How 802.1x multiple client authentication works – Brocade BigIron RX Series Configuration Guide User Manual

BigIron RX Series Configuration Guide

1051

53-1002484-04

How 802.1x port security works

34

By default, traffic from clients that cannot be authenticated by the RADIUS server is dropped in
hardware. You can optionally configure the BigIron RX to assign the port to a “restricted” VLAN if
authentication of the Client is unsuccessful.

How 802.1x multiple client authentication works

When multiple clients are connected to a single 802.1x-enabled port on a BigIron RX (as in

Figure 138

), 802.1x authentication is performed in the following way.

1. One of the 802.1x-enabled Clients attempts to log into a network in which a BigIron RX serves

as an Authenticator.

2. The BigIron RX creates an internal session (called a dot1x-mac-session) for the Client. A

dot1x-mac-session serves to associate a Client’s MAC address and username with its
authentication status.

3. The BigIron RX performs 802.1x authentication for the Client. Messages are exchanged

between the BigIron RX and the Client, and between the device and the Authentication Server
(RADIUS server). The result of this process is that the Client is either successfully
authenticated or not authenticated, based on the username and password supplied by the
client.

4. If the Client is successfully authenticated, the Client’s dot1x-mac-session is set to

“access-is-allowed”. This means that traffic from the Client can be forwarded normally.

5. If authentication for the Client is unsuccessful the first time, multiple attempts to authenticate

the client will be made as determined by the attempts variable in the auth-fail-max-attempts
command.

Refer to

“Specifying the number of authentication attempts the device makes before dropping

packets”

on page 1063 for information on how to do this.

6. If authentication for the Client is unsuccessful more than the number of times specified by the

attempts variable in the auth-fail-max-attempts command, an authentication-failure action is
taken. The authentication-failure action can be either to drop traffic from the Client, or to place
the port in a “restricted” VLAN:

•

If the authentication-failure action is to drop traffic from the Client, then the Client’s
dot1x-mac-session is set to “access-denied”, causing traffic from the Client to be dropped
in hardware.

•

If the authentication-failure action is to place the port in a “restricted” VLAN, If the Client’s
dot1x-mac-session is set to “access-restricted” then the port is moved to the specified
restricted VLAN, and traffic from the Client is forwarded normally.

7. When the Client disconnects from the network, the BigIron RX deletes the Client’s

dot1x-mac-session. This does not affect the dot1x-mac-session or authentication status (if any)
of the other clients connected on the port.

NOTE:

•

The Client’s dot1x-mac-session establishes a relationship between the username and
MAC address used for authentication. If a user attempts to gain access from different
Clients (with different MAC addresses), he or she would need to be authenticated from
each Client.