Cisco IE 2000 Switch Software Configuration Guide
OL-25866-01
Chapter 13 Configuring IEEE 802.1x Port-Based Authentication
How to Configure IEEE 802.1x Port-Based Authentication
Configuring a Restricted VLAN
When you configure a restricted VLAN on a switch, clients that are 802.1x-compliant are moved into
the restricted VLAN when the authentication server does not receive a valid username and password.
The switch supports restricted VLANs only in single-host mode.

| Step | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enters global configuration mode. |
| Step 2 | interface interface-id | Specifies the port to be configured, and enters interface configuration mode. |
| Step 3 | switchport mode access or switchport mode private-vlan host | Sets the port to access mode, or configures the Layer 2 port as a private-VLAN host port. |
| Step 4 | authentication port-control auto | Enables 802.1x authentication on the port. |
| Step 5 | authentication event fail action authorize vlan-id | Specifies an active VLAN as an 802.1x restricted VLAN. The range is 1 to 4096. You can configure any active VLAN except an internal VLAN (routed port), an RSPAN VLAN, a primary private VLAN, or a voice VLAN as an 802.1x restricted VLAN. |
| Step 6 | end | Returns to privileged EXEC mode. |
| Step 7 | show authentication interface interface-id | (Optional) Verifies your entries. |
| Step 8 | copy running-config startup-config | (Optional) Saves your entries in the configuration file. |

Configuring the Maximum Number of Authentication Attempts

| Step | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enters global configuration mode. |
| Step 2 | interface interface-id | Specifies the port to be configured, and enters interface configuration mode. |
| Step 3 | switchport mode access or switchport mode private-vlan host | Sets the port to access mode, or configures the Layer 2 port as a private-VLAN host port. |
| Step 4 | authentication port-control auto | Enables 802.1x authentication on the port. |
| Step 5 | authentication event fail action authorize vlan-id | Specifies an active VLAN as an 802.1x restricted VLAN. The range is 1 to 4096. You can configure any active VLAN except an internal VLAN (routed port), an RSPAN VLAN, a primary private VLAN, or a voice VLAN as an 802.1x restricted VLAN. |
| Step 6 | authentication event retry retry count | Specifies a number of authentication attempts to allow before a port moves to the restricted VLAN. The range is 1 to 3, and the default is 3. |
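
An added example, not part of the Cisco guide: a small Python audit that reads a running-config excerpt and checks every port that sets a restricted VLAN against the constraints stated on this page (access or private-VLAN host mode, port-control auto, VLAN range, voice-VLAN exclusion, single-host mode, retry count of 1 to 3). The sample config, the function names, and the `switchport voice vlan` and `authentication host-mode` lines it looks for are assumptions that do not appear in the steps above.

```python
import re
from itertools import takewhile
# Constructed sample running-config excerpt (interface names and VLAN IDs are made up).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 switchport mode access
 authentication port-control auto
 authentication event fail action authorize 40
 authentication event retry 2
interface GigabitEthernet1/2
 switchport mode access
 switchport voice vlan 50
 authentication host-mode multi-host
 authentication event fail action authorize 50
 authentication event retry 5
"""

# Command forms follow the steps above; the optional "vlan" keyword is an assumption.
FAIL_RE = re.compile(r"authentication event fail action authorize (?:vlan )?(\d+)$")
RETRY_RE = re.compile(r"authentication event retry (\d+)$")
HOST_RE = re.compile(r"authentication host-mode (?!single-host$)")
MODES = {"switchport mode access", "switchport mode private-vlan host"}

def split_interfaces(config):
    """Map each interface name to its list of stripped sub-commands."""
    blocks = {}
    for chunk in re.split(r"(?m)^interface ", config)[1:]:
        name, *body = chunk.splitlines()
        blocks[name.strip()] = [ln.strip() for ln in takewhile(lambda ln: ln.startswith(" "), body)]
    return blocks

def first_int(pattern, cmds):  # numeric argument of the first matching command, else None
    return next((int(m.group(1)) for c in cmds if (m := pattern.match(c))), None)

def audit_restricted_vlan(config):
    """Return {interface: [findings]} for every port that sets a restricted VLAN."""
    report = {}
    for name, cmds in split_interfaces(config).items():
        vlan, retry = first_int(FAIL_RE, cmds), first_int(RETRY_RE, cmds)
        if vlan is None:
            continue  # no restricted VLAN on this port
        checks = [
            (not MODES & set(cmds), "port is not an access or private-VLAN host port"),
            ("authentication port-control auto" not in cmds, "802.1x is not enabled on the port"),
            (not 1 <= vlan <= 4096, f"restricted VLAN {vlan} is outside 1 to 4096"),
            (f"switchport voice vlan {vlan}" in cmds, f"restricted VLAN {vlan} is also the voice VLAN"),
            (any(HOST_RE.match(c) for c in cmds), "host mode is not single-host"),
            (retry is not None and not 1 <= retry <= 3, f"retry count {retry} is outside 1 to 3"),
        ]
        report[name] = [message for failed, message in checks if failed]
    return report
```

Calling `audit_restricted_vlan(SAMPLE_CONFIG)` returns an empty finding list for the first port and four findings for the second; ports without a restricted VLAN are left out of the report.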