7.1.3 Configuring Authentication Mode Options
This section describes how to configure authentication mode options and parameters.
(1) Configuring Authentication Exception Terminal Options
- Points to note
-
Registering an authentication exception terminal lets a specific device communicate without undergoing IEEE 802.1X authentication. For port-based authentication or VLAN-based authentication (static), register a static entry for the terminal's MAC address in the MAC address table. For VLAN-based authentication (dynamic), register the MAC address in the MAC VLAN. Because an exception is matched on the source MAC address alone, any device that spoofs that address also bypasses authentication, so keep exceptions to the few devices that cannot run a supplicant and review them regularly.
Command examples (port-based authentication)
-
(config)# interface gigabitethernet 1/0/1
(config-if)# switchport mode access
(config-if)# switchport access vlan 10
(config-if)# dot1x multiple-authentication
(config-if)# dot1x port-control auto
(config-if)# exit
Assigns port 1/0/1 to VLAN ID 10, and then enables port-based authentication on the port with terminal authentication mode (dot1x multiple-authentication) as the authentication sub-mode.
-
(config)# mac-address-table static 0012.e200.0001 vlan 10 interface gigabitethernet 1/0/1
Adds a static entry for MAC address 0012.e200.0001 so that the terminal with this address can access VLAN ID 10 from port 1/0/1 without being authenticated.
Command examples (VLAN-based authentication (dynamic))
-
(config)# vlan 100 mac-based
(config-vlan)# mac-address 0012.e200.0001
(config-vlan)# exit
Registers the MAC address of a terminal permitted to access the MAC VLAN with VLAN ID 100. The terminal can use VLAN ID 100 without first undergoing IEEE 802.1X authentication.
-
(config)# dot1x vlan dynamic radius-vlan 100
(config)# dot1x vlan dynamic enable
Enables VLAN-based authentication (dynamic) for VLAN ID 100.
(2) Configuring Authentication Exclusion Port Options
- Points to note
-
On a VLAN configured for VLAN-based authentication (static), this procedure designates a port that unauthenticated devices may use. If the port belongs to multiple VLANs, devices attached to it can access all of those VLANs without authentication.
Command examples
-
(config)# interface gigabitethernet 1/0/1
(config-if)# dot1x force-authorized-port
Configures port 1/0/1 to allow access by unauthenticated devices. Here, port 1/0/1 is a member of a VLAN configured for VLAN-based authentication (static).
- Notes
-
If you add a VLAN configured for VLAN-based authentication (static) to an authentication-exempted port, the port's network connection might be temporarily lost.
(3) Restricting the number of authenticated terminals
- Points to note
-
Limits the number of terminals that can be authenticated per authentication unit (port or VLAN). For port-based authentication, the setting takes effect only when terminal authentication mode is the authentication sub-mode.
Command examples (port-based authentication)
-
(config)# interface gigabitethernet 1/0/1
(config-if)# dot1x multiple-authentication
(config-if)# dot1x port-control auto
(config-if)# dot1x max-supplicant 50
Specifies 50 as the maximum number of authenticated users permitted at port 1/0/1.
Command examples (VLAN-based authentication (static))
-
(config)# dot1x vlan 10 max-supplicant 50
Specifies 50 as the maximum number of authenticated users permitted at VLAN ID 10 (configured for VLAN-based authentication (static)).
Command examples (VLAN-based authentication (dynamic))
-
(config)# dot1x vlan dynamic max-supplicant 50
Specifies 50 as the maximum number of authenticated users permitted by VLAN-based authentication (dynamic).
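The exception terminals in (1), the exception ports in (2) and the per-unit cap in (3) are exactly the places where IEEE 802.1X is bypassed or left uncapped, so they are worth pulling out of the running configuration for review. The following Python script is an added example, not part of this manual or the switch software. It parses a running-config (a constructed sample modelled on the command examples in this section, not output captured from a real switch) and lists every static MAC entry on an authenticating port or VLAN, every MAC VLAN member of a VLAN used by VLAN-based authentication (dynamic), every force-authorized port, and every terminal-authentication port without dot1x max-supplicant. It assumes the line formats shown in this section and that any global "dot1x vlan <id> ..." line marks that VLAN as using VLAN-based authentication (static); the function names are the example's own.

```python
import re

# Constructed sample running-config modelled on this section's command examples
# (not captured from a real switch): ports 1/0/1 and 1/0/3 use port-based
# authentication on VLAN 10, VLAN 20 uses VLAN-based authentication (static),
# and MAC VLAN 100 is the VLAN used by VLAN-based authentication (dynamic).
SAMPLE_CONFIG = """\
vlan 100 mac-based
  mac-address 0012.e200.0001
  mac-address 0012.e200.0002
!
interface gigabitethernet 1/0/1
  switchport access vlan 10
  dot1x multiple-authentication
  dot1x port-control auto
  dot1x max-supplicant 50
!
interface gigabitethernet 1/0/2
  switchport access vlan 20
  dot1x force-authorized-port
!
interface gigabitethernet 1/0/3
  switchport access vlan 10
  dot1x multiple-authentication
  dot1x port-control auto
!
interface gigabitethernet 1/0/4
  switchport access vlan 20
!
mac-address-table static 0012.e200.0001 vlan 10 interface gigabitethernet 1/0/1
mac-address-table static 0012.e200.0003 vlan 20 interface gigabitethernet 1/0/4
mac-address-table static 0012.e200.0004 vlan 30 interface gigabitethernet 1/0/5
dot1x vlan 20 max-supplicant 50
dot1x vlan dynamic radius-vlan 100
dot1x vlan dynamic enable
"""

IFACE_RE = re.compile(r"^interface (\S+ \S+)$")
MAC_VLAN_RE = re.compile(r"^vlan (\d+) mac-based$")
STATIC_RE = re.compile(r"^mac-address-table static (\S+) vlan (\d+) interface (\S+ \S+)$")
# Assumption: a global "dot1x vlan <id> ..." line means VLAN-based authentication (static) on <id>.
STATIC_AUTH_RE = re.compile(r"^dot1x vlan (\d+) ")
DYN_VLAN_RE = re.compile(r"^dot1x vlan dynamic radius-vlan (.+)$")


def parse_config(text):
    """Split a running-config into interface blocks, MAC VLAN members, static MAC entries and global lines."""
    cfg = {"interfaces": {}, "mac_vlans": {}, "static": [], "global": []}
    block = None  # ("interfaces", name) or ("mac_vlans", id) while inside that block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            block = None
        elif m := IFACE_RE.match(line):
            block = ("interfaces", m.group(1))
            cfg["interfaces"].setdefault(m.group(1), [])
        elif m := MAC_VLAN_RE.match(line):
            block = ("mac_vlans", m.group(1))
            cfg["mac_vlans"].setdefault(m.group(1), [])
        elif block and block[0] == "interfaces":
            cfg["interfaces"][block[1]].append(line)
        elif block and block[0] == "mac_vlans" and line.startswith("mac-address "):
            cfg["mac_vlans"][block[1]].append(line.split()[1])
        elif m := STATIC_RE.match(line):
            cfg["static"].append(m.groups())  # (mac, vlan id, port)
        else:
            cfg["global"].append(line)
    return cfg


def audit(cfg):
    """Return (kind, subject, detail) for each configured way around 802.1X and each uncapped port."""
    ifaces = cfg["interfaces"]

    def has(port, prefix):
        return any(l.startswith(prefix) for l in ifaces.get(port, []))

    static_auth_vlans, dyn_vlans = set(), set()
    for l in cfg["global"]:
        if m := STATIC_AUTH_RE.match(l):
            static_auth_vlans.add(m.group(1))
        elif m := DYN_VLAN_RE.match(l):
            dyn_vlans.update(m.group(1).split())
    findings = []
    for port in ifaces:
        if has(port, "dot1x force-authorized-port"):
            findings.append(("force-authorized-port", port, "every device on this port bypasses authentication"))
        elif (has(port, "dot1x port-control auto") and has(port, "dot1x multiple-authentication")
              and not has(port, "dot1x max-supplicant")):
            findings.append(("no-max-supplicant", port, "terminal authentication mode with no cap on terminals"))
    for mac, vid, port in cfg["static"]:
        # a static MAC entry is a bypass only where 802.1X actually applies
        if has(port, "dot1x port-control auto") or vid in static_auth_vlans:
            findings.append(("static-mac-exception", mac, f"unauthenticated access to VLAN {vid} via {port}"))
    for vid, macs in cfg["mac_vlans"].items():
        if vid in dyn_vlans:
            for mac in macs:
                findings.append(("mac-vlan-exception", mac, f"unauthenticated access to dynamic-auth VLAN {vid}"))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in audit(parse_config(SAMPLE_CONFIG)):
        print(f"{kind:22} {subject:24} {detail}")
```

On the sample, the script reports the force-authorized port 1/0/2, port 1/0/3 (terminal authentication mode without max-supplicant), the two static MAC exceptions on VLANs where authentication applies, and the two MAC VLAN members of VLAN 100; the static entry on VLAN 30, where no authentication is configured, is not reported because it is an ordinary static entry rather than a bypass. Feed it the output of the switch's running-config display (saved to a file) instead of SAMPLE_CONFIG to review a live device.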
(4) Switch setting of terminal detection operation
The Switch sends EAP-Request/Identity packets to the multicast address at the interval specified by the tx-period command to prompt terminals to begin an authentication sequence. This procedure specifies what form of authentication sequence takes place when a terminal that is already authenticated responds to an EAP-Request/Identity packet. By default, such terminals do not participate in authentication.
- Points to note
-
The supplicant-detection setting selects how the switch treats an authenticated terminal that answers its EAP-Request/Identity:
shortcut mode: the authentication sequence is abbreviated to reduce the load on the Switch.
disable mode: the switch stops sending regular EAP-Request/Identity packets while authenticated terminals are present.
full mode: the switch runs the complete authentication sequence, including requests to the authentication server. It is intended for environments where supplicants that cannot cope with the abbreviated sequence attempt authentication; it places a higher load on the switch and must be used with caution.
auto mode: the switch does not send EAP-Request/Identity packets to the multicast address at all. Instead, it sends EAP-Request/Identity only to a terminal from which it has received a packet of any kind.
Command examples (port-based authentication)
-
(config)# interface gigabitethernet 1/0/1
(config-if)# dot1x multiple-authentication
(config-if)# dot1x port-control auto
(config-if)# dot1x supplicant-detection disable
Configures the switch to stop transmitting EAP-Request/Identity messages when an authenticated terminal is present at port 1/0/1.
Command examples (VLAN-based authentication (static))
-
(config)# dot1x vlan 10 supplicant-detection shortcut
Configures the switch to skip re-authentication and consider authentication successful when the switch receives EAP-Response/Identity messages from authenticated terminals in VLAN ID 10 which is configured for VLAN-based authentication (static).
Command examples (VLAN-based authentication (dynamic))
-
(config)# dot1x vlan dynamic supplicant-detection full
Configures the switch to perform the authentication sequence and send requests to the authentication server when the switch receives EAP-Response/Identity messages from terminals authenticated by VLAN-based authentication (dynamic).