dot1x
config>port>ethernet
This command enables access to the context to configure port-specific 802.1x authentication attributes on an Ethernet port.
[no] mac-auth
config>port>ethernet>dot1x
This command enables MAC-based authentication. To use MAC-based authentication, 802.1x authentication must first be enabled using the port-control auto command.
When MAC-based authentication is enabled, and the mac-auth-wait timer expires, the 7705 SAR begins listening on the port for valid Ethernet frames. The source address of a received frame is used for MAC-based authentication.
The no form of this command disables MAC-based authentication.
Default: no mac-auth
mac-auth-wait seconds
no mac-auth-wait
config>port>ethernet>dot1x
This command configures the delay period before MAC authentication is activated and the 7705 SAR searches for a valid client MAC address.
The no form of this command disables the delay and allows MAC authentication to be used immediately.
Default: no mac-auth-wait
seconds: specifies the MAC authentication delay period in seconds
max-auth-req max-auth-request
no max-auth-req
config>port>ethernet>dot1x
This command configures the maximum number of times that the 7705 SAR will send an access request RADIUS message to the RADIUS server. If a reply is not received from the RADIUS server after the specified number of attempts, the 802.1x authentication process is considered to have failed.
The no form of this command returns the value to the default.
Default: 2
max-auth-request: the maximum number of RADIUS retries
port-control {auto | force-auth | force-unauth}
no port-control
config>port>ethernet>dot1x
This command configures the 802.1x authentication mode.
The no form of this command returns the value to the default.
Default: force-auth
auto: enables 802.1x authentication. The port starts in the unauthorized state, allowing only EAPOL frames to be sent and received through the port. Both the 7705 SAR and the host (supplicant) can initiate an authentication process. The port will remain in the unauthorized state until the first supplicant is authenticated successfully. After this, traffic is allowed on the port for all connected hosts.
force-auth: disables 802.1x authentication and causes the port to transition to the authorized state without requiring any authentication exchange. The port transmits and receives normal traffic without requiring 802.1x-based host authentication.
force-unauth: causes the port to remain in the unauthorized state, ignoring all attempts by the hosts to authenticate. The authenticator cannot provide authentication services to the host through the interface.
quiet-period seconds
no quiet-period
config>port>ethernet>dot1x
This command configures the time between two authentication sessions during which no EAPOL frames are sent by the 7705 SAR. The timer is started after sending an EAP-Failure message or after expiry of the supplicant timeout timer.
The no form of this command returns the value to the default.
Default: 60
seconds: specifies the quiet period in seconds
radius-plcy name
no radius-plcy
config>port>ethernet>dot1x
This command configures the RADIUS policy to be used for 802.1x authentication. An 802.1x RADIUS policy must be configured (under config>system>security>dot1x) before it can be associated with a port. If the RADIUS policy ID does not exist, an error is returned. Only one 802.1x RADIUS policy can be associated with a port at a time.
The no form of this command removes the RADIUS policy association.
Default: no radius-plcy
name: specifies an existing 802.1x RADIUS policy name
re-auth-period seconds
no re-auth-period
config>port>ethernet>dot1x
This command configures the number of seconds the system will wait before performing reauthentication. This value is only relevant if reauthentication is enabled with the re-authentication command.
The no form of this command returns the value to the default.
Default: 3600
seconds: specifies the reauthentication delay period in seconds
[no] re-authentication
config>port>ethernet>dot1x
This command enables or disables periodic 802.1x reauthentication.
When reauthentication is enabled, the 7705 SAR will reauthenticate clients on the port after waiting the number of seconds defined by the re-auth-period command.
The no form of this command disables 802.1x reauthentication.
Default: no re-authentication
server-timeout seconds
no server-timeout
config>port>ethernet>dot1x
This command configures the time during which the 7705 SAR waits for the RADIUS server to respond to its access request message. When this timer expires, the 7705 SAR will resend the access request message, up to the number of times specified by the max-auth-req command.
The no form of this command returns the value to the default.
Default: 30
seconds: specifies the server timeout period in seconds
supplicant-timeout seconds
no supplicant-timeout
config>port>ethernet>dot1x
This command configures the time the 7705 SAR waits for a client to respond to its EAPOL messages. When the supplicant timeout period expires, the 802.1x authentication session is considered to have failed.
The no form of this command returns the value to the default.
Default: 30
seconds: specifies the supplicant timeout period in seconds
transmit-period seconds
no transmit-period
config>port>ethernet>dot1x
This command configures the time after which the 7705 SAR sends a new EAPOL request message.
The no form of this command returns the value to the default.
Default: 30
seconds: specifies the server transmit period in seconds
[no] tunneling
config>port>ethernet>dot1x
This command enables the tunneling of untagged 802.1x frames received on a port for both Epipe and VPLS services using a null SAP or a default SAP on a dot1q or qinq port. When configured, untagged 802.1x frames are switched into the service with the corresponding supported SAP. 802.1x tunneling is supported only when the port-control command is set to force-auth.
The no form of this command disables tunneling of untagged 802.1x frames.
Default: no tunneling
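Several commands on this page only take effect in a particular port-control mode (mac-auth needs auto, tunneling needs force-auth, re-auth-period needs re-authentication), and the default mode performs no authentication at all. The following Python script is an added example, not Nokia code, that applies the defaults listed on this page to one port's dot1x commands and reports those conditions; the one-command-per-line input format, the rule IDs and the policy name dot1x-policy are assumptions.

```python
# Added example: audit one port's dot1x commands against the rules on this page.
# Assumed input: one command per line, as typed under config>port>ethernet>dot1x.
DEFAULTS = {
    "port-control": "force-auth", "radius-plcy": None, "mac-auth": False,
    "re-authentication": False, "tunneling": False, "re-auth-period": "3600",
}
FLAGS = {"mac-auth", "re-authentication", "tunneling"}


def effective_config(lines):
    """Apply commands in order on top of the defaults; 'no <cmd>' restores the default."""
    cfg = dict(DEFAULTS)
    for words in filter(None, (line.split() for line in lines)):
        if words[0] == "no" and len(words) > 1 and words[1] in cfg:
            cfg[words[1]] = DEFAULTS[words[1]]
        elif words[0] in FLAGS:
            cfg[words[0]] = True
        elif words[0] in cfg and len(words) > 1:
            cfg[words[0]] = words[1]
    return cfg


def audit(lines):
    """Return a list of (rule_id, message) findings for one port's dot1x block."""
    cfg, out = effective_config(lines), []
    mode = cfg["port-control"]
    if mode == "force-auth":
        out.append(("NO-8021X", "port-control force-auth: port is authorized without authentication"))
    if mode == "auto" and cfg["radius-plcy"] is None:
        out.append(("NO-RADIUS", "port-control auto but no radius-plcy is associated"))
    if mode == "auto" and not cfg["re-authentication"]:
        out.append(("NO-REAUTH", "re-authentication is disabled; re-auth-period has no effect"))
    if cfg["mac-auth"] and mode != "auto":
        out.append(("MACAUTH-MODE", "mac-auth requires port-control auto"))
    if cfg["tunneling"] and mode != "force-auth":
        out.append(("TUNNEL-MODE", "tunneling is supported only with port-control force-auth"))
    return out


# Constructed sample inputs (not taken from a real device); the policy name is hypothetical.
UNCONFIGURED = []
MIXED = ["port-control auto", "mac-auth", "tunneling", "re-auth-period 600"]
ENFORCED = ["port-control auto", "radius-plcy dot1x-policy", "re-authentication"]

if __name__ == "__main__":
    for name, block in [("unconfigured", UNCONFIGURED), ("mixed", MIXED), ("enforced", ENFORCED)]:
        print(name, [rule for rule, _ in audit(block)])
```

Commands that the script does not model, such as the timers, are ignored rather than rejected.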