Configuring IEEE 802.1x

Configuring IEEE 802.1x on an authenticator switch port consists of:

  • Setting the authentication mode globally and per port
  • Configuring optional authentication port parameters globally and per port
  • Globally enabling 802.1x authentication for the switch

The following procedure describes how to configure IEEE 802.1x on an authenticator switch port. Unspecified parameters use their default values.

IEEE 802.1x Configuration

Step 1
  Task: Set the IEEE 802.1x authentication mode both globally and per port:
    • auto - The switch will only forward authenticated frames.
    • forced-auth - 802.1x authentication is effectively disabled for this port. All received frames are forwarded.
    • forced-unauth - 802.1x authentication is effectively disabled on the port. If 802.1x is the only authentication method on the port, all frames are dropped.
  Command: set dot1x auth-config authcontrolled-portcontrol {auto | forced-auth | forced-unauth}

  Note: Before enabling 802.1x authentication on the switch, you must set the authentication mode of ports that will not be participating in 802.1x authentication to forced-auth to ensure that frames will be forwarded on these ports. Examples of this kind of port are connections between switches and connections between a switch and a router.

  See the S-, K-, and 7100 Series CLI Reference Guide for a listing of parameter options that come with this command.

Step 2
  Task: Display the access entity index values. Ports used to authenticate and authorize supplicants utilize access entities that maintain entity state, counters, and statistics for an individual supplicant. You need to know the index value associated with a single entity to enable, disable, initialize, or reauthenticate a single entity.
  Command: show dot1x auth-session-stats

Step 3
  Task: Enable IEEE 802.1x globally on the switch. Ports default to enabled.
  Command: set dot1x {enable | disable} [port-string] [index index-list]

Step 4
  Task: An access entity can deactivate because the supplicant logged off or could not authenticate, or because the supplicant or associated policy settings are no longer valid. If necessary, reinitialize the specified entity.
  Command: set dot1x init [index index-list]

Step 5
  Task: If the authentication for a supplicant times out or is lost for any reason, you can reauthenticate that supplicant. If necessary, reauthenticate the specified entity.
  Command: set dot1x reauth [index index-list]

Step 6
  Task: Optionally, globally disable 802.1x agent accounting.
  Command: set dot1x accounting {enable | disable}

Step 7
  Task: Display IEEE 802.1x configuration.
  Command: show dot1x auth-config
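
One way to check a planned change against the note in step 1 before applying it, as an added example that is not part of the original guide: the script walks a command list in order and reports every point at which 802.1x is globally enabled while a switch-to-switch or switch-to-router port is not forced-auth. Assumptions: the port-string is the trailing argument of the auth-config command, a command without a port-string applies to all ports, and the function name, port names and both plans are constructed for illustration.

```python
import re

# Assumption: the optional port-string is the last argument; the page
# shows only the mode keywords for this command.
MODE_RE = re.compile(r"^set dot1x auth-config authcontrolled-portcontrol "
                     r"(auto|forced-auth|forced-unauth)(?: (\S+))?$")

def check_plan(commands, infra_ports):
    """Return (line_no, port, mode) for each point where 802.1x is globally
    enabled and an infrastructure port is not forced-auth.
    Port-strings are matched literally; ranges are not expanded."""
    mode, default, enabled, findings = {}, None, False, []
    for n, raw in enumerate(commands, 1):
        line = " ".join(raw.split())        # normalise whitespace
        m = MODE_RE.match(line)
        if m:
            new_mode, port = m.groups()
            if port is None:                # assumed: applies to all ports
                mode, default, touched = {}, new_mode, list(infra_ports)
            else:
                mode[port] = new_mode
                touched = [port]
        elif line == "set dot1x enable":    # global enable (step 3)
            enabled, touched = True, list(infra_ports)
        elif line == "set dot1x disable":
            enabled, touched = False, []
        else:
            continue                        # show commands and anything else
        if enabled:
            for p in touched:
                current = mode.get(p, default)
                if p in infra_ports and current != "forced-auth":
                    findings.append((n, p, current or "unset"))
    return findings

# Constructed sample data: ge.1.48 stands for an inter-switch link.
INFRA = ["ge.1.48"]
PREFIX = "set dot1x auth-config authcontrolled-portcontrol "
BAD_PLAN = [PREFIX + "auto ge.1.1",
            "set dot1x enable",
            PREFIX + "forced-auth ge.1.48"]
GOOD_PLAN = [PREFIX + "forced-auth ge.1.48",
             PREFIX + "auto ge.1.1",
             "set dot1x enable",
             "show dot1x auth-config"]

if __name__ == "__main__":
    for name, plan in (("bad", BAD_PLAN), ("good", GOOD_PLAN)):
        print(name, check_plan(plan, INFRA))
```

A mode that was never set in the plan is reported as "unset" rather than guessed, so compare such findings with the output of show dot1x auth-config on the switch.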