Thursday, September 16, 2010

802.1x

Configuration:

dot1x max-req: The dot1x max-req interface configuration command sets the maximum number of times that the device sends an Extensible Authentication Protocol (EAP) Request frame (assuming that no response is received) to the client before restarting the authentication process.
Other definition:
Sets the number of times that the switch retransmits an EAP-Request frame of a type other than EAP-Request/Identity to the client before restarting the authentication process.


dot1x max-reauth-req: The number of times that the switch restarts the authentication process before the port changes to an unauthorized state.
Other definition: The number of times that the switch sends an EAP-Request/Identity frame (assuming no response is received) to the client before restarting the authentication process.


The number of EAP-Request/Identity retransmissions is controlled by the dot1x max-reauth-req command; the number of retransmissions for other EAP-Request frames is controlled by the dot1x max-req command.

Timers:
dot1x timeout re-authperiod: The dot1x timeout re-authperiod interface configuration command sets the number of seconds between re-authentication attempts. To return to the default setting, use the no form of this command.

dot1x timeout quiet-period:
The dot1x timeout quiet-period interface configuration command sets the number of seconds that the device remains in the quiet state following a failed authentication exchange (for example, the client provided an invalid password). To return to the default setting, use the no form of this command.

dot1x timeout tx-period: The dot1x timeout tx-period interface configuration command sets the number of seconds that the device waits for a response to an Extensible Authentication Protocol (EAP) Request/Identity frame from the client before resending the request. To return to the default setting, use the no form of this command.

dot1x timeout supp-timeout: The dot1x timeout supp-timeout interface configuration command sets the time that the device waits for a response before retransmitting an Extensible Authentication Protocol (EAP) Request frame to the client. To return to the default setting, use the no form of this command.

dot1x timeout server-timeout: The dot1x timeout server-timeout interface configuration mode command sets the time that the device waits for a response from the authentication server before retransmitting packets. To return to the default setting, use the no form of this command.

Authorization Features:
Critical VLAN: assigns a VLAN when the AAA server is not reachable.
                      authentication event server dead action authorize vlan vlan-id
Guest VLAN: assigns a VLAN when the client is not capable of authenticating (no 802.1x supplicant, so the switch never gets a response).
                      authentication event no-response action authorize vlan vlan-id
Auth-fail (Restricted) VLAN: assigns a VLAN when the client is capable of authenticating but authentication fails, for example a user with wrong credentials. The auth-fail VLAN does not work in multi-auth mode (think about having two devices on that port: one authenticates successfully, another shows up and fails, pulling the whole port into the auth-fail VLAN, which is probably not what your customer wants).
                      authentication event fail action authorize vlan vlan-id  [OR]
                      dot1x auth-fail vlan vlan-id


Commands:
aaa authentication dot1x default group radius none
   -- The trailing "none" method uses no authentication: if the RADIUS group cannot be reached, the client is authenticated by the switch without using the information supplied by the client.


Dynamic VLAN Assignment with RADIUS Server:
RADIUS attributes that need to be passed in the Access-Accept:
tunnel-type=VLAN
tunnel-medium-type=ALL_802
tunnel-private-group-id="Vlanname" or "uservlanid"

For rsim:
attribute 64 numeric 13
attribute 65 numeric 6
attribute 81 string "nms"

Configuration needed on the switch:
1. aaa authorization network default group radius
2. The "vlanname" or "vlanid" sent by the RADIUS server must already be configured on the switch.
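As an added example (not from the original post or from Cisco's documentation), this Python snippet encodes the three tunnel attributes listed above (64, 65, 81) the way a RADIUS server carries a VLAN assignment in an Access-Accept, and parses them back the way a switch would: the VLAN is returned only when Tunnel-Type=VLAN(13) and Tunnel-Medium-Type=802(6) are present with the same tag, so a server misconfiguration surfaces as None rather than as a silently ignored attribute. The function names are my own; the "nms" value is the one used in the rsim lines above.

```python
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13    # Tunnel-Type "VLAN" (RFC 3580)
TUNNEL_MEDIUM_802 = 6    # Tunnel-Medium-Type "802" (RFC 2868)


def encode_vlan_attrs(group_id: str, tag: int = 0) -> bytes:
    """Build the three RFC 2868 attributes for a VLAN assignment.
    Tunnel-Type / Tunnel-Medium-Type carry Tag(1) + Value(3);
    Tunnel-Private-Group-ID carries Tag(1) + String. One tag (0 = untagged)
    ties the three together."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")

    def avp(code: int, payload: bytes) -> bytes:
        return struct.pack("!BB", code, 2 + len(payload)) + payload

    return (avp(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_802.to_bytes(3, "big"))
            + avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + group_id.encode()))


def parse_avps(data: bytes):
    """Yield (code, value) for each RADIUS attribute; reject truncated input."""
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        code, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        yield code, data[i + 2:i + length]
        i += length


def vlan_from_accept(attrs: bytes):
    """Return the VLAN name/ID the switch would apply, or None when the set is
    incomplete or inconsistent (wrong type or medium, mismatched tags)."""
    found = {}
    for code, value in parse_avps(attrs):
        if code in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID) and value:
            # RFC 2868: a first byte > 0x1F is not a tag but part of the string
            tagged = value[0] <= 0x1F
            tag, body = (value[0], value[1:]) if tagged else (0, value)
            found.setdefault(tag, {})[code] = body
    for group in found.values():
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN.to_bytes(3, "big")
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802.to_bytes(3, "big")
                and TUNNEL_PRIVATE_GROUP_ID in group):
            return group[TUNNEL_PRIVATE_GROUP_ID].decode()
    return None
```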


References:
ACS 5.2 configuration:
http://www.cisco.com/en/US/products/ps10315/products_configuration_example09186a0080bc8129.shtml
ACS 4.x configuration:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
http://docs.us.dell.com/support/edocs/network/pc6024/en/cli/html/802.htm#1054577
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/19ew/configuration/guide/dot1x.html