802.1x Protocol

The 802.1x (dot1x) standard describes a way to authenticate hosts (supplicants) and to allow connection only to a list of permitted hosts pre-configured on an authentication server. The authentication is performed by the switch (authenticator), which negotiates the authentication with a RADIUS server (authentication server). This makes it possible to block traffic from unauthenticated sources.

The 802.1x protocol defines the following roles:

  • Supplicant – the host. It provides the authentication credentials to the authenticator and awaits approval.

  • Authenticator – the device that connects the supplicant to the network and checks the authentication with the authentication server. The authenticator is also responsible for blocking and isolating a new client until it is authenticated, and for allowing communication once the client has passed authentication. The switch acts as the authenticator.

  • Authentication server – a RADIUS server which can authenticate the user.

Warning

802.1x is available only on physical access ports. It is not available on LAG and MLAG ports.

Warning

A local analyzer port cannot support 802.1x protocol.

Warning

802.1x cannot be activated on router port interfaces.

Warning

802.1x cannot run on a port configured to switchport trunk or hybrid.

Warning

Management interfaces cannot be configured as 802.1x port access entity (PAE) authenticators.

The following operating modes are supported in 802.1x:

  • Single host – only one supplicant can communicate through the port. Once authentication of the supplicant is accepted by the authentication server, the switch allows it access. If the supplicant logs off or the port state changes, the port becomes unauthenticated. If a different supplicant tries to access the network through this port, its bidirectional traffic is discarded (including authentication traffic).

    Note

    An exception to this is multicast and broadcast traffic which do get transmitted over the interface once authenticated and are exposed to an unauthorized supplicant if it exists.

  • Multi-host mode – allows connection of multiple hosts over a single port. Only the first supplicant is authenticated. Subsequent hosts have network access without the need to authenticate.

  1. Enable 802.1x protocol.

    switch (config) # protocol dot1x

  2. Enable the system as authenticator.

    switch (config) # dot1x system-auth-control

  3. Configure RADIUS server parameters.

    switch (config) # dot1x radius-server host 10.10.10.10 key my4uth3nt1c4t10nk3y retransmit 2 timeout 3

  4. Enter the configuration mode of an Ethernet interface.

    switch (config) # interface ethernet 1/1
    switch (config interface ethernet 1/1) #

  5. Configure the interface as a port access entity authenticator.

    switch (config interface ethernet 1/1) # dot1x pae authenticator

  6. Configure the interface to perform authentication on ingress traffic.

    switch (config interface ethernet 1/1) # dot1x port-control auto

  7. Verify 802.1x configuration.

    switch (config interface ethernet 1/1) # show dot1x interfaces ethernet 1/1
    Eth1/1
    PAE Status: Enabled
    Configured host mode: Multi-host
    Configured port-control: Auto
    Authentication status: Unauthorized
    Re-Authentication: Disabled
    Re-Authentication period (sec): -
    Tx wait period (sec): 30
    Quiet period (sec): 60
    Max request retry: 2
    Last EAPOL RX source MAC: 00:00:00:00:00:00

protocol dot1x

protocol dot1x

no protocol dot1x

Enables 802.1x EAPOL protocol.

The no form of the command disables 802.1x EAPOL protocol.

Syntax Description

N/A

Default

Disabled

Configuration Mode

config

History

3.4.2008

Example

switch (config)# protocol dot1x

Related Commands

Notes


dot1x clear-statistics

dot1x clear-statistics

Resets the 802.1x counters on all or a specific port.

Syntax Description

N/A

Default

N/A

Configuration Mode

config

config interface ethernet

History

3.4.2008

Example

switch (config)# dot1x clear-statistics

Related Commands

Notes


dot1x pae authenticator

dot1x pae authenticator

no dot1x pae authenticator

Configures the port as a 802.1x port access entity (PAE) authenticator.

The no form of the command disables the port from being a 802.1x PAE authenticator.

Syntax Description

N/A

Default

Disabled

Configuration Mode

config interface ethernet

History

3.4.2008

Example

switch (config interface ethernet 1/2)# dot1x pae authenticator

Related Commands

Notes


dot1x host-mode

dot1x host-mode [multi-host | single-host]

no dot1x host-mode

Configures the authentication mode to either multi-host or single-host.

The no form of the command resets the parameter to its default.

Syntax Description

multi-host

Sets the interface to operate in a port-based mode

single-host

Sets the interface to operate in a MAC-based mode with support of a single supplicant per interface

Default

single-host

Configuration Mode

config interface ethernet

History

3.4.2008

3.4.2300

Added “single-host” option

Example

switch (config interface ethernet 1/2)# dot1x host-mode single-host

Related Commands

Notes


dot1x port-control

dot1x port-control [auto | force-authorized | force-unauthorized]

no dot1x port-control

Configures 802.1x port access entity (PAE) port-control.

The no form of the command resets the parameter to its default.

Syntax Description

auto

The authenticator uses PAE authentication services to allow or block the port traffic

force-authorized

Allows traffic on this port regardless of supplicant authorization

force-unauthorized

Blocks traffic on this port regardless of supplicant authorization

Default

Force-authorized

Configuration Mode

config interface ethernet

History

3.4.2008

Example

switch (config interface ethernet 1/2)# dot1x port-control auto

Related Commands

Notes


dot1x radius-server host

dot1x radius-server host <IP address> [enable | auth-port <port> | key <password> | prompt-key | retransmit <retries> | timeout <seconds>]

no dot1x radius-server host <IP address> enable

Configures the 802.1x RADIUS server IP address.

The no form of the command disables the 802.1x RADIUS server.

Syntax Description

auth-port

Sets 802.1x RADIUS port to use with this server

Range: 1-65535

enable

Sets 802.1x RADIUS as administratively enabled

key

Configures 802.1x global RADIUS shared secret for servers

prompt-key

Prompts for key, rather than entering on command line

retransmit

Configures 802.1x global RADIUS retransmit count for servers

Range: 0-5 retries

timeout

Configures 802.1x global RADIUS timeout value for servers

Range: 1-60 seconds

Default

auth-port: 1812

key: empty string

retransmit: 1

timeout: 3

Configuration Mode

config

History

3.4.2008

Example

switch (config)# dot1x radius-server host 10.10.10.10 auth-port 65535 prompt-key enable

Related Commands

Notes

  • The no form of the various parameters resets them to their default values as indicated in the Default section above

  • It is possible to configure up to 5 RADIUS servers

  • It is possible to configure only 1 authentication port per RADIUS server IP


dot1x reauthenticate

dot1x reauthenticate

no dot1x reauthenticate

Enables supplicant re-authentication according to the configuration of command dot1x timeout reauthentication.

The no form of the command disables supplicant re-authentication.

Syntax Description

N/A

Default

Disabled

Configuration Mode

config interface ethernet

History

3.4.2008

Example

switch (config interface ethernet 1/2)# dot1x reauthenticate

Related Commands

Notes


dot1x system-auth-control

dot1x system-auth-control

no dot1x system-auth-control

Enables the system as authenticator.

The no form of the command disables the system as authenticator.

Syntax Description

N/A

Default

Disabled

Configuration Mode

config

History

3.4.2008

Example

switch (config)# dot1x system-auth-control

Related Commands

Notes


dot1x timeout reauthentication

dot1x timeout reauthentication <period>

no dot1x timeout reauthentication

Configures the number of seconds between re-authentication attempts.

The no form of the command resets the parameter to its default.

Syntax Description

period

Time in seconds

Range: 1-65535

Default

3600 seconds

Configuration Mode

config interface ethernet

History

3.4.2008

Example

switch (config interface ethernet 1/2)# dot1x timeout reauthentication 3600

Related Commands

Notes


dot1x timeout quiet-period

dot1x timeout quiet-period <period>

no dot1x timeout quiet-period

Configures the number of seconds that the authenticator remains quiet following a failed authentication exchange with the supplicant.

The no form of the command resets the parameter to its default.

Syntax Description

period

Time in seconds

Range: 1-65535

Default

60 seconds

Configuration Mode

config interface ethernet

History

3.4.2008

Example

switch (config interface ethernet 1/2)# dot1x timeout quiet-period 60

Related Commands

Notes


dot1x timeout tx-period

dot1x timeout tx-period <period>

no dot1x timeout tx-period

Configures the maximum number of seconds that the authenticator waits for a supplicant response to an EAP-Request/Identity frame before retransmitting the request.

The no form of the command resets the parameter to its default.

Syntax Description

period

Time in seconds

Range: 1-65535

Default

30 seconds

Configuration Mode

config interface ethernet

History

3.4.2008

Example

switch (config interface ethernet 1/2)# dot1x timeout tx-period 30

Related Commands

Notes


dot1x max-req

dot1x max-req <retries>

no dot1x max-req

Configures the maximum number of retries for the authenticator to communicate with the supplicant over EAP.

The no form of the command resets the parameter to its default.

Syntax Description

retries

The number of request retries

Range: 1-10

Default

2

Configuration Mode

config interface ethernet

History

3.4.2008

Example

switch (config interface ethernet 1/2)# dot1x max-req 2

Related Commands

Notes


show dot1x

show dot1x

Displays 802.1x information on all interfaces.

Syntax Description

N/A

Default

N/A

Configuration Mode

Any command mode

History

3.4.2008

Example

switch (config)# show dot1x

System authentication is enabled

---------------------------------------------------------------------

Port Pae Host-mode Port-control Status

---------------------------------------------------------------------

Eth1/1 Enabled multi-host auto unauthorized

Eth1/2 Disabled multi-host force-authorized down

Eth1/3 Disabled multi-host force-authorized down

Eth1/4 Disabled multi-host force-authorized down

Eth1/5 Disabled multi-host force-authorized down

Eth1/6 Disabled multi-host force-authorized down

Eth1/7 Disabled multi-host force-authorized down

Eth1/8 Disabled multi-host force-authorized down

Eth1/9 Disabled multi-host force-authorized down

...

Related Commands

Notes
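As an added example (not part of the NVIDIA documentation), the following Python script parses the `show dot1x` summary table shown above and flags ports whose settings do not enforce authentication: PAE not enabled, port-control left at its force-authorized default, or multi-host mode, where only the first supplicant is authenticated. The sample output is constructed from the page's example, with Eth1/3 and Eth1/4 added to exercise more cases.

```python
# Constructed sample of `show dot1x` output, modelled on the page's example
# (Eth1/3 and Eth1/4 were added to exercise more cases).
SAMPLE = """System authentication is enabled
---------------------------------------------------------------------
Port Pae Host-mode Port-control Status
---------------------------------------------------------------------
Eth1/1 Enabled multi-host auto unauthorized
Eth1/2 Disabled multi-host force-authorized down
Eth1/3 Enabled single-host force-authorized authorized
Eth1/4 Enabled single-host auto authorized
...
"""

COLUMNS = ("port", "pae", "host_mode", "port_control", "status")


def parse_show_dot1x(text):
    """Return (system_auth_enabled, rows); each row is a dict keyed by COLUMNS."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    system_enabled = bool(lines) and lines[0].lower().endswith("is enabled")
    rows, in_table = [], False
    for line in lines[1:]:
        if line.startswith("---") or line == "...":
            continue  # separators and the truncation marker
        parts = line.split()
        if parts[0] == "Port":
            in_table = True  # header row precedes the port rows
            continue
        if in_table and len(parts) == len(COLUMNS):
            rows.append(dict(zip(COLUMNS, parts)))
    return system_enabled, rows


def audit(text):
    """Return (port, reason) findings for settings that do not enforce authentication."""
    system_enabled, rows = parse_show_dot1x(text)
    findings = []
    if not system_enabled:
        findings.append(("system", "dot1x system-auth-control is disabled"))
    for r in rows:
        if r["pae"].lower() != "enabled":
            findings.append((r["port"], "PAE authenticator not enabled"))
        elif r["port_control"] == "force-authorized":
            findings.append((r["port"], "port-control is force-authorized (default): traffic allowed regardless of supplicant"))
        elif r["host_mode"] == "multi-host":
            findings.append((r["port"], "multi-host: only the first supplicant is authenticated"))
    return findings
```

Running audit(SAMPLE) reports Eth1/1, Eth1/2 and Eth1/3; Eth1/4 (PAE enabled, single-host, port-control auto) passes.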


show dot1x interfaces ethernet

show dot1x interfaces ethernet <slot>/<port>

Displays 802.1x interface information.

Syntax Description

<slot>/<port>

Ethernet interface

Default

N/A

Configuration Mode

Any command mode

History

3.4.2008

Example

switch (config)# show dot1x interfaces ethernet 1/2

Eth1/2

PAE Status: Enabled

Configured host mode: Multi-host

Configured port-control: Auto

Authentication status: Unauthorized

Re-Authentication: Enabled

Re-Authentication period (sec): 3600

Tx wait period (sec): 30

Quiet period (sec): 60

Max request retry: 2

Last EAPOL RX source MAC: 00:00:00:00:00:00

Related Commands

Notes


show dot1x interfaces ethernet statistics

show dot1x interfaces ethernet <slot>/<port> statistics

Displays 802.1x interface statistics.

Syntax Description

<slot>/<port>

Ethernet interface

Default

N/A

Configuration Mode

Any command mode

History

3.4.2008

Example

switch (config)# show dot1x interfaces ethernet 1/2 statistics

Eth1/2

EAPOL frames received: 3

EAPOL frames transmitted: 2

EAPOL Start frames received: 1

EAPOL Logoff frames received: 0

EAP Response-ID frames received: 2

EAP Response frames received: 0

EAP Request-ID frames transmitted: 2

EAP Request frames transmitted: 0

Invalid EAPOL frames received: 0

EAP length error frames received: 0

Last EAPOL frame version: 1

Last EAPOL frame source: 00:1a:a0:02:e9:8e

Related Commands

Notes


show dot1x radius

show dot1x radius

Displays 802.1x RADIUS settings.

Syntax Description

N/A

Default

N/A

Configuration Mode

Any command mode

History

3.4.2008

Example

switch (config)# show dot1x radius

802.1x RADIUS defaults:

Key: ********

Timeout: 3

Retransmit: 1

No 802.1x RADIUS servers configured.

Related Commands

Notes


© Copyright 2024, NVIDIA. Last updated on Mar 5, 2024.