802.1x port commands

dot1x

Syntax

dot1x

Context

config>port>ethernet

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

Commands in this context configure port-specific 802.1x authentication attributes. This context can only be used when configuring Fast Ethernet, Gigabit Ethernet, or 10-Gigabit Ethernet LAN ports on an appropriate MDA.

mac-auth

Syntax

[no] mac-auth

Context

config>port>ethernet>dot1x

Platforms

7210 SAS-Dxp

Description

This command enables MAC-based authentication. To use MAC-based authentication, 802.1x authentication must first be enabled using the port-control auto command.

When MAC-based authentication is enabled, and the mac-auth-wait timer expires, the 7210 SAS begins listening on the port for valid Ethernet frames. The source MAC address of a received frame is used for MAC-based authentication.

MAC authentication and Dot1x authentication or VLAN authentication are mutually exclusive and cannot be configured on the same port.

The no form of this command disables MAC-based authentication.

Default

no mac-auth

mac-auth-wait

Syntax

mac-auth-wait seconds

no mac-auth-wait

Context

config>port>ethernet>dot1x

Platforms

7210 SAS-Dxp

Description

This command configures the delay period before MAC authentication is activated.

The no form of this command disables the delay and allows MAC authentication to be used immediately.

Default

no mac-auth-wait

Parameters

seconds

Specifies the MAC authentication delay period, in seconds.

Values

1 to 3600

max-auth-req

Syntax

max-auth-req max-auth-request

Context

config>port>ethernet>dot1x

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures the maximum number of times that the 7210 SAS will send an access request RADIUS message to the RADIUS server. If a reply is not received from the RADIUS server after the specified number of attempts, the 802.1x authentication procedure is considered to have failed.

The no form of this command reverts to the default value.

Default

2

Parameters

max-auth-request

Specifies the maximum number of RADIUS retries.

Values

1 to 10

port-control

Syntax

port-control [auto | force-auth | force-unauth]

Context

config>port>ethernet>dot1x

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures the 802.1x authentication mode.

The no form of this command reverts to the default value.

Default

force-auth

Parameters

force-auth

Specifies that 802.1x authentication will be disabled and causes the port to transition to the authorized state without requiring any authentication exchange. The port transmits and receives normal traffic without requiring 802.1x-based host authentication.

force-unauth

Specifies that the port will remain in the unauthorized state, ignoring all attempts by the hosts to authenticate. The switch cannot provide authentication services to the host through the interface.

auto

Specifies that 802.1x authentication will be enabled. The port starts in the unauthorized state, allowing only EAPOL frames to be sent and received through the port. Both the 7210 SAS and the host can initiate an authentication procedure. The port will remain in an unauthorized state (no traffic except EAPOL frames is allowed) until the first client is authenticated successfully. After this, traffic is allowed on the port for all connected hosts.

quiet-period

Syntax

quiet-period seconds

no quiet-period

Context

config>port>ethernet>dot1x

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures the period between two authentication sessions during which no EAPOL frames are sent by the 7210 SAS.

The no form of this command reverts to the default value.

Default

30

Parameters

seconds

Specifies the quiet period in seconds.

Values

1 to 3600

radius-plcy

Syntax

radius-plcy name

no radius-plcy

Context

config>port>ethernet>dot1x

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures the RADIUS policy to be used for 802.1x authentication. An 802.1x RADIUS policy must be configured (under config>security>dot1x) before it can be associated with a port. If the RADIUS policy-id does not exist, an error is returned. Only one 802.1x RADIUS policy can be associated with a port at a time.

The no form of this command removes the RADIUS policy association.

Default

no radius-plcy

Parameters

name

Specifies an existing 802.1x RADIUS policy name.

re-auth-period

Syntax

re-auth-period seconds

no re-auth-period

Context

config>port>ethernet>dot1x

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures the period after which re-authentication is performed. This value is only relevant if re-authentication is enabled.

The no form of this command reverts to the default value.

Default

3600

Parameters

seconds

Specifies the re-authentication delay period in seconds.

Values

1 to 9000

re-authentication

Syntax

[no] re-authentication

Context

config>port>ethernet>dot1x

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command enables or disables periodic 802.1x re-authentication.

When re-authentication is enabled, the 7210 SAS will re-authenticate clients on the port every re-auth-period seconds.

The no form of this command reverts to the default value.

Default

re-authentication

server-timeout

Syntax

server-timeout seconds

no server-timeout

Context

config>port>ethernet>dot1x

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures the period during which the 7210 SAS waits for the RADIUS server to respond to its access request message. When this timer expires, the 7210 SAS re-sends the access request message, up to the number of times configured with max-auth-req.

The no form of this command reverts to the default value.

Default

30

Parameters

seconds

Specifies the server timeout period in seconds.

Values

1 to 300

supplicant-timeout

Syntax

supplicant-timeout seconds

no supplicant-timeout

Context

config>port>ethernet>dot1x

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures the period during which the 7210 SAS waits for a client to respond to its EAPOL messages. When the supplicant-timeout expires, the 802.1x authentication session is considered to have failed.

The no form of this command reverts to the default value.

Default

30

Parameters

seconds

Specifies the supplicant timeout period in seconds.

Values

1 to 300

transmit-period

Syntax

transmit-period seconds

no transmit-period

Context

config>port>ethernet>dot1x

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures the period after which the 7210 SAS sends a new EAPOL request message.

The no form of this command reverts to the default value.

Default

30

Parameters

seconds

Specifies the EAPOL transmit period in seconds.

Values

1 to 3600

tunneling

Syntax

[no] tunneling

Context

config>port>ethernet>dot1x

Platforms

7210 SAS-D, 7210 SAS-Dxp, 7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, 7210 SAS-K 3SFP+ 8C

Description

This command enables tunneling of dot1x frames. With dot1x tunneling enabled, dot1x frames received on the port are transparently forwarded to the remote end of the service. To forward dot1x frames transparently, the port on which tunneling is enabled must be configured with a NULL SAP, and the NULL SAP must be configured in an Epipe service. Tunneling is not supported for any other port encapsulation or when using any other service.

Additionally, the dot1x protocol must be disabled on the port (using the command configure>port>ethernet>dot1x>port-control force-auth) before dot1x tunneling can be enabled using this command. If dot1x is configured to use either force-unauth or auto, then dot1x tunneling cannot be enabled. If dot1x tunneling is enabled, then the user cannot configure either force-unauth or auto.

The no form of this command disables dot1x tunneling.

Default

no tunneling

vlan-auth

Syntax

[no] vlan-auth

Context

config>port>ethernet>dot1x

Platforms

7210 SAS-Dxp

Description

This command enables VLAN-based authentication. To use VLAN-based authentication, 802.1x authentication must first be enabled using the port-control auto command.

When VLAN-based authentication is enabled, all traffic for all VLANs on the port is blocked. VLAN-tagged EAPOL messages are forwarded to the RADIUS server for authentication. If authentication is successful, the VLAN corresponding to the successfully authenticated VLAN-tagged EAPOL message is unblocked and traffic is processed for the configured service. If authentication fails, the VLAN continues to be blocked.

VLAN authentication and MAC authentication are mutually exclusive and cannot be configured on the same port.

The no form of this command disables VLAN-based authentication.

Default

no vlan-auth
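The port-control, mac-auth, vlan-auth and tunneling commands above constrain one another (mac-auth and vlan-auth require port-control auto and exclude each other; tunneling requires port-control force-auth), and the timers bound how long an unanswered RADIUS exchange can take. The following Python linter is an added example, not Nokia code: it encodes those rules and the value ranges from this reference so a candidate port configuration can be checked before it is committed. The Dot1xPort class, its field names and the radius_worst_case_wait helper are this example's own assumptions; the worst-case figure is derived from the max-auth-req and server-timeout descriptions (each attempt waits server-timeout seconds).

```python
from dataclasses import dataclass
from typing import List, Optional

# Value ranges taken from the command reference (counts or seconds).
RANGES = {
    "mac_auth_wait": (1, 3600), "max_auth_req": (1, 10), "quiet_period": (1, 3600),
    "re_auth_period": (1, 9000), "server_timeout": (1, 300),
    "supplicant_timeout": (1, 300), "transmit_period": (1, 3600),
}

@dataclass
class Dot1xPort:
    """Candidate config>port>ethernet>dot1x settings (hypothetical model);
    field defaults match the reference defaults."""
    port_control: str = "force-auth"
    radius_plcy: Optional[str] = None        # None == "no radius-plcy"
    mac_auth: bool = False
    mac_auth_wait: Optional[int] = None      # None == "no mac-auth-wait"
    vlan_auth: bool = False
    tunneling: bool = False
    re_authentication: bool = True
    re_auth_period: int = 3600
    max_auth_req: int = 2
    server_timeout: int = 30
    supplicant_timeout: int = 30
    quiet_period: int = 30
    transmit_period: int = 30

def validate(p: Dot1xPort) -> List[str]:
    """Return the rules from the reference that the candidate config violates."""
    errs = []
    if p.port_control not in ("auto", "force-auth", "force-unauth"):
        errs.append(f"port-control: unknown mode {p.port_control!r}")
    if p.mac_auth and p.vlan_auth:
        errs.append("mac-auth and vlan-auth are mutually exclusive on one port")
    if (p.mac_auth or p.vlan_auth) and p.port_control != "auto":
        errs.append("mac-auth/vlan-auth require 'port-control auto'")
    if p.tunneling and p.port_control != "force-auth":
        errs.append("tunneling requires 'port-control force-auth' (802.1x disabled)")
    for name, (lo, hi) in RANGES.items():
        val = getattr(p, name)
        if val is not None and not lo <= val <= hi:
            errs.append(f"{name.replace('_', '-')}: {val} outside {lo} to {hi}")
    return errs

def radius_worst_case_wait(p: Dot1xPort) -> int:
    """Seconds until an unanswered RADIUS exchange is declared failed:
    max-auth-req attempts, each waiting server-timeout seconds (defaults: 60)."""
    return p.max_auth_req * p.server_timeout
```

A port that passes validate() with port-control auto still needs a radius-plcy that exists under config>security>dot1x, which this linter cannot see.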

down-when-looped

Syntax

down-when-looped

Context

config>port>ethernet

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures Ethernet loop detection attributes.

keep-alive

Syntax

keep-alive timer

no keep-alive

Context

config>port>ethernet>dwl

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures the time interval between keep-alive PDUs.

Default

no keep-alive

Parameters

timer

Specifies the time interval, in seconds, between keep-alive PDUs.

Values

1 to 120

retry-timeout

Syntax

retry-timeout timer

no retry-timeout

Context

config>port>ethernet>dwl

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures the minimum wait time before re-enabling the port after loop detection.

Default

no retry-timeout

Parameters

timer

Specifies the minimum wait time, in seconds, before re-enabling the port after loop detection.

Values

0, 10 to 160