12-31
Cisco IE 3000 Switch Software Configuration Guide
OL-13018-03
Chapter 12 Configuring IEEE 802.1x Port-Based Authentication
Configuring 802.1x Authentication
•
In multidomain authentication (MDA) mode, one device is allowed for the access VLAN, and one
IP phone is allowed for the voice VLAN.
•
In multiple-host mode, only one 802.1x supplicant is allowed on the port, but an unlimited number
of non-802.1x hosts are allowed on the access VLAN. An unlimited number of devices are allowed
on the voice VLAN.
Configuring 802.1x Readiness Check
The 802.1x readiness check monitors 802.1x activity on all the switch ports and displays information
about the devices connected to the ports that support 802.1x. You can use this feature to determine if
the devices connected to the switch ports are 802.1x-capable.
The 802.1x readiness check is allowed on all ports that can be configured for 802.1x. The readiness
check is not available on a port that is configured as
dot1x force-unauthorized
.
Follow these guidelines to enable the readiness check on the switch:
•
The readiness check is typically used before 802.1x is enabled on the switch.
•
If you use the
dot1x test eapol-capable
privileged EXEC command without specifying an
interface, all the ports on the switch stack are tested.
•
When you configure the
dot1x test eapol-capable
command on an 802.1x-enabled port, and the
link comes up, the port queries the connected client about its 802.1x capability. When the client
responds with a notification packet, it is 802.1x-capable. A syslog message is generated if the client
responds within the timeout period. If the client does not respond to the query, the client is
not 802.1x-capable. No syslog message is generated.
•
The readiness check can be sent on a port that handles multiple hosts (for example, a PC that is
connected to an IP phone). A syslog message is generated for each of the clients that respond to the
readiness check within the timer period.
Beginning in privileged EXEC mode, follow these steps to enable the 802.1x readiness check on the
switch:
This example shows how to enable a readiness check on a switch to query a port. It also shows the
response received from the queried port verifying that the device connected to it is 802.1x-capable:
switch#
dot1x test eapol-capable interface gigabitethernet1/2
DOT1X_PORT_EAPOL_CAPABLE:DOT1X: MAC 00-01-02-4b-f1-a3 on gigabitethernet1/2 is EAPOL
capable
Command
Purpose
Step 1
dot1x test eapol-capable
[
interface
interface-id
]
Enable the 802.1x readiness check on the switch.
(Optional) For
interface-id
specify the port on which to check for 802.1x
readiness.
Note
If you omit the optional
interface
keyword, all interfaces on the
switch are tested.
Step 1
configure terminal
(Optional) Enter global configuration mode.
Step 2
dot1x test timeout
timeout
(Optional) Configure the timeout used to wait for EAPOL response. The
range is from 1 to 65535 seconds. The default is 10 seconds.
Step 3
end
(Optional) Return to privileged EXEC mode.
Step 4
show running-config
(Optional) Verify your modified timeout values.
Содержание IE 3000
Страница 36: ...xxxiv Cisco IE 3000 Switch Software Configuration Guide OL 13018 03 Preface ...
Страница 784: ...39 20 Cisco IE 3000 Switch Software Configuration Guide OL 13018 03 Chapter 39 Troubleshooting Troubleshooting Tables ...
Страница 874: ...Index IN 42 Cisco IE 3000 Switch Software Configuration Guide OL 13018 03 ...