PNAC
dot1x system-auth-control
Command Objective: This command enables dot1x on the switch. dot1x is an authentication mechanism in which the switch acts as the authenticator, mediating between the authentication server and the supplicant (client). When a client attempts to access protected resources, it contacts the authenticator using EAPOL frames.
Syntax:
dot1x system-auth-control
no dot1x system-auth-control
Mode: Global Configuration Mode.
dot1x auth-mode
Command Objective: Sets dot1x authentication mode.
Syntax: dot1x auth-mode {port-based | mac-based}
Mode: Interface configuration mode.
shutdown dot1x
Command Objective: This command shuts down the dot1x feature. Shutting down dot1x dissolves the supplicant-authenticator-authentication server architecture; data transport and authentication are then governed directly by the authentication server. When shut down, all resources acquired by the dot1x module are released to the system.
Syntax:
shutdown dot1x
no shutdown dot1x
Mode: Global Configuration Mode.
dot1x clear statistics
Command Objective: This command clears dot1x counters for all the ports on the switch.
Syntax: dot1x clear statistics {interface <iftype> <ifnum> | all}
Parameter Description:
- interface <iftype> <ifnum>: Displays all static multicast MAC address entries for the specified interface.
- gigabitethernet: A version of LAN standard architecture that supports data transfer up to 1 Gigabit per second.
Mode: Global Configuration Mode.
dot1x guest-vlan
Command Objective: This command configures Dot1x Guest VLAN ID.
Syntax:
dot1x guest-vlan <short (1-4094)>
no dot1x guest-vlan
Parameter Description:
- <short (1-4094)>: The VLAN ID. This is a unique value that represents the specific VLAN. This value ranges between 1 and 4094.
Mode: Global Configuration Mode.
dot1x default
Command Objective: This command configures dot1x with default values for this port.
Any previous dot1x configuration on this port is reset to the default values. These defaults are not displayed but are the basic settings for a port.
Syntax: dot1x default
Mode: Interface Configuration Mode
dot1x max-host
Command Objective: Configures the maximum number of hosts that can be authenticated on the port when multi-host mode is in use.
Syntax: dot1x max-host <integer(1-10)>
Mode: Interface configuration mode.
dot1x max-req
Command Objective: This command sets the maximum number of EAP (Extensible Authentication Protocol) request retries that the authenticator sends to the client before restarting the authentication process. The count value ranges between 1 and 10.
Syntax:
dot1x max-req <count(1-10)>
no dot1x max-req
Mode: Interface Configuration Mode.
dot1x max-start
Command Objective: This command sets the maximum number of EAPOL retries sent to the authenticator. The value ranges from 1 to 65535.
Syntax:
dot1x max-start <count(1-65535)>
no dot1x max-start
Mode: Interface Configuration Mode.
dot1x reauthentication
Command Objective: This command enables periodic re-authentication of the client by the authenticator. Periodic re-authentication verifies that the same supplicant is still the one accessing the protected resources. The interval between re-authentication attempts can be configured manually.
Syntax:
dot1x reauthentication
no dot1x reauthentication
Mode: Interface Configuration Mode.
dot1x timeout
Command Objective: This command sets the dot1x timers. The timer module manages the dot1x timers: it creates the memory pool and the timer list, starts and stops timers, and invokes the handler for each timer when it expires.
Syntax:
dot1x timeout {quiet-period <short(0-65535)> | {reauth-period | server-timeout | supp-timeout | tx-period | start-period | held-period | auth-period} <short(1-65535)>}
no dot1x timeout {quiet-period | reauth-period | server-timeout | supp-timeout | tx-period | start-period | held-period | auth-period}
Parameter Description:
- quiet-period <value (0-65535)>: Configures the quiet-period. Number of seconds that the switch remains in the quiet state following a failed authentication exchange with the client.
- reauth-period: Configures the reauth-period. Number of seconds between re-authentication attempts.
- server-timeout: Configures the number of seconds that the switch waits for the retransmission of packets to the authentication server.
- supp-timeout: Configures the number of seconds that the switch waits for the retransmission of packets to the client.
- tx-period: Configures the number of seconds that the switch waits for a response to an EAP-request/identity frame, from the client before retransmitting the request.
- start-period: Configures the number of seconds that the supplicant waits between successive retries to the authenticator.
- held-period: Configures the number of seconds that the supplicant waits before trying to acquire the authenticator.
- auth-period <value(1-65535)>: Configures the number of seconds that the supplicant waits before timing-out the authenticator.
Mode: Interface Configuration Mode.
dot1x port-control
Command Objective: This command configures the authenticator port control parameter. dot1x uses port-based authentication to increase the security of the network. The different modes applied to a port offer different access levels. The 802.1x protocol is supported on both Layer 2 static-access ports and Layer 3 routed ports.
Syntax:
dot1x port-control {auto|force-authorized|force-unauthorized}
no dot1x port-control
Parameter Description:
- auto: Configures the 802.1x authentication process on this port. Causes the port to begin in the unauthorized state, allowing only EAPOL frames to be sent and received through the port. The authentication process begins when the link state of the port transitions from down to up or when an EAPOL-start frame is received. The switch requests the identity of the client and begins relaying authentication messages between the client and the authentication server. The switch can uniquely identify each client attempting to access the network by the client's MAC address.
- force-authorized: Configures the port to allow all the traffic through this port. Disables 802.1X authentication and causes the port to transit to the authorized state without requiring authentication exchange. The port transmits and receives normal traffic without 802.1X-based authentication of the client.
- force-unauthorized: Configures the port to block all the traffic through this port. Causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate. The switch cannot provide authentication services to the client through the interface.
Mode: Interface Configuration Mode.
dot1x guest-vlan enable
Command Objective: This command enables/disables guest-vlan feature.
Syntax:
dot1x guest-vlan enable
no dot1x guest-vlan enable
Mode: Interface Configuration Mode.
show dot1x
Command Objective: This command displays dot1x information. Use it to view the configured values, and after any configuration change to confirm that the port is configured as desired.
Syntax: show dot1x [{interface <interface-type> <interface-id> | statistics interface <interface-type> <interface-id> | supplicant-statistics interface <interface-type> <interface-id> | local-database | mac-info [address <aa.aa.aa.aa.aa.aa>] | mac-statistics [address <aa.aa.aa.aa.aa.aa>] | all }]
Parameter Description:
- interface <interface-type> <interface-id>: Displays dot1x parameters for the switch or the specified interface.
- statistics interface <interface-type> <interface-id>: Displays dot1x authenticator port statistics parameters for the switch or the specified interface.
- supplicant-statistics interface <interface-type> <interface-id>: Displays dot1x supplicant statistics parameters for the switch or the specified interface.
- local-database: Displays dot1x authentication server database with user name and password.
- mac-info [address <aa.aa.aa.aa.aa.aa>]: Displays dot1x information for all MAC sessions or for the specified MAC address.
- mac-statistics [address <aa.aa.aa.aa.aa.aa>]: Displays dot1x MAC statistics for all MAC sessions or for the specified MAC address.
- all: Displays dot1x status for all interfaces.
Mode: Privileged EXEC Mode.
show dot1x guest-vlan
Command Objective: Displays dot1x Guest Vlan information.
Syntax: show dot1x guest-vlan
Mode: Privileged EXEC Mode.
show dot1x dynamic-vlan
Command Objective: This command displays dot1x dynamic VLAN assignment information.
Syntax: show dot1x dynamic-vlan
Mode: Privileged EXEC Mode.
show dot1x authenticated host
Command Objective: This command displays dot1x authenticated host status.
Syntax: show dot1x authenticated host
Mode: Privileged EXEC Mode.
dot1x mab
Command Objective: This command configures MAC-based authentication (MAB) on the specified interface.
Syntax: dot1x mab {mab_mode | hybrid_mode | disable}
Parameter Description:
- mab_mode: Turn on MAB mode as the only authentication method.
- hybrid_mode: Turn on MAB mode as the fall-back authentication method. After three failed attempts, the Sophos switch uses MAB instead.
- disable: Turn off MAB authentication.
Mode: Interface configuration mode.
dot1x re-authenticate
Command Objective: This command initiates re-authentication of all dot1x-enabled ports or the specified dot1x-enabled port. This initializes the state machines and sets up the environment for fresh authentication.
Use this command to trigger re-authentication manually when periodic re-authentication is not enabled. The authentication server requests the supplicant to furnish its identity again without waiting for the configured number of seconds (reauth-period) to elapse. If no interface is specified, re-authentication is initiated on all dot1x ports.
Syntax: dot1x re-authenticate [interface <interface-type> <interface-id>]
Parameter Description:
- <interface type>: Configures the specified type of interface.
- <interface id>: Configures the specified interface identifier. This is a unique value that represents the specific interface. This value is a combination of slot number and port number separated by a slash. For Example, 0/1 represents that the slot number is 0 and port number is 1.
Mode: Privileged EXEC Mode.
dot1x radius-vlan-assignment
Command Objective: This command enables the RADIUS VLAN assignment function on the port.
Syntax:
dot1x radius-vlan-assignment enable
no dot1x radius-vlan-assignment
Mode: Interface Configuration Mode.
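As an added example (not part of this command reference and not Sophos's own tooling), the Python script below audits a saved running-config for the port-security-relevant settings documented above: dot1x system-auth-control, dot1x port-control, dot1x reauthentication, dot1x mab and dot1x guest-vlan enable. It reports ports whose settings bypass or weaken 802.1X (force-authorized ports, ports with no port-control line, auto ports without periodic re-authentication, MAB fallback, guest VLAN access). The config layout it parses (global commands at top level, per-port commands under an "interface <type> <id>" block terminated by "!") and the sample config text are assumptions made for this example; only the command names come from the reference.

```python
"""Audit a switch running-config for weak 802.1X (dot1x) port settings.

Added example, not part of the original command reference. Assumes a
text layout with global commands at top level and per-port commands
under 'interface <type> <id>' blocks ending with '!'. The command names
are the ones in the reference; the sample config below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample config (assumed layout, not captured from a device).
SAMPLE_CONFIG = """\
dot1x system-auth-control
dot1x guest-vlan 99
!
interface gigabitethernet 0/1
 dot1x port-control auto
 dot1x reauthentication
 dot1x max-req 2
 dot1x timeout reauth-period 3600
!
interface gigabitethernet 0/2
 dot1x port-control force-authorized
!
interface gigabitethernet 0/3
 dot1x port-control auto
 dot1x mab mab_mode
 dot1x guest-vlan enable
!
interface gigabitethernet 0/4
 dot1x port-control auto
 dot1x reauthentication
!
"""

INTERFACE_RE = re.compile(r"^interface\s+(\S+)\s+(\S+)\s*$")


@dataclass
class PortConfig:
    name: str
    port_control: Optional[str] = None   # None = no dot1x port-control line seen
    reauthentication: bool = False
    mab: str = "disable"                 # mab_mode | hybrid_mode | disable
    guest_vlan: bool = False


def parse_config(text: str) -> Tuple[bool, Dict[str, PortConfig]]:
    """Return (system-auth-control enabled?, {port name: PortConfig})."""
    system_auth = False
    ports: Dict[str, PortConfig] = {}
    current: Optional[PortConfig] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":                  # '!' closes the current interface block
            current = None
            continue
        m = INTERFACE_RE.match(line)
        if m:
            current = PortConfig(name=f"{m.group(1)} {m.group(2)}")
            ports[current.name] = current
            continue
        if current is None:              # global configuration mode commands
            if line == "dot1x system-auth-control":
                system_auth = True
            continue
        # interface configuration mode commands from the reference
        if line.startswith("dot1x port-control "):
            current.port_control = line.split()[-1]
        elif line == "dot1x reauthentication":
            current.reauthentication = True
        elif line.startswith("dot1x mab "):
            current.mab = line.split()[-1]
        elif line == "dot1x guest-vlan enable":
            current.guest_vlan = True
    return system_auth, ports


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (scope, finding) pairs for settings that weaken 802.1X."""
    system_auth, ports = parse_config(text)
    findings: List[Tuple[str, str]] = []
    if not system_auth:
        findings.append(("global", "dot1x system-auth-control not enabled; no port enforces 802.1X"))
    for name, p in ports.items():
        if p.port_control is None:
            findings.append((name, "no dot1x port-control configured"))
        elif p.port_control == "force-authorized":
            findings.append((name, "force-authorized: all traffic passes without authentication"))
        if p.port_control == "auto" and not p.reauthentication:
            findings.append((name, "periodic re-authentication disabled"))
        if p.mab != "disable":
            findings.append((name, f"MAB {p.mab}: identity is a MAC address, not an EAP credential"))
        if p.guest_vlan:
            findings.append((name, "guest VLAN enabled: unauthenticated hosts receive network access"))
    return findings


if __name__ == "__main__":
    for scope, msg in audit(SAMPLE_CONFIG):
        print(f"{scope}: {msg}")
```

Run against the constructed sample, the script reports gigabitethernet 0/2 once (force-authorized) and gigabitethernet 0/3 three times (no re-authentication, MAB, guest VLAN); ports 0/1 and 0/4 pass. Feed it the output of the switch's own show running-config to check a real device, adjusting INTERFACE_RE if that platform's interface line differs from the assumed layout.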