7.1.5 Configuring Authentication Mode Options
This section describes how to configure authentication mode options and parameters.
(1) Restricting the number of authenticated terminals
Points to note
Limit the maximum number of authenticated users per authentication unit. For IEEE802.1X authentication, this function is enabled when terminal authentication mode is set for the authentication submode.
Command examples
(config)# interface gigabitethernet 1/0/1
(config-if)# dot1x multiple-authentication
(config-if)# dot1x port-control auto
(config-if)# dot1x max-supplicant 50
Specifies 50 as the maximum number of authenticated users permitted at port 1/0/1.
(2) Switch setting of terminal detection operation
The Switch sends EAP-Request/Identity packets to the multicast address at the interval specified by the tx-period command to prompt terminals to begin an authentication sequence. This procedure specifies what form of authentication sequence takes place when a terminal that is already authenticated responds to an EAP-Request/Identity packet. By default, such terminals do not participate in authentication.
Points to note
- In shortcut mode, the authentication sequence is abbreviated to reduce the load on the Switch.
- In disable mode, the switch does not send regular EAP-Request/Identity packets in an environment where authenticated terminals are present.
- full mode is intended for environments where supplicants that cannot cope with an abbreviated authentication sequence attempt authentication. Note that full mode places a higher burden on the switch and must be used with caution.
- In auto mode, the switch does not send an EAP-Request/Identity message to the multicast address. Instead, the switch sends EAP-Request/Identity messages only to terminals from which it receives an arbitrary packet.
Command examples
(config)# interface gigabitethernet 1/0/1
(config-if)# dot1x multiple-authentication
(config-if)# dot1x port-control auto
(config-if)# dot1x supplicant-detection disable
Configures the switch to stop transmitting EAP-Request/Identity messages when an authenticated terminal is present at port 1/0/1.
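The following audit script is an added example, not part of the original manual. It checks a saved configuration against the two options described in (1) and (2). The configuration layout (indented commands under each interface line, "!" separators), the sample text, and the function names are assumptions; dot1x multiple-authentication is treated as the command that selects terminal authentication mode, as in the command examples above.

```python
import re

# Constructed sample configuration; the layout is assumed, not taken from a device.
SAMPLE_CONFIG = """\
interface gigabitethernet 1/0/1
  dot1x multiple-authentication
  dot1x port-control auto
  dot1x max-supplicant 50
  dot1x supplicant-detection disable
!
interface gigabitethernet 1/0/2
  dot1x multiple-authentication
  dot1x port-control auto
  dot1x supplicant-detection full
!
interface gigabitethernet 1/0/3
  dot1x port-control auto
  dot1x max-supplicant 10
!
"""

def parse_ports(config):
    """Return {port: {dot1x keyword: argument or True}} per interface block."""
    ports, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+\s+\S+)$", line)
        if m:
            current = ports.setdefault(m.group(1), {})
        elif line == "!" or not line:
            current = None          # end of the interface block
        elif current is not None and line.startswith("dot1x "):
            words = line.split()
            current[words[1]] = words[2] if len(words) > 2 else True
    return ports

def audit(config):
    """Return a sorted list of (port, finding) tuples."""
    findings = []
    for port, opts in parse_ports(config).items():
        multi = "multiple-authentication" in opts
        if multi and "max-supplicant" not in opts:
            findings.append((port, "no explicit max-supplicant limit"))
        if not multi and "max-supplicant" in opts:
            # Per (1), the limit applies only in terminal authentication mode.
            findings.append((port, "max-supplicant set without multiple-authentication"))
        if opts.get("supplicant-detection") == "full":
            # Per (2), full mode places a higher burden on the switch.
            findings.append((port, "supplicant-detection full: higher switch load"))
    return sorted(findings)
```

Calling audit(SAMPLE_CONFIG) returns no findings for port 1/0/1, which matches the command examples above, and flags ports 1/0/2 and 1/0/3.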