Port Authenticator

Port > Configure > PAE > Port Authenticator

The Port Access Entity (PAE) that performs authentication before allowing access to services available through that port is referred to as the authenticator PAE. In the authenticator role, the PAE is responsible for communicating with the supplicant and forwarding the information received from the supplicant to a suitable authentication server, in order to verify the credentials and determine the appropriate authorization state. Keep in mind that the functionality of the authenticator PAE is independent of the actual authentication method. It merely acts as an intermediary for the authentication exchange.

The Port Authenticator Configuration dialog box displays the following data:

State (dot1xAuthPaeState)

Backend Authentication  (dot1xAuthBackendAuthState)

Admin Control Directions (dot1xAuthAdminControlledDirections)

Operation Control Directions (dot1xAuthOperControlledDirections)

Port Status (dot1xAuthAuthControlledPortStatus)

Port Control (dot1xAuthAuthControlledPortControl)

Authentication (dot1xAuthReAuthEnabled)

Authentication Key (dot1xAuthKeyTxEnabled)

Auth-Bypass (cpaeMacAuthBypassPortEnabled)

Auth-Bypass Initialization (cpaeMacAuthBypassPortInitialize)

Reauthentication (cpaeMacAuthBypassPortReAuth)

Mac Address (cpaeMacAuthBypassPortMacAddress)

State (cpaeMacAuthBypassPortAuthState)

Web Authentication (cpaeWebAuthPortEnabled)

Web Auth Initialization (cpaeWebAuthPortInitialize)

Term Action (cpaeMacAuthBypassPortTermAction)

Time Left (cpaeMacAuthBypassSessionTimeLeft)

AAA Fail Policy (cpaeWebAuthPortAaaFailPolicy)


State (dot1xAuthPaeState)

Current value of the Authenticator PAE state machine.


Backend Authentication  (dot1xAuthBackendAuthState)

Current state of the Backend Authentication state machine.


Admin Control Directions (dot1xAuthAdminControlledDirections)

Current value of the administratively controlled directions parameter for this port.


Operation Control Directions (dot1xAuthOperControlledDirections)

Current value of the operationally controlled directions parameter for this port.


Port Status (dot1xAuthAuthControlledPortStatus)

Current value of the controlled port status parameter for this port.


Port Control (dot1xAuthAuthControlledPortControl)

Current value of the controlled port control parameter for this port.

Note: This object cannot be modified on a channeling port.


Authentication (dot1xAuthReAuthEnabled)

Enable/disable control used by the Reauthentication Timer state machine.


Authentication Key (dot1xAuthKeyTxEnabled)

Value of the Key Transmission–enabled constant currently in use by the Authenticator PAE state machine.


Auth-Bypass (cpaeMacAuthBypassPortEnabled)

Indicates whether MAC Auth-Bypass is enabled on this port.


Auth-Bypass Initialization (cpaeMacAuthBypassPortInitialize)

Initialization control setting for this port.

When this object is set to true, the MAC Auth-bypass state machine is initialized on this port.

When this object is set to false, nothing happens.

  Note: This object always returns the value false when read.


Reauthentication (cpaeMacAuthBypassPortReAuth)

Reauthentication control setting for this port.

When this object is set to true, the MAC address of the device connecting to this port is reauthenticated.

When this object is set to false, nothing happens.

  Note: This object always returns the value false when read.


Mac Address (cpaeMacAuthBypassPortMacAddress)

MAC address of the device connecting to this port.


State (cpaeMacAuthBypassPortAuthState)

Current state of the MAC Auth-Bypass state machine.

There are seven possible values:

other(1): Indicates an unknown state.

waiting(2): The state machine is waiting to receive the MAC address that needs to be authenticated.

authenticating(3): In authentication process.

authenticated(4): MAC address of the device connecting to this port has been authenticated.

fail(5): MAC Auth-bypass authentication failed.

  If there are no other authentication features available in the system, this port waits for a period of time before moving to the waiting state.

finished(6): MAC Auth-bypass authentication failed.

  This port has been authenticated by another authentication feature.

aaaFail(7): The AAA server is not reachable after either the authentication request is sent or after the reauthentication timeout expires (with Inaccessible Authentication Bypass (IAB) enabled on the port).


Web Authentication (cpaeWebAuthPortEnabled)

Specifies whether web proxy authentication is enabled on this port.


Web Auth Initialization (cpaeWebAuthPortInitialize)

Initialization control setting for this port.

When this object is set to true, the web proxy authentication state machine is initialized for all hosts connecting to this port.

When this object is set to false, nothing happens.

  Note: This object always returns the value false when read.


Term Action (cpaeMacAuthBypassPortTermAction)

The termination action received from a RADIUS server that will be applied on the port when the current session timeout expires. There are three possible values:

other: none of the following

init: the current session will be terminated and a new authentication process will be initiated

reauth: reauthentication will be applied without terminating the current session


Time Left (cpaeMacAuthBypassSessionTimeLeft)

Indicates the amount of time remaining in the current MAC Auth-Bypass session on this port.


AAA Fail Policy (cpaeWebAuthPortAaaFailPolicy)

The policy name to be applied on the port when the value of the corresponding cpaeWebAuthHostState is aaaFail. The specified policy name must either be an existing entry in cpgPolicyTable (defined in CISCO-POLICY-GROUP-MIB) or an empty string, which indicates that there will be no policy name applied on the port when the value of the corresponding cpaeWebAuthHostState is aaaFail.