Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

TechLibrary
Navigation
Table of Contents
Guide That Contains This Content
[+] Expand All
[-] Collapse All

    show dot1x

    Syntax

    show dot1x<brief | detail><interface interface-name>

    Release Information

    Command introduced in Junos OS Release 9.0 for EX Series switches.

    Description

    Display the current operational state of all ports with the list of connected users.

    This command displays the list of connected supplicants received from the RADIUS authentication server regardless of the session state—that is, for both authenticated supplicants and for supplicants that attempted authentication.

    Options

    none

    Display information for all authenticator ports.

    brief | detail

    (Optional) Display the specified level of output.

    interface interface-name

    Display information for the specified port with a list of connected supplicants.

    Required Privilege Level

    view

     

    Related Documentation

     

    List of Sample Output

    show dot1x interface brief
    show dot1x interface detail

    Output Fields

    Table 1 lists the output fields for the show dot1x command. Output fields are listed in the approximate order in which they appear.

    Table 1: show dot1x Output Fields

    Field Name

    Field Description

    Level of Output

    Interface

    Name of a port.

    All levels

    MAC address

    The MAC address of the connected supplicant on the port.

    All levels

    Role

    The 802.1X authentication role of the interface. When 802.1X is enabled on an interface, the role is Authenticator. As Authenticator, the interface blocks LAN access until a supplicant is authenticated through 802.1X or MAC RADIUS authentication.

    brief, detail

    State

    The state of the port:

    • Authenticated—The supplicant has been authenticated through the RADIUS server or has been permitted access through server fail fallback.
    • Authenticating—The supplicant is authenticating through the RADIUS server.
    • Held—An action has been triggered through server fail fallback during a RADIUS server timeout. A supplicant is denied access, permitted access through a specified VLAN, or maintains the authenticated state granted to it before the RADIUS server timeout occurred.

    brief

    User

    The user name of the connected supplicant

    brief

    Administrative state

    The administrative state of the port:

    • auto—Traffic is allowed through the port based on the authentication result. (Default)
    • force-authorize—All traffic flows through the port irrespective of the authentication result. This state is not allowed on an interface whose VLAN membership has been set to dynamic.
    • force-unauthorize—All traffic drops on the port irrespective of the authentication result. This state is not allowed on an interface whose VLAN membership has been set to dynamic.

    detail

    Supplicant

    The mode for the supplicant:

    • single—Authenticates only the first supplicant. All other supplicants who connect later to the port are allowed full access without any further authentication. They effectively “piggyback” on the first supplicant’s authentication.
    • single-secure—Allows only one supplicant to connect to the port. No other supplicant is allowed to connect until the first supplicant logs out.
    • multiple—Allows multiple supplicants to connect to the port. Each supplicant is authenticated individually.

    detail

    Quiet period

    The number of seconds the port remains in the wait state following a failed authentication exchange with the supplicant before reattempting the authentication. The default value is 60 seconds. The range is 0 through 65,535 seconds.

    detail

    Transmit period

    The number of seconds the port waits before retransmitting the initial EAPOL PDUs to the supplicant. The default value is 30 seconds. The range is 1 through 65,535 seconds.

    detail

    MAC radius

    MAC RADIUS authentication:

    • enabled—The switch sends an EAPOL request to the connecting host to attempt 802.1X authentication and if the connecting host is unresponsive, the switch tries to authenticate using the MAC address.
    • disabled—The default. The switch will not attempt to authenticate the MAC address of the connecting host.

    detail

    MAC radius restrict

    The authentication method is restricted to MAC RADIUS only. 802.1X authentication is not enabled.

    detail

    Reauthentication

    The reauthentication state:

    • disable—Periodic reauthentication of the client is disabled.
    • interval—Sets the periodic reauthentication time interval. The default value is 3600 seconds. The range is 1 through 65,535 seconds.

    detail

    Supplicant timeout

    The number of seconds the port waits for a response when relaying a request from the authentication server to the supplicant before resending the request. The default value is 30 seconds. The range is 1 through 60 seconds.

