Before you begin
Enable the 802.1X feature on the Cisco NX-OS device.
SUMMARY STEPS
1. dot1x initialize interface ethernet slot/port
DETAILED STEPS
Step 1
Command or Action: dot1x initialize interface ethernet slot/port
Example:
switch# dot1x initialize interface ethernet 2/1
Purpose: Initializes 802.1X authentication on the Cisco NX-OS device or on a specified interface.
Changing 802.1X Authentication Timers for an Interface
You can change the following 802.1X authentication timers on the Cisco NX-OS device interfaces:
Quiet-period timer
When the Cisco NX-OS device cannot authenticate the supplicant, the switch remains idle for a set period
of time and then tries again. The quiet-period timer value determines the idle period. An authentication
failure might occur because the supplicant provided an invalid password. You can provide a faster
response time to the user by entering a smaller number than the default. The default is the value of the
global quiet period timer. The range is from 1 to 65535 seconds.
Rate-limit timer
The rate-limit period throttles EAPOL-Start packets from supplicants that are sending too many
EAPOL-Start packets. The authenticator ignores EAPOL-Start packets from supplicants that have
successfully authenticated for the rate-limit period duration. With the default value of 0 seconds, the
authenticator processes all EAPOL-Start packets. The range is from 1 to 65535 seconds.
Switch-to-authentication-server retransmission timer for Layer 4 packets
The authentication server notifies the switch each time that it receives a Layer 4 packet. If the switch
does not receive a notification after sending a packet, the Cisco NX-OS device waits a set period of time
and then retransmits the packet. The default is 30 seconds. The range is from 1 to 65535 seconds.
Switch-to-supplicant retransmission timer for EAP response frames
The supplicant responds to the EAP-request/identity frame from the Cisco NX-OS device with an
EAP-response/identity frame. If the Cisco NX-OS device does not receive this response, it waits a set
period of time (known as the retransmission time) and then retransmits the frame. The default is 30
seconds. The range is from 1 to 65535 seconds.
Switch-to-supplicant retransmission timer for EAP request frames
The supplicant notifies the Cisco NX-OS device that it received the EAP request frame. If the authenticator
does not receive this notification, it waits a set period of time and then retransmits the frame. The default
is the value of the global retransmission period timer. The range is from 1 to 65535 seconds.
Inactive period timeout
The set period of time for which the Cisco NX-OS device remains inactive. The timeout inactivity-period
value determines the inactive period. The recommended minimum value is 1800 seconds. You must
ensure that the value is less than the value of the re-authentication time.
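One way to check interface timer settings against the limits listed above, as an added example that is not part of the Cisco guide. It assumes the NX-OS interface keywords `dot1x timeout quiet-period`, `ratelimit-period`, `server-timeout`, `supp-timeout`, `tx-period`, `inactivity-period` and `re-authperiod`, which this section does not show, and it runs over a constructed sample configuration.

```python
import re

# Limits as stated in the section above (seconds).
LOW, HIGH = 1, 65535
RANGED = {"quiet-period", "ratelimit-period", "server-timeout",
          "supp-timeout", "tx-period"}
MIN_INACTIVITY = 1800  # recommended minimum for the inactive period

# Constructed sample configuration, not taken from a real device.
SAMPLE = """\
interface Ethernet2/1
  dot1x timeout quiet-period 30
  dot1x timeout inactivity-period 1800
  dot1x timeout re-authperiod 3600
interface Ethernet2/2
  dot1x timeout tx-period 0
  dot1x timeout inactivity-period 900
  dot1x timeout re-authperiod 600
"""

TIMER = re.compile(r"^\s+dot1x timeout (\S+) (\d+)\s*$")

def audit(config):
    """Return (interface, finding) tuples in configuration order."""
    timers, iface = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            iface = line.split(None, 1)[1].strip()
            timers[iface] = {}
        elif line and not line[0].isspace():
            iface = None  # left the interface stanza
        elif iface and (m := TIMER.match(line)):
            timers[iface][m.group(1)] = int(m.group(2))
    findings = []
    for iface, t in timers.items():
        for name, value in t.items():
            if name in RANGED and not LOW <= value <= HIGH:
                findings.append((iface, f"{name} {value} outside {LOW}-{HIGH}"))
        inact, reauth = t.get("inactivity-period"), t.get("re-authperiod")
        if inact is not None and inact < MIN_INACTIVITY:
            findings.append((iface, f"inactivity-period {inact} below recommended {MIN_INACTIVITY}"))
        if inact is not None and reauth is not None and inact >= reauth:
            findings.append((iface, f"inactivity-period {inact} not less than re-authperiod {reauth}"))
    return findings

if __name__ == "__main__":
    for iface, finding in audit(SAMPLE):
        print(f"{iface}: {finding}")
```

The cross-check only fires when both timers are set on the interface; an interface that inherits the global re-authentication time would need that value passed in separately.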
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
Configuring 802.1X