3.10.11 Network Access Server (NAS) Configuration
Use this command to configure the IEEE 802.1X and MAC-based authentication system settings. Globally Enable/Disable NAS, Enable/Disable Reauthentication and set the Reauthentication Period (successfully authenticated supplicants/clients are reauthenticated after the interval specified by the Reauthentication Period). Set the time for retransmission of Request Identity EAPOL frames and Aging period (authentication timer inactivity). Set the Hold Time (if a client is denied access it is put on hold in the Unauthorized state). Globally enable/disable Guest VLAN functionality, RADIUS-server assigned QoS Class functionality and RADIUS-server assigned VLAN functionality.
Command Syntax:
dot1x system-auth-control
dot1x re-authentication
dot1x authentication timer re-authenticate <v_1_to_3600>
dot1x timeout tx-period <v_1_to_65535>
dot1x authentication timer inactivity <v_10_to_100000>
dot1x timeout quiet-period <v_10_to_1000000>
dot1x feature { [ guest-vlan ] [ radius-qos ] [ radius-vlan ] }
dot1x guest-vlan <value>
dot1x max-reauth-req <value>
dot1x guest-vlan supplicant
Argument | Description |
Parameter | |
| re-authenticate <v_1_to_3600> | Determines the period, in seconds, after which a connected client must be reauthenticated. This is only active if the Reauthentication Enabled checkbox is checked. Valid values are in the range 1 to 3600 seconds. The default value is 3600. |
| tx-period <v_1_to_65535> | Determines the time for retransmission of Request Identity EAPOL frames. Valid values are in the range 1 to 65535 seconds. The default value is 30. |
| inactivity <v_10_to_100000>, quiet-period <v_10_to_1000000> | Aging period (authentication timer inactivity) can be set to a number between 10 and 1000000 seconds. The default value is 300. Hold time (quiet period) can be set to a number between 10 and 1000000 seconds. The default value is 10. |
| guest-vlan <value> | Value that a port's Port VLAN ID is set to if a port is moved into the Guest VLAN. Valid values are in the range of 1–4095. The default value is 1. |
| max-reauth-req <value> | The number of times the switch transmits an EAPOL Request Identity frame without response before considering entering the Guest VLAN. Valid values are in the range [1; 255]. The default value is 2. |
Default | N.A |
Mode | Global Configuration mode |
Usage | Set the system global NAS parameters. To revert to the default values, use the ‘no’ version of the command. |
Example | Example 1: Enable NAS on the switch, enable reauthentication and set the period to 3000 seconds. |
| Example 2: Disable NAS. |
NAS per Port configuration. Set the port authentication mode. Enable/disable per-port state of RADIUS-assigned QoS. Enable/disable per-port state of RADIUS-assigned VLAN. Enable/Disable guest VLAN.
dot1x port-control { force-authorized | force-unauthorized | auto | single | multi | mac-based }
dot1x radius-qos
dot1x radius-vlan
dot1x guest-vlan
Argument | Description |
Parameter | |
| force-authorized | The switch sends one EAPOL Success frame when the port link comes up, and any client on the port is allowed network access without authentication. |
| force-unauthorized | The switch sends one EAPOL Failure frame when the port link comes up, and any client on the port is disallowed network access. |
| auto | Port-based 802.1X authentication |
| single | Single Host 802.1X authentication |
| multi | Multiple Host 802.1X authentication |
| mac-based | Switch authenticates on behalf of the client |
Default | N.A |
Mode | Port List Interface mode |
Usage | Set the port NAS parameters. To revert to the default values (disabled), use the ‘no’ version of the command. |
Example | Example 1: Set port 2 to single Host 802.1X Authentication with Guest VLAN enabled. |
| Example 2: Change the port 2 state back to default forced authorized. |
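
An added example, not part of the original manual: a small Python audit that reads a configuration dump built from the commands on this page, checks timer values against the documented ranges, and reports ports left in force-authorized mode, where any client is allowed network access without authentication. The `interface ...` / `!` block layout, the port names and the sample values are assumptions constructed for illustration.

```python
import re

# Ranges on which the syntax lines and the parameter table on this page agree.
RANGES = {"authentication timer re-authenticate": (1, 3600), "timeout tx-period": (1, 65535),
          "timeout quiet-period": (10, 1000000), "max-reauth-req": (1, 255)}
MODES = {"force-authorized", "force-unauthorized", "auto", "single", "multi", "mac-based"}

# Constructed sample; the "interface ..." and "!" lines are an assumed dump layout.
SAMPLE = """\
dot1x system-auth-control
dot1x authentication timer re-authenticate 7200
interface GigabitEthernet 1/1
 dot1x port-control single
!
interface GigabitEthernet 1/2
!
interface GigabitEthernet 1/3
 dot1x port-control force-authorized
!
"""

def audit(config_text):
    """Return sorted (scope, finding) pairs for a dot1x configuration dump."""
    findings, ports, scope, nas_on = [], {}, "global", False
    for line in map(str.strip, config_text.splitlines()):
        if line.startswith("interface "):
            scope = line.split(None, 1)[1]
            ports[scope] = "force-authorized"  # default port mode stated on the page
        elif line == "!":
            scope = "global"
        elif line == "dot1x system-auth-control":
            nas_on = True
        elif line.startswith("dot1x port-control ") and scope != "global":
            ports[scope] = line.split()[2]
        for cmd, (lo, hi) in RANGES.items():  # range-check any timer/counter command
            m = re.fullmatch(rf"dot1x {re.escape(cmd)} (\d+)", line)
            if m and not lo <= int(m.group(1)) <= hi:
                findings.append((scope, f"{cmd} {m.group(1)} outside {lo}-{hi}"))
    if not nas_on:
        findings.append(("global", "NAS not globally enabled"))
    for port, mode in ports.items():
        if mode not in MODES:
            findings.append((port, f"unknown port-control mode {mode}"))
        elif mode == "force-authorized":
            findings.append((port, "force-authorized: access without authentication"))
    return sorted(findings)

if __name__ == "__main__":
    print(*(f"{scope}: {finding}" for scope, finding in audit(SAMPLE)), sep="\n")
```

The inactivity timer is left out of the range check because the syntax placeholder and the parameter table give different upper bounds for it.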