Open Ethernet Networking (OpEN) API Guide and Reference Manual  3.13.1.2
DOT1X

Port-based network access control allows a network administrator to restrict the use of IEEE 802 LAN service access points (ports) to secure communication between authenticated and authorized devices. This standard specifies a common architecture, functional elements, and protocols that support mutual authentication between the clients of ports attached to the same LAN and that secure communication between the ports, including the media access method independent protocols that are used to discover and establish the security associations used by IEEE 802.1AE MAC Security.

DOT1X OpEN API

This document provides a brief description of the DOT1X OpEN APIs. It provides the following services:

All 'Set' operations affect the switch's behavior and configuration.

Example C Application dot1x_example

Initialization

In the main function, the sample application initializes the OpEN API RPC service by calling openapiClientRegister() and waits for the RPC service in switchdrvr to start. A Client Handle is returned by openapiClientRegister() which is used while invoking the OpEN APIs. The application then exercises the associated OpEN APIs and logs informational and/or error messages on the console. The example application runs to its completion and exits.

dot1x_example

dot1x_example.c is a sample application that demonstrates the use of the DOT1X OpEN API. dot1x_example is started from the command line. It then exercises all the DOT1X OpEN APIs one by one with appropriate arguments to manage the DOT1X component in the ICOS main process (switchdrvr).

Sample Output (LiNe/LinuxHost platform)

# ./dot1x_example

Usage: dot1x_example <test#> <arg1> <arg2> ...
Test 0: Get 802.1x configured global operating control mode.: dot1x_example 0
Test 1: Set 802.1x configured global operating control mode.: dot1x_example 1 <mode>
Test 2: Get 802.1x default authentication method.: dot1x_example 2
Test 3: Set 802.1x default authentication method.: dot1x_example 3 <method>
Test 4: Get 802.1x port PAE state.: dot1x_example 12 <interface>
Test 5: Set 802.1x eapol flood mode.: dot1x_example 6 <mode>
Test 6: Get 802.1x eapol flood mode.: dot1x_example 7
Test 7: Set 802.1x quiet period on the specified port.: dot1x_example 8 <interface><quietPeriod>
Test 8: Get 802.1x quiet period on the specified port.: dot1x_example 9 <interface>
Test 9: Set 802.1x transmit period on the specified port.: dot1x_example 10 <interface><txPeriod>
Test 10: Get 802.1x transmit period on the specified port.: dot1x_example 11 <interface>
Test 11: Set 802.1x max reauth request-identity retries count on the specified port: dot1x_example 12 <intIfNum><maxReAuthReqIndentity>
Test 12: Get the configured 802.1x max reauth request-identity retries count on the specified port: dot1x_example 13 <intIfNum>
Test 13: Run API sanity checks: dot1x_example 14
Test 14: Sets the dot1x max requests on the specified port: dot1x_example 15 <intIfNum> <maxReq>
Test 15: Gets dot1x max requests on the specified port: dot1x_example 16 <intIfNum>
Test 16: Sets the dot1x supplicant timeout on the specified port: dot1x_example 17 <intIfNum> <suppTimeout>
Test 17: Gets dot1x supplicant timeout on the specified port: dot1x_example 18 <intIfNum>
Test 18: Sets the dot1x Authentiation server timeout on the specified port: dot1x_example 19 <intIfNum> <serverTimeout>
Test 19: Gets dot1x Authentiation Server timeout on the specified port: dot1x_example 20 <intIfNum>
Test 20: Sets the port's dot1x capabilities (Supplicant or Authenticator): dot1x_example 21 <intIfNum> <paeCapability>
Test 21: Gets dot1x PAE capabilities on the specified port: dot1x_example 22 <intIfNum>
Test 22: Gets dot1x protocol version on the specified port: dot1x_example 23 <intIfNum>

DOT1X CLI/API Cross Reference

CLI Command
    OpEN API Reference

(Config)# [no]dot1x system-auth-control
    openapiDot1xSystemAuthControlModeSet()
    openapiDot1xSystemAuthControlModeGet()

(Config)# [no]aaa authentication dot1x default {ias | local | none| radius}
    openapiDot1xDefaultAuthenMethodSet()
    openapiDot1xDefaultAuthenMethodGet()

(Interface-Config Mode)# [no]authentication port-control {auto | force-authorized | force-unauthorized}
    openapiDot1xPortControlModeSet()
    openapiDot1xPortControlModeGet()

(Interface-Config Mode)# [no]mab
    openapiDot1xPortMabEnabledSet()
    openapiDot1xPortMabEnabledGet()

(Interface-Config Mode)# [no]authentication event fail action authorize vlan <vlan-id>
    openapiDot1xPortGuestVlanSet()
    openapiDot1xPortGuestVlanGet()

(Priv-User Mode)# show authentication interface {<interface> | all}
    openapiDot1xPortOperatingControlModeGet()
    openapiDot1xPortStatusGet()
    openapiDot1xPortPaeStateGet()
    openapiDot1xPortOperationalMabModeGet()
    openapiDot1xPortVlanAssignedReasonGet()
    openapiDot1xPortControlModeGet()
    openapiDot1xPortGuestVlanGet()
    openapiDot1xPortMabEnabledGet()

(Priv-User Mode)# show authentication client {<interface> | all}
    openapiDot1xPortVlanAssignedGet()
    openapiDot1xPortVlanAssignedReasonGet()
    openapiDot1xLogicalPortSupplicantMacAddrGet()
    openapiDot1xLogicalPortVlanAssignmentGet()

(Config)# [no]dot1x eapolflood
    openapiDot1xEapolFloodModeSet()
    openapiDot1xEapolFloodModeGet()

(Interface-Config Mode)# [no] dot1x timeout quiet-period
    openapiDot1xPortQuietPeriodSet()
    openapiDot1xPortQuietPeriodGet()

(Interface-Config Mode)# [no] dot1x timeout timeout tx-period
    openapiDot1xPortTxPeriodSet()
    openapiDot1xPortTxPeriodGet()

(Interface-Config Mode)# [no]dot1x max-reauth-req
    openapiDot1xPortMaxReAuthReqIdentitySet()

(Priv-User Mode)# show dot1x detail <slot/port>
    openapiDot1xPortMaxReAuthReqIdentityGet()
    openapiDot1xPortMaxReqGet()
    openapiDot1xPortSuppTimeoutGet()
    openapiDot1xPortServerTimeoutGet()
    openapiDot1xPortPaeCapabilitiesGet()
    openapiDot1xPortProtocolVersionGet()

(Interface-Config Mode)# [no]dot1x max-req
    openapiDot1xPortMaxReqSet()

(Interface-Config Mode)# [no]dot1x timeout supp-timeout
    openapiDot1xPortSuppTimeoutSet()

(Interface-Config Mode)# [no]dot1x timeout server-timeout
    openapiDot1xPortServerTimeoutSet()

(Interface-Config Mode)# [no]dot1x pae authenticator
    openapiDot1xPortPaeCapabilitiesSet()
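
A posture check over the settings in the cross reference above, as an added example (not code from the OpEN API or from dot1x_example.c): it flags ports whose configuration admits a device without 802.1X credentials. The types, flag names and sample ports are hypothetical; a real client would fill the structure from the corresponding 'Get' APIs.

```c
#include <stdbool.h>
#include <stdio.h>
/* Hypothetical local types mirroring the CLI keywords; NOT the OpEN API's own. */
typedef enum { PC_AUTO, PC_FORCE_AUTHORIZED, PC_FORCE_UNAUTHORIZED } port_control_t;

typedef struct {
    const char    *ifname;    /* constructed interface label */
    port_control_t control;   /* authentication port-control {...} */
    bool           mab;       /* mab */
    unsigned       fail_vlan; /* fail action authorize vlan <vlan-id>, 0 = unset */
} port_cfg_t;

enum { F_GLOBAL_OFF = 1, F_FORCE_AUTH = 2, F_MAB = 4, F_FAIL_VLAN = 8 };

/* Bitmask of settings that let a device onto the port without 802.1X credentials. */
unsigned audit_port(bool system_auth_control, const port_cfg_t *p)
{
    unsigned f = 0;
    if (!system_auth_control)
        return F_GLOBAL_OFF;            /* 802.1X not enforced on any port */
    if (p->control == PC_FORCE_AUTHORIZED)
        return F_FORCE_AUTH;            /* port authorized unconditionally */
    if (p->control == PC_AUTO) {        /* assumed: MAB/fail VLAN only act in auto */
        if (p->mab)       f |= F_MAB;       /* admitted on MAC address alone */
        if (p->fail_vlan) f |= F_FAIL_VLAN; /* failed auth still gets a VLAN */
    }
    return f;
}

/* Audit every port, print findings, return the number of flagged ports. */
unsigned audit_switch(bool system_auth_control, const port_cfg_t *ports, unsigned n)
{
    unsigned flagged = 0;
    for (unsigned i = 0; i < n; i++) {
        unsigned f = audit_port(system_auth_control, &ports[i]);
        if (f) flagged++;
        printf("%-4s %s%s%s%s%s\n", ports[i].ifname, f ? "" : "ok",
               (f & F_GLOBAL_OFF) ? "system-auth-control-off " : "",
               (f & F_FORCE_AUTH) ? "force-authorized " : "",
               (f & F_MAB) ? "mab " : "", (f & F_FAIL_VLAN) ? "fail-vlan" : "");
    }
    return flagged;
}
/* Constructed sample configuration, not taken from a real switch. */
static const port_cfg_t SAMPLE[] = {
    { "0/1", PC_AUTO, false, 0 }, { "0/2", PC_FORCE_AUTHORIZED, false, 0 },
    { "0/3", PC_AUTO, true, 99 }, { "0/4", PC_FORCE_UNAUTHORIZED, true, 0 },
};
int main(void) { return audit_switch(true, SAMPLE, 4) == 2 ? 0 : 1; }
```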