Enabling Multiple 802.1X Authentications - Cisco WS-C6506 Software Manual

Catalyst 6500 series switch

Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7 (OL-8978-04)
Chapter 40: Configuring 802.1X Authentication

Configuring 802.1X Authentication on the Switch

If the authentication server goes down after a host has already been authenticated through the normal authentication process, the switch checks if the port is a critical port. If the switch determines that the port is a critical port, the normal reauthentication process is temporarily disabled for the port and the port is given network access until the authentication server becomes active and restarts the authentication process.

To specify a port as a critical port, perform this task in privileged mode:

        Task                                  Command
Step 1  Specify a port as a critical port.    set port dot1x mod/port critical {enable | disable}
Step 2  Verify the 802.1X configuration.      show port dot1x mod/port

This example shows how to specify a port as a critical port:

Console> (enable) set port dot1x 5/48 critical enable
Port 5/48 critical-port option is enabled
Console> (enable)

This example shows how to verify the 802.1X configuration:

Console> (enable) show port dot1x 5/48
Port  Auth-State          BEnd-State Port-Control        Port-Status
----- ------------------- ---------- ------------------- -------------
5/48  -                   -          force-authorized    -

Port  Port-Mode     Re-authentication Shutdown-timeout Control-Mode
                                                       admin   oper
----- ------------- ----------------- ---------------- ---------------
5/48  SingleAuth    disabled          disabled         Both    -

Port  Posture-Token Critical Termination action Session-timeout
----- ------------- -------- ------------------ ---------------
5/48  -             YES      -                  -
Console> (enable)

Enabling Multiple 802.1X Authentications

You can specify multiple authentications so that more than one host can gain access to an 802.1X port. Cisco-proprietary multiple authentication allows multiple dot1x-hosts on a port; every host is authenticated separately. Use these guidelines when enabling multiple 802.1X authentications:

• The traffic from the non-802.1X hosts on multiple authenticated ports is blocked.
• You cannot enable a guest VLAN on multiple authenticated ports.
• You cannot enable multiple authentication on a MVAP.
• Multiple authenticated ports go into the port VLAN and will not go into a RADIUS-assigned VLAN.
• You need to enable port security on a port before you can enable multiple authentications on the port.
• You cannot disable port security on a multiple authenticated port.
• The port security timers are used on multiple authenticated ports. The reauthentication timers are not used on multiple authenticated ports.
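A critical port keeps network access while the authentication server is down, so it is worth auditing which ports have the option set. The following is an added example, not part of the Cisco guide: it parses captured `show port dot1x` output by its dash rules and flags such ports. The function names are hypothetical and the sample text is constructed from the output layout shown in the verification example.

```python
import re

# Constructed sample: `show port dot1x` output in the layout shown on this page.
SAMPLE = """\
Port  Auth-State          BEnd-State Port-Control        Port-Status
----- ------------------- ---------- ------------------- -------------
5/48  -                   -          force-authorized    -

Port  Port-Mode     Re-authentication Shutdown-timeout Control-Mode
                                                       admin   oper
----- ------------- ----------------- ---------------- ---------------
5/48  SingleAuth    disabled          disabled         Both    -

Port  Posture-Token Critical Termination action Session-timeout
----- ------------- -------- ------------------ ---------------
5/48  -             YES      -                  -
"""

def parse_show_port_dot1x(text):
    """Return {port: {column: value}} using each dash rule as the column map."""
    ports, lines = {}, text.splitlines()
    for i, line in enumerate(lines):
        if not re.fullmatch(r"-+( +-+)+ *", line):
            continue
        spans = [m.span() for m in re.finditer(r"-+", line)]
        # Header is the nearest line above the rule that starts with "Port"
        # (this skips the admin/oper sub-header under Control-Mode).
        header = next(l for l in reversed(lines[:i]) if l.startswith("Port"))
        names = [header[a:b].strip() for a, b in spans]
        for row in lines[i + 1:]:
            if not re.match(r"\d+/\d+", row):
                break  # blank line or prompt ends this table
            cells = [row[a:b].strip() for a, b in spans]
            ports.setdefault(cells[0], {}).update(zip(names[1:], cells[1:]))
    return ports

def audit(ports):
    """List settings that grant access without a live 802.1X decision."""
    findings = []
    for port, cfg in sorted(ports.items()):
        if cfg.get("Critical") == "YES":
            findings.append((port, "critical port: keeps access while the authentication server is down"))
        if cfg.get("Port-Control") == "force-authorized":
            findings.append((port, "port control is force-authorized"))
    return findings

if __name__ == "__main__":
    for port, msg in audit(parse_show_port_dot1x(SAMPLE)):
        print(f"{port}: {msg}")
```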


This manual is also suitable for:

Catalyst 6506, Catalyst 6509, Catalyst 6513
