Configuration Guide Vol. 2


7.1.3 Configuring Authentication Mode Options

This section describes how to configure authentication mode options and parameters.

<Structure of this section>

(1) Configuring Authentication Exception Terminal Options
(2) Configuring Authentication Exclusion Port Options
(3) Restricting the number of authenticated terminals
(4) Switch setting of terminal detection operation

(1) Configuring Authentication Exception Terminal Options


Points to note

For port-based authentication or VLAN-based authentication (static), this procedure registers a static entry in the MAC address table. For VLAN-based authentication (dynamic), it registers a MAC address in a MAC VLAN.

Command examples (port-based authentication)

  1. (config)# interface gigabitethernet 1/0/1

    (config-if)# switchport mode access

    (config-if)# switchport access vlan 10

    (config-if)# dot1x multiple-authentication

    (config-if)# dot1x port-control auto

    (config-if)# exit

    Assigns port 1/0/1 to VLAN ID 10, and then configures port-based authentication on the port with terminal authentication mode as the authentication sub-mode.

  2. (config)# mac-address-table static 0012.e200.0001 vlan 10 interface gigabitethernet 1/0/1

    Adds a static entry for the MAC address (0012.e200.0001) for which you want to permit unauthenticated access to VLAN ID 10 from port 1/0/1.

Command examples (VLAN-based authentication (dynamic))

  1. (config)# vlan 100 mac-based

    (config-vlan)# mac-address 0012.e200.0001

    (config-vlan)# exit

    Specifies the MAC address of a terminal to be permitted access to the MAC VLAN assigned VLAN ID 100. The terminal will be able to access VLAN ID 100 without first undergoing IEEE 802.1X authentication.

  2. (config)# dot1x vlan dynamic radius-vlan 100

    (config)# dot1x vlan dynamic enable

    Enables VLAN-based authentication (dynamic) for VLAN ID 100.

(2) Configuring Authentication Exclusion Port Options

Points to note

In a VLAN configured for VLAN-based authentication (static), configure a port to permit network access by unauthenticated devices. If the port belongs to multiple VLANs, devices attached to the port can access all those VLANs.

Command examples

  1. (config)# interface gigabitethernet 1/0/1

    (config-if)# dot1x force-authorized-port

    Configures port 1/0/1 to allow access by unauthenticated devices. Here, port 1/0/1 is a member of a VLAN configured for VLAN-based authentication (static).

Notes

If you add a VLAN configured for VLAN-based authentication (static) to an authentication-exempted port, the port's network connection might be temporarily lost.

(3) Restricting the number of authenticated terminals

Points to note

Limit the maximum number of authenticated users per authentication unit. For port-based authentication, this setting takes effect when terminal authentication mode is the authentication sub-mode.

Command examples (port-based authentication)

  1. (config)# interface gigabitethernet 1/0/1

    (config-if)# dot1x multiple-authentication

    (config-if)# dot1x port-control auto

    (config-if)# dot1x max-supplicant 50

    Specifies 50 as the maximum number of authenticated users permitted at port 1/0/1.

Command examples (VLAN-based authentication (static))

  1. (config)# dot1x vlan 10 max-supplicant 50

    Specifies 50 as the maximum number of authenticated users permitted at VLAN ID 10 (configured for VLAN-based authentication (static)).

Command examples (VLAN-based authentication (dynamic))

  1. (config)# dot1x vlan dynamic max-supplicant 50

    Specifies 50 as the maximum number of authenticated users permitted by VLAN-based authentication (dynamic).

(4) Switch setting of terminal detection operation

The Switch sends EAP-Request/Identity packets to the multicast address at the interval specified by the tx-period command to prompt terminals to begin an authentication sequence. This procedure specifies what form of authentication sequence takes place when a terminal that is already authenticated responds to an EAP-Request/Identity packet. By default, such terminals do not participate in authentication.

Points to note

In shortcut mode, the authentication sequence is abbreviated to reduce the load on the Switch. In disable mode, the switch does not send regular EAP-Request/Identity packets in an environment where authenticated terminals are present. Full mode is intended for environments where supplicants that cannot cope with an abbreviated authentication sequence attempt authentication. Note that full mode places a higher burden on the switch and must be used with caution. In auto mode, the switch does not send EAP-Request/Identity messages to the multicast address. Instead, the switch sends EAP-Request/Identity messages only to terminals from which it receives an arbitrary packet.

Command examples (port-based authentication)

  1. (config)# interface gigabitethernet 1/0/1

    (config-if)# dot1x multiple-authentication

    (config-if)# dot1x port-control auto

    (config-if)# dot1x supplicant-detection disable

    Configures the switch to stop transmitting EAP-Request/Identity messages when an authenticated terminal is present at port 1/0/1.

Command examples (VLAN-based authentication (static))

  1. (config)# dot1x vlan 10 supplicant-detection shortcut

    Configures the switch to skip re-authentication and consider authentication successful when it receives EAP-Response/Identity messages from authenticated terminals in VLAN ID 10, which is configured for VLAN-based authentication (static).

Command examples (VLAN-based authentication (dynamic))

  1. (config)# dot1x vlan dynamic supplicant-detection full

    Configures the switch to perform the authentication sequence and send requests to the authentication server when the switch receives EAP-Response/Identity messages from terminals authenticated by VLAN-based authentication (dynamic).
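Each setting in (1) through (4) is something a reviewer of the switch configuration wants to inventory: every exception terminal and exception port is a deliberate bypass of authentication, an authentication unit without a max-supplicant limit has no cap on authenticated users, and full detection mode adds load to the switch. The following Python script is an added example, not the vendor's own tool. It parses a constructed running-config excerpt assembled from the commands shown in this section and lists those four kinds of findings. It understands only the command forms shown here, and the indented sub-mode layout closed by exit is an assumption about how the configuration is laid out.

```python
"""Audit a switch configuration for IEEE 802.1X exception and limit settings.

Added example, not the vendor's tool: it recognises only the command forms
shown in this section and assumes interface and MAC VLAN sub-commands are
indented and closed by 'exit'.  The configuration text is constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed running-config excerpt built from the commands in this section.
SAMPLE_CONFIG = """\
vlan 100 mac-based
  mac-address 0012.e200.0001
  exit
dot1x vlan dynamic radius-vlan 100
dot1x vlan dynamic enable
dot1x vlan dynamic max-supplicant 50
dot1x vlan dynamic supplicant-detection full
dot1x vlan 10 max-supplicant 50
dot1x vlan 10 supplicant-detection shortcut
mac-address-table static 0012.e200.0001 vlan 10 interface gigabitethernet 1/0/1
interface gigabitethernet 1/0/1
  switchport mode access
  switchport access vlan 10
  dot1x multiple-authentication
  dot1x port-control auto
  dot1x max-supplicant 50
  dot1x supplicant-detection disable
  exit
interface gigabitethernet 1/0/2
  dot1x multiple-authentication
  dot1x port-control auto
  exit
interface gigabitethernet 1/0/3
  dot1x force-authorized-port
  exit
"""

MAC_STATIC = re.compile(r"^mac-address-table static (\S+) vlan (\d+) interface (.+)$")
MAC_VLAN = re.compile(r"^vlan (\d+) mac-based$")
DOT1X_VLAN = re.compile(r"^dot1x vlan (\d+|dynamic) (\S+)(?: (\S+))?$")


@dataclass
class Audit:
    exception_macs: list = field(default_factory=list)  # (mac, vlan_id, how)
    exempt_ports: list = field(default_factory=list)    # interface names
    units: dict = field(default_factory=dict)           # auth unit -> settings


def _unit(audit, name):
    # An authentication unit starts with no user limit and default detection mode.
    return audit.units.setdefault(name, {"max_supplicant": None, "detection": "default"})


def parse_config(text):
    audit = Audit()
    ctx = None  # ("if", interface) or ("vlan", vlan_id) while inside a sub-mode
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "exit":
            ctx = None
        elif line.startswith("interface "):
            ctx = ("if", line[len("interface "):])
        elif (m := MAC_VLAN.match(line)):
            ctx = ("vlan", int(m.group(1)))
        elif (m := MAC_STATIC.match(line)):
            # Static MAC entry: this terminal is never challenged on that port/VLAN.
            audit.exception_macs.append((m.group(1), int(m.group(2)), f"static entry via {m.group(3)}"))
        elif (m := DOT1X_VLAN.match(line)):
            unit = _unit(audit, f"vlan {m.group(1)}")
            if m.group(2) == "max-supplicant":
                unit["max_supplicant"] = int(m.group(3))
            elif m.group(2) == "supplicant-detection":
                unit["detection"] = m.group(3)
        elif ctx and ctx[0] == "vlan" and line.startswith("mac-address "):
            # MAC VLAN member: admitted to the VLAN without 802.1X authentication.
            audit.exception_macs.append((line.split()[1], ctx[1], "MAC VLAN member"))
        elif ctx and ctx[0] == "if" and line.startswith("dot1x "):
            words = line.split()
            if words[1] == "force-authorized-port":
                audit.exempt_ports.append(ctx[1])
            elif words[1:] == ["port-control", "auto"]:
                _unit(audit, f"port {ctx[1]}")
            elif words[1] == "max-supplicant":
                _unit(audit, f"port {ctx[1]}")["max_supplicant"] = int(words[2])
            elif words[1] == "supplicant-detection":
                _unit(audit, f"port {ctx[1]}")["detection"] = words[2]
    return audit


def findings(audit):
    """Review lines: every authentication bypass, missing limit, and full-mode unit."""
    out = []
    for mac, vlan, how in audit.exception_macs:
        out.append(f"exception: {mac} enters VLAN {vlan} without authentication ({how})")
    for port in audit.exempt_ports:
        out.append(f"exception: {port} admits unauthenticated devices (force-authorized-port)")
    for name, cfg in sorted(audit.units.items()):
        if cfg["max_supplicant"] is None:
            out.append(f"no max-supplicant limit on {name}")
        if cfg["detection"] == "full":
            out.append(f"supplicant-detection full on {name}: higher switch load")
    return out


if __name__ == "__main__":
    for line in findings(parse_config(SAMPLE_CONFIG)):
        print(line)
```

Run against the constructed excerpt, the script reports the MAC address 0012.e200.0001 twice (once as a MAC VLAN member of VLAN 100, once as a static entry for VLAN 10 on port 1/0/1), port 1/0/3 as a force-authorized port, port 1/0/2 as having no max-supplicant limit, and the dynamic VLAN-based unit as using full detection mode. Each line maps directly to one of the procedures above, so the report doubles as a checklist of what was configured intentionally.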