
Brocade TurboIron 24X Series Configuration Guide

949

53-1003053-01

How 802.1X port security works

When a Client has been denied access to the network, its dot1x-mac-session is aged out if no traffic is received from the Client MAC address over a fixed hardware aging period (70 seconds), plus a configurable software aging period. You can optionally change the software aging period for dot1x-mac-sessions or disable aging altogether. After the denied Client dot1x-mac-session is aged out, traffic from that Client is no longer blocked, and the Client can be re-authenticated.

In addition, you can disable aging for the dot1x-mac-session of Clients that have either been granted full access to the network or been placed in a restricted VLAN. After a Client dot1x-mac-session ages out, the Client must be re-authenticated. Refer to “Disabling aging for dot1x-mac-sessions” on page 967 for more information.

Dynamic IP ACL and MAC address filter assignment is supported in an 802.1X multiple-host configuration. Refer to “Dynamically applying IP ACLs and MAC filters to 802.1X ports” on page 958.

802.1X multiple-host authentication has the following additions:

• Configurable hardware aging period for denied client dot1x-mac-sessions. Refer to “Configurable hardware aging period for denied client dot1x-mac-sessions” on page 949.
• Dynamic ACL and MAC address filter assignment in 802.1X multiple-host configurations. Refer to “Dynamically applying IP ACLs and MAC filters to 802.1X ports” on page 958.
• Dynamic multiple VLAN assignment for 802.1X ports. Refer to “Dynamic multiple VLAN assignment for 802.1X ports” on page 955.
• Configure a restriction to forward authenticated and unauthenticated tagged and untagged clients to a restricted VLAN.
• Configure an override to send failed dot1x and non-dot1x clients to a restricted VLAN.
• Configure VLAN assignments for clients attempting to gain access through dual-mode ports.
• Enhancements to some show commands.
• Differences in command syntax for saving dynamic VLAN assignments to the startup-config file.

Configurable hardware aging period for denied client dot1x-mac-sessions

When one of the 802.1X-enabled Clients in a multiple-host configuration attempts to log into a
network in which a device serves as an Authenticator, the device creates a dot1x-mac-session for
the Client.

When a Client has been denied access to the network, its dot1x-mac-session is aged out if no
traffic is received from the Client MAC address over a period of time. After a denied Client
dot1x-mac-session ages out, the Client can be re-authenticated. Aging of a denied Client's
dot1x-mac-session occurs in two phases, known as hardware aging and software aging.

The hardware aging period for a denied Client's dot1x-mac-session is not fixed at 70 seconds; it is equal to the length of time specified with the dot1x timeout quiet-period command. By default, the hardware aging time is 60 seconds. Once the hardware aging period ends, the software aging period begins. When the software aging period ends, the denied Client's dot1x-mac-session ages out, and the Client can be authenticated again.
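To make the two aging phases concrete, the following Python model is an added example (not code from the Brocade guide or from the switch firmware). It treats the hardware aging period as the quiet-period (default 60 s, as stated above) and assumes a 120 s software aging period as a placeholder, with `None` standing for "aging disabled"; any frame from the denied MAC that arrives while the session is still blocked restarts the idle timer.

```python
"""Two-phase aging of a denied client's dot1x-mac-session (hardware, then software)."""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass
class AgingConfig:
    # Hardware aging period: equals "dot1x timeout quiet-period"; default 60 s per the guide.
    quiet_period: int = 60
    # Software aging period; None models aging disabled. 120 s is an assumed placeholder,
    # not a default taken from the guide.
    software_aging: Optional[int] = 120

    def total(self) -> Optional[int]:
        """Idle time after which a denied session ages out, or None if it never does."""
        return None if self.software_aging is None else self.quiet_period + self.software_aging


def _last_kept_alive(denied_at: int, traffic_at: Iterable[int], total: Optional[int],
                     upto: Optional[int] = None) -> int:
    """Time of the last frame that arrived while the session was still blocked."""
    last_seen = denied_at
    for t in sorted(traffic_at):
        if t < denied_at or (upto is not None and t > upto):
            continue                      # before the deny, or after the instant inspected
        if total is not None and t >= last_seen + total:
            break                         # session had already aged out; timer not restarted
        last_seen = t                     # frame while blocked: idle timer restarts
    return last_seen


def age_out_time(denied_at: int, traffic_at: Iterable[int], cfg: AgingConfig) -> Optional[int]:
    """When the denied session ages out and the client may re-authenticate (None = never)."""
    total = cfg.total()
    if total is None:
        return None
    return _last_kept_alive(denied_at, traffic_at, total) + total


def phase(denied_at: int, traffic_at: Iterable[int], now: int, cfg: AgingConfig) -> str:
    """Aging phase of the denied session at time `now`: hardware, software or aged-out."""
    total = cfg.total()
    idle = now - _last_kept_alive(denied_at, traffic_at, total, upto=now)
    if idle < cfg.quiet_period:
        return "hardware"
    if total is None or idle < total:
        return "software"
    return "aged-out"
```

With the defaults, a client denied at t=0 that sends frames at t=50 and t=170 (a constructed scenario) stays blocked until t=350, because each frame restarted the 180 s idle timer.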
