Configure EAP on a Port
About this task
Configure EAP or change the authentication status on one or more ports.
Ports are force-authorized by default. Force-authorized ports are always authorized and are not authenticated by the RADIUS server. You can change this setting so that the ports are always unauthorized.
Procedure
- In the Device Physical View tab, select the port you need to configure.
- In the navigation pane, expand .
- Select General.
- Select the EAPOL tab.
- Optional: Select the AllowNonEapHost check box to enable hosts that do not participate in 802.1X authentication to get network access.
- Select the Status option as auto or forceAuthorized.
- In the MultiHostMaxClients field, type the maximum limit of allowed EAP and NEAP clients supported on this port.
- In the GuestVlanId field, type the VLAN ID to be used as a Guest VLAN ID.
- In the FailOpenVlanId field, type the Fail Open VLAN ID.
- In the NonEapMaxClients field, type the maximum number NEAP authentication MAC addresses allowed on this port.
- In the EapMaxClients field, type the maximum number of EAP authentication MAC addresses allowed on this port.
- Select the MultiHostSingleAuthEnabled check box to automatically authenticate NEAP MAC addresses on this port.
- In the PortGuestIsid field, type the I-SID to be used as a Guest I-SID.
- In the FailOpenIsid field, type the Fail Open I-SID.
- Select the AdminTrafficControl option as inOut or in.
- Optional: Select the LldpAuthEnabled check box to enable LLDP authentication for network access.
- Select the ReAuthEnabled field.
- In the QuietPeriod field, type the time interval.
- In the ReauthPeriod field, type the time between reauthentication.
- In the RetryMax field, type the number of times.
- Select Apply.
EAPoL Field Descriptions
Use the data in the following table to use the EAPoL tab.
Name |
Description |
---|---|
PortCapabilities |
Displays the capabilities of the Port Access Entity (PAE) associated with the port. This parameter indicates whether Authenticator functionality, supplicant functionality, both, or neither, is supported by the PAE of the port. The following capabilities are supported by the PAE of the port:
|
PortVirtualPortsEnable |
Displays the status of the Virtual Ports function for the real port as True or False. |
PortCurrentVirtualPorts |
Displays the current number of virtual ports running in the port |
PortAuthenticatorEnable |
Displays the status of the Authenticator function in the Port Access Entity (PAE) as True or False. |
PortSupplicantEnable |
Displays the Supplicant function in the Port Access Entity (PAE) as True or False. |
AllowNonEapHost |
Enables network access to hosts that do not participate in 802.1X authentication. The default is disabled. |
Status |
Configures the authentication status for this port. The default is forceAuthorized.
|
MultiHostMaxClients |
Specifies the value representing the maximum number of supplicants allowed to get authenticated on the port. |
GuestVlanId |
Specifies the VLAN to be used as a Guest VLAN. Access to unauthenticated hosts connected to this port is provided through this VLAN. 0 indicates that Guest VLAN is not enabled for this port. |
FailOpenVlanId |
Specifies the Fail Open VLAN ID for this port. If the switch declares the RADIUS servers unreachable, then all new devices are allowed access into the configured Fail Open VLAN. 0 indicates that Fail Open VLAN is not enabled for this port. |
NonEapMaxClients |
Specifies the maximum number of NEAP authentication MAC addresses allowed on this port. Zero indicates that NEAP authentication is disabled for this port. |
EAPMaxClients |
Specifies the maximum number of EAP authentication MAC addresses allowed on this port. Zero indicates that EAP authentication is disabled for this port |
MultiHostSingleAuthEnabled |
Indicates that the unauthenticated devices can access the network only after an EAP or NEAP client is successfully authenticated on the port. The VLAN to which the devices are allowed access is the authenticated client's VLAN. The default is false. |
PortGuestIsid | Specifies the I-SID to be used as a Guest I-SID. Access to unauthenticated hosts connected to this port is provided through this I-SID. 0 indicates that Guest I-SID is not enabled for this port. |
FailOpenIsid |
Specifies the Fail Open I-SID for this port. If the switch declares the RADIUS servers unreachable, then all new devices are allowed access into the configured Fail Open I-SID. 0 indicates that Fail Open I-SID is not enabled for this port. |
FlexUniStatus | Displays the current Flex-UNI status for this port. |
AdminTrafficControl |
Configures the Administrative Traffic Control. The default is
inOut.
|
OperTrafficControl | Displays the current Operational Traffic Control status. |
LldpAuthEnabled | Enables LLDP authentication for this port. The default is disabled. |
PortOrigin |
Specifies the source of EAP configuration on the port:
|
DynamicMHSAEnabled | Displays the Dynamic MHSA configuration status. |
ReauthOrigin |
Specifies the origin of EAPOL reauthentication configuration on the port, either manually configured through CLI or dynamically configured through RADIUS. |
ReauthPeriodOrigin |
Specifies the origin of EAPOL reauthentication period configuration on the port, either manually configured through CLI or dynamically configured through RADIUS. |
TrafficControlOrigin |
Specifies the origin of Traffic Control configuration on the port. The supported values are:
|
Authenticator configuration |
Displays the current Authenticator Port Access Entity (PAE) state. The states are:
|
ReAuthEnabled |
Reauthenticates an existing supplicant at the time interval specified in ReAuthPeriod. The default is disabled. |
QuietPeriod |
Configures the time interval (in seconds) between authentication failure and the start of a new authentication. |
ReAuthPeriod |
Reauthenticates an existing supplicant at the time interval specified in ReAuthPeriod. Configures the time interval (in seconds) between successive reauthentications. The default is 3600 (1 hour). |
RetryMax |
Specifies the maximum Extensible Authentication Protocol (EAP) requests sent to the supplicant before timing out the session. The default is 2. |
RetryCount |
Specifies the maximum number of retries attempted. |