Enabling 802.1X authentication

The following steps are for enabling and activating 802.1X authentication and for configuring certain 802.1X-specific commands.

  1. Enter the configure terminal command to enter global configuration mode.
    device# configure terminal
  2. Enter the authentication command to enter authentication mode.
    device(config)# authentication
  3. Enter the dot1x enable command to enable 802.1X authentication.
    device(config-authen)# dot1x enable
  4. Enter the dot1x enable { all | ethernet unit/slot/port [ to unit/slot/port ] } command to enable 802.1X authentication on all interfaces, a single interface, or a specific set of interfaces.
    device(config-authen)# dot1x enable all
  5. Enter the dot1x port-control auto command to set the controlled port in the unauthorized state until authentication takes place between the client and the authentication server.
    The following example configures the command globally.
    device(config-authen)# dot1x port-control auto all
    The following example configures the command on a single interface. (Interface configuration overrides global configuration if they differ.)
    device(config-authen)# dot1x port-control auto ethernet 1/1/1
    Once the client passes authentication, the port becomes authorized. This activates authentication on an 802.1X-enabled interface. The controlled port remains in the authorized state until the client logs off.
  6. (Optional) Enter the dot1x guest-vlan command to configure the VLAN into which the port should be placed when the client's response to the dot1x requests for authentication times out.
    device(config-authen)# dot1x guest-vlan
  7. (Optional) Configure the timeout parameters that determine the time interval for client reauthentication and EAP retransmissions using the following commands:
    • Enter the dot1x timeout quiet-period command to configure the amount of time the ICX device should wait before reauthenticating the client.
      device(config-authen)# dot1x timeout quiet-period 30
    • Enter the dot1x timeout tx-period command to configure the amount of time the ICX device should wait before retransmitting EAP-Request/Identity frames to the client.
      device(config-authen)# dot1x timeout tx-period 30
    • Enter the dot1x timeout supplicant command to configure the amount of time the ICX device should wait before retransmitting RADIUS EAP-Request/Challenge frames to the client.
      device(config-authen)# dot1x timeout supplicant 30
    Based on the timeout parameters, the client is reauthenticated, and EAP-Request/Identity frames and EAP-Request/Challenge frames are retransmitted.
  8. (Optional) Enter the dot1x max-reauth-req command to configure the maximum number of times EAP-Request/Identity frames are sent for reauthentication after the first authentication attempt.
    device(config-authen)# dot1x max-reauth-req 4
    If no EAP Response/Identity frame is received from the client after the specified number of EAP-Request/Identity frame retransmissions, the device restarts the authentication process with the client.
  9. (Optional) Enter the dot1x max-req command to configure the maximum number of times EAP-Request/Challenge frames are retransmitted when an EAP Response/Identity frame is not received from the client.
    device(config-authen)# dot1x max-req 3
  10. (Optional) Enter the dot1x macauth-override command to configure the device to perform MAC authentication after 802.1X authentication if 802.1X authentication fails for the clients.
    Note: This command is applicable only when the authentication sequence is configured as 802.1X authentication followed by MAC authentication.
    device(config-authen)# dot1x macauth-override
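
A quick way to confirm that steps 3 through 5 are all in place for every port, written here as an added example and not part of the vendor documentation: the script reads the authentication-mode commands and reports interfaces that have 802.1X enabled but no dot1x port-control auto applied. It assumes the saved configuration lists the commands exactly as they are typed above and that interface ranges stay within one unit/slot; the function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample: the commands from the steps above as entered in
# authentication mode (assumption: saved config lines look the same).
SAMPLE = """\
authentication
 dot1x enable
 dot1x enable ethernet 1/1/1 to 1/1/4
 dot1x port-control auto ethernet 1/1/1 to 1/1/2
 dot1x macauth-override
"""

SPEC = re.compile(r"(all|ethernet (\d+)/(\d+)/(\d+)(?: to (\d+)/(\d+)/(\d+))?)$")

def ports(spec):
    """Expand 'all' or 'ethernet u/s/p [to u/s/p]' into a set of port names."""
    m = SPEC.match(spec)
    if not m:
        raise ValueError(f"unrecognized interface spec: {spec!r}")
    if m.group(1) == "all":
        return {"all"}
    unit, slot, first = m.group(2, 3, 4)
    if m.group(5) and m.group(5, 6) != (unit, slot):
        raise ValueError("range crossing unit/slot not handled in this example")
    last = m.group(7) or first
    return {f"{unit}/{slot}/{p}" for p in range(int(first), int(last) + 1)}

def audit(config):
    """Return findings for steps 3-5; an empty list means all three are in place."""
    globally_on, enabled, auto = False, set(), set()
    for line in map(str.strip, config.splitlines()):
        if line == "dot1x enable":
            globally_on = True
        elif line.startswith("dot1x enable "):
            enabled |= ports(line[len("dot1x enable "):])
        elif line.startswith("dot1x port-control auto "):
            auto |= ports(line[len("dot1x port-control auto "):])
    findings = []
    if not globally_on:
        findings.append("802.1X not enabled globally (step 3)")
    if not enabled:
        findings.append("802.1X not enabled on any interface (step 4)")
    # 'auto all' covers every port; otherwise compare port by port.
    missing = set() if "all" in auto else ({"all"} if "all" in enabled else enabled - auto)
    findings += [f"{p}: 802.1X enabled but port-control auto not applied (step 5)"
                 for p in sorted(missing)]
    return findings
```

Calling audit(SAMPLE) flags ports 1/1/3 and 1/1/4, which are enabled for 802.1X in the sample but fall outside the port-control auto range.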