This command enables dot1x in the Switch. The dot1x is an authentication mechanism. It acts as mediator between the authentication server and the supplicant (client). If the client accesses the protected resources, it contacts the authenticator with EAPOL frames.

dot1x system-auth-control

no dot1x system-auth-control

This command shuts down dot1x feature. By shutting down the dot1x feature, the supplicant-authenticator-authentication server architecture is dissolved. The data transport and authentication are directly governed by the authentication

server/server. When shutdown, all resources acquired by dot1x module are released to the system.

shutdown dot1x

no shutdown dot1x

This command clears dot1x counters for all the ports on the Switch.

dot1x clear statistics {interface <iftype> <ifnum> | all},

• interface - Displays all static multicast MAC address entries for the specified interface.

  • gigabitethernet - A version of LAN standard architecture that supports data transfer up to 1 Gigabit per second.

This command enables/disables DoS prevention.

security-suite

no security-suite

This command configures Dot1x Guest VLAN ID.

dot1x guest-vlan <short (1-4094)>

no dot1x guest-vlan

• <vlan –id> - This is a unique value that represents the specific VLAN. This value ranges between 1 and 4094.

This command configures dot1x with default values for this port. The previous configurations on this port are reset to the default values. These details are not displayed but are the basic settings for a port.

dot1x default

This command sets the maximum number of EAP (Extensible Authentication Protocol) retries to the client by the authenticator before restarting authentication process. The count value ranges between 1 and 10.

dot1x max-req <count(1-10)>

no dot1x max-req

This command sets the maximum number of EAPOL retries to the authenticator. The value range is 1 to 65535.

dot1x max-start <count(1-65535)>

no dot1x max-start

This command enables periodic re-authentication from authenticator to client. The periodic re-authentication is requested to ensure if the same supplicant is accessing the protected resources. The amount of time between periodic re- authentication attempts can be configured manually.

dot1x reauthentication

no dot1x reauthentication

This command sets the dot1x timers. The timer module manages timers, creates memory pool for timers, creates timer list, starts and stops timer. It provides handlers to respective expired timers.

dot1x timeout {quiet-period <short(0-65535)> | {reauth-period | server-timeout | supp-timeout | tx-period | start-period | held- period | auth-period} <short(1-65535)>}

no dot1x timeout {quiet-period | reauth-period | server- timeout | supp-timeout | tx-period | start-period | held-period

| auth-period}

• quiet-period <value (0-65535)> - Configures the quiet- period. Number of seconds that the Switch remains in the quiet state following a failed authentication exchange with the client.

• reauth-period - Configures the reath-period. Number of seconds between re-authentication attempts.

• server-timeout - Configures the number of seconds that the Switch waits for the retransmission of packets to the authentication server.

• supp-timeout - Configures the number of seconds that the Switch waits for the retransmission of packets to the client.

• tx-period - Configures the number of seconds that the Switch waits for a response to an EAP-request/identity frame, from the client before retransmitting the request.

• start-period - Configures the number of seconds that the supplicant waits between successive retries to the authenticator.

• held-period - Configures the number of seconds that the supplicant waits before trying to acquire the authenticator.

• auth-period <value(1-65535)> - Configures the number of seconds that the supplicant waits before timing-out the authenticator

This command configures the authenticator port control parameter. The dot1x exercises port based authentication to increase the security of the network. The different Modes employed to the ports offer varied access levels. The 802.1x protocol is supported on both Layer 2 static-access ports and Layer 3 routed ports.

dot1x port-control {auto|force-authorized|force-unauthorized}

no dot1x port-control

• auto - Configures the 802.1x authentication process in this port. Causes the port to begin the unauthorized state, allowing only EAPOL frames to be sent and received through the port. The authentication process begins when the link state of the port transitions from down to up or when an EAPOL-start frame is received. The Switch requests the identity of the client and begins relaying authentication messages between the client and the authentication server. The Switch can uniquely identify each client attempting to access the network by the client's MAC address.

• force-authorized - Configures the port to allow all the traffic through this port. Disables 802.1X authentication and causes the port to transit to the authorized state without requiring authentication exchange. The port transmits and receives normal traffic without 802.1X- based authentication of the client.

• force-unauthorized - Configures the port to block all the traffic through this port. Causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate. The Switch cannot provide authentication services to the client through the interface.

This command enables/disables guest-vlan feature.

dot1x guest-vlan enable

no dot1x guest-vlan enable

This command displays dot1x information. The configured information can be viewed by running this show command. When there is any change in the configuration to ensure that the port is configured as desired, the show command is used.

show dot1x [{ interface <interface-type> <interface-id> | statistics interface <interface-type> <interface-id> | supplicant- statistics interface <interface-type> <interface-id>|local- database | mac-info [address <aa.aa.aa.aa.aa.aa>] | mac- statistics [address <aa.aa.aa.aa.aa.aa>] | all }]

• interface <interface-type> <interface-id> - Displays dot1x parameters for the Switch or the specified interface.

• statistics interface <interface-type> <interface-id> - Displays dot1x authenticator port statistics parameters for the Switch or the specified interface.

• supplicant-statistics interface<interface-type> <interface- id> - Displays dot1x supplicant statistics parameters for the Switch or the specified interface.

• local-database - Displays dot1x authentication server database with user name and password.

• mac-info [address <aa.aa.aa.aa.aa.aa>] - Displays dot1x information for all MAC session or the specified MAC address.

• mac-statistics [address <aa.aa.aa.aa.aa.aa>] - Displays dot1x MAC statistic for all MAC session or the specified MAC address.

• all - Displays dot1x status for all interfaces.

Displays dot1x Guest Vlan information.

show dot1x guest-vlan

Displays Dos information.

show security-suite

This command initiates re-authentication of all dot1x-enabled ports or the specified dot1x-enabled port. This initializes the state machines and sets up the environment for fresh authentication.

Re-authentication is manually configured if periodic re- authentication is not enabled. Re-authentication is requested by the authentication server to the supplicant to furnish the identity without waiting for the configured number of seconds (re-authperiod). If no interface is specified, re-authentication is initiated on all dot1x ports.

dot1x re-authenticate [interface <interface-type><interface- id>]

• <interface type> - Configures the specified type of interface.

• <interface id> - Configures the specified interface identifier. This is a unique value that represents the specific interface. This value is a combination of slot number and port number separated by a slash. For Example: 0/1 represents that the slot number is 0 and port number is 1.

This command exits the current mode and reverts to the mode used prior to the current mode.

exit

This command exits the current mode and reverts to the mode used prior to the current mode.