5.5.2 Setting the parameters of common Layer 2 authentication configuration commands
<Structure of this section>
(1) Forwarding ARP from terminals in the pre-authentication state to an external device
(2) Configuring an authentication-only access list
(3) Configuring forced authentication
(4) Setting the VLAN ID assigned on forced authentication
(5) Setting the authentication limit for the Switch
(6) Setting the authentication limit for each port
(7) Setting the dead interval for RADIUS server access
(8) Configuring logout when a terminal moves to an unauthenticated port
(9) Suppressing logout on link-down
(1) Forwarding ARP from terminals in the pre-authentication state to an external device
Points to note
Configures the Switch to forward ARP packets received from unauthenticated terminals to destinations outside the Switch. Only ARP is released by this command; IP traffic from a terminal in the pre-authentication state is still limited to what the authentication-only access list (see (2)) permits. Use the two together when unauthenticated terminals must reach an external device such as a DHCP or DNS server, because the terminal cannot send IP packets to that device until it has resolved a MAC address for it.
Command examples
(config)# interface gigabitethernet 1/0/10
(config-if)# web-authentication port
(config-if)# mac-authentication port
(config-if)# authentication arp-relay
(config-if)# exit
Configures the Switch to forward ARP packets received on port 1/0/10, which is subject to Web authentication and MAC-based authentication.
(2) Configuring an authentication-only access list
Points to note
Specifies an authentication-only access list that permits communication from terminals in the pre-authentication state to an external device (see the authentication ip access-group command). Anything this list permits is reachable without authenticating, so keep it to the few services a terminal needs before it can authenticate.
Command examples
(config)# ip access-list extended 100
(config-ext-nacl)# permit udp any any eq bootps
(config-ext-nacl)# permit ip any host 10.0.0.1
(config-ext-nacl)# exit
(config)# interface gigabitethernet 1/0/10
(config-if)# web-authentication port
(config-if)# mac-authentication port
(config-if)# authentication ip access-group 100
(config-if)# exit
Configures an authentication-only IPv4 access list that permits unauthenticated terminals to broadcast DHCP packets (UDP destination port bootps) and to reach IP address 10.0.0.1 (the DNS server). Note that the second entry permits every IP protocol to 10.0.0.1; where the access list syntax allows it, narrow the entry to the DNS service port so that an unauthenticated terminal can reach nothing else on that host.
(3) Configuring forced authentication
Points to note
Forcibly authenticates terminals when there is no response from the RADIUS server. For MAC-based authentication and Web authentication, this setting also forcibly authenticates terminals when the internal MAC-based authentication DB or Web authentication DB contains no data.
Command examples
(config)# authentication force-authorized enable
Enables forced authentication. Because forced authentication admits terminals precisely when the authentication infrastructure cannot vouch for them, it trades security for availability: enable it only where an outage of the RADIUS server must not cut off access, and combine it with the force-authorized VLAN setting in (4) so that forcibly authenticated terminals on dynamic VLAN ports are placed in a VLAN you have chosen for that purpose.
(4) Setting the VLAN ID assigned on forced authentication
Points to note
Configures the VLAN ID that the Switch assigns to a terminal that undergoes forced authentication on a port in dynamic VLAN mode.
Command examples
(config)# interface gigabitethernet 1/0/5
(config-if)# switchport mode mac-vlan
(config-if)# switchport mac vlan 100,200
(config-if)# web-authentication port
(config-if)# mac-authentication port
(config-if)# authentication force-authorized vlan 100
(config-if)# exit
Specifies that VLAN ID 100 is assigned to terminals that undergo forced authentication on port 1/0/5, which is configured for Web authentication and MAC-based authentication in dynamic VLAN mode.
(5) Setting the authentication limit for the Switch
Points to note
Sets the maximum number of Layer 2 authenticated users allowed across the entire Switch.
Command examples
(config)# authentication max-user 512
Limits the total number of Layer 2 authenticated users to 512.
(6) Setting the authentication limit for each port
Points to note
Sets the maximum number of Layer 2 authenticated users allowed on a specific port.
Command examples
(config)# interface gigabitethernet 1/0/5
(config-if)# switchport mode access
(config-if)# switchport access vlan 10
(config-if)# mac-authentication port
(config-if)# authentication max-user 64
(config-if)# exit
Limits the number of authenticated users on authenticating port 1/0/5 to 64.
(7) Setting the dead interval for RADIUS server access
Points to note
Specifies the dead interval for RADIUS server access. When the RADIUS server with the highest priority does not respond, the Switch starts using the RADIUS server with the next highest priority. The dead interval is how long the Switch waits before trying the highest-priority RADIUS server again.
Command examples
(config)# authentication radius-server dead-interval 20
Specifies a dead interval of 20 minutes for RADIUS servers.
(8) Configuring logout when a terminal moves to an unauthenticated port
Points to note
Configures the Switch to cancel the authentication status of a terminal when the terminal is detected on a port where authentication is not configured.
Command examples
(config)# authentication auto-logout strayer
Configures the Switch to cancel the authentication status of a terminal that moves to an unauthenticated port.
(9) Suppressing logout on link-down
Points to note
Sets whether the authentication status is cancelled when a port goes down. By default it is cancelled.
Command examples
(config)# interface gigabitethernet 1/0/5
(config-if)# switchport mode access
(config-if)# switchport access vlan 10
(config-if)# mac-authentication port
(config-if)# no authentication logout linkdown
(config-if)# exit
Configures port 1/0/5 not to cancel the authentication status when the port goes down. The terminal's authentication status then outlives the physical connection and is cleared only by another logout condition, so keep the default on ports where a different device may be connected in place of the authenticated one.
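The following script is an added example for this section, not part of the manual and not software of the Switch. It reads a running-config excerpt written with the commands shown above and reports the settings that widen what an unauthenticated terminal can do: over-broad entries in the authentication-only access list from (2), the fail-open behaviour of forced authentication from (3), and the suppression of logout on link-down from (9). The running-config layout (one-space indentation under interface and access-list blocks), the sample configuration itself and the wording of the findings are assumptions; the command syntax is the one shown in this section.

```python
"""Audit a Layer 2 authentication configuration for settings that widen what an
unauthenticated terminal can do. Added example for this section, not vendor tooling.
Assumptions: a running-config layout with one-space indents inside blocks, and the
constructed SAMPLE_CONFIG (this section's commands plus a deliberately broad list 101)."""
from __future__ import annotations
from dataclasses import dataclass, field

SAMPLE_CONFIG = """\
authentication force-authorized enable
ip access-list extended 100
 permit udp any any eq bootps
 permit ip any host 10.0.0.1
ip access-list extended 101
 permit ip any any
interface gigabitethernet 1/0/10
 web-authentication port
 mac-authentication port
 authentication arp-relay
 authentication ip access-group 100
interface gigabitethernet 1/0/5
 mac-authentication port
 authentication ip access-group 101
 no authentication logout linkdown
"""

@dataclass
class Interface:
    name: str
    auth_port: bool = False           # web-authentication port / mac-authentication port
    access_group: str | None = None   # authentication ip access-group <list>
    logout_linkdown: bool = True      # default: authentication is cancelled on link-down

@dataclass
class Config:
    force_authorized: bool = False
    acls: dict[str, list[list[str]]] = field(default_factory=dict)
    interfaces: dict[str, Interface] = field(default_factory=dict)

def parse_config(text: str) -> Config:
    """Sort lines into global commands, ACL entries and per-interface settings."""
    cfg, ctx = Config(), None         # ctx is ("acl", name), ("if", Interface) or None
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        line = " ".join(words)
        if not raw.startswith(" "):   # column 0: global command or start of a block
            if line.startswith("ip access-list extended "):
                ctx = ("acl", words[3])
                cfg.acls.setdefault(words[3], [])
            elif line.startswith("interface "):
                intf = Interface(" ".join(words[1:]))
                cfg.interfaces[intf.name] = intf
                ctx = ("if", intf)
            else:
                ctx = None
                cfg.force_authorized |= line == "authentication force-authorized enable"
        elif ctx and ctx[0] == "acl":
            cfg.acls[ctx[1]].append(words)
        elif ctx:
            intf = ctx[1]
            if line in ("web-authentication port", "mac-authentication port"):
                intf.auth_port = True
            elif line.startswith("authentication ip access-group "):
                intf.access_group = words[3]
            elif line == "no authentication logout linkdown":
                intf.logout_linkdown = False
    return cfg

def audit_acl(name: str, entries: list[list[str]]) -> list[str]:
    """Flag permits wider than 'one service on one host': everything an
    authentication-only list permits is reachable without authenticating."""
    findings = []
    for words in entries:
        if words[0] != "permit" or len(words) < 4:
            continue
        dst = words[4 if words[2] == "host" else 3:] or ["?"]   # skip the source spec
        text = " ".join(words)
        if words[1] == "ip" and dst[0] == "any":
            findings.append(f"acl {name}: '{text}' permits everything before authentication")
        elif words[1] == "ip":
            findings.append(f"acl {name}: '{text}' allows every IP protocol; limit it to the service port")
    return findings

def audit(cfg: Config) -> list[str]:
    """One finding per setting that weakens the authentication boundary."""
    findings = []
    if cfg.force_authorized:
        findings.append("global: force-authorized enable fails open when neither RADIUS nor the internal DB can answer")
    for intf in cfg.interfaces.values():
        if intf.auth_port and intf.access_group:
            entries = cfg.acls.get(intf.access_group, [])
            findings += [f"{intf.name}: {f}" for f in audit_acl(intf.access_group, entries)]
        if intf.auth_port and not intf.logout_linkdown:
            findings.append(f"{intf.name}: authentication status survives link-down")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_config(SAMPLE_CONFIG))))
```

Run against SAMPLE_CONFIG, the script reports the fail-open global setting, the all-protocol entry for 10.0.0.1 in list 100 on port 1/0/10, the `permit ip any any` entry in list 101 on port 1/0/5, and the suppressed link-down logout on port 1/0/5. Entries such as `permit udp any any eq bootps` (DHCP broadcast) or a UDP permit to one host on one port produce no finding, which is the shape an authentication-only list should have.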