Switch CLI Reference Guide

Port-Based Network Access Control Commands

dot1x system-auth-control
Command Objective

This command enables dot1x in the Switch. The dot1x is an authentication mechanism. It acts as mediator between the authentication server and the supplicant (client). If the client accesses the protected resources, it contacts the authenticator with EAPOL frames.

Syntax

dot1x system-auth-control

no dot1x system-auth-control

Mode

Global Configuration Mode

shutdown dot1x
Command Objective

This command shuts down the dot1x feature. By shutting down the dot1x feature, the supplicant-authenticator-authentication server architecture is dissolved. The data transport and authentication are directly governed by the authentication server/server. When shut down, all resources acquired by the dot1x module are released to the system.

Syntax

shutdown dot1x

no shutdown dot1x

Mode

Global Configuration Mode

dot1x clear statistics
Command Objective

This command clears dot1x counters for all the ports on the Switch.

Syntax

dot1x clear statistics {interface <iftype> <ifnum> | all}

Parameter Description
  • interface <iftype> <ifnum> - Clears the dot1x counters for the specified interface only.

    • gigabitethernet - A version of LAN standard architecture that supports data transfer up to 1 Gigabit per second.

  • all - Clears the dot1x counters for all the ports on the Switch.

Mode

Global Configuration Mode

security-suite
Command Objective

This command enables/disables DoS (Denial of Service) prevention. The no form of the command disables it.

Syntax

security-suite

no security-suite

Mode

Global Configuration Mode

dot1x guest-vlan
Command Objective

This command configures Dot1x Guest VLAN ID.

Syntax

dot1x guest-vlan <short (1-4094)>

no dot1x guest-vlan

Parameter Description
  • <vlan-id> - This is a unique value that represents the specific VLAN. This value ranges between 1 and 4094.

Mode

Global Configuration Mode

dot1x default
Command Objective

This command configures dot1x with default values for this port. The previous configurations on this port are reset to the default values. These details are not displayed but are the basic settings for a port.

Syntax

dot1x default

Mode

Interface Configuration Mode

dot1x max-req
Command Objective

This command sets the maximum number of EAP (Extensible Authentication Protocol) retries to the client by the authenticator before restarting authentication process. The count value ranges between 1 and 10.

Syntax

dot1x max-req <count(1-10)>

no dot1x max-req

Mode

Interface Configuration Mode

dot1x max-start
Command Objective

This command sets the maximum number of EAPOL retries to the authenticator. The value range is 1 to 65535.

Syntax

dot1x max-start <count(1-65535)>

no dot1x max-start

Mode

Interface Configuration Mode

dot1x reauthentication
Command Objective

This command enables periodic re-authentication from the authenticator to the client. Periodic re-authentication is requested to verify that the same supplicant is still the one accessing the protected resources. The amount of time between periodic re-authentication attempts can be configured manually (see the reauth-period option of dot1x timeout).

Syntax

dot1x reauthentication

no dot1x reauthentication

Mode

Interface Configuration Mode

dot1x timeout
Command Objective

This command sets the dot1x timers. The timer module manages the timers: it creates the memory pool for timers, creates the timer list, and starts and stops timers. It provides handlers for the respective expired timers.

Syntax

dot1x timeout {quiet-period <short(0-65535)> | {reauth-period | server-timeout | supp-timeout | tx-period | start-period | held-period | auth-period} <short(1-65535)>}

no dot1x timeout {quiet-period | reauth-period | server-timeout | supp-timeout | tx-period | start-period | held-period | auth-period}

Parameter Description
  • quiet-period <value (0-65535)> - Configures the quiet-period. Number of seconds that the Switch remains in the quiet state following a failed authentication exchange with the client.

  • reauth-period - Configures the reauth-period. Number of seconds between re-authentication attempts.

  • server-timeout - Configures the number of seconds that the Switch waits for the retransmission of packets to the authentication server.

  • supp-timeout - Configures the number of seconds that the Switch waits for the retransmission of packets to the client.

  • tx-period - Configures the number of seconds that the Switch waits for a response to an EAP-request/identity frame, from the client before retransmitting the request.

  • start-period - Configures the number of seconds that the supplicant waits between successive retries to the authenticator.

  • held-period - Configures the number of seconds that the supplicant waits before trying to acquire the authenticator.

  • auth-period <value(1-65535)> - Configures the number of seconds that the supplicant waits before timing out the authenticator.

Mode

Interface Configuration Mode

dot1x port-control
Command Objective

This command configures the authenticator port control parameter. dot1x applies port-based authentication to increase the security of the network. The different modes applied to the ports offer varied access levels. The 802.1x protocol is supported on both Layer 2 static-access ports and Layer 3 routed ports.

Syntax

dot1x port-control {auto|force-authorized|force-unauthorized}

no dot1x port-control

Parameter Description
  • auto - Configures the 802.1x authentication process on this port. Causes the port to begin in the unauthorized state, allowing only EAPOL frames to be sent and received through the port. The authentication process begins when the link state of the port transitions from down to up or when an EAPOL-start frame is received. The Switch requests the identity of the client and begins relaying authentication messages between the client and the authentication server. The Switch can uniquely identify each client attempting to access the network by the client's MAC address.

  • force-authorized - Configures the port to allow all traffic through this port. Disables 802.1X authentication and causes the port to transition to the authorized state without requiring an authentication exchange. The port transmits and receives normal traffic without 802.1X-based authentication of the client.

  • force-unauthorized - Configures the port to block all traffic through this port. Causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate. The Switch cannot provide authentication services to the client through the interface.

Mode

Interface Configuration Mode

dot1x guest-vlan enable
Command Objective

This command enables/disables the guest-vlan feature on this port. The no form of the command disables it.

Syntax

dot1x guest-vlan enable

no dot1x guest-vlan enable

Mode

Interface Configuration Mode

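The global and interface commands above are normally applied together on each user-facing port. The following is an added configuration example, not taken from this guide or from the switch vendor; it assumes that configure terminal and interface gigabitethernet 0/1 are the commands that enter Global and Interface Configuration Mode on this switch (only the dot1x commands themselves are documented on this page), and the lines beginning with ! are annotations for the reader, not CLI input. The VLAN ID and the timer values are constructed for the example and sit inside the ranges the syntax sections give.

```text
configure terminal
! Global Configuration Mode: turn on the dot1x authenticator and name the guest VLAN (1-4094)
dot1x system-auth-control
dot1x guest-vlan 100
! Interface Configuration Mode: an access port used by end-user devices
interface gigabitethernet 0/1
 dot1x port-control auto
 dot1x max-req 2
 dot1x timeout tx-period 30
 dot1x timeout supp-timeout 30
 dot1x timeout server-timeout 30
 dot1x timeout quiet-period 60
 dot1x reauthentication
 dot1x timeout reauth-period 3600
 dot1x guest-vlan enable
 exit
! An unused port: keep it unauthorized so every client attempt is ignored
interface gigabitethernet 0/2
 dot1x port-control force-unauthorized
 exit
exit
```

With port-control auto, gigabitethernet 0/1 starts unauthorized and passes only EAPOL frames; the authenticator retransmits EAP-Request/Identity every 30 seconds (tx-period), gives up after 2 retries (max-req) and restarts, and backs off for 60 seconds (quiet-period) after a failed exchange, while a successful client is re-authenticated every hour (reauth-period). Devices that never authenticate end up in guest VLAN 100, so that VLAN should be isolated from the protected resources the authentication is meant to guard. From Privileged EXEC Mode, show dot1x interface gigabitethernet 0/1 and show dot1x guest-vlan confirm the settings, and dot1x re-authenticate interface gigabitethernet 0/1 forces a fresh exchange without waiting for reauth-period; each no form (for example no dot1x timeout reauth-period) returns the single setting to its default, and dot1x default resets the whole port.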
show dot1x
Command Objective

This command displays dot1x information. The configured information can be viewed by running this show command. After any change in the configuration, the show command is used to ensure that the port is configured as desired.

Syntax

show dot1x [{ interface <interface-type> <interface-id> | statistics interface <interface-type> <interface-id> | supplicant-statistics interface <interface-type> <interface-id> | local-database | mac-info [address <aa.aa.aa.aa.aa.aa>] | mac-statistics [address <aa.aa.aa.aa.aa.aa>] | all }]

Parameter Description
  • interface <interface-type> <interface-id> - Displays dot1x parameters for the Switch or the specified interface.

  • statistics interface <interface-type> <interface-id> - Displays dot1x authenticator port statistics parameters for the Switch or the specified interface.

  • supplicant-statistics interface <interface-type> <interface-id> - Displays dot1x supplicant statistics parameters for the Switch or the specified interface.

  • local-database - Displays dot1x authentication server database with user name and password.

  • mac-info [address <aa.aa.aa.aa.aa.aa>] - Displays dot1x information for all MAC sessions or for the specified MAC address.

  • mac-statistics [address <aa.aa.aa.aa.aa.aa>] - Displays dot1x MAC statistics for all MAC sessions or for the specified MAC address.

  • all - Displays dot1x status for all interfaces.

Mode

Privileged EXEC Mode

show dot1x guest-vlan
Command Objective

This command displays dot1x Guest VLAN information.

Syntax

show dot1x guest-vlan

Mode

Privileged EXEC Mode

show security-suite
Command Objective

This command displays DoS prevention information.

Syntax

show security-suite

Mode

Privileged EXEC Mode

dot1x re-authenticate
Command Objective

This command initiates re-authentication of all dot1x-enabled ports or the specified dot1x-enabled port. This initializes the state machines and sets up the environment for fresh authentication.

Re-authentication is triggered manually if periodic re-authentication is not enabled. The authentication server requests the supplicant to furnish its identity without waiting for the configured number of seconds (reauth-period). If no interface is specified, re-authentication is initiated on all dot1x ports.

Syntax

dot1x re-authenticate [interface <interface-type> <interface-id>]

Parameter Description
  • <interface-type> - Specifies the type of interface (for example, gigabitethernet).

  • <interface-id> - Specifies the interface identifier. This is a unique value that represents the specific interface. This value is a combination of slot number and port number separated by a slash. For example: 0/1 represents slot number 0 and port number 1.

Mode

Privileged EXEC Mode

exit
Command Objective

This command exits the current mode and reverts to the mode used prior to the current mode.

Syntax

exit

Mode

All