    detail

    Server timeout

    The number of seconds the port waits for a reply when relaying a response from the supplicant to the authentication server before timing out. The default value is 30 seconds. The range is 1 through 60 seconds.

    detail

    Maximum EAPOL requests

    The maximum number of retransmission times of an EAPOL request packet to the supplicant before the authentication session times out. The default value is 2. The range is 1 through 10.

    detail

    Number of clients bypassed because of authentication

    The number of non-802.1X clients granted access to the LAN by means of static MAC bypass. The following fields are displayed:

    • Client—MAC address of the client.
    • vlan —The name of the VLAN to which the client is connected.

    detail

    Guest VLAN member

    The VLAN to which a supplicant is connected when the supplicant is authenticated using a guest VLAN. If a guest VLAN is not configured on the interface, this field displays <not configured>.

    detail

    Number of connected supplicants

    The number of supplicants connected to a port.

    detail

    Supplicant

    The user name and MAC address of the connected supplicant.

    detail

    Authentication method

    The 802.1X authentication method used for a supplicant:

    • Guest VLAN—A supplicant is connected to the LAN through the guest VLAN.
    • MAC Radius—A nonresponsive host is authenticated based on its MAC address. The MAC address is configured as permitted on the RADIUS server, the RADIUS server lets the switch know that the MAC address is a permitted address, and the switch opens LAN access to the nonresponsive host on the interface to which it is connected.
    • Radius—A supplicant is configured on the RADIUS server, the RADIUS server communicates this to the switch, and the switch opens LAN access on the interface to which the supplicant is connected.
    • Server-fail deny—If the RADIUS servers time out, all supplicants are denied access to the LAN, preventing traffic from flowing from the supplicant through the interface. This is the default.
    • Server-fail permit—When the RADIUS server is unavailable, a supplicant is still permitted access to the LAN as if the supplicant had been successfully authenticated by the RADIUS server.
    • Server-fail use-cache—If the RADIUS servers time out during reauthentication, previously authenticated supplicants are reauthenticated, but new supplicants are denied LAN access.
    • Server-fail VLAN—A supplicant is configured to be moved to a specified VLAN if the RADIUS server is unavailable to reauthenticate the supplicant. (The VLAN must already exist on the switch.)

    detail

    Authenticated VLAN

    The VLAN to which the supplicant is connected.

    detail

    Dynamic filter

    User policy filter sent by the RADIUS server.

    detail

    Session Reauth interval

    The configured reauthentication interval.

    detail

    Reauthentication due in

    The number of seconds in which reauthentication will occur again for the connected supplicant.

    detail

    Sample Output

    show dot1x interface brief

    user@switch> show dot1x interface brief 
    802.1X Information:
Interface     Role           State           MAC address          User
ge-0/0/1      Authenticator  Authenticated   00:a0:d2:18:1a:c8    user1
ge-0/0/2      Authenticator  Connecting
ge-0/0/3      Authenticator  Held            00:a6:55:f2:94:ae    user3

    show dot1x interface detail

    user@switch> show dot1x interface ge-0/0/16.0 detail 
     ge-0/0/16.0
  Role: Authenticator
  Administrative state: Auto
  Supplicant mode: Single
  Number of retries: 3
  Quiet period: 60 seconds
  Transmit period: 30 seconds
  Mac Radius: Enabled
  Mac Radius Strict: Disabled
  Reauthentication: Enabled 
  Configured Reauthentication interval: 40 seconds
  Supplicant timeout: 30 seconds
  Server timeout: 30 seconds
  Maximum EAPOL requests: 1
  Guest VLAN member: <not configured>
  Number of connected supplicants: 1
    Supplicant: abc, 00:30:48:8C:66:BD
      Operational state: Authenticated
      Authentication method: Radius
      Authenticated VLAN: v200
      Reauthentication due in 17 seconds

    Published: 2012-12-06

    Previous Page Next Page