
show aaa authentication dot1x

show aaa authentication dot1x [<profile-name>|countermeasures]

Description

This command shows information for 802.1X authentication profiles.

Syntax

Parameter        Description
---------        -----------
<profile-name>   The name of an existing 802.1X authentication profile.
countermeasures  Reports whether WPA/WPA2 countermeasures have been enabled for 802.1X profiles. If enabled, the AP scans for message integrity code (MIC) failures in traffic received from clients.

Usage Guidelines

Issue this command without the <profile-name> or countermeasures options to display the entire 802.1X authentication profile list, including profile status and the number of references to each profile. Include a profile name to display detailed dot1x authentication configuration information for that profile. The countermeasures option indicates whether the 802.1X profiles have been configured for WPA/WPA2 countermeasures. If countermeasures have not been configured, the output for this command will be blank.

Examples

The following example lists all dot1x authentication profiles. The References column lists the number of other profiles with references to an 802.1X authentication profile, and the Profile Status column indicates whether the profile is predefined. User-defined 802.1X profiles will not have an entry in the Profile Status column.

(host) #show aaa authentication dot1x

802.1X Authentication Profile List
----------------------------------
Name         References  Profile Status
----         ----------  --------------
default      2
default-psk  1           Predefined (editable)
dot1x        5
dot1xtest    0

Total:4

To display a complete list of parameters for an individual profile, include the <profile-name> parameter. The example below displays some of the profile details for the authentication profile pDot1x.

(host) #show aaa authentication dot1x pDot1x

802.1X Authentication Profile "pDot1x"
--------------------------------------
Parameter                                      Value
---------                                      -----
Max authentication failures                    0
Enforce Machine Authentication                 Disabled
Machine Authentication: Default Machine Role   guest
Machine Authentication Cache Timeout           24 hrs
Blacklist on Machine Authentication Failure    Disabled
Machine Authentication: Default User Role      guest
Interval between Identity Requests             30 sec
Quiet Period after Failed Authentication       30 sec
Reauthentication Interval                      86400 sec
Use Server provided Reauthentication Interval  Disabled
Multicast Key Rotation Time Interval           1800 sec
Unicast Key Rotation Time Interval             900 sec
...

The output of the show aaa authentication dot1x command includes the following parameters:

Parameter

Description

Max authentication failures

Number of times a user can try to log in with wrong credentials before the user is blacklisted as a security threat. Blacklisting is disabled if this parameter is set to 0.

Enforce Machine Authentication

Shows if machine authentication is enabled or disabled for Windows environments. If enabled, either the machine-default-role or the user-default-role is assigned to the user, depending on which authentication is successful.

Machine Authentication: Default Machine Role

Default role assigned to the user after completing only machine authentication.

Machine Authentication Cache Timeout

The timeout period, in hours, for machine authentication. After this period passes, the user will have to re-authenticate.

Blacklist on Machine Authentication Failure

If enabled, the client is blacklisted if machine authentication fails.

Machine Authentication: Default User Role

Default role assigned to the user after 802.1X authentication.

Interval between Identity Requests

Interval, in seconds, between identity request retries

Quiet Period after Failed Authentication

Interval, in seconds, following failed authentication.

Reauthentication Interval

Interval, in seconds, between reauthentication attempts.

Use Server provided Reauthentication Interval

If enabled, 802.1X authentication will use the server-provided reauthentication period.

Multicast Key Rotation Time Interval

Interval, in seconds, between multicast key rotations.


Unicast Key Rotation Time Interval

Interval, in seconds, between unicast key rotations.

Authentication Server Retry Interval

Server group retry interval, in seconds.

Authentication Server Retry Count

The number of server group retries.

Framed MTU

Shows the framed MTU (maximum transmission unit) attribute sent to the authentication server.

Number of times ID-Requests are retried

Maximum number of times ID requests are sent to the client.

Maximum Number of Reauthentication Attempts

Maximum number of reauthentication attempts.

Maximum number of times Held State can be bypassed

Number of consecutive authentication failures which, when reached, causes the controller to not respond to authentication requests from a client while the controller is in a held state after the authentication failure.

Dynamic WEP Key Message Retry Count

Number of times unicast/multicast EAPOL key messages are sent to the client.

Dynamic WEP Key Size

Dynamic WEP key size, either 40 or 128 bits.

Interval between WPA/WPA2 Key Messages

Interval, in milliseconds, between each WPA key exchange. The allowed range of values is 1000-5000 msecs, and the default value is 1000 msecs.

Delay between EAP-Success and WPA2 Unicast Key Exchange

Shows the delay interval, in milliseconds, between EAP-Success and unicast key exchanges. Range: 0-2000 msec. Default: 0 (no delay).

Delay between WPA/WPA2 Unicast Key and Group Key Exchange

Interval, in milliseconds, between unicast and multicast key exchanges.

Time interval after which the PMKSA will be deleted

Shows the PMKSA cache interval, in hours. Range: 1-2000. Default: 8 hrs.

Delete Keycache upon user deletion

If enabled, the controller deletes the key cache entry when the user entry is deleted.

WPA/WPA2 Key Message Retry Count

Number of times WPA/WPA2 key messages are retried.

Multicast Key Rotation

Shows if multicast key rotation is enabled or disabled.

Unicast Key Rotation

Shows if unicast key rotation is enabled or disabled.

Reauthentication

If enabled, this option forces the client to do an 802.1X reauthentication after the expiration of the default timer for reauthentication. (The default value of the timer is 24 hours.)

Opportunistic Key Caching

If enabled, a cached pairwise master key (PMK) is derived with a client and an associated AP and used when the client roams to a new AP.

Validate PMKID

Shows if the Validate PMKID feature is enabled or disabled. When this option is enabled, the client must send a PMKID in the associate or reassociate frame to indicate that it supports OKC (opportunistic key caching); otherwise, full 802.1X authentication takes place. (This feature is optional, since most clients that support OKC do not send the PMKID in their association request.)

Use Session Key

If enabled, the controller will use a RADIUS session key as the unicast WEP key.

Use Static Key

If enabled, the controller will use a static key as the unicast/multicast WEP key.

xSec MTU

Shows the size of the MTU for xSec.

Termination

Shows if 802.1X termination is enabled or disabled on the controller.

Termination EAP-Type

Shows the current Extensible Authentication Protocol (EAP) method, either EAP-PEAP or EAP-TLS.

Termination Inner EAP-Type

When EAP-PEAP is the EAP method, this parameter displays the inner EAP type.

Enforce Suite-B 128 bit or more security level Authentication

Shows if Suite-B 128 bit or more security level authentication enforcement is enabled or disabled.

Enforce Suite-B 192 bit security level Authentication

Shows if Suite-B 192 bit or more security level authentication enforcement is enabled or disabled.

Token Caching

If this feature is enabled (and EAP-GTC is configured as the inner EAP method), token caching allows the controller to cache the username and password of each authenticated user.

Token Caching Period

Timeout period, in hours, for the cached information.

CA-Certificate

Name of the CA certificate for client authentication loaded in the controller.

Server-Certificate

Name of the Server certificate used by the controller to authenticate itself to the client.

TLS Guest Access

Shows if guest access for valid EAP-TLS users is enabled or disabled.

TLS Guest Role

User role assigned to EAP-TLS guests.

Ignore EAPOL-START after authentication

If enabled, the controller ignores EAPOL-START messages after authentication.

Handle EAPOL-Logoff

Shows if handling of EAPOL-LOGOFF messages is enabled or disabled.

Ignore EAP ID during negotiation

If enabled, the controller will ignore EAP IDs during negotiation.

WPA-Fast-Handover

Shows if WPA-fast-handover is enabled or disabled. This feature is only applicable for phones that support WPA.

Disable rekey and reauthentication for clients on call

Shows if the rekey and reauthentication features for voice-over-WLAN clients have been enabled or disabled.

Check certificate common name against AAA server

If enabled, this parameter verifies that the certificate's common name exists in the server. This parameter is disabled by default in dot1x profiles.
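As an added example (not part of the ArubaOS documentation and not Aruba code), the Python below parses the per-profile output described above into a dictionary and flags values a configuration reviewer would question, such as Max authentication failures set to 0, which the table above says disables blacklisting. The sample output is constructed, the assumption that the Value column is separated from the parameter name by two or more spaces is this example's own, and the 24-hour reauthentication ceiling is an assumed local policy.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of the per-profile output (not captured from a controller);
# rows follow the pDot1x example on this page, plus one weak setting for the audit.
SAMPLE_OUTPUT = """\
802.1X Authentication Profile "pDot1x"
--------------------------------------
Parameter                                      Value
---------                                      -----
Max authentication failures                    0
Enforce Machine Authentication                 Disabled
Machine Authentication: Default Machine Role   guest
Machine Authentication Cache Timeout           24 hrs
Reauthentication Interval                      86400 sec
Use Server provided Reauthentication Interval  Disabled
Multicast Key Rotation Time Interval           1800 sec
Unicast Key Rotation Time Interval             900 sec
Use Static Key                                 Enabled
"""

# Assumption: the parameter name is separated from its value by two or more spaces.
ROW = re.compile(r"^(\S.*?\S)\s{2,}(\S.*?)\s*$")
UNIT_SECONDS = {"msec": 0.001, "msecs": 0.001, "sec": 1, "hr": 3600, "hrs": 3600}

def parse_profile(text: str) -> Dict[str, str]:
    """Turn the 'Parameter / Value' table into a dict, skipping banner lines."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or set(line.strip()) <= {"-", " "}:
            continue  # blank line or dashed separator row
        m = ROW.match(line)
        if not m or m.group(1) == "Parameter":
            continue  # title line, column header, or unparseable row
        params[m.group(1)] = m.group(2)
    return params

def duration_seconds(value: str) -> Optional[float]:
    """Convert values such as '24 hrs', '30 sec' or '1000 msecs' to seconds."""
    m = re.fullmatch(r"(\d+)\s*([a-z]+)", value.strip().lower())
    if not m or m.group(2) not in UNIT_SECONDS:
        return None
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)]

def audit_profile(params: Dict[str, str]) -> List[str]:
    """Flag settings a reviewer would question; the 24 h ceiling is this example's own."""
    findings: List[str] = []
    if params.get("Max authentication failures") == "0":
        findings.append("Max authentication failures is 0: blacklisting of clients with repeated bad credentials is disabled")
    if params.get("Use Static Key", "").lower() == "enabled":
        findings.append("Use Static Key is enabled: a static WEP key protects unicast/multicast traffic")
    if params.get("Enforce Machine Authentication", "").lower() == "disabled":
        findings.append("Enforce Machine Authentication is disabled")
    reauth = duration_seconds(params.get("Reauthentication Interval", ""))
    if reauth is not None and reauth > 24 * 3600:
        findings.append(f"Reauthentication Interval of {int(reauth)} s exceeds 24 h")
    return findings
```

Run audit_profile(parse_profile(text)) on output captured from show aaa authentication dot1x <profile-name>; each returned string names the parameter and the reason it was flagged.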

Related Commands

Command                   Description
-------                   -----------
aaa authentication dot1x  This command configures the 802.1X authentication profile.

Command History

Version          Modification
-------          ------------
ArubaOS 8.0.0.0  Command introduced.

Command Information

Platforms      Licensing               Command Mode
---------      ---------               ------------
All platforms  Base operating system.  Enable and Config mode on Mobility Master.
