Home » Cisco Manuals » Modems » Cisco NM-HD-1V= » Manual Viewer

Cisco NM-HD-1V= User Guide - Page 10

Authentication Initiation and Message Exchange, dot1x port-control auto

UPC - 746320823355

Add to My Manuals
Save this manual to your list of manuals

Page 10 highlights

Feature Overview 16- and 36-Port Ethernet Switch Module for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Authentication Initiation and Message Exchange The switch or the client can initiate authentication. If you enable authentication on a port by using the dot1x port-control auto interface configuration command, the switch must initiate authentication when it determines that the port link state changes from down to up. It then sends an EAP-request/identity frame to the client to request its identity (typically, the switch sends an initial identity/request frame followed by one or more requests for authentication information). Upon receipt of the frame, the client responds with an EAP-response/identity frame. However, if during bootup, the client does not receive an EAP-request/identity frame from the switch, the client can initiate authentication by sending an EAPOL-start frame, which prompts the switch to request the client's identity. Note If 802.1x is not enabled or supported on the network access device, any EAPOL frames from the client are dropped. If the client does not receive an EAP-request/identity frame after three attempts to start authentication, the client transmits frames as if the port is in the authorized state. A port in the authorized state effectively means that the client has been successfully authenticated. For more information, see the "Ports in Authorized and Unauthorized States" section on page 11. When the client supplies its identity, the switch begins its role as the intermediary, passing EAP frames between the client and the authentication server until authentication succeeds or fails. If the authentication succeeds, the switch port becomes authorized. For more information, see the "Ports in Authorized and Unauthorized States" section on page 11. The specific exchange of EAP frames depends on the authentication method being used. Figure 2 shows a message exchange initiated by the client using the One-Time-Password (OTP) authentication method with a RADIUS server. Figure 2 Client Message Exchange Cisco router with Ethernet switch network module Authentication server (RADIUS) EAPOL-Start EAP-Request/Identity EAP-Response/Identity EAP-Request/OTP EAP-Response/OTP EAP-Success RADIUS Access-Request RADIUS Access-Challenge RADIUS Access-Request RADIUS Access-Accept Port Authorized EAPOL-Logoff Port Unauthorized 88851 Cisco IOS Release 12.2(2)XT, 12.2(8)T, and 12.2(15)ZJ 10

