show port-access config command, as shown in the following example.
NOTE: When configuring a RADIUS server to assign a VLAN, you can use either the VLAN’s name or VID. For example, if a VLAN configured in the switch has a VID of 100 and is named vlan100, you could configure the RADIUS server to use either “100” or “vlan100” to specify the VLAN.
aaa port-access mac-based password password-value
The [no] form of the command disables the feature.
NOTE: The password value is listed in an exported config file when include-credentials is enabled.
aaa port-access mac-based addr-format <no-delimiter | single-dash | multi-dash | multi-colon | no-delimiter-uppercase | single-dash-uppercase | multi-dash-uppercase | multi-colon-uppercase>
no-delimiter
no-delimiter: specifies an aabbccddeeff format.
single-dash: specifies an aabbcc-ddeeff format.
multi-dash: specifies an aa-bb-cc-dd-ee-ff format.
multi-colon: specifies an aa:bb:cc:dd:ee:ff format.
no-delimiter-uppercase: specifies an AABBCCDDEEFF format.
single-dash-uppercase: specifies an AABBCC-DDEEFF format.
multi-dash-uppercase: specifies an AA-BB-CC-DD-EE-FF format.
multi-colon-uppercase: specifies an AA:BB:CC:DD:EE:FF format.
aaa port-access mac-based [e] port-list [addr-limit 1-256]
1
NOTE: On switches where MAC authenticated and 802.1X operate concurrently, this limit includes the total number of clients authenticated through both methods.
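The eight addr-format options listed above, as an added Python example that is not part of the original documentation: it renders a client MAC address in a chosen format and flags RADIUS user entries written in a different one. The sample entries are constructed, and the premise that server-side entries must match the configured format exactly is an assumption of this example.

```python
import re

# Option names and layouts are the ones listed for
# "aaa port-access mac-based addr-format" above.
# Value: (hex digits per group, delimiter, uppercase).
ADDR_FORMATS = {
    "no-delimiter": (12, "", False),
    "single-dash": (6, "-", False),
    "multi-dash": (2, "-", False),
    "multi-colon": (2, ":", False),
    "no-delimiter-uppercase": (12, "", True),
    "single-dash-uppercase": (6, "-", True),
    "multi-dash-uppercase": (2, "-", True),
    "multi-colon-uppercase": (2, ":", True),
}

# Constructed sample of RADIUS user names (not taken from the page).
SAMPLE_ENTRIES = ["aabbccddeeff", "AA-BB-CC-DD-EE-FF", "aa:bb:cc:dd:ee:ff",
                  "aabbcc-ddeeff", "001122334455", "not-a-mac"]

def normalize_mac(mac):
    """Strip common separators; return 12 lowercase hex digits or raise."""
    digits = re.sub(r"[-:.\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits

def format_mac(mac, addr_format):
    """Render mac in the layout of the named addr-format option."""
    # An unknown option name raises KeyError, so typos are not hidden.
    group, delim, upper = ADDR_FORMATS[addr_format]
    digits = normalize_mac(mac)
    text = delim.join(digits[i:i + group] for i in range(0, 12, group))
    return text.upper() if upper else text

def mismatched_entries(entries, addr_format):
    """Return entries that are malformed or written in another format."""
    bad = []
    for entry in entries:
        try:
            if format_mac(entry, addr_format) != entry:
                bad.append(entry)
        except ValueError:
            bad.append(entry)
    return bad

if __name__ == "__main__":
    for name in ADDR_FORMATS:
        print(f"{name:24} {format_mac('AA:BB:CC:DD:EE:FF', name)}")
```

An all-digit address such as 001122334455 is identical in the lowercase and uppercase no-delimiter formats, which is why the check compares against the rendered string instead of guessing the entry's format.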
[no] aaa port-access mac-based [e] port-list [addr-moves]
Use the no form of the command to disable MAC address moves between ports under MAC authenticated control.
aaa port-access mac-based [e] port-list [auth-vid vid]
no aaa port-access mac-based [e] port-list [auth-vid]
If auth-vid is 0, no VLAN changes occur unless the RADIUS server supplies one. Use the no form of the command to set the auth-vid to 0.
0
[no] aaa port-access mac-based [e] port-list [logoff-period] 60-9999999
300 seconds
[no] aaa port-access mac-based [e] port-list [max-requests 1-10]
[no] aaa port-access mac-based [e] port-list [quiet-period 1-65535]
[no] aaa port-access mac-based [e] port-list [reauth-period 0-9999999]
If reauth-period is 0, re-authentication is disabled.
[no] aaa port-access mac-based [e] port-list [reauthenticate]
[no] aaa port-access mac-based [e] port-list [server-timeout 1-300]
max-requests value, the switch sends a new attempt or ends the authentication session.
[no] aaa port-access mac-based [e] port-list [unauth-vid vid]
[no] aaa port-access mac-based [e] port-list [unauth-vid]
If unauth-vid is 0, no VLAN changes occur. Use the no form of the command to set the unauth-vid to 0.
[no] aaa port-access web-based access-denied-message <<access-denied-str> | radius-response>
The [no] form of the command means that no message is displayed upon failure to authenticate.
unauth-vid is configured.
The show running-config command displays the client’s information, including the configured access denied message.
NOTE: The HTTP redirect feature cannot be enabled if web-based authentication is enabled on any port, and conversely, if HTTP redirect is enabled, web-based authentication cannot be enabled on any port. The web/registration server software is not included with this feature.
The unauth-redirect option must be configured with the registration server’s URL as a parameter before HTTP redirect operations can begin. The full URL must be used.
[no] aaa port-access mac-based unauth-redirect <redirect-URL-str>
NOTE: The entire URL must be used, including the “http://” or “https://” portion.
[restrictive-filter]
[timeout <seconds>]
CAUTION: Rogue clients can attempt to access any webpages on the web/registration server via interface ports configured for MAC authentication.
The show command displays the HTTP redirect configuration.
mac-addr specifies single client reauthentication. If the reauthenticate parameter is entered without the mac-addr keyword and MAC address, the command is executed as port reauthentication — all clients on a port are reauthenticated.