Initializing 802.1x on a port, Allowing multiple 802.1x clients to authenticate, Dropping packets – Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual

Page 332: Optional), Specifying the authentication-failure action

Advertising
background image

314

Multi-Service IronWare Security Configuration Guide

53-1003035-02

Configuring 802.1x port security

8

Initializing 802.1x on a port

To initialize 802.1x port security on a port, or to flush all of its information on that port and start
again, enter a command such as the following.

Brocade# dot1x initialize e 3/1

Syntax: dot1x initialize portnum

Allowing multiple 802.1x clients to authenticate

If there are multiple clients connected to a single 802.1x-enabled port, the device authenticates
each of them individually. When multiple clients are connected to the same 802.1x-enabled port,
the functionality described in

“How 802.1x multiple client authentication works”

is enabled by

default. You can optionally do the following:

Specify the authentication-failure action

Specify the number of authentication attempts the device makes before dropping packets

Disabling aging for dot1x-mac-sessions

Configure aging time for blocked clients

Clear the dot1x-mac-session for a MAC address

Specifying the authentication-failure action

In an 802.1x multiple client configuration, if RADIUS authentication for a client is unsuccessful,
traffic from that client is either dropped in hardware (the default), or the client’s port is placed in a
“restricted” VLAN. You can specify which of these two authentication-failure actions is to be used. If
the authentication-failure action is to place the port in a restricted VLAN, you can specify the ID of
the restricted VLAN.

To specify that the authentication-failure action is to place the client’s port in a restricted VLAN,
enter the following command.

Brocade(config)# dot1x-enable

Brocade(config-dot1x)# auth-fail-action restricted-vlan

Syntax: [no] auth-fail-action restricted-vlan

To specify the ID of the restricted VLAN as VLAN 300, enter the following command.

Brocade(config-dot1x)# auth-fail-vlanid 300

Syntax: [no] auth-fail-vlanid vlan-id

Specifying the number of authentication attempts the
device makes before dropping packets

When the initial authentication attempt made by the device to authenticate the client is
unsuccessful, the device immediately retries to authenticate the client. After three unsuccessful
authentication attempts, the client’s802.1x MAC authentication session is set to either
“access-denied” or the port is moved to restricted VLAN.

You can optionally configure the number of authentication attempts the device makes. To do so,
enter a command such as the following.

Advertising
Popular Brands
Popular manuals