To specify which servers are used for authentication when 802.1X authentication is enabled, use the aaa authentication dot1x command in Global Configuration mode. To restore the default configuration, use the no form of this command.

Syntax

aaa authentication dot1x default {radius | none | {radius none}}

no aaa authentication dot1x default

Parameters

• radius - Uses the list of all RADIUS servers for authentication

• none - Uses no authentication

Default Configuration

RADIUS server.

Command Mode

Global Configuration mode

User Guidelines

You can select either authentication by a RADIUS server, no authentication (none), or both methods.

If you require that authentication succeeds even if no RADIUS server response was received, specify none as the final method in the command line.

Example

The following example sets the 802.1X authentication mode to RADIUS server authentication. Even if no response was received, authentication succeeds.

switchxxxxxx(config)# aaa authentication dot1x default radius none

To clear 802.1X statistics, use the clear dot1x statistics command in Privileged EXEC mode.

Syntax

clear dot1x statistics [interface-id]

Parameters

• interface-id—Specify an Ethernet port ID.

Default Configuration

Statistics on all ports are cleared.

Command Mode

Privileged EXEC mode

User Guidelines

This command clears all the counters displayed in the show dot1x and show dot1x statistics command.

Example

switchxxxxxx# clear dot1x statistics

To define a guest VLAN, use the dot1x guest-vlan mode command in Interface (VLAN) Configuration mode. To restore the default configuration, use the no form of this command.

Syntax

dot1x guest-vlan

no dot1x guest-vlan

Default Configuration

No VLAN is defined as a guest VLAN.

Command Mode

Interface (VLAN) Configuration mode

User Guidelines

A device can have only one global guest VLAN.

The guest VLAN must be a static VLAN and it cannot be removed.

An unauthorized VLAN cannot be configured as guest VLAN.

Example

The following example defines VLAN 2 as a guest VLAN.

switchxxxxxx(config)# interface vlan 2
switchxxxxxx(config-if)# dot1x guest-vlan

To enable unauthorized users on the access interface to the guest VLAN, use the dot1x guest-vlan enable command in Interface Configuration mode. To disable access, use the no form of this command.

Syntax

dot1x guest-vlan enable

no dot1x guest-vlan enable

Default Configuration

The default configuration is disabled.

Command Mode

Interface (Ethernet) Configuration mode

User Guidelines

The guest VLAN and the WEB-Based authentication cannot be configured on a port at the same time.

This command cannot be configured if the monitoring VLAN is enabled on the interface.

If the port does not belong to the guest VLAN it is added to the guest VLAN as an egress untagged port.

If the authentication mode is single-host or multi-host, the value of PVID is set to the guest VLAN_ID.

If the authentication mode is multi-sessions mode, the PVID is not changed and all untagged traffic and tagged traffic not belonging to the unauthenticated VLANs from unauthorized hosts are mapped to the guest VLAN.

If 802.1X is disabled, the port static configuration is reset.

Example

The following example enables unauthorized users on gi1/0/1 to access the guest VLAN.

switchxxxxxx(config)# interface gi1/0/1
switchxxxxxx(config-if)# dot1x guest-vlan enable

To set the time delay between enabling 802.1X (or port up) and adding a port to the guest VLAN, use the dot1x guest-vlan timeout command in Global Configuration mode. To restore the default configuration, use the no form of this command.

Syntax

dot1x guest-vlan timeout timeout

no dot1x guest-vlan timeout

Parameters

• timeout—Specifies the time delay in seconds between enabling 802.1X (or port up) and adding the port to the guest VLAN. (Range: 30–180).

Default Configuration

The guest VLAN is applied immediately.

Command Mode

Global Configuration mode

User Guidelines

This command is relevant if the guest VLAN is enabled on the port. Configuring the timeout adds a delay from enabling 802.1X (or port up) to the time the device adds the port to the guest VLAN.

Example

The following example sets the delay between enabling 802.1X and adding a port to a guest VLAN to 60 seconds.

switchxxxxxx(config)# dot1x guest-vlan timeout 60

To allow a single host (client) or multiple hosts on an IEEE 802.1X-authorized port, use the dot1x host-mode command in Interface Configuration mode. To restore the default configuration, use the no form of this command.

Syntax

dot1x host-mode {multi-host | single-host | multi-sessions}

Parameters

• multi-host—Enable multiple-hosts mode.