Section	Page
16- and 36-Port Ethernet Switch Module for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series	1
Feature Overview	2
Layer 2 Ethernet Interfaces	2
Switch Virtual Interfaces	5
Routed Ports	5
VLAN Trunk Protocol	5
EtherChannel	7
802.1x Port-Based Authentication	8
Spanning Tree Protocol	12
Cisco Discovery Protocol	24
Switched Port Analyzer	24
Network Security with ACLs	25
Quality of Service	29
Maximum Number of VLAN and Multicast Groups	35
IP Multicast Support	35
IGMP Snooping	35
Global Storm-Control	38
Per-Port Storm-Control	40
Port Security	40
Ethernet Switching in Cisco AVVID Architecture	40
Stacking	41
Flow Control	41
Using Flow-Control Keywords	41
Fallback Bridging	42
Benefits	43
Restrictions	43
Related Features and Technologies	44
Related Documents	44
Supported Platforms	45
Supported Standards, MIBs, and RFCs	45
Prerequisites	46
Configuration Tasks	46
Configuring Layer 2 Interfaces	47
Configuring a Range of Interfaces	47
Defining a Range Macro	48
Verifying Configuration of a Range of Interfaces	48
Configuring Layer 2 Optional Interface Features	48
Interface Speed and Duplex Configuration Guidelines	48
Configuring the Interface Speed	49
Configuring the Interface Duplex Mode	49
Verifying Interface Speed and Duplex Mode Configuration	49
Configuring a Description for an Interface	50
Configuring an Ethernet Interface as a Layer 2 Trunk	50
Verifying an Ethernet Interface as a Layer 2 Trunk	51
Configuring an Ethernet Interface as a Layer 2 Access	52
Verifying an Ethernet Interface as a Layer 2 Access	52
Configuring VLANs	52
Configuring VLANs	53
Verifying the VLAN Configuration.	53
Deleting a VLAN from the Database	53
Verifying VLAN Deletion	54
Configuring VLAN Trunking Protocol	54
Configuring the VTP Server	54
Configuring a VTP Client	55
Disabling VTP (VTP Transparent Mode)	55
Configuring VTP version 2	55
Verifying VTP	56
Configuring Layer 2 EtherChannels (Port-Channel Logical Interfaces)	56
Configuring Layer 2 EtherChannels (Port-Channel Logical Interfaces)	56
Verifying Layer 2 EtherChannels	57
Configuring EtherChannel Load Balancing	58
Verifying EtherChannel Load Balancing	58
Removing an Interface from an EtherChannel	59
Configuring Removing an EtherChannel	59
Verify Removing an EtherChannel	59
Configuring 802.1x Authentication	59
Understanding the Default 802.1x Configuration	60
Enabling 802.1x Authentication	61
Configuring the Switch-to-RADIUS-Server Communication	62
Enabling Periodic Reauthentication	63
Changing the Quiet Period	64
Changing the Switch-to-Client Retransmission Time	64
Setting the Switch-to-Client Frame-Retransmission Number	65
Enabling Multiple Hosts	66
Resetting the 802.1x Configuration to the Default Values	66
Displaying 802.1x Statistics and Status	66
Configuring Spanning Tree	67
Enabling Spanning Tree	67
Verify Spanning Tree	67
Configuring Spanning Tree Port Priority	68
Verify Spanning Tree Port Priority	68
Configuring Spanning Tree Port Cost	68
Verifying Spanning Tree Port Cost	69
Configuring the Bridge Priority of a VLAN	69
Verifying the Bridge Priority of a VLAN	70
Configuring the Hello Time	70
Configuring the Forward-Delay Time for a VLAN	70
Configuring the Maximum Aging Time for a VLAN	70
Configuring the Root Bridge	71
Configuring BackboneFast	71
Disabling Spanning Tree	72
Verifying that Spanning Tree is Disabled	72
Configuring MAC Table Manipulation - Port Security	72
Enabling Known MAC Address Traffic	73
Verifying the MAC Address Secure Configuration	73
Creating a Static or Dynamic Entry in the MAC Address Table	73
Verifying the MAC Address Table	74
Configuring Aging Timer-timer	74
Verifying the Aging Timer	74
Configuring Cisco Discovery Protocol	74
Enabling Cisco Discovery Protocol	75
Verifying the CDP Global Configuration	75
Enabling CDP on an Interface	75
Verifying the CDP Interface Configuration	75
Verifying CDP Neighbors	76
Monitoring and Maintaining CDP	76
Configuring Switched Port Analyzer	76
Specifying the Switched Port Analyzer Session	77
Configuring SPAN Destinations	77
Removing Sources or Destinations from a SPAN Session	77
Configuring Network Security with ACLs	78
Unsupported Features	78
Creating Standard and Extended IP ACLs	78
ACL Numbers	79
Creating a Numbered Standard ACL	80
Creating a Numbered Extended ACL	80
Creating Named Standard and Extended ACLs	83
Including Comments About Entries in ACLs	85
Applying the ACL to an Interface	85
Displaying ACLs	86
Configuring Quality of Service (QoS)	86
Understanding the Default QoS Configuration	87
Configuring Classification Using Port Trust States	87
Configuring the Trust State on Ports and SVIs within the QoS Domain	87
Configuring the CoS Value for an Interface	89
Configuring a QoS Policy	90
Classifying Traffic by Using ACLs	91
Classifying Traffic by Using Class Maps	93
Classifying, Policing, and Marking Traffic by Using Policy Maps	94
Configuring CoS Maps	96
Configuring the CoS-to-DSCP Map	96
Configuring the DSCP-to-CoS Map	96
Displaying QoS Information	97
Configuring Power Management on the Interface	98
Verifying Power Management on the Interface	98
Configuring IP Multicast Layer 3 Switching	98
Enabling IP Multicast Routing Globally	99
Enabling IP PIM on Layer 3 Interfaces	99
Verifying IP Multicast Layer 3 Hardware Switching Summary	100
Verifying the IP Multicast Routing Table	101
Configuring IGMP Snooping	102
Enabling or Disabling IGMP Snooping	102
Enabling IGMP Immediate-Leave Processing	103
Statically Configuring an Interface to Join a Group	103
Configuring a Multicast Router Port	104
Configuring Global Storm-Control	104
Enabling Global Storm-Control	105
Verifying Global Storm-Control	105
Configuring Per-Port Storm-Control	106
Enabling Per-Port Storm-Control	106
Disabling Per-Port Storm-Control	107
Configuring Separate Voice and Data Subnets	107
Voice Traffic and VVID	108
Configuring a Single Subnet for Voice and Data	108
