112 | 802.1X
www.dell.com | support.dell.com
Important Points to Remember
• FTOS supports 802.1X with EAP-MD5, EAP-OTP, EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1, and
MS-CHAPv2 with PEAP.
• All platforms support only RADIUS as the authentication server.
• On E-Series ExaScale, if the primary RADIUS server becomes unresponsive, the authenticator begins
using a secondary RADIUS server, if configured.
• 802.1X is not supported on port-channels or port-channel members.
• On the C-series and S-Series platforms:
• Traffic may be forwarded on an 802.1X-enabled port that is in an unauthorized state and
interoperates with a device through a MAC-authentication bypass (MAB) or the guest VLAN.
802.1X authentication on the port returns to normal operation only after a port flap or if you
disable and then re-enable 802.1X authentication on the port.
• If you enable multi-supplicant authorization on a port, configure a maximum number of
supplicants that can be authenticated, and enable periodic re-authentication, if some of the
supplicants fail re-authentication, these unauthorized supplicants are still counted in the total
number of supplicants that can access the port.
• Traffic may be transmitted on an 802.1X-enabled port before the port changes to an authorized
state.
• A MAB-authenticated port becomes unauthorized after an RPM failover.
Enabling 802.1X
802.1X must be enabled globally and at interface level.
Figure 7-4. Enabling 802.1X
Supplicant
Authenticator
Authenticati
Server
2/1
2/2
orce10(conf)#dot1x authentication
orce10(conf)#interface range gigabitethernet 2/1 - 2
orce10(conf-if-range-gi-2/1-2)#dot1x authentication
orce10(conf-if-range-gi-2/1-2)#show config
nterface GigabitEthernet 2/1
ip address 2.2.2.2/24
dot1x authentication
no shutdown
nterface GigabitEthernet 2/2
ip address 1.0.0.1/24
dot1x authentication
no shutdown
To Next Page
Loading...
