Initializing 802.1x on a port, Allowing access to multiple hosts, Configuring 802.1x multiple-host authentication – Brocade TurboIron 24X Series Configuration Guide User Manual


Brocade TurboIron 24X Series Configuration Guide

53-1003053-01

Configuring 802.1X port security

Specifying a timeout for retransmission of messages to the authentication server

When performing authentication, the device receives EAPOL frames from the Client and passes the
messages on to the RADIUS server. The device expects a response from the RADIUS server within
30 seconds. If the RADIUS server does not send a response within 30 seconds, the device
retransmits the message to the RADIUS server. The time constraint for retransmission of messages
to the Authentication Server can be between 0 and 4294967295 seconds.

For example, to configure the device to retransmit a message if the Authentication Server does not
respond within 45 seconds, enter the following command.

TurboIron(config-dot1x)#servertimeout 45

Syntax: servertimeout <seconds>

Initializing 802.1X on a port

To initialize 802.1X port security on a port, enter a command such as the following.

TurboIron#dot1x initialize e 1

Syntax: dot1x initialize ethernet <portnum>

The <portnum> parameter is a valid port number.
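A pre-change check for the two commands documented above, given as an added example (it is not code from Brocade or from this manual). It validates prompt-plus-command lines against the syntax and the 0 to 4294967295 range stated on this page. Assumptions: the prompt levels shown in the page's examples are treated as required, any prefix of "ethernet" is accepted because the page's example uses "e", and REVIEW_THRESHOLD is a hypothetical site policy value.

```python
import re

MAX_SECONDS = 4294967295   # upper bound stated in the manual
REVIEW_THRESHOLD = 300     # hypothetical site policy, not from the manual
PROMPT = re.compile(r"^[\w.-]+(?:\(([\w-]+)\))?#\s*(.*)$")
UINT = re.compile(r"[0-9]+").fullmatch

def check_line(line):
    """Classify one prompt+command line as ('ok'|'warn'|'error', message)."""
    m = PROMPT.match(line.strip())
    if not m:
        return ("error", "no CLI prompt found")
    mode, words = m.group(1), m.group(2).split()
    if words[:1] == ["servertimeout"]:
        if mode != "config-dot1x":  # assumption: level shown in the page's example
            return ("error", "servertimeout is shown at the (config-dot1x) prompt")
        if len(words) != 2 or not UINT(words[1]):
            return ("error", "expected: servertimeout <seconds>")
        seconds = int(words[1])
        if seconds > MAX_SECONDS:
            return ("error", f"{seconds} exceeds {MAX_SECONDS}")
        if seconds > REVIEW_THRESHOLD:
            return ("warn", f"{seconds}s before a lost RADIUS request is retransmitted")
        return ("ok", f"retransmit after {seconds}s without a RADIUS response")
    if words[:2] == ["dot1x", "initialize"]:
        if mode is not None:  # assumption: level shown in the page's example
            return ("error", "dot1x initialize is shown at the TurboIron# prompt")
        # Assumption: keyword prefixes such as "e" are accepted, as in "e 1".
        if len(words) != 4 or not "ethernet".startswith(words[2]) or not UINT(words[3]):
            return ("error", "expected: dot1x initialize ethernet <portnum>")
        return ("ok", f"re-initialise 802.1X on port {words[3]}")
    return ("error", "command not covered by this checker")

def review(script):
    """Return [(line_no, status, message)] for every non-blank line."""
    return [(n, *check_line(l)) for n, l in enumerate(script.splitlines(), 1) if l.strip()]

SAMPLE = """\
TurboIron(config-dot1x)#servertimeout 45
TurboIron(config)#servertimeout 45
TurboIron(config-dot1x)#servertimeout 4294967296
TurboIron(config-dot1x)#servertimeout 86400
TurboIron#dot1x initialize e 1
TurboIron#dot1x initialize vlan 1
"""  # constructed change script for the demonstration

if __name__ == "__main__":
    for n, status, msg in review(SAMPLE):
        print(f"line {n}: {status:5} {msg}")
```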

Allowing access to multiple hosts

Devices support 802.1X authentication for ports with more than one host connected to them. If
there are multiple hosts connected to a single 802.1X-enabled port, the device authenticates each
of them individually. Refer to “Configuring 802.1X multiple-host authentication” on page 966.

Configuring 802.1X multiple-host authentication

When multiple hosts are connected to the same 802.1X-enabled port, the functionality described
in “How 802.1X Multiple-host authentication works” on page 948 is enabled by default. You can
optionally do the following:

Specify the authentication-failure action

Specify the number of authentication attempts the device makes before dropping packets

Disable aging for dot1x-mac-sessions

Configure aging time for blocked Clients

Clear the dot1x-mac-session for a MAC address

Specifying the authentication-failure action

In an 802.1X multiple-host configuration, if RADIUS authentication for a Client is unsuccessful,
traffic from that Client is either dropped in hardware (the default), or the Client port is placed in a
“restricted” VLAN. You can specify which of these two authentication-failure actions is to be used.
If the authentication-failure action is to place the port in a restricted VLAN, you can specify the ID of
the restricted VLAN.

To specify that the authentication-failure action is to place the Client port in a restricted VLAN, enter
the following command.
