Security Measures
Instruction Manual - NXA-ENET8-POE+
Control Mode
Sets the authentication mode to one of the following options:
• Auto - Requires a dot1x-aware client to be authorized by the authentication server. Clients that
are not dot1x-aware will be denied access.
• Force-Authorized - Forces the port to grant access to all clients, either dot1x-aware or
otherwise. (This is the default setting.)
• Force-Unauthorized - Forces the port to deny access to all clients, either dot1x-aware or
otherwise.
Operation Mode
Allows single or multiple hosts (clients) to connect to an 802.1x-authorized port. (Default: Single-Host)
• Single-Host - Allows only a single host to connect to this port.
• Multi-Host - Allows multiple hosts to connect to this port.
In this mode, only one host connected to a port needs to pass authentication for all other hosts
to be granted network access. Similarly, a port can become unauthorized for all hosts if one
attached host fails re-authentication or sends an EAPOL logoff message.
• MAC-Based - Allows multiple hosts to connect to this port, with each host needing to be
authenticated.
In this mode, each host connected to a port needs to pass authentication. The number of hosts
allowed access to a port operating in this mode is limited only by the available space in the
secure address table (i.e., up to 1024 addresses).
Max Count
The maximum number of hosts that can connect to a port when the Multi-Host operation mode is
selected. (Range: 1-1024; Default: 5)
Max Request
Sets the maximum number of times the switch port will retransmit an EAP request packet to the
client before it times out the authentication session. (Range: 1-10; Default: 2)
Quiet Period
Sets the time that a switch port waits after the Max Request Count has been exceeded before
attempting to acquire a new client. (Range: 1-65535 seconds; Default: 60 seconds)
Tx Period
Sets the time period during an authentication session that the switch waits before re-transmitting
an EAP packet. (Range: 1-65535; Default: 30 seconds)
Supplicant Timeout
Sets the time that a switch port waits for a response to an EAP request from a client before
re-transmitting an EAP packet. (Range: 1-65535; Default: 30 seconds)
This command attribute sets the timeout for EAP-request frames other than EAP-request/identity
frames. If dot1x authentication is enabled on a port, the switch will initiate authentication when
the port link state comes up. It will send an EAP-request/identity frame to the client to request its
identity, followed by one or more requests for authentication information. It may also send other
EAP-request frames to the client during an active connection as required for re-authentication.
Server Timeout
Sets the time that a switch port waits for a response to an EAP request from an authentication
server before re-transmitting an EAP packet. (Default: 0 seconds)
A RADIUS server must be set before the correct operational value of 10 seconds will be displayed
in this field. (See the Configuring Remote Login Authentication Servers section for more information.)
Re-authentication Status
Sets the client to be re-authenticated after the interval specified by the Re-authentication Period.
Re-authentication can be used to detect if a new device is plugged into a switch port. (Default:
Disabled)
Re-authentication Period
Sets the time period after which a connected client must be re-authenticated. (Range: 1-65535
seconds; Default: 3600 seconds)
Re-authentication Max Retries
The maximum number of times the switch port will retransmit an EAP request/identity packet to
the client before it times out the authentication session. (Range: 1-10; Default: 2)
Intrusion Action
Sets the port's response to a failed authentication.
• Block Traffic - Blocks all non-EAP traffic on the port. (This is the default setting.)
• Guest VLAN - All traffic for the port is assigned to a guest VLAN. The guest VLAN must be
separately configured (see the
section on page 88) and mapped on
each port (see the
Configuring Network Access for Ports
Supplicant List
Supplicant
MAC address of authorized client
Authenticator PAE State Machine
State
Current state (including initialize, disconnected, connecting, authenticating, authenticated,
aborting, held, force_authorized, force_unauthorized)
Reauth Count
Number of times connecting state is re-entered.
Current Identifier
Identifier sent in each EAP Success, Failure or Request packet by the Authentication Server.
Backend State Machine
State
Current state (including request, response, success, fail, timeout, idle, initialize)
Security - Port Authentication Options
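The following check is an added example, not part of the AMX manual: it validates a port's 802.1X settings against the ranges and defaults in the table above and flags the settings the table describes as granting access without per-host authentication. The dictionary keys and the sample ports are assumptions made for the example.

```python
# Added example: audit 802.1X port settings against the manual's table.
# Keys are hypothetical names, not the switch's CLI or SNMP identifiers.

RANGES = {  # (min, max) as stated in the table
    "max_count": (1, 1024),
    "max_request": (1, 10),
    "quiet_period": (1, 65535),
    "tx_period": (1, 65535),
    "supplicant_timeout": (1, 65535),
    "reauth_period": (1, 65535),
    "reauth_max_retries": (1, 10),
}

DEFAULTS = {  # defaults as stated in the table
    "control_mode": "Force-Authorized",
    "operation_mode": "Single-Host",
    "max_count": 5, "max_request": 2, "quiet_period": 60,
    "tx_period": 30, "supplicant_timeout": 30,
    "reauth_status": False, "reauth_period": 3600,
    "reauth_max_retries": 2,
}

def audit_port(name, settings):
    """Return findings for one port; unset keys fall back to defaults."""
    cfg = {**DEFAULTS, **settings}
    findings = []
    for key, (lo, hi) in RANGES.items():
        if not lo <= cfg[key] <= hi:
            findings.append(f"{name}: {key}={cfg[key]} outside {lo}-{hi}")
    if cfg["control_mode"] == "Force-Authorized":
        findings.append(f"{name}: Force-Authorized admits all clients, dot1x-aware or not")
    elif cfg["control_mode"] == "Auto":
        if cfg["operation_mode"] == "Multi-Host":
            findings.append(f"{name}: Multi-Host admits up to {cfg['max_count']} hosts once one authenticates")
        if not cfg["reauth_status"]:
            findings.append(f"{name}: re-authentication disabled, so it cannot detect a new device on the port")
    return findings

# Constructed sample input, not taken from a real switch.
SAMPLE_PORTS = {
    "port1": {},  # all defaults
    "port2": {"control_mode": "Auto", "operation_mode": "Multi-Host"},
    "port3": {"control_mode": "Auto", "operation_mode": "MAC-Based", "reauth_status": True},
    "port4": {"control_mode": "Auto", "reauth_status": True, "max_request": 11},
}

if __name__ == "__main__":
    for port, settings in SAMPLE_PORTS.items():
        print(port, audit_port(port, settings))
```

A port left at its defaults (port1) is reported because Force-Authorized is the default Control Mode; port3, in Auto with MAC-Based operation and re-authentication enabled, produces no findings.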