Reconfigure settings for port-access
The settings in this section have default values and can be reconfigured as needed.
Syntax
aaa port-access authenticator <port-list> [<item>]
Parameters
<port-list>
Specifies the ports acted on by this command.
<item>
Specifies one of these items:
auth-vid <vlan-id>
Configures an existing, static VLAN to be the Authorized-Client VLAN.
clear-statistics
Clears authenticator statistics counters.
client-limit <1-32>
Set the maximum number of clients to allow on the port. With no client limit, authentication happens in port-based mode, otherwise it happens in client-based mode.
control {authorized | auto | unauthorized}
Controls authentication mode on the specified port.
authorized
Also termed “Force Authorized”. Gives access to a device connected to the port. In this case, the device does not have to provide 802.1X credentials or support 802.1X authentication. (You can still configure console, Telnet, or SSH security on the port.)
auto
This is the default. The device connected to the port must support 802.1X authentication and provide valid credentials to get network access. (Optional: You can use the Open VLAN mode to provide a path for clients without 802.1X supplicant software to download this software and begin the authentication process.)
initialize
On the specified ports, blocks inbound and outbound traffic and restarts the 802.1X authentication process. This happens only on ports configured with control auto and actively operating as 802.1X authenticators.
NOTE: If a specified port is configured with control authorized and port-security, and the port has learned an authorized address, the port will remove this address and learn a new one from the first packet it receives.
logoff-period <1-999999999>
Configures the time the switch waits for client activity before removing an inactive client from the port. (Default: 300 seconds)
max-requests <1-10>
Sets the number of authentication attempts that must time out before authentication fails and the authentication session ends. If you are using the Local authentication option, or are using RADIUS authentication with only one host server, the switch will not start another session until a client tries a new access attempt. If you are using RADIUS authentication with two or three host servers, the switch will open a session with each server, in turn, until authentication occurs or there are no more servers to try. During the quiet-period, if any, you cannot reconfigure this parameter. (Default: 2)
quiet-period <0-65535>
Sets the period during which the port does not try to acquire a supplicant. The period begins after the last attempt allowed by the max-requests parameter fails. (Default: 60 seconds)
reauth-period <0-9999999>
Sets the time after which connected clients must be reauthenticated. When the timeout is set to 0, reauthentication is disabled. (Default: 0 seconds, that is, disabled)
reauthenticate
Forces reauthentication (unless the authenticator is in 'HELD' state).
server-timeout <1-300>
Sets the time the switch waits for a server response to an authentication request. If there is no response within the configured time frame, the switch assumes that the authentication attempt has timed out. Depending on the current max-requests setting, the switch will either send a new request to the server or end the authentication session. (Default: 30 seconds)
supplicant-timeout <1-300>
Sets the time the switch waits for a supplicant response to an EAP request. If the supplicant does not respond within the configured time frame, the session times out. (Default: 30 seconds)
tx-period <0-65535>
Sets the time the port waits to retransmit the next EAPOL PDU during an authentication session. (Default: 30 seconds)
unauth-period <0-255>
Specifies a delay in seconds before placing a port on the Unauthorized-Client VLAN. This delay allows more time for a client with 802.1X supplicant capability to initiate an authentication session. If a connected client does not initiate a session before the timer expires, the port is assigned to the Unauthorized-Client VLAN. (Default: 0 seconds)
unauth-vid <vlan-id>
Configures an existing static VLAN to be the Unauthorized-Client VLAN. This enables you to provide a path for clients without supplicant software to download the software and begin an authentication session.
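The following is an added example of how the parameters above fit together on a range of access ports; it is not taken from the original page. The port range 1-24, VLAN 20 (corporate, used as auth-vid), VLAN 99 (remediation, used as unauth-vid), the RADIUS server address and the lines that enable the authenticator, bind it to RADIUS and activate it are assumptions for illustration and are not described on this page. Lines beginning with # are annotations for the reader, not switch input.

```text
# Assumed prerequisites (not on this page): both VLANs exist, RADIUS is reachable.
switch(config)# vlan 20 name corp
switch(config)# vlan 99 name remediation
switch(config)# radius-server host 10.0.0.5 key <shared-secret>
switch(config)# aaa authentication port-access eap-radius

# Enable the authenticator on the ports (assumed form of the enabling command).
switch(config)# aaa port-access authenticator 1-24

# Per-port items from this section.
# client-limit > 0 puts the port in client-based mode: a second device behind a
# hub or phone must authenticate on its own instead of riding on the first client.
switch(config)# aaa port-access authenticator 1-24 client-limit 2
# control auto (the default) is restated so an earlier "control authorized" bypass
# cannot survive on an access port unnoticed.
switch(config)# aaa port-access authenticator 1-24 control auto
switch(config)# aaa port-access authenticator 1-24 auth-vid 20
switch(config)# aaa port-access authenticator 1-24 unauth-vid 99
# Default unauth-period 0 drops a silent port onto VLAN 99 at once; 30 s gives a
# supplicant time to start EAP before the port is moved.
switch(config)# aaa port-access authenticator 1-24 unauth-period 30
# Default reauth-period 0 never re-checks a client; force an hourly re-check.
switch(config)# aaa port-access authenticator 1-24 reauth-period 3600
switch(config)# aaa port-access authenticator 1-24 logoff-period 300
switch(config)# aaa port-access authenticator 1-24 quiet-period 60

# Activate and verify (assumed show commands from the port-access family).
switch(config)# aaa port-access authenticator active
switch(config)# show port-access authenticator 1-24 config
switch(config)# show port-access authenticator clients
```

Two checks worth making after applying this: confirm that VLAN 99 only reaches the remediation hosts that serve the supplicant software, since unauth-vid gives any unauthenticated device a network path; and confirm that no access port still reports control authorized, because that mode grants access without any 802.1X credentials.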
tx-period and identity request triggers
The actual period between EAPOL PDU retransmits is influenced by the state of authenticating or connecting clients. The trigger for EAPOL identity requests depends on the following:
The configured tx-period.
The number of clients connected to the switch and the state of the clients.
If there is one client connected and:
The client is in the authenticated state, tx-period expiry will not trigger an identity request.
The client is in the connecting state, tx-period expiry will trigger an identity request to the client MAC.
The client MAC address is not known, then upon tx-period expiry the switch will send the next identity request to the well-known client MAC (EAPOL group multicast address).
If there are two clients connected, and:
One client is in the connecting state, tx-period expiry will trigger an identity request to that client's MAC. In this case, it is assumed that there is no traffic from the second client and that the switch is not aware of the second client.
Two clients are in the connecting state (and the logoff period does not expire before tx-period expiry), then each client maintains a separate timer and identity requests are sent to each client at regular intervals.
One client is in the authenticated state and the second client is in the connecting state, then an identity request is triggered upon expiry of either client's timer. In this case, if the first client's timer expires, the switch sends an identity request to the second client's MAC. Therefore, the interval between identity requests may differ from the configured tx-period.
Two clients are in the authenticated state, then upon tx-period expiry the switch will not send an identity request.
Both clients are not sending any traffic, then the switch will send identity requests to the well-known client MAC (EAPOL group multicast address).