• single-host—Enable single-hosts mode.

• multi-sessions—Enable multiple-sessions mode.

Default Configuration

Default mode is multi-host.

Command Mode

Interface (Ethernet) Configuration mode

User Guidelines

Single-Host Mode

The single-host mode manages the authentication status of the port: the port is authorized if there is an authorized host. In this mode, only a single host can be authorized on the port.

When a port is unauthorized and the guest VLAN is enabled, untagged traffic is remapped to the guest VLAN. Tagged traffic is dropped unless the VLAN tag is the guest VLAN or the unauthenticated VLANs. If guest VLAN is not enabled on the port, only tagged traffic belonging to the unauthenticated VLANs is bridged.

When a port is authorized, untagged and tagged traffic from the authorized host is bridged based on the static vlan membership configured at the port. Traffic from other hosts is dropped.

A user can specify that untagged traffic from the authorized host will be remapped to a VLAN that is assigned by a RADIUS server during the authentication process. In this case, tagged traffic is dropped unless the VLAN tag is the RADIUS-assigned VLAN or the unauthenticated VLANs.

The switch removes from FDB all MAC addresses learned on a port when its authentication status is changed from authorized to unauthorized.

Multi-Host Mode

The multi-host mode manages the authentication status of the port: the port is authorized after at least one host is authorized.

When a port is unauthorized and the guest VLAN is enabled, untagged traffic is remapped to the guest VLAN. Tagged traffic is dropped unless the VLAN tag is the guest VLAN or the unauthenticated VLANs. If guest VLAN is not enabled on the port, only tagged traffic belonging to the unauthenticated VLANs is bridged.

When a port is authorized, untagged and tagged traffic from all hosts connected to the port is bridged based on the static vlan membership configured at the port.

A user can specify that untagged traffic from the authorized port will be remapped to a VLAN that is assigned by a RADIUS server during the authentication process. In this case, tagged traffic is dropped unless the VLAN tag is the RADIUS assigned VLAN or the unauthenticated VLANs.

The switch removes from FDB all MAC addresses learned on a port when its authentication status is changed from authorized to unauthorized.

Multi-Sessions Mode

Unlike the single-host and multi-host modes (port-based modes) the multi-sessions mode manages the authentication status for each host connected to the port (session-based mode). If the multi-sessions mode is configured on a port the port does have any authentication status. Any number of hosts can be authorized on the port. The command can limit the maximum number of authorized hosts allowed on the port.

Each authorized client requires a TCAM rule. If there is no available space in the TCAM, the authentication is rejected.

When using the dot1x host-mode command to change the port mode to single-host or multi-host when authentication is enabled, the port state is set to unauthorized.

If the dot1x host-mode command changes the port mode to multi-session when authentication is enabled, the state of all attached hosts is set to unauthorized.

To change the port mode to single-host or multi-host, set the port (dot1x port-control) to force-unauthorized, change the port mode to single-host or multi-host, and set the port to authorization auto.

Tagged traffic belonging to the unauthenticated VLANs is always bridged regardless if a host is authorized or not.

When the guest VLAN is enabled, untagged and tagged traffic from unauthorized hosts not belonging to the unauthenticated VLANs is bridged via the guest VLAN.

Traffic from an authorized hosts is bridged in accordance with the port static configuration. A user can specify that untagged and tagged traffic from the authorized host not belonging to the unauthenticated VLANs will be remapped to a VLAN that is assigned by a RADIUS server during the authentication process.

The switch does not remove from FDB the host MAC address learned on the port when its authentication status is changed from authorized to unauthorized. The MAC address will be removed after the aging timeout expires.

802.1x enabled on a port associated with a port channel has the following limitations:

• Only the 802.1X-based authentication is supported.

• Only the multi-host (legacy 802.1x mode) mode is supported.

Example

switchxxxxxx(config)# interface gi1/0/1
switchxxxxxx(config-if)# dot1x host-mode multi-host

To configure the maximum number of authorized hosts allowed on the interface, use the dot1x max-hosts command in Interface Configuration mode. To restore the default configuration, use the no form of this command.

Syntax

dot1x max-hosts count

no dot1x max-hosts

Parameters

• count—Specifies the maximum number of authorized hosts allowed on the interface. May be any 32 bits positive number.

Default Configuration

No limitation.

