Configuring Flexible authentication globally

The following steps configure Flexible authentication at the global level.

  1. Enter the configure terminal command to enter global configuration mode.
    device# configure terminal
  2. Enter the authentication command to enter authentication configuration mode.
    device(config)# authentication
    All the global authentication configurations are available in the authentication configuration mode.
  3. (Optional) Enter the auth-order mac-auth dot1x command to change the sequence of authentication methods to MAC authentication followed by 802.1X authentication if required.
    Note: If the 802.1X authentication and MAC authentication methods are enabled on the same port, by default, the authentication sequence is set to perform 802.1X authentication followed by MAC authentication.
    device(config-authen)# auth-order mac-auth dot1x
  4. Enter the auth-default-vlan command to configure the authentication default VLAN (auth-default VLAN).
    Note: The auth-default VLAN must be configured before 802.1X authentication or MAC authentication is enabled on any port; Flexible authentication cannot be enabled without it.
    device(config-authen)# auth-default-vlan 2
    When 802.1X authentication or MAC authentication is enabled, all ports are moved to the auth-default VLAN as MAC VLAN members. A client also remains in the auth-default VLAN if the RADIUS server does not return VLAN information upon authentication, or if the RADIUS timeout action is set to "success" and the RADIUS server is not reachable. Because clients can land in this VLAN without the RADIUS server having assigned them anywhere, give it no more access than an unverified client should have rather than treating it as a production VLAN.
  5. (Optional) Enter the restricted-vlan command to configure the restricted VLAN.
    device(config-authen)# restricted-vlan 4
    When a restricted VLAN is configured, you can set the authentication failure action to move the client to the restricted VLAN. If no restricted VLAN is configured, the client's MAC address is blocked in hardware when authentication fails.
  6. (Optional) Enter the auth-fail-action command to move the port to the restricted VLAN after authentication failure.
    device(config-authen)# auth-fail-action restricted-vlan
  7. (Optional) Enter the critical-vlan command to configure the VLAN in which the port is placed when the RADIUS server times out during authentication or reauthentication.
    device(config-authen)# critical-vlan 20
  8. (Optional) Enter the auth-timeout-action command to move the port to the critical VLAN after a RADIUS authentication timeout.
    device(config-authen)# auth-timeout-action critical-vlan
    Clients reach the critical VLAN without any successful authentication, so scope it to what a client needs while the RADIUS server is unreachable (for example, time to retry), not to normal network access.
  9. (Optional) Enter the auth-mode command to set the port authentication mode. The multiple-untagged option allows Flexible authentication-enabled ports to be members of multiple untagged VLANs; single-host and multiple-hosts are the other available modes.
    Note: By default, a Flexible authentication-enabled port can be a member of only one untagged VLAN (single-untagged mode), and other clients that are authenticated with different dynamic untagged VLANs are blocked.
    device(config-authen)# auth-mode multiple-untagged
  10. (Optional) Enter the disable-aging permitted-mac-only command to prevent permitted MAC sessions from being aged out, or the disable-aging denied-mac-only command to prevent denied MAC sessions from aging out.
    device(config-authen)# disable-aging permitted-mac-only

    You can disable aging of either the permitted (authenticated and restricted) sessions or the denied sessions. Once configured, MAC addresses that are authenticated or denied by a RADIUS server are not aged out when no traffic is received from the MAC address for the aging period. A permitted session that never ages out persists until it is reauthenticated or otherwise cleared, so if you disable aging for permitted sessions, enable periodic reauthentication (step 14) so that a stale session is still re-validated against the RADIUS server. Aging for a permitted or non-blocked MAC address occurs in two phases, MAC aging and software aging. The MAC aging interval is configured using the mac-age-time command. By default, mac-age-time is set to 300 seconds. After the normal MAC aging period for permitted clients (or clients in a restricted VLAN), the software aging period begins. The max-sw-age command specifies the software aging period and is set to 120 seconds by default. After the software aging period ends, the client session ages out and is removed from the session table.

    If during software aging, traffic is received from a client, the MAC address of the client is updated in the hardware table, and the client continues to communicate. Software aging is not applicable for blocked MAC addresses.

    The hardware aging period for blocked MAC addresses is set to 70 seconds by default, and it can be configured using the max-hw-age command. Once the hardware aging period ends, the blocked MAC address ages out and can be authenticated again if the ICX device receives traffic from the MAC address.

  11. (Optional) Enter the max-hw-age command to configure the hardware aging period for denied MAC addresses.
    device(config-authen)# max-hw-age 160
  12. (Optional) Enter the max-sw-age command to configure the software aging period.
    device(config-authen)# max-sw-age 160
  13. (Optional) Enter the max-sessions command to configure the number of clients allowed on a port, the default being 2.
    device(config-authen)# max-sessions 32
  14. (Optional) Enter the re-authentication command to configure the ICX device to periodically reauthenticate the authenticated clients.
    device(config-authen)# re-authentication
    Note: When the periodic reauthentication is enabled, the device reauthenticates clients every 3600 seconds (one hour) by default. The reauthentication interval configured using the reauth-period command takes precedence.
  15. (Optional) Enter the reauth-period command to configure the interval at which authenticated clients are reauthenticated. The default period is an hour, or 3600 seconds.
    device(config-authen)# reauth-period 2000
  16. (Optional) Enter the reauth-timeout command to configure the interval at which non-authenticated clients in restricted or critical access are reauthenticated. The default period is 300 seconds.
    Note: Reauthentication of non-authenticated clients is supported for restricted and critical access; it is not supported for guest access.
    device(config-authen)# reauth-timeout 120
  17. (Optional) Specify the IPv4 or IPv6 ingress or egress ACLs to be applied to non-authenticated clients, that is, clients whose access is restricted, critical, or guest because of auth-failure or auth-timeout. Authenticated clients can be assigned ACLs by the RADIUS server, so the default ACL is the only per-client filtering that applies to clients that never authenticated.
    device(config-authen)# default-acl ipv4/ipv6 <acl> in/out
  18. (Optional) Specify the voice VLAN in which the port is added as a tagged member when the RADIUS server does not provide one and the clients are non-authenticated for reasons such as auth-failure and auth-timeout.
    device(config-authen)# voice-vlan 200
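
The steps above assembled into one CLI session, as an added example that is not taken from the original page or from the vendor's own configuration guide. The VLAN numbers reuse the values shown in the steps. The ACL name preauth-in is an assumption: it must already exist as a named IPv4 ACL, and it stands for whatever pre-authentication traffic you choose to permit. The default authentication order (802.1X first, then MAC authentication) is kept, session aging is left enabled, and the per-port enabling of 802.1X or MAC authentication, which this page does not cover, is not shown.

```text
device# configure terminal
device(config)# authentication
device(config-authen)# auth-default-vlan 2
device(config-authen)# restricted-vlan 4
device(config-authen)# auth-fail-action restricted-vlan
device(config-authen)# critical-vlan 20
device(config-authen)# auth-timeout-action critical-vlan
device(config-authen)# auth-mode multiple-untagged
device(config-authen)# max-sessions 32
device(config-authen)# re-authentication
device(config-authen)# reauth-period 2000
device(config-authen)# reauth-timeout 120
device(config-authen)# max-hw-age 160
device(config-authen)# max-sw-age 160
device(config-authen)# default-acl ipv4 preauth-in in
device(config-authen)# voice-vlan 200
device(config-authen)# exit
device(config)# exit
device# write memory
```

The one ordering constraint is auth-default-vlan: it is entered first because the page requires it to exist before 802.1X or MAC authentication is enabled on any port. Everything else in authentication configuration mode can be entered in any order, and the result can be checked afterwards with show running-config. In this example, clients that fail authentication go to VLAN 4 and clients that hit a RADIUS timeout go to VLAN 20, both filtered inbound by preauth-in, while authenticated clients are reauthenticated every 2000 seconds and non-authenticated clients in restricted or critical access every 120 seconds.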