Dropping packets, Disabling, Aging for dot1x-mac-sessions – Brocade TurboIron 24X Series Configuration Guide User Manual


Brocade TurboIron 24X Series Configuration Guide

967

53-1003053-01

Configuring 802.1X port security

TurboIron(config)#dot1x-enable

TurboIron(config-dot1x)#auth-fail-action restricted-vlan

Syntax: [no] auth-fail-action restricted-vlan

To specify the ID of the restricted VLAN as VLAN 300, enter the following command.

TurboIron(config-dot1x)#auth-fail-vlanid 300

Syntax: [no] auth-fail-vlanid <vlan-id>

Specifying the number of authentication attempts the device makes before dropping packets
When the authentication-failure action is to drop traffic from the Client, and the device's initial
attempt to authenticate the Client is unsuccessful, the device immediately retries the
authentication. After three unsuccessful authentication attempts, the Client dot1x-mac-session is
set to “access-denied”, causing traffic from the Client to be dropped in hardware.

You can optionally configure the number of authentication attempts the device makes before
dropping traffic from the Client. To do so, enter a command such as the following.

TurboIron(config-dot1x)#auth-fail-max-attempts 2

Syntax: [no] auth-fail-max-attempts <attempts>

By default, the device makes 3 attempts to authenticate a Client before dropping packets from the
Client. You can specify from 1 to 10 authentication attempts.

Disabling aging for dot1x-mac-sessions
The dot1x-mac-sessions for Clients authenticated or denied by a RADIUS server are aged out if no
traffic is received from the Client MAC address for a certain period of time. After a Client
dot1x-mac-session is aged out, the Client must be re-authenticated:

Permitted dot1x-mac-sessions, which are the dot1x-mac-sessions for authenticated Clients, as
well as for non-authenticated Clients whose ports have been placed in the restricted VLAN, are
aged out if no traffic is received from the Client MAC address over the normal MAC aging
interval on the device.

Denied dot1x-mac-sessions, which are the dot1x-mac-sessions for non-authenticated Clients
that are blocked by the device, are aged out over a configurable software aging period. (Refer to
the next section for more information on configuring the software aging period.)

You can optionally disable aging of the permitted or denied dot1x-mac-sessions, or both, on the
device.

To disable aging of the permitted dot1x-mac-sessions, enter the following command.

TurboIron(config-dot1x)#mac-session-aging no-aging permitted-mac-only

Syntax: [no] mac-session-aging no-aging permitted-mac-only

To disable aging of the denied dot1x-mac-sessions, enter the following command.

TurboIron(config-dot1x)#mac-session-aging no-aging denied-mac-only

Syntax: [no] mac-session-aging no-aging denied-mac-only

NOTE: This command enables aging of permitted dot1x-mac-sessions; only the denied sessions stop aging.
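The following is an added example, not part of the Brocade guide, that folds the dot1x commands shown in the two sections above (auth-fail-action, auth-fail-vlanid, auth-fail-max-attempts and mac-session-aging, including their [no] forms) into the effective state for a running-config excerpt and flags settings a reviewer would want to know about. The sample configuration is constructed, the "drop" default for auth-fail-action is an assumption, and the mutually exclusive modelling of the two no-aging forms follows the NOTE above.

```python
import re
from dataclasses import dataclass, field
from typing import Optional
# Constructed sample of a TurboIron-style running-config excerpt (not a real device capture).
SAMPLE_CONFIG = """\
dot1x-enable
 auth-fail-action restricted-vlan
 auth-fail-vlanid 300
 auth-fail-max-attempts 2
 mac-session-aging no-aging denied-mac-only
"""

@dataclass
class Dot1xState:
    enabled: bool = False
    auth_fail_action: str = "drop"      # assumption: traffic is dropped when no action is set
    restricted_vlan: Optional[int] = None
    max_attempts: int = 3               # default stated on the page (valid range 1-10)
    aging: dict = field(default_factory=lambda: {"permitted": True, "denied": True})
    findings: list = field(default_factory=list)

def parse_dot1x(config: str) -> Dot1xState:
    st = Dot1xState()
    for raw in config.splitlines():
        line = raw.strip()
        negate = line.startswith("no ")
        if negate:
            line = line[3:]
        if line == "dot1x-enable":
            st.enabled = not negate
        elif m := re.fullmatch(r"auth-fail-action (\S+)", line):
            st.auth_fail_action = "drop" if negate else m.group(1)
        elif m := re.fullmatch(r"auth-fail-vlanid (\d+)", line):
            st.restricted_vlan = None if negate else int(m.group(1))
        elif m := re.fullmatch(r"auth-fail-max-attempts (\d+)", line):
            n = int(m.group(1))
            if not negate and not 1 <= n <= 10:
                st.findings.append(f"auth-fail-max-attempts {n} is outside the 1-10 range")
            else:
                st.max_attempts = 3 if negate else n   # [no] form restores the default
        elif m := re.fullmatch(r"mac-session-aging no-aging (permitted|denied)-mac-only", line):
            # Per the page's NOTE, the denied-mac-only form leaves permitted sessions aging,
            # so both forms are modelled as one mutually exclusive setting.
            st.aging = {"permitted": True, "denied": True}
            st.aging[m.group(1)] = negate
    if st.auth_fail_action == "restricted-vlan" and st.restricted_vlan is None:
        st.findings.append("auth-fail-action restricted-vlan set but no auth-fail-vlanid configured")
    if not st.aging["denied"]:
        st.findings.append("denied sessions never age out; blocked Clients are not re-authenticated automatically")
    return st
```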
