Brocade ICX 6650 Security Configuration Guide

53-1002601-01

802.1X port security configuration

To specify on an individual port that the authentication-failure action is to place the client port in
restricted VLAN 300, enter the following command at the interface configuration level.

Brocade(config-if-e10000-1/1/1)# dot1x auth-fail-action restrict-vlan 300

Syntax: [no] dot1x auth-fail-action restrict-vlan vlan-id

Specifying the number of authentication attempts the device makes before dropping packets
When the authentication-failure action is to drop traffic from the Client, and the initial
authentication attempt made by the device to authenticate the Client is unsuccessful, the Brocade
device immediately retries to authenticate the Client. After three unsuccessful authentication
attempts, the Client dot1x-mac-session is set to “access-denied”, causing traffic from the Client to
be dropped in hardware.

Optionally, you can configure the number of authentication attempts the device makes before
dropping traffic from the Client. To do so, enter a command such as the following.

Brocade(config-dot1x)# auth-fail-max-attempts 2

Syntax: [no] auth-fail-max-attempts attempts

By default, the device makes three attempts to authenticate a Client before dropping packets from
the Client. You can specify from 1 through 10 authentication attempts.

Disabling aging for dot1x-mac-sessions
The dot1x-mac-sessions for Clients authenticated or denied by a RADIUS server are aged out if no
traffic is received from the Client MAC address for a certain period of time. After a Client
dot1x-mac-session is aged out, the Client must be re-authenticated:

- Permitted dot1x-mac-sessions, which are the dot1x-mac-sessions for authenticated Clients, as
  well as for non-authenticated Clients whose ports have been placed in the restricted VLAN, are
  aged out if no traffic is received from the Client MAC address over the normal MAC aging
  interval on the Brocade device.

- Denied dot1x-mac-sessions, which are the dot1x-mac-sessions for non-authenticated Clients
  that are blocked by the Brocade device, are aged out over a configurable software aging period.
  (Refer to the next section for more information on configuring the software aging period.)

You can optionally disable aging of the permitted or denied dot1x-mac-sessions, or both, on the
Brocade device.

To disable aging of the permitted dot1x-mac-sessions, enter the following command.

Brocade(config-dot1x)# mac-session-aging no-aging permitted-mac-only

Syntax: [no] mac-session-aging no-aging permitted-mac-only

To disable aging of the denied dot1x-mac-sessions, enter the following command.

Brocade(config-dot1x)# mac-session-aging no-aging denied-mac-only

Syntax: [no] mac-session-aging no-aging denied-mac-only

NOTE

This command disables aging only for denied dot1x-mac-sessions; permitted dot1x-mac-sessions
continue to age out over the normal MAC aging interval. A denied session that never ages out is
never re-authenticated through aging, so a Client that is blocked stays blocked until its
session is removed by other means.
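The following model, added here and not taken from Brocade software or this guide, exercises the rules stated in the two sections above together: the device retries a failed Client immediately until auth-fail-max-attempts is reached and then sets the dot1x-mac-session to access-denied (or places the Client in the restricted VLAN when that is the failure action); permitted and restricted-VLAN sessions age over the MAC aging interval, denied sessions over the software aging period; and the no-aging options suppress aging per class, after which an aged Client must re-authenticate. The timer values, the rule that any frame refreshes a session's idle timer, the use of the retry count under the restrict-vlan action, and the MAC addresses and RADIUS decisions are all constructed assumptions for illustration.

```python
"""Model of the dot1x-mac-session lifecycle as described in the guide (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

DEFAULT_MAX_ATTEMPTS = 3   # device default: three authentication attempts before dropping


@dataclass
class AgingPolicy:
    mac_aging_interval: int = 300     # assumed normal MAC aging interval (seconds)
    denied_aging_period: int = 120    # assumed software aging period for denied sessions
    no_aging_permitted: bool = False  # mac-session-aging no-aging permitted-mac-only
    no_aging_denied: bool = False     # mac-session-aging no-aging denied-mac-only


@dataclass
class Session:
    mac: str
    state: str            # "permitted", "restricted" (restricted VLAN) or "access-denied"
    failed_attempts: int
    last_traffic: int     # time of the last frame seen from this MAC


class CountingRadius:
    """Constructed stand-in for the RADIUS server: accepts listed MACs, counts requests."""

    def __init__(self, accepted):
        self.accepted = set(accepted)
        self.requests: Dict[str, int] = {}

    def __call__(self, mac: str) -> bool:
        self.requests[mac] = self.requests.get(mac, 0) + 1
        return mac in self.accepted


class Dot1xPort:
    """One 802.1X-enabled port; `radius` answers True/False per authentication attempt."""

    def __init__(self, radius: Callable[[str], bool], max_attempts: int = DEFAULT_MAX_ATTEMPTS,
                 restrict_vlan: Optional[int] = None, aging: Optional[AgingPolicy] = None):
        if not 1 <= max_attempts <= 10:           # auth-fail-max-attempts accepts 1 through 10
            raise ValueError("auth-fail-max-attempts must be 1..10")
        self.radius = radius
        self.max_attempts = max_attempts
        self.restrict_vlan = restrict_vlan        # None: auth-fail-action is to drop traffic
        self.aging = aging or AgingPolicy()
        self.sessions: Dict[str, Session] = {}

    def _authenticate(self, mac: str, now: int) -> Session:
        # The device retries immediately after each failure until max_attempts is reached.
        # Assumption: the same retry loop applies when the failure action is restrict-vlan.
        failures = 0
        while failures < self.max_attempts:
            if self.radius(mac):
                return Session(mac, "permitted", failures, now)
            failures += 1
        state = "restricted" if self.restrict_vlan is not None else "access-denied"
        return Session(mac, state, failures, now)

    def frame_received(self, mac: str, now: int) -> str:
        """Handle a frame from `mac`; returns the session state ("access-denied" = dropped)."""
        s = self.sessions.get(mac)
        if s is None:                            # no session: (re-)authenticate the Client
            s = self.sessions[mac] = self._authenticate(mac, now)
        s.last_traffic = now                     # assumption: any frame refreshes the idle timer
        return s.state

    def age(self, now: int) -> List[str]:
        """Expire idle sessions per class; an expired Client re-authenticates on its next frame."""
        expired = []
        for mac, s in list(self.sessions.items()):
            if s.state == "access-denied":
                if self.aging.no_aging_denied:
                    continue
                limit = self.aging.denied_aging_period
            else:                                # permitted and restricted-VLAN sessions age alike
                if self.aging.no_aging_permitted:
                    continue
                limit = self.aging.mac_aging_interval
            if now - s.last_traffic >= limit:
                del self.sessions[mac]
                expired.append(mac)
        return expired


def demo() -> dict:
    """Walk the lifecycle with constructed MACs; returns the observations for inspection."""
    bad, good = "0000.0000.0001", "0000.0000.0002"   # constructed Client MACs
    radius = CountingRadius(accepted={good})
    port = Dot1xPort(radius, max_attempts=2)          # auth-fail-max-attempts 2
    out = {}
    out["bad_first_frame"] = port.frame_received(bad, now=0)     # denied after 2 attempts
    out["bad_requests"] = radius.requests[bad]                   # RADIUS asked exactly twice
    out["good_first_frame"] = port.frame_received(good, now=0)
    out["aged_at_150"] = port.age(now=150)             # denied session aged (120 s); permitted kept
    out["bad_after_aging"] = port.frame_received(bad, now=150)   # re-authenticated, denied again
    out["bad_requests_total"] = radius.requests[bad]
    out["aged_at_500"] = port.age(now=500)             # both idle past their limits
    locked = Dot1xPort(radius, max_attempts=1, aging=AgingPolicy(no_aging_denied=True))
    locked.frame_received(bad, now=0)
    out["locked_aged_at_10000"] = locked.age(now=10_000)         # denied session never ages
    restrict = Dot1xPort(radius, restrict_vlan=300)   # dot1x auth-fail-action restrict-vlan 300
    out["restricted"] = restrict.frame_received(bad, now=0)
    out["restricted_aged_at_150"] = restrict.age(now=150)        # ages over MAC interval, not 120 s
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the model makes visible is the trade-off in the aging knobs: with the default policy a blocked Client gets another chance after the software aging period (and costs the RADIUS server another full set of attempts each time), whereas `no-aging denied-mac-only` turns a failed authentication into a persistent block on that MAC.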
