None.

Default

The 802.1X is disabled on a port by default.

Command Mode

Interface Configuration Mode.

Command Default Level

Level: 8

Usage Guideline

You must also globally enable IEEE 802.1X authentication on the switch by using the ‘dot1x system-auth-control’ command.

Example

This example shows how to configure port 1 as an IEEE 802.1X PAE authenticator.

DXS-3600-32S#configure terminal

DXS-3600-32S(config)#interface tenGigabitEthernet 1

DXS-3600-32S(config-if)#dot1x pae authenticator

DXS-3600-32S(config-if)#

2-4 dot1x control-direction

This command is used to configure the direction of the traffic on a controlled port as unidirectional (in) or bidirectional (both). Use the no form of this command to reset the control direction of a port to its default value (both).

dot1x control-direction {both | in}

no dot1x control-direction

Parameters

both - Specifies to enable bidirectional control. Both incoming and outgoing traffic through an IEEE 802.1X-enabled port are prevented if the port is not in the authorized state.

in - Specifies to enable unidirectional control. Incoming traffic through an IEEE 802.1X-enabled port is prohibited if the port is not in the authorized state.

Default

The default is bidirectional mode.

Command Mode

Interface Configuration Mode.

Command Default Level

Level: 8

Usage Guideline

This command takes effect on a port only if the port is configured as an IEEE 802.1X PAE authenticator by using the ‘dot1x pae authenticator’ command.

When the port is in the force-unauthorized state or in the unauthorized state after authentication, the traffic is controlled based on the setting of this command.

When the port is in the force-authorized state or becomes authorized after authentication, the traffic will be allowed in both directions.

Example

This example shows how to specify the direction of traffic through Ethernet port 1.

The direction is set as unidirectional.

DXS-3600-32S#configure terminal

DXS-3600-32S(config)#interface tenGigabitEthernet 1

DXS-3600-32S(config-if)#dot1x control-direction in

DXS-3600-32S(config-if)#

2-5 dot1x timeout

This command is used to configure the IEEE 802.1X timers.

dot1x timeout {quiet-period <sec 0-65535> | reauth-period <sec 1-65535> | server-timeout <sec 1-65535> | supp-timeout <sec 1-65535> | tx-period <sec 1-65535>}

Parameters

quiet-period <sec 0-65535> - Number of seconds that the switch will be in the quiet state in the wake of a failed authentication process. The range is 0 to 65535.

reauth-period <sec 1-65535> - Number of seconds between re-authentication attempts. The range is 1 to 65535.

server-timeout <sec 1-65535> - Number of seconds that the switch will wait for the request from the authentication server before timing out the server. The range is 1 to 65535.

supp-timeout <sec 1-65535> - Number of seconds that the switch will wait for the response from the supplicant before timing out the supplicant. The range is 1 to 65535.

tx-period <sec 1-65535> - Number of seconds that the switch will wait for a response to an EAP-Request or Identity frame from the supplicant before retransmitting the request. The range is 1 to 65535.

Default

The default quiet period when authentication fails is 60 seconds (quiet-period).

The default re-authentication interval when authentication succeeds is 3600 seconds (reauth-period).

The default timeout value waiting for a response from RADIUS is 30 seconds (server-timeout).

The default timeout value waiting for a reply from Supplicant is 30 seconds (supp-timeout).

The default transmission interval from the Authenticator to the Supplicant is 30 seconds (tx-period).

Command Mode

Interface Configuration Mode.

Command Default Level

Level: 8

Usage Guideline

The ‘dot1x timeout reauth-period’ command is in operation only if you have enabled re-authentication by using the ‘dot1x reauthentication’ interface configuration command.


Example

This example shows how to configure the quiet period, reauthentication period, server timeout value, supplicant timeout value, and transmission period for Ethernet port 1 to be 20, 1000, 15, 15, and 10 seconds, respectively.

DXS-3600-32S#configure terminal

DXS-3600-32S(config)#interface tenGigabitEthernet 1

DXS-3600-32S(config-if)#dot1x timeout quiet-period 20

DXS-3600-32S(config-if)#dot1x timeout reauth-period 1000

DXS-3600-32S(config-if)#dot1x timeout server-timeout 15

DXS-3600-32S(config-if)#dot1x timeout supp-timeout 15

DXS-3600-32S(config-if)#dot1x timeout tx-period 10

DXS-3600-32S(config-if)#

2-6 dot1x max-req

This command is used to configure the maximum number of times that the backend authentication state machine will retransmit an Extensible Authentication Protocol (EAP) request frame to the supplicant before restarting the authentication process. Use the no form of this command to reset the maximum number of times to its default value.

dot1x max-req <int 1-10>

no dot1x max-req

Parameters

max-req <int 1-10> - Number of times that the switch retransmits an EAP frame to the supplicant before restarting the authentication process. The range is 1 to 10.

Default

The default value is 2 times.

Command Mode

Interface Configuration Mode.

Command Default Level

Level: 8

Usage Guideline

This command is used to set the maximum number of times that the backend authentication state machine will retransmit an Extensible Authentication Protocol (EAP) request frame to the supplicant before restarting the authentication process.

Example

This example shows how to set the maximum number of retries allowed on port 1.

The maximum number of retries is set to 3.

DXS-3600-32S#configure terminal

DXS-3600-32S(config)#interface tenGigabitEthernet 1

DXS-3600-32S(config-if)#dot1x max-req 3

DXS-3600-32S(config-if)#

2-7 dot1x reauthentication

This command is used to enable periodic reauthentication. Use the no form of this command to disable periodic reauthentication.

dot1x reauthentication

no dot1x reauthentication

Parameters

None.

Default

Periodic reauthentication on an interface is disabled by default.

Command Mode

Interface Configuration Mode.

Command Default Level

Level: 8

Usage Guideline

You can configure the number of seconds between reauthentication attempts by using the ‘dot1x timeout reauth-period’ command.

Example

This example shows how to enable periodic reauthentication on Ethernet port 1.

DXS-3600-32S#configure terminal

DXS-3600-32S(config)#interface tenGigabitEthernet 1

DXS-3600-32S(config-if)#dot1x reauthentication

DXS-3600-32S(config-if)#

2-8 dot1x re-authenticate

This command is used to reauthenticate a specific port or a specific MAC address.

dot1x re-authenticate {interface <interface-id> | mac-address <mac-address>}

Parameters

interface <interface-id> - (Optional) Specifies a port to reauthenticate. Valid interfaces are physical ports.

mac-address <mac-address> - (Optional) Specifies a MAC address to re-authenticate. The function can be used only if the authentication mode is host-based.

Default

This command has no default value.

Command Mode

Global Configuration Mode.

Command Default Level

Level: 8

Usage Guideline

Under port-based mode, use the parameter interface <interface-id> to reauthenticate a specific port. Under host-based mode, use the parameter mac-address <mac-address> to reauthenticate a specific MAC address.

Example

This example shows how to reauthenticate Ethernet port 1.

DXS-3600-32S#configure terminal

DXS-3600-32S(config)#dot1x re-authenticate interface tenGigabitEthernet 1

DXS-3600-32S(config)#

2-9 dot1x initialize

This command is used to initialize the authenticator state machine on a specific port or associated with a specific MAC address.

dot1x initialize {interface <interface-id> | mac-address <mac-address>}

Parameters

interface <interface-id> - (Optional) Specifies a port on which the authenticator state machine will be initialized. Valid interfaces are physical ports.

mac-address <mac-address> - (Optional) Specifies a MAC address whose associated authenticator state machine will be initialized. The function can be used only if the authentication mode is host-based.

Default

None.

Command Mode

Global Configuration Mode.

Command Default Level

Level: 8

Usage Guideline

Under port-based mode, use the parameter interface <interface-id> to initialize a specific port. Under host-based mode, use the parameter mac-address <mac-address> to initialize a specific MAC address.

Example

This example shows how to initialize the authenticator state machine on Ethernet port 1.

DXS-3600-32S#configure terminal

DXS-3600-32S(config)#dot1x initialize interface tenGigabitEthernet 1

DXS-3600-32S(config)#

2-10 dot1x system-auth-control

This command is used to globally enable IEEE 802.1X authentication on the switch. Use the no form of this command to disable the IEEE 802.1X function.

dot1x system-auth-control

no dot1x system-auth-control

Parameters

None.

Default

802.1X is disabled globally by default.

Command Mode

Global Configuration Mode.

Command Default Level

Level: 8

Usage Guideline

Use this command to enable 802.1X authentication globally.

Example

This example shows how to enable IEEE 802.1X authentication on the switch.

DXS-3600-32S#configure terminal

DXS-3600-32S(config)#dot1x system-auth-control

DXS-3600-32S(config)#

2-11 dot1x system-max-user

This command is used to configure the maximum number of users that can be learned via 802.1X authentication. Use the no form of this command to reset to the default setting.

dot1x system-max-user <int 1-4096>

no dot1x system-max-user

Parameters

<int 1-4096> - Specifies the maximum number of users.

Default

By default, the maximum number of users that can be learned via 802.1X authentication is 4096.

Command Mode

Global Configuration Mode.

Command Default Level

Level: 8

Usage Guideline

The setting is a global limitation on the maximum number of users that can be learned via 802.1X authentication. In addition to the global limitation, the maximum number of users per port is also limited.


Example

This example shows how to configure the maximum number of users that are allowed to be learned via 802.1X authentication. The maximum number of users allowed is 128.

DXS-3600-32S#configure terminal

DXS-3600-32S(config)#dot1x system-max-user 128

DXS-3600-32S(config)#

2-12 dot1x port-max-user

This command is used to configure the maximum number of users that can be learned via 802.1X authentication on a specific port. Use the no form of this command to reset to the default setting.

dot1x port-max-user <int 1-4096>

no dot1x port-max-user

Parameters

<int 1-4096> - Specifies the maximum number of users on a port.

Default

By default, the maximum number of users that can be learned via 802.1X authentication on a port is 16.

Command Mode

Interface Configuration Mode.

Command Default Level

Level: 8

Usage Guideline

The setting is an interface limitation on the maximum number of users that can be learned via 802.1X authentication. In addition to the interface limitation, the global maximum number of users is also limited.

Example

This example shows how to configure the maximum number of users allowed on port 1. The maximum number of users allowed is 32.

DXS-3600-32S#configure terminal

DXS-3600-32S(config)#interface tenGigabitEthernet 1

DXS-3600-32S(config-if)#dot1x port-max-user 32

DXS-3600-32S(config-if)#

2-13 dot1x system-fwd-pdu

This command is used to globally control the forwarding of EAPoL PDUs. Use the no form of this command to reset to the default setting.

dot1x system-fwd-pdu

no dot1x system-fwd-pdu

Parameters

None.

Default

By default, 802.1X does not forward EAPoL PDUs.

Command Mode

Global Configuration Mode.

Command Default Level

Level: 8

Usage Guideline

When 802.1X functionality is disabled globally or for a port, and 802.1X is set to forward EAPoL PDUs both globally and for the port, an EAPoL packet received on the port is flooded in the same VLAN to those ports that have EAPoL PDU forwarding enabled and 802.1X disabled (globally or just for the port). By default, 802.1X does not forward EAPoL PDUs.


Example

This example shows how to enable the forwarding of EAPoL PDUs, globally, on the switch.

DXS-3600-32S#configure terminal

DXS-3600-32S(config)#dot1x system-fwd-pdu

DXS-3600-32S(config)#

2-14 dot1x port-fwd-pdu

This command is used to control the forwarding of EAPoL PDUs on specific ports. Use the no form of this command to reset to the default setting.

dot1x port-fwd-pdu

no dot1x port-fwd-pdu

Parameters

None.

Default

By default, 802.1X does not forward EAPoL PDUs on any port.

Command Mode

Interface Configuration Mode.

Command Default Level

Level: 8

Usage Guideline

This is a per-port setting to control the forwarding of EAPoL PDUs. When 802.1X functionality is disabled globally or for a port, and 802.1X is set to forward EAPoL PDUs both globally and for the port, an EAPoL packet received on the port is flooded in the same VLAN to those ports that have EAPoL PDU forwarding enabled and 802.1X disabled (globally or just for the port). By default, 802.1X does not forward EAPoL PDUs on any port.

Example

This example shows how to enable the forwarding of EAPoL PDUs on port 1.

DXS-3600-32S#configure terminal

DXS-3600-32S(config)#dot1x system-fwd-pdu

DXS-3600-32S(config)#end

DXS-3600-32S#configure terminal

DXS-3600-32S(config)#interface tenGigabitEthernet 1

DXS-3600-32S(config-if)#no dot1x pae

DXS-3600-32S(config-if)#dot1x port-fwd-pdu

DXS-3600-32S(config-if)#

2-15 show dot1x

This command is used to display the IEEE 802.1X global configuration, interface configuration, authentication state, statistics, diagnostics, and session statistics.

show dot1x [[interface INTERFACE-ID] {auth-configuration | auth-state | statistics | diagnostics | session-statistics}]

Parameters

interface INTERFACE-ID - (Optional) Specifies a port to display authentication state, configuration, statistics, diagnostics, or session statistics.

auth-configuration - Displays the IEEE 802.1X interface configuration.

auth-state - Displays the IEEE 802.1X authentication state.

statistics - Displays the IEEE 802.1X information about the authenticator statistics.

diagnostics - Displays the IEEE 802.1X information about the authenticator diagnostics.

session-statistics - Displays the IEEE 802.1X information about the authenticator session statistics.


Default

None.

Command Mode

Privileged EXEC Mode.

Command Default Level

Level: 3

Usage Guideline

Use this command to display the IEEE 802.1X global configuration, interface configuration, authentication state, statistics, diagnostics, and session statistics.

When no interface is specified, information about all interfaces will be displayed.

Example

This example shows how to display the 802.1X global configuration.

DXS-3600-32S#show dot1x

802.1X : Disabled

Forward EAPOL PDU : Disabled

Max User : 4096

DXS-3600-32S#

Example

This example shows how to display the 802.1X configuration for the interface TGi/1.

DXS-3600-32S#show dot1x interface tenGigabitEthernet 1 auth-configuration

Interface : TGi/1

Capability : None

AdminCrlDir : Both

OperCrlDir : Both

Port Control : Auto

QuietPeriod : 60 sec

TxPeriod : 30 sec

SuppTimeout : 30 sec

ServerTimeout : 30 sec

MaxReq : 2 times

ReAuthPeriod : 3600 sec

ReAuthenticate : Disabled

Forward EAPOL PDU On Port : Disabled

Max User On Port : 16

DXS-3600-32S#
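
An added example, not part of the D-Link guide: a Python check that reads captured 'show dot1x' output in the format shown above and reports the conditions that the usage guidelines in sections 2-2 to 2-7, 2-13 and 2-14 describe as inoperative or permissive. The display values 'Enabled', 'Authenticator', 'Force-Authorized' and 'In', and the reading of 'Capability' as the port's PAE role, are assumptions; the guide's samples only show 'Disabled', 'None', 'Auto' and 'Both'.

```python
import re

# Constructed capture: the 'show dot1x' and 'auth-configuration' outputs from
# the examples above (abridged), as one CLI session.
SAMPLE = """\
DXS-3600-32S#show dot1x
802.1X : Disabled
Forward EAPOL PDU : Disabled
DXS-3600-32S#show dot1x interface tenGigabitEthernet 1 auth-configuration
Interface : TGi/1
Capability : None
AdminCrlDir : Both
Port Control : Auto
ReAuthenticate : Disabled
Forward EAPOL PDU On Port : Disabled
DXS-3600-32S#
"""

FIELD = re.compile(r"^\s*([^:#]+?)\s*:\s*(.*?)\s*$")


def norm(value):
    """Lower-case and drop punctuation, so 'Force-Authorized' -> 'forceauthorized'."""
    return re.sub(r"[^a-z0-9]", "", value.lower())


def parse(text):
    """Return (global settings, {interface: settings}) from captured output."""
    global_cfg, ports, current = {}, {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            if "#" in line:  # a prompt line starts a new command's output
                current = None
            continue
        key, value = m.groups()
        if key == "Interface":
            current = ports.setdefault(value, {})
        elif current is None:
            global_cfg[key] = value
        else:
            current[key] = value
    return global_cfg, ports


def audit(text):
    """Return sorted (scope, finding) pairs for inoperative or permissive settings."""
    g, ports = parse(text)
    dot1x_on = norm(g.get("802.1X", "")) == "enabled"
    fwd_on = norm(g.get("Forward EAPOL PDU", "")) == "enabled"
    out = [] if dot1x_on else [("global", "DOT1X_GLOBALLY_DISABLED")]
    for name, c in ports.items():
        # Assumption: 'Capability' is the PAE role, 'Authenticator' when configured.
        is_auth = norm(c.get("Capability", "")) == "authenticator"
        if not is_auth:  # port-control and control-direction are not in operation
            out.append((name, "NOT_PAE_AUTHENTICATOR"))
        if norm(c.get("Port Control", "")) == "forceauthorized":
            out.append((name, "FORCE_AUTHORIZED"))  # no authentication exchange
        if norm(c.get("AdminCrlDir", "")) == "in":
            out.append((name, "UNIDIRECTIONAL_CONTROL"))  # only incoming blocked
        if norm(c.get("ReAuthenticate", "")) != "enabled":
            out.append((name, "REAUTH_DISABLED"))  # reauth-period not in operation
        if (fwd_on and norm(c.get("Forward EAPOL PDU On Port", "")) == "enabled"
                and not (dot1x_on and is_auth)):
            out.append((name, "EAPOL_FLOODED_IN_VLAN"))  # 802.1X off, forwarding on
    return sorted(out)
```

Calling audit(SAMPLE) on the guide's default output reports that the port shows 'Port Control : Auto' yet performs no authentication, because 802.1X is disabled globally and the port is not a PAE authenticator.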

Example

This example shows how to display the 802.1X authentication state.

DXS-3600-32S#show dot1x auth-state

Status: A - Authorized; U - Unauthorized; (P): Port-Based 802.1X;Pri:Priority

Interface  MAC Address        Auth VID  PAE State       Backend State  Status  VID   Pri
---------  -----------------  --------  --------------  -------------  ------  ----  ---
TGi/1      00-00-00-00-00-01  10        Authenticated   Idle           A       4004  3
TGi/1      00-00-00-00-00-02  10        Authenticated   Idle           A       1234  -
TGi/1      00-00-00-00-00-04  30        Authenticating  Response       U       -     -
TGi/2      - (P)              -         Authenticating  Request        U       -     -
TGi/3      - (P)              -         Connecting      Idle           U       -     -
TGi/14     - (P)              -         Held            Fail           U       -     -

Total Authenticating Hosts :2

Total Authenticated Hosts :2

DXS-3600-32S#


Example

This example shows how to display the 802.1X statistics for the interface TGi/1.

DXS-3600-32S#show dot1x interface tenGigabitEthernet 1 statistics

MAC Address : 00-00-00-00-00-02

Interface : TGi/1

EapolFramesRx 0

EapolFramesTx 6

EapolStartFramesRx 0

EapolReqIdFramesTx 6

EapolLogoffFramesRx 0

EapolReqFramesTx 0

EapolRespIdFramesRx 0

EapolRespFramesRx 0

InvalidEapolFramesRx 0

EapLengthErrorFramesRx 0

LastEapolFrameVersion 0

LastEapolFrameSource 00-00-00-00-00-03

DXS-3600-32S#

Example

This example shows how to display the 802.1X diagnostics for the interface TGi/1.

DXS-3600-32S#show dot1x interface tenGigabitEthernet 1 diagnostics

MAC Address : 00-00-00-00-00-02

Interface : TGi/1

EntersConnecting 20

EapLogoffsWhileConnecting 0

EntersAuthenticating 0

SuccessWhileAuthenticating 0

TimeoutsWhileAuthenticating 0

FailWhileAuthenticating 0

ReauthsWhileAuthenticating 0

EapStartsWhileAuthenticating 0

EapLogoffWhileAuthenticating 0

ReauthsWhileAuthenticated 0

EapStartsWhileAuthenticated 0

EapLogoffWhileAuthenticated 0

BackendResponses 0

BackendAccessChallenges 0

BackendOtherRequestsToSupplicant 0

BackendNonNakResponsesFromSupplicant 0

BackendAuthSuccesses 0

BackendAuthFails 0

DXS-3600-32S#


Example

This example shows how to display the 802.1X session statistics for the interface TGi/1.

DXS-3600-32S#show dot1x interface tenGigabitEthernet 1 session

MAC Address : 00-00-00-00-00-02

Interface : TGi/1

SessionOctetsRx 0

SessionOctetsTx 0

SessionFramesRx 0

SessionFramesTx 0

SessionId ether1_1-1

SessionAuthenticMethod Remote Authentication Server

SessionTime 3

SessionTerminateCause NotTerminatedYet

SessionUserName user_test

DXS-3600-32S#
