DELL S50V User Manual
112
|
802.1X
www.dell.com | support.dell.com
Important Points to Remember
•
FTOS supports 802.1X with EAP-MD5, EAP-OTP, EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1, and
MS-CHAPv2 with PEAP.
MS-CHAPv2 with PEAP.
•
All platforms support only RADIUS as the authentication server.
•
On E-Series ExaScale, if the primary RADIUS server becomes unresponsive, the authenticator begins
using a secondary RADIUS server, if configured.
using a secondary RADIUS server, if configured.
•
802.1X is not supported on port-channels or port-channel members.
•
On the C-series and S-Series platforms:
•
Traffic may be forwarded on an 802.1X-enabled port that is in an unauthorized state and
interoperates with a device through a MAC-authentication bypass (MAB) or the guest VLAN.
802.1X authentication on the port returns to normal operation only after a port flap or if you
disable and then re-enable 802.1X authentication on the port.
interoperates with a device through a MAC-authentication bypass (MAB) or the guest VLAN.
802.1X authentication on the port returns to normal operation only after a port flap or if you
disable and then re-enable 802.1X authentication on the port.
•
If you enable multi-supplicant authorization on a port, configure a maximum number of
supplicants that can be authenticated, and enable periodic re-authentication, if some of the
supplicants fail re-authentication, these unauthorized supplicants are still counted in the total
number of supplicants that can access the port.
supplicants that can be authenticated, and enable periodic re-authentication, if some of the
supplicants fail re-authentication, these unauthorized supplicants are still counted in the total
number of supplicants that can access the port.
•
Traffic may be transmitted on an 802.1X-enabled port before the port changes to an authorized
state.
state.
•
A MAB-authenticated port becomes unauthorized after an RPM failover.
Enabling 802.1X
802.1X must be enabled globally and at interface level.
Figure 7-4. Enabling 802.1X
Supplicant
Authenticator
Authentication
Server
Server
2/1
2/2
Force10(conf )#dot1x authentication
Force10(conf )#interface range gigabitethernet 2/1 - 2
Force10(conf-if-range-gi-2/1-2)#dot1x authentication
Force10(conf-if-range-gi-2/1-2)#show config
!
interface GigabitEthernet 2/1
ip address 2.2.2.2/24
dot1x authentication
no shutdown
!
interface GigabitEthernet 2/2
ip address 1.0.0.1/24
dot1x authentication
no shutdown
Force10(conf )#interface range gigabitethernet 2/1 - 2
Force10(conf-if-range-gi-2/1-2)#dot1x authentication
Force10(conf-if-range-gi-2/1-2)#show config
!
interface GigabitEthernet 2/1
ip address 2.2.2.2/24
dot1x authentication
no shutdown
!
interface GigabitEthernet 2/2
ip address 1.0.0.1/24
dot1x authentication
no shutdown