2-561
Catalyst 6500 Series Switch Command Reference—Release 8.6
OL-8977-01
Chapter 2 Catalyst 6500 Series Switch and ROM Monitor Commands
set port dot1x
When configuring the authentication failure VLAN, follow these configuration guidelines and be aware of these restrictions:
• After three failed 802.1X authentication attempts by the supplicant, the port is moved to the authentication failure VLAN, where the supplicant can access the network. These three attempts introduce a delay of 3 minutes before the port is enabled in the authentication failure VLAN and the EAP success packet is sent to the supplicant (1 minute per failed attempt, based on the default quiet period of 60 seconds after each failed attempt).
• The number of failed 802.1X authentication attempts is counted from the time of the linkup to the point where the port is moved into the authentication failure VLAN. When the port moves into the authentication failure VLAN, the failed-attempts counter is reset.
• Only authentication-failed users are moved to the authentication failure VLAN.
• The authentication failure VLAN is supported only in single-authentication mode (the default port mode).
• The authentication failure VLAN is not supported on a port that is configured as a unidirectional port.
• The supplicant’s MAC address is added to the CAM table, and only that MAC address is allowed on the authentication failure VLAN port. Any new MAC address that appears on the port is treated as a security violation.
• The authentication failure VLAN port cannot be part of an RSPAN VLAN or a private VLAN.
• On multiple VLAN access ports (MVAPs), the authentication failure VLAN and the auxiliary VLAN cannot be the same.
• The authentication failure VLAN and port security features do not conflict with each other. Additionally, other security features such as Dynamic ARP Inspection (DAI), Dynamic Host Configuration Protocol (DHCP) snooping, and IP Source Guard can be enabled and disabled independently on the authentication failure VLAN.
• The authentication failure VLAN is independent of the guest VLAN. However, the guest VLAN can be the same VLAN as the authentication failure VLAN. If you do not want to differentiate between non-802.1X-capable hosts and authentication-failed hosts, you may configure both to the same VLAN (either a guest VLAN or an authentication failure VLAN).
• High availability is supported with the authentication failure VLAN.
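The following Python model, added here as an illustration and not part of the Cisco documentation or CatOS, walks through the guidelines above: the failed-attempt counter that starts at linkup, the 60-second quiet period per attempt (so the third failure lands at 180 seconds), the counter reset on the move to the authentication failure VLAN, and the single-MAC restriction with new MACs reported as security violations. It also includes a small configuration check for the restrictions listed (single-authentication mode, unidirectional ports, RSPAN and private VLANs, MVAP auxiliary VLAN). All class, function and field names are my own assumptions; the MAC addresses are constructed sample values.

```python
"""Simulation of the authentication failure VLAN behaviour described above.

Constructed example for illustration, not Cisco code; the class and field
names are assumptions.  Time is a counter of simulated seconds since linkup.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

QUIET_PERIOD = 60   # default quiet period after each failed attempt (seconds)
MAX_FAILURES = 3    # failed attempts before the port moves to the auth-fail VLAN


def check_auth_fail_vlan_config(mode: str, unidirectional: bool, vlan: int,
                                rspan_vlans: Set[int], private_vlans: Set[int],
                                auxiliary_vlan: Optional[int] = None) -> List[str]:
    """Return the guideline restrictions that a proposed configuration violates."""
    problems = []
    if mode != "single-auth":
        problems.append("auth-fail VLAN requires single-authentication mode")
    if unidirectional:
        problems.append("auth-fail VLAN is not supported on a unidirectional port")
    if vlan in rspan_vlans or vlan in private_vlans:
        problems.append("auth-fail VLAN cannot be an RSPAN VLAN or a private VLAN")
    if auxiliary_vlan is not None and auxiliary_vlan == vlan:
        problems.append("on an MVAP the auth-fail VLAN and auxiliary VLAN must differ")
    return problems


@dataclass
class Dot1xPort:
    auth_fail_vlan: int
    state: str = "down"               # down | authenticating | auth-fail-vlan
    failures: int = 0                 # counted from linkup, reset on the VLAN move
    clock: int = 0                    # simulated seconds since linkup
    enabled_at: Optional[int] = None  # when the auth-fail VLAN became active
    allowed_mac: Optional[str] = None # the one MAC permitted after the move
    violations: List[str] = field(default_factory=list)

    def linkup(self) -> None:
        """Link comes up: the counter starts at zero and authentication begins."""
        self.state, self.failures, self.clock = "authenticating", 0, 0
        self.enabled_at, self.allowed_mac = None, None

    def auth_failure(self, supplicant_mac: str) -> str:
        """One failed 802.1X exchange; the switch then waits out the quiet period."""
        if self.state != "authenticating":
            raise RuntimeError(f"no authentication in progress (state={self.state})")
        self.failures += 1
        self.clock += QUIET_PERIOD
        if self.failures < MAX_FAILURES:
            return "retry"
        # Third failure: move the port, reset the counter, pin the supplicant's
        # MAC address and send EAP-Success.
        self.state = "auth-fail-vlan"
        self.enabled_at = self.clock
        self.failures = 0
        self.allowed_mac = supplicant_mac
        return "eap-success"

    def frame_from(self, src_mac: str) -> bool:
        """Return True if a frame from src_mac is accepted on the port."""
        if self.state == "auth-fail-vlan" and src_mac != self.allowed_mac:
            self.violations.append(src_mac)   # any new MAC is a security violation
            return False
        return True
```

Running the model with three consecutive failures shows the port enabled in the authentication failure VLAN at 180 simulated seconds, which is the 3-minute delay the guideline describes; a frame from a second MAC on that port is then recorded as a violation.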
When you enter the set port dot1x mod/port critical enable command, 802.1X still attempts to authenticate the specified port in the normal way. However, if attempts to reach the authentication server fail, the port is still given access to the network in the administratively-configured VLAN or in the native VLAN of the port. A port can only be configured as a critical port if it is in single-authentication mode.
After a critical port has been given access to the network, if the authentication server becomes available, the critical port returns to the unauthorized state. The normal authentication process is restarted, and after the port is authenticated, it is moved into the RADIUS server-specified VLAN. At this point, you need to initialize the port manually by entering the set port dot1x mod/port initialize command.
If the authentication server goes down after a host has already been authenticated through the normal authentication process, the switch checks to see if the port is a critical port. If the port is a critical port, the normal reauthentication process is temporarily disabled for the port. The port is given network access until the authentication server becomes active and restarts the authentication process.
By default, the session timeout value from the RADIUS server takes precedence over the reauthentication value that is configured by entering set dot1x re-authperiod seconds. With the session timeout override option, you can specify on a per-port basis which timeout value is applied. If session timeout override is enabled, the session timeout value from the RADIUS server is applied. If session timeout override is disabled, the configured reauthentication value is applied.
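The Python model below is an added illustration of the critical-port and session-timeout behaviour described in the preceding paragraphs; it is not Cisco code and does not reproduce CatOS internals. It covers the fallback to the administratively-configured or native VLAN when the authentication server is unreachable, the return to the unauthorized state (with a pending manual initialize) when the server comes back, the suspension of reauthentication for an already-authenticated host on a critical port, and the choice between the RADIUS session timeout and the configured re-authperiod value. Class, field and method names, the VLAN numbers and the timeout values are my own assumptions.

```python
"""Simulation of critical-port handling and session-timeout selection.

Constructed example, not Cisco code; names and sample values are assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class CriticalPort:
    native_vlan: int
    critical_vlan: Optional[int] = None  # administratively-configured VLAN, if any
    critical: bool = True                # set port dot1x mod/port critical enable
    mode: str = "single-auth"            # critical ports must be single-auth
    reauth_period: int = 3600            # value from set dot1x re-authperiod seconds
    session_timeout_override: bool = True  # RADIUS value takes precedence by default
    state: str = "unauthorized"          # unauthorized | authorized | critical-access
    vlan: Optional[int] = None
    radius_session_timeout: Optional[int] = None
    reauth_enabled: bool = True
    needs_initialize: bool = False       # operator must run set port dot1x ... initialize

    def __post_init__(self) -> None:
        if self.critical and self.mode != "single-auth":
            raise ValueError("a port can only be critical in single-authentication mode")

    def authenticate(self, server_reachable: bool, radius_vlan: Optional[int] = None,
                     session_timeout: Optional[int] = None) -> str:
        """Normal 802.1X attempt; a critical port falls back to network access
        when the authentication server cannot be reached."""
        if server_reachable:
            self.state = "authorized"
            self.vlan = radius_vlan if radius_vlan is not None else self.native_vlan
            self.radius_session_timeout = session_timeout
            self.reauth_enabled = True
            self.needs_initialize = False
        elif self.critical:
            self.state = "critical-access"
            self.vlan = self.critical_vlan if self.critical_vlan is not None else self.native_vlan
        else:
            self.state, self.vlan = "unauthorized", None
        return self.state

    def server_state_change(self, reachable: bool) -> str:
        """React to the authentication server becoming reachable or unreachable."""
        if reachable and self.state == "critical-access":
            # Server is back: the port returns to unauthorized, normal
            # authentication restarts, and a manual initialize is required.
            self.state, self.vlan = "unauthorized", None
            self.needs_initialize = True
        elif not reachable and self.state == "authorized" and self.critical:
            # Host already authenticated on a critical port: keep access and
            # suspend reauthentication until the server returns.
            self.reauth_enabled = False
        elif reachable and self.state == "authorized":
            self.reauth_enabled = True
        return self.state

    def effective_reauth_timeout(self) -> int:
        """Pick the timeout per the session timeout override setting."""
        if self.session_timeout_override and self.radius_session_timeout is not None:
            return self.radius_session_timeout
        return self.reauth_period
```

A non-critical port with an unreachable server simply stays unauthorized; the same sequence on a critical port yields access in the native VLAN, and the transition back to unauthorized when the server recovers is what a monitoring rule for unexpected 802.1X state changes would key on.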