Specify user-based authentication or return to port-based authentication

User-based 802.1X authentication:

Syntax:


aaa port-access authenticator <port-list> client-limit <1-32>

Used after executing aaa port-access authenticator <port-list> to convert authentication from port-based to user-based. Specifies user-based 802.1X authentication and the maximum number of 802.1X-authenticated client sessions allowed on each of the ports in <port-list>. If a port currently has no authenticated client sessions, the next authenticated client session the port accepts determines the untagged VLAN membership to which the port is assigned during the session. If another client session begins later on the same port while an earlier session is active, the later session will be on the same untagged VLAN membership as the earlier session.

NOTE:

The client limit is 32 clients per-port for MAC-auth and Web-auth; the client limit for 802.1X is 32 clients per port. The MAC-auth and Web-auth limit of 32 clients only applies when there are fewer than 16,384 authentication clients on the entire switch. After the limit of 16,384 clients is reached, no additional authentication clients are allowed on any port for any method.

Port-based 802.1X authentication:

Syntax:


aaa port-access authenticator <port-list> client-limit
no aaa port-access authenticator <port-list> client-limit

Used to convert a port from user-based authentication to port-based authentication, which is the default setting for ports on which authentication is enabled. (Executing aaa port-access authenticator <port-list> enables 802.1X authentication on <port-list> and enables port-based authentication.) If a port currently has no authenticated client sessions, the next authenticated client session the port accepts determines the untagged VLAN membership to which the port is assigned during the session. If another authenticated client session begins later on the same port while an earlier session is active, the later session replaces the currently active session and will be on the untagged VLAN membership specified by the RADIUS server for the later session.

Configuring user-based 802.1X authentication Enables ports 10-12 to operate as authenticators, and then configures the ports for user-based authentication.

Configuring user-based 802.1X authentication

switch(config)# aaa port-access authenticator 10-12
switch(config)# aaa port-access authenticator 10-12 client-limit 4

Configuring port-based 802.1X authentication

switch(config)# aaa port-access authenticator 13-15
switch(config)# no aaa port-access authenticator 13-15 client-limit