Chapter 13
802.1x Port Security

This section explains the basic concepts behind 802.1x port security, including switch roles, how the switches communicate, and the procedure used for authenticating clients.
• Section 13.1: 802.1x Port Security Introduction
• Section 13.2: 802.1x Port Security Description
• Section 13.3: Configuring 802.1x Port Security
• Section 13.4: Displaying 802.1x information
• Section 13.5: IEEE 802.1x Configuration Commands
13.1 802.1x Port Security Introduction

Port security controls who can send or receive traffic through an individual switch port. An end node is not allowed to send or receive traffic through a port until the node is authenticated by a RADIUS server.
This prevents unauthorized individuals from connecting to a switch port to access your network. Only users with valid accounts on a RADIUS server are allowed to use the switch to access the network.
13.2 802.1x Port Security Description
13.2.1 Switch Roles for 802.1x Configurations
The 802.1x standard specifies the roles of Supplicant (client), Authenticator, and Authentication Server in a network. Figure 13-1 illustrates these roles.
Authentication Server – The server that validates the client and specifies whether or not the client may access services on the switch. The switch supports Authentication Servers running RADIUS.
Authenticator – The switch that controls access to the network. In an 802.1x configuration, the switch serves as the Authenticator. As the Authenticator, it relays messages between the client and the Authentication Server. The Authenticator grants or denies network access to the client based on the identity data provided by the client and the authentication result provided by the Authentication Server.
Supplicant/Client – The client provides username and password data to the Authenticator. The Authenticator sends this data to the Authentication Server. Based on the supplicant's information, the Authentication Server determines whether the supplicant can use services provided by the Authenticator. The Authentication Server returns this decision to the Authenticator, which then provides services to the client based on the authentication result.
13.2.2 Authentication Process
The authentication that occurs between a supplicant, authenticator, and authentication server includes the following steps.
• Either the authenticator (a switch port) or the supplicant starts an authentication message exchange. The switch starts an exchange when it detects a change in the status of a port, or when it receives a packet on the port with a source MAC address that is not in the MAC address table.
Figure 13-1: Authenticator, Supplicant, and Authentication Server in an 802.1x configuration (figure not reproduced; it shows the Client/Supplicant, the Arista Switch as Authenticator, and the RADIUS Server as Authentication Server)
• An authenticator starts the negotiation by sending an EAP-Request/Identity packet. A supplicant starts the negotiation with an EAPOL-Start packet, to which the authenticator answers with an EAP-Request/Identity packet.
• The supplicant answers with an EAP-Response/Identity packet, which the authenticator relays to the authentication server.
• The authentication server responds with an EAP-Request packet to the supplicant via the authenticator.
• The supplicant responds with an EAP-Response.
• The authentication server transmits either an EAP-Success packet or an EAP-Reject packet to the supplicant.
• If the authentication server rejects the supplicant, the supplicant receives the EAP-Reject message and its traffic is not forwarded.
13.2.3 Communication Between the Switches
For communication between the switches, 802.1x port security uses the Extensible Authentication Protocol (EAP), defined in RFC 2284, and the RADIUS authentication protocol.
The 802.1x standard defines a method for encapsulating EAP messages so they can be sent over a LAN. This encapsulated form of EAP is known as EAP over LAN (EAPOL). The standard also specifies a means of transferring the EAPOL information between the client or Supplicant, the Authenticator, and the Authentication Server.
EAPOL messages are passed between the Supplicant's and Authenticator's Port Access Entity (PAE). Figure 13-2 shows the relationship between the Authenticator PAE and the Supplicant PAE.
Figure 13-2: Authenticator PAE and Supplicant PAE (figure not reproduced; it shows EAPOL Messages between the Supplicant PAE of the 802.1X-Enabled Supplicant and the Authenticator PAE of the Arista Switch, and RADIUS Messages between the Authenticator PAE and the Authentication Server)
Authenticator PAE – The Authenticator PAE communicates with the Supplicant PAE to receive the Supplicant's identifying information. Behaving as a RADIUS client, the Authenticator PAE passes the Supplicant's information to the Authentication Server, which decides whether to grant the Supplicant access. If the Supplicant passes authentication, the Authenticator PAE allows it access to the port.
Supplicant PAE – The Supplicant PAE provides information about the client to the Authenticator PAE and replies to requests from the Authenticator PAE. The Supplicant PAE may initiate the authentication procedure with the Authenticator PAE, as well as send logoff messages.
13.2.4 Controlled and Uncontrolled Ports
A physical port on the switch used with 802.1x has two virtual access points: a controlled port and an uncontrolled port. The controlled port grants full access to the network. The uncontrolled port only gives access for EAPOL traffic between the client and the Authentication Server. When a client is authenticated successfully, the controlled port is opened to the client.
The uncontrolled port on the Authenticator is the only one open before a client is authenticated. The uncontrolled port permits only EAPOL frames to be exchanged between the client and the Authentication Server. No traffic is allowed to pass through the controlled port in the unauthorized state.
During authentication, EAPOL messages are exchanged between the Supplicant PAE and the Authenticator PAE, and RADIUS messages are exchanged between the Authenticator PAE and the Authentication Server. If the client is successfully authenticated, the controlled port becomes authorized, and traffic from the client can flow through the port normally.
Figure 13-3: Ports before and after client authentication (figure not reproduced). Before authentication: the 802.1X-Enabled Supplicant's PAE talks to the Arista Switch (Authenticator) PAE through the Physical Port's Uncontrolled Port, while the Controlled Port is Unauthorized and Services are unreachable. After authentication: the same Authentication Server, switch and supplicant, with the Controlled Port Authorized and Services reachable.
All controlled ports on the switch are placed in the authorized state, allowing all traffic, by default. When authentication is initiated, the controlled port on the interface is initially set in the unauthorized state. If a client connected to the port is authenticated successfully, the controlled port is set in the authorized state.
13.2.5 Message Exchange During Authentication
Figure 13-4 illustrates an exchange of messages between an 802.1x-enabled client, a switch operating as Authenticator, and a RADIUS server operating as an Authentication Server.
Arista switches support MD5-Challenge, TLS, and any other EAP-encapsulated authentication types in EAP Request or Response messages. In other words, the switches are transparent to the authentication scheme used.
13.2.6 Authenticating Multiple Clients Connected to the Same Port
Arista switches support 802.1x authentication for ports with more than one client connected to them (multi-host mode). Figure 13-5 illustrates a sample configuration where multiple clients are connected to a single 802.1x port.
When multiple clients are connected to a single 802.1x-enabled port, the port starts receiving packets from multiple clients. The port authenticates the packets received from one client; packets received from the other clients are dropped until that client is authenticated. When that client's authentication is complete, the port is open to accept all packets from the other connected clients, and these packets do not require any authentication.
Figure 13-4: Message exchange during authentication (figure not reproduced). Participants: Client/Supplicant, Arista Device (Authenticator), RADIUS Server (Authentication Server). Between the client and the authenticator the figure shows EAP-Request/Identity, EAP-Response/Identity, EAP-Request/MD5-Challenge, EAP-Response/Identity, EAP-Success and EAP-Logoff; between the authenticator and the RADIUS server it shows RADIUS Access-Request, Access-Challenge, Access-Request and Access-Accept. The port is marked Unauthorized before the exchange, Authorized after EAP-Success, and Unauthorized again after EAP-Logoff.
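Sections 13.2.4 and 13.2.5 describe two things together: the split of one physical port into an uncontrolled port (EAPOL only) and a controlled port (everything, once authorized), and the authenticator's relay of EAP responses to the RADIUS server. The following Python model is an added illustration of both, not code from this manual or from EOS. It builds EAPOL and EAP frames byte for byte, drops non-EAPOL frames while the controlled port is unauthorized, relays the Identity and MD5-Challenge responses to a stand-in RADIUS server, opens the controlled port on EAP-Success and closes it on EAPOL-Logoff. The RadiusServerStub class, the user "alice", the passwords, the client MAC address and the IPv4 frame are constructed assumptions; the EAP-MD5 value is computed as in RFC 3748 and RFC 1994, but RADIUS packet encoding is not modelled (verdict strings stand in for Access-Request, Access-Challenge, Access-Accept and Access-Reject).

```python
import hashlib
import hmac
import os
import struct

ETHERTYPE_EAPOL = 0x888E
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2   # EAPOL packet types
EAP_RESPONSE, EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 2, 1, 4  # EAP code / types (RFC 3748)
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")             # 802.1X PAE group address
CLIENT_MAC = bytes.fromhex("001122334455")                # constructed sample MAC

def eapol(packet_type, body=b""):
    """EAPOL PDU: protocol version 1, packet type, body length, body."""
    return struct.pack("!BBH", 1, packet_type, len(body)) + body

def eap_response(eap_id, eap_type, data):
    """EAP packet: code, identifier, total length, type, type-data."""
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(data), eap_type) + data

def md5_challenge_value(eap_id, password, challenge):
    """EAP-MD5 value = MD5(identifier || password || challenge) (RFC 3748, RFC 1994)."""
    return hashlib.md5(bytes([eap_id]) + password + challenge).digest()

class RadiusServerStub:
    """Stand-in Authentication Server (assumption): holds accounts, answers Challenge/Accept/Reject."""

    def __init__(self, accounts):
        self.accounts = accounts   # identity -> password (constructed sample data)
        self.pending = {}          # identity -> outstanding challenge

    def access_request(self, identity, eap_id, md5_value=None):
        if identity not in self.accounts:
            return "Access-Reject", None
        if md5_value is None:      # first round: issue a fresh challenge
            self.pending[identity] = os.urandom(16)
            return "Access-Challenge", self.pending[identity]
        challenge = self.pending.pop(identity, None)
        if challenge is None:
            return "Access-Reject", None
        expected = md5_challenge_value(eap_id, self.accounts[identity], challenge)
        return ("Access-Accept" if hmac.compare_digest(md5_value, expected) else "Access-Reject"), None

class AuthenticatorPort:
    """One 802.1x port: uncontrolled port admits EAPOL only; controlled port forwards once authorized."""

    def __init__(self, radius):
        self.radius, self.authorized = radius, False
        self.identity, self.challenge, self.eap_id = None, None, 0

    def ingress(self, frame):
        """Return what the port did with a frame arriving from the supplicant side."""
        if struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_EAPOL:
            return self._pae(frame[14:])
        return "forwarded" if self.authorized else "dropped"

    def _pae(self, pdu):
        _version, packet_type, length = struct.unpack("!BBH", pdu[:4])
        body = pdu[4:4 + length]
        if packet_type == EAPOL_START:      # supplicant-initiated exchange
            self.eap_id += 1
            return "EAP-Request/Identity"
        if packet_type == EAPOL_LOGOFF:     # logoff closes the controlled port again
            self.authorized = False
            return "port unauthorized"
        if packet_type != EAPOL_EAP_PACKET or len(body) < 5:
            return "dropped"
        code, eap_id, _, eap_type = struct.unpack("!BBHB", body[:5])
        if code != EAP_RESPONSE or eap_id != self.eap_id:
            return "dropped"                # not a reply to the outstanding request
        data = body[5:]
        if eap_type == EAP_TYPE_IDENTITY:   # relay the identity to RADIUS (Access-Request)
            self.identity = data.decode("utf-8", "replace")
            verdict, self.challenge = self.radius.access_request(self.identity, eap_id)
            if verdict != "Access-Challenge":
                return "EAP-Failure"
            self.eap_id += 1
            return "EAP-Request/MD5-Challenge"
        if eap_type == EAP_TYPE_MD5 and self.identity and data:
            value = data[1:1 + data[0]]     # value-size byte, then the MD5 value
            verdict, _ = self.radius.access_request(self.identity, eap_id, value)
            self.authorized = verdict == "Access-Accept"
            return "EAP-Success" if self.authorized else "EAP-Failure"
        return "dropped"

def run_exchange(password, radius_password=b"s3cret"):
    """Drive the Figure 13-4 sequence for user 'alice'; return the port's verdict per frame."""
    port = AuthenticatorPort(RadiusServerStub({"alice": radius_password}))

    def send(ethertype, payload):   # build an untagged Ethernet II frame and offer it to the port
        return port.ingress(PAE_GROUP_MAC + CLIENT_MAC + struct.pack("!H", ethertype) + payload)

    ip_frame = (0x0800, b"\x45" + b"\x00" * 19)   # constructed non-EAPOL (IPv4) frame
    events = [send(*ip_frame), send(ETHERTYPE_EAPOL, eapol(EAPOL_START))]
    events.append(send(ETHERTYPE_EAPOL, eapol(EAPOL_EAP_PACKET,
                  eap_response(port.eap_id, EAP_TYPE_IDENTITY, b"alice"))))
    if events[-1] == "EAP-Request/MD5-Challenge":
        # The supplicant reads the challenge and identifier from the port object here, in
        # place of parsing the EAP-Request/MD5-Challenge frame a real authenticator sends.
        value = md5_challenge_value(port.eap_id, password, port.challenge)
        events.append(send(ETHERTYPE_EAPOL, eapol(EAPOL_EAP_PACKET,
                      eap_response(port.eap_id, EAP_TYPE_MD5, bytes([len(value)]) + value))))
    events.append(send(*ip_frame))                # forwarded only while authorized
    events.append(send(ETHERTYPE_EAPOL, eapol(EAPOL_LOGOFF)))
    events.append(send(*ip_frame))
    return events
```

With the correct password, run_exchange returns dropped, EAP-Request/Identity, EAP-Request/MD5-Challenge, EAP-Success, forwarded, port unauthorized, dropped: the IPv4 frame is discarded before authentication, forwarded once the controlled port is authorized, and discarded again after the logoff. With a wrong password the fourth verdict is EAP-Failure and the controlled port never opens, which is the "no traffic is allowed to pass through the controlled port in the unauthorized state" rule of section 13.2.4.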
Figure 13-5: Multiple clients connected to a 802.1x-enabled port (figure not reproduced; it shows the RADIUS Server (Authentication Server), the Arista Switch (Authenticator), and a Hub connecting several Clients/Supplicants running 802.1X-compliant client software to one switch port)
13.3 Configuring 802.1x Port Security

Basic steps to implementing 802.1x Port-based Network Access Control and RADIUS accounting on the switch:
Step 1 A RADIUS server is required on one or more of your network servers or management stations.
802.1x is not supported with the TACACS+ authentication protocol.
Step 2 You must create supplicant accounts on the RADIUS server:
• The account for a supplicant connected to an authenticator port must have a username and password combination when set to the 802.1x authentication mode. The maximum username length is 38 alphanumeric characters and spaces, and the maximum password length is 16 alphanumeric characters and spaces.
• An account for a supplicant connected to an authenticator port placed in the MAC address-based authentication mode must use the MAC address of the node as both the username and the password.
• Clients connected to an 802.1x authenticator port require 802.1x client software.
Step 3 The RADIUS client must be configured by entering the IP addresses and encryption keys of the authentication servers on your network.
Step 4 The port access control settings must be configured on the switch. This includes the following:
• Specifying the port roles.
• Configuring 802.1x port parameters.
• Enabling 802.1x Port-based Network Access Control.
Guidelines
• Do not set a port that is connected to a RADIUS authentication server to the authenticator role, as an authentication server cannot authenticate itself.
• A supplicant connected to an authenticator port set to the 802.1x username and password authentication method must have 802.1x client software.
• To prevent unauthorized individuals from accessing the network through unattended network workstations, end users of 802.1x port-based network access control should always log off when they are finished with a work session.
• The RADIUS client should be configured on the switch before activating port-based access control.
13.3.1 Configuring 802.1x Authentication Methods
IEEE 802.1x port security relies on external client-authentication methods, which must be configured for use. The method currently supported on Arista switches is RADIUS authentication. To configure the switch to use a RADIUS server for client authentication, use the aaa authentication dot1x command.
Example
• The aaa authentication dot1x command configures the authentication, authorization, and accounting (AAA) methods to be used on interfaces running IEEE 802.1X. The following configures the switch to use RADIUS authentication.
switch(config)# aaa authentication dot1x default group radius
switch(config)#
13.3.2 Globally Enable IEEE 802.1x
To enable IEEE 802.1X port authentication globally on the switch, use the dot1x system-auth-control command.
• This command enables IEEE 802.1X globally on the switch.
switch(config)#dot1x system-auth-control
switch(config)#
13.3.3 Designating Authenticator Ports
For ports to act as authenticator ports to connected supplicants, those ports must be designated using the dot1x port-control command.
The auto option of the dot1x port-control command designates an authenticator port for immediate use, blocking all traffic that is not authenticated by the RADIUS server.
Example
• This command configures Ethernet 1 to immediately begin functioning as an authenticator port.
switch(config)#interface ethernet 1
switch(config-if-Et1)#dot1x port-control auto
switch(config-if-Et1)#
The force-authorized option of the dot1x port-control command sets the state of the port to authorized without authentication, allowing traffic to continue uninterrupted.
Example
• These commands designate Ethernet 1 as an authenticator port that will forward packets without authentication.
switch(config)#interface ethernet 1
switch(config-if-Et1)#dot1x port-control force-authorized
switch(config-if-Et1)#
To designate a port as an authenticator but prevent it from authorizing any traffic, use the force-unauthorized option of the dot1x port-control command.
Example
• The force-unauthorized option of the dot1x port-control command places the specified port in the unauthorized state, which denies any access requests from users of the port.
switch(config)#interface ethernet 1
switch(config-if-Et1)#dot1x port-control force-unauthorized
switch(config-if-Et1)#
13.3.4 Configuring Re-authentication
The dot1x reauthentication and dot1x timeout reauth-period commands configure authenticator ports to require re-authentication from clients at regular intervals.
Example
• These commands configure the Ethernet interface 1 authenticator to require re-authentication from clients every 6 hours (21600 seconds).
switch(config)#interface ethernet 1
switch(config-if-Et1)#dot1x reauthentication
switch(config-if-Et1)#dot1x timeout reauth-period 21600
switch(config-if-Et1)#
• These commands deactivate re-authentication on Ethernet interface 1.
switch(config)#interface ethernet 1
switch(config-if-Et1)#no dot1x reauthentication
switch(config-if-Et1)#
13.3.5 Setting the EAP Request Maximum
The dot1x max-reauth-req command configures the number of times the switch retransmits an 802.1x Extensible Authentication Protocol (EAP) request packet before ending the conversation and restarting authentication.
Example
• These commands set the number of times the authenticator sends an EAP request packet to the client before restarting authentication.
switch(config)#interface ethernet 1
switch(config-if-Et1)#dot1x max-reauth-req 4
switch(config-if-Et1)#
13.3.6 Disabling Authentication on a Port
To disable authentication on an authenticator port, use the no dot1x port-control command.
Example
• These commands disable authentication on Ethernet interface 1.
switch(config)#interface ethernet 1
switch(config-if-Et1)#no dot1x port-control
switch(config-if-Et1)#
13.3.7 Setting the Quiet Period
If the switch fails to immediately authenticate the client, the time the switch waits before trying again is specified by the dot1x timeout quiet-period command. This timer also indicates how long a client that failed authentication is blocked.
Example
• These commands set the 802.1x quiet period for Ethernet interface 1 to 30 seconds.
switch(config)#interface ethernet 1
switch(config-if-Et1)#dot1x timeout quiet-period 30
13.3.8 Setting the Transmission Timeout
Authentication and re-authentication are accomplished by the authenticator sending an Extensible Authentication Protocol (EAP) request to the supplicant and the supplicant sending a reply, which the authenticator forwards to an authentication server. If the authenticator does not receive a reply to the EAP request, it waits a specified period of time before retransmitting. To configure that wait time, use the dot1x timeout tx-period command.
Example
• These commands configure Ethernet interface 1 to wait 30 seconds before retransmitting EAP requests to the supplicant.
switch(config)#interface Ethernet 1
switch(config-if-Et1)#dot1x timeout tx-period 30
switch(config-if-Et1)#
13.3.9 Clearing 802.1x Statistics
The clear dot1x statistics command resets the 802.1x counters.
Example
• This command clears the 802.1x counters on all interfaces.
switch#clear dot1x statistics all
switch#
• This command clears the 802.1x counters on Ethernet interface 1.
switch#clear dot1x statistics interface ethernet 1
switch#
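The steps of section 13.3 (RADIUS accounts in step 2, port access control in step 4) and the per-port commands of sections 13.3.1 through 13.3.8 can be turned into a small generator that also enforces the limits the chapter states. The Python below is an added example, not code from the Arista manual or from EOS: it checks supplicant accounts against the step-2 length rules, refuses to make a RADIUS-facing port an authenticator (the first guideline), validates each timer against the ranges given in the section 13.5 command reference, and emits only commands that appear in this chapter. The interface names, the three-space indentation of the generated lines and the sample port table are assumptions; step 3 (RADIUS client addresses and keys) is not generated because this chapter shows no command for it.

```python
import re

PORT_CONTROL_STATES = ("auto", "force-authorized", "force-unauthorized")
# Per-port dot1x options: option name -> (EOS command, allowed range), taken from
# the command reference in section 13.5.
TIMER_COMMANDS = {
    "max-reauth-req": ("dot1x max-reauth-req", (1, 10)),
    "quiet-period": ("dot1x timeout quiet-period", (1, 65535)),
    "reauth-period": ("dot1x timeout reauth-period", (1, 65535)),
    "tx-period": ("dot1x timeout tx-period", (1, 65535)),
}

def check_supplicant_account(username, password, mac_based=False):
    """Apply the step-2 account limits: usernames of up to 38 and passwords of up to 16
    alphanumeric characters and spaces; MAC-based accounts use the MAC address for both."""
    if mac_based:
        if username != password:
            raise ValueError("MAC-based accounts must use the MAC address as username and password")
        return True
    if not re.fullmatch(r"[A-Za-z0-9 ]{1,38}", username):
        raise ValueError("username: up to 38 alphanumeric characters and spaces")
    if not re.fullmatch(r"[A-Za-z0-9 ]{1,16}", password):
        raise ValueError("password: up to 16 alphanumeric characters and spaces")
    return True

def build_dot1x_config(ports, radius_facing_ports=()):
    """Return the EOS command lines for step 4: authentication method, global enable, then
    per-port control and timers. `ports` maps an interface name to its options, e.g.
    {"Ethernet 1": {"port-control": "auto", "reauthentication": True, "reauth-period": 21600}}.
    `radius_facing_ports` lists interfaces that connect to the RADIUS server; the section
    13.3 guideline says these must never be authenticator ports."""
    lines = ["aaa authentication dot1x default group radius", "dot1x system-auth-control"]
    for intf, opts in ports.items():
        state = opts.get("port-control", "force-authorized")   # force-authorized is the default
        if state not in PORT_CONTROL_STATES:
            raise ValueError(f"{intf}: unknown port-control state {state!r}")
        if intf in radius_facing_ports and state != "force-authorized":
            raise ValueError(f"{intf} connects to the RADIUS server and cannot authenticate it")
        lines += [f"interface {intf}", f"   dot1x port-control {state}"]
        if opts.get("reauthentication"):
            lines.append("   dot1x reauthentication")
        for name, (command, (low, high)) in TIMER_COMMANDS.items():
            if name in opts:
                value = int(opts[name])
                if not low <= value <= high:
                    raise ValueError(f"{intf}: {name} must be {low}-{high}, got {value}")
                lines.append(f"   {command} {value}")
    return lines

def example_config():
    """Constructed sample: two authenticator ports and a RADIUS-facing uplink left force-authorized."""
    ports = {
        "Ethernet 1": {"port-control": "auto", "reauthentication": True, "reauth-period": 21600,
                       "quiet-period": 30, "max-reauth-req": 4},
        "Ethernet 2": {"port-control": "force-unauthorized"},
        "Ethernet 48": {"port-control": "force-authorized"},
    }
    return build_dot1x_config(ports, radius_facing_ports=("Ethernet 48",))
```

Calling example_config() yields the global lines followed by an interface block per port; asking for port-control auto on a port named in radius_facing_ports, or a max-reauth-req outside 1 to 10, raises ValueError before any command is produced, so the guideline is enforced at generation time rather than discovered when the RADIUS server stops answering.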
13.4 Displaying 802.1x information

You can display information about 802.1x on the switch and on individual ports.
13.4.1 Displaying port security configuration information
The show dot1x command shows information about the 802.1x configuration on the specified port or ports.
Example
• This command displays IEEE 802.1x configuration information for Ethernet interface 5.
switch#show dot1x interface ethernet 5
Dot1X Information for Ethernet5
--------------------------------------------
PortControl : auto
QuietPeriod : 60 seconds
TxPeriod : 5 seconds
ReauthPeriod : 3600 seconds
MaxReauthReq : 2
switch#
13.4.2 Displaying 802.1x summary information
Use the show dot1x all summary command to display IEEE 802.1x status for all ports.
Example
• The following command displays a summary of IEEE 802.1x status.
switch#show dot1x all summary
Interface Client Status
-------------------------------------------------------------
Ethernet5 None Unauthorized
switch#
13.4.3 Displaying 802.1x statistics
Use the show dot1x statistics command to display 802.1x statistics for the specified port or ports.
Example
• This command displays IEEE 802.1x statistics for Ethernet interface 5.
switch#show dot1x interface ethernet 5 statistics
Dot1X Authenticator Port Statistics for Ethernet5
-------------------------------------------------
RxStart = 0 RxLogoff = 0 RxRespId = 0
RxResp = 0 RxInvalid = 0 RxTotal = 0
TxReqId = 0 TxReq = 0 TxTotal = 0
RxVersion = 0 LastRxSrcMAC = 0000.0000.0000
switch#
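The show dot1x all summary and show dot1x statistics output above is what an operator has to work with when checking that port security is doing what section 13.2.4 promises. The Python below is an added example, not code from the Arista manual: it parses both output formats and reviews them for the conditions this chapter lets you reason about: controlled ports still unauthorized (no client traffic forwarded), authorized ports with no client record (the force-authorized default rather than auto), ports receiving invalid EAPOL frames, and EAP-Request/Identity packets that never get a reply (the supplicant has no 802.1x client software, or tx-period is too short). The sample output, its counter values and the client MAC addresses are constructed; the layout follows the examples in this section, with the Client column assumed to carry the supplicant's MAC address in the same dotted form as LastRxSrcMAC.

```python
import re

# Constructed sample output in the layout of "show dot1x all summary" and
# "show dot1x interface ethernet 5 statistics"; counters and MACs are illustrative.
SUMMARY_OUTPUT = """\
Interface     Client              Status
-------------------------------------------------------------
Ethernet5     None                Unauthorized
Ethernet6     0011.2233.4455      Authorized
Ethernet7     None                Authorized
"""

STATS_OUTPUT = {
    "Ethernet5": """\
Dot1X Authenticator Port Statistics for Ethernet5
-------------------------------------------------
RxStart = 4  RxLogoff = 0  RxRespId = 0
RxResp = 0  RxInvalid = 6  RxTotal = 10
TxReqId = 8  TxReq = 0  TxTotal = 8
RxVersion = 1  LastRxSrcMAC = 0011.2233.4455
""",
}

def parse_summary(text):
    """Map each interface in the summary table to its client and controlled-port status."""
    ports = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\S+)\s+(Authorized|Unauthorized)\s*$", line)
        if m:
            ports[m.group(1)] = {"client": None if m.group(2) == "None" else m.group(2),
                                 "status": m.group(3)}
    return ports

def parse_statistics(text):
    """Return (interface, counters): numeric fields become ints, LastRxSrcMAC stays a string."""
    m = re.search(r"Statistics for (\S+)", text)
    counters = {k: (int(v) if v.isdigit() else v)
                for k, v in re.findall(r"(\w+)\s*=\s*(\S+)", text)}
    return (m.group(1) if m else None), counters

def review(summary, stats):
    """Findings a defender checks after enabling 802.1x; the RxInvalid threshold of 0 is illustrative."""
    findings = []
    for intf, info in summary.items():
        c = stats.get(intf, {})
        if info["status"] == "Unauthorized":
            findings.append((intf, "controlled port unauthorized: client traffic is not forwarded"))
        elif info["client"] is None:
            findings.append((intf, "authorized with no client: confirm force-authorized is intended"))
        if c.get("RxInvalid", 0) > 0:
            findings.append((intf, f"RxInvalid={c['RxInvalid']} malformed EAPOL frames, "
                                   f"last source {c.get('LastRxSrcMAC')}"))
        unanswered = c.get("TxReqId", 0) - c.get("RxRespId", 0)
        if unanswered > 0:
            findings.append((intf, f"{unanswered} EAP-Request/Identity sent without an "
                                   "EAP-Response/Identity: check client software or tx-period"))
    return findings

def audit():
    """Run the review over the constructed sample output above."""
    stats = dict(parse_statistics(t) for t in STATS_OUTPUT.values())
    return review(parse_summary(SUMMARY_OUTPUT), stats)
```

On the sample data, audit() reports three findings for Ethernet5 (unauthorized, RxInvalid=6 from 0011.2233.4455, and eight unanswered identity requests) and one for Ethernet7, which is authorized with no client and so is worth checking against the port-control setting; Ethernet6 produces nothing. Run against real output the same way, feeding each port's statistics block into parse_statistics.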
13.5 IEEE 802.1x Configuration Commands

Global Configuration Commands
• dot1x system-auth-control
Interface Configuration Commands – Ethernet Interface
• dot1x max-reauth-req
• dot1x pae authenticator
• dot1x port-control
• dot1x reauthentication
• dot1x timeout quiet-period
• dot1x timeout reauth-period
• dot1x timeout tx-period
Privileged EXEC Commands
• clear dot1x statistics
• show dot1x
• show dot1x statistics
• show dot1x all summary
clear dot1x statistics
The clear dot1x statistics command resets the 802.1x counters on the specified interface or all interfaces.
Command Mode
Privileged EXEC
Command Syntax
clear dot1x statistics INTERFACE_NAME
Parameters
• INTERFACE_NAME Interface type and number. Options include:
  • all Display information for all interfaces.
  • interface ethernet e_num Ethernet interface specified by e_num.
  • interface loopback l_num Loopback interface specified by l_num.
  • interface management m_num Management interface specified by m_num.
  • interface port-channel p_num Port-Channel interface specified by p_num.
  • interface vlan v_num VLAN interface specified by v_num.
Example
• This command resets the 802.1x counters on all interfaces.
switch#clear dot1x statistics all
switch#
dot1x system-auth-control
The dot1x system-auth-control command enables 802.1X authentication on the switch.
The no dot1x system-auth-control and default dot1x system-auth-control commands disable 802.1X authentication by removing the dot1x system-auth-control command from running-config.
Command Mode
Global Configuration
Command Syntax
dot1x system-auth-control
no dot1x system-auth-control
default dot1x system-auth-control
Example
• This command enables 802.1X authentication on the switch.
switch(config)#dot1x system-auth-control
switch(config)#
• This command disables 802.1X authentication on the switch.
switch(config)#no dot1x system-auth-control
switch(config)#
dot1x max-reauth-req
The dot1x max-reauth-req command configures how many times the switch retransmits an 802.1x Extensible Authentication Protocol (EAP) request packet before ending the conversation and restarting authentication.
The no dot1x max-reauth-req and default dot1x max-reauth-req commands restore the default value of 2 by deleting the corresponding dot1x max-reauth-req command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Management Configuration
Command Syntax
dot1x max-reauth-req attempts
no dot1x max-reauth-req
default dot1x max-reauth-req
Parameters
• attempts maximum number of attempts. Values range from 1 to 10; default value is 2.
Examples
• This command sets the 802.1x EAP-request retransmit limit to 6.
switch(config-if-Et1)#dot1x max-reauth-req 6
switch(config-if-Et1)#
• This command restores the default request repetition value of 2.
switch(config-if-Et1)#no dot1x max-reauth-req
switch(config-if-Et1)#
dot1x pae authenticator
The dot1x pae authenticator command sets the port access entity (PAE) type of the configuration mode interface to authenticator.
The no dot1x pae authenticator and default dot1x pae authenticator commands restore the switch default by deleting the corresponding dot1x pae authenticator command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Management Configuration
Command Syntax
dot1x pae authenticator
no dot1x pae authenticator
default dot1x pae authenticator
Example
• These commands configure Ethernet interface 2 as a port access entity (PAE) authenticator, which enables IEEE 802.1x on the port.
switch(config-if-Et1)#interface ethernet 2
switch(config-if-Et2)#dot1x pae authenticator
switch(config-if-Et2)#
• These commands disable IEEE 802.1x authentication on Ethernet interface 2.
switch(config-if-Et1)#interface ethernet 2
switch(config-if-Et2)#no dot1x pae authenticator
switch(config-if-Et2)#
dot1x port-control
The dot1x port-control command configures the configuration mode interface as an authenticator port and specifies whether it will authenticate traffic.
The no dot1x port-control and default dot1x port-control commands configure the port to pass traffic without authorization by removing the corresponding dot1x port-control command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Management Configuration
Command Syntax
dot1x port-control STATE
no dot1x port-control
default dot1x port-control
Parameters
• STATE specifies whether the interface will authenticate traffic. The default value is force-authorized. Options include:
  • auto configures the port to authenticate traffic using Extensible Authentication Protocol messages.
  • force-authorized configures the port to pass traffic without authentication.
  • force-unauthorized configures the port to block all traffic regardless of authentication.
Examples
• These commands configure Ethernet interface 1 to pass traffic without authentication. This is the default setting.
switch(config)#interface Ethernet 1
switch(config-if-Et1)#dot1x port-control force-authorized
switch(config-if-Et1)#
• These commands configure Ethernet interface 1 to block all traffic.
switch(config)#interface Ethernet 1
switch(config-if-Et1)#dot1x port-control force-unauthorized
switch(config-if-Et1)#
• These commands configure Ethernet interface 1 to authenticate traffic using EAP messages.
switch(config)#interface Ethernet 1
switch(config-if-Et1)#dot1x port-control auto
switch(config-if-Et1)#
dot1x reauthentication
The dot1x reauthentication command configures the configuration mode interface to require re-authentication from clients at regular intervals. The interval is set by the dot1x timeout reauth-period command.
The no dot1x reauthentication and default dot1x reauthentication commands restore the default setting by deleting the corresponding dot1x reauthentication command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Management Configuration
Command Syntax
dot1x reauthentication
no dot1x reauthentication
default dot1x reauthentication
Example
• These commands configure the Ethernet interface 1 authenticator to require periodic re-authentication from clients.
switch(config)#interface Ethernet 1
switch(config-if-Et1)#dot1x reauthentication
switch(config-if-Et1)#
dot1x timeout quiet-period
If the switch fails to immediately authenticate the client, the time the switch waits before trying again is specified by the dot1x timeout quiet-period command. This timer also indicates how long a client that failed authentication is blocked.
The no dot1x timeout quiet-period and default dot1x timeout quiet-period commands restore the default quiet period of 60 seconds by removing the corresponding dot1x timeout quiet-period command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Management Configuration
Command Syntax
dot1x timeout quiet-period quiet_time
no dot1x timeout quiet-period
default dot1x timeout quiet-period
Parameters
• quiet_time interval in seconds. Values range from 1 to 65535. Default value is 60.
Example
• These commands set the 802.1x quiet period for Ethernet interface 1 to 30 seconds.
switch(config)#interface Ethernet 1
switch(config-if-Et1)#dot1x timeout quiet-period 30
switch(config-if-Et1)#
dot1x timeout reauth-period
The dot1x timeout reauth-period command specifies the time period that the configuration mode interface waits before requiring re-authentication from clients.
The no dot1x timeout reauth-period and default dot1x timeout reauth-period commands restore the default period of 60 minutes by removing the corresponding dot1x timeout reauth-period command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Management Configuration
Command Syntax
dot1x timeout reauth-period reauth_time
no dot1x timeout reauth-period
default dot1x timeout reauth-period
Parameters
• reauth_time the number of seconds the interface passes traffic before requiring re-authentication. Values range from 1 to 65535. Default value is 3600.
Example
• These commands configure the Ethernet interface 1 authenticator to require re-authentication from clients every 6 hours (21600 seconds).
switch(config)#interface Ethernet 1
switch(config-if-Et1)#dot1x reauthentication
switch(config-if-Et1)#dot1x timeout reauth-period 21600
switch(config-if-Et1)#
dot1x timeout tx-period
Authentication and re-authentication are accomplished by the authenticator sending an Extensible Authentication Protocol (EAP) request to the supplicant and the supplicant sending a reply, which the authenticator forwards to an authentication server. If the authenticator does not get a reply to the EAP request, it waits a specified period of time before retransmitting. The dot1x timeout tx-period command configures that wait time.
The no dot1x timeout tx-period and default dot1x timeout tx-period commands restore the default wait time by removing the corresponding dot1x timeout tx-period command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Management Configuration
Command Syntax
dot1x timeout tx-period tx_time
no dot1x timeout tx-period
default dot1x timeout tx-period
Parameters
• tx_time wait time in seconds. Values range from 1 to 65535. Default value is 5.
Example
• These commands configure Ethernet interface 1 to wait 30 seconds before retransmitting EAP requests to the supplicant.
switch(config)#interface Ethernet 1
switch(config-if-Et1)#dot1x timeout tx-period 30
switch(config-if-Et1)#
show dot1x
The show dot1x command displays 802.1x information for the specified interface.
Command Mode
EXEC
Command Syntax
show dot1x INTERFACE_NAME INFO
Parameters
• INTERFACE_NAME Interface type and number. Options include:
  • all Display information for all interfaces.
  • ethernet e_num Ethernet interface specified by e_num.
  • loopback l_num Loopback interface specified by l_num.
  • management m_num Management interface specified by m_num.
  • port-channel p_num Port-Channel interface specified by p_num.
  • vlan v_num VLAN interface specified by v_num.
• INFO Type of information the command displays. Values include:
  • <no parameter> displays a summary for the specified interface.
  • detail displays all 802.1x information for the specified interface.
Example
• This command displays 802.1X summary information for Ethernet interface 5.
switch#show dot1x interface ethernet 5
Dot1X Information for Ethernet5
--------------------------------------------
PortControl : auto
QuietPeriod : 60 seconds
TxPeriod : 5 seconds
ReauthPeriod : 3600 seconds
MaxReauthReq : 2
switch#
• This command displays detailed 802.1X information for Ethernet interface 5.
switch#show dot1x interface ethernet 5 detail
Dot1X Information for Ethernet5
--------------------------------------------
PortControl : auto
QuietPeriod : 60 seconds
TxPeriod : 5 seconds
ReauthPeriod : 3600 seconds
MaxReauthReq : 2
Dot1X Authenticator Client
Port Status : Unauthorized
switch#
show dot1x statistics
The show dot1x statistics command displays 802.1X statistics for the specified port or ports.
Command Mode
EXEC
Command Syntax
show dot1x INTERFACE_NAME statistics
Parameters
• INTERFACE_NAME Interface type and number. Options include:
  • all Display information for all interfaces.
  • ethernet e_num Ethernet interface specified by e_num.
  • loopback l_num Loopback interface specified by l_num.
  • management m_num Management interface specified by m_num.
  • port-channel p_num Port-Channel interface specified by p_num.
  • vlan v_num VLAN interface specified by v_num.
Output Fields
• RxStart Number of EAPOL-Start frames received on the port.
• TxReqId Number of EAP-Request/Identity frames transmitted on the port.
• RxVersion Version number of the last EAPOL frame received on the port.
• RxLogoff Number of EAPOL-Logoff frames received on the port.
• RxInvalid Number of invalid EAPOL frames received on the port.
• TxReq Number of transmitted EAP-Request frames that were not EAP-Request/Identity.
• LastRxSrcMAC The source MAC address in the last EAPOL frame received on the port.
• RxRespId The number of EAP-Response/Identity frames received on the port.
• RxTotal The total number of EAPOL frames received on the port.
• TxTotal The total number of EAPOL frames transmitted on the port.
Example
• This command displays the 802.1X statistics for Ethernet interface 5.
switch#show dot1x interface ethernet 5 statistics
Dot1X Authenticator Port Statistics for Ethernet5
-------------------------------------------------
RxStart = 0 RxLogoff = 0 RxRespId = 0
RxResp = 0 RxInvalid = 0 RxTotal = 0
TxReqId = 0 TxReq = 0 TxTotal = 0
RxVersion = 0 LastRxSrcMAC = 0000.0000.0000
switch#
show dot1x all summary
The show dot1x all summary command displays the IEEE 802.1X status for all ports.
Command Mode
EXEC
Command Syntax
show dot1x all summary
Example
• This command displays the IEEE 802.1X status.
switch#show dot1x all summary
Interface Client Status
-------------------------------------------------------------
Ethernet5 None Unauthorized
switch#