Verifying Switchport Configuration	109
Configuring Ethernet Ports to Support Cisco IP Phones with Multiple Ports	109
IP Addressing	109
Managing the Ethernet Switch Network Module	109
Adding Trap Managers	110
Verifying Trap Managers	110
Configuring IP Information	110
Assigning IP Information to the Switch	110
Specifying a Domain Name and Configuring the DNS	111
Configuring Voice Ports	112
Configuring a Port to Connect to a Cisco 7960 IP phone	113
Disabling Inline Power on a Ethernet switch network module	113
Verifying Inline Power Configuration	114
Enabling Switch Port Analyzer	114
Managing the ARP Table	114
Managing the MAC Address Tables	115
Understanding MAC Addresses and VLANs	115
Changing the Address Aging Time	116
Configuring the Aging Time	116
Verifying Aging-Time Configuration	116
Removing Dynamic Addresses	116
Verifying Dynamic Addresses	117
Adding Secure Addresses	117
Verifying Secure Addresses	117
Configuring Static Addresses	118
Verifying Static Addresses	118
Clearing all MAC Address Tables	119
Configuring Intrachassis Stacking	119
Verifying Intra-chassis Stacking	119
Configuring Flow Control on Gigabit Ethernet Ports	119
Configuring Layer 3 Interfaces	120
Configuring Fallback Bridging	121
Understanding the Default Fallback Bridging Configuration	121
Creating a Bridge Group	121
Preventing the Forwarding of Dynamically Learned Stations	122
Configuring the Bridge Table Aging Time	123
Filtering Frames by a Specific MAC Address	124
Adjusting Spanning-Tree Parameters	124
Monitoring and Maintaining the Network	129
Configuration Examples for the 16- and 36-Port Ethernet Switch Module	130
Range of Interface Examples	130
Single Range Configuration Example	130
Multiple Range Configuration Example	131
Range Macro Definition Example	131
Optional Interface Feature Examples	131
Interface Speed Example	132
Setting the Interface Duplex Mode Example	132
Adding a Description for an Interface Example	132
Configuring an Ethernet Interface as a Layer 2 Trunk Example	132
VLAN Configuration Example	132
VTP Examples	133
VTP Server Example	133
VTP Client Example	133
Disabling VTP (VTP Transparent Mode) Example	133
VTP version 2 Example	133
EtherChannel Load Balancing Example	134
Layer 2 EtherChannels Example	134
EtherChannel Load Balancing Example	134
Removing an EtherChannel Example	134
802.1x Authentication Examples	134
Enabling 802.1x Authentication Example	135
Configuring the Switch-to-RADIUS-Server Communication Example	135
Enabling Periodic Re-Authentication Example	135
Changing the Quiet Period Example	135
Changing the Switch-to-Client Retransmission Time Example	135
Setting the Switch-to-Client Frame-Retransmission Number Example	135
Enabling Multiple Hosts Example	135
Spanning Tree Examples	136
Spanning-Tree Interface and Spanning-Tree Port Priority Example	136
Spanning-Tree Port Cost Example	136
Bridge Priority of a VLAN	137
Hello Time Example	137
Forward-Delay Time for a VLAN Example	137
Maximum Aging Time for a VLAN Example	137
BackboneFast Example	138
Spanning Tree Examples	138
Spanning Tree Root Example	138
Mac Table Manipulation Examples	138
Cisco Discovery Protocol (CDP) Example	138
Switched Port Analyzer (SPAN) Source Examples	139
SPAN Source Configuration Example	139
SPAN Destinations Example	139
Removing Sources or Destinations from a SPAN Session Example	139
Network Security and ACL Configuration Examples	139
Creating Numbered Standard and Extended ACLs Example	139
Creating Named Standard and Extended ACLs Example	140
Including Comments About Entries in ACLs Example	141
Applying the ACL to an Interface Example	141
Displaying Standard and Extended ACLs Example	141
Displaying Access Groups Example	142
Compiling ACLs Example	143
QoS Configuration Examples	144
Classifying Traffic by Using ACL Example	144
Classifying Traffic by Using Class Maps Example	144
Classifying, Policing, and Marking Traffic by Using Policy Maps Example	144
Configuring the CoS-to-DSCP Map Example	145
Configuring the DSCP-to-CoS Map Example	145
Displaying QoS Information Example	145
IGMP Snooping Example	145
Storm-Control Example	147
Ethernet Switching Examples	148
Subnets for Voice and Data Example	148
Inter-VLAN Routing Example	148
Single Subnet Configuration Example	149
Ethernet Ports on IP Phones with Multiple Ports Example	149
Intrachassis Stacking Example	150
Flow Control on Gigabit Ethernet Ports Example	151
Configuring Layer 3 Interfaces Example	153
Fallback Bridging Example	155
Creating a Bridge Group Example	155
Preventing the Forwarding of Dynamically Learned Stations Example	155
Configuring the Bridge Table Aging Time Example	155
Filtering Frames by a Specific MAC Address Example	155
Adjusting Spanning-Tree Parameters Examples	155
Command Reference	157
aaa authentication dot1x	159
class	161
class-map	163
debug dot1x	165
debug eswilp	166
debug ip igmp snooping	167
debug spanning-tree	168
deny (access-list configuration)	170
dot1x default	173
dot1x max-req	174
dot1x multiple-hosts	175
dot1x port-control	176
dot1x re-authenticate	178
dot1x re-authentication	179
dot1x timeout quiet-period	180
dot1x timeout re-authperiod	181
dot1x timeout tx-period	182
ip access-group	183
ip access-list	185
ip igmp snooping	187
ip igmp snooping vlan	189
ip igmp snooping vlan immediate-leave	190
ip igmp snooping vlan mrouter	192
ip igmp snooping vlan static	194
match (class-map configuration)	196
mls qos cos	198
mls qos map	200
mls qos trust	202
permit (access-list configuration)	204
police	207
policy-map	209
service-policy	211
show access-lists	212
show class-map	214
show dot1x	216
show ip access-lists	220
show ip igmp snooping	222
show ip igmp snooping mrouter	224
show mls masks	225
show mls qos interface	227
show mls qos maps	228
show policy-map	230
show spanning-tree	232
show storm-control	235
spanning-tree backbonefast	237
storm-control	238
switchport	240

