dot1x

Profile Config Commands

Configures 802.1x standard authentication controls

Dot1x (or 802.1x) is an IEEE standard for network authentication. It enables media-level (layer 2) access control, providing the capability to permit or deny connectivity based on user or device identity. Dot1x allows port-based access using authentication. An dot1x enabled port can be dynamically enabled or disabled depending on user identity or device connection.

Devices supporting dot1x allow the automatic provision and connection to the wireless network without launching a Web browser at login. When within range of a dot1x network, a device automatically connects and authenticates without needing to manually login.

Before authentication, the endpoint is unknown, and traffic is blocked. Upon authentication, the endpoint is known and traffic is allowed. The controller or service platform uses source MAC filtering to ensure only the authenticated endpoint is allowed to send traffic.

Dot1x authentication capabilities is supported on the following platforms:

Supported on the following devices:

Dot1x supplicant capabilities is supported on the following platforms:

Supported on the following devices:

Syntax

dot1x [guest-vlan|holdtime|system-auth-control|use]
dot1x holdtime <0-600>
dot1x system-auth-control
dot1x guest-vlan supplicant
dot1x use aaa-policy <AAA-POLICY-NAME>

Parameters

dot1x system-auth-control
system-auth-control Enables system auth control. Enables dot1x authorization globally for the controller. This feature is disabled by default.
dot1X holdtime <0-600>
holdtime <0-600> Configures a holdtime value. This is the interval after which an authentication attempt is ignored or failed.
  • <0-600> – Specify a value from 0 - 600 seconds. A value of ‘0‘ indicates no holdtime. The default is 600 seconds or 10 minutes.

Adding a hold time at startup allows time for the network to converge before receiving or transmitting 802.1x authentication packets.

dot1x guest-vlan supplicant
guest-vlan Configures guest VLAN and supplicant behavior. This feature is disabled by default.
supplicant Allows 802.1x capable supplicant to enter guest VLAN. When enabled, this is the VLAN that supplicant‘s traffic is bridged on.
dot1x use aaa-policy <AAA-POLICY-NAME>
use aaa-policy <AAA-POLICY-NAME> Associates a specified 802.1x AAA policy (for MAC authentication) with this access point profile
  • <AAA-POLICY-NAME> – Specify the AAA policy name. Once specified, this AAA policy is utilized for authenticating user requests.

Example

nx9500-6C8809(config-profile-test-nx5500)#dot1x use aaa-policy OnBoarding

nx9500-6C8809(config-profile-test-nx5500)#dot1x system-auth-control

nx9500-6C8809(config-profile-test-nx5500)#show context
profile nx5500 test-nx5500
 no autoinstall configuration
 no autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto load-management
 crypto remote-vpn-client
 interface ge1
 interface ge2
 interface ge3
 interface ge4
 interface ge5
 interface ge6
 interface pppoe1
 use firewall-policy default
 service pm sys-restart
 router ospf
 router bgp
 dot1x system-auth-control
 dot1x use aaa-policy OnBoarding
nx9500-6C8809(config-profile-test-nx5500)#

Related Commands

no Disables or reverts settings to their default