Command Mode

Interface (Ethernet) Configuration mode

User Guidelines

By default, the number of authorized hosts allowed on an interface is not limited. To limit the number of authorized hosts allowed on an interface, use the dot1x max-hosts command.

This command is relevant only for multi-session mode.

Example

The following example limits the maximum number of authorized hosts on Ethernet port gi1/0/1 to 6:

switchxxxxxx(config)# interface gi1/0/1
switchxxxxxx(config-if)# dot1x max-hosts 6

To set the maximum number of times that the device sends an Extensible Authentication Protocol (EAP) request/identity frame (assuming that no response is received) to the client before restarting the authentication process, use the dot1x max-req command in Interface Configuration mode. To restore the default configuration, use the no form of this command.

Syntax

dot1x max-req count

no dot1x max-req

Parameters

• count—Specifies the maximum number of times that the device sends an EAP request/identity frame before restarting the authentication process. (Range: 1–10).

Default Configuration

The default maximum number of attempts is 2.

Command Mode

Interface (Ethernet) Configuration mode

User Guidelines

The default value of this command should be changed only to adjust to unusual circumstances, such as unreliable links or specific behavioral problems with certain clients and authentication servers.

Example

The following example sets the maximum number of times that the device sends an EAP request/identity frame to 6.

switchxxxxxx(config)# interface gi1/0/1
switchxxxxxx(config-if)# dot1x max-req 6

To enable manual control of the port authorization state, use the dot1x port-control command in Interface Configuration mode. To restore the default configuration, use the no form of this command.

Syntax

dot1x port-control {auto | force-authorized | force-unauthorized} [time-range time-range-name]

no dot1x port-control

Parameters

• auto—Enables 802.1X authentication on the port and causes it to transition to the authorized or unauthorized state, based on the 802.1X authentication exchange between the device and the client.

• force-authorized—Disables 802.1X authentication on the interface and causes the port to transition to the authorized state without any authentication exchange required. The port sends and receives traffic without 802.1X-based client authentication.

• force-unauthorized—Denies all access through this port by forcing it to transition to the unauthorized state and ignoring all attempts by the client to authenticate. The device cannot provide authentication services to the client through this port.

• time-range time-range-name—Specifies a time range. When the Time Range is not in effect, the port state is Unauthorized. (Range: 1-32 characters).

Default Configuration

The port is in the force-authorized state.

Command Mode

Interface (Ethernet) Configuration mode

User Guidelines

802.1X authentication cannot be enabled on an interface if port security feature is already enabled on the same interface.

Note	It is recommended to disable spanning tree or to enable spanning-tree PortFast mode on 802.1X edge ports in auto state that are connected to end stations, in order to proceed to the forwarding state immediately after successful authentication.

Example

The following example sets 802.1X authentication on gi1/0/1 to auto mode.

switchxxxxxx(config)# interface gi1/0/1
switchxxxxxx(config-if)# dot1x port-control auto

To initiate manually re-authentication of all 802.1X-enabled ports or the specified 802.1X-enabled port, use the dot1x re-authenticate command in Privileged EXEC mode.

Syntax

dot1x re-authenticate [interface-id]

Parameters

• interface-id—Specifies an Ethernet port.

Default Configuration

If no port is specified, command is applied to all ports.

Command Mode

Privileged EXEC mode

Example

The following command manually initiates re-authentication of 802.1X-enabled gi1/0/1:

switchxxxxxx# dot1x re-authenticate gi1/0/1

To enable periodic re-authentication of the client, use the dot1x reauthentication command in Interface Configuration mode. To restore the default configuration, use the no form of this command.

Syntax

dot1x reauthentication

no dot1x reauthentication

Default Configuration

Periodic re-authentication is disabled.

Command Mode

Interface (Ethernet, OOB) Configuration mode

Example

switchxxxxxx(config)# interface gi1/0/1
switchxxxxxx(config-if)# dot1x reauthentication

To enable 802.1X globally, use the dot1x system-auth-control command in Global Configuration mode. To restore the default configuration, use the no form of this command.

Syntax

dot1x system-auth-control

no dot1x system-auth-control

Default Configuration

Disabled.

Command Mode

Global Configuration mode

Example

The following example enables 802.1X globally.

switchxxxxxx(config)# dot1x system-auth-control

To set the time interval that the device remains in a quiet state following a failed authentication exchange, use the dot1x timeout quiet-period command in Interface Configuration mode. To restore the default configuration, use the no form of this command.

