• Max Count – The maximum number of hosts that can connect to a port when the
operation mode is set to Multi-Host. (Range: 1-1024; Default: 5)
• Mode – Sets the authentication mode to one of the following options:
- Auto – Requires a dot1x-aware client to be authorized by the authentication
server. Clients that are not dot1x-aware will be denied access.
- Force-Authorized – Forces the port to grant access to all clients, either
dot1x-aware or otherwise. (This is the default setting.)
- Force-Unauthorized – Forces the port to deny access to all clients, either
dot1x-aware or otherwise.
802.1X port authentication and port security (page 6-16) cannot be configured
together on the same port. Only one of these security mechanisms can be applied.

802.1X port authentication cannot be configured on trunk ports. In other words, a
static or dynamically configured trunk cannot be set to Auto or Force-Unauthorized
mode.

When 802.1X authentication is enabled on a port, the MAC address learning
function for this interface is disabled, and the addresses dynamically learned on
this port are removed.

Authenticated MAC addresses are stored as dynamic entries in the switch’s secure
MAC address table. Configured static MAC addresses are added to the secure
address table when seen on a switch port. Static addresses are treated as
authenticated without sending a request to a RADIUS server.

When port status changes to down, all MAC addresses are cleared from the secure
MAC address table. Static VLAN assignments are not restored.
• Re-authentication – Sets the client to be re-authenticated after the interval
specified by the Re-authentication Period. (Default: Disabled)
• Max Request – Sets the maximum number of times the switch port will retransmit
an EAP request packet to the client before it times out the authentication session.
(Range: 1-10; Default: 2)
• Quiet Period – Sets the time that a switch port waits after the Max Request count
has been exceeded before attempting to acquire a new client. (Range: 1-65535
seconds; Default: 60 seconds)
• Re-authentication Period – Sets the time period after which a connected client
must be re-authenticated. (Range: 1-65535 seconds; Default: 3600 seconds)
• TX Period – Sets the time period during an authentication session that the switch
waits before re-transmitting an EAP packet. (Range: 1-65535; Default: 30 seconds)
• Authorized –
- Yes – Connected client is authorized.
- No – Connected client is not authorized.
- Blank – Displays nothing when dot1x is disabled on a port.
• Supplicant – Indicates the MAC address of a connected client.
• Trunk – Indicates if the port is configured as a trunk port.
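
The ranges and restrictions listed above can be checked mechanically before a port configuration is applied. The following Python audit is an added example, not code from the switch or its vendor; the dictionary schema, key names and sample ports are constructed for illustration, and it assumes the port-security conflict applies to the Auto and Force-Unauthorized modes.

```python
# Added example: audit per-port 802.1X settings against the rules on this page.
# The dict schema and key names are hypothetical, not a vendor format.
RANGES = {"max_count": (1, 1024), "max_request": (1, 10),
          "quiet_period": (1, 65535), "reauth_period": (1, 65535),
          "tx_period": (1, 65535)}
# Defaults as documented above (Force-Authorized, re-authentication disabled).
DEFAULTS = {"mode": "force-authorized", "reauth": False, "max_count": 5,
            "max_request": 2, "quiet_period": 60, "reauth_period": 3600,
            "tx_period": 30, "trunk": False, "port_security": False}
ENFORCING = {"auto", "force-unauthorized"}


def audit_port(name, settings):
    """Return a list of findings for one port; unset keys take the defaults."""
    cfg = {**DEFAULTS, **settings}
    mode, out = cfg["mode"], []
    if mode not in ENFORCING | {"force-authorized"}:
        out.append(f"port {name}: unknown mode {mode!r}")
    for key, (lo, hi) in RANGES.items():
        if not lo <= cfg[key] <= hi:
            out.append(f"port {name}: {key}={cfg[key]} outside {lo}-{hi}")
    if cfg["trunk"] and mode in ENFORCING:
        out.append(f"port {name}: trunk port cannot be set to {mode}")
    # Assumption: the port-security conflict applies to the enforcing modes.
    if cfg["port_security"] and mode in ENFORCING:
        out.append(f"port {name}: 802.1X and port security both configured")
    if mode == "force-authorized" and not cfg["trunk"]:
        out.append(f"port {name}: force-authorized grants access to all clients")
    if mode == "auto" and not cfg["reauth"]:
        out.append(f"port {name}: no periodic re-authentication")
    return out


# Constructed sample configuration, for illustration only.
PORTS = {
    "1": {"mode": "auto", "reauth": True},
    "2": {},                                  # factory defaults
    "3": {"mode": "auto", "trunk": True},
    "4": {"mode": "auto", "port_security": True, "max_request": 11},
}

if __name__ == "__main__":
    for port, settings in PORTS.items():
        for finding in audit_port(port, settings):
            print(finding)
```

A port left at its defaults (port 2 in the sample) is reported because Force-Authorized admits every client without consulting the authentication server.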
Configuring 802.1X Port Authentication