Reconfigure settings for port-access

The parameters in this section have default values and can be reconfigured as needed.

Syntax

aaa port-access authenticator <port-list> [<item>]

Parameters

<port-list>

Specifies the ports acted on by this command.

<item>

Specifies one of these items:

auth-vid <vlan-id>

Configures an existing, static VLAN to be the Authorized-Client VLAN.

clear-statistics

Clears authenticator statistics counters.

client-limit <1-32>

Sets the maximum number of clients allowed on the port. With no client limit configured, authentication operates in port-based mode; otherwise it operates in client-based mode.

control {authorized | auto | unauthorized}

Controls authentication mode on the specified port.

authorized

Also termed “Force Authorized”. Gives access to a device connected to the port. In this case, the device does not have to provide 802.1X credentials or support 802.1X authentication. (You can still configure console, Telnet, or SSH security on the port.)

auto

This is the default. The device connected to the port must support 802.1X authentication and provide valid credentials to get network access. (Optional: You can use the Open VLAN mode to provide a path for clients without 802.1X supplicant software to download this software and begin the authentication process.)

initialize

On the specified ports, blocks inbound and outbound traffic and restarts the 802.1X authentication process. This happens only on ports configured with control auto and actively operating as 802.1X authenticators.

NOTE:

If a specified port is configured with control authorized and port-security, and the port has learned an authorized address, the port removes this address and learns a new one from the first packet it receives.

logoff-period <1-999999999>

Configures the time the switch waits for client activity before removing an inactive client from the port. (Default: 300 seconds)

max-requests <1-10>

Sets the number of authentication attempts that must time out before authentication fails and the authentication session ends. If you are using the Local authentication option, or are using RADIUS authentication with only one host server, the switch will not start another session until a client tries a new access attempt. If you are using RADIUS authentication with two or three host servers, the switch will open a session with each server, in turn, until authentication occurs or there are no more servers to try. During the quiet-period, if any, you cannot reconfigure this parameter. (Default: 2)

quiet-period <0-65535>

Sets the period during which the port does not try to acquire a supplicant. The period begins after the last attempt authorized by the max-requests parameter fails. (Default: 60 seconds)

reauth-period <0-9999999>

Sets the time after which connected clients must be reauthenticated. When the timeout is set to 0, reauthentication is disabled. (Default: 0 seconds)

reauthenticate

Forces reauthentication (unless the authenticator is in 'HELD' state).

server-timeout <1-300>

Sets the time the switch waits for a server response to an authentication request. If there is no response within the configured time frame, the switch assumes that the authentication attempt has timed out. Depending on the current max-requests setting, the switch will either send a new request to the server or end the authentication session. (Default: 30 seconds)

supplicant-timeout <1-300>

Sets the time the switch waits for a supplicant response to an EAP request. If the supplicant does not respond within the configured time frame, the session times out. (Default: 30 seconds)

tx-period <0-65535>

Sets the time the port waits to retransmit the next EAPOL PDU during an authentication session. (Default: 30 seconds)

unauth-period <0-255>

Specifies a delay in seconds for placing a port on the Unauthorized-Client VLAN. This delay allows more time for a client with 802.1X supplicant capability to initiate an authentication session. If a connected client does not initiate a session before the timer expires, the port is assigned to the Unauthorized-Client VLAN. (Default: 0 seconds)

unauth-vid <vlan-id>

Configures an existing static VLAN to be the Unauthorized-Client VLAN. This enables you to provide a path for clients without supplicant software to download the software and begin an authentication session.
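The parameter ranges above are easy to mistype, and two of them change how much the port actually enforces: control authorized grants access without any 802.1X exchange, and reauth-period 0 (the default) means an authenticated client is never re-challenged. The following audit script is an added example, not HPE/Aruba code; it parses lines in the Syntax form shown above from a constructed running-config snippet, checks each value against the documented range, and flags the enforcement-weakening settings. The regular expression assumes one port-list and one item per line, and the port-list is treated as an opaque string (ranges such as 1-4 are not expanded).

```python
"""Audit 'aaa port-access authenticator' lines against the documented ranges.

Added example for this reference page; not switch or vendor code. The config
snippet below is constructed. Assumption: one port-list and one item per line,
in the form 'aaa port-access authenticator <port-list> [<item> [<value>]]'.
"""
import re

# Inclusive integer ranges taken from the Parameters section.
RANGES = {
    "client-limit": (1, 32),
    "logoff-period": (1, 999999999),
    "max-requests": (1, 10),
    "quiet-period": (0, 65535),
    "reauth-period": (0, 9999999),
    "server-timeout": (1, 300),
    "supplicant-timeout": (1, 300),
    "tx-period": (0, 65535),
    "unauth-period": (0, 255),
}
CONTROL_MODES = {"authorized", "auto", "unauthorized"}
ACTIONS = {"clear-statistics", "initialize", "reauthenticate"}
VLAN_ITEMS = {"auth-vid", "unauth-vid"}

LINE_RE = re.compile(
    r"^aaa port-access authenticator\s+(?P<ports>\S+)"
    r"(?:\s+(?P<item>[\w-]+)(?:\s+(?P<value>\S+))?)?\s*$"
)

# Constructed sample: a mix of sane, out-of-range and enforcement-weakening lines.
SAMPLE_CONFIG = """\
aaa port-access authenticator 1-4
aaa port-access authenticator 1-4 control auto
aaa port-access authenticator 1-4 reauth-period 3600
aaa port-access authenticator 1-4 client-limit 2
aaa port-access authenticator 5 control authorized
aaa port-access authenticator 6 reauth-period 0
aaa port-access authenticator 7 tx-period 70000
aaa port-access authenticator 8 max-requests 2
"""


def parse_line(line):
    """Return (port_list, item, value) for an authenticator line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("ports"), m.group("item"), m.group("value")


def audit_config(text):
    """Return findings as (port_list, severity, item, message) tuples."""
    findings = []
    seen = {}  # port-list string -> {item: value}, insertion ordered
    for raw in text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ports, item, value = parsed
        seen.setdefault(ports, {})
        if item is None:  # bare 'aaa port-access authenticator <ports>' enables the port
            continue
        seen[ports][item] = value
        if item in RANGES:
            lo, hi = RANGES[item]
            if value is None or not value.isdigit() or not lo <= int(value) <= hi:
                findings.append((ports, "error", item,
                                 f"{item} must be an integer in {lo}-{hi}, got {value!r}"))
            elif item == "reauth-period" and int(value) == 0:
                findings.append((ports, "warning", item,
                                 "reauth-period 0 disables periodic reauthentication"))
        elif item == "control":
            if value not in CONTROL_MODES:
                findings.append((ports, "error", item,
                                 f"control must be one of {sorted(CONTROL_MODES)}, got {value!r}"))
            elif value == "authorized":
                findings.append((ports, "warning", item,
                                 "control authorized grants access without 802.1X credentials"))
        elif item in VLAN_ITEMS:
            # The page gives no VLAN-ID range, so only the form is checked here.
            if value is None or not value.isdigit():
                findings.append((ports, "error", item, f"{item} needs a numeric VLAN ID, got {value!r}"))
        elif item not in ACTIONS:
            findings.append((ports, "error", item, f"unknown item {item!r}"))
    # Ports left at the default reauth-period are never re-challenged once authenticated.
    for ports, items in seen.items():
        if "reauth-period" not in items and items.get("control") != "authorized":
            findings.append((ports, "warning", "reauth-period",
                             "reauth-period not set; default 0 disables periodic reauthentication"))
    return findings


if __name__ == "__main__":
    for ports, severity, item, message in audit_config(SAMPLE_CONFIG):
        print(f"[{severity}] ports {ports}: {message}")
```

Running it against the constructed snippet reports the Force Authorized port, the explicit and implicit reauth-period 0 cases, and the tx-period value outside 0-65535.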

NOTE: About tx-period and identity request triggers

The actual period between EAPOL PDU retransmits is influenced by the state of authenticating or connecting clients. The trigger for EAPOL identity requests depends on the following:

  • The tx-period configured.

  • The number of clients connected to the switch and the state of the clients.

If there is one client connected and:

  • The client is in the authenticated state, tx-period expiry will not trigger an identity request.

  • The client is in the connecting state, tx-period expiry will trigger an identity request to the client MAC.

  • The client MAC address is not known, then upon tx-period expiry, the switch will send the next identity request to the well-known client MAC (EAPOL group multicast address).

If there are two clients connected, and:

  • One client is in the connecting state, tx-period expiry will trigger an identity request to the client MAC. In this case, it is assumed that there is no traffic from the second client and that the switch is not aware of the second client.

  • Two clients are in the connecting state (and if the logoff period does not expire before tx-period expiry), then each client will maintain separate timers and identity requests will be sent at regular intervals.

  • One client is in the authenticated state and the second client is in the connecting state, then the identity request will be triggered upon expiry of either client's timer. In this case, if the first client's timer expires, the switch will send an identity request to the second client MAC. Therefore, the identity request send interval may be different from what is set for tx-period.

  • Two clients are in the authenticated state, upon tx-period expiry, the switch will not send an identity request.

  • Neither client is sending any traffic, the switch will send identity requests to the well-known client MAC (EAPOL group multicast address).
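The rules in this note reduce to a small decision: on any client's timer expiry, every client the switch knows to be in the connecting state is polled by unicast, authenticated clients are not polled, and a port with no learned client MAC polls the EAPOL group address. The model below is an added example, not switch firmware; client MACs, states and timer offsets are constructed, and it assumes each known client keeps its own tx-period timer started when the switch learned it, so that two staggered timers produce request intervals shorter than tx-period, as the one-authenticated-one-connecting case above describes.

```python
"""Model of identity-request triggering on tx-period expiry (added example).

Not switch code. Clients and timer offsets below are constructed. Assumption:
each known client keeps an independent tx-period timer that started at
timer_start seconds, and any timer expiry evaluates the whole port.
"""
from dataclasses import dataclass

# Standard 802.1X PAE group address used for the well-known client MAC.
EAPOL_GROUP_MAC = "01:80:c2:00:00:03"


@dataclass(frozen=True)
class Client:
    mac: str
    state: str          # "connecting" or "authenticated"
    timer_start: int = 0  # seconds at which this client's tx-period timer began


def identity_request_targets(known_clients):
    """Destination MACs for EAP-Request/Identity when any client timer expires."""
    if not known_clients:
        # No learned MAC (no client traffic seen): poll the group address.
        return [EAPOL_GROUP_MAC]
    # Connecting clients are polled by unicast; authenticated ones are left alone.
    return [c.mac for c in known_clients if c.state == "connecting"]


def request_schedule(known_clients, tx_period, horizon):
    """Sorted (time, destination) events up to and including horizon seconds.

    Every known client's timer fires at timer_start + k * tx_period; each
    firing sends to the targets computed for the whole port.
    """
    if tx_period <= 0:
        return []  # tx-period 0 is not modelled here (no retransmit timer to expire)
    events = set()
    for trigger in known_clients:
        t = trigger.timer_start + tx_period
        while t <= horizon:
            for dest in identity_request_targets(known_clients):
                events.add((t, dest))
            t += tx_period
    return sorted(events)


def intervals(schedule):
    """Gaps in seconds between consecutive requests in a schedule."""
    times = [t for t, _ in schedule]
    return [b - a for a, b in zip(times, times[1:])]


if __name__ == "__main__":
    authed = Client("00:11:22:33:44:01", "authenticated", timer_start=0)
    connecting = Client("00:11:22:33:44:02", "connecting", timer_start=10)
    sched = request_schedule([authed, connecting], tx_period=30, horizon=100)
    for t, dest in sched:
        print(f"t={t:>3}s identity request -> {dest}")
    print("intervals:", intervals(sched))  # not the configured 30 s throughout
```

With one authenticated client whose timer started at 0 and one connecting client whose timer started at 10, the connecting client is polled at 30, 40, 60, 70, 90 and 100 seconds: the intervals alternate between 10 and 20 seconds even though tx-period is 30.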