Configuring a Supplicant Switch Port

You must enable supplicant operation on a port before changing the supplicant configuration. This means you must execute the supplicant command once without any other parameters, then execute it again with a supplicant parameter you want to configure. If the intended authenticator port uses RADIUS authentication, then use the identity and secret options to configure the RADIUS-expected credentials on the supplicant port. If the intended authenticator port uses Local 802.1X authentication, then use the identity and secret options to configure the authenticator switch’s local user name and password on the supplicant port.

Syntax


aaa port-access supplicant [ethernet] <port-list>

To enable supplicant operation on the designated ports, execute this command without any other parameters. After doing this, you can use the command again with the following parameters to configure supplicant operation. (Use one instance of the command for each parameter you want to configure The no form disables supplicant operation on the designated ports.


[identity <username>]

Sets the user name and password to pass to the authenticator port when a challenge-request packet is received from the authenticator port due to an authentication request. If the intended authenticator port is configured for RADIUS authentication, then <username> and <password> must be the username and password expected by the RADIUS server. If the intended authenticator port is configured for Local authentication, then <username> and <password> must be the user name and password configured on the Authenticator switch. (Default: Null.)


aaa port-access supplicant [ethernet] <port-list> 
 [secret]

Enter secret: <password>

Repeat secret: <password>

Sets the secret password to be used by the port supplicant when an MD5 authentication request is received from an authenticator. The switch prompts you to enter the secret password after the command is invoked.

NOTE:

When the switch is in enhanced secure mode, commands that take a password as a parameter have the echo of the password typing replaced with asterisks. The input for the password is prompted for interactively. For more information, see Secure mode(FIPS).


[encrypted-secret]

Specify secret as a base64-encoded aes-256 encrypted string.


[auth-timeout <1 - 300>]

Sets the delay period the port waits to receive a challenge from the authenticator. If the request times out, the port sends another request, up to the number of attempts specified by the max-start parameter. (Default: 30 seconds).


[max-start <1 - 10>]

Defines the maximum number of times the supplicant port requests authentication. (Default: 3).


[held-period <0 - 65535>]

Sets the time period the supplicant port waits after an active 802.1X session fails before trying to re- acquire the authenticator port. (Default: 60 seconds)


[start-period <1 - 300>]

Sets the delay between Start packet retransmissions. That is, after a supplicant sends a start packet, it waits during the start-period for a response. If no response comes during the start- period, the supplicant sends a new start packet. The max-start setting (above) specifies how many start attempts are allowed in the session. (Default: 30 seconds)


aaa port-access supplicant [ethernet] <port-list> 
 [initialize]

On the specified ports, blocks inbound and outbound traffic and restarts the 802.1X authentication process. Affects only ports configured as 802.1X supplicants.


[clear-statistics]

Clears and restarts the 802.1X supplicant statistics counters.