The dot1x port-control command sets the authorization state of an interface.
The undo dot1x port-control command restores the default authorization state of an interface.
By default, the authorization state of an interface is auto.
In the system view:
dot1x port-control { auto | authorized-force | unauthorized-force } interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
undo dot1x port-control interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>
In the interface view:
dot1x port-control { auto | authorized-force | unauthorized-force }
undo dot1x port-control
Parameter |
Description |
Value |
|---|---|---|
auto |
Indicates the auto identification mode. In this mode, an interface is initially in Unauthorized state and only allows users to send and receive EAPOL packets. Users cannot access network resources. After the users are authenticated, the interface becomes authorized and allows the users to access network resources. |
- |
authorized-force |
Indicates the forcible authorization mode. In this mode, the interface is always in Authorized state, does not handle EAPOL packets, and allows users to access network resources without authentication or authorization. |
- |
unauthorized-force |
Indicates the forcible unauthorized mode. In this mode, the interface is always in Unauthorized state, does not handle EAPOL packets, and prohibits users from accessing network resources. |
- |
interface { interface-type interface-number1 [ to interface-number2 ] } |
Specifies the interface type and number.
|
- |
System view, Ethernet interface view, GE interface view, MultiGE interface view, XGE interface view, 25GE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, Port group view
Usage Scenario
The auto mode is recommended. Only authenticated users can access network resources. To trust all users on an interface without authentication, configure the authorized-force mode. To disable access rights of all users on an interface to ensure security, configure the unauthorized-force mode.
Prerequisites
802.1X authentication has been enabled globally and on an interface using the dot1x enable command.
Precautions
When there are online 802.1X users on an interface, the dot1x port-control command must not be run; otherwise, the system displays alarm information.
It is recommended that you set the authorization state of an interface in the early stage of network deployment. When the network is running properly, run the cut access-user command to disconnect all users from the interface before changing the authorization state.
# Set the authorization state of GE0/0/1 to unauthorized-force in the system view.
<HUAWEI> system-view [HUAWEI] dot1x port-control unauthorized-force interface gigabitethernet 0/0/1
# Set the authorization state of GE0/0/1 to unauthorized-force in the interface view.
<HUAWEI> system-view [HUAWEI] interface gigabitethernet 0/0/1 [HUAWEI-GigabitEthernet0/0/1] dot1x port-control unauthorized-force