Match case Limit results 1 per page

16- and 36-Port Ethernet Switch Module for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series

Feature Overview

Cisco IOS Release 12.2(2)XT, 12.2(8)T, and 12.2(15)ZJ

Authentication Initiation and Message Exchange

The switch or the client can initiate authentication. If you enable authentication on a port by using the

dot1x port-control auto

interface configuration command, the switch must initiate authentication when

it determines that the port link state changes from down to up. It then sends an EAP-request/identity

frame to the client to request its identity (typically, the switch sends an initial identity/request frame

followed by one or more requests for authentication information). Upon receipt of the frame, the client

responds with an EAP-response/identity frame.

However, if during bootup, the client does not receive an EAP-request/identity frame from the switch,

the client can initiate authentication by sending an EAPOL-start frame, which prompts the switch to

request the client’s identity.

Note

If 802.1x is not enabled or supported on the network access device, any EAPOL frames from the

client are dropped. If the client does not receive an EAP-request/identity frame after three attempts

to start authentication, the client transmits frames as if the port is in the authorized state. A port in

the authorized state effectively means that the client has been successfully authenticated. For more

information, see the

“Ports in Authorized and Unauthorized States” section on page 11

When the client supplies its identity, the switch begins its role as the intermediary, passing EAP frames

between the client and the authentication server until authentication succeeds or fails. If the

authentication succeeds, the switch port becomes authorized. For more information, see the

“Ports in

Authorized and Unauthorized States” section on page 11

The specific exchange of EAP frames depends on the authentication method being used.

Figure 2

shows

a message exchange initiated by the client using the One-Time-Password (OTP) authentication method

with a RADIUS server.

Figure 2

Message Exchange

Client

Port Authorized

Port Unauthorized

EAPOL-Start

EAP-Request/Identity

EAP-Response/Identity

EAP-Request/OTP

EAP-Response/OTP

EAP-Success

RADIUS Access-Request

RADIUS Access-Challenge

RADIUS Access-Request

RADIUS Access-Accept

EAPOL-Logoff

Authentication

server

(RADIUS)

88851

Cisco router with

Ethernet switch

network module