Configure EAP on an Extreme Integrated Application Hosting Port

About this task

Perform this procedure to configure EAP or change the authentication status on Extreme Integrated Application Hosting (IAH) ports. IAH ports are force-authorized by default and are not authenticated by the RADIUS server. You can change this setting so that the IAH ports stay unauthorized.

Procedure

  1. In the navigation pane, expand Configuration > Edit > Insight Port.
  2. Select the IAH port you want to configure.
  3. Select the EAPOL tab.
  4. Optional: Select AllowNonEapHost.
  5. In the Status field, select the required option.
  6. In the MultiHostMaxClients field, enter a value.
  7. In the GuestVlanId field, enter a VLAN ID.
  8. In the FailOpenVlanId field, enter a VLAN ID.
  9. In the NonEapMaxClients field, enter a value.
  10. In the EapMaxClients field, enter a value.
  11. Select MultiHostSingleAuthEnabled.
  12. In the PortGuestIsid field, type the I-SID to be used as a Guest I-SID.
  13. In the FailOpenIsid field, type the Fail Open I-SID.
  14. Select the AdminTrafficControl option as inOut or in.
  15. Select the LldpAuthEnabled check box to enable LLDP authentication for network access.
  16. Select ReAuthEnabled.
  17. In the QuietPeriod field, enter a time interval.
  18. In the ReAuthPeriod field, enter a time interval.
  19. In the RetryMax field, type a value.
  20. Select Apply.

EAPOL Field Descriptions

Use data in the following table to use the EAPOL tab.

Name

Description

PortCapabilities

Shows the capabilities of the Port Access Entity (PAE) associated with the Extreme Integrated Application Hosting (IAH) port. This parameter indicates whether Authenticator functionality, supplicant functionality, both, or neither, is supported by the PAE of the IAH port.

The following capabilities are supported by the PAE of the IAH port:

  • authImplemented: A Port Access Controller Protocol (PACP) Extensible Authentication Protocol (EAP) authenticator functions are implemented.

  • virtualPortsImplemented: Virtual Port functions are implemented.

PortVirtualPortsEnable

Shows the status of the Virtual Ports function for the IAH port.

PortCurrentVirtualPorts

Shows the current number of virtual ports running on the IAH port.

PortAuthenticatorEnable

Shows the status of the Authenticator function in the PAE.

PortSupplicantEnable

Shows the Supplicant function in the PAE.

AllowNonEapHost

Enables network access to hosts that do not participate in 802.1X authentication. The default is disabled.

Status

Specifies the authentication status for the IAH port.

  • auto - enables EAP authentication process by sending the EAP request messages to the RADIUS server.

  • forceAuthorized - disables EAP authentication and puts the IAH port into force-full authorized mode.

The default is forceAuthorized.

MultiHostMaxClients

Specifies the maximum number of supplicants authenticated on the IAH port.

GuestVlanId

Specifies the VLAN ID to be used as a Guest. Access to unauthenticated hosts connected to the IAH port is provided through this VLAN. 0 indicates that Guest VLAN is not enabled.

FailOpenVlanId

Specifies the Fail Open VLAN ID for the specific IAH port. If RADIUS server is not reachable on the switch, then all new devices are allowed access to the configured Fail Open VLAN ID. 0 indicates that Fail Open VLAN ID is not enabled.

NonEapMaxClients

Specifies the maximum number of NEAP authentication MAC addresses allowed on the specific IAH port. 0 indicates that NEAP authentication is disabled.

EAPMaxClients

Specifies the maximum number of EAP authentication MAC addresses allowed on the specific IAH port. 0 indicates that EAP authentication is disabled.

MultiHostSingleAuthEnabled

Enables the functionality for network access to the unauthenticated devices only after an EAP or NEAP client is successfully authenticated on the IAH port. The VLAN ID to which the devices are allowed access is the authenticated client's VLAN. The default is disabled.

PortGuestIsid

Specifies the I-SID to be used as a Guest I-SID. Access to unauthenticated hosts connected to the IAH port is provided through this I-SID. 0 indicates that Guest I-SID is not enabled for this port.

FailOpenIsid

Specifies the Fail Open I-SID for the IAH port. If the switch declares the RADIUS servers unreachable, then all new devices are allowed access into the configured Fail Open I-SID. 0 indicates that Fail Open I-SID is not enabled for this port.

FlexUniStatus

Displays the current Flex-UNI status for this IAH port.

AdminTrafficControl

Configures the Administrative Traffic Control. The default is inOut.
  • inOut: enables the Admin Traffic Control for input and output traffic.

  • in: enables the Admin Traffic Control for input traffic only.

OperTrafficControl

Displays the current Operational Traffic Control status.

LldpAuthEnabled

Enables LLDP authentication for this IAH port. The default is disabled.

PortOrigin

Specifies the source of EAP configuration on the IAH port:

  • config - through CLI or EDM

  • autoSense - through Zero Touch Fabric Configuration

DynamicMHSAEnabled

Displays the Dynamic MHSA configuration status.

TrafficControlOrigin

Indicates the origin of Traffic Control configuration on the port. The supported values are:

  • config - Traffic Control is enabled by the user.

  • radius - Traffic Control is enabled by Extensible Authentication Protocol (EAP) through Remote Authentication Dail-In User Service (RADIUS) response.

Authenticate

Shows the current Authenticator Port Access Entity (PAE) authenticate status.

Authenticated

Shows the current Authenticator Port Access Entity (PAE) authenticated status.

Failed

Shows the current Authenticator Port Access Entity (PAE) failure status.

ReAuthEnabled

Enables reauthentication of an existing supplicant based on the specified reauthentication time interval. The default is disabled.

QuietPeriod

Specifies the time interval (in seconds) between authentication failure and start of authentication.

ReauthPeriod

Specifies the time interval (in seconds) between successive reauthentications. The default is 3600 (1 hour).

RetryMax

Specifies the maximum Extensible Authentication Protocol (EAP) requests sent to the supplicant before timing out the session. The default is 2.

RetryCount

Specifies the maximum number of retries attempted.