Syntax

dot1x timeout quiet-period seconds

no dot1x timeout quiet-period

Parameters

• seconds—Specifies the time interval in seconds that the device remains in a quiet state following a failed authentication exchange with a client. (Range: 10–65535 seconds).

Default Configuration

The default quiet period is 60 seconds.

Command Mode

Interface (Ethernet) Configuration mode

User Guidelines

During the quiet period, the device does not accept or initiate authentication requests.

The default value of this command should only be changed to adjust to unusual circumstances, such as unreliable links or specific behavioral problems with certain clients and authentication servers.

To provide faster response time to the user, a smaller number than the default value should be entered.

For 802.1x and MAC-based authentication, the number of failed logins is 1.

For WEB-based authentication, the quiet period is applied after a number of failed attempts.

For 802.1x-based and MAC-based authentication methods, the quiet period is applied after each failed attempt.

Example

The following example sets the time interval that the device remains in the quiet state following a failed authentication exchange to 120 seconds.

switchxxxxxx(config)# interface gi1/0/1
switchxxxxxx(config-if)# dot1x timeout quiet-period 120

To set the number of seconds between re-authentication attempts, use the dot1x timeout reauth-period command in Interface Configuration mode. To restore the default configuration, use the no form of this command.

Syntax

dot1x timeout reauth-period seconds

no dot1x timeout reauth-period

Parameters

• reauth-period seconds—Number of seconds between re-authentication attempts. (Range: 300-4294967295).

Default Configuration

3600

Command Mode

Interface (Ethernet) Configuration mode

User Guidelines

The command is only applied to the 802.1x authentication method.

Example

switchxxxxxx(config)# interface gi1/0/1
switchxxxxxx(config-if)# dot1x timeout reauth-period 5000

To set the time interval during which the device waits for a response from the authentication server, use the dot1x timeout server-timeout command in Interface Configuration mode. To restore the default configuration, use the no form of this command.

Syntax

dot1x timeout server-timeout seconds

no dot1x timeout server-timeout

Parameters

• server-timeout seconds—Specifies the time interval in seconds during which the device waits for a response from the authentication server. (Range: 1–65535 seconds).

Default Configuration

The default timeout period is 30 seconds.

Command Mode

Interface (Ethernet) Configuration mode

User Guidelines

The actual timeout period can be determined by comparing the value specified by this command to the result of multiplying the number of retries specified by the radius-server retransmit command by the timeout period specified by the radius-server transmit command, and selecting the lower of the two values.

Example

The following example sets the time interval between retransmission of packets to the authentication server to 3600 seconds.

switchxxxxxx(config)# interface gi1/0/1
switchxxxxxx(config-if)# dot1x timeout server-timeout 3600

To set the time interval during which the device waits for a response to an Extensible Authentication Protocol (EAP) request frame from the client before resending the request, use the dot1x timeout supp-timeout command in Interface Configuration mode. To restore the default configuration, use the no form of this command.

Syntax

dot1x timeout supp-timeout seconds

no dot1x timeout supp-timeout

Parameters

• supp-timeout seconds—Specifies the time interval in seconds during which the device waits for a response to an EAP request frame from the client before resending the request. (Range: 1–65535 seconds).

Default Configuration

The default timeout period is 30 seconds.

Command Mode

Interface (Ethernet) Configuration mode

User Guidelines

The default value of this command should be changed only to adjust to unusual circumstances, such as unreliable links or specific behavioral problems with certain clients and authentication servers.

The command is only applied to the 802.1x authentication method.

Example

The following example sets the time interval during which the device waits for a response to an EAP request frame from the client before resending the request to 3600 seconds.

switchxxxxxx(config)# interface gi1/0/1
switchxxxxxx(config-if)# dot1x timeout supp-timeout 3600

To set the time interval during which the device waits for a response to an Extensible Authentication Protocol (EAP) request/identity frame from the client before resending the request, use the dot1x timeout tx-period command in Interface Configuration mode. To restore the default configuration, use the no form of this command.

Syntax

dot1x timeout tx-period seconds

no dot1x timeout tx-period

Parameters

• seconds—Specifies the time interval in seconds during which the device waits for a response to an EAP-request/identity frame from the client before resending the request. (Range: 30–65535 seconds).

Default Configuration

The default timeout period is 30 seconds.

