802.1x Commands
This chapter provides a description, syntax, and examples of the 802.1X commands. It includes the following commands:
auth-mac
Use this command to enable MAC authentication on an interface.
Use the no parameter with this command to disable MAC authentication on an interface.
Command Syntax
auth-mac
no auth-mac
Parameters
None
Default
No default value is specified.
Command Mode
Interface mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#configure terminal
(config)#interface eth0
(config-if)#auth-mac
(config-if)#commit
#configure terminal
(config)#interface eth0
(config-if)#no auth-mac
(config-if)#commit
auth-mac mode
Use this command to enable MAC authentication mode on an interface.
Use the no parameter with this command to disable MAC authentication mode on an interface.
Command Syntax
auth-mac mode (filter|shutdown)
no auth-mac mode
Parameters
filter
Filter the frames for the MAC when in an unauthorized state.
shutdown
Shut down the interface when the MAC is unauthenticated.
Default
No default value is specified.
Command Mode
Interface mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#configure terminal
(config)#interface eth0
(config-if)#auth-mac mode filter
(config-if)#commit
#configure terminal
(config)#interface eth0
(config-if)#no auth-mac mode
(config-if)#commit
auth-mac dynamic-vlan-creation
Use this command to enable dynamic VLAN creation after successful MAC authentication. Use the no form of the command to disable dynamic VLAN creation.
Command Syntax
auth-mac dynamic-vlan-creation
no auth-mac dynamic-vlan-creation
Parameters
None.
Default
Disabled
Command Mode
Interface mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#interface eth0
(config-if)#no auth-mac dynamic-vlan-creation
#configure terminal
(config)#interface eth0
(config-if)#auth-mac dynamic-vlan-creation
auth-mac mac-aging
Use this command to enable MAC aging. When enabled, an authenticated MAC entry is added to the forwarding database with an aging time equal to the bridge aging time, so the entry is removed when the host goes silent. When MAC aging is disabled, the MAC entry is never aged out and stays in the forwarding database until it is removed administratively or the interface goes down.
Use the no form of this command to disable MAC aging.
Command Syntax
auth-mac mac-aging
no auth-mac mac-aging
Parameters
None.
Default
Disabled.
Command Mode
Interface mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#configure terminal
(config)#interface eth0
(config-if)#no auth-mac mac-aging
#configure terminal
(config)#interface eth0
(config-if)#auth-mac mac-aging
auth-mac system-auth-ctrl
Use this command to enable MAC authentication globally. If MAC authentication is not enabled, other MAC authentication related commands throw an error when issued.
Use the no parameter with this command to disable MAC authentication globally.
Command Syntax
auth-mac system-auth-ctrl
no auth-mac system-auth-ctrl
Parameters
None
Default
MAC authentication is disabled globally.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#auth-mac system-auth-ctrl
(config)#no auth-mac system-auth-ctrl
auth-port
Use this command to specify the UDP port on which the RADIUS server listens for authentication requests.
Use the no parameter with this command to restore the default port (1812).
Command Syntax
auth-port <1-65535>
no auth-port
Parameters
<1-65535>
UDP port number used for RADIUS authentication.
Default
The default value of auth-port is 1812.
Command Mode
Configure Radius server mode
Applicability
This command was introduced before OcNOS Version 6.0.
Examples
#configure terminal
(config)#radius-server dot1x
(config-radius-server)#auth-port 1233
(config-radius-server)#no auth-port 1233
debug dot1x
Use this command to turn on or turn off 802.1x debugging at various levels.
Use the no parameter with this command to turn off debugging.
Command Syntax
debug dot1x (all|)
debug dot1x event
debug dot1x nsm
debug dot1x packet
debug dot1x timer
no debug dot1x (all|)
no debug dot1x event
no debug dot1x nsm
no debug dot1x packet
no debug dot1x timer
Parameters
all
Sets debugging for all 802.1x levels.
event
Sets debugging for 802.1x events.
nsm
Sets debugging for 802.1x NSM information.
packet
Sets debugging for 802.1x packets.
timer
Sets debugging for 802.1x timer.
Default
No default value is specified.
Command Mode
Exec, Privileged Exec, and Configure modes
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#debug dot1x all
(config)#debug dot1x event
dot1x port-control
Use this command to force a port state.
Use the no parameter with this command to remove a port from the 802.1x management.
Command Syntax
dot1x port-control (force-unauthorized|force-authorized|auto)
no dot1x port-control
Parameters
auto
Specify to enable authentication on port.
force-authorized
Specify to force a port to always be in an authorized state.
force-unauthorized
Specify to force a port to always be in an unauthorized state.
Default
The dot1x port-control default is active.
Command Mode
Interface mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#interface eth0
(config-if)#dot1x port-control auto
(config)#interface eth0
(config-if)#no dot1x port-control
dot1x protocol-version
Use this command to set the EAPOL protocol version of dot1x to 1 or 2. The version must match the supplicant (for example, Xsupplicant) attached to that interface.
Use the no parameter with this command to restore the default protocol version (2).
Command Syntax
dot1x protocol-version <1-2>
no dot1x protocol-version
Parameters
<1-2>
Indicates the EAP Over LAN (EAPOL) version.
Default
The default dot1x protocol version is 2.
Command Mode
Interface mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#configure terminal
(config)#interface eth0
(config-if)#dot1x protocol-version 2
(config)#interface eth0
(config-if)#no dot1x protocol-version
dot1x quiet-period
Use this command to set the quiet-period time interval.
When the switch cannot authenticate a client, it stays idle for the quiet-period interval before it tries again. A value lower than the default gives the client a faster retry after a failed attempt; a higher value slows the rate at which a failing or misbehaving supplicant can trigger new authentication exchanges with the RADIUS server.
Use the no parameter with this command to restore the default quiet period (60 seconds).
Command Syntax
dot1x quiet-period <1-65535>
no dot1x quiet-period
Parameter
<1-65535>
Seconds between the retrial of authentication.
Default
The default dot1x quiet-period is 60.
Command Mode
Interface mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#configure terminal
(config)#interface eth0
(config-if)#dot1x quiet-period 200
dot1x reauthMax
Use this command to set the maximum number of reauthentication attempts after which the port is placed in the unauthorized state.
Use the no parameter with this command to restore the default value (2).
Command Syntax
dot1x reauthMax <1-10>
no dot1x reauthMax
Parameter
<1-10>
Indicates the maximum number of reauthentication attempts after which the port will be unauthorized.
Default
The default is 2.
Command Mode
Interface mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
The following sets the maximum reauthentication value to 5.
#configure terminal
(config)#interface eth0
(config-if)#dot1x reauthMax 5
The following sets the reauthentication maximum to the default value.
#configure terminal
(config)#interface eth0
(config-if)#no dot1x reauthMax
dot1x reauthentication
Use this command to enable reauthentication on a port.
Use the no parameter to disable reauthentication on a port.
Command Syntax
dot1x reauthentication
no dot1x reauthentication
Parameters
None
Default
The dot1x reauthentication default is disabled.
Command Mode
Interface mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#interface eth0
(config-if)#dot1x reauthentication
dot1x system-auth-ctrl
Use this command to enable 802.1x authentication globally. Per-interface dot1x port-control settings take effect only when this is enabled.
Use the no parameter to disable 802.1x authentication globally.
Command Syntax
dot1x system-auth-ctrl
no dot1x system-auth-ctrl
Parameters
None
Default
Authentication is off by default.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#configure terminal
(config)#dot1x system-auth-ctrl
dot1x timeout re-authperiod
Use this command to set the interval between reauthentication attempts. It applies only when dot1x reauthentication is enabled on the port.
Use the no parameter to restore the default interval (3600 seconds).
Command Syntax
dot1x timeout re-authperiod <1-4294967295>
no dot1x timeout re-authperiod
Parameter
<1-4294967295>
Specify the seconds between reauthorization attempts.
Default
Default time is 3600 seconds
Command Mode
Interface mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#configure terminal
(config)#interface eth0
(config-if)#dot1x timeout re-authperiod 25
dot1x timeout server-timeout
Use this command to set the authentication server response timeout.
Use the no parameter to restore the default authentication server response timeout (30 seconds).
Command Syntax
dot1x timeout server-timeout <1-65535>
no dot1x timeout server-timeout
Parameter
<1-65535>
Specify the authentication server response timeout.
Default
Default timeout is 30 seconds.
Command Mode
Interface mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#interface eth0
(config-if)#dot1x timeout server-timeout 555
(config)#interface eth0
(config-if)#no dot1x timeout server-timeout
dot1x timeout supp-timeout
Use this command to set the interval the authenticator waits for a supplicant to respond to an EAP request before retransmitting it.
Use the no parameter to restore the default supplicant timeout (30 seconds).
Command Syntax
dot1x timeout supp-timeout <1-65535>
no dot1x timeout supp-timeout
Parameter
<1-65535>
Specify the number of seconds to wait for a supplicant response.
Default
Default timeout is 30 seconds.
Command Mode
Interface mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#configure terminal
(config)#interface eth0
(config-if)#dot1x timeout supp-timeout 40
(config)#interface eth0
(config-if)#no dot1x timeout supp-timeout
dot1x timeout tx-period
Use this command to set the interval between successive EAP-Request/Identity transmissions to a supplicant.
Use the no parameter to restore the default interval (30 seconds).
Command Syntax
dot1x timeout tx-period <1-65535>
no dot1x timeout tx-period
Parameter
<1-65535>
Specify the number of seconds between successive identity requests.
Default
Default timeout is 30 seconds.
Command Mode
Interface mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#interface eth0
(config-if)#dot1x timeout tx-period 34
(config)#interface eth0
(config-if)#no dot1x timeout tx-period
ip radius source-interface
Use this command to set the local source address placed in packets sent to the RADIUS server.
Use the no parameter to clear the local source address.
Command Syntax
ip radius source-interface A.B.C.D <1-65535>
no ip radius source-interface
Parameters
A.B.C.D
Local IPv4 address used as the source address of RADIUS packets sent from this device.
<1-65535>
Port number.
Default
The default port number is 1812.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#ip radius source-interface myhost 1812
(config)#no ip radius source-interface
key-string
Use this command to define, in plain text, the shared secret used by this RADIUS server key.
The secret is stored in encrypted form and is shown as encrypted text when the show running-config command is executed. Because that encrypted form can be re-entered with key-string encrypted, anyone who can read the running configuration can reproduce the key on another device; protect configuration backups accordingly.
Use the no parameter with this command to remove the key.
Command Syntax
key-string WORD
no key-string
Parameter
WORD
Specify a string of characters to be used as a password by the key. The length of the string should be between 1-64 characters.
Default
By default, password is not configured.
Command Mode
Configure Radius server mode
Applicability
This command was introduced in OcNOS Version 6.0.
Examples
#configure terminal
(config)#radius-server dot1x host 1.1.1.1
(config-radius-server)#key-string 1234567890
(config-radius-server)#no key-string
key-string encrypted
Use this command to define a password in its encrypted format to be used by a key.
Use the no parameter with this command to disable this feature.
Command Syntax
key-string encrypted WORD
no key-string
Parameter
WORD
Specify a string of characters to be used as a password by the key. The length of the string should be between 18-130 characters.
Default
By default, password is not configured.
Command Mode
Configure Radius server mode
Applicability
This command was introduced in OcNOS Version 6.0.
Examples
#configure terminal
(config)#radius-server dot1x host 1.1.1.1
(config-radius-server)#key-string encrypted 0x16176d21cc1688d995
(config-radius-server)#no key-string
radius-server dot1x host
Use this command to specify the IPv4 address of a remote RADIUS server host and enter the radius-server sub-mode for it. Multiple radius-server host commands can be used to specify multiple hosts. The software tries hosts in the order they are specified.
If no host-specific timeout, retransmit, or key values are specified, the global values apply to that host.
The authentication port, shared key, retransmit count and timeout for the host are configured in the sub-mode this command enters (see auth-port, key-string, retransmit and timeout). If auth-port is not specified, the default value (1812) is used.
Use the no form of the command to remove a specified RADIUS server.
Command Syntax
radius-server dot1x host (A.B.C.D)
no radius-server dot1x host (A.B.C.D)
Parameters
dot1x
IEEE 802.1X Port-Based Access Control.
A.B.C.D
IPv4 address of the RADIUS server.
Default
The default value of auth-port is 1812.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#radius-server dot1x host 1.1.1.1
(config-radius-server)#
(config)#no radius-server dot1x host 1.1.1.1
retransmit
Use this command to specify the number of times the device transmits each RADIUS request to the server before giving up on it.
Use the no form of this command to restore the default value.
Command Syntax
retransmit <0-100>
no retransmit
Parameter
<0-100>
Specify the retransmit value. Enter a value in the range 0 to 100. If no retransmit value is specified, the global value is used.
Default
The default value is 3.
Command Mode
Configure Radius server mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#radius-server dot1x host 1.1.1.1
(config-radius-server)#retransmit 12
(config-radius-server)#no retransmit
show debugging dot1x
Use this command to display the status of the debugging of the 802.1x system.
Command Syntax
show debugging dot1x
Parameters
None
Command Mode
Privileged Exec mode
Applicability
This command was introduced in OcNOS Version 6.0.
Example
#show debugging dot1x
802.1X debugging status:
show dot1x
Use this command to display IEEE 802.1x port-based access control information.
Command Syntax
show dot1x
show dot1x all
show dot1x host
show dot1x diagnostics interface IFNAME
show dot1x interface IFNAME
show dot1x sessionstatistics interface IFNAME
show dot1x statistics interface IFNAME
Parameters
all
Display all IEEE 802.1x port-based access control information.
host
Show operational radius-server dot1x host information for a specific host (IPv4 address) or for all hosts.
diagnostics
Display diagnostics information.
IFNAME
Interface name.
sessionstatistics
Display the statistics for a session.
statistics
Display the statistics.
Command Mode
Exec mode and Privileged Exec mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
The following is an output of this command displaying the state of the system.
#show dot1x
% 802.1x authentication enabled
% Radius server address: 192.168.1.1.1812
% Radius client address: dhcp128.mySite.com.12103
% Next radius message id: 0
The following is an output of this command displaying detailed information for all ports.
#show dot1x all
% 802.1x authentication enabled
% Radius server address: 192.168.1.1.1812
% Radius client address: dhcp128.mySite.com.12103
% Next radius message id: 0
% Dot1x info for interface eth1 - 3
% portEnabled: true - portControl: auto
% portStatus: unauthorized - currentId: 11
% reAuthenticate: disabled
% abort:F fail:F start:F timeout:F success:F
% PAE: state: connecting - portMode: auto
% PAE: reAuthCount: 2 - rxRespId: 0
% PAE: quietPeriod: 60 - reauthMax: 2 - txPeriod: 30
% BE: state: idle - reqCount: 0 - idFromServer: 0
% BE: suppTimeout: 30 - serverTimeout: 30 - maxReq: 2
% CD: adminControlledDirections: in - operControlledDirections: in
% CD: bridgeDetected: false
% KR: rxKey: false
% KT: keyAvailable: false - keyTxEnabled: false
The following tables describe the output of the show dot1x command.
Table 8-18: Port variables
Entry | Description
--- | ---
portEnabled | Interface operational status (up: true, down: false)
portControl | Current 802.1x control setting of the port (auto, force-authorized, force-unauthorized)
portStatus | 802.1x status of the port (authorized/unauthorized)
reAuthenticate | Reauthentication enabled/disabled status on the port
reAuthPeriod | Reauthentication period in seconds
Table 8-19: Supplicant PAE related global variables
Entry | Description
--- | ---
abort | Abort authentication when true
fail | Failed authentication attempt when true
start | Start authentication when true
timeout | Authentication attempt timed out when true
success | Authentication successful when true
Table 8-20: 802.1x Operational state of interface
Entry | Description
--- | ---
portMode | Configured 802.1x port control mode
reAuthCount | Reauthentication count
quietPeriod | Seconds the authenticator stays idle after a failed authentication before it retries (see dot1x quiet-period)
reAuthMax | Maximum reauthentication attempts (see dot1x reauthMax)
txPeriod | Seconds between successive EAP-Request/Identity transmissions (see dot1x timeout tx-period)
Table 8-21: Backend authentication state machine variables and constants
Entry | Description
--- | ---
state | State of the backend authentication state machine
reqCount | Number of requests sent to the server
suppTimeout | Number of seconds the port waits for a response when relaying a request from the authentication server to the supplicant before resending the request
serverTimeout | Number of seconds the port waits for a reply when relaying a response from the supplicant to the authentication server before timing out
maxReq | Maximum number of times a request packet is retransmitted to the supplicant before the authentication session times out
Table 8-22: Controlled directions state machine
Entry | Description
--- | ---
adminControlledDirections | Administrative value (Both/In)
operControlledDirections | Operational value (Both/In)
Table 8-23: KR -- Key receive state machine
Entry | Description
--- | ---
rxKey | True when an EAPOL-Key message has been received by the supplicant or authenticator; false once the key has been transmitted
Table 8-24: Key Transmit state machine
Entry | Description
--- | ---
keyAvailable | False when the key has been transmitted by the authenticator, true when a new key is available for key exchange
keyTxEnabled | Key transmission enabled/disabled status
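The show dot1x all output above is what an auditor reads when checking whether port authentication is actually enforced. The following is an added example in Python, not OcNOS code: it parses the %-prefixed transcript format shown on this page and reports the weak states a practitioner looks for first (a port set to force-authorized, reauthentication disabled, a very short quiet period, controlled direction In). The transcript it runs over is constructed for the example; the PAE state name used for the second interface (forceAuth) and the severity thresholds are assumptions, not values taken from this page.

```python
import re

# Constructed sample transcript in the format shown on this page: eth1 is
# hardened (auto, reauthentication on); eth2 has been switched to
# force-authorized, which bypasses 802.1X entirely.
SAMPLE_OUTPUT = """\
% 802.1x authentication enabled
% Radius server address: 192.168.1.1.1812
% Radius client address: dhcp128.mySite.com.12103
% Next radius message id: 0
% Dot1x info for interface eth1 - 3
% portEnabled: true - portControl: auto
% portStatus: authorized - currentId: 11
% reAuthenticate: enabled
% abort:F fail:F start:F timeout:F success:T
% PAE: state: authenticated - portMode: auto
% PAE: reAuthCount: 0 - rxRespId: 0
% PAE: quietPeriod: 60 - reauthMax: 2 - txPeriod: 30
% BE: state: idle - reqCount: 0 - idFromServer: 0
% BE: suppTimeout: 30 - serverTimeout: 30 - maxReq: 2
% CD: adminControlledDirections: in - operControlledDirections: in
% CD: bridgeDetected: false
% KR: rxKey: false
% KT: keyAvailable: false - keyTxEnabled: false
% Dot1x info for interface eth2 - 4
% portEnabled: true - portControl: force-authorized
% portStatus: authorized - currentId: 0
% reAuthenticate: disabled
% abort:F fail:F start:F timeout:F success:F
% PAE: state: forceAuth - portMode: force-authorized
% PAE: reAuthCount: 0 - rxRespId: 0
% PAE: quietPeriod: 1 - reauthMax: 10 - txPeriod: 30
% BE: state: idle - reqCount: 0 - idFromServer: 0
% BE: suppTimeout: 30 - serverTimeout: 30 - maxReq: 2
% CD: adminControlledDirections: both - operControlledDirections: both
"""

GROUP_RE = re.compile(r"^(PAE|BE|CD|KR|KT):\s+(.*)$")   # state-machine prefix
IFACE_RE = re.compile(r"^Dot1x info for interface (\S+)")


def parse_show_dot1x(text):
    """Return (auth_enabled, ports); ports maps interface -> {field: value}.
    Fields from a prefixed line are keyed "PAE.state", "BE.state", etc. so the
    two "state" fields do not collide."""
    auth_enabled, ports, current = None, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("%"):
            continue
        line = line[1:].strip()
        if line.startswith("802.1x authentication"):
            auth_enabled = line.split()[-1] == "enabled"
            continue
        m = IFACE_RE.match(line)
        if m:
            current = ports.setdefault(m.group(1), {})
            continue
        if current is None:      # global RADIUS lines; not needed per port
            continue
        prefix = ""
        g = GROUP_RE.match(line)
        if g:
            prefix, line = g.group(1) + ".", g.group(2)
        for field in line.split(" - "):
            if ": " in field:
                key, val = field.split(": ", 1)
                current[prefix + key.strip()] = val.strip()
            else:                # flag line: "abort:F fail:F start:F ..."
                for token in field.split():
                    key, _, val = token.partition(":")
                    current[prefix + key] = val
    return auth_enabled, ports


def audit_dot1x(text, min_quiet_period=10):
    """Return (interface, severity, message) findings, weakest states first per port."""
    auth_enabled, ports = parse_show_dot1x(text)
    findings = []
    if auth_enabled is False:
        findings.append(("global", "HIGH", "802.1x authentication disabled globally "
                         "(dot1x system-auth-ctrl); port-control settings have no effect"))
    for name, p in sorted(ports.items()):
        control = p.get("portControl")
        if control == "force-authorized":
            findings.append((name, "HIGH", "portControl force-authorized: traffic is "
                             "forwarded without any authentication"))
        elif control == "auto":
            if p.get("reAuthenticate") == "disabled":
                findings.append((name, "MEDIUM", "reauthentication disabled: an authorized "
                                 "session is never re-validated while the link stays up"))
            if p.get("portStatus") == "unauthorized":
                findings.append((name, "INFO", "currently unauthorized (PAE state "
                                 f"{p.get('PAE.state', '?')})"))
        qp = p.get("PAE.quietPeriod", "")
        if qp.isdigit() and int(qp) < min_quiet_period:   # threshold is an assumption
            findings.append((name, "LOW", f"quietPeriod {qp} s is below {min_quiet_period} s: "
                             "a failing supplicant can retry almost continuously against RADIUS"))
        if p.get("CD.operControlledDirections") == "in":
            findings.append((name, "INFO", "controlled direction In: only inbound frames are "
                             "blocked while unauthorized; the switch still transmits out of the port"))
    return findings


if __name__ == "__main__":
    for iface, severity, msg in audit_dot1x(SAMPLE_OUTPUT):
        print(f"{severity:6} {iface:6} {msg}")
```

Paste a real transcript in place of SAMPLE_OUTPUT, or read it from a file captured over the management session; the parser only relies on the "% " prefix, the "Dot1x info for interface" header and the " - " field separator shown on this page.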
timeout
Use this command to specify the number of seconds the device waits for a reply to a RADIUS request before retransmitting the request.
Use the no parameter to restore the default value (5 seconds).
Command Syntax
timeout <0-60>
no timeout
Parameter
<0-60>
RADIUS server timeout period in seconds.
Default
The default value is 5 seconds.
Command Mode
Configure Radius server mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#radius-server dot1x host 1.1.1.1
(config-radius-server)#timeout 20
(config-radius-server)#no timeout
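The timeout and retransmit values above apply per RADIUS host, while dot1x timeout server-timeout bounds the same exchange from the authenticator side, and dot1x quiet-period decides how long a failed supplicant waits before the next attempt. The following is an added example in Python, not OcNOS code, that works out how these timers combine using the defaults and ranges given on this page: one host at defaults is tried for (retransmit + 1) x timeout = 20 s, which fits inside the 30 s server-timeout, but a second host at the same defaults pushes the total to 40 s. The model it applies is an assumption, not something this page states: hosts are tried in configuration order, retransmit counts retries after the first send (so 0 means a single attempt), and the PAE fails the exchange when server-timeout expires even though the RADIUS client may still be retransmitting.

```python
from dataclasses import dataclass

# Ranges accepted by the CLI on this page.
TIMEOUT_RANGE = (0, 60)            # timeout <0-60>
RETRANSMIT_RANGE = (0, 100)        # retransmit <0-100>
SERVER_TIMEOUT_RANGE = (1, 65535)  # dot1x timeout server-timeout <1-65535>
QUIET_PERIOD_RANGE = (1, 65535)    # dot1x quiet-period <1-65535>


@dataclass(frozen=True)
class RadiusHost:
    address: str
    timeout: int = 5       # page default for timeout
    retransmit: int = 3    # page default for retransmit


def _outside(value, bounds):
    lo, hi = bounds
    return value < lo or value > hi


def timer_errors(hosts, server_timeout=30, quiet_period=60):
    """List values that the CLI would reject, so a plan is checked before it is typed in."""
    errors = []
    for h in hosts:
        if _outside(h.timeout, TIMEOUT_RANGE):
            errors.append(f"{h.address}: timeout {h.timeout} outside 0-60")
        if _outside(h.retransmit, RETRANSMIT_RANGE):
            errors.append(f"{h.address}: retransmit {h.retransmit} outside 0-100")
    if _outside(server_timeout, SERVER_TIMEOUT_RANGE):
        errors.append(f"server-timeout {server_timeout} outside 1-65535")
    if _outside(quiet_period, QUIET_PERIOD_RANGE):
        errors.append(f"quiet-period {quiet_period} outside 1-65535")
    return errors


def host_wait(host):
    """Seconds spent on one unresponsive host: the first send plus `retransmit`
    retries, each waited for `timeout` seconds (assumed retry semantics)."""
    return (host.retransmit + 1) * host.timeout


def hosts_reached(hosts, server_timeout):
    """How many hosts, in configuration order, get at least one request before
    the authenticator's server-timeout expires (assumed model)."""
    elapsed, count = 0, 0
    for h in hosts:
        if elapsed >= server_timeout:
            break
        count += 1
        elapsed += host_wait(h)
    return count


def check_timers(hosts, server_timeout=30, quiet_period=60):
    """Worst case for a supplicant when every configured RADIUS host is down."""
    radius_total = sum(host_wait(h) for h in hosts)
    effective = min(radius_total, server_timeout)
    return {
        "radius_total": radius_total,         # how long the RADIUS client keeps trying
        "server_timeout": server_timeout,
        "effective_wait": effective,          # when the PAE gives up on this exchange
        "exceeds_server_timeout": radius_total > server_timeout,
        "hosts_reached": hosts_reached(hosts, server_timeout),
        "retry_cycle": effective + quiet_period,  # until the supplicant's next attempt
    }


if __name__ == "__main__":
    plan = [RadiusHost("1.1.1.1"), RadiusHost("2.2.2.2"), RadiusHost("3.3.3.3")]
    print(timer_errors(plan) or "ranges ok")
    for k, v in check_timers(plan).items():
        print(f"{k:24} {v}")
```

With three hosts at the page defaults the model shows the third host never receiving a request before server-timeout fires, so either raise dot1x timeout server-timeout or lower timeout and retransmit on the hosts until hosts_reached covers every server that is expected to provide failover.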