Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Protocol).

Table 43-1 802.1X Port Authentication Commands

| Command | Function | Mode | Page |
|---|---|---|---|
| dot1x system-auth-control | Enables dot1x globally on the switch. | GC | 43-1 |
| dot1x default | Resets all dot1x parameters to their default values | GC | 43-2 |
| dot1x max-req | Sets the maximum number of times that the switch retransmits an EAP request/identity packet to the client before it times out the authentication session | IC | 43-2 |
| dot1x port-control | Sets dot1x mode for a port interface | IC | 43-2 |
| dot1x operation-mode | Allows single or multiple hosts on a dot1x port | IC | 43-3 |
| dot1x re-authenticate | Forces re-authentication on specific ports | PE | 43-4 |
| dot1x re-authentication | Enables re-authentication for all ports | IC | 43-4 |
| dot1x timeout quiet-period | Sets the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client | IC | 43-5 |
| dot1x timeout re-authperiod | Sets the time period after which a connected client must be re-authenticated | IC | 43-5 |
| dot1x timeout tx-period | Sets the time period during an authentication session that the switch waits before re-transmitting an EAP packet | IC | 43-6 |
| show dot1x | Shows all dot1x related information | PE | 43-6 |

dot1x system-auth-control

This command enables IEEE 802.1X port authentication globally on the switch. Use the no form to restore the default.

Syntax
    [no] dot1x system-auth-control

Default Setting
Disabled

Command Mode
Global Configuration

Example
    Console(config)#dot1x system-auth-control
    Console(config)#

43 802.1X Port Authentication

dot1x default

This command sets all configurable dot1x global and port settings to their default values.

Command Mode
Global Configuration

Example
    Console(config)#dot1x default
    Console(config)#

dot1x max-req

This command sets the maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the authentication session.
Use the no form to restore the default.

Syntax
    dot1x max-req count
    no dot1x max-req

count – The maximum number of requests (Range: 1-10)

Default
2

Command Mode
Interface Configuration

Example
    Console(config)#interface eth 1/2
    Console(config-if)#dot1x max-req 2
    Console(config-if)#

dot1x port-control

This command sets the dot1x mode on a port interface. Use the no form to restore the default.

Syntax
    dot1x port-control {auto | force-authorized | force-unauthorized}
    no dot1x port-control

• auto – Requires a dot1x-aware connected client to be authorized by the RADIUS server. Clients that are not dot1x-aware will be denied access.
• force-authorized – Configures the port to grant access to all clients, either dot1x-aware or otherwise.
• force-unauthorized – Configures the port to deny access to all clients, either dot1x-aware or otherwise.

Default
force-authorized

Command Mode
Interface Configuration

Example
    Console(config)#interface eth 1/2
    Console(config-if)#dot1x port-control auto
    Console(config-if)#

dot1x operation-mode

This command allows single or multiple hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host. Use the no form with the multi-host max-count keywords to restore the default maximum count.

Syntax
    dot1x operation-mode {single-host | multi-host [max-count count]}
    no dot1x operation-mode [multi-host max-count]

• single-host – Allows only a single host to connect to this port.
• multi-host – Allows multiple hosts to connect to this port.
• max-count – Keyword for the maximum number of hosts.
• count – The maximum number of hosts that can connect to a port. (Range: 1-1024; Default: 5)

Default
Single-host

Command Mode
Interface Configuration

Command Usage
• The “max-count” parameter specified by this command is only effective if the dot1x mode is set to “auto” by the dot1x port-control command (page 4-105).
• In “multi-host” mode, only one host connected to a port needs to pass authentication for all other hosts to be granted network access. Similarly, a port can become unauthorized for all hosts if one attached host fails re-authentication or sends an EAPOL logoff message.

Example
    Console(config)#interface eth 1/2
    Console(config-if)#dot1x operation-mode multi-host max-count 10
    Console(config-if)#

dot1x re-authenticate

This command forces re-authentication on all ports or a specific interface.

Syntax
    dot1x re-authenticate [interface]

interface
• ethernet unit/port
  - unit - Stack unit. (Range: Always 1)
  - port - Port number. (Range: 1-24/48)

Command Mode
Privileged Exec

Command Usage
The re-authentication process verifies the connected client’s user ID and password on the RADIUS server. During re-authentication, the client remains connected to the network and the process is handled transparently by the dot1x client software. Only if re-authentication fails is the port blocked.

Example
    Console#dot1x re-authenticate
    Console#

dot1x re-authent...
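An added example, not taken from the manual: a Python audit that reads a switch configuration and flags ports where the defaults and modes documented above leave 802.1X ineffective (global control disabled, force-authorized ports, multi-host ports). The stanza layout of the sample configuration and the name audit_dot1x are assumptions; only the dot1x commands and their defaults come from the command reference.

```python
import re

# Constructed sample. The stanza layout ("interface ethernet unit/port", "!")
# is an assumption; only the dot1x commands themselves come from the manual.
SAMPLE_CONFIG = """\
dot1x system-auth-control
!
interface ethernet 1/1
 dot1x port-control auto
!
interface ethernet 1/2
 dot1x port-control auto
 dot1x operation-mode multi-host max-count 10
!
interface ethernet 1/3
 dot1x operation-mode multi-host max-count 10
!
"""

def audit_dot1x(config):
    """Return (scope, finding) tuples for weak 802.1X settings in a config text."""
    ports, current, enabled = {}, None, False
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"interface\s+eth(?:ernet)?\s+(\d+/\d+)", line)
        if m:
            # Defaults documented in the manual: force-authorized, single-host.
            current = ports.setdefault(
                m.group(1), {"control": "force-authorized", "mode": "single-host"})
        elif line in ("", "!"):
            current = None
        elif line == "dot1x system-auth-control" and current is None:
            enabled = True
        elif current is not None and line.startswith("dot1x port-control "):
            current["control"] = line.split()[2]
        elif current is not None and line.startswith("dot1x operation-mode "):
            current["mode"] = line.split()[2]
    findings = []
    if not enabled:
        findings.append(("global", "802.1X disabled: no dot1x system-auth-control"))
    for port in sorted(ports, key=lambda p: tuple(map(int, p.split("/")))):
        control, mode = ports[port]["control"], ports[port]["mode"]
        if control == "force-authorized":
            findings.append((port, "force-authorized: all clients get access"))
            if mode == "multi-host":
                findings.append((port, "max-count only takes effect with port-control auto"))
        elif mode == "multi-host" and control == "auto":
            findings.append((port, "multi-host: one authenticated host opens the port to all"))
    return findings
```

Calling audit_dot1x(SAMPLE_CONFIG) reports port 1/2 for multi-host mode and port 1/3 twice: once because it was left at the force-authorized default, once because its max-count setting is therefore ignored.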
This manual is also suitable for the following models:
Network hardware - Direk Tronik 24/48-Port (4.82 mb)
Network hardware - Direk Tronik ES4524D (4.82 mb)