Clearing a dot1x-mac-session for a mac address – Brocade TurboIron 24X Series Configuration Guide User Manual

968

Brocade TurboIron 24X Series Configuration Guide

53-1003053-01

Configuring 802.1X port security

As a shortcut, use the command [no] mac-session-aging to enable or disable aging for permitted
and denied sessions.

Specifying the aging time for blocked clients
When the device is configured to drop traffic from non-authenticated Clients, traffic from the
blocked Clients is dropped in hardware, without being sent to the CPU. A Layer 2 CAM entry is
created that drops traffic from the blocked Client MAC address in hardware. If no traffic is received
from the blocked Client MAC address for a certain amount of time, this Layer 2 CAM entry is aged
out. If traffic is subsequently received from the Client MAC address, then an attempt can be made
to authenticate the Client again.

Aging of the Layer 2 CAM entry for a blocked Client MAC address occurs in two phases, known as
hardware aging and software aging. The hardware aging period is fixed at 70 seconds and is
non-configurable. The software aging time is configurable through the CLI.

Once the device stops receiving traffic from a blocked Client MAC address, the hardware aging
begins and lasts for a fixed period of time. After the hardware aging period ends, the software
aging period begins. The software aging period lasts for a configurable amount of time (by default
120 seconds). After the software aging period ends, the blocked Client MAC address ages out, and
can be authenticated again if the device receives traffic from the Client MAC address.

Change the length of the software aging period for a blocked Client MAC address by entering a
command such as the following.

TurboIron(config)#mac-session-aging max-age 180

Syntax: [no] mac-session-aging max-age <seconds>

You can specify from 1 – 65535 seconds. The default is 120 seconds.

Clearing a dot1x-mac-session for a MAC address
You can clear the dot1x-mac-session for a specified MAC address, so that the Client with that MAC
address can be re-authenticated by the RADIUS server.

Example

TurboIron#clear dot1x mac-session 0000.0034.abd4

Syntax: clear dot1x mac-session <mac-address>
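The two-phase aging of a blocked client and the clear dot1x mac-session command described above, modelled as an added Python example (this is not Brocade code). The only behaviour it assumes beyond the guide's wording is that a frame from a still-blocked MAC restarts the idle clock for its CAM entry.

```python
from dataclasses import dataclass, field

HW_AGING_SECONDS = 70     # hardware aging period: fixed, non-configurable
DEFAULT_MAX_AGE = 120     # software aging default (mac-session-aging max-age)


@dataclass
class BlockedMacTable:
    """Models the Layer 2 CAM entries the switch keeps for blocked 802.1X clients."""
    max_age: int = DEFAULT_MAX_AGE
    last_seen: dict = field(default_factory=dict)  # MAC -> time of last frame seen

    def set_max_age(self, seconds: int) -> None:
        """mac-session-aging max-age <seconds>; the CLI accepts 1-65535."""
        if not 1 <= seconds <= 65535:
            raise ValueError("max-age must be between 1 and 65535 seconds")
        self.max_age = seconds

    def block(self, mac: str, now: float) -> None:
        """Authentication failed: install a hardware drop entry for this MAC."""
        self.last_seen[mac] = now

    def phase(self, mac: str, now: float) -> str:
        """Which aging phase the entry is in after (now - last_seen) idle seconds."""
        if mac not in self.last_seen:
            return "not-blocked"
        idle = now - self.last_seen[mac]
        if idle < HW_AGING_SECONDS:
            return "hardware-aging"
        if idle < HW_AGING_SECONDS + self.max_age:
            return "software-aging"
        return "aged-out"

    def frame_from(self, mac: str, now: float) -> str:
        """Action the switch takes on a frame from `mac` at time `now`."""
        state = self.phase(mac, now)
        if state == "not-blocked":
            return "authenticate"
        if state == "aged-out":
            # entry has aged out: remove it and let the client try 802.1X again
            del self.last_seen[mac]
            return "authenticate"
        # Assumption (not stated outright in the guide): a frame from a still-blocked
        # MAC is dropped in hardware and restarts the idle clock for the entry.
        self.last_seen[mac] = now
        return "drop-in-hardware"

    def clear(self, mac: str) -> bool:
        """clear dot1x mac-session <mac-address>: drop the entry immediately."""
        return self.last_seen.pop(mac, None) is not None
```

With the default max-age, a blocked MAC becomes eligible for re-authentication only after 70 + 120 = 190 seconds of silence; raising max-age to 180 pushes that to 250 seconds.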

Configuring VLAN access for non-EAP-capable clients

You can configure the device to grant "guest" or restricted VLAN access to clients that do not
support the Extensible Authentication Protocol (EAP). The restricted VLAN limits access to the
network or applications, instead of blocking access to these services altogether.

When the device receives the first packet (non-EAP packet) from a client, the device waits for 10
seconds or the amount of time specified with the timeout restrict-fwd-period command. If the
device does not receive subsequent packets after the timeout period, the device places the client
on the restricted VLAN.

This feature is disabled by default. To enable this feature and change the timeout period, enter
commands such as the following.

TurboIron(config)#dot1x-enable

TurboIron(config-dot1x)#restrict-forward-non-dot1x

TurboIron(config-dot1x)#timeout restrict-fwd-period 15