Command Mode

Interface (Ethernet) Configuration mode

User Guidelines

The default value of this command should be changed only to adjust to unusual circumstances, such as unreliable links or specific behavioral problems with certain clients and authentication servers.

The command is only applied to the 802.1x authentication method.

Example

The following command sets the time interval during which the device waits for a response to an EAP request/identity frame to 60 seconds.

switchxxxxxx(config)# interface gi1/0/1:
switchxxxxxx(config-if)# dot1x timeout tx-period 60

To enable sending traps when an 802.1X authentication method failed, use the dot1x traps authentication failure command in Global Configuration mode. To restore the default configuration, use the no form of this command.

Syntax

dot1x traps authentication failure {[802.1x] [mac] [web]}

no dot1x traps authentication failure

Parameters

• 802.1x—Enables traps for 802.1X-based authentication.

• mac—Enables traps for MAC-based authentication.

• web—Enables traps for WEB-based authentication.

Default Configuration

All traps are disabled.

Command Mode

Global Configuration mode

User Guidelines

Any combination of the keywords are allowed. At least one keyword must be configured.

A rate limit is applied to the traps: not more than one trap of this type can be sent in 10 seconds.

Example

The following example enables sending traps when a MAC address fails to be authorized by the 802.1X mac-authentication access control.

switchxxxxxx(config)# dot1x traps authentication failure 802.1x

To enable sending traps when a host is successfully authorized by an 802.1X authentication method, use the dot1x traps authentication success command in Global Configuration mode. To disable the traps, use the no form of this command.

Syntax

dot1x traps authentication success {[802.1x] [mac] [web]}

no dot1x traps authentication success

Parameters

• 802.1x—Enables traps for 802.1X-based authentication.

• mac—Enables traps for MAC-based authentication.

• web—Enables traps for WEB-based authentication.

Default Configuration

Success traps are disabled.

Command Mode

Global Configuration mode

User Guidelines

Any combination of the keywords are allowed. At least one keyword must be configured.

A rate limit is applied to the traps: not more than one trap of this type can be sent in 10 seconds.

Example

The following example enables sending traps when a MAC address is successfully authorized by the 802.1X MAC-authentication access control.

switchxxxxxx(config)# dot1x traps authentication success mac

To configure the action to be taken when an unauthorized host on authorized port in single-host mode attempts to access the interface, use the dot1x violation-mode command in Interface Configuration mode. To restore the default configuration, use the no form of this command.

Syntax

dot1x violation-mode {restrict | protect | shutdown} [traps seconds]

no dot1x violation-mode

Parameters

• restrict—Generates a trap when a station, whose MAC address is not the supplicant MAC address, attempts to access the interface. The minimum time between the traps is 1 second. Those frames are forwarded but their source addresses are not learned.

• protect—Discard frames with source addresses that are not the supplicant address.

• shutdown—Discard frames with source addresses that are not the supplicant address and shutdown the port.

• trap seconds - Send SNMP traps, and specifies the minimum time between consecutive traps. If seconds = 0 traps are disabled. If the parameter is not specified, it defaults to 1 second for the restrict mode and 0 for the other modes.

Default Configuration

Protect

Command Mode

Interface (Ethernet) Configuration mode

User Guidelines

The command is relevant only for single-host mode.

For BPDU messages whose MAC addresses are not the supplicant MAC address are not discarded in Protect mode.

BPDU message whose MAC addresses are not the supplicant MAC address cause a shutdown in Shutdown mode.

Example

switchxxxxxx(config)# interface gi1/0/1
switchxxxxxx(config-if)# dot1x violation-mode protect

To display the 802.1X interfaces or specified interface status, use the show dot1x command in Privileged EXEC mode.

Syntax

show dot1x [interface interface-id | detailed]

Parameters

• interface-id—Specifies an Ethernet port .

• detailed—Displays information for non-present ports in addition to present ports.

Default Configuration

Display for all ports. If detailed is not used, only present ports are displayed.

