Users Guide
Security Commands 1064
to be able to identify the short-comings in the configuration of a 802.1x
authentication on the switch without affecting the network access to the
users of the switch.
There are three important aspects to this feature after activation:
1
To allow successful authentications using the returned information from
authentication server.
2
To provide a mechanism to report unsuccessful authentications without
negative repercussions to the user due to operator errors or failure cases
from the Authentication server or supplicants.
3
To accurately report the data received from the successful and
unsuccessful operations so that the operator can make the appropriate
changes or learn where the problem areas are.
The monitor mode can be configured globally on a switch. If the switch fails
to authenticate the user for any reason (say RADIUS access reject from
RADIUS server, RADIUS time-out, or the client itself is 802.1x unaware), the
client is authenticated and is undisturbed by the failure condition(s). The
reasons for failure are logged and buffered into the local logging database such
that the operator can track the failure conditions. Clients authenticated when
monitor mode is enabled are always assigned to the default port PVID if no
VLAN is supplied from the RADIUS server, and clients are assigned to
RADIUS VLAN if filter-ID is a mismatch.
dot1x eapolflood
This command enables the flooding of received IEEE 802.1x frames in the
VLAN. Use the no form of the command to return the processing of EAPOL
frames to the default.
Syntax
dot1x eapolflood
no dot1x eapolflood
Default Configuration
By default, the switch does not forward received IEEE 802.1x frames, even if
802.1x is not enabled on the switch. This is the default behavior required by
IEEE 802.1x-2010.