Configure EAP on a Port

About this task

Configure EAP or change the authentication status on one or more ports.

Ports are force-authorized by default. Force-authorized ports are always authorized and are not authenticated by the RADIUS server. You can change this setting so that the ports are always unauthorized.

Procedure

In the Device Physical View tab, select the port you need to configure.
In the navigation pane, expand Configuration > Edit > Port.
Select General.
Select the EAPOL tab.
Optional: Select the AllowNonEapHost check box to enable hosts that do not participate in 802.1X authentication to get network access.
Select the Status option as auto or forceAuthorized.
In the MultiHostMaxClients field, type the maximum limit of allowed EAP and NEAP clients supported on this port.
In the GuestVlanId field, type the VLAN ID to be used as a Guest VLAN ID.

This step does not apply to VSP 8600 Series or XA1400 Series.
In the FailOpenVlanId field, type the Fail Open VLAN ID.

This step does not apply to VSP 8600 Series or XA1400 Series.
In the NonEapMaxClients field, type the maximum number NEAP authentication MAC addresses allowed on this port.
In the EapMaxClients field, type the maximum number of EAP authentication MAC addresses allowed on this port.
Select the MultiHostSingleAuthEnabled check box to automatically authenticate NEAP MAC addresses on this port.
In the PortGuestIsid field, type the I-SID to be used as a Guest I-SID.

This step does not apply to VSP 8600 Series or XA1400 Series.
In the FailOpenIsid field, type the Fail Open I-SID.

This step does not apply to VSP 8600 Series or XA1400 Series.
Select the AdminTrafficControl option as inOut or in.
Optional: Select the LldpAuthEnabled check box to enable LLDP authentication for network access.

This step does not apply to VSP 4450 Series, VSP 8600 Series, or XA1400 Series.
Select the ReAuthEnabled field.
In the QuietPeriod field, type the time interval.
In the ReauthPeriod field, type the time between reauthentication.
In the RetryMax field, type the number of times.
Select Apply.

EAPoL Field Descriptions

Use the data in the following table to use the EAPoL tab.


Name	Description
PortCapabilities	Displays the capabilities of the Port Access Entity (PAE) associated with the port. This parameter indicates whether Authenticator functionality, supplicant functionality, both, or neither, is supported by the PAE of the port. The following capabilities are supported by the PAE of the port: authImplemented: A Port Access Controller Protocol (PACP) Extensible Authentication Protocol (EAP) authenticator functions are implemented. virtualPortsImplemented: Virtual Port functions are implemented.
PortVirtualPortsEnable	Displays the status of the Virtual Ports function for the real port as True or False.
PortCurrentVirtualPorts	Displays the current number of virtual ports running in the port
PortAuthenticatorEnable	Displays the status of the Authenticator function in the Port Access Entity (PAE) as True or False.
PortSupplicantEnable	Displays the Supplicant function in the Port Access Entity (PAE) as True or False.
AllowNonEapHost	Enables network access to hosts that do not participate in 802.1X authentication. The default is disabled.
Status	Configures the authentication status for this port. The default is forceAuthorized. auto: enables the EAP authentication process by sending the EAP request messages to the RADIUS server. forceAuthorized: disables the EAP authentication and puts the port into force-full authorized mode.
MultiHostMaxClients	Specifies the value representing the maximum number of supplicants allowed to get authenticated on the port.
GuestVlanId	Specifies the VLAN to be used as a Guest VLAN. Access to unauthenticated hosts connected to this port is provided through this VLAN. 0 indicates that Guest VLAN is not enabled for this port.
FailOpenVlanId	Specifies the Fail Open VLAN ID for this port. If the switch declares the RADIUS servers unreachable, then all new devices are allowed access into the configured Fail Open VLAN. 0 indicates that Fail Open VLAN is not enabled for this port.
NonEapMaxClients	Specifies the maximum number of NEAP authentication MAC addresses allowed on this port. Zero indicates that NEAP authentication is disabled for this port.
EAPMaxClients	Specifies the maximum number of EAP authentication MAC addresses allowed on this port. Zero indicates that EAP authentication is disabled for this port
MultiHostSingleAuthEnabled	Indicates that the unauthenticated devices can access the network only after an EAP or NEAP client is successfully authenticated on the port. The VLAN to which the devices are allowed access is the authenticated client's VLAN. The default is false.
PortGuestIsid Note: Exception: Not supported on VSP 8600 Series or XA1400 Series.	Specifies the I-SID to be used as a Guest I-SID. Access to unauthenticated hosts connected to this port is provided through this I-SID. 0 indicates that Guest I-SID is not enabled for this port.
FailOpenIsid Note: Exception: Not supported on VSP 8600 Series or XA1400 Series.	Specifies the Fail Open I-SID for this port. If the switch declares the RADIUS servers unreachable, then all new devices are allowed access into the configured Fail Open I-SID. 0 indicates that Fail Open I-SID is not enabled for this port.
FlexUniStatus Note: Exception: Not supported on VSP 4450 Series, VSP 8600 Series, or XA1400 Series.	Displays the current Flex-UNI status for this port.
AdminTrafficControl Note: Exception: Not supported on VSP 8600 Series or XA1400 Series.	Configures the Administrative Traffic Control. The default is inOut. inOut: enables the Admin Traffic Control for input and output traffic. in: enables the Admin Traffic Control for input traffic only.
OperTrafficControl Note: Exception: Not supported on VSP 8600 Series or XA1400 Series.	Displays the current Operational Traffic Control status.
LldpAuthEnabled Note: Exception: Not supported on VSP 4450 Series, VSP 8600 Series, or XA1400 Series.	Enables LLDP authentication for this port. The default is disabled.
PortOrigin Note: Exception: not supported on VSP 8600 Series and XA1400 Series.	Specifies the source of EAP configuration on the port: config - through CLI or EDM autoSense - through Zero Touch Fabric Configuration
DynamicMHSAEnabled Note: Exception: Not supported on VSP 4450 Series, VSP 8600 Series, or XA1400 Series.	Displays the Dynamic MHSA configuration status.
ReauthOrigin Note: Exception: not supported on VSP 8600 Series and XA1400 Series.	Specifies the origin of EAPOL reauthentication configuration on the port, either manually configured through CLI or dynamically configured through RADIUS.
ReauthPeriodOrigin Note: Exception: not supported on VSP 8600 Series and XA1400 Series.	Specifies the origin of EAPOL reauthentication period configuration on the port, either manually configured through CLI or dynamically configured through RADIUS.
TrafficControlOrigin	Specifies the origin of Traffic Control configuration on the port. The supported values are: config - Traffic Control is enabled by the user. radius - Traffic Control is enabled by Extensible Authentication Protocol (EAP) through Remote Authentication Dial-In User Service (RADIUS) response.
Authenticator configuration	Displays the current Authenticator Port Access Entity (PAE) state. The states are: authenticate authenticated Failed
ReAuthEnabled	Reauthenticates an existing supplicant at the time interval specified in ReAuthPeriod. The default is disabled.
QuietPeriod	Configures the time interval (in seconds) between authentication failure and the start of a new authentication.
ReAuthPeriod	Reauthenticates an existing supplicant at the time interval specified in ReAuthPeriod. Configures the time interval (in seconds) between successive reauthentications. The default is 3600 (1 hour).
RetryMax	Specifies the maximum Extensible Authentication Protocol (EAP) requests sent to the supplicant before timing out the session. The default is 2.
RetryCount	Specifies the maximum number of retries attempted.