176 MES3000 Ethernet switch series
port (multiple sessions mode). If the port fails authentication in multiple hosts mode, access to
network resources is denied for every connected host. Advanced settings also include administration
of guest VLANs, which are accessed by users who failed authentication.
An access port (Access) cannot be a member of the unauthenticated VLAN. The native VLAN of a
trunk port (Trunk) cannot be the unauthenticated VLAN. For a port in General PVID mode, however,
it can be the unauthenticated VLAN (only tagged packets can be received in the unauthorized
state).
Global configuration mode commands
The command line prompt in global configuration mode appears as follows:
console(config)#
Table 5.205 — Global configuration mode commands

dot1x bpdu {filtering | bridging}
Define IEEE 802.1x BPDU port security processing when IEEE 802.1x is disabled globally.
- filtering—filter IEEE 802.1x BPDU packets
- bridging—transfer IEEE 802.1x BPDU packets like regular data packets
This function works only when IEEE 802.1x authentication mode is disabled on the switch. To disable IEEE 802.1x authentication, use the following command: no dot1x system-auth-control.

Restore the default value.

dot1x guest-vlan timeout timeout
Define the timeout between IEEE 802.1x authentication mode activation (or port activation) and adding the port to the guest VLAN.

no dot1x guest-vlan timeout
Restore the default value.

dot1x traps mac-authentication success
Enable trap message transmission when the client successfully passes the MAC address authentication based on the IEEE 802.1x standard.

no dot1x traps mac-authentication success
Restore the default value.

dot1x traps mac-authentication failure
Enable trap message transmission when the client fails the MAC address authentication based on the IEEE 802.1x standard.

no dot1x traps mac-authentication failure
Restore the default value.

dot1x radius-attributes errors filter-id resource {accept | reject}
Define the error processing for RADIUS attributes:
- accept—the user will be accepted if the filtering by ID is unavailable due to resource distribution. If the filtering by ID is unavailable due to other reasons, the user will be rejected.
- reject—if the filtering by ID cannot be defined, the user will be rejected.

no dot1x radius-attributes errors filter-id resources
Restore the default value.

dot1x radius-attributes nas-port format-type {default | human}
Set the port enumeration format in the NAS-Port attribute during IEEE 802.1x authentication:
- default—default value, enumeration is consistent with internal ifIndexes.
- human—port enumeration begins with 1 (as on the front panel).

no dot1x radius-attributes nas-port format-type
Restore the default value.

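
An added example, not part of the manual or the vendor's tooling: a short Python audit that reads a saved configuration and reports how the global dot1x commands from the table above are set. The sample configuration, the function name and the finding codes are constructed for illustration; only lines explicitly present are evaluated, because the table does not list default values.

```python
import re

# Constructed sample configuration, not taken from the manual or a real device.
SAMPLE_CONFIG = """\
hostname access-sw-01
dot1x system-auth-control
dot1x guest-vlan timeout 30
dot1x traps mac-authentication success
dot1x radius-attributes errors  filter-id resource accept
dot1x radius-attributes nas-port format-type human
"""

def audit_dot1x(config):
    """Return (code, detail) findings for the global dot1x commands of Table 5.205."""
    # Only explicitly configured lines are evaluated; defaults are not assumed.
    # Whitespace is normalised so spacing differences do not hide a command.
    cmds = {re.sub(r"\s+", " ", line.strip()) for line in config.splitlines()}
    findings = []

    enabled = "dot1x system-auth-control" in cmds
    if not enabled:
        findings.append(("auth-not-enabled",
                         "'dot1x system-auth-control' is not set explicitly"))

    bpdu = next((c.split()[-1] for c in cmds if c.startswith("dot1x bpdu ")), None)
    if bpdu and enabled:
        findings.append(("bpdu-setting-inactive",
                         "'dot1x bpdu' works only while 802.1x is disabled"))
    elif bpdu == "bridging":
        findings.append(("bpdu-bridged",
                         "802.1x BPDUs are transferred like regular data packets"))

    if "dot1x radius-attributes errors filter-id resource accept" in cmds:
        findings.append(("filter-id-fail-open",
                         "users are accepted when filtering by ID is unavailable "
                         "due to resource distribution"))

    if "dot1x traps mac-authentication failure" not in cmds:
        findings.append(("no-failure-trap",
                         "trap on failed MAC authentication is not enabled explicitly"))
    return findings

if __name__ == "__main__":
    for code, detail in audit_dot1x(SAMPLE_CONFIG):
        print(f"{code}: {detail}")
```
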
Ethernet interface configuration mode commands
The command line prompt in Ethernet interface configuration mode appears as follows: