Initializing 802.1x on a port, Allowing multiple 802.1x clients to authenticate, Packets – Brocade BigIron RX Series Configuration Guide User Manual

Page 1141: Specifying the authentication-failure action

Advertising
background image

BigIron RX Series Configuration Guide

1063

53-1002484-04

Configuring 802.1x port security

34

Initializing 802.1x on a port

To initialize 802.1x port security on a port, or to flush all of its information on that port and start
again, enter a command such as the following.

BigIron RX# dot1x initialize e 3/1

Syntax: dot1x initialize <portnum>

Allowing multiple 802.1x clients to authenticate

If there are multiple clients connected to a single 802.1x-enabled port, the BigIron RX
authenticates each of them individually. When multiple clients are connected to the same
802.1x-enabled port, the functionality described in

“How 802.1x multiple client authentication

works”

on page 1051 is enabled by default. You can optionally do the following:

Specify the authentication-failure action

Specify the number of authentication attempts the device makes before dropping packets

Disabling aging for dot1x-mac-sessions

Configure aging time for blocked Clients

Clear the dot1x-mac-session for a MAC address

Specifying the authentication-failure action

In an 802.1x multiple client configuration, if RADIUS authentication for a Client is unsuccessful,
traffic from that Client is either dropped in hardware (the default), or the Client’s port is placed in a
“restricted” VLAN. You can specify which of these two authentication-failure actions is to be used.
If the authentication-failure action is to place the port in a restricted VLAN, you can specify the ID of
the restricted VLAN.

To specify that the authentication-failure action is to place the Client’s port in a restricted VLAN,
enter the following command.

BigIron RX(config)# dot1x-enable

BigIron RX(config-dot1x)# auth-fail-action restricted-vlan

Syntax: [no] auth-fail-action restricted-vlan

To specify the ID of the restricted VLAN as VLAN 300, enter the following command.

BigIron RX(config-dot1x)# auth-fail-vlanid 300

Syntax: [no] auth-fail-vlanid <vlan-id>

Specifying the number of authentication attempts the device
makes before dropping packets

When the authentication-failure action is to drop traffic from the Client, and the initial
authentication attempt made by the device to authenticate the Client is unsuccessful, the BigIron
RX immediately retries to authenticate the Client. After three unsuccessful authentication
attempts, the Client’s dot1x-mac-session is set to “access-denied”, causing traffic from the Client
to be dropped in hardware.

You can optionally configure the number of authentication attempts the device makes before
dropping traffic from the Client. To do so, enter a command such as the following.

Advertising
Popular Brands
Popular manuals