Chapter 13: 802.1x Port Security
This section explains the basic concepts behind 802.1x port security, including switch roles, how the
switches communicate, and the procedure used for authenticating clients.
•  Section 13.1: 802.1x Port Security Introduction
•  Section 13.2: 802.1x Port Security Description
•  Section 13.3: Configuring 802.1x Port Security
•  Section 13.4: Displaying 802.1x information
•  Section 13.5: IEEE 802.1x Configuration Commands
13.1 802.1x Port Security Introduction
Port security controls who can send or receive traffic through an individual switch port. An end node is not
allowed to send or receive traffic through a port until a RADIUS server has authenticated the node.
This prevents unauthorized individuals from connecting to a switch port to reach your network: only
users with valid accounts on the RADIUS server are allowed to use the switch to access the network.
13.2 802.1x Port Security Description
13.2.1 Switch Roles for 802.1x Configurations
The 802.1x standard specifies the roles of Supplicant (client), Authenticator, and Authentication
Server in a network. Figure 13-1 illustrates these roles.
Figure 13-1: Authenticator, Supplicant, and Authentication Server in an 802.1x configuration [figure: RADIUS Server (Authentication Server); Arista Switch (Authenticator); Client/Supplicant]
Authentication server – The server that validates the client and specifies whether or not the client may
access services on the switch. The switch supports Authentication Servers running RADIUS.
Authenticator – The switch that controls access to the network. In an 802.1x configuration, the switch
serves as the Authenticator. As the Authenticator, it relays messages between the client and the
Authentication Server. The Authenticator grants or denies network access to the client based on the
identity data provided by the client and the authentication result returned by the Authentication Server.
Supplicant/Client – The client provides username and password data to the Authenticator, which
forwards this data to the Authentication Server. Based on the supplicant's information, the
Authentication Server determines whether the supplicant can use the services provided by the Authenticator.
The Authentication Server returns its decision to the Authenticator, which then provides services to the
client, or refuses them, based on the authentication result.
13.2.2 Authentication Process
The authentication that occurs between a supplicant, authenticator, and authentication server includes
the following processes.
•  Either the authenticator (a switch port) or the supplicant starts an authentication message exchange. The switch starts an exchange when it detects a change in the status of a port, or when it receives a packet on the port with a source MAC address that is not in the MAC address table.
•  An authenticator starts the negotiation by sending an EAP-Request/Identity packet. A supplicant starts the negotiation with an EAPOL-Start packet, to which the authenticator answers with an EAP-Request/Identity packet.
•  The supplicant answers with an EAP-Response/Identity packet, which the authenticator relays to the authentication server.
•  The authentication server responds with an EAP-Request packet (the method-specific challenge), which the authenticator relays to the supplicant.
•  The supplicant responds with an EAP-Response, which the authenticator again relays to the authentication server.
•  The authentication server returns an accept or a reject decision, and the authenticator transmits the corresponding EAP-Success or EAP-Failure packet to the supplicant.
•  If the supplicant receives an EAP-Failure, the port remains unauthorized and the supplicant's traffic is not forwarded.
13.2.3 Communication Between the Switches
For communication between the switch, the supplicant, and the authentication server, 802.1x port
security uses the Extensible Authentication Protocol (EAP), defined in RFC 2284 (since obsoleted by
RFC 3748), and the RADIUS authentication protocol.
The 802.1x standard defines a method for encapsulating EAP messages so they can be sent over a
LAN. This encapsulated form of EAP is known as EAP over LAN (EAPOL). EAPOL carries EAP between
the client (Supplicant) and the Authenticator; the Authenticator re-encapsulates the same EAP messages
in RADIUS to reach the Authentication Server.
EAPOL messages are passed between the Supplicant’s and Authenticator’s Port Access Entity (PAE).
Figure 13-2 shows the relationship between the Authenticator PAE and the Supplicant PAE.
Figure 13-2: Authenticator PAE and Supplicant PAE [figure: Authentication Server <- RADIUS Messages -> Arista Switch (Authenticator) / Authenticator PAE <- EAPOL Messages -> Supplicant PAE / 802.1X-Enabled Supplicant]
Authenticator PAE – The Authenticator PAE communicates with the Supplicant PAE to receive the
Supplicant's identifying information. Behaving as a RADIUS client, the Authenticator PAE passes the
Supplicant's information to the Authentication Server, which decides whether to grant the Supplicant
access. If the Supplicant passes authentication, the Authenticator PAE allows it access to the port.
Supplicant PAE – The Supplicant PAE provides information about the client to the Authenticator PAE
and replies to requests from the Authenticator PAE. The Supplicant PAE may initiate the authentication
procedure with the Authenticator PAE, as well as send logoff messages.
13.2.4 Controlled and Uncontrolled Ports
A physical port on the switch used with 802.1x has two virtual access points: a controlled port and an
uncontrolled port. The controlled port grants full access to the network. The uncontrolled port passes
only EAPOL traffic between the client and the Authenticator, which relays it to the Authentication
Server. When a client is authenticated successfully, the controlled port is opened to the client.
Figure 13-3: Ports before and after client authentication [figure: two panels, Before Authentication and After Authentication; each shows the Authentication Server, the Arista Switch (Authenticator) with its Services, PAE, Physical Port, Uncontrolled Port and Controlled Port (Unauthorized before, Authorized after), and the 802.1X-Enabled Supplicant PAE]
Before a client is authenticated, the uncontrolled port on the Authenticator is the only one open. The
uncontrolled port permits only EAPOL frames to be exchanged between the client and the Authenticator.
No traffic is allowed to pass through the controlled port in the unauthorized state.
During authentication, EAPOL messages are exchanged between the Supplicant PAE and the
Authenticator PAE, and RADIUS messages are exchanged between the Authenticator PAE and the
Authentication Server. If the client is successfully authenticated, the controlled port becomes
authorized, and traffic from the client can flow through the port normally.
All controlled ports on the switch are placed in the authorized state, allowing all traffic, by default. When
authentication is initiated, the controlled port on the interface is initially set in the unauthorized state. If
a client connected to the port is authenticated successfully, the controlled port is set in the authorized
state.
13.2.5 Message Exchange During Authentication
Figure 13-4 illustrates an exchange of messages between an 802.1x-enabled client, a switch operating
as Authenticator, and a RADIUS server operating as an Authentication Server.
Figure 13-4: Message exchange during authentication (Client/Supplicant, Arista Device (Authenticator), RADIUS Server (Authentication Server))
Port Unauthorized
Authenticator -> Supplicant: EAP-Request/Identity
Supplicant -> Authenticator: EAP-Response/Identity
Authenticator -> RADIUS Server: RADIUS Access-Request
RADIUS Server -> Authenticator: RADIUS Access-Challenge
Authenticator -> Supplicant: EAP-Request/MD5-Challenge
Supplicant -> Authenticator: EAP-Response/MD5-Challenge
Authenticator -> RADIUS Server: RADIUS Access-Request
RADIUS Server -> Authenticator: RADIUS Access-Accept
Authenticator -> Supplicant: EAP-Success
Port Authorized
Supplicant -> Authenticator: EAP-Logoff (an EAPOL-Logoff frame)
Port Unauthorized
Arista switches support MD5-Challenge, TLS, and any other EAP-encapsulated authentication type in
EAP Request or Response messages. In other words, the switch is transparent to the
authentication scheme used.
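The exchange described in 13.2.2 and Figure 13-4, as an added example that is not part of the Arista manual or of EOS: a supplicant, the authenticator (the switch) and a RADIUS server simulated in one Python process, with EAPOL and EAP encoding, the EAP-MD5 challenge, and the RADIUS Response Authenticator check the switch performs before it trusts an Access-Accept. The account (alice / s3cret), the shared secret, the use of EAP-MD5 and the reduced RADIUS attribute set are assumptions; a real exchange also carries Message-Authenticator and NAS attributes, and the Ethernet header around each EAPOL packet is left out.

```python
# Added example, not Arista's code: the 802.1x exchange of 13.2.2 / Figure 13-4 simulated in-process
# (supplicant, authenticator switch, RADIUS server). Account, shared secret and framing are assumptions.
import hashlib, os, struct

EAPOL_EAP, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_IDENTITY, EAP_MD5 = 1, 4
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_EAP_MESSAGE = 1, 79
USERS = {b"alice": b"s3cret"}      # assumed supplicant account on the RADIUS server
SHARED_SECRET = b"radiuskey"       # assumed switch <-> RADIUS shared secret

def build_eapol(pkt_type, body=b""):   # EAPOL v2 header; the Ethernet header (EtherType 0x888E) is omitted
    return struct.pack("!BBH", 2, pkt_type, len(body)) + body
def parse_eap(body):
    code, ident, length = struct.unpack("!BBH", body[:4])
    if not 4 <= length <= len(body):
        raise ValueError("bad EAP length")
    return code, ident, (body[4] if length > 4 else None), body[5:length]
def parse_eapol(pkt):                  # malformed packets are what a switch counts as RxInvalid
    _version, pkt_type, length = struct.unpack("!BBH", pkt[:4]) if len(pkt) >= 4 else (0, 255, 0)
    if pkt_type > EAPOL_LOGOFF or len(pkt) < 4 + length:
        raise ValueError("invalid EAPOL packet")
    return pkt_type, pkt[4:4 + length]
def build_eap(code, ident, eap_type=None, data=b""):
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload
def eap_md5_response(ident, password, challenge):   # EAP-MD5 (RFC 3748): MD5(id || password || challenge)
    return hashlib.md5(bytes([ident]) + password + challenge).digest()
def radius_pack(code, ident, authenticator, attrs):
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body
def radius_unpack(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = [], 20
    while pos < length:
        attrs.append((pkt[pos], pkt[pos + 2:pos + pkt[pos + 1]]))
        pos += pkt[pos + 1]
    return code, ident, pkt[4:20], attrs
def response_authenticator(code, ident, req_auth, attrs):
    # RFC 2865: MD5(Code+ID+Length+RequestAuth+Attributes+Secret); the switch recomputes it, so
    # nobody without the shared secret can hand it a forged Access-Accept.
    return hashlib.md5(radius_pack(code, ident, req_auth, attrs) + SHARED_SECRET).digest()

class RadiusServer:                    # Authentication Server; keeps the outstanding challenge per user
    def __init__(self):
        self.challenges = {}
    def handle(self, pkt):
        _, ident, req_auth, attrs = radius_unpack(pkt)
        user, eap_msg = dict(attrs)[ATTR_USER_NAME], dict(attrs)[ATTR_EAP_MESSAGE]
        _, eap_id, eap_type, data = parse_eap(eap_msg)
        if eap_type == EAP_IDENTITY:   # Access-Challenge carrying EAP-Request/MD5-Challenge
            self.challenges[user] = os.urandom(16)
            eap = build_eap(EAP_REQUEST, (eap_id + 1) & 0xFF, EAP_MD5, bytes([16]) + self.challenges[user])
            code = ACCESS_CHALLENGE
        else:                          # Access-Accept + EAP-Success, or Access-Reject + EAP-Failure
            expected = eap_md5_response(eap_id, USERS.get(user, b""), self.challenges.pop(user, b""))
            ok = user in USERS and data[1:17] == expected
            eap, code = build_eap(EAP_SUCCESS if ok else EAP_FAILURE, eap_id), ACCESS_ACCEPT if ok else ACCESS_REJECT
        reply = [(ATTR_EAP_MESSAGE, eap)]
        return radius_pack(code, ident, response_authenticator(code, ident, req_auth, reply), reply)

class Authenticator:                   # the switch: relays EAP and owns the controlled-port state
    def __init__(self, server):
        self.server, self.authorized, self.identity, self.eap_id, self.radius_id = server, False, b"", 0, 0
    def handle_eapol(self, pkt):
        pkt_type, body = parse_eapol(pkt)
        if pkt_type == EAPOL_LOGOFF:   # Port Unauthorized again on logoff
            self.authorized = False
            return None
        if pkt_type == EAPOL_START:    # EAPOL-Start is answered with EAP-Request/Identity
            self.eap_id = (self.eap_id + 1) & 0xFF
            return build_eapol(EAPOL_EAP, build_eap(EAP_REQUEST, self.eap_id, EAP_IDENTITY))
        code, ident, eap_type, data = parse_eap(body)
        if code != EAP_RESPONSE or ident != self.eap_id:
            raise ValueError("unexpected EAP response")
        self.identity = data if eap_type == EAP_IDENTITY else self.identity
        self.radius_id, req_auth = (self.radius_id + 1) & 0xFF, os.urandom(16)
        req = radius_pack(ACCESS_REQUEST, self.radius_id, req_auth, [(ATTR_USER_NAME, self.identity), (ATTR_EAP_MESSAGE, body)])
        rcode, rid, rauth, rattrs = radius_unpack(self.server.handle(req))
        if rid != self.radius_id or rauth != response_authenticator(rcode, rid, req_auth, rattrs):
            raise ValueError("RADIUS reply fails the shared-secret check; dropped")
        eap = dict(rattrs)[ATTR_EAP_MESSAGE]
        self.eap_id = parse_eap(eap)[1]
        self.authorized = rcode == ACCESS_ACCEPT   # controlled port opens only on Access-Accept
        return build_eapol(EAPOL_EAP, eap)

def supplicant_reply(pkt, username, password):   # Supplicant PAE
    code, ident, eap_type, data = parse_eap(parse_eapol(pkt)[1])
    if code != EAP_REQUEST:            # EAP-Success / EAP-Failure end the exchange
        return None
    if eap_type == EAP_IDENTITY:
        return build_eapol(EAPOL_EAP, build_eap(EAP_RESPONSE, ident, EAP_IDENTITY, username))
    digest = eap_md5_response(ident, password, data[1:1 + data[0]])
    return build_eapol(EAPOL_EAP, build_eap(EAP_RESPONSE, ident, EAP_MD5, bytes([16]) + digest))

def run_exchange(username, password):   # Figure 13-4 from EAPOL-Start to EAPOL-Logoff
    auth = Authenticator(RadiusServer())
    pkt = auth.handle_eapol(build_eapol(EAPOL_START))
    while pkt is not None:
        reply = supplicant_reply(pkt, username, password)
        pkt = auth.handle_eapol(reply) if reply is not None else None
    after_auth = auth.authorized
    auth.handle_eapol(build_eapol(EAPOL_LOGOFF))
    return after_auth, auth.authorized   # (authorized after authentication, authorized after logoff)
```

run_exchange(b"alice", b"s3cret") returns (True, False): the controlled port opens only when a verified Access-Accept arrives and closes again on EAPOL-Logoff. A wrong password or an unknown user returns (False, False). A RADIUS reply whose Response Authenticator does not verify under the shared secret is dropped rather than acted on, which is why the shared secret configured in Step 3 of 13.3 has to be treated as a credential.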
13.2.6 Authenticating Multiple Clients Connected to the Same Port
Arista switches support 802.1x authentication for ports with more than one client connected to them
(multi-host mode). Figure 13-5 illustrates a sample configuration where multiple clients are connected
to a single 802.1x port.
If there are multiple clients connected to a single 802.1x-enabled port, the switch authenticates each
individually. Each client’s authentication state is independent of the others, so that if one authenticated
client disconnects from the network, it won't impact the authentication status of any of the other
authenticated clients.
Figure 13-5: Multiple clients connected to a 802.1x-enabled port [figure: RADIUS Server (Authentication Server); Arista Switch (Authenticator); Hub; Clients/Supplicants running 802.1X-compliant client software]
13.3 Configuring 802.1x Port Security
Basic steps to implementing 802.1x Port-based Network Access Control and RADIUS accounting on
the switch:
Step 1 A RADIUS server is required on one or more of your network servers or management stations.
802.1x is not supported with the TACACS+ authentication protocol.
Step 2 You must create supplicant accounts on the RADIUS server:
•  The account for a supplicant connected to an authenticator port in the 802.1x authentication mode must have a username and password combination. The maximum username length is 38 alphanumeric characters and spaces, and the maximum password length is 16 alphanumeric characters and spaces.
•  An account for a supplicant connected to an authenticator port in the MAC address-based authentication mode must use the MAC address of the node as both the username and the password.
•  Clients connected to an 802.1x authenticator port require 802.1x client software.
Step 3 The RADIUS client on the switch must be configured with the IP addresses and shared secrets
(encryption keys) of the authentication servers on your network.
Step 4 The port access control settings must be configured on the switch. This includes the following:
•  Specifying the port roles.
•  Configuring 802.1x port parameters.
•  Enabling 802.1x Port-based Network Access Control.
Guidelines
•  Do not set a port that is connected to a RADIUS authentication server to the authenticator role, as an authentication server cannot authenticate itself.
•  A supplicant connected to an authenticator port set to the 802.1x username and password authentication method must have 802.1x client software.
•  To prevent unauthorized individuals from accessing the network through unattended network workstations, end users of 802.1x port-based network access control should always log off when they are finished with a work session.
•  The RADIUS client should be configured on the switch before activating port-based access control.
13.3.1 Configuring 802.1x Authentication Methods
IEEE 802.1x port security relies on external client-authentication methods, which must be configured
for use. The method currently supported on Arista switches is RADIUS authentication. To configure the
switch to use a RADIUS server for client authentication, use the aaa authentication dot1x command.
Example
•
The aaa authentication dot1x command configures the authentication, authorization, and
accounting (AAA) methods to be used on interfaces running IEEE 802.1X. The following configures
the switch to use RADIUS authentication.
switch(config)# aaa authentication dot1x default group radius
switch(config)#
13.3.2 Globally Enable IEEE 802.1x
To enable IEEE 802.1X port authentication globally on the switch, use the dot1x system-auth-control
command.
•  This command enables IEEE 802.1X globally on the switch.
switch(config)#dot1x system-auth-control
switch(config)#
13.3.3 Designating Authenticator Ports
For ports to act as authenticator ports to connected supplicants, those ports must be designated using
the dot1x port-control command.
The auto option of the dot1x port-control command designates an authenticator port for immediate
use, blocking all traffic that is not authenticated by the RADIUS server.
Example
•
This command configures Ethernet 1 to immediately begin functioning as an authenticator port.
switch(config)#interface ethernet 1
switch(config-if-Et1)#dot1x port-control auto
switch(config-if-Et1)#
The force-authorized option of the dot1x port-control command sets the state of the port to
authorized without authentication, allowing traffic to continue uninterrupted.
Example
•
These commands designate Ethernet 1 as an authenticator port that will forward packets without
authentication.
switch(config)#interface ethernet 1
switch(config-if-Et1)#dot1x port-control force-authorized
switch(config-if-Et1)#
To designate a port as an authenticator but prevent it from authorizing any traffic, use the
force-unauthorized option of the dot1x port-control command.
Example
•  The force-unauthorized option of the dot1x port-control command places the specified port in the unauthorized state, which denies all access requests from users of the port.
switch(config)#interface ethernet 1
switch(config-if-Et1)#dot1x port-control force-unauthorized
switch(config-if-Et1)#
13.3.4 Configuring Re-authentication
The dot1x reauthentication and dot1x timeout reauth-period commands configure authenticator
ports to require re-authentication from clients at regular intervals.
Example
•
These commands configure the Ethernet interface 1 authenticator to require re-authentication from
clients every 6 hours (21600 seconds).
switch(config)#interface ethernet 1
switch(config-if-Et1)#dot1x reauthentication
switch(config-if-Et1)#dot1x timeout reauth-period 21600
switch(config-if-Et1)#
•
These commands deactivate re-authentication on Ethernet interface 1.
switch(config)#interface ethernet 1
switch(config-if-Et1)#no dot1x reauthentication
switch(config-if-Et1)#
13.3.5 Setting the EAP Request Maximum
The dot1x max-reauth-req command configures the number of times the switch retransmits an 802.1x
Extensible Authentication Protocol (EAP) request packet before ending the conversation and restarting
authentication.
Example
•  These commands set the number of times the Ethernet interface 1 authenticator sends an EAP request packet to the client before restarting authentication to 4.
switch(config)#interface ethernet 1
switch(config-if-Et1)#dot1x max-reauth-req 4
switch(config-if-Et1)#
13.3.6 Disabling Authentication on a Port
To disable authentication on an authenticator port, use the no dot1x port-control command.
Example
•
These commands disable authentication on Ethernet interface 1.
switch(config)#interface ethernet 1
switch(config-if-Et1)#no dot1x port-control
switch(config-if-Et1)#
13.3.7 Setting the Quiet Period
If the switch fails to immediately authenticate the client, the time the switch waits before trying again is
specified by the dot1x timeout quiet-period command. This timer also indicates how long a client that
failed authentication is blocked.
Example
•
These commands set the 802.1x quiet period for Ethernet interface 1 to 30 seconds.
switch(config)#interface ethernet 1
switch(config-if-Et1)#dot1x timeout quiet-period 30
13.3.8 Setting the Transmission Timeout
Authentication and re-authentication are accomplished by the authenticator sending an Extensible
Authentication Protocol (EAP) request to the supplicant and the supplicant sending a reply which the
authenticator forwards to an authentication server. If the authenticator doesn’t receive a reply to the
EAP request, it waits a specified period of time before retransmitting. To configure that wait time, use
the dot1x timeout tx-period command.
Example
•
These commands configure Ethernet interface 1 to wait 30 seconds before retransmitting EAP
requests to the supplicant.
switch(config)#interface Ethernet 1
switch(config-if-Et1)#dot1x timeout tx-period 30
switch(config-if-Et1)#
13.3.9 Clearing 802.1x Statistics
The clear dot1x statistics command resets the 802.1x counters.
Example
•
This command clears the 802.1x counters on all interfaces.
switch#clear dot1x statistics all
switch#
•
This command clears the 802.1x counters on Ethernet interface 1.
switch#clear dot1x statistics interface ethernet 1
switch#
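An added example, not from the manual or from EOS, that checks whether the configuration built up in the sections above actually enforces anything: a Python audit of a running-config excerpt that reports a switch with 802.1x not enabled or no RADIUS method, authenticator ports still at the force-authorized default (the state that passes traffic without authentication), and auto ports with no re-authentication. The running-config excerpt is constructed for the example, and the parser only understands the global and interface-mode commands documented in this chapter.

```python
# Added example, not Arista's code: audits an EOS running-config excerpt for the 802.1x commands
# documented in this chapter. The configuration below is constructed for the example.

SAMPLE_CONFIG = """\
aaa authentication dot1x default group radius
!
dot1x system-auth-control
!
interface Ethernet1
   dot1x pae authenticator
   dot1x port-control auto
   dot1x reauthentication
   dot1x timeout reauth-period 21600
!
interface Ethernet2
   dot1x pae authenticator
   dot1x port-control force-authorized
!
interface Ethernet3
   dot1x pae authenticator
!
interface Ethernet4
   dot1x pae authenticator
   dot1x port-control auto
!
"""

def parse_config(text):
    """Split a running-config into global commands and {interface: [commands]}; '!' ends a block."""
    glob, ifaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
        elif line.startswith("interface ") and not raw[0].isspace():
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif raw[0].isspace() and current is not None:
            ifaces[current].append(line)          # indented line belongs to the open interface block
        else:
            current = None
            glob.append(line)
    return glob, ifaces

def port_control(lines):
    """Effective dot1x port-control for a port; force-authorized is the documented default when unset."""
    for line in lines:
        if line.startswith("dot1x port-control "):
            return line.split()[-1]
    return "force-authorized"

def audit_dot1x(text):
    """Return (scope, finding) pairs for anything that leaves traffic passing without authentication."""
    glob, ifaces = parse_config(text)
    findings = []
    if "dot1x system-auth-control" not in glob:
        findings.append(("global", "dot1x system-auth-control missing: 802.1x is disabled switch-wide"))
    if not any(l.startswith("aaa authentication dot1x ") for l in glob):
        findings.append(("global", "aaa authentication dot1x missing: no RADIUS method for 802.1x"))
    for name, lines in ifaces.items():
        if "dot1x pae authenticator" not in lines:
            continue                              # not an authenticator port; out of scope here
        control = port_control(lines)
        if control == "force-authorized":
            findings.append((name, "port-control is force-authorized (the default): traffic passes unauthenticated"))
        elif control == "auto" and "dot1x reauthentication" not in lines:
            findings.append((name, "port-control auto without dot1x reauthentication: no periodic re-authentication"))
    return findings
```

On the sample, audit_dot1x flags Ethernet2 (explicit force-authorized), Ethernet3 (no port-control line, so the default applies) and Ethernet4 (auto without re-authentication); Ethernet1 is the configuration the sections above build up to. Running the same audit over a config with the global dot1x system-auth-control line removed puts a "global" finding first, since per-port settings do nothing while authentication is disabled switch-wide.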
13.4 Displaying 802.1x information
You can display information about 802.1x on the switch and on individual ports.
13.4.1 Displaying port security configuration information
The show dot1x command shows information about the 802.1x configuration on the specified port or
ports.
Example
•  This command displays IEEE 802.1x configuration information for Ethernet interface 5.
switch#show dot1x interface ethernet 5
Dot1X Information for Ethernet5
-------------------------------------------
PortControl     : auto
QuietPeriod     : 60 seconds
TxPeriod        : 5 seconds
ReauthPeriod    : 3600 seconds
MaxReauthReq    : 2
switch#
13.4.2 Displaying 802.1x summary information
Use the show dot1x all summary command to display IEEE 802.1x status for all ports.
Example
•  The following command displays a summary of IEEE 802.1x status.
switch#show dot1x all summary
Interface       Client              Status
------------------------------------------------------------
Ethernet5       None                Unauthorized
switch#
13.4.3 Displaying 802.1x statistics
Use the show dot1x statistics command to display 802.1x statistics for the specified port or ports.
Example
•  This command displays IEEE 802.1x statistics for Ethernet interface 5.
switch#show dot1x interface ethernet 5 statistics
Dot1X Authenticator Port Statistics for Ethernet5
------------------------------------------------
RxStart = 0
RxLogoff = 0
RxRespId = 0
RxResp = 0
RxInvalid = 0
RxTotal = 0
TxReqId = 0
TxReq = 0
TxTotal = 0
RxVersion = 0
LastRxSrcMAC = 0000.0000.0000
switch#
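An added example, not Arista code, that parses the two output formats shown in this section and uses the counters to say why a port is Unauthorized: idle (no EAPOL received at all), a supplicant that answers EAP-Request/Identity but is never accepted (which points at its account on the RADIUS server), or invalid EAPOL frames from the attached host. The sample outputs are constructed in the format shown above, with several statistics blocks concatenated as they would be when collected for more than one port.

```python
# Added example, not Arista's code: parses 'show dot1x all summary' and 'show dot1x ... statistics'
# output in the format shown in this section and triages unauthorized ports. Output is constructed.
import re

SUMMARY_OUTPUT = """\
Interface       Client              Status
------------------------------------------------------------
Ethernet5       None                Unauthorized
Ethernet6       0011.2233.4455      Authorized
Ethernet7       None                Unauthorized
Ethernet8       None                Unauthorized
"""

STATS_OUTPUT = """\
Dot1X Authenticator Port Statistics for Ethernet5
------------------------------------------------
RxStart = 0
RxLogoff = 0
RxRespId = 0
RxResp = 0
RxInvalid = 0
RxTotal = 0
TxReqId = 4
TxReq = 0
TxTotal = 4
RxVersion = 0
LastRxSrcMAC = 0000.0000.0000
Dot1X Authenticator Port Statistics for Ethernet7
------------------------------------------------
RxStart = 3
RxLogoff = 0
RxRespId = 3
RxResp = 3
RxInvalid = 0
RxTotal = 6
TxReqId = 3
TxReq = 3
TxTotal = 6
RxVersion = 2
LastRxSrcMAC = 00aa.bbcc.ddee
Dot1X Authenticator Port Statistics for Ethernet8
------------------------------------------------
RxStart = 0
RxLogoff = 0
RxRespId = 0
RxResp = 0
RxInvalid = 5
RxTotal = 5
TxReqId = 2
TxReq = 0
TxTotal = 2
RxVersion = 0
LastRxSrcMAC = 0011.2233.9999
"""

def parse_summary(text):
    """{interface: (client, status)} from 'show dot1x all summary' output."""
    rows = {}
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+(\S+)\s+(Authorized|Unauthorized)\s*$", line)
        if m:
            rows[m.group(1)] = (m.group(2), m.group(3))
    return rows

def parse_statistics(text):
    """{interface: {counter: value}} from one or more 'show dot1x interface ... statistics' blocks."""
    stats, current = {}, None
    for line in text.splitlines():
        header = re.match(r"Dot1X Authenticator Port Statistics for (\S+)", line)
        counter = re.match(r"(\w+)\s*=\s*(\S+)", line)
        if header:
            current = header.group(1)
            stats[current] = {}
        elif counter and current is not None:
            name, value = counter.groups()
            stats[current][name] = int(value) if value.isdigit() else value
    return stats

def triage(summary, stats):
    """Explain each Unauthorized port from its counters: bad frames, failing supplicant, or idle."""
    findings = {}
    for iface, (_client, status) in summary.items():
        if status == "Authorized":
            continue
        c = stats.get(iface, {})
        if c.get("RxInvalid", 0):
            findings[iface] = "invalid EAPOL frames from %s; check the host on this port" % c.get("LastRxSrcMAC")
        elif c.get("RxRespId", 0):
            findings[iface] = "supplicant answers but is never authorized; check its RADIUS account"
        elif not c.get("RxTotal", 0):
            findings[iface] = "no EAPOL received; no 802.1x client on this port"
        else:
            findings[iface] = "EAPOL seen but no EAP-Response/Identity; supplicant not completing"
    return findings
```

triage(parse_summary(SUMMARY_OUTPUT), parse_statistics(STATS_OUTPUT)) reports Ethernet5 as idle (TxReqId counts the switch's own unanswered EAP-Request/Identity frames), Ethernet7 as a supplicant that answers but is rejected, and Ethernet8 as a source of invalid EAPOL frames, with the offending MAC taken from LastRxSrcMAC. The RxTotal counter, which the switch counts as received EAPOL frames, is what separates an empty port from a misbehaving one.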
13.5 IEEE 802.1x Configuration Commands
Global Configuration Commands
•  dot1x system-auth-control
Interface Configuration Commands – Ethernet Interface
•  dot1x max-reauth-req
•  dot1x pae authenticator
•  dot1x port-control
•  dot1x reauthentication
•  dot1x timeout quiet-period
•  dot1x timeout reauth-period
•  dot1x timeout tx-period
Privileged EXEC Commands
•  clear dot1x statistics
•  show dot1x
•  show dot1x statistics
•  show dot1x all summary
clear dot1x statistics
The clear dot1x statistics command resets the 802.1x counters on the specified interface or all
interfaces.
Command Mode
Privileged EXEC
Command Syntax
clear dot1x statistics INTERFACE_NAME
Parameters
•  INTERFACE_NAME   Interface type and number. Options include:
   •  all   Resets the counters on all interfaces.
   •  interface ethernet e_num   Ethernet interface specified by e_num.
   •  interface loopback l_num   Loopback interface specified by l_num.
   •  interface management m_num   Management interface specified by m_num.
   •  interface port-channel p_num   Port-Channel interface specified by p_num.
   •  interface vlan v_num   VLAN interface specified by v_num.
Example
•
This command resets the 802.1x counters on all interfaces.
switch#clear dot1x statistics all
switch#
dot1x system-auth-control
The dot1x system-auth-control command enables 802.1X authentication on the switch.
The no dot1x system-auth-control and default dot1x system-auth-control commands disable
802.1X authentication by removing the dot1x system-auth-control command from running-config.
Command Mode
Global Configuration
Command Syntax
dot1x system-auth-control
no dot1x system-auth-control
default dot1x system-auth-control
Example
•
This command enables 802.1X authentication on the switch.
switch(config)#dot1x system-auth-control
switch(config)#
•
This command disables 802.1X authentication on the switch.
switch(config)#no dot1x system-auth-control
switch(config)#
dot1x max-reauth-req
The dot1x max-reauth-req command configures how many times the switch retransmits an 802.1x
Extensible Authentication Protocol (EAP) request packet before ending the conversation and restarting
authentication.
The no dot1x max-reauth-req and default dot1x max-reauth-req commands restore the default
value of 2 by deleting the corresponding dot1x max-reauth-req command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Management Configuration
Command Syntax
dot1x max-reauth-req attempts
no dot1x max-reauth-req
default dot1x max-reauth-req
Parameters
•  attempts   maximum number of attempts. Values range from 1 to 10; default value is 2.
Examples
•
This command sets the 802.1x EAP-request retransmit limit to 6.
switch(config-if-Et1)#dot1x max-reauth-req 6
switch(config-if-Et1)#
•
This command restores the default request repetition value of 2.
switch(config-if-Et1)#no dot1x max-reauth-req
switch(config-if-Et1)#
dot1x pae authenticator
The dot1x pae authenticator command sets the port access entity (PAE) type of the configuration
mode interface to authenticator.
The no dot1x pae authenticator and default dot1x pae authenticator commands restore the switch
default by deleting the corresponding dot1x pae authenticator command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Management Configuration
Command Syntax
dot1x pae authenticator
no dot1x pae authenticator
default dot1x pae authenticator
Example
•  These commands configure Ethernet interface 2 as a port access entity (PAE) authenticator, which enables IEEE 802.1x on the port.
switch(config)#interface ethernet 2
switch(config-if-Et2)#dot1x pae authenticator
switch(config-if-Et2)#
•  These commands disable IEEE 802.1x authentication on Ethernet interface 2.
switch(config)#interface ethernet 2
switch(config-if-Et2)#no dot1x pae authenticator
switch(config-if-Et2)#
dot1x port-control
The dot1x port-control command configures the configuration mode interface as an authenticator
port and specifies whether it will authenticate traffic.
The no dot1x port-control and default dot1x port-control commands configure the port to pass
traffic without authorization by removing the corresponding dot1x port-control command from
running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Management Configuration
Command Syntax
dot1x port-control STATE
no dot1x port-control
default dot1x port-control
Parameters
•  STATE   specifies whether the interface will authenticate traffic. The default value is force-authorized. Options include:
   •  auto   configures the port to authenticate traffic using Extensible Authentication Protocol messages.
   •  force-authorized   configures the port to pass traffic without authentication.
   •  force-unauthorized   configures the port to block all traffic regardless of authentication.
Examples
•
These commands configure Ethernet interface 1 to pass traffic without authentication. This is the
default setting.
switch(config)#interface Ethernet 1
switch(config-if-Et1)#dot1x port-control force-authorized
switch(config-if-Et1)#
•
These commands configure Ethernet interface 1 to block all traffic.
switch(config)#interface Ethernet 1
switch(config-if-Et1)#dot1x port-control force-unauthorized
switch(config-if-Et1)#
•
These commands configure Ethernet interface 1 to authenticate traffic using EAP messages.
switch(config)#interface Ethernet 1
switch(config-if-Et1)#dot1x port-control auto
switch(config-if-Et1)#
dot1x reauthentication
The dot1x reauthentication command configures the configuration mode interface to require
re-authentication from clients at regular intervals. The interval is set by the dot1x timeout
reauth-period command.
The no dot1x reauthentication and default dot1x reauthentication commands restore the default
setting by deleting the corresponding dot1x reauthentication command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Management Configuration
Command Syntax
dot1x reauthentication
no dot1x reauthentication
default dot1x reauthentication
Example
•
These commands configure the Ethernet interface 1 authenticator to require periodic
re-authentication from clients.
switch(config)#interface Ethernet 1
switch(config-if-Et1)#dot1x reauthentication
switch(config-if-Et1)#
dot1x timeout quiet-period
If the switch fails to immediately authenticate the client, the time the switch waits before trying again is
specified by the dot1x timeout quiet-period command. This timer also indicates how long a client that
failed authentication is blocked.
The no dot1x timeout quiet-period and default dot1x timeout quiet-period commands restore the
default quiet period of 60 seconds by removing the corresponding dot1x timeout quiet-period
command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Management Configuration
Command Syntax
dot1x timeout quiet-period quiet_time
no dot1x timeout quiet-period
default dot1x timeout quiet-period
Parameters
•  quiet_time   interval in seconds. Values range from 1 to 65535. Default value is 60.
Example
•
These commands set the 802.1x quiet period for Ethernet interface 1 to 30 seconds.
switch(config)#interface Ethernet 1
switch(config-if-Et1)#dot1x timeout quiet-period 30
switch(config-if-Et1)#
dot1x timeout reauth-period
The dot1x timeout reauth-period command specifies the time period that the configuration mode
interface waits before requiring re-authentication from clients.
The no dot1x timeout reauth-period and default dot1x timeout reauth-period commands restore
the default period of 60 minutes by removing the corresponding dot1x timeout reauth-period
command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Management Configuration
Command Syntax
dot1x timeout reauth-period reauth_time
no dot1x timeout reauth-period
default dot1x timeout reauth-period
Parameters
•  reauth_time   the number of seconds the interface passes traffic before requiring re-authentication. Values range from 1 to 65535. Default value is 3600.
Example
•
These commands configure the Ethernet interface 1 authenticator to require re-authentication from
clients every 6 hours (21600 seconds).
switch(config)#interface Ethernet 1
switch(config-if-Et1)#dot1x reauthentication
switch(config-if-Et1)#dot1x timeout reauth-period 21600
switch(config-if-Et1)#
dot1x timeout tx-period
Authentication and re-authentication are accomplished by the authenticator sending an Extensible
Authentication Protocol (EAP) request to the supplicant and the supplicant sending a reply which the
authenticator forwards to an authentication server. If the authenticator does not get a reply to the EAP
request, it waits a specified period of time before retransmitting. The dot1x timeout tx-period
command configures that wait time.
The no dot1x timeout tx-period and default dot1x timeout tx-period commands restore the default
wait time by removing the corresponding dot1x timeout tx-period command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Management Configuration
Command Syntax
dot1x timeout tx-period tx_time
no dot1x timeout tx-period
default dot1x timeout tx-period
Parameters
•  tx_time   wait time in seconds before an unanswered EAP request is retransmitted. Values range from 1 to 65535. Default value is 5.
Example
•
These commands configure Ethernet interface 1 to wait 30 seconds before retransmitting EAP
requests to the supplicant.
switch(config)#interface Ethernet 1
switch(config-if-Et1)#dot1x timeout tx-period 30
switch(config-if-Et1)#
show dot1x
The show dot1x command displays 802.1x information for the specified interface.
Command Mode
EXEC
Command Syntax
show dot1x INTERFACE_NAME INFO
Parameters
•  INTERFACE_NAME   Interface type and number. Options include:
   •  all   Display information for all interfaces.
   •  ethernet e_num   Ethernet interface specified by e_num.
   •  loopback l_num   Loopback interface specified by l_num.
   •  management m_num   Management interface specified by m_num.
   •  port-channel p_num   Port-Channel interface specified by p_num.
   •  vlan v_num   VLAN interface specified by v_num.
•  INFO   Type of information the command displays. Values include:
   •  <no parameter>   displays a summary for the specified interface.
   •  detail   displays all 802.1x information for the specified interface.
Example
•  This command displays 802.1X summary information for Ethernet interface 5.
switch#show dot1x interface ethernet 5
Dot1X Information for Ethernet5
-------------------------------------------
PortControl     : auto
QuietPeriod     : 60 seconds
TxPeriod        : 5 seconds
ReauthPeriod    : 3600 seconds
MaxReauthReq    : 2
switch#
•  This command displays detailed 802.1X information for Ethernet interface 5.
switch#show dot1x interface ethernet 5 detail
Dot1X Information for Ethernet5
-------------------------------------------
PortControl     : auto
QuietPeriod     : 60 seconds
TxPeriod        : 5 seconds
ReauthPeriod    : 3600 seconds
MaxReauthReq    : 2
Dot1X Authenticator Client
Port Status     : Unauthorized
switch#
show dot1x statistics
The show dot1x statistics command displays 802.1X statistics for the specified port or ports.
Command Mode
EXEC
Command Syntax
show dot1x INTERFACE_NAME statistics
Parameters
•  INTERFACE_NAME   Interface type and number. Options include:
   •  all   Display information for all interfaces.
   •  ethernet e_num   Ethernet interface specified by e_num.
   •  loopback l_num   Loopback interface specified by l_num.
   •  management m_num   Management interface specified by m_num.
   •  port-channel p_num   Port-Channel interface specified by p_num.
   •  vlan v_num   VLAN interface specified by v_num.
Output Fields
•  RxStart   Number of EAPOL-Start frames received on the port.
•  RxLogoff   Number of EAPOL-Logoff frames received on the port.
•  RxRespId   Number of EAP-Response/Identity frames received on the port.
•  RxResp   Number of received EAP-Response frames that were not EAP-Response/Identity.
•  RxInvalid   Number of invalid EAPOL frames received on the port.
•  RxTotal   The total number of EAPOL frames received on the port.
•  TxReqId   Number of EAP-Request/Identity frames transmitted on the port.
•  TxReq   Number of transmitted EAP-Request frames that were not EAP-Request/Identity.
•  TxTotal   The total number of EAPOL frames transmitted on the port.
•  RxVersion   Version number of the last EAPOL frame received on the port.
•  LastRxSrcMAC   The source MAC address in the last EAPOL frame received on the port.
Example
•  This command displays the 802.1X statistics for Ethernet interface 5.
switch#show dot1x interface ethernet 5 statistics
Dot1X Authenticator Port Statistics for Ethernet5
------------------------------------------------
RxStart = 0
RxLogoff = 0
RxRespId = 0
RxResp = 0
RxInvalid = 0
RxTotal = 0
TxReqId = 0
TxReq = 0
TxTotal = 0
RxVersion = 0
LastRxSrcMAC = 0000.0000.0000
switch#
show dot1x all summary
The show dot1x all summary command displays the IEEE 802.1X status for all ports.
Command Mode
EXEC
Command Syntax
show dot1x all summary
Example
•
This command displays the IEEE 802.1X status.
switch#show dot1x all summary
Interface       Client              Status
------------------------------------------------------------
Ethernet5       None                Unauthorized
switch#