User's Manual
Cisco IE 2000 Switch Software Configuration Guide
OL-25866-01
Chapter 13 Configuring IEEE 802.1x Port-Based Authentication
How to Configure IEEE 802.1x Port-Based Authentication
Configuring a Restricted VLAN
When you configure a restricted VLAN on a switch, clients that are 802.1x-compliant are moved into 
the restricted VLAN when the authentication server does not receive a valid username and password. 
The switch supports restricted VLANs only in single-host mode.
Step 1
  Command: configure terminal
  Purpose: Enters global configuration mode.
Step 2
  Command: interface interface-id
  Purpose: Specifies the port to be configured, and enters interface configuration mode.
Step 3
  Command: switchport mode access
           or
           switchport mode private-vlan host
  Purpose: Sets the port to access mode, or configures the Layer 2 port as a private-VLAN host port.
Step 4
  Command: authentication port-control auto
  Purpose: Enables 802.1x authentication on the port.
Step 5
  Command: authentication event fail action authorize vlan-id
  Purpose: Specifies an active VLAN as an 802.1x restricted VLAN. The range is 1 to 4096.
           You can configure any active VLAN except an internal VLAN (routed port), an RSPAN VLAN, a primary private VLAN, or a voice VLAN as an 802.1x restricted VLAN.
Step 6
  Command: end
  Purpose: Returns to privileged EXEC mode.
Step 7
  Command: show authentication interface interface-id
  Purpose: (Optional) Verifies your entries.
Step 8
  Command: copy running-config startup-config
  Purpose: (Optional) Saves your entries in the configuration file.

Configuring the Maximum Number of Authentication Attempts
Step 1
  Command: configure terminal
  Purpose: Enters global configuration mode.
Step 2
  Command: interface interface-id
  Purpose: Specifies the port to be configured, and enters interface configuration mode.
Step 3
  Command: switchport mode access
           or
           switchport mode private-vlan host
  Purpose: Sets the port to access mode, or configures the Layer 2 port as a private-VLAN host port.
Step 4
  Command: authentication port-control auto
  Purpose: Enables 802.1x authentication on the port.
Step 5
  Command: authentication event fail action authorize vlan-id
  Purpose: Specifies an active VLAN as an 802.1x restricted VLAN. The range is 1 to 4096.
           You can configure any active VLAN except an internal VLAN (routed port), an RSPAN VLAN, a primary private VLAN, or a voice VLAN as an 802.1x restricted VLAN.
Step 6
  Command: authentication event retry retry count
  Purpose: Specifies a number of authentication attempts to allow before a port moves to the restricted VLAN. The range is 1 to 3, and the default is 3.
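The constraints stated in the restricted VLAN and authentication attempts procedures can be checked against a saved configuration. The following audit script is an added example, not part of the Cisco guide; the interface names and sample configuration are constructed, the command spellings follow the forms shown above (with an optional vlan keyword), and authentication host-mode is an IOS command that this page does not show.

```python
import re

# Constructed sample running-config excerpt (not from the original guide).
SAMPLE_CONFIG = """\
interface FastEthernet1/1
 switchport mode access
 authentication port-control auto
 authentication event fail action authorize vlan 40
 authentication event retry 2
!
interface FastEthernet1/2
 switchport mode access
 switchport voice vlan 40
 authentication host-mode multi-host
 authentication event fail action authorize vlan 40
 authentication event retry 5
"""

def audit_restricted_vlan(config):
    """Return {interface: [findings]} for ports that set a restricted VLAN."""
    ports, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = ports.setdefault(line.split(None, 1)[1], [])
        elif current is not None and line.startswith(" "):
            current.append(line.strip())
        else:
            current = None  # "!" or any global line ends the interface block
    report = {}
    for name, lines in ports.items():
        text = "\n".join(lines)
        m = re.search(r"^authentication event fail action authorize (?:vlan )?(\d+)$", text, re.M)
        if not m:
            continue  # no restricted VLAN configured on this port
        issues = []
        if not re.search(r"^switchport mode (access|private-vlan host)$", text, re.M):
            issues.append("port is not an access or private-VLAN host port")
        if "authentication port-control auto" not in lines:
            issues.append("802.1x is not enabled (authentication port-control auto)")
        host = re.search(r"^authentication host-mode (\S+)$", text, re.M)
        if host and host.group(1) != "single-host":  # no line means the default host mode
            issues.append("restricted VLAN is supported only in single-host mode")
        if re.search(rf"^switchport voice vlan {m.group(1)}$", text, re.M):
            issues.append("restricted VLAN is also the voice VLAN")
        retry = re.search(r"^authentication event retry (\d+)$", text, re.M)
        if retry and not 1 <= int(retry.group(1)) <= 3:
            issues.append("retry count outside the range 1 to 3")
        report[name] = issues
    return report
```

An empty findings list means the port satisfies every check; the RSPAN, primary private VLAN and internal VLAN exclusions need the VLAN database and are not covered here.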










