Chapter 10
Configuring IEEE 802.1x Port-Based Authentication
This example shows how to enable VLAN 2 as an IEEE 802.1x restricted VLAN:
Switch(config)# interface gigabitethernet1/2
Switch(config-if)# dot1x auth-fail vlan 2
You can configure the maximum number of authentication attempts allowed before a user is assigned to
the restricted VLAN by using the dot1x auth-fail max-attempts interface configuration command. The
range of allowable authentication attempts is 1 to 3. The default is 3 attempts.
Beginning in privileged EXEC mode, follow these steps to configure the maximum number of allowed
authentication attempts. This procedure is optional.
Command
Step 1
configure terminal
Step 2
interface interface-id
Step 3
switchport mode access
Step 4
dot1x port-control auto
Step 5
dot1x auth-fail vlan vlan-id
Step 6
dot1x auth-fail max-attempts max
attempts
Step 7
end
Step 8
show dot1x interface interface-id
Step 9
copy running-config startup-config
To return to the default value, use the no dot1x auth-fail max-attempts interface configuration
command.
This example shows how to set 2 as the number of authentication attempts allowed before the port moves
to the restricted VLAN:
Switch(config-if)# dot1x auth-fail max-attempts 2
OL-13018-01
Purpose
Enter global configuration mode.
Specify the port to be configured, and enter interface configuration mode.
For the supported port types, see the
Configuration Guidelines" section on page
Set the port to access mode.
Enable IEEE 802.1x authentication on the port.
Specify an active VLAN as an IEEE 802.1x restricted VLAN. The range
is 1 to 4094.
You can configure any active VLAN except an RSPAN VLAN or a voice
VLAN as an IEEE 802.1x restricted VLAN.
Specify a number of authentication attempts to allow before a port moves
to the restricted VLAN. The range is 1 to 3, and the default is 3.
Return to privileged EXEC mode.
(Optional) Verify your entries.
(Optional) Save your entries in the configuration file.
Cisco IE 3000 Switch Software Configuration Guide
Configuring IEEE 802.1x Authentication
"IEEE 802.1x Authentication
10-20.
10-33