Configure EAP on a Port

About this task

Configure EAP or change the authentication status on one or more ports.

Ports are force-authorized by default. Force-authorized ports are always authorized and are not authenticated by the RADIUS server. You can change this setting so that the ports are always unauthorized.

Procedure

  1. In the Device Physical View tab, select the port you need to configure.
  2. In the navigation pane, expand Configuration > Edit > Port.
  3. Select General.
  4. Select the EAPOL tab.
  5. Optional: Select AllowNonEapHost to enable hosts that do not participate in 802.1X authentication to get network access.
  6. Select the Status option as auto or forceAuthorized.
  7. In MultiHostMaxClients, type the maximum limit of allowed EAP and NEAP clients supported on this port.
  8. In GuestVlanId, type the VLAN ID to be used as a Guest VLAN ID.
  9. In FailOpenVlanId, type the Fail Open VLAN ID.
  10. In NonEapMaxClients, type the maximum number NEAP authentication MAC addresses allowed on this port.
  11. In EapMaxClients, type the maximum number of EAP authentication MAC addresses allowed on this port.
  12. Select MultiHostSingleAuthEnabled to automatically authenticate NEAP MAC addresses on this port.
  13. In PortGuestIsid, type the I-SID to be used as a Guest I-SID.
  14. In FailOpenIsid, type the Fail Open I-SID.
  15. Select the AdminTrafficControl option as inOut or in.
  16. Optional: Select LldpAuthEnabled to enable LLDP authentication for network access.
  17. Select ReAuthEnabled.
  18. In QuietPeriod, type the time interval.
  19. In ReauthPeriod, type the time between re-authentication.
  20. In RetryMax, type the number of times.
  21. Select Apply.

EAPoL Field Descriptions

Use the data in the following table to use the EAPoL tab.

Name

Description

PortCapabilities

Displays the capabilities of the Port Access Entity (PAE) associated with the port. This parameter indicates whether Authenticator functionality, supplicant functionality, both, or neither, is supported by the PAE of the port.

The following capabilities are supported by the PAE of the port:

  • authImplemented: A Port Access Controller Protocol (PACP) Extensible Authentication Protocol (EAP) authenticator functions are implemented.

  • virtualPortsImplemented: Virtual Port functions are implemented.

PortVirtualPortsEnable

Displays the status of the Virtual Ports function for the real port as True or False.

PortCurrentVirtualPorts

Displays the current number of virtual ports running in the port

PortAuthenticatorEnable

Displays the status of the Authenticator function in the Port Access Entity (PAE) as True or False.

PortSupplicantEnable

Displays the Supplicant function in the Port Access Entity (PAE) as True or False.

AllowNonEapHost

Enables network access to hosts that do not participate in 802.1X authentication. The default is disabled.

Status

Configures the authentication status for this port. The default is forceAuthorized.

  • auto: enables the EAP authentication process by sending the EAP request messages to the RADIUS server.

  • forceAuthorized: disables the EAP authentication and puts the port into force-full authorized mode.

MultiHostMaxClients

Specifies the value representing the maximum number of supplicants allowed to get authenticated on the port.

GuestVlanId

Specifies the VLAN to be used as a Guest VLAN. Access to unauthenticated hosts connected to this port is provided through this VLAN. 0 indicates that Guest VLAN is not enabled for this port.

FailOpenVlanId

Specifies the Fail Open VLAN ID for this port. If the switch declares the RADIUS servers unreachable, then all new devices are allowed access into the configured Fail Open VLAN. 0 indicates that Fail Open VLAN is not enabled for this port.

NonEapMaxClients

Specifies the maximum number of NEAP authentication MAC addresses allowed on this port. Zero indicates that NEAP authentication is disabled for this port.

EAPMaxClients

Specifies the maximum number of EAP authentication MAC addresses allowed on this port. Zero indicates that EAP authentication is disabled for this port

MultiHostSingleAuthEnabled

Indicates that the unauthenticated devices can access the network only after an EAP or NEAP client is successfully authenticated on the port. The VLAN to which the devices are allowed access is the authenticated client's VLAN. The default is false.
PortGuestIsid Specifies the I-SID to be used as a Guest I-SID. Access to unauthenticated hosts connected to this port is provided through this I-SID. 0 indicates that Guest I-SID is not enabled for this port.
FailOpenIsid

Specifies the Fail Open I-SID for this port. If the switch declares the RADIUS servers unreachable, then all new devices are allowed access into the configured Fail Open I-SID. 0 indicates that Fail Open I-SID is not enabled for this port.
FlexUniStatus Displays the current Flex-UNI status for this port.
AdminTrafficControl
Configures the Administrative Traffic Control. The default is inOut.

  • inOut: enables the Admin Traffic Control for input and output traffic.

  • in: enables the Admin Traffic Control for input traffic only.

OperTrafficControl Displays the current Operational Traffic Control status.
LldpAuthEnabled Enables LLDP authentication for this port. The default is disabled.

PortOrigin

Specifies the source of EAP configuration on the port:

  • config - through CLI or EDM

  • autoSense - through Zero Touch Fabric Configuration
DynamicMHSAEnabled Displays the Dynamic MHSA configuration status.

ReauthOrigin

Specifies the origin of EAPOL reauthentication configuration on the port, either manually configured through CLI or dynamically configured through RADIUS.

ReauthPeriodOrigin

Specifies the origin of EAPOL reauthentication period configuration on the port, either manually configured through CLI or dynamically configured through RADIUS.

TrafficControlOrigin

Specifies the origin of Traffic Control configuration on the port. The supported values are:

  • config - Traffic Control is enabled by the user.

  • radius - Traffic Control is enabled by Extensible Authentication Protocol (EAP) through Remote Authentication Dial-In User Service (RADIUS) response.

Authenticator configuration

Displays the current Authenticator Port Access Entity (PAE) state.

The states are:

  • authenticate

  • authenticated

  • Failed

ReAuthEnabled

Reauthenticates an existing supplicant at the time interval specified in ReAuthPeriod. The default is disabled.

QuietPeriod

Configures the time interval (in seconds) between authentication failure and the start of a new authentication.

ReAuthPeriod

Specifies the time interval, in seconds, between successive authentication. Configure the value to 0 to prevent EAP or NEAP sessions from aging out.

Caution: Preventing re-authentication can introduce a security risk.

The default is 3600 (1 hour).

RetryMax

Specifies the maximum Extensible Authentication Protocol (EAP) requests sent to the supplicant before timing out the session. The default is 2.

RetryCount

Specifies the maximum number of retries attempted.
9039040-00 Rev AB