40-16
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
OL-8978-04
Chapter 40 Configuring 802.1X Authentication
Configuring 802.1X Authentication on the Switch
If the authentication server goes down after a host has already been authenticated through the normal
authentication process, the switch checks if the port is a critical port. If the switch determines that the port is
a critical port, the normal reauthentication process is temporarily disabled for the port and the port is given
network access until the authentication server becomes active and restarts the authentication process.
To specify a port as a critical port, perform this task in privileged mode:
This example shows how to specify a port as a critical port:
Console> (enable) set port dot1x 5/48 critical enable
Port 5/48 critical-port option is enabled
Console> (enable)
This example shows how to verify the 802.1X configuration:
Console> (enable) show port dot1x 5/48
Port Auth-State BEnd-State Port-Control Port-Status
----- ------------------- ---------- ------------------- -------------
5/48 - - force-authorized -
Port Port-Mode Re-authentication Shutdown-timeout Control-Mode
admin oper
----- ------------- ----------------- ---------------- ---------------
5/48 SingleAuth disabled disabled Both -
Port Posture-Token Critical Termination action Session-timeout
----- ------------- -------- ------------------ ---------------
5/48 - YES - -
Console> (enable)
Enabling Multiple 802.1X Authentications
You can specify multiple authentications so that more than one host can gain access to an 802.1X port.
Cisco-proprietary multiple authentication allows multiple dot1x-hosts on a port; every host is
authenticated separately. Use these guidelines when enabling multiple 802.1X authentications:
• The traffic from the non-802.1X hosts on multiple authenticated ports is blocked.
• You cannot enable a guest VLAN on multiple authenticated ports.
• You cannot enable multiple authentication on a MVAP.
• Multiple authenticated ports go into the port VLAN and will not go into a RADIUS-assigned VLAN.
• You need to enable port security on a port before you can enable multiple authentications on the port.
• You cannot disable port security on a multiple authenticated port.
• The port security timers are used on multiple authenticated ports. The reauthentication timers are
not used on multiple authenticated ports.
Task Command
Step 1
Specify a port as a critical port. set port dot1x mod/port critical {enable |
disable}
Step 2
Verify the 802.1X configuration. show port dot1x mod/port
To Next Page
Loading...
Need help?
General