To configure 802.1x port authentication on a port, do the following:
1. Select the Security tab.
The Security tab is displayed. See Figure 52 on page 158.
2. From the Security tab, select 802.1x Port Authentication.
The 802.1x Authentication page is displayed. See Figure 59 on page 177.
3. Click Edit next to the port that you want to modify.
The Modify 802.1x Authentication page is displayed. See Figure 60.
Figure 60. Modify 802.1x Authentication Page 4. Use the pull-down menu next to the Port Role field to select
“Authenticator.”
179
The Modify 802.1x Authentication page “Authenticator” expands. See Figure 61.
Figure 61. Modify 802.1x Authentication Page Expanded
180
5. Modify the following fields as needed:
Port Id— Indicates the port number.
Port Role— Indicates that you’ve selected the port as an Authenticator.
Authentication Mode— Indicates the authentication mode.
Choose from the following:
Unauthorized Sets the port to the 802.1x
authenticator role, in the unauthorized state. Although the port is in the authenticator role, the switch blocks all authentication on the port. If you set all the ports on the switch to this setting, then no clients can log on and forward packets through them.
Force-authorized Sets port to the 802.1x authenticator role, in the force-authorized state. A port in the force-authorized state transitions to the authorized state without any authentication exchanges required. The port transmits and receives traffic normally without 802.1X-based authentication of the clients.
Auto Sets the port to the 802.1X port-based authenticator role. A port in this state begins in the unauthorized state, forwarding only EAPOL frames, until a client has logged on successfully.
Timeouts
The following fields set the timers for this feature:
Quiet Period— Sets the number of seconds that an authenticator port remains in the quiet state following a failed authentication exchange with a client. The range is 0 to 65,535 seconds. The default value is 60 seconds.
Tx-period— Sets the number of seconds an authenticator port waits for a response to an EAP-request/identity frame from a client before retransmitting the request. The default value is 30 seconds.
The range is 1 to 65,535 seconds.
Reauth-period— Specifies the time interval that an authenticator port requires a client to reauthenticate. The range is 1 to 65,535 seconds. The default value is 4,294,967,295 seconds.
181
Supplicant-timeout— Sets the timer used by the switch to
determine authentication server timeout conditions. The range is 1 to 600 seconds. The default value is 30 seconds.
Server-timeout— Sets the timer used by the switch to determine authentication server timeout conditions. The range is 1 to 600 seconds. The default value is 30 seconds.
Re-authentication— Activates reauthentication on the authenticator port. The client must periodically reauthenticate according to the time interval set with the Reauth-period timer.
Click the box to activate this field.
Number of Re-auth Requests— Specifies the maximum number of times the switch retransmits EAP Request packets to an client before it times out an authentication session. The range is 1 to 10 retransmissions. The default value is 2.
Port Control Direction— Specifies whether authenticator ports that are in the unauthorized state should forward egress broadcast and multicast traffic. Choose from the following:
In Specifies that authenticator ports in the unauthorized state should forward egress broadcast and multicast traffic and discard the ingress broadcast and multicast traffic. This is the default setting.
Both Specifies that authenticator ports in the
unauthorized state should discard both ingress and egress broadcast and multicast traffic.
Dynamic VLAN Creation— Activates dynamic VLAN assignments of authenticator ports. Click the box to activate this field.
Type— Activates dynamic VLAN assignments of authenticator ports. Choose from the following:
Single Specifies that an authenticator port forwards packets of only those supplicants that have the same VID as the supplicant who initially logged on.
Multi Specifies that an authenticator port forwards packets of all supplicants, regardless of the VIDs in their client accounts on the RADIUS server.
Guest VLAN— Specifies the ID number of a VLAN that is the guest VLAN of an authenticator port. You can enter only one VID.
The range is 1 to 5.
182
Host Mode— Sets the operating modes on authenticator ports.
Choose from the following:
Single-host Specifies the single operating mode. An authenticator port set to this mode
forwards only those packets from the one client who initially logs on. This is the default setting.
Multi-host Specifies the multiple host operating mode. An authenticator port set to this mode forwards all packets after one client logs on. This is referred to as piggy-backing.
Multi-supplicant Specifies the multiple supplicant operating mode. An authenticator port set to this mode requires that all clients log on.
Mac Authentication— Activates MAC address-based
authentication on authenticator ports. An authenticator port that uses this type of authentication extracts the source MAC address from the initial frames from a supplicant and automatically sends it as the supplicant’s user name and password to the authentication server. This authentication method does not require 802.1x client software on supplicant nodes. Click the box to activate this field.
Re-Auth Learning— Forces ports that are using MAC address authentication into the unauthorized state. You may use this setting to reauthenticate the nodes on authenticator ports. Click the box to activate this field.
6. Click Apply.
183