dot1x (authenticator)

Configures 802.1X authenticator settings

Dot1x (or 802.1x) is an IEEE standard for network authentication. It enables media-level (layer 2) access control, providing the capability to permit or deny connectivity based on user or device identity. Dot1x allows port-based access using authentication. An dot1x enabled port can be dynamically enabled or disabled depending on user identity or device connection.

Devices supporting dot1x allow the automatic provision and connection to the wireless network without launching a Web browser at login. When within range of a dot1x network, a device automatically connects and authenticates without needing to manually login.

Before authentication, the endpoint is unknown, and traffic is blocked. Upon authentication, the endpoint is known and traffic is allowed. The controller or service platform uses source MAC filtering to ensure only the authenticated endpoint is allowed to send traffic.

Supported in the following platforms

Access Points — AP410i/e, AP460i/e, AP505i, AP510i/e, AP560i/h
Wireless Controllers — NX5500, NX7500

Syntax

dot1x authenticator [guest-vlan|host-mode|max-reauth-req|port-control|reauthenticate|timeout]

dot1x authenticator [guest-vlan <1-4094>|host-mode [multi-host|single-host]|max-reauth-req <1-10>|
port-control [auto|force-authorized|force-unauthorized]|reauthenticate|timeout [quiet-period|reauth-period] 
<1-65535>]

Note

The dot1x (802.1x) supplicant settings are documented in the next section.

Parameters

dot1x authenticator [guest-vlan <1-4094>|host-mode [multi-host|single-host]|
max-reauth-req <1-10>|port-control [auto|force-authorized|force-unauthorized]|
reauthenticate|timeout [quiet-period|reauth-period]]


dot1x authenticator	Configures 802.1x authenticator settings
guest-vlan <1-4094>	Configures the guest VLAN for this interface. This is the VLAN, traffic is bridged on if this port is unauthorized and the guest VLAN is globally enabled. Select the VLAN index from 1 - 4094.
host-mode [multi-host\| single-host]	Configures the host mode for this interface multi-host – Configures multiple host mode single-host – Configures single host mode. This is the default setting.
max-reauth-req <1-10>	Configures maximum number of re-authorization retries for the supplicant. This is the maximum number of re-authentication attempts made before this port is moved to unauthorized. <1-10> – Specify a value from 1 -10. The default is 2.
port-control [auto\| force-authorized\| force-unauthorized]	Configures port control state auto – Configures auto port state force-authorized – Configures authorized port state. This is the default setting. force-unauthorized – Configures unauthorized port state
reauthenticate	Enables re-authentication for this port. When enabled, clients are forced to re-authenticate on this port. The setting is disabled by default. Therefore, clients are not required to re-authenticate for connection over this port until this setting is enabled.
timeout [quiet-period\|reauth-period] <1-65535>	Configures timeout settings for this interface quiet-period – Configures the quiet period timeout in seconds. This is the interval, in seconds, between successive client authentication attempts. reauth-period – Configures the time after which re-authentication is initiated The following option is common to ‘quiet-period‘ and ‘reauth-period‘ keywords: <1-65535> – Specify a ‘quiet-period‘ or ‘reauth-period‘ from 1 - 65535 seconds.

Example

nx9500-6C8809(config-profile-testNX5500-if-ge1)#dot1x authenticator guest-vlan 2

nx9500-6C8809(config-profile-testNX5500-if-ge1)#dot1x authenticator host-mode multi-host

nx9500-6C8809(config-profile-testNX5500-if-ge1))#dot1x authenticator max-reauth-req 6

nx9500-6C8809(config-profile-testNX5500-if-ge1)#dot1x authenticator reauthenticate

nx9500-6C8809(config-profile-testNX5500-if-ge1)#show context
 interface ge1
  dot1x authenticator host-mode multi-host
  dot1x authenticator guest-vlan 2
  dot1x authenticator reauthenticate
  dot1x authenticator max-reauth-count 6
  ip dhcp trust
  qos trust dscp
  qos trust 802.1p
nx9500-6C8809(config-profile-testNX5500-if-ge1)#

The following examples show the configurations made on an NX5500 to enable it as a dot1X authenticator:

Configure AAA policy on the authenticator, and identify the authentication server as onboard (self):
```
NX5500-229D58(config-aaa-policy-aaa-wireddot1x)#show context
aaa-policy aaa-wireddot1x
authentication server 1 onboard controller
NX5500-229D58(config-aaa-policy-aaa-wireddot1x)#
```
This AAA policy is used in the authenticator‘s self configuration mode as shown in the last step.
Configure RADIUS user policy on the authenticator:
```
nx5500-229D58(config-radius-user-pool-wired-dot1x-users)#show con
radius-user-pool-policy wired-dot1x-users
user bob password 0 bob1234
nx5500-229D58(config-radius-user-pool-wired-dot1x-users)#
```
The user name and password configured here should match that of the supplicant. For more information, see the examples provided in the dot1x (supplicant) section.

Configure RADIUS server policy on the authenticator, and associate the RADIUS user policy created in the previous step:

nx5500-229D58(config-radius-server-policy-for-wired-dot1x)#show con
radius-server-policy for-wired-dot1x
use radius-user-pool-policy wired-dot1x-users
nx5500-229D58(config-radius-server-policy-for-wired-dot1x)#

In the authenticator‘s self configuration mode, associate the RADIUS server policy, created in the previous step, and configure other parameters (in bold) as shown in the following example:
```
nx5500-229D58(config-device-00-15-29-22-9D-58)#use radius-server-policy for-wired-dot1x
```

In the authenticator‘s interface > ge configuration mode, configure the following parameters:

nx5500-229D58(config-device-00-15-29-22-9D-58-if-ge2)#dot1x authenticator host-mode single-host

nx5500-229D58(config-device-00-15-29-22-9D-58-if-ge2)#dot1x authenticator port-control auto

In the authenticator‘s self configuration mode, configure the following parameters:

nx5500-229D58(config-device-00-15-29-22-9D-58)#dot1x system-auth-control

nx5500-229D58(config-device-00-15-29-22-9D-58)#dot1x use aaa-policy aaa-wireddot1x

Following example displays the above configured parameters:

nx5500-229D58(config-device-00-15-29-22-9D-58)#show context
use profile default-nx5500
use rf-domain default
hostname nx5500-229D58
 use radius-server-policy for-wired-dot1x
interface me1
  ip address 192.168.0.1/24
interface ge2
  dot1x authenticator host-mode single-host
  dot1x authenticator port-control auto
interface vlan1
  ip address dhcp
  ip dhcp client request options all
logging on
logging console debugging
dot1x system-auth-control
dot1x use aaa-policy aaa-wireddot1x
--More--
nx5500-229D58(config-device-00-15-29-22-9D-58)

Related Commands


no	Disables or reverts interface settings to their default