802.1x Commands
This chapter provides a description, syntax, and examples of the 802.1X commands. It includes the following commands:
auth-mac auth-fail-action
Use this command to specify the required action after authentication fails for any source MAC (Media Access Control). If drop-traffic is specified, data destined to that MAC is dropped. The MAC will be added to the forwarding database in Discarded mode.
If restrict-vlan is specified, the unauthorized MAC is added to a restricted VLAN. The MAC will be added to the forwarding database in Forwarding mode.
Command Syntax
auth-mac auth-fail-action (restrict-vlan <2-4094>|drop-traffic)
Parameters
drop-traffic
Drops traffic destined to the unauthorized source MAC.
restrict-vlan
Adds the unauthorized MAC address to the restricted VLAN.
<2-4094>
Identity of the VLAN in the range of <2-4094>.
Default
drop-traffic
Command Mode
Interface mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#configure terminal
(config)#interface eth0
(config-if)#auth-mac auth-fail-action restrict-vlan 12
auth-mac disable
Use this command to disable MAC authentication on an interface. See the auth-mac enable command to enable MAC authentication on an interface.
Command Syntax
auth-mac disable
auth-mac disable mode (filter|shutdown)
Parameters
mode
Use this parameter to disable the MAC authentication mode on an interface.
filter
Filter the frames for the MAC when in an unauthorized state.
shutdown
Shut down the interface when the MAC is unauthenticated.
Default
No default value is specified.
Command Mode
Interface mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#configure terminal
(config)#interface eth0
(config-if)#auth-mac disable
 
#configure terminal
(config)#interface eth0
(config-if)#auth-mac disable mode filter
 
(config)#interface eth0
(config-if)#auth-mac disable mode shutdown
auth-mac dynamic-vlan-creation
Use this command to enable or disable dynamic VLAN creation after successful MAC authentication.
Command Syntax
auth-mac dynamic-vlan-creation (enable|disable)
Parameters
disable
Disables dynamic VLAN creation: after a successful authentication, the MAC is added to the forwarding database in the default VLAN.
enable
Enables dynamic VLAN creation: after a successful authentication, the MAC under authentication is added to the VLAN given by the VLAN identifier attribute in the RADIUS server configuration.
Default
Disabled
Command Mode
Interface mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#interface eth0
(config-if)#auth-mac dynamic-vlan-creation disable
 
#configure terminal
(config)#interface eth0
(config-if)#auth-mac dynamic-vlan-creation enable
auth-mac enable
Use this command to enable MAC authentication on an interface. See the auth-mac disable command to disable MAC authentication on an interface.
Command Syntax
auth-mac enable
auth-mac enable mode (filter|shutdown)
Parameters
mode
Use this parameter to enable the MAC authentication mode on an interface.
filter
Filter the frames for the MAC when in an unauthorized state.
shutdown
Shut down the interface when the MAC is unauthenticated.
Default
By default, MAC authentication is globally disabled on the device.
Command Mode
Interface mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#configure terminal
(config)#interface eth0
(config-if)#auth-mac enable
 
#configure terminal
(config)#interface eth0
(config-if)#auth-mac enable mode filter
 
(config)#interface eth0
(config-if)#auth-mac enable mode shutdown
auth-mac mac-aging
Use this command to enable or disable MAC aging. When enabled, the MAC entry is added to the forwarding database with an aging time equal to the bridge aging time. When disabled, the MAC entry is never aged out.
Command Syntax
auth-mac mac-aging (enable|disable)
Parameters
disable
Disables MAC aging.
enable
Enables MAC aging.
Default
Disabled.
Command Mode
Interface mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#configure terminal
(config)#interface eth0
(config-if)#auth-mac mac-aging disable
 
#configure terminal
(config)#interface eth0
(config-if)#auth-mac mac-aging enable
auth-mac system-auth-ctrl
Use this command to enable MAC authentication globally. If MAC authentication is not enabled, other MAC authentication related commands throw an error when issued.
Use the no parameter with this command to disable MAC authentication globally.
Command Syntax
auth-mac system-auth-ctrl
no auth-mac system-auth-ctrl
Parameters
None
Default
MAC authentication is globally disabled.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#auth-mac system-auth-ctrl
 
(config)#no auth-mac system-auth-ctrl
debug dot1x
Use this command to turn on or turn off 802.1x debugging at various levels.
Use the no parameter with this command or the undebug command to turn off debugging.
Command Syntax
debug dot1x (all|)
debug dot1x event
debug dot1x nsm
debug dot1x packet
debug dot1x timer
no debug dot1x (all|)
no debug dot1x event
no debug dot1x nsm
no debug dot1x packet
no debug dot1x timer
undebug dot1x (all|)
undebug dot1x event
undebug dot1x packet
undebug dot1x nsm
undebug dot1x timer
Parameters
all
Sets debugging for all 802.1x levels.
event
Sets debugging for 802.1x events.
nsm
Sets debugging for 802.1x NSM information.
packet
Sets debugging for 802.1x packets.
timer
Sets debugging for 802.1x timer.
Default
No default value is specified.
Command Mode
Exec, Privileged Exec, and Configure modes
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#debug dot1x all
(config)#debug dot1x event
dot1x initialize
Use this command to unauthorize a port, and attempt reauthentication on the specified interface.
Command Syntax
dot1x initialize interface IFNAME
Parameters
interface
Interface name.
Default
No default value is specified.
Command Mode
Privileged Exec
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#dot1x initialize interface eth0
dot1x keytxenabled
Use this command to enable or disable key transmission over an Extensible Authentication Protocol (EAP) packet between the authenticator and supplicant.
Command Syntax
dot1x keytxenabled (enable|disable)
Parameters
disable
Disables the key transmission.
enable
Enables the key transmission.
Default
The dot1x keytxenabled default is disabled.
Command Mode
Interface mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#configure terminal
(config)#interface eth0
(config-if)#dot1x keytxenabled disable
 
#configure terminal
(config)#interface eth0
(config-if)#dot1x keytxenabled enable
dot1x port-control
Use this command to force a port state.
Use the no parameter with this command to remove a port from 802.1x management.
Command Syntax
dot1x port-control dir (in|both)
dot1x port-control (force-unauthorized|force-authorized|auto)
no dot1x port-control
Parameters
auto
Specify to enable authentication on the port.
dir
Specify the packet control direction.
both
Discard received and transmitted packets from the supplicant.
in
Discard received packets from the supplicant.
force-authorized
Specify to force a port to always be in an authorized state.
force-unauthorized
Specify to force a port to always be in an unauthorized state.
Default
The dot1x port-control default is active.
Command Mode
Interface mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#interface eth0
(config-if)#dot1x port-control auto
 
(config)#interface eth0
(config-if)#no dot1x port-control
dot1x protocol-version
Use this command to set the dot1x protocol version to 1 or 2. The protocol version must match the Xsupplicant used on that interface.
Use the no parameter with this command to set the protocol version to the default value (2).
Command Syntax
dot1x protocol-version <1-2>
no dot1x protocol-version
Parameters
<1-2>
Indicates the EAP Over LAN (EAPOL) version.
Default
The default dot1x protocol version is 2.
Command Mode
Interface mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#configure terminal
(config)#interface eth0
(config-if)#dot1x protocol-version 2
 
(config)#interface eth0
(config-if)#no dot1x protocol-version
dot1x quiet-period
Use this command to set the quiet-period time interval.
When a switch cannot authenticate a client, it remains idle for the quiet-period interval and then tries again. Setting a quiet-period interval lower than the default gives a faster response time.
Use the no parameter with this command to set the configured quiet period to the default (60 seconds).
Command Syntax
dot1x quiet-period <1-65535>
no dot1x quiet-period
Parameter
<1-65535>
Seconds between the retrial of authentication.
Default
The default quiet period is 60 seconds.
Command Mode
Interface mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#configure terminal
(config)#interface eth0
(config-if)#dot1x quiet-period 200
dot1x reauthMax
Use this command to set the maximum number of reauthentication attempts after which the port will be unauthorized.
Use the no parameter with this command to set the reauthentication maximum to the default value (2).
Command Syntax
dot1x reauthMax <1-10>
no dot1x reauthMax
Parameter
<1-10>
Indicates the maximum number of reauthentication attempts after which the port will be unauthorized.
Default
The default is 2.
Command Mode
Interface mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
The following sets the maximum reauthentication value to 5.
#configure terminal
(config)#interface eth0
(config-if)#dot1x reauthMax 5
The following sets the reauthentication maximum to the default value.
#configure terminal
(config)#interface eth0
(config-if)#no dot1x reauthMax
dot1x reauthentication
Use this command to enable reauthentication on a port.
Use the no parameter to disable reauthentication on a port.
Command Syntax
dot1x reauthentication
no dot1x reauthentication
Parameters
None
Default
The dot1x reauthentication default is disabled.
Command Mode
Interface mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#interface eth0
(config-if)#dot1x reauthentication
dot1x system-auth-ctrl
Use this command to enable authentication globally.
Use the no parameter to disable authentication globally.
Command Syntax
dot1x system-auth-ctrl
no dot1x system-auth-ctrl
Parameters
None
Default
Authentication is off by default.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#configure terminal
(config)#dot1x system-auth-ctrl
dot1x timeout re-authperiod
Use this command to set the interval between reauthorization attempts.
Use the no parameter to disable the interval between reauthorization attempts.
Command Syntax
dot1x timeout re-authperiod <1-4294967295>
no dot1x timeout re-authperiod
Parameter
<1-4294967295>
Specify the seconds between reauthorization attempts.
Default
Default time is 3600 seconds
Command Mode
Interface mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#configure terminal
(config)#interface eth0
(config-if)#dot1x timeout re-authperiod 25
dot1x timeout server-timeout
Use this command to set the authentication server response timeout.
Use the no parameter to disable the authentication server response timeout.
Command Syntax
dot1x timeout server-timeout <1-65535>
no dot1x timeout server-timeout
Parameter
<1-65535>
Specify the authentication server response timeout.
Default
Default timeout is 30 seconds.
Command Mode
Interface mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#interface eth0
(config-if)#dot1x timeout server-timeout 555
 
(config)#interface eth0
(config-if)#no dot1x timeout server-timeout
 
dot1x timeout supp-timeout
Use this command to set the interval for a supplicant to respond.
Use the no parameter to reset the supplicant response timeout to the default.
Command Syntax
dot1x timeout supp-timeout <1-65535>
no dot1x timeout supp-timeout
Parameter
<1-65535>
Specify the seconds the authenticator waits for the supplicant to respond.
Default
Default timeout is 30 seconds.
Command Mode
Interface mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#configure terminal
(config)#interface eth0
(config-if)#dot1x timeout supp-timeout 40
 
(config)#interface eth0
(config-if)#no dot1x timeout supp-timeout
dot1x timeout tx-period
Use this command to set the interval between successive attempts to request an ID.
Use the no parameter to disable the interval between successive attempts to request an ID.
Command Syntax
dot1x timeout tx-period <1-65535>
no dot1x timeout tx-period
Parameter
<1-65535>
Specify the seconds between successive attempts to request an ID.
Default
Default timeout is 30 seconds.
Command Mode
Interface mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#interface eth0
(config-if)#dot1x timeout tx-period 34
 
(config)#interface eth0
(config-if)#no dot1x timeout tx-period
ip radius source-interface
Use this command to set the local address sent in packets to the radius server.
Use the no parameter to clear the local address.
Command Syntax
ip radius source-interface HOSTNAME PORT
no ip radius source-interface
Parameters
HOSTNAME
Specify the RADIUS client address, as a dotted IP address or a hostname.
PORT
Specify the radius client port number. The default port number is 1812.
Default
The default port number is 1812.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#ip radius source-interface myhost 1812
 
(config)#no ip radius source-interface
radius-server dot1x deadtime
Use this command to specify the number of minutes a radius server, which is not responding to authentication requests, is passed over by requests for radius authentication. To improve radius response times when some servers might be unavailable, use this command to cause the unavailable servers to be skipped immediately.
Use the no form of this command to set deadtime to the default value of 0.
Command Syntax
radius-server dot1x deadtime MIN
no radius-server dot1x deadtime
Parameter
dot1x
IEEE 802.1X Port-Based Access Control.
MIN
Length of time (in minutes) that a radius server is skipped over by transaction requests, up to a maximum of 1440 minutes (24 hours). Enter a value in the range 1 to 1440.
Default
Deadtime is set to 0
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#radius-server dot1x deadtime 10
 
(config)#no radius-server dot1x deadtime
radius-server dot1x host
Use this command to specify the IP address or host name of the remote radius server host and assign authentication and accounting destination port numbers. Multiple radius-server host commands can be used to specify multiple hosts. The software searches for hosts in the order they are specified. If no host-specific timeout, retransmit, or key values are specified, the global values apply to that host.
If the auth-port parameter is not specified, the default auth-port value is used. When unconfiguring, if you do not specify the auth-port and the default auth-port does not match the port that was configured, the specified radius-server host is not unconfigured.
Use the no form of the command to unconfigure a specified radius-server.
Command Syntax
radius-server dot1x host (A.B.C.D|HOSTNAME|X:X::X:X)(|(key ((0 WORD) | (7 WORD) | (WORD))(|(auth-port <0-65535> (|(timeout <1-60> (|(retransmit <1-100>)))))))
no radius-server dot1x host (A.B.C.D|HOSTNAME|X:X::X:X)(|(key ((0 WORD) | (7 WORD) | (WORD))(|(auth-port <0-65535> (|(timeout (|(retransmit <1-100>)))))))
Parameters
dot1x
IEEE 802.1X Port-Based Access Control.
A.B.C.D
IPv4 address of the RADIUS server.
HOSTNAME
Host name or DNS name of the RADIUS server.
X:X::X:X
IPv6 address of the RADIUS server.
auth-port
RADIUS server's port for authentication.
key
Specify the global shared key.
retransmit
Global RADIUS server retransmit count.
timeout
Specify the RADIUS server timeout (default: 5 seconds).
0
To specify shared key in clear-text form.
7
To specify shared key in encrypted form.
WORD
RADIUS shared secret (clear text) (Max Size 63).
<0-65535>
Port number.
<1-100>
Global RADIUS server retransmit count.
<1-60>
RADIUS server timeout period in seconds.
Default
The default value of auth-port is 1645.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#radius-server dot1x host hostname auth-port 1233 timeout 1 retransmit 2
 
(config)#no radius-server dot1x host hostname auth-port 1233
radius-server dot1x key
Use this command to set the shared secret key between a Radius server and a client.
Use the no form of the command to undo this configuration.
Command Syntax
radius-server dot1x key ((0 WORD) | (7 WORD) | (WORD))
no radius-server dot1x key ((0 WORD) | (7 WORD) | (WORD))
Parameter
dot1x
IEEE 802.1X Port-Based Access Control.
0
To specify shared key in clear-text form.
7
To specify shared key in encrypted form.
WORD
Shared secret among radius server and 802.1X client (Max Size 63).
Default
No default value is specified.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#radius-server dot1x key 0 abcd
 
#configure terminal
(config)#no radius-server dot1x key 0 abcd
radius-server dot1x retransmit
Use this command to specify the number of times the router transmits each radius request to the server before giving up.
Use the no form of this command to disable retransmission.
Command Syntax
radius-server dot1x retransmit RETRIES
no radius-server dot1x retransmit
Parameter
dot1x
IEEE 802.1X Port-Based Access Control.
RETRIES
Specify the retransmit value. Enter a value in the range 1 to 100. If no retransmit value is specified, the global value is used.
Default
The default value is 3.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#radius-server dot1x retransmit 12
 
(config)#no radius-server dot1x retransmit
radius-server dot1x timeout
Use this command to specify the number of seconds a router waits for a reply to a radius request before retransmitting the request.
Use the no parameter to use the default value.
Command Syntax
radius-server dot1x timeout <1-60>
no radius-server dot1x timeout
Parameter
dot1x
IEEE 802.1X Port-Based Access Control.
<1-60>
RADIUS server timeout period in seconds.
Default
The default value is 5 seconds.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#radius-server dot1x timeout 20
 
#configure terminal
(config)#no radius-server dot1x timeout
show debugging dot1x
Use this command to display the status of the debugging of the 802.1x system.
Command Syntax
show debugging dot1x
Parameters
None
Command Mode
Privileged Exec mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#show debugging dot1x
802.1X debugging status:
 
show dot1x
Use this command to display IEEE 802.1x port-based access control information.
Command Syntax
show dot1x
show dot1x all
show dot1x diagnostics interface IFNAME
show dot1x interface IFNAME
show dot1x sessionstatistics interface IFNAME
show dot1x statistics interface IFNAME
Parameters
all
Display all IEEE 802.1x port-based access control information.
diagnostics
Display diagnostics information.
IFNAME
Interface name.
sessionstatistics
 
Display the statistics for a session.
statistics
Display the statistics.
Command Mode
Exec mode and Privileged Exec mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
The following is an output of this command displaying the state of the system.
#show dot1x
% 802.1x authentication enabled
% Radius server address: 192.168.1.1.1812
% Radius client address: dhcp128.mySite.com.12103
% Next radius message id: 0
The following is an output of this command displaying detailed information for all ports.
#show dot1x all
% 802.1x authentication enabled
% Radius server address: 192.168.1.1.1812
% Radius client address: dhcp128.mySite.com.12103
% Next radius message id: 0
% Dot1x info for interface eth1 - 3
% portEnabled: true - portControl: auto
% portStatus: unauthorized - currentId: 11
% reAuthenticate: disabled
% abort:F fail:F start:F timeout:F success:F
% PAE: state: connecting - portMode: auto
% PAE: reAuthCount: 2 - rxRespId: 0
% PAE: quietPeriod: 60 - reauthMax: 2 - txPeriod: 30
% BE: state: idle - reqCount: 0 - idFromServer: 0
% BE: suppTimeout: 30 - serverTimeout: 30 - maxReq: 2
% CD: adminControlledDirections: in - operControlledDirections: in
% CD: bridgeDetected: false
% KR: rxKey: false
% KT: keyAvailable: false - keyTxEnabled: false
The following tables describe the output of the show dot1x command.
 
Table 8-21: Port variables
Entry
Description
portEnabled
Interface operational status (Up-true/down-false)
portControl
Current control status of the port for 802.1x control
portStatus
802.1x status of the port (authorized/unauthorized)
reAuthenticate
Reauthentication enabled/disabled status on port
reAuthPeriod
Reauthentication period
 
Table 8-22: Supplicant PAE related global variables 
Entry
Description
abort
Abort authentication when true
fail
Failed authentication attempt when false
start
Start authentication when true
timeout
Authentication attempt timed out when true
success
Authentication successful when true
 
Table 8-23: 802.1x Operational state of interface
Entry
Description
mode
Configured 802.1x mode
reAuthCount
Reauthentication count
quietperiod
Time between reauthentication attempts
reAuthMax
Maximum reauthentication attempts
 
Table 8-24: Backend authentication state machine variables and constants
Entry
Description
state
State of the port.
reqCount
Number of requests sent to server
suppTimeout
Number of seconds the port waits for a response when relaying a request from the authentication server to the supplicant before resending the request.
serverTimeout
Number of seconds the port waits for a reply when relaying a response from the supplicant to the authentication server before timing out.
maxReq
Maximum number of times a request packet is retransmitted to the supplicant before the authentication session times out.
 
Table 8-25: Controlled directions state machine
Entry
Description
adminControlledDirections
Administrative value (Both/In)
operControlledDirections
Operational Value (Both/In)
 
Table 8-26: KR -- Key receive state machine
Entry
Description
rxKey
True when an EAPOL-Key message is received by the supplicant or authenticator. False when the key is transmitted.
 
Table 8-27: Key Transmit state machine
Entry
Description
keyAvailable
False when key has been transmitted by authenticator, true when new key is available for key exchange
keyTxEnabled
Key transmission enabled/disabled status
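As an added example, not part of the OcNOS documentation, a small Python audit that parses the show dot1x all output format shown above and flags ports whose settings weaken port-based access control: force-authorized ports, reauthentication disabled, ingress-only control direction, and link-up ports still unauthorized. The sample output is constructed from the eth1 block above (trimmed to the fields the audit reads); the eth2 block and the finding texts are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the "show dot1x all" output in this chapter.
# eth1 mirrors the documented block; eth2 is invented to show a port that
# bypasses authentication entirely.
SAMPLE_OUTPUT = """\
% 802.1x authentication enabled
% Radius server address: 192.168.1.1.1812
% Dot1x info for interface eth1 - 3
% portEnabled: true - portControl: auto
% portStatus: unauthorized - currentId: 11
% reAuthenticate: disabled
% abort:F fail:F start:F timeout:F success:F
% PAE: quietPeriod: 60 - reauthMax: 2 - txPeriod: 30
% CD: adminControlledDirections: in - operControlledDirections: in
% Dot1x info for interface eth2 - 4
% portEnabled: true - portControl: force-authorized
% portStatus: authorized - currentId: 3
% reAuthenticate: enabled
% abort:F fail:F start:F timeout:F success:T
% PAE: quietPeriod: 60 - reauthMax: 2 - txPeriod: 30
% CD: adminControlledDirections: both - operControlledDirections: both
"""

HEADER_RE = re.compile(r"^%\s*Dot1x info for interface (\S+)")
# "name: value" pairs on one line, including the spaceless "abort:F" form.
PAIR_RE = re.compile(r"(\w+):\s*(\S+)")
# Strip the "% " prompt and the state-machine tag (PAE/BE/CD/KR/KT).
PREFIX_RE = re.compile(r"^%\s*(?:(?:PAE|BE|CD|KR|KT):\s*)?")


def parse_dot1x_all(text: str) -> Dict[str, Dict[str, str]]:
    """Return {interface: {variable: value}} from 'show dot1x all' output."""
    ports: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = header.group(1)
            ports[current] = {}
            continue
        if current is None:
            continue  # global lines before the first interface block
        for key, value in PAIR_RE.findall(PREFIX_RE.sub("", line)):
            ports[current][key] = value
    return ports


def audit_dot1x(text: str) -> Dict[str, List[str]]:
    """Flag per-port settings that weaken port-based access control."""
    findings: Dict[str, List[str]] = {}
    if "802.1x authentication enabled" not in text:
        findings["global"] = ["802.1x not enabled (dot1x system-auth-ctrl)"]
    for name, v in parse_dot1x_all(text).items():
        issues: List[str] = []
        if v.get("portControl") == "force-authorized":
            issues.append("force-authorized: traffic passes without authentication")
        if v.get("reAuthenticate") == "disabled":
            issues.append("reauthentication disabled: session is never re-validated")
        if v.get("adminControlledDirections") == "in":
            issues.append("control direction 'in': frames toward supplicant still sent")
        if v.get("portEnabled") == "true" and v.get("portStatus") == "unauthorized":
            issues.append("link up but unauthorized (currentId %s)" % v.get("currentId", "?"))
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for port, issues in audit_dot1x(SAMPLE_OUTPUT).items():
        for issue in issues:
            print(f"{port}: {issue}")
```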
snmp restart auth
Use this command to restart SNMP in Authentication.
Command Syntax
snmp restart auth
Parameters
None
Default
The default port is UDP 162.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#snmp restart auth