OcNOS-SP : Layer 2 Guide : Layer 2 Command Reference : 802.1x Commands
802.1x Commands
This chapter describes the 802.1X commands.
auth-mac
Use this command to enable standalone MAC-based authentication at the interface level.
Use the no form of this command to disable MAC-based authentication and remove auth-mac from the interface.
Command Syntax
auth-mac
no auth-mac
Parameters
None.
Default
Disabled by default; no command message is displayed.
Command Mode
Interface mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#configure terminal
(config)#interface eth0
(config-if)#auth-mac
(config-if)#commit
 
#configure terminal
(config)#interface eth0
(config-if)#no auth-mac
(config-if)#commit
(config-if)#end
auth-mac mode
Use this command to enable MAC authentication mode on an interface.
Use the no parameter with this command to disable MAC authentication mode on an interface.
Command Syntax
auth-mac mode (filter|shutdown)
no auth-mac mode
Parameters
filter
Filter the frames for the MAC when in an unauthorized state.
shutdown
Shut down the interface when the MAC is unauthenticated.
Default
No default value is specified.
Command Mode
Interface mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#configure terminal
(config)#interface eth0
(config-if)#auth-mac mode filter
(config-if)#commit
 
#configure terminal
(config)#interface eth0
(config-if)#no auth-mac mode
(config-if)#commit
auth-mac system-auth-ctrl
Use this command to enable MAC authentication globally. If MAC authentication is not enabled, other MAC authentication related commands throw an error when issued.
Use the no parameter with this command to disable MAC authentication globally.
Command Syntax
auth-mac system-auth-ctrl
no auth-mac system-auth-ctrl
Parameters
None
Default
Authentication system messages are not displayed.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#auth-mac system-auth-ctrl
 
(config)#no auth-mac system-auth-ctrl
auth-port
Use this command to specify a port for Radius authentication.
Use the no parameter with this command to disable this feature.
Command Syntax
auth-port <1-65535>
no auth-port
Parameters
<0-65535>
Port number.
Default
The default port number is 1812.
Command Mode
Configure Radius server mode
Applicability
This command was introduced in OcNOS version 6.0.0.
Examples
#configure terminal
(config)#radius-server dot1x host 1.1.1.1
(config-radius-server)#auth-port 1233
(config-radius-server)#no auth-port
debug dot1x
Use this command to turn on or turn off 802.1x debugging at various levels.
Use the no parameter with this command to turn off debugging.
Command Syntax
debug dot1x (all|)
debug dot1x event
debug dot1x nsm
debug dot1x packet
debug dot1x timer
no debug dot1x (all|)
no debug dot1x event
no debug dot1x nsm
no debug dot1x packet
no debug dot1x timer
Parameters
all
Sets debugging for all 802.1x levels.
event
Sets debugging for 802.1x events.
nsm
Sets debugging for 802.1x NSM information.
packet
Sets debugging for 802.1x packets.
timer
Sets debugging for 802.1x timer.
Default
No default value is specified.
Command Mode
Exec, Privileged Exec, and Configure modes
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#debug dot1x all
(config)#debug dot1x event
dot1x mac-auth-bypass
Use this command to enable or disable MAC authentication bypass as a fallback on an interface that has dot1x configured.
Use the no form of this command to remove the MAC authentication bypass configuration.
Command Syntax
dot1x mac-auth-bypass (enable|disable)
no dot1x mac-auth-bypass
Parameters
dot1x
IEEE 802.1X Port-Based Access Control
mac-auth-bypass
Quiet period in the HELD state (default 60 sec)
disable
Disable MAC authentication bypass
enable
Enable MAC authentication bypass
Default
Disabled by default; no command message is displayed.
Command Mode
Interface mode
Applicability
This command was introduced before OcNOS version 5.0.
Examples
#conf t
Enter configuration commands, one per line. End with CNTL/Z.
(config)#int xe10
(config-if)#dot1x mac-auth-bypass enable
(config-if)#commit
(config-if)#
(config-if)#no dot1x mac-auth-bypass
(config-if)#commit
(config-if)#end
dot1x port-control
Use this command to force a port state.
Use the no parameter with this command to remove a port from the 802.1x management.
Command Syntax
dot1x port-control (force-unauthorized|force-authorized|auto)
no dot1x port-control
Parameters
auto
Specify to enable authentication on port.
force-authorized
Specify to force a port to always be in an authorized state.
force-unauthorized
Specify to force a port to always be in an unauthorized state.
Default
The dot1x port-control default is active.
Command Mode
Interface mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#interface eth0
(config-if)#dot1x port-control auto
 
(config)#interface eth0
(config-if)#no dot1x port-control
dot1x protocol-version
Use this command to set the protocol version of dot1x to 1 or 2. The protocol version must be synchronized with the Xsupplicant being used in that interface.
Use the no parameter with this command to set the protocol version to the default value (2).
Command Syntax
dot1x protocol-version <1-2>
no dot1x protocol-version
Parameters
<1-2>
Indicates the EAP Over LAN (EAPOL) version.
Default
The default dot1x protocol version is 2.
Command Mode
Interface mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#configure terminal
(config)#interface eth0
(config-if)#dot1x protocol-version 2
 
(config)#interface eth0
(config-if)#no dot1x protocol-version
dot1x quiet-period
Use this command to set the quiet-period time interval.
When the switch cannot authenticate a client, it remains idle for the quiet-period interval and then tries again. Configuring a quiet period lower than the default gives a faster response time.
Use the no parameter with this command to reset the quiet period to the default (60 seconds).
Command Syntax
dot1x quiet-period <1-65535>
no dot1x quiet-period
Parameter
<1-65535>
Seconds between the retrial of authentication.
Default
The default dot1x quiet-period is 60.
Command Mode
Interface mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#configure terminal
(config)#interface eth0
(config-if)#dot1x quiet-period 200
dot1x reauthentication
Use this command to enable reauthentication on a port.
Use the no parameter to disable reauthentication on a port.
Command Syntax
dot1x reauthentication
no dot1x reauthentication
Parameters
None
Default
The dot1x reauthentication default is disabled.
Command Mode
Interface mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#interface eth0
(config-if)#dot1x reauthentication
dot1x reauthMax
Use this command to set the maximum reauthentication value, which sets the maximum number of reauthentication attempts after which the port will be unauthorized.
Use the no parameter with this command to set the reauthentication maximum to the default value (2).
Command Syntax
dot1x reauthMax <1-10>
no dot1x reauthMax
Parameter
<1-10>
Indicates the maximum number of reauthentication attempts after which the port will be unauthorized.
Default
The default is 2.
Command Mode
Interface mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
The following sets the maximum reauthentication value to 5.
#configure terminal
(config)#interface eth0
(config-if)#dot1x reauthMax 5
The following sets the reauthentication maximum to the default value.
#configure terminal
(config)#interface eth0
(config-if)#no dot1x reauthMax
dot1x system-auth-ctrl
Use this command to enable 802.1x authentication globally.
Use the no parameter to disable 802.1x authentication globally.
Command Syntax
dot1x system-auth-ctrl
no dot1x system-auth-ctrl
Parameters
None
Default
Authentication is off by default.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#configure terminal
(config)#dot1x system-auth-ctrl
dot1x timeout re-authperiod
Use this command to set the interval between reauthorization attempts.
Use the no parameter to disable the interval between reauthorization attempts.
Command Syntax
dot1x timeout re-authperiod <1-4294967295>
no dot1x timeout re-authperiod
Parameter
<1-4294967295>
Specify the seconds between reauthorization attempts.
Default
Default time is 3600 seconds
Command Mode
Interface mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#configure terminal
(config)#interface eth0
(config-if)#dot1x timeout re-authperiod 25
dot1x timeout server-timeout
Use this command to set the authentication server response timeout.
Use the no parameter to disable the authentication server response timeout.
Command Syntax
dot1x timeout server-timeout <1-65535>
no dot1x timeout server-timeout
Parameter
<1-65535>
Specify the authentication server response timeout.
Default
Default timeout is 30 seconds.
Command Mode
Interface mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#interface eth0
(config-if)#dot1x timeout server-timeout 555
 
(config)#interface eth0
(config-if)#no dot1x timeout server-timeout
 
dot1x timeout supp-timeout
Use this command to set the interval for a supplicant to respond.
Use the no parameter to disable the authentication server response timeout.
Command Syntax
dot1x timeout supp-timeout <1-65535>
no dot1x timeout supp-timeout
Parameter
<1-65535>
Specify the authentication server response timeout.
Default
Default timeout is 30 seconds.
Command Mode
Interface mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#configure terminal
(config)#interface eth0
(config-if)#dot1x timeout supp-timeout 40
 
(config)#interface eth0
(config-if)#no dot1x timeout supp-timeout
dot1x timeout tx-period
Use this command to set the interval between successive attempts to request an ID.
Use the no parameter to disable the interval between successive attempts to request an ID.
Command Syntax
dot1x timeout tx-period <1-65535>
no dot1x timeout tx-period
Parameter
<1-65535>
Specify the authentication server response timeout.
Default
Default timeout is 30 seconds.
Command Mode
Interface mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#interface eth0
(config-if)#dot1x timeout tx-period 34
 
(config)#interface eth0
(config-if)#no dot1x timeout tx-period
ip radius source-interface
Use this command to set the local address sent in packets to the radius server.
Use the no parameter to clear the local address.
Command Syntax
ip radius source-interface A.B.C.D <1-65535>
no ip radius source-interface
Parameters
A.B.C.D
IPv4 address of the RADIUS server.
<1-65535>
Port number.
Default
The default port number is 1812.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#ip radius source-interface 12.12.12.1 1812
(config)#no ip radius source-interface
 
key-string
Use this command to define a password in plain text.
The password is stored as encrypted and is displayed in encrypted text when the show running-config command is executed.
Use the no parameter with this command to disable this feature.
Command Syntax
key-string WORD
no key-string
Parameter
WORD
A string of characters to use as a password (1-64 characters).
Default
By default, the password is not configured.
Command Mode
Configure Radius server mode
Applicability
This command was introduced in OcNOS version 6.0.0.
Examples
#configure terminal
(config)#radius-server dot1x host 1.1.1.1
(config-radius-server)#key-string 1234567890
(config-radius-server)#no key-string
key-string encrypted
Use this command to define a password in encrypted format.
Use the no parameter with this command to disable this feature.
Command Syntax
key-string encrypted WORD
no key-string
Parameter
WORD
A string of characters to use as a password (18-130 characters).
Default
By default, password is not configured.
Command Mode
Configure Radius server mode
Applicability
This command was introduced in OcNOS version 6.0.0.
Examples
#configure terminal
(config)#radius-server dot1x host 1.1.1.1
(config-radius-server)#key-string encrypted 0x16176d21cc1688d995
(config-radius-server)#no key-string
radius-server dot1x host
Use this command to specify the IP address of the remote radius server host and assign authentication and accounting destination port numbers. Multiple radius-server host commands can be used to specify multiple hosts. The software searches for hosts in the order they are specified.
If no host-specific auth-port, timeout, retransmit, key-string, or key-string encrypted values are specified, the global default values apply to that host.
Use the no form of the command to unconfigure a specified radius-server.
Command Syntax
radius-server dot1x host (A.B.C.D)
no radius-server dot1x host (A.B.C.D)
Parameters
dot1x
IEEE 802.1X Port-Based Access Control.
A.B.C.D
IPv4 address of the RADIUS server.
Default
The default value of auth-port is 1812.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#radius-server dot1x host 1.1.1.1
(config-radius-server)#
(config)#no radius-server dot1x host 1.1.1.1
retransmit
Use this command to specify the number of times to transmit each Radius request to the server before giving up.
Use the no form of this command to disable retransmission.
Command Syntax
retransmit <0-100>
no retransmit
Parameter
<0-100>
Number of times to transmit each Radius request (0-100).
Default
The default value is 3.
Command Mode
Configure Radius server mode
Applicability
This command was introduced in OcNOS version 6.0.0.
Examples
#configure terminal
(config)#radius-server dot1x host 1.1.1.1
(config-radius-server)#retransmit 12
(config-radius-server)#no retransmit
show debugging dot1x
Use this command to display the status of the debugging of the 802.1x system.
Command Syntax
show debugging dot1x
Parameters
None
Command Mode
Privileged Exec mode
Applicability
This command was introduced in OcNOS version 6.0.0.
Example
#show debugging dot1x
802.1X debugging status:
 
show dot1x
Use this command to display the state of the whole system.
Command Syntax
show dot1x
show dot1x all
show dot1x host
show dot1x diagnostics interface IFNAME
show dot1x interface IFNAME
show dot1x sessionstatistics (interface IFNAME|)
show dot1x statistics interface IFNAME
Parameters
all
Display all information.
host
Show operational radius-server dot1x host information for a specific host (IPv4 address) or for all hosts.
diagnostics
Display diagnostics information.
interface
Display diagnostics interface information.
interface
Display interface information.
sessionstatistics
Display session statistics.
interface
Display session statistics interface information.
statistics
Display statistics information.
interface
Display statistics interface information.
Command Mode
Exec mode and Privileged Exec mode
Applicability
This command was introduced before OcNOS version 1.3.
Displayed Output
The following tables describe the output of the show dot1x all command and the show dot1x interface command.
 
Table 9-23: Port variables
Entry            Description
portEnabled      Interface operational status (up = true / down = false)
portControl      Current control status of the port for 802.1x control
portStatus       802.1x status of the port (authorized/unauthorized)
reAuthenticate   Reauthentication enabled/disabled status on the port
reAuthPeriod     Value holds meaning only if reauthentication is enabled
 
Table 9-24: Supplicant PAE related global variables
Entry      Description
abort      Indicates that authentication should be aborted when set to true
fail       Indicates a failed authentication attempt when set to false
start      Indicates that authentication should be started when set to true
timeout    Indicates that the authentication attempt timed out when set to true
success    Indicates that authentication succeeded when set to true
 
Table 9-25: 802.1x Operational State of Interface
Entry          Description
mode           Configured 802.1x mode
reAuthCount    Reauthentication count
quietperiod    Time between reauthentication attempts
reAuthMax      Maximum reauthentication attempts
 
Table 9-26: Backend Authentication state machine variables and constants
Entry            Description
state            State of the state machine
reqCount         Count of requests sent to the server
suppTimeout      Supplicant timeout
serverTimeout    Server timeout
maxReq           Maximum requests to be sent
 
Table 9-27: Controlled Directions State machine
Entry                       Description
adminControlledDirections   Administrative value (Both/In)
operControlledDirections    Operational value (Both/In)
 
Table 9-28: KR -- Key receive state machine
Entry    Description
rxKey    True when an EAPOL-Key message is received by the supplicant or authenticator; false when a key is transmitted
 
Table 9-29: Key Transmit State machine
Entry           Description
keyAvailable    False when the key has been transmitted by the authenticator; true when a new key is available for key exchange
keyTxEnabled    Key transmission enabled/disabled status
Example
The following is an output of this command displaying the state of the system.
#show dot1x
% 802.1x authentication enabled
% Radius server address: 192.168.1.1.1812
% Radius client address: dhcp128.mySite.com.12103
% Next radius message id: 0
The following is an output of this command displaying detailed information for all ports.
#show dot1x all
% 802.1x authentication enabled
% Radius server address: 192.168.1.1.1812
% Radius client address: dhcp128.mySite.com.12103
% Next radius message id: 0
% Dot1x info for interface eth1 - 3
% portEnabled: true - portControl: auto
% portStatus: unauthorized - currentId: 11
% reAuthenticate: disabled
% abort:F fail:F start:F timeout:F success:F
% PAE: state: connecting - portMode: auto
% PAE: reAuthCount: 2 - rxRespId: 0
% PAE: quietPeriod: 60 - reauthMax: 2 - txPeriod: 30
% BE: state: idle - reqCount: 0 - idFromServer: 0
% BE: suppTimeout: 30 - serverTimeout: 30 - maxReq: 2
% CD: adminControlledDirections: in - operControlledDirections: in
% CD: bridgeDetected: false
% KR: rxKey: false
% KT: keyAvailable: false - keyTxEnabled: false
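As an added example (not part of this reference and not OcNOS code), the following Python parses the show dot1x all output format shown above into per-interface fields and then flags ports whose state weakens 802.1x enforcement (a force-authorized port-control, or reauthentication disabled). The sample output is constructed to match the documented format; field names follow the tables above.

```python
import re

# Constructed sample (not a real capture) in the `show dot1x all` format documented above; eth2 is an added forced-authorized port.
SAMPLE_OUTPUT = """\
% 802.1x authentication enabled
% Radius server address: 192.168.1.1.1812
% Dot1x info for interface eth1 - 3
% portEnabled: true - portControl: auto
% portStatus: unauthorized - currentId: 11
% reAuthenticate: disabled
% abort:F fail:F start:F timeout:F success:F
% PAE: state: connecting - portMode: auto
% PAE: quietPeriod: 60 - reauthMax: 2 - txPeriod: 30
% BE: state: idle - reqCount: 0 - idFromServer: 0
% BE: suppTimeout: 30 - serverTimeout: 30 - maxReq: 2
% Dot1x info for interface eth2 - 4
% portEnabled: true - portControl: force-authorized
% portStatus: authorized - currentId: 0
% reAuthenticate: enabled
"""

IFACE_RE = re.compile(r"^Dot1x info for interface (\S+)")
PREFIX_RE = re.compile(r"^(PAE|BE|CD|KR|KT):\s*")  # state-machine line prefixes
FIELD_RE = re.compile(r"(\w+):\s*(\S+)")           # "key: value" and "key:V" forms


def parse_show_dot1x_all(text):
    """Return (global_info, {ifname: {field: value}}) parsed from the command output."""
    global_info, ports, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.lstrip("% ").strip()
        m = IFACE_RE.match(line)
        if m:
            current = ports.setdefault(m.group(1), {})
        elif current is None:  # header lines before the first port block
            if line.startswith("802.1x authentication"):
                global_info["dot1x_enabled"] = line.endswith(" enabled")
            else:
                key, _, value = line.partition(": ")
                global_info[key] = value
        else:
            # Prefix fields by state machine (PAE.state vs BE.state); " - " separates fields
            pm = PREFIX_RE.match(line)
            prefix, body = (pm.group(1) + ".", line[pm.end():]) if pm else ("", line)
            for piece in body.split(" - "):
                for key, value in FIELD_RE.findall(piece):
                    current[prefix + key] = value
    return global_info, ports


def audit_ports(ports):
    """Flag per-port state that weakens 802.1X enforcement; returns (ifname, issue) pairs."""
    findings = []
    for name, p in sorted(ports.items()):
        if p.get("portControl") == "force-authorized":
            findings.append((name, "force-authorized: traffic passes with no authentication"))
        if p.get("reAuthenticate") == "disabled":
            findings.append((name, "reauthentication disabled: sessions are never re-validated"))
    return findings
```

Feed the captured text of show dot1x all to parse_show_dot1x_all and pass the port dictionary to audit_ports; each finding names the interface and the weak setting.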
show mab all
Use this command to display the dot1x timer, the MAB status (enabled/disabled), the port status (authorized/unauthorized), and the last rejected MAC address (if any).
Command Syntax
show mab all
Parameters
None
Default
NA
Command Mode
Exec mode and Privileged Exec mode
Applicability
This command was introduced before OcNOS version 5.0.
Examples
#sh mab all
Global MAC Authentication Enabled
RADIUS client address: not configured
 
MAB info for interface xe10
Dot1x timer: Expired
MAB Authentication Enabled
Status: Unauthorized
Last rejected MAC:
 
MAB info for interface xe11
Dot1x timer: Expired
MAB Authentication Disabled
Status: Unknown
Last rejected MAC:
timeout
Use this command to specify the number of seconds a router waits for a reply to a Radius request before retransmitting the request.
Use the no parameter to use the default value.
Command Syntax
timeout <0-60>
no timeout
Parameter
<0-60>
Timeout period in seconds.
Default
The default value is 5 seconds.
Command Mode
Configure Radius server mode
Applicability
This command was introduced in OcNOS version 6.0.0.
Examples
#configure terminal
(config)#radius-server dot1x host 1.1.1.1
(config-radius-server)#timeout 20
(config-radius-server)#no timeout