
667

Chapter 13

802.1x Port Security

This section explains the basic concepts behind 802.1x port security, including switch roles, how the switches communicate, and the procedure used for authenticating clients.

• Section 13.1: 802.1x Port Security Introduction

• Section 13.2: 802.1x Port Security Description

• Section 13.3: Configuring 802.1x Port Security

• Section 13.4: Displaying 802.1x information

• Section 13.5: IEEE 802.1x Configuration Commands

13.1 802.1x Port Security Introduction

Port security controls who can send or receive traffic through an individual switch port. An end node is not allowed to send or receive traffic through a port until the node is authenticated by a RADIUS server.

This prevents unauthorized individuals from connecting to a switch port to access your network. Only designated valid users on a RADIUS server will be allowed to use the switch to access the network.


13.2 802.1x Port Security Description

13.2.1 Switch Roles for 802.1x Configurations

The 802.1x standard specifies the roles of Supplicant (client), Authenticator, and Authentication Server in a network. Figure 13-1 illustrates these roles.

Authentication server – The server that validates the client and specifies whether or not the client may access services on the switch. The switch supports Authentication Servers running RADIUS.

Authenticator – The switch that controls access to the network. In an 802.1x configuration, the switch serves as the Authenticator. As the Authenticator, it moves messages between the client and the Authentication Server. The Authenticator either grants or does not grant network access to the client based on the identity data provided by the client and the authentication data provided by the Authentication Server.

Supplicant/Client – The client provides username and password data to the Authenticator. The Authenticator sends this data to the Authentication Server. Based on the supplicant's information, the Authentication Server determines whether the supplicant can use services given by the Authenticator. The Authentication Server gives this decision to the Authenticator, which then provides services to the client based on the authentication result.

13.2.2 Authentication Process

The authentication that occurs between a supplicant, authenticator, and authentication server includes the following processes.

• Either the authenticator (a switch port) or the supplicant starts an authentication message exchange. The switch starts an exchange when it detects a change in the status of a port, or if it gets a packet on the port with a source MAC address that is not included in the MAC address table.

Figure 13-1: Authenticator, Supplicant, and Authentication Server in an 802.1x configuration (figure not reproduced; it shows the Client/Supplicant, the Arista Switch acting as Authenticator, and the RADIUS Server acting as Authentication Server)


• An authenticator starts the negotiation by sending an EAP-Request/Identity packet. A supplicant starts the negotiation with an EAPOL-Start packet, to which the authenticator answers with an EAP-Request/Identity packet.

• The supplicant answers with an EAP-Response/Identity packet to the authentication server via the authenticator.

• The authentication server responds with an EAP-Request packet to the supplicant via the authenticator.

• The supplicant responds with an EAP-Response.

• The authentication server transmits either an EAP-Success packet or an EAP-Reject packet to the supplicant.

• If the authentication server rejects the supplicant, the supplicant receives an EAP-Reject message and its traffic is not forwarded.

13.2.3 Communication Between the Switches

For communication between the switches, 802.1x port security uses the Extensible Authentication Protocol (EAP), defined in RFC 2284, and the RADIUS authentication protocol.

The 802.1x standard defines a method for encapsulating EAP messages so they can be sent over a LAN. This encapsulated kind of EAP is known as EAP over LAN (EAPOL). The standard also specifies a means of transferring the EAPOL information between the client or Supplicant, Authenticator, and Authentication Server.

EAPOL messages are passed between the Supplicant's and Authenticator's Port Access Entity (PAE). Figure 13-2 shows the relationship between the Authenticator PAE and the Supplicant PAE.

Figure 13-2: Authenticator PAE and Supplicant PAE (figure not reproduced; it shows EAPOL messages between the Supplicant PAE on the 802.1X-enabled supplicant and the Authenticator PAE on the Arista Switch, and RADIUS messages between the Authenticator PAE and the Authentication Server)


Authenticator PAE – The Authenticator PAE communicates with the Supplicant PAE to receive the Supplicant's identifying information. Behaving as a RADIUS client, the Authenticator PAE passes the Supplicant's information to the Authentication Server, which decides whether to grant the Supplicant access. If the Supplicant passes authentication, the Authenticator PAE allows it access to the port.

Supplicant PAE – The Supplicant PAE provides information about the client to the Authenticator PAE and replies to requests from the Authenticator PAE. The Supplicant PAE may initiate the authentication procedure with the Authenticator PAE, as well as send logoff messages.

13.2.4 Controlled and Uncontrolled Ports

A physical port on the switch used with 802.1x has two virtual access points: a controlled port and an uncontrolled port. The controlled port grants full access to the network. The uncontrolled port only gives access for EAPOL traffic between the client and the Authentication Server. When a client is authenticated successfully, the controlled port is opened to the client.

The uncontrolled port on the Authenticator is the only one open before a client is authenticated. The uncontrolled port permits only EAPOL frames to be exchanged between the client and the Authentication Server. No traffic is allowed to pass through the controlled port in the unauthorized state.

During authentication, EAPOL messages are exchanged between the Supplicant PAE and the Authenticator PAE, and RADIUS messages are exchanged between the Authenticator PAE and the Authentication Server. If the client is successfully authenticated, the controlled port becomes authorized, and traffic from the client can flow through the port normally.

Figure 13-3: Ports before and after client authentication (figure not reproduced; it shows the physical port of the Arista Switch (Authenticator) with its Uncontrolled Port and Controlled Port, the Controlled Port being Unauthorized before authentication and Authorized after authentication, with the switch Services reachable only through the Controlled Port)


All controlled ports on the switch are placed in the authorized state, allowing all traffic, by default. When authentication is initiated, the controlled port on the interface is initially set in the unauthorized state. If a client connected to the port is authenticated successfully, the controlled port is set in the authorized state.

13.2.5 Message Exchange During Authentication

Figure 13-4 illustrates an exchange of messages between an 802.1x-enabled client, a switch operating as Authenticator, and a RADIUS server operating as an Authentication Server.

Arista switches support MD5-Challenge, TLS, and any other EAP-encapsulated authentication types in EAP Request or Response messages. In other words, the switches are transparent to the authentication scheme used.

13.2.6 Authenticating Multiple Clients Connected to the Same Port

Arista switches support 802.1x authentication for ports with more than one client connected to them (multi-host mode). Figure 13-5 illustrates a sample configuration where multiple clients are connected to a single 802.1x port.

When multiple clients are connected to a single 802.1x-enabled port, the port starts receiving packets from multiple clients. The port authenticates the first client whose packets it receives, and packets from the other clients are dropped until that client's authentication completes. Once that client is authenticated, the port is open to accept all packets from the other connected clients, and these packets do not require any authentication.

Figure 13-4: Message exchange during authentication (figure not reproduced; it shows the Client/Supplicant, the Arista Device (Authenticator) and the RADIUS Server (Authentication Server), with EAP-Request/Identity, EAP-Response/Identity, EAP-Request/MD5-Challenge, EAP-Success and EAP-Logoff on the client side, RADIUS Access-Request, Access-Challenge, Access-Request and Access-Accept on the server side, and the port moving from Unauthorized to Authorized and back to Unauthorized after the logoff)


Figure 13-5: Multiple clients connected to a 802.1x-enabled port (figure not reproduced; it shows several Clients/Supplicants running 802.1X-compliant client software attached through a Hub to one port of the Arista Switch (Authenticator), which communicates with the RADIUS Server (Authentication Server))
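The exchange and port states described in Sections 13.2.2 through 13.2.5, modelled as an added Python example that is not Arista's code: it parses EAPOL frames, moves the controlled port between Unauthorized and Authorized, applies the quiet period after a rejection, and keeps counters with the names used by show dot1x statistics later in this chapter. The RADIUS server is a constructed in-memory table, and the supplicant MAC address and MD5-Challenge payloads are placeholders.

```python
"""Authenticator PAE model (added example, not Arista's code; RADIUS is a constructed table)."""
import struct
from dataclasses import dataclass, field

EAPOL_EAP, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2                    # EAPOL packet types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4  # EAP codes (RFC 3748)
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4                            # EAP method types


def eapol(ptype, body=b"", version=2):
    """EAPOL frame: version(1) type(1) length(2) body."""
    return struct.pack("!BBH", version, ptype, len(body)) + body


def eap(code, ident, etype=None, data=b""):
    """EAP packet: code(1) id(1) length(2) [type(1) data]; Success/Failure carry no type."""
    body = b"" if etype is None else bytes([etype]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


@dataclass
class AuthenticatorPort:
    radius: dict                   # constructed verdict table: identity -> accepted?
    quiet_period: int = 60         # seconds; default of dot1x timeout quiet-period
    authorized: bool = False       # controlled-port state (False = Unauthorized)
    quiet_until: float = 0.0       # EAPOL-Start is ignored until this time after a reject
    identity: bytes = b""
    next_id: int = 1               # EAP identifier of the outstanding request
    stats: dict = field(default_factory=lambda: {
        "RxStart": 0, "RxLogoff": 0, "RxRespId": 0, "RxResp": 0, "RxInvalid": 0,
        "RxTotal": 0, "TxReqId": 0, "TxReq": 0, "TxTotal": 0, "RxVersion": 0,
        "LastRxSrcMAC": "0000.0000.0000"})

    def _send(self, pkt, counter=None):
        self.stats["TxTotal"] += 1
        if counter:
            self.stats[counter] += 1
        return eapol(EAPOL_EAP, pkt)

    def _invalid(self):
        self.stats["RxInvalid"] += 1
        return []

    def request_identity(self):
        """Authenticator-initiated start (link change, unknown source MAC, or EAPOL-Start)."""
        return self._send(eap(EAP_REQUEST, self.next_id, EAP_TYPE_IDENTITY), "TxReqId")

    def receive(self, src_mac, frame, now=0.0):
        """Handle one EAPOL frame from the supplicant; return the frames to transmit."""
        self.stats["RxTotal"] += 1
        self.stats["LastRxSrcMAC"] = src_mac
        if len(frame) < 4:
            return self._invalid()
        version, ptype, length = struct.unpack("!BBH", frame[:4])
        body = frame[4:4 + length]
        if len(body) != length:
            return self._invalid()
        self.stats["RxVersion"] = version
        if ptype == EAPOL_START:
            self.stats["RxStart"] += 1
            return [] if now < self.quiet_until else [self.request_identity()]
        if ptype == EAPOL_LOGOFF:
            self.stats["RxLogoff"] += 1
            self.authorized = False    # controlled port returns to Unauthorized
            return []
        if ptype != EAPOL_EAP or len(body) < 5:
            return self._invalid()
        code, ident, _, etype = struct.unpack("!BBHB", body[:5])
        if code != EAP_RESPONSE or ident != self.next_id:
            return self._invalid()     # not the reply to the outstanding request
        self.next_id += 1
        if etype == EAP_TYPE_IDENTITY:
            self.stats["RxRespId"] += 1
            self.identity = body[5:]
            # RADIUS Access-Request -> Access-Challenge, relayed as EAP-Request/MD5-Challenge
            challenge = eap(EAP_REQUEST, self.next_id, EAP_TYPE_MD5, b"\x10" + bytes(16))
            return [self._send(challenge, "TxReq")]
        self.stats["RxResp"] += 1
        # Access-Accept authorizes the controlled port; Access-Reject (the chapter's
        # EAP-Reject) leaves it Unauthorized and starts the quiet period.
        self.authorized = bool(self.radius.get(self.identity, False))
        if not self.authorized:
            self.quiet_until = now + self.quiet_period
        return [self._send(eap(EAP_SUCCESS if self.authorized else EAP_FAILURE, ident))]


def run_exchange(identity, radius, logoff=False):
    """Walk the Figure 13-4 exchange for one constructed supplicant; return the port."""
    port, mac = AuthenticatorPort(radius=radius), "0011.2233.4455"   # placeholder MAC
    out = port.receive(mac, eapol(EAPOL_START))                       # EAPOL-Start
    resp = eap(EAP_RESPONSE, out[0][5], EAP_TYPE_IDENTITY, identity)  # EAP-Response/Identity
    out = port.receive(mac, eapol(EAPOL_EAP, resp))
    resp = eap(EAP_RESPONSE, out[0][5], EAP_TYPE_MD5, b"\x10" + bytes(16))  # placeholder digest
    port.receive(mac, eapol(EAPOL_EAP, resp))                         # EAP-Success or EAP-Failure
    if logoff:
        port.receive(mac, eapol(EAPOL_LOGOFF))                        # EAP-Logoff in Figure 13-4
    return port
```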


13.3 Configuring 802.1x Port Security

Basic steps to implementing 802.1x Port-based Network Access Control and RADIUS accounting on the switch:

Step 1 A RADIUS server is required on one or more of your network servers or management stations.

802.1x is not supported with the TACACS+ authentication protocol.

Step 2 You must create supplicant accounts on the RADIUS server:

• The account for a supplicant connected to an authenticator port must have a username and password combination when set to the 802.1x authentication mode. The maximum username length is 38 alphanumeric characters and spaces, and the maximum length for a password is 16 alphanumeric characters and spaces.

• An account for a supplicant connected to an authenticator port that is placed in the MAC address-based authentication mode must use the MAC address of the node as both the username and password.

• Clients connected to an 802.1x authenticator port require 802.1x client software.

Step 3 The RADIUS client must be configured by entering the IP addresses and encryption keys of the authentication servers on your network.

Step 4 The port access control settings must be configured on the switch. This includes the following:

• Specifying the port roles.

• Configuring 802.1x port parameters.

• Enabling 802.1x Port-based Network Access Control.

Guidelines

• Do not set a port that is connected to a RADIUS authentication server to the authenticator role, as an authentication server cannot authenticate itself.

• A supplicant connected to an authenticator port set to the 802.1x username and password authentication method must have 802.1x client software.

• To prevent unauthorized individuals from accessing the network through unattended network workstations, end users of 802.1x port-based network access control should always log off when they are finished with a work session.

• The RADIUS client should be configured on the switch before activating port-based access control.

13.3.1 Configuring 802.1x Authentication Methods

IEEE 802.1x port security relies on external client-authentication methods, which must be configured for use. The method currently supported on Arista switches is RADIUS authentication. To configure the switch to use a RADIUS server for client authentication, use the aaa authentication dot1x command.

Example

• The aaa authentication dot1x command configures the authentication, authorization, and accounting (AAA) methods to be used on interfaces running IEEE 802.1X. The following configures the switch to use RADIUS authentication.

   switch(config)#aaa authentication dot1x default group radius
   switch(config)#


13.3.2 Globally Enable IEEE 802.1x

To enable IEEE 802.1X port authentication globally on the switch, use the dot1x system-auth-control command.

• This command enables IEEE 802.1X globally on the switch.

   switch(config)#dot1x system-auth-control
   switch(config)#

13.3.3 Designating Authenticator Ports

For ports to act as authenticator ports to connected supplicants, those ports must be designated using the dot1x port-control command.

The auto option of the dot1x port-control command designates an authenticator port for immediate use, blocking all traffic that is not authenticated by the RADIUS server.

Example

• These commands configure Ethernet 1 to immediately begin functioning as an authenticator port.

   switch(config)#interface ethernet 1
   switch(config-if-Et1)#dot1x port-control auto
   switch(config-if-Et1)#

The force-authorized option of the dot1x port-control command sets the state of the port to authorized without authentication, allowing traffic to continue uninterrupted.

Example

• These commands designate Ethernet 1 as an authenticator port that will forward packets without authentication.

   switch(config)#interface ethernet 1
   switch(config-if-Et1)#dot1x port-control force-authorized
   switch(config-if-Et1)#

To designate a port as an authenticator but prevent it from authorizing any traffic, use the force-unauthorized option of the dot1x port-control command.

Example

• The force-unauthorized option of the dot1x port-control command places the specified port in the unauthorized state, which will deny any access requests from users of the port.

   switch(config)#interface ethernet 1
   switch(config-if-Et1)#dot1x port-control force-unauthorized
   switch(config-if-Et1)#

13.3.4 Configuring Re-authentication

The dot1x reauthentication and dot1x timeout reauth-period commands configure authenticator ports to require re-authentication from clients at regular intervals.


Example

• These commands configure the Ethernet interface 1 authenticator to require re-authentication from clients every 6 hours (21600 seconds).

   switch(config)#interface ethernet 1
   switch(config-if-Et1)#dot1x reauthentication
   switch(config-if-Et1)#dot1x timeout reauth-period 21600
   switch(config-if-Et1)#

• These commands deactivate re-authentication on Ethernet interface 1.

   switch(config)#interface ethernet 1
   switch(config-if-Et1)#no dot1x reauthentication
   switch(config-if-Et1)#

13.3.5 Setting the EAP Request Maximum

The dot1x max-reauth-req command configures the number of times the switch retransmits an 802.1x Extensible Authentication Protocol (EAP) request packet before ending the conversation and restarting authentication.

Example

• These commands set the number of times the authenticator sends an EAP request packet to the client before restarting authentication to 4.

   switch(config)#interface ethernet 1
   switch(config-if-Et1)#dot1x max-reauth-req 4
   switch(config-if-Et1)#

13.3.6 Disabling Authentication on a Port

To disable authentication on an authenticator port, use the no dot1x port-control command.

Example

• These commands disable authentication on Ethernet interface 1.

   switch(config)#interface ethernet 1
   switch(config-if-Et1)#no dot1x port-control
   switch(config-if-Et1)#

13.3.7 Setting the Quiet Period

If the switch fails to immediately authenticate the client, the time the switch waits before trying again is specified by the dot1x timeout quiet-period command. This timer also indicates how long a client that failed authentication is blocked.

Example

• These commands set the 802.1x quiet period for Ethernet interface 1 to 30 seconds.

   switch(config)#interface ethernet 1
   switch(config-if-Et1)#dot1x timeout quiet-period 30
   switch(config-if-Et1)#


13.3.8 Setting the Transmission Timeout

Authentication and re-authentication are accomplished by the authenticator sending an Extensible Authentication Protocol (EAP) request to the supplicant and the supplicant sending a reply, which the authenticator forwards to an authentication server. If the authenticator does not receive a reply to the EAP request, it waits a specified period of time before retransmitting. To configure that wait time, use the dot1x timeout tx-period command.

Example

• These commands configure Ethernet interface 1 to wait 30 seconds before retransmitting EAP requests to the supplicant.

   switch(config)#interface Ethernet 1
   switch(config-if-Et1)#dot1x timeout tx-period 30
   switch(config-if-Et1)#

13.3.9 Clearing 802.1x Statistics

The clear dot1x statistics command resets the 802.1x counters.

Example

• This command clears the 802.1x counters on all interfaces.

   switch#clear dot1x statistics all
   switch#

• This command clears the 802.1x counters on Ethernet interface 1.

   switch#clear dot1x statistics interface ethernet 1
   switch#
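The configuration steps and commands of Section 13.3 give enough to check a switch's running-config for authenticator ports that are not actually enforcing authentication. The following is an added Python example, not Arista's code: it parses a constructed running-config excerpt that uses only the commands from this section, and reports the weak settings (force-authorized or absent port-control, re-authentication disabled, a short quiet period, missing global enablement). The config text and the re-authentication ceiling are assumptions for the example.

```python
"""Audit of 802.1x settings in an EOS-style running-config excerpt.

Added example, not Arista's code. It understands only the commands from this
section and the config text is constructed; the findings concern enforcement,
not syntax: an authenticator port whose dot1x port-control is force-authorized
(the default) or absent passes traffic without authentication, and without
dot1x system-auth-control no port enforces 802.1x at all.
"""
import re

SAMPLE_CONFIG = """\
aaa authentication dot1x default group radius
dot1x system-auth-control
!
interface Ethernet1
   dot1x pae authenticator
   dot1x port-control auto
   dot1x reauthentication
   dot1x timeout reauth-period 21600
!
interface Ethernet2
   dot1x pae authenticator
   dot1x port-control force-authorized
!
interface Ethernet3
   dot1x pae authenticator
   dot1x port-control auto
   dot1x timeout quiet-period 1
!
interface Ethernet4
   dot1x pae authenticator
!
"""

# Defaults stated in the command reference later in this chapter.
DEFAULTS = {"port-control": "force-authorized", "reauthentication": False,
            "reauth-period": 3600, "quiet-period": 60, "tx-period": 5, "max-reauth-req": 2}


def parse_config(text):
    """Return (global settings, {interface name: settings}) from the excerpt."""
    glob = {"system-auth-control": False, "aaa-dot1x-radius": False}
    ifaces, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = dict(DEFAULTS, pae=False)
        elif line == "!" or not line:
            cur = None                    # '!' closes the interface block
        elif cur is None:
            if line == "dot1x system-auth-control":
                glob["system-auth-control"] = True
            elif line == "aaa authentication dot1x default group radius":
                glob["aaa-dot1x-radius"] = True
        elif line == "dot1x pae authenticator":
            ifaces[cur]["pae"] = True
        elif line == "dot1x reauthentication":
            ifaces[cur]["reauthentication"] = True
        elif m := re.fullmatch(r"dot1x port-control (auto|force-(?:un)?authorized)", line):
            ifaces[cur]["port-control"] = m.group(1)
        elif m := re.fullmatch(r"dot1x timeout (quiet-period|reauth-period|tx-period) (\d+)", line):
            ifaces[cur][m.group(1)] = int(m.group(2))
        elif m := re.fullmatch(r"dot1x max-reauth-req (\d+)", line):
            ifaces[cur]["max-reauth-req"] = int(m.group(1))
    return glob, ifaces


def audit(text, max_reauth_period=86400):
    """Return (interface, finding) pairs; the re-authentication ceiling is an assumed policy."""
    glob, ifaces = parse_config(text)
    findings = []
    if not glob["aaa-dot1x-radius"]:
        findings.append(("global", "aaa authentication dot1x default group radius not configured"))
    if not glob["system-auth-control"]:
        findings.append(("global", "dot1x system-auth-control missing: no port enforces 802.1x"))
    for name, s in ifaces.items():
        if not s["pae"]:
            continue                      # not an authenticator port
        if s["port-control"] != "auto":
            findings.append((name, f"port-control {s['port-control']}: traffic passes without authentication"))
            continue
        if not s["reauthentication"]:
            findings.append((name, "re-authentication disabled: an authorized client is never re-checked while the link stays up"))
        elif s["reauth-period"] > max_reauth_period:
            findings.append((name, f"reauth-period {s['reauth-period']}s exceeds {max_reauth_period}s"))
        if s["quiet-period"] < DEFAULTS["quiet-period"]:
            findings.append((name, f"quiet-period {s['quiet-period']}s: rejected clients may retry sooner than the default 60s"))
    return findings
```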

13.4 Displaying 802.1x information

You can display information about 802.1x on the switch and on individual ports.

13.4.1 Displaying port security configuration information

The show dot1x command shows information about the 802.1x configuration on the specified port or ports.

Example

• This command displays IEEE 802.1x configuration information for Ethernet interface 5.

   switch#show dot1x interface ethernet 5
   Dot1X Information for Ethernet5
   --------------------------------------------
   PortControl  : auto
   QuietPeriod  : 60 seconds
   TxPeriod     : 5 seconds
   ReauthPeriod : 3600 seconds
   MaxReauthReq : 2
   switch#

13.4.2 Displaying 802.1x summary information

Use the show dot1x all summary command to display IEEE 802.1x status for all ports.


Example

• The following command displays a summary of IEEE 802.1x status.

   switch#show dot1x all summary
   Interface    Client    Status
   -------------------------------------------------------------
   Ethernet5    None      Unauthorized
   switch#

13.4.3 Displaying 802.1x statistics

Use the show dot1x statistics command to display 802.1x statistics for the specified port or ports.

Example

• This command displays IEEE 802.1x statistics for Ethernet interface 5.

   switch#show dot1x interface ethernet 5 statistics
   Dot1X Authenticator Port Statistics for Ethernet5
   -------------------------------------------------
   RxStart   = 0   RxLogoff  = 0   RxRespId = 0
   RxResp    = 0   RxInvalid = 0   RxTotal  = 0
   TxReqId   = 0   TxReq     = 0   TxTotal  = 0
   RxVersion = 0   LastRxSrcMAC = 0000.0000.0000
   switch#


13.5 IEEE 802.1x Configuration Commands

Global Configuration Commands

• dot1x system-auth-control

Interface Configuration Commands – Ethernet Interface

• dot1x max-reauth-req

• dot1x pae authenticator

• dot1x port-control

• dot1x reauthentication

• dot1x timeout quiet-period

• dot1x timeout reauth-period

• dot1x timeout tx-period

Privileged EXEC Commands

• clear dot1x statistics

• show dot1x

• show dot1x statistics

• show dot1x all summary


clear dot1x statistics

The clear dot1x statistics command resets the 802.1x counters on the specified interface or all interfaces.

Command Mode
Privileged EXEC

Command Syntax
   clear dot1x statistics INTERFACE_NAME

Parameters

• INTERFACE_NAME Interface type and number. Options include:

   • all All interfaces.

   • interface ethernet e_num Ethernet interface specified by e_num.

   • interface loopback l_num Loopback interface specified by l_num.

   • interface management m_num Management interface specified by m_num.

   • interface port-channel p_num Port-Channel Interface specified by p_num.

   • interface vlan v_num VLAN interface specified by v_num.

Example

• This command resets the 802.1x counters on all interfaces.

   switch#clear dot1x statistics all
   switch#


dot1x system-auth-control

The dot1x system-auth-control command enables 802.1X authentication on the switch.

The no dot1x system-auth-control and default dot1x system-auth-control commands disable 802.1X authentication by removing the dot1x system-auth-control command from running-config.

Command Mode
Global Configuration

Command Syntax
   dot1x system-auth-control
   no dot1x system-auth-control
   default dot1x system-auth-control

Example

• This command enables 802.1X authentication on the switch.

   switch(config)#dot1x system-auth-control
   switch(config)#

• This command disables 802.1X authentication on the switch.

   switch(config)#no dot1x system-auth-control
   switch(config)#


dot1x max-reauth-req

The dot1x max-reauth-req command configures how many times the switch retransmits an 802.1x Extensible Authentication Protocol (EAP) request packet before ending the conversation and restarting authentication.

The no dot1x max-reauth-req and default dot1x max-reauth-req commands restore the default value of 2 by deleting the corresponding dot1x max-reauth-req command from running-config.

Command Mode
Interface-Ethernet Configuration
Interface-Management Configuration

Command Syntax
   dot1x max-reauth-req attempts
   no dot1x max-reauth-req
   default dot1x max-reauth-req

Parameters

• attempts maximum number of attempts. Values range from 1 to 10; default value is 2.

Examples

• This command sets the 802.1x EAP-request retransmit limit to 6.

   switch(config-if-Et1)#dot1x max-reauth-req 6
   switch(config-if-Et1)#

• This command restores the default request repetition value of 2.

   switch(config-if-Et1)#no dot1x max-reauth-req
   switch(config-if-Et1)#


dot1x pae authenticator

The dot1x pae authenticator command sets the port access entity (PAE) type of the configuration mode interface to authenticator.

The no dot1x pae authenticator and default dot1x pae authenticator commands restore the switch default by deleting the corresponding dot1x pae authenticator command from running-config.

Command Mode
Interface-Ethernet Configuration
Interface-Management Configuration

Command Syntax
   dot1x pae authenticator
   no dot1x pae authenticator
   default dot1x pae authenticator

Example

• These commands configure Ethernet interface 2 as a port access entity (PAE) authenticator, which enables IEEE 802.1x on the port.

   switch(config)#interface ethernet 2
   switch(config-if-Et2)#dot1x pae authenticator
   switch(config-if-Et2)#

• These commands disable IEEE 802.1x authentication on Ethernet interface 2.

   switch(config)#interface ethernet 2
   switch(config-if-Et2)#no dot1x pae authenticator
   switch(config-if-Et2)#


dot1x port-control

The dot1x port-control command configures the configuration mode interface as an authenticator port and specifies whether it will authenticate traffic.

The no dot1x port-control and default dot1x port-control commands configure the port to pass traffic without authorization by removing the corresponding dot1x port-control command from running-config.

Command Mode
Interface-Ethernet Configuration
Interface-Management Configuration

Command Syntax
   dot1x port-control STATE
   no dot1x port-control
   default dot1x port-control

Parameters

• STATE specifies whether the interface will authenticate traffic. The default value is force-authorized. Options include:

   • auto configures the port to authenticate traffic using Extensible Authentication Protocol messages.

   • force-authorized configures the port to pass traffic without authentication.

   • force-unauthorized configures the port to block all traffic regardless of authentication.

Examples

• These commands configure Ethernet interface 1 to pass traffic without authentication. This is the default setting.

   switch(config)#interface Ethernet 1
   switch(config-if-Et1)#dot1x port-control force-authorized
   switch(config-if-Et1)#

• These commands configure Ethernet interface 1 to block all traffic.

   switch(config)#interface Ethernet 1
   switch(config-if-Et1)#dot1x port-control force-unauthorized
   switch(config-if-Et1)#

• These commands configure Ethernet interface 1 to authenticate traffic using EAP messages.

   switch(config)#interface Ethernet 1
   switch(config-if-Et1)#dot1x port-control auto
   switch(config-if-Et1)#


dot1x reauthentication

The dot1x reauthentication command configures the configuration mode interface to require re-authentication from clients at regular intervals. The interval is set by the dot1x timeout reauth-period command.

The no dot1x reauthentication and default dot1x reauthentication commands restore the default setting by deleting the corresponding dot1x reauthentication command from running-config.

Command Mode
Interface-Ethernet Configuration
Interface-Management Configuration

Command Syntax
   dot1x reauthentication
   no dot1x reauthentication
   default dot1x reauthentication

Example

• These commands configure the Ethernet interface 1 authenticator to require periodic re-authentication from clients.

   switch(config)#interface Ethernet 1
   switch(config-if-Et1)#dot1x reauthentication
   switch(config-if-Et1)#


dot1x timeout quiet-period

If the switch fails to immediately authenticate the client, the time the switch waits before trying again is specified by the dot1x timeout quiet-period command. This timer also indicates how long a client that failed authentication is blocked.

The no dot1x timeout quiet-period and default dot1x timeout quiet-period commands restore the default quiet period of 60 seconds by removing the corresponding dot1x timeout quiet-period command from running-config.

Command Mode
Interface-Ethernet Configuration
Interface-Management Configuration

Command Syntax
   dot1x timeout quiet-period quiet_time
   no dot1x timeout quiet-period
   default dot1x timeout quiet-period

Parameters

• quiet_time interval in seconds. Values range from 1 to 65535. Default value is 60.

Example

• These commands set the 802.1x quiet period for Ethernet interface 1 to 30 seconds.

   switch(config)#interface Ethernet 1
   switch(config-if-Et1)#dot1x timeout quiet-period 30
   switch(config-if-Et1)#


dot1x timeout reauth-period

The dot1x timeout reauth-period command specifies the time period that the configuration mode interface waits before requiring re-authentication from clients.

The no dot1x timeout reauth-period and default dot1x timeout reauth-period commands restore the default period of 60 minutes by removing the corresponding dot1x timeout reauth-period command from running-config.

Command Mode
Interface-Ethernet Configuration
Interface-Management Configuration

Command Syntax
   dot1x timeout reauth-period reauth_time
   no dot1x timeout reauth-period
   default dot1x timeout reauth-period

Parameters

• reauth_time the number of seconds the interface passes traffic before requiring re-authentication. Values range from 1 to 65535. Default value is 3600.

Example

• These commands configure the Ethernet interface 1 authenticator to require re-authentication from clients every 6 hours (21600 seconds).

   switch(config)#interface Ethernet 1
   switch(config-if-Et1)#dot1x reauthentication
   switch(config-if-Et1)#dot1x timeout reauth-period 21600
   switch(config-if-Et1)#


dot1x timeout tx-period

Authentication and re-authentication are accomplished by the authenticator sending an Extensible Authentication Protocol (EAP) request to the supplicant and the supplicant sending a reply, which the authenticator forwards to an authentication server. If the authenticator does not get a reply to the EAP request, it waits a specified period of time before retransmitting. The dot1x timeout tx-period command configures that wait time.

The no dot1x timeout tx-period and default dot1x timeout tx-period commands restore the default wait time by removing the corresponding dot1x timeout tx-period command from running-config.

Command Mode
Interface-Ethernet Configuration
Interface-Management Configuration

Command Syntax
   dot1x timeout tx-period tx_time
   no dot1x timeout tx-period
   default dot1x timeout tx-period

Parameters

• tx_time wait time in seconds. Values range from 1 to 65535. Default value is 5.

Example

• These commands configure Ethernet interface 1 to wait 30 seconds before retransmitting EAP requests to the supplicant.

   switch(config)#interface Ethernet 1
   switch(config-if-Et1)#dot1x timeout tx-period 30
   switch(config-if-Et1)#


show dot1x

The show dot1x command displays 802.1x information for the specified interface.

Command Mode
EXEC

Command Syntax
   show dot1x INTERFACE_NAME INFO

Parameters

• INTERFACE_NAME Interface type and number. Options include:

   • all Display information for all interfaces.

   • ethernet e_num Ethernet interface specified by e_num.

   • loopback l_num Loopback interface specified by l_num.

   • management m_num Management interface specified by m_num.

   • port-channel p_num Port-Channel Interface specified by p_num.

   • vlan v_num VLAN interface specified by v_num.

• INFO Type of information the command displays. Values include:

   • <no parameter> displays a summary for the specified interface.

   • detail displays all 802.1x information for the specified interface.

Example

• This command displays 802.1X summary information for Ethernet interface 5.

   switch#show dot1x interface ethernet 5
   Dot1X Information for Ethernet5
   --------------------------------------------
   PortControl  : auto
   QuietPeriod  : 60 seconds
   TxPeriod     : 5 seconds
   ReauthPeriod : 3600 seconds
   MaxReauthReq : 2
   switch#

• This command displays detailed 802.1X information for Ethernet interface 5.

   switch#show dot1x interface ethernet 5 detail
   Dot1X Information for Ethernet5
   --------------------------------------------
   PortControl  : auto
   QuietPeriod  : 60 seconds
   TxPeriod     : 5 seconds
   ReauthPeriod : 3600 seconds
   MaxReauthReq : 2

   Dot1X Authenticator Client
   Port Status : Unauthorized
   switch#


show dot1x statistics

The show dot1x statistics command displays 802.1X statistics for the specified port or ports.

Command Mode
EXEC

Command Syntax
   show dot1x INTERFACE_NAME statistics

Parameters

• INTERFACE_NAME Interface type and number. Options include:

   • all Display information for all interfaces.

   • ethernet e_num Ethernet interface specified by e_num.

   • loopback l_num Loopback interface specified by l_num.

   • management m_num Management interface specified by m_num.

   • port-channel p_num Port-Channel Interface specified by p_num.

   • vlan v_num VLAN interface specified by v_num.

Output Fields

• RxStart Number of EAPOL-Start frames received on the port.

• TxReqId Number of EAP-Request/Identity frames transmitted on the port.

• RxVersion Version number of the last EAPOL frame received on the port.

• RxLogoff Number of EAPOL-Logoff frames received on the port.

• RxInvalid Number of invalid EAPOL frames received on the port.

• TxReq Number of transmitted EAP-Request frames that were not EAP-Request/Identity.

• LastRxSrcMAC The source MAC address in the last EAPOL frame received on the port.

• RxRespId The number of EAP-Response/Identity frames received on the port.

• RxTotal The total number of EAPOL frames received on the port.

• TxTotal The total number of EAPOL frames transmitted on the port.

Example

• This command displays the 802.1X statistics for Ethernet interface 5.

   switch#show dot1x interface ethernet 5 statistics
   Dot1X Authenticator Port Statistics for Ethernet5
   -------------------------------------------------
   RxStart   = 0   RxLogoff  = 0   RxRespId = 0
   RxResp    = 0   RxInvalid = 0   RxTotal  = 0
   TxReqId   = 0   TxReq     = 0   TxTotal  = 0
   RxVersion = 0   LastRxSrcMAC = 0000.0000.0000
   switch#


show dot1x all summary

The show dot1x all summary command displays the IEEE 802.1X status for all ports.

Command Mode
EXEC

Command Syntax
   show dot1x all summary

Example

• This command displays the IEEE 802.1X status.

   switch#show dot1x all summary
   Interface    Client    Status
   -------------------------------------------------------------
   Ethernet5    None      Unauthorized
   switch#