authentication command bounce-port ignore through auth-type
- authentication command bounce-port ignore
- authentication command disable-port ignore
- authentication control-direction
- authentication event fail
- authentication event server alive action reinitialize
- authentication event server dead action authorize
- authentication fallback
- authentication host-mode
- authentication open
- authentication order
- authentication periodic
- authentication port-control
- authentication priority
- authentication timer inactivity
- authentication timer reauthenticate
- authentication timer restart
- authentication violation
- auth-type
authentication command bounce-port ignore
To configure the router to ignore a RADIUS Change of Authorization (CoA) bounce port command, use the authentication command bounce-port ignore command in global configuration mode. To return to the default status, use the no form of this command.
authentication command bounce-port ignore
no authentication command bounce-port ignore
Syntax Description
This command has no arguments or keywords.
Command Default
The router accepts a RADIUS CoA bounce port command.
Command Modes
Global configuration
Command History
Release |
Modification |
---|---|
12.2(52)SE |
This command was introduced. |
12.2(33)SXI4 |
This command was integrated into Cisco IOS Release 12.2(33)SXI4. |
15.2(2)T |
This command was integrated into Cisco IOS Release 15.2(2)T. |
Usage Guidelines
A RADIUS CoA bounce port command sent from a RADIUS server causes a link flap on an authentication port, which triggers Dynamic Host Configuration Protocol (DHCP) renegotiation by every host connected to that port. The server typically issues the command after a VLAN change when the endpoint is a device (such as a printer) that has no other way to detect that its port has moved to a new VLAN. Because the flap affects every host on the port, not only the one whose VLAN changed, the authentication command bounce-port ignore command configures the router to ignore the RADIUS CoA bounce port command so that no link flap occurs on the hosts connected to an authentication port.
Examples
This example shows how to configure the router to ignore a RADIUS CoA bounce port command:
Router(config)# aaa new-model
Router(config)# authentication command bounce-port ignore
Related Commands
Command |
Description |
---|---|
authentication command disable-port ignore |
Configures the router to ignore a RADIUS server CoA disable port command. |
authentication command disable-port ignore
To allow the router to ignore a RADIUS server Change of Authorization (CoA) disable port command, use the authentication command disable-port ignore command in global configuration mode. To return to the default status, use the no form of this command.
authentication command disable-port ignore
no authentication command disable-port ignore
Syntax Description
This command has no arguments or keywords.
Command Default
The router accepts a RADIUS CoA disable port command.
Command Modes
Global configuration
Command History
Release |
Modification |
---|---|
12.2(52)SE |
This command was introduced. |
12.2(33)SXI4 |
This command was integrated into Cisco IOS Release 12.2(33)SXI4. |
15.2(2)T |
This command was integrated into Cisco IOS Release 15.2(2)T. |
Usage Guidelines
The RADIUS server CoA disable port command administratively shuts down the authentication port that is hosting a session, which terminates that session and also disconnects every other host on the same port. Use the authentication command disable-port ignore command to configure the router to ignore the RADIUS server CoA disable port command so that the authentication port, and the other hosts on it, are not disconnected. Note that ignoring the command also removes the RADIUS server's ability to take a port out of service in response to a policy decision; weigh that loss against the impact on the other hosts before enabling it.
Examples
This example shows how to configure the router to ignore a CoA disable port command:
Router(config)# aaa new-model
Router(config)# authentication command disable-port ignore
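To make concrete what the two ignore commands disregard, here is an added example (not Cisco code and not part of this reference) that builds a RADIUS CoA-Request carrying the Cisco AVPair subscriber:command=bounce-host-port or subscriber:command=disable-host-port, then performs the checks a NAD must make before acting on it: packet length, Request Authenticator (RFC 5176) and Message-Authenticator (RFC 3579). The shared secret, the MAC address and the nad_action model of the switch's behaviour under the two ignore commands are constructed for the example.

```python
"""Build and verify a RADIUS CoA-Request carrying the Cisco AVPair that
triggers a bounce-host-port or disable-host-port on the NAD (RFC 5176
framing, Cisco-AVPair encoding). Constructed example, not Cisco code."""
import hashlib
import hmac
import struct

COA_REQUEST = 43                  # RFC 5176 packet code
ATTR_CALLING_STATION_ID = 31
ATTR_VENDOR_SPECIFIC = 26
ATTR_MESSAGE_AUTHENTICATOR = 80
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1

# The two CoA commands that the page's ignore commands make the NAD disregard.
BOUNCE = b"subscriber:command=bounce-host-port"
DISABLE = b"subscriber:command=disable-host-port"


def _avp(attr_type, value):
    """Type(1) Length(1) Value: the basic RADIUS attribute TLV."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_avpair(value):
    """Vendor-Specific(26): Vendor-Id(4) + Vendor-Type(1) Vendor-Length(1) + string."""
    inner = struct.pack("!BB", CISCO_AVPAIR, 2 + len(value)) + value
    return _avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_coa(secret, ident, mac, command):
    """CoA-Request as a RADIUS server would send it to the switch."""
    attrs = _avp(ATTR_CALLING_STATION_ID, mac.encode())
    attrs += cisco_avpair(command)
    attrs += _avp(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))   # placeholder, filled below
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    # Message-Authenticator (RFC 3579 s3.2): HMAC-MD5 keyed with the shared secret
    # over the packet with the Authenticator field and this attribute's value zeroed.
    msg_auth = hmac.new(secret, header + bytes(16) + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + msg_auth
    # Request Authenticator (RFC 5176 s2.3, same rule as Accounting-Request):
    # MD5(Code + ID + Length + 16 zero octets + Attributes + Secret).
    req_auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + req_auth + attrs


def verify_coa(secret, packet):
    """The checks a NAD must pass before acting on a CoA-Request.
    Returns {'mac': ..., 'command': ...}; raises ValueError on any failure."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        raise ValueError("not a well-formed CoA-Request")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        raise ValueError("bad Request Authenticator: wrong secret or tampered packet")
    mac = command = ma_offset = None
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute")
        t, l = attrs[i], attrs[i + 1]
        val = attrs[i + 2:i + l]
        if t == ATTR_CALLING_STATION_ID:
            mac = val.decode()
        elif (t == ATTR_VENDOR_SPECIFIC and len(val) >= 6
              and val[:4] == struct.pack("!I", CISCO_VENDOR_ID) and val[4] == CISCO_AVPAIR):
            command = val[6:4 + val[5]]
        elif t == ATTR_MESSAGE_AUTHENTICATOR and l == 18:
            ma_offset = i + 2
        i += l
    if ma_offset is None:
        raise ValueError("Message-Authenticator missing; refusing to act")
    zeroed = attrs[:ma_offset] + bytes(16) + attrs[ma_offset + 16:]
    expected_ma = hmac.new(secret, packet[:4] + bytes(16) + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(attrs[ma_offset:ma_offset + 16], expected_ma):
        raise ValueError("bad Message-Authenticator")
    return {"mac": mac, "command": command}


def is_valid_coa(secret, packet):
    try:
        verify_coa(secret, packet)
        return True
    except ValueError:
        return False


def nad_action(secret, packet, ignore_bounce=False, ignore_disable=False):
    """Simplified model of what the switch does with a valid request under
    'authentication command bounce-port ignore' / 'disable-port ignore'."""
    command = verify_coa(secret, packet)["command"]
    if command == BOUNCE:
        return "ignored" if ignore_bounce else "link-flap"
    if command == DISABLE:
        return "ignored" if ignore_disable else "port-shutdown"
    return "unsupported-command"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"        # constructed sample value
    pkt = build_coa(secret, 7, "00-11-22-33-44-55", BOUNCE)
    print(len(pkt), nad_action(secret, pkt), nad_action(secret, pkt, ignore_bounce=True))
```

The verify step is where the security lies: a CoA-Request that fails either authenticator, or arrives without a Message-Authenticator, must be dropped, because anyone who can reach the NAD's CoA port (UDP 3799 by default) and knows or guesses the shared secret can otherwise bounce or shut down ports at will. The two ignore commands limit the blast radius of a legitimate server's commands; they are no substitute for a strong shared secret and a tightly scoped list of CoA clients.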
Related Commands
Command |
Description |
---|---|
authentication command bounce-port ignore |
Configures the router to ignore a RADIUS server CoA bounce port command. |
authentication control-direction
To set the direction of authentication control on a port, use the authentication control-direction command in interface configuration mode. To return to the default setting, use the no form of this command.
authentication control-direction { both | in }
no authentication control-direction
Syntax Description
both |
Enables bidirectional control on the port. |
in |
Enables unidirectional control on the port. |
Command Default
The port is set to bidirectional mode.
Command Modes
Interface configuration (config-if)
Command History
Release |
Modification |
---|---|
12.2(33)SXI |
This command was introduced. |
Usage Guidelines
The IEEE 802.1x standard is implemented to block traffic between nonauthenticated clients and network resources: a nonauthenticated client cannot communicate with any device on the network except the authenticator, and no device on the network can send traffic to the client. The one exception to the second half of that rule is a port configured as a unidirectional controlled port.
Unidirectional State
The IEEE 802.1x standard defines a unidirectional controlled port, which lets a device on the network "wake up" a client (for example, with a Wake-on-LAN frame) so that the client can be reauthenticated. When you use the authentication control-direction in command to configure the port as unidirectional, the port moves to the spanning-tree forwarding state and forwards traffic toward the unauthenticated client, while traffic from the client is still blocked until it authenticates.
Bidirectional State
When you use the authentication control-direction both command to configure a port as bidirectional, access is controlled in both directions: until a client authenticates, the port neither forwards traffic to the client nor accepts traffic from it, other than the EAPOL frames needed for authentication.
Examples
The following example shows how to enable unidirectional control:
Switch(config-if)# authentication control-direction in
The following example shows how to enable bidirectional control:
Switch(config-if)# authentication control-direction both
authentication event fail
To specify how the Auth Manager handles authentication failures as a result of unrecognized user credentials, use the authentication event fail command in interface configuration mode. To return to the default setting, use the no form of this command.
authentication event fail [ retry retry-count ] action { authorize vlan vlan-id | next-method }
no authentication event fail
Syntax Description
retry retry-count |
(Optional) Specifies how many times the authentication method is tried after an initial failure. |
action |
Specifies the action to be taken after an authentication failure as a result of incorrect user credentials. |
authorize vlan vlan-id |
Authorizes a restricted VLAN on a port after a failed authentication attempt. |
next-method |
Specifies that the next authentication method be invoked after a failed authentication attempt. The order of authentication methods is specified by the authentication order command. |
Command Default
Authentication is attempted two times after the initial failed attempt.
Command Modes
Interface configuration (config-if)
Command History
Release |
Modification |
---|---|
12.2(33)SXI |
This command was introduced. |
Usage Guidelines
Only the dot1x authentication method can signal this type of authentication failure.
Examples
The following example specifies that after three failed authentication attempts the port is assigned to a restricted VLAN:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface gigabitethernet0/3
Switch(config-if)# authentication event fail retry 3 action authorize vlan 40
Switch(config-if)# end
Related Commands
Command |
Description |
---|---|
authentication event no-response action |
Specifies the action to be taken when authentication fails due to a nonresponsive host. |
authentication order |
Specifies the order in which authentication methods are attempted. |
authentication event server alive action reinitialize
To reinitialize an authorized Auth Manager session when a previously unreachable authentication, authorization, and accounting (AAA) server becomes available, use the authentication event server alive action reinitialize command in interface configuration mode. To return to the default setting, use the no form of this command.
authentication event server alive action reinitialize
no authentication event server alive action reinitialize
Syntax Description
This command has no arguments or keywords.
Command Default
The session is not reinitialized.
Command Modes
Interface configuration (config-if)
Command History
Release |
Modification |
---|---|
12.2(33)SXI |
This command was introduced. |
Usage Guidelines
Use the authentication event server alive action reinitialize command to reinitialize authorized sessions when a previously unreachable AAA server becomes available.
Examples
The following example specifies that authorized sessions are reinitialized when a previously unreachable AAA server becomes available:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface gigabitethernet0/3
Switch(config-if)# authentication event server alive action reinitialize
Switch(config-if)# end
Related Commands
Command |
Description |
---|---|
authentication event server dead action authorize |
Specifies how to handle authorized sessions when the AAA server is unreachable. |
authentication event server dead action authorize
To authorize Auth Manager sessions when the authentication, authorization, and accounting (AAA) server becomes unreachable, use the authentication event server dead action authorize command in interface configuration mode. To return to the default setting, use the no form of this command.
authentication event server dead action authorize vlan vlan-id
no authentication event server dead action authorize
Syntax Description
vlan vlan-id |
Authorizes the port into the specified VLAN (the critical VLAN) when the AAA server cannot be reached, so that hosts are not locked out by a server outage. |
Command Default
No session is authorized.
Command Modes
Interface configuration (config-if)
Command History
Release |
Modification |
---|---|
12.2(33)SXI |
This command was introduced. |
Usage Guidelines
Use the authentication event server dead action authorize command to authorize sessions even when the AAA server is unavailable. Because sessions authorized this way have not presented valid credentials, restrict what the critical VLAN can reach, and pair this command with authentication event server alive action reinitialize so that the sessions are reauthenticated once the server returns.
Examples
The following example specifies that when the AAA server becomes unreachable, the port is assigned to VLAN 40:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface gigabitethernet0/3
Switch(config-if)# authentication event server dead action authorize vlan 40
Switch(config-if)# end
Related Commands
Command |
Description |
---|---|
authentication event server alive action reinitialize |
Reinitializes an authorized session when a previously unreachable AAA server becomes available. |
authentication fallback
To enable a web authentication fallback method, use the authentication fallback command in interface configuration mode. To disable web authentication fallback, use the no form of this command.
authentication fallback fallback-profile
no authentication fallback
Syntax Description
fallback-profile |
The name of the fallback profile for web authentication. |
Command Default
Web authentication fallback is not enabled.
Command Modes
Interface configuration (config-if)
Command History
Release |
Modification |
---|---|
12.2(33)SXI |
This command was introduced. |
15.2(2)T |
This command was integrated into Cisco IOS Release 15.2(2)T. |
Usage Guidelines
Use the authentication fallback command to specify the fallback profile for web authentication. Use the fallback profile command to specify the details of the profile.
Examples
The following example shows how to specify a fallback profile on a port:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface gigabitethernet1/0/3
Router(config-if)# authentication fallback profile1
Router(config-if)# end
Related Commands
Command |
Description |
---|---|
fallback profile |
Specifies the profile for web authentication. |
authentication host-mode
To allow hosts to gain access to a controlled port, use the authentication host-mode command in interface configuration mode. To return to the default setting, use the no form of this command.
authentication host-mode { single-host | multi-auth | multi-domain | multi-host } [open]
no authentication host-mode
Syntax Description
single-host |
Specifies that only one client can be authenticated on a port at any given time. A security violation occurs if more than one client is detected. |
multi-auth |
Specifies that multiple clients can be authenticated on the port at any given time. |
multi-domain |
Specifies that only one client per domain (DATA or VOICE) can be authenticated at a time. |
multi-host |
Specifies that after the first client is authenticated all subsequent clients are allowed access. |
open |
(Optional) Specifies that the port is open; that is, there are no access restrictions. |
Command Default
Access to a port is not allowed.
Command Modes
Interface configuration (config-if)
Command History
Release |
Modification |
---|---|
12.2(33)SXI |
This command was introduced. |
15.2(2)T |
This command was integrated into Cisco IOS Release 15.2(2)T. |
Usage Guidelines
Before you use this command, you must use the authentication port-control command with the keyword auto.
In multi-host mode, only one of the attached hosts has to be successfully authorized for all hosts to be granted network access. If the port becomes unauthorized (reauthentication fails or an Extensible Authentication Protocol over LAN [EAPOL] logoff message is received), all attached clients are denied access to the network.
Examples
The following example shows how to enable authentication in multi-host mode:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface gigabitethernet2/0/1
Switch(config-if)# authentication port-control auto
Switch(config-if)# authentication host-mode multi-host
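As an added illustration (a constructed model, not Cisco code or output), the following Python models how each host mode treats a second MAC address appearing on the same port, and how the action configured with authentication violation applies when the host mode is exceeded. The event format, the trace strings and the simplification that a host's domain is known when it is first seen are inventions of the model; the point it shows is that in multi-host mode a second device behind an authenticated one gets access without authenticating, which single-host treats as a violation and multi-auth handles by requiring its own authentication.

```python
"""Model of 'authentication host-mode' admission decisions and the
'authentication violation' action on one port. Constructed model, not Cisco code."""

HOST_MODES = ("single-host", "multi-host", "multi-auth", "multi-domain")


def simulate_host_mode(host_mode, violation, events):
    """events: ("seen", mac[, domain]) a new source MAC appears on the port,
    ("auth-ok", mac[, domain]) that MAC authenticates, ("logoff", mac) EAPOL
    logoff or failed reauthentication. domain defaults to "DATA" (assumption:
    the model learns a host's domain when it is first seen).
    Returns the MACs with network access, the port state and a trace."""
    if host_mode not in HOST_MODES or violation not in ("restrict", "shutdown"):
        raise ValueError("bad host mode or violation action")
    seen, authenticated, access, restricted = {}, {}, set(), set()
    state = {"port": "up", "trace": []}

    def violate(mac, why):
        if violation == "shutdown":
            state["port"] = "err-disabled"
            access.clear()
            authenticated.clear()
            state["trace"].append(f"{mac}: violation ({why}) -> port shut down, all hosts lose access")
        else:
            restricted.add(mac)
            state["trace"].append(f"{mac}: violation ({why}) -> traffic from {mac} dropped, others keep access")

    def too_many(mac, domain):
        others = {m: d for m, d in seen.items() if m != mac}
        if host_mode == "single-host" and others:
            return "more than one client on a single-host port"
        if host_mode == "multi-domain" and domain in others.values():
            return f"second client in the {domain} domain"
        return None

    for ev in events:
        kind, mac = ev[0], ev[1]
        domain = ev[2] if len(ev) > 2 else "DATA"
        if state["port"] == "err-disabled":
            state["trace"].append(f"{mac}: dropped, port is err-disabled")
            continue
        if kind == "seen":
            if mac in seen:
                continue
            seen[mac] = domain
            why = too_many(mac, domain)
            if why:
                violate(mac, why)
            elif host_mode == "multi-host" and authenticated:
                access.add(mac)      # the classic hub-behind-the-PC case
                state["trace"].append(f"{mac}: allowed without authenticating (multi-host, port already authorized)")
            else:
                state["trace"].append(f"{mac}: waiting for authentication")
        elif kind == "auth-ok":
            if mac in restricted:
                state["trace"].append(f"{mac}: still restricted after violation")
                continue
            if mac not in seen:
                seen[mac] = domain
                why = too_many(mac, domain)
                if why:
                    violate(mac, why)
                    continue
            authenticated[mac] = domain
            access.add(mac)
            if host_mode == "multi-host":
                access.update(seen)  # one success authorizes every attached host
            state["trace"].append(f"{mac}: authenticated in {domain}")
        elif kind == "logoff":
            authenticated.pop(mac, None)
            access.discard(mac)
            if host_mode == "multi-host" and not authenticated:
                access.clear()
                state["trace"].append(f"{mac}: logoff -> port unauthorized, all attached hosts denied")
            else:
                state["trace"].append(f"{mac}: logoff -> access removed")
        else:
            raise ValueError(f"unknown event {kind!r}")
    return {"access": access, "port": state["port"], "trace": state["trace"]}
```

Run it with the same three events (a PC is seen, authenticates, then a second MAC appears behind it) under each host mode to see the difference: multi-host grants the second MAC access, multi-auth leaves it waiting for its own authentication, and single-host raises a violation whose effect depends on the authentication violation setting.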
Related Commands
Command |
Description |
---|---|
authentication port-control |
Configures the authorization state of a controlled port. |
authentication open
To enable open access on this port, use the authentication open command in interface configuration mode. To disable open access on this port, use the no form of this command.
authentication open
no authentication open
Syntax Description
This command has no arguments or keywords.
Command Default
Open access is disabled.
Command Modes
Interface configuration (config-if)
Command History
Release |
Modification |
---|---|
12.2(33)SXI |
This command was introduced. |
Usage Guidelines
Open Access allows clients or devices to gain network access before authentication is performed, so the port forwards traffic from hosts that have not yet been authorized. Restrict what that pre-authentication traffic can reach (for example, with a port access list that permits only the services an unauthenticated host needs) so that the port is not effectively unauthenticated.
You can verify your settings by entering the show authentication privileged EXEC command.
This command overrides the authentication host-mode session-type open global configuration mode command for the port only.
Examples
The following example shows how to enable open access to a port:
Router(config-if)# authentication open
The following example shows how to disable open access on a port:
Router(config-if)# no authentication open
Related Commands
Command |
Description |
---|---|
show authentication |
Displays Authentication Manager information. |
authentication order
To specify the order in which the Auth Manager attempts to authenticate a client on a port, use the authentication order command in interface configuration mode. To return to the default authentication order, use the no form of this command.
authentication order { dot1x [ mab | webauth ] [webauth] | mab [ dot1x | webauth ] [webauth] | webauth }
no authentication order
Syntax Description
dot1x |
Specifies IEEE 802.1X authentication. |
mab |
Specifies MAC authentication bypass (MAB). |
webauth |
Specifies web-based authentication. |
Command Default
The default authentication order is dot1x, mab, and webauth.
Command Modes
Interface configuration (config-if)
Command History
Release |
Modification |
---|---|
12.2(33)SXI |
This command was introduced. |
15.2(2)T |
This command was integrated into Cisco IOS Release 15.2(2)T. |
Usage Guidelines
Use the authentication order command to specify explicitly which authentication methods are run and the order in which they are run. Each method may be entered only once in the list and no method can be listed after webauth.
Examples
The following example sets the authentication order for a port:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface fastethernet0/1
Router(config-if)# authentication order mab dot1x
Router(config-if)# end
Related Commands
Command |
Description |
---|---|
authentication priority |
Specifies the priority of authentication methods on a port. |
authentication periodic
To enable automatic reauthentication on a port, use the authentication periodic command in interface configuration or template configuration mode. To disable, use the no form of this command.
Note: Effective with Cisco IOS Release 12.2(33)SXI, the authentication periodic command replaces the dot1x reauthentication command.
authentication periodic
no authentication periodic
Syntax Description
This command has no arguments or keywords.
Command Default
Reauthentication is disabled.
Command Modes
Interface configuration (config-if)
Template configuration (config-template)
Command History
Release |
Modification |
---|---|
12.2(33)SXI |
This command was introduced. |
15.2(2)T |
This command was integrated into Cisco IOS Release 15.2(2)T. |
15.2(2)E |
This command was integrated into Cisco IOS Release 15.2(2)E. This command is supported in template configuration mode. |
Cisco IOS XE Release 3.6E |
This command was integrated into Cisco IOS XE Release 3.6E. This command is supported in template configuration mode. |
Usage Guidelines
Use the authentication periodic command to enable automatic reauthentication on a port. To configure the interval between reauthentication attempts, use the authentication timer reauthenticate command.
Examples
The following example shows how to enable reauthentication and set the interval to 1800 seconds:
Device# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Device(config)# interface fastethernet0/2
Device(config-if)# authentication periodic
Device(config-if)# authentication timer reauthenticate 1800
The following example shows how to enable reauthentication in an interface template:
Device# configure terminal
Device(config)# template user-template1
Device(config-template)# authentication periodic
Device(config-template)# end
Related Commands
Command |
Description |
---|---|
authentication timer reauthenticate |
Specifies the period of time between attempts to reauthenticate an authorized port. |
authentication port-control
To configure the authorization state of a controlled port, use the authentication port-control command in interface configuration mode. To disable the port-control value, use the no form of this command.
Note: Effective with Cisco IOS Release 12.2(33)SXI, the authentication port-control command replaces the dot1x port-control command.
authentication port-control { auto | force-authorized | force-unauthorized }
no authentication port-control
Syntax Description
auto |
Enables port-based authentication and causes the port to begin in the unauthorized state, allowing only Extensible Authentication Protocol over LAN (EAPOL) frames to be sent and received through the port. |
force-authorized |
Disables IEEE 802.1X on the interface and causes the port to change to the authorized state without requiring any authentication exchange. The port transmits and receives normal traffic without 802.1X-based authentication of the client. The force-authorized keyword is the default. |
force-unauthorized |
Denies all access through this interface by forcing the port to change to the unauthorized state, ignoring all attempts by the client to authenticate. |
Command Default
Ports are authorized without authentication exchanges.
Command Modes
Interface configuration (config-if)
Command History
Release |
Modification |
---|---|
12.2(33)SXI |
This command was introduced. |
15.2(2)T |
This command was integrated into Cisco IOS Release 15.2(2)T. |
Usage Guidelines
To verify port-control settings, use the show interfaces command and check the Status column in the 802.1X Port Summary section of the display. An enabled status means that the port-control value is set to auto or to force-unauthorized.
The authentication process begins when the link state of the port transitions from down to up or when an EAPOL-start frame is received. The system requests the identity of the client and begins relaying authentication messages between the client and the authentication server.
With CSCtr06196, use the dot1x pae authenticator command in interface configuration mode to set the Port Access Entity (PAE) type.
Examples
The following example shows how to specify that the authorization status of the client be determined by the authentication process:
Device# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Device(config)# interface ethernet0/2
Device(config-if)# authentication port-control auto
Related Commands
Command |
Description |
---|---|
show interfaces |
Displays information about interfaces. |
authentication priority
To specify the priority of authentication methods on a port, use the authentication priority command in interface configuration mode. To return to the default, use the no form of this command.
authentication priority { dot1x [ mab | webauth ] [webauth] | mab [ dot1x | webauth ] [webauth] | webauth }
no authentication priority
Syntax Description
dot1x |
Specifies IEEE 802.1X authentication. |
mab |
Specifies MAC-based authentication. |
webauth |
Specifies web-based authentication. |
Command Default
The default priority order is dot1x, mab, and webauth.
Command Modes
Interface configuration (config-if)
Command History
Release |
Modification |
---|---|
12.2(33)SXI |
This command was introduced. |
15.2(2)T |
This command was integrated into Cisco IOS Release 15.2(2)T. |
Usage Guidelines
The authentication order command specifies the order in which authentication methods are attempted. This order is the default priority. To override the default priority and allow higher priority methods to interrupt a running authentication method, use the authentication priority command.
Examples
The following example shows the commands used to configure the authentication order and the authentication priority on a port:
Router# configure terminal
Router(config)# interface fastethernet0/1
Router(config-if)# authentication order mab dot1x webauth
Router(config-if)# authentication priority dot1x mab
Router(config-if)# end
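The interaction between the two commands is easier to see as a trace. The following Python is an added model (not Cisco code) of one port's Auth Manager: the order list gives the sequence in which methods are tried after a failure, and the priority list decides whether a method that becomes available, for example dot1x when an EAPOL-Start arrives while MAB is running, may interrupt the active one. The event tuples, the rule that methods missing from the priority list rank below the listed ones, and the rule that a higher-priority method also displaces an already-authorized lower-priority one are assumptions of the model.

```python
"""Model of Auth Manager method selection on one port: 'authentication order'
fixes the sequence that is tried, 'authentication priority' decides whether a
method that becomes available may preempt the one already active.
Constructed model, not Cisco code."""

METHODS = ("dot1x", "mab", "webauth")


def validate_order(methods):
    """Enforce the page's rules: each method at most once, nothing after webauth."""
    methods = tuple(methods)
    if not methods or len(set(methods)) != len(methods):
        raise ValueError("each method may be listed only once")
    for m in methods:
        if m not in METHODS:
            raise ValueError(f"unknown method {m!r}")
    if "webauth" in methods and methods[-1] != "webauth":
        raise ValueError("no method may be listed after webauth")
    return methods


def order_is_valid(methods):
    try:
        validate_order(methods)
        return True
    except ValueError:
        return False


def simulate_port(order, priority=None, events=()):
    """Run a sequence of events through the model.

    events: ("link", "up"); (method, "start") when a method becomes available
    (an EAPOL-Start means dot1x); (method, "ok"); (method, "fail").
    Returns which method ended up authorizing the port plus a readable trace.
    """
    order = validate_order(order)
    priority = validate_order(priority) if priority else order   # default: same as order
    # Assumption of this model: methods not named in the priority list rank
    # below the named ones, in 'order' sequence.
    ranked = list(priority) + [m for m in order if m not in priority]
    rank = {m: i for i, m in enumerate(ranked)}      # lower index = higher priority
    running = authorized = None
    trace = []
    for method, outcome in events:
        if (method, outcome) == ("link", "up"):
            running, authorized = order[0], None
            trace.append(f"link up: start {running}")
        elif method not in order:
            trace.append(f"{method} {outcome} ignored: not in authentication order")
        elif outcome == "start":
            active = running or authorized
            if active is None:
                running = method
                trace.append(f"start {method}")
            elif method == active:
                trace.append(f"{method} already active")
            elif rank[method] < rank[active]:
                # Higher-priority method interrupts the active one (assumption:
                # also when the lower-priority method has already authorized).
                running, authorized = method, None
                trace.append(f"{method} preempts {active}")
            else:
                trace.append(f"{method} ignored: lower priority than {active}")
        elif method == running and outcome == "ok":
            authorized, running = method, None
            trace.append(f"{method} ok: port authorized by {method}")
        elif method == running and outcome == "fail":
            nxt = order.index(method) + 1
            if nxt < len(order):
                running = order[nxt]
                trace.append(f"{method} fail: next-method {running}")
            else:
                running = None
                trace.append(f"{method} fail: no methods left, port unauthorized")
        else:
            trace.append(f"{method} {outcome} ignored: not the running method")
    return {"authorized": authorized, "running": running, "trace": trace}
```

Feed the same events (link up, EAPOL-Start from a supplicant during MAB, then MAB and dot1x results) to order mab dot1x with and without priority dot1x mab: without the priority the supplicant is ignored and the port stays authorized by MAB, with it dot1x takes over and MAB's result is discarded, which is exactly what the command above is for.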
Related Commands
Command |
Description |
---|---|
authentication order |
Specifies the order in which the Auth Manager attempts to authenticate a client on a port. |
authentication timer inactivity
To configure the time after which an inactive Auth Manager session is terminated, use the authentication timer inactivity command in interface configuration mode. To disable the inactivity timer, use the no form of this command.
authentication timer inactivity { seconds | server }
no authentication timer inactivity
Syntax Description
seconds |
The period of inactivity, in seconds, allowed before an Auth Manager session is terminated and the port is unauthorized. The range is from 1 to 65535. |
server |
Specifies that the period of inactivity is defined by the Idle-Timeout value (RADIUS Attribute 28) on the authentication, authorization, and accounting (AAA) server. |
Command Default
The inactivity timer is disabled.
Command Modes
Interface configuration (config-if)
Command History
Release |
Modification |
---|---|
12.2(33)SXI |
This command was introduced. |
15.2(2)T |
This command was integrated into Cisco IOS Release 15.2(2)T. |
Usage Guidelines
To prevent pointless reauthentication of sessions that have gone idle, use the authentication timer inactivity command to set the inactivity timer to an interval shorter than the reauthentication interval set with the authentication timer reauthenticate command; an idle session then ends before it comes up for reauthentication.
Examples
The following example sets the inactivity interval on a port to 900 seconds:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface GigabitEthernet6/0
Switch(config-if)# authentication timer inactivity 900
Switch(config-if)# end
Related Commands
Command |
Description |
---|---|
authentication timer reauthenticate |
Specifies the time after which the Auth Manager attempts to reauthenticate an authorized port. |
authentication timer restart |
Specifies the interval after which the Auth Manager attempts to authenticate an unauthorized port. |
authentication timer reauthenticate
To specify the interval at which the Auth Manager attempts to reauthenticate authorized ports, use the authentication timer reauthenticate command in interface configuration or template configuration mode. To reset the reauthentication interval to the default, use the no form of this command.
authentication timer reauthenticate { seconds | server }
no authentication timer reauthenticate
Syntax Description
seconds |
The number of seconds between reauthentication attempts. The range is from 1 to 65535. The default is 3600. |
server |
Specifies that the interval between reauthentication attempts is defined by the Session-Timeout value (RADIUS Attribute 27) on the authentication, authorization, and accounting (AAA) server. |
Command Default
The automatic reauthentication interval is set to 3600 seconds.
Command Modes
Interface configuration (config-if)
Template configuration (config-template)
Command History
Release |
Modification |
---|---|
12.2(33)SXI |
This command was introduced. |
15.2(2)T |
This command was integrated into Cisco IOS Release 15.2(2)T. |
15.2(2)E |
This command was integrated into Cisco IOS Release 15.2(2)E. This command is supported in template configuration mode. |
Cisco IOS XE Release 3.6E |
This command was integrated into Cisco IOS XE Release 3.6E. This command is supported in template configuration mode. |
Usage Guidelines
Use the authentication timer reauthenticate command to set the automatic reauthentication interval of an authorized port. If you use the authentication timer inactivity command to configure an inactivity interval, configure the reauthentication interval to be longer than the inactivity interval.
Examples
The following example shows how to set the reauthentication interval on a port to 1800 seconds:
Device# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Device(config)# interface GigabitEthernet6/0
Device(config-if)# authentication timer reauthenticate 1800
Device(config-if)# end
The following example shows how to set the reauthentication interval on a port to 1500 seconds for an interface template:
Device# configure terminal
Device(config)# template user-template1
Device(config-template)# authentication timer reauthenticate 1500
Device(config-template)# end
Related Commands
Command |
Description |
---|---|
authentication periodic |
Enables automatic reauthentication. |
authentication timer inactivity |
Specifies the interval after which the Auth Manager ends an inactive session. |
authentication timer restart |
Specifies the interval after which the Auth Manager attempts to authenticate an unauthorized port. |
authentication timer restart
To specify the period of time after which the Auth Manager attempts to authenticate an unauthorized port, use the authentication timer restart command in interface configuration mode. To reset the interval to the default value, use the no form of this command.
authentication timer restart seconds
no authentication timer restart
Syntax Description
seconds |
The number of seconds between attempts to authenticate an unauthorized port. The range is 1 to 65535. The default is 60. |
Command Default
An unauthorized port is retried every 60 seconds.
Command Modes
Interface configuration (config-if)
Command History
Release |
Modification |
---|---|
12.2(33)SXI |
This command was introduced. |
15.2(2)T |
This command was integrated into Cisco IOS Release 15.2(2)T. |
Usage Guidelines
Use the authentication timer restart command to specify the interval between attempts to authenticate an unauthorized port. The default interval is 60 seconds.
Examples
The following example sets the authentication timer interval to 120 seconds:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface GigabitEthernet6/0
Router(config-if)# authentication timer restart 120
Router(config-if)# end
Related Commands
Command |
Description |
---|---|
authentication timer inactivity |
Specifies the interval after which the Auth Manager ends an inactive session. |
authentication timer reauthenticate |
Specifies the time after which the Auth Manager attempts to reauthenticate an authorized port. |
authentication violation
To specify the action to be taken when a security violation occurs on a port, use the authentication violationcommand in interface configuration mode. To return to the default action, use the no form of this command.
authentication violation { restrict | shutdown }
no authentication violation
Syntax Description
restrict |
Specifies that the port restrict traffic with the domain from which the security violation occurs. |
shutdown |
Specifies that the port shuts down upon a security violation. |
Command Default
Ports are shut down when a security violation occurs.
Command Modes
Interface configuration (config-if)
Command History
Release |
Modification |
---|---|
12.2(33)SXI |
This command was introduced. |
15.2(2)T |
This command was integrated into Cisco IOS Release 15.2(2)T. |
Usage Guidelines
A security violation occurs when the port detects more hosts, or more hosts per domain, than the configured authentication host-mode allows. Use the authentication violation command to specify whether the port then shuts down (the default) or keeps running and restricts the offending traffic.
Examples
The following example configures the GigabitEthernet interface to restrict traffic when a security violation occurs:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface GigabitEthernet6/2
Switch(config-if)# authentication violation restrict
Switch(config-if)# end
auth-type
To set policy for devices that are dynamically authenticated or unauthenticated, use the auth-type command in identity profile configuration mode. To remove the policy that was specified, use the no form of this command.
auth-type { authorize | not-authorize } policy policy-name
no auth-type { authorize | not-authorize } policy policy-name
Syntax Description
authorize |
Policy is specified for all authorized devices. |
not-authorize |
Policy is specified for all unauthorized devices. |
policy policy-name |
Specifies the name of the identity policy to apply for the associated authentication result. |
Command Default
A policy is not set for authorized or unauthorized devices.
Command Modes
Identity profile configuration
Command History
Release |
Modification |
---|---|
12.3(8)T |
This command was introduced. |
12.2(33)SXI |
This command was integrated into Cisco IOS Release 12.2(33)SXI. |
Usage Guidelines
This command is used when a device is dynamically authenticated or unauthenticated by the network access device, and the device requires the name of the policy that should be applied for that authentication result.
Examples
The following example applies the identity policy "grant" to all hosts that 802.1x dynamically authenticates:
Router(config)# ip access-list extended allow-acl
Router(config-ext-nacl)# permit ip any any
Router(config-ext-nacl)# exit
Router(config)# identity policy grant
Router(config-identity-policy)# access-group allow-acl
Router(config-identity-policy)# exit
Router(config)# identity profile dot1x
Router(config-identity-prof)# auth-type authorize policy grant
Related Commands
Command |
Description |
---|---|
identity policy |
Creates an identity policy. |
identity profile dot1x |
Creates an 802.1x identity profile. |