Command Mode

Privileged EXEC mode

Example

The following example displays authentication information for all interfaces on which 802.1x is enabled:

switchxxxxxx# show dot1x
Authentication is enabled
Authenticator Global Configuration:
Authenticating Servers: Radius, None
MAC-Based Authentication:
  Type: Radius
  Username Groupsize: 2
  Username Separator: -
  Username case: Lowercase
  Password: MD5 checksum 1238af77aaca17568f12988601fcabed
Unathenticated VLANs: 100, 1000, 1021
Guest VLAN: VLAN 11, timeout 30 sec
Authentication failure traps are enabled for 802.1x+mac
Authentication success traps are enabled for 802.1x
Authentication quiet traps are enabled for 802.1x
Supplicant Global Configuration:
Supplicant Authentication failure traps are enabled
Supplicant Authentication success traps are enabled
gi1/0/1
  Authenticator is enabled
  Supplicant is disabled
  Authenticator Configuration:
  Host mode: multi-sessions
  Authentication methods: 802.1x+mac
  Port Adminstrated status: auto
  Guest VLAN: enabled
  VLAN Radius Attribute: enabled, static
  Open access: disabled
  Time range name: work_hours (Active now)
  Server-timeout: 30 sec
  Maximum Hosts: unlimited
  Maximum Login Attempts: 3
  Reauthentication is enabled
  Reauthentication period: 3600 sec
  Silence period: 1800 sec
  Quiet Period: 60 sec
  Interfaces 802.1X-Based Parameters
    EAP Timeout: 30 sec
    EAP Max-Retrans: 2
    Tx period: 30 sec
    Supplicant timeout: 30 sec
    max-req: 2
  Authentication success: 9
  Authentication fails: 1
  Number of Authorized Hosts: 10
  Supplicant Configuration:
  retry-max: 2
  EAP time period: 15 sec
  Supplicant Held Period: 30 sec
gi1/0/2
  Authenticator is enabled
  Supplicant is disabled
  Authenticator Configuration:
  Host mode: single-host
  Authentication methods: 802.1x+mac
  Port Adminstrated status: auto
  Port Operational status: authorized
  Guest VLAN: disabled
  VLAN Radius Attribute: enabled
  Open access: enabled
  Time range name: work_hours (Active now)
  Server-timeout: 30 sec
  Aplied Authenticating Server: Radius
  Applied Authentication method: 802.1x
  Session Time (HH:MM:SS): 00:25:22
  MAC Address: 00:08:78:32:98:66
  Username: Bob
  Violation:
    Mode: restrict
    Trap: enabled
    Trap Min Interval: 20 sec
    Violations were detected: 9
  Reauthentication is enabled
  Reauthentication period: 3600 sec
  Silence period: 1800 sec
  Quiet Period: 60 sec
  Interfaces 802.1X-Based Parameters
    EAP Timeout: 30 sec
    EAP Max-Retrans: 2
    Tx period: 30 sec
    Supplicant timeout: 30 sec
    max-req: 2
  Authentication success: 2
  Authentication fails: 0
gi1/0/3
  Authenticator is enabled
  Supplicant is disabled
  Authenticator Configuration:
  Host mode: multi-host
  Authentication methods: 802.1x+mac
  Port Adminstrated status: auto
  Port Operational status: authorized
  Guest VLAN: disabled
  VLAN Radius Attribute: disabled
  Time range name: work_hours (Active now)
  Open access: disabled
  Server-timeout: 30 sec
  Aplied Authenticating Server: Radius
  Applied Authentication method: 802.1x
  Session Time (HH:MM:SS): 00:25:22
  MAC Address: 00:08:78:32:98:66
  Username: Bob
  Violation:
    Mode: restrict
    Trap: enabled
    Trap Min Interval: 20 sec
    Violations were detected: 0
  Reauthentication is enabled
  Reauthentication period: 3600 sec
  Silence period: 1800 sec
  Quiet Period: 60 sec
  Interfaces 802.1X-Based Parameters
    EAP Timeout: 30 sec
    EAP Max-Retrans: 2
    Tx period: 30 sec
    Supplicant timeout: 30 sec
    max-req: 2
  Authentication success: 20
  Authentication fails: 0
  Supplicant Configuration:
  retry-max: 2
  EAP time period: 15 sec
  Supplicant Held Period: 30 sec
gi1/0/4
  Authenticator is disabled
  Supplicant is enabled
  Authenticator Configuration:
  Host mode: multi-host
  Authentication methods: 802.1x+mac
  Port Adminstrated status: force-auto
  Guest VLAN: disabled
  VLAN Radius Attribute: disabled
  Time range name: work_hours (Active now)
  Open access: disabled
  Server-timeout: 30 sec
  Aplied Authenticating Server: Radius
  Applied Authentication method: 802.1x
  Session Time (HH:MM:SS): 00:25:22
  MAC Address: 00:08:78:32:98:66
  Username: Bob
  Violation:
    Mode: restrict
    Trap: enabled
    Trap Min Interval: 20 sec
    Violations were detected: 0
  Reauthentication is enabled
  Reauthentication period: 3600 sec
  Silence period: 1800 sec
  Quiet Period: 60 sec
  Interfaces 802.1X-Based Parameters
    EAP Timeout: 30 sec
    EAP Max-Retrans: 2
    Tx period: 30 sec
    Supplicant timeout: 30 sec
    max-req: 2
  Authentication success: 0
  Authentication fails: 0
  Supplicant Configuration:
  retry-max: 2
  EAP time period: 15 sec
  Supplicant Held Period: 30 sec
  Credentials Name: Basic-User
  Supplicant Operational status: authorized

