2-486
Catalyst 6500 Series Switch Command Reference—Release 8.4
OL-6244-01
Chapter 2 Catalyst 6500 Series Switch and ROM Monitor Commands
set port dot1x
If you disable the multiple host feature, once an 802.1X port is authorized through a successful
authentication of a supplicant, only that particular host (MAC address) is allowed on that port. When the
system detects another host (different MAC address) on the authorized port, it shuts down the port and
displays a syslog message. This is the default system behavior.
If you enable the multiple host feature, once an 802.1X port is authorized through a successful
authentication of a supplicant, any host (any MAC address) is allowed to send or receive traffic on that
port.
If you enable reauthentication, you can set the reauthentication time period in seconds by entering the
set dot1x re-authperiod seconds command. The default for the reauthentication time period is
3600 seconds.
You can enable either multiple host mode or multiple authentication mode.
On an 802.1X-enabled port, an administratively configured VLAN cannot be equal to an auxiliary
VLAN.
To specify the number of seconds that a port is shut down after a security violation, enter the set dot1x
shutdown-timeout command. Then enter the set port dot1x mod/port shutdown-timeout enable
command to activate automatic reenabling of the port after the shutdown-timeout period has elapsed.
If you enter the set port dot1x mod/port port-control-direction in command, all incoming traffic is
dropped. If you enter the set port dot1x mod/port port-control-direction both command, all incoming
and outgoing traffic is dropped.
When you configure 802.1X unidirectional or bidirectional ports, follow these guidelines:
Auxiliary VLANs—To support auxiliary VLANs on a port when you configure the port as a
unidirectional port, the auxiliary VLAN is moved to the spanning tree “forwarding” state to ensure
that the connected IP phone is operational immediately. To prevent any disturbance of the incoming
traffic, initially the port VLAN is also moved to the spanning tree “forwarding” state and then if any
traffic is seen on the port VLAN, the port is moved to the spanning tree “blocking” state to drop all
additional traffic. The connected host is then requested to get authorized to send any traffic.
Guest VLANs—Guest VLANs are supported only on ports configured as bidirectional ports. If a
guest VLAN is enabled on a port, that port cannot be configured as a unidirectional port and vice versa.
Port mode—The port mode (single-authentication mode, multiple-host mode, or
multiple-authentication mode) for a port configured as a unidirectional port must be
single-authentication mode (the default port mode).
You can provide limited access to an end host that does not have valid credentials for 802.1X
authentication. After three failed attempts at authentication, the end host will obtain network
connectivity through a VLAN that you configure for users that fail authentication. To configure this
VLAN, enter the set port dot1x mod/port auth-fail-vlan vlan command. To disable this feature, enter
the set port dot1x mod/port auth-fail-vlan none command.
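As an added example, not text from the command reference itself, the commands the paragraphs above describe are assembled below into one configuration sequence for a hypothetical port 3/1, with VLAN 100 chosen as the authentication failure VLAN and 300 seconds as the shutdown timeout. The port number, the VLAN and timer values, and the lines beginning with # (annotations, not commands) are assumptions; the re-authentication and multiple-host keywords are from the same set port dot1x command family but are not shown on this page, so treat them as assumed as well.

```text
# Global 802.1X timers (keywords documented on this page)
# reauthentication period: 3600 seconds is the default
set dot1x re-authperiod 3600
# seconds a port stays shut down after a security violation
set dot1x shutdown-timeout 300

# Per-port settings for the hypothetical port 3/1
# periodic reauthentication (keyword assumed, not shown on this page)
set port dot1x 3/1 re-authentication enable
# single-host mode is the default; a second MAC address shuts the port down (keyword assumed)
set port dot1x 3/1 multiple-host disable
# re-enable the port automatically once shutdown-timeout has elapsed
set port dot1x 3/1 shutdown-timeout enable
# unidirectional port: only incoming traffic is dropped until the host is authorized
set port dot1x 3/1 port-control-direction in
# after three failed attempts (about 3 minutes with the default quiet period) move the host to VLAN 100
set port dot1x 3/1 auth-fail-vlan 100

# To withdraw the limited-access VLAN again
set port dot1x 3/1 auth-fail-vlan none
```

Two constraints from the guidelines above apply to this sequence: a unidirectional port (port-control-direction in) must stay in the default single-authentication mode and cannot also carry a guest VLAN, and the port VLAN must not be the same as an auxiliary VLAN. Substituting port-control-direction both drops traffic in both directions until authorization succeeds.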
When configuring the authentication failure VLAN, follow these configuration guidelines and be aware
of these restrictions:
After three failed 802.1X authentication attempts by the supplicant, the port is moved to the
authentication failure VLAN where the supplicant can access the network. These three attempts
introduce a delay of 3 minutes before the port is enabled in the authentication failure VLAN and the
EAP success packet is sent to the supplicant (1 minute per failed attempt based on the default quiet
period of 60 seconds after each failed attempt).
The number of failed 802.1X authentication attempts is counted from the time of the linkup to the
point where the port is moved into the authentication failure VLAN. When the port moves into the
authentication failure VLAN, the failed-attempts counter is reset.
Only users whose authentication has failed are moved to the authentication failure VLAN.