Dell PowerConnect W-Series ArubaOS 6.1 CLI | Reference Guide

aaa authentication dot1x
| Parameter | Description | Range | Default |
|---|---|---|---|
| countermeasures | Scans for message integrity code (MIC) failures in traffic received from clients. If there are more than 2 MIC failures within 60 seconds, the AP is shut down for 60 seconds. This option is intended to slow down an attacker who is making a large number of forgery attempts in a short time. | | disabled |
| ca-cert <certificate> | CA certificate for client authentication. The CA certificate needs to be loaded in the controller. | — | — |
| cert-cn-lookup | If you use client certificates for user authentication, enable this option to verify that the certificate's common name exists in the server. This parameter is disabled by default. | — | — |
| eapol-logoff | Enables handling of EAPOL-LOGOFF messages. | | disabled |
| enforce-suite-b-128 | Configures enforcement of Suite-B authentication at a security level of 128 bits or more. | | disabled |
| enforce-suite-b-192 | Configures enforcement of Suite-B authentication at a security level of 192 bits or more. | | disabled |
| framed-mtu <MTU> | Sets the framed MTU attribute sent to the authentication server. | 500-1500 | 1100 |
| heldstate-bypass-counter <number> | (This parameter is applicable when 802.1x authentication is terminated on the controller, also known as AAA FastConnect.) Number of consecutive authentication failures which, when reached, causes the controller to not respond to authentication requests from a client while the controller is in a held state after the authentication failure. Until this number is reached, the controller responds to authentication requests from the client even while the controller is in its held state. | 0-3 | 0 |
| ignore-eap-id-match | Ignores the EAP ID during negotiation. | | disabled |
| ignore-eapolstart-afterauthentication | Ignores EAPOL-START messages after authentication. | | disabled |
| machine-authentication | (For Windows environments only) These parameters set machine authentication. NOTE: This parameter requires the PEFNG license. | | |
| blacklist-on-failure | Blacklists the client if machine authentication fails. | | disabled |
| cache-timeout <hours> | The timeout, in hours, for machine authentication. | 1-1000 | 24 hours (1 day) |
| enable | Select this option to enforce machine authentication before user authentication. If selected, either the machine-default-role or the user-default-role is assigned to the user, depending on which authentication is successful. | | disabled |
| machine-default-role <role> | Default role assigned to the user after completing only machine authentication. | | guest |
| user-default-role <role> | Default role assigned to the user after 802.1x authentication. | | guest |
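
The countermeasures parameter above describes a rate limit on MIC failures. The following added example (not taken from the Dell/Aruba guide) simulates that rule over constructed timestamps to show how few failing frames the AP processes once it is enabled. It assumes a sliding 60-second window, that frames arriving while the AP is shut down are never counted, and that the count restarts after each shutdown; the function and constant names are hypothetical.

```python
from collections import deque

WINDOW_S = 60    # page: failures are counted "within 60 seconds"
THRESHOLD = 2    # page: triggers on "more than 2" MIC failures
SHUTDOWN_S = 60  # page: "the AP is shut down for 60 seconds"


def simulate_countermeasures(failure_times):
    """Apply the countermeasures rule to MIC-failure timestamps (seconds).

    Returns (shutdowns, processed): a list of (start, end) shutdown
    intervals and the number of failing frames the AP actually saw.
    Assumptions not stated on the page: the window slides, frames sent
    while the AP is down are lost, and the count resets after a shutdown.
    """
    recent = deque()            # failures inside the current window
    shutdowns = []
    processed = 0
    down_until = float("-inf")

    for t in sorted(failure_times):
        if t < down_until:
            continue            # AP is shut down, frame never received
        processed += 1
        # Drop failures that have aged out of the 60-second window.
        while recent and t - recent[0] >= WINDOW_S:
            recent.popleft()
        recent.append(t)
        if len(recent) > THRESHOLD:
            down_until = t + SHUTDOWN_S
            shutdowns.append((t, down_until))
            recent.clear()
    return shutdowns, processed


if __name__ == "__main__":
    # Constructed input: one MIC failure per second for five minutes.
    burst = range(300)
    intervals, seen = simulate_countermeasures(burst)
    print(f"{seen} of {len(burst)} failing frames processed")
    for start, end in intervals:
        print(f"AP down from t={start}s to t={end}s")

    # Constructed input: occasional failures, never 3 inside 60 seconds.
    print(simulate_countermeasures([0, 30, 70, 100, 140]))
```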