The following describes the significant fields shown in the display:

• Port—The port interface-id.

• Host mode—The port authentication configured mode. Possible values: single-host, multi-host, multi-sessions.

  • single-host

  • multi-host

  • multi-sessions

• Authentication methods—Authentication methods configured on port. Possible values are combinations of the following methods:

  • 802.1x

  • mac

  • wba

• Port Administrated status—The port administration (configured) mode. Possible values: force-auth, force-unauth, auto.

• Port Operational status—The port operational (actual) mode. Possible values: authorized or unauthorized.

• Username—Username representing the supplicant identity. This field shows the username if the port control is auto. If the port is Authorized, it displays the username of the current user. If the port is Unauthorized, it displays the last user authorized successfully.

• Quiet period—Number of seconds that the device remains in the quiet state following a failed authentication exchange (for example, the client provided an invalid password).

• Silence period—Number of seconds that If an authorized client does not send traffic during the silence period specified by the command, the state of the client is changed to unauthorized.

• EAP timeout—Time interval in seconds during which the EAP Server (EAPAuthenticator) waits for a response from the EAP client (EAP Peer) before the requestretransmission

• EAP Max Retrans—Maximum number of times that the EAP Server (EAPAuthenticator) retransmits an EAP request when no response from a EAP client (EAPPeer) was received.

• Tx period—Number of seconds that the device waits for a response to an Extensible Authentication Protocol (EAP) request/identity frame from the client before resending the request.

• Max req—Maximum number of times that the device sends an EAP request frame (assuming that no response is received) to the client before restarting the authentication process.

• Server timeout—Number of seconds that the device waits for a response from the authentication server before resending the request.

• Session Time—Amount of time (HH:MM:SS) that the user is logged in.

• MAC address—Supplicant MAC address.

• Authentication success—Number of times the state machine received a Success message from the Authentication Server.

• Authentication fails—Number of times the state machine received a Failure message from the Authentication Server.

To display 802.1X statistics for the specified port, use the show dot1x statistics command in Privileged EXEC mode.

Syntax

show dot1x statistics interface interface-id

Parameters

• interface-id—Specifies an Ethernet port .

Command Mode

Privileged EXEC mode

Example

The following example displays 802.1X statistics for gi1/0/1.

switchxxxxxx# show dot1x statistics interface gi1/0/1
EapolEapFramesRx: 10
EapolStartFramesRx: 0
EapolLogoffFramesRx: 1
EapolAnnouncementFramesRx: 0
EapolAnnouncementReqFramesRx: 0
EapolInvalidFramesRx: 0
EapolEapLengthErrorFramesRx: 0
EapolMkNoCknFramesRx: 0
EapolMkInvalidFramesRx: 0
EapolLastRxFrameVersion: 3
EapolLastRxFrameSource: 00:08:78:32:98:78
EapolSuppEapFramesTx: 0
EapolStartFramesTx: 1
EapolLogoffFramesTx: 0
EapolAnnouncementFramesTx: 0
EapolAnnouncementReqFramesTx: 0
EapolAuthEapFramesTx: 9
EapolMkaFramesTx: 0

The following table describes the significant fields shown in the display:

To display active 802.1X authorized users for the device, use the show dot1x users command in Privileged EXEC mode.

Syntax

show dot1x users [username username]

Parameters

• username username—Specifies the supplicant username (Length: 1–160 characters).

Default Configuration

Display all users.

Command Mode

Privileged EXEC mode