Brocade FastIron Ethernet Switch Security Configuration Guide User Manual
Page 178
1. One of the 802.1X-enabled Clients attempts to log into a network in which a Brocade device serves
as an Authenticator.
2. The Brocade device creates an internal session (called a dot1x-mac-session) for the Client. A
dot1x-mac-session serves to associate a Client MAC address and username with its authentication
status.
3. The Brocade device performs 802.1X authentication for the Client. Messages are exchanged
between the Brocade device and the Client, and between the device and the Authentication Server
(RADIUS server). The result of this process is that the Client is either successfully authenticated or
not authenticated, based on the username and password supplied by the client.
4. If the Client is successfully authenticated, the Client dot1x-mac-session is set to "access-is-allowed". This means that traffic from the Client can be forwarded normally.
5. If authentication for the Client is unsuccessful the first time, further attempts to authenticate the Client are made, up to the number set by the attempts variable in the auth-fail-max-attempts command.
• Refer to the Specifying the number of authentication attempts the device makes before dropping packets section for information on how to do this.
6. If authentication for the Client is unsuccessful more than the number of times specified by the
attempts variable in the auth-fail-max-attempts command, an authentication-failure action is taken.
The authentication-failure action can be either to drop traffic from the Client, or to place the port in a
"restricted" VLAN:
• If the authentication-failure action is to drop traffic from the Client, then the Client dot1x-mac-session is set to "access-denied", causing traffic from the Client to be dropped in hardware.
• If the authentication-failure action is to place the port in a "restricted" VLAN, then the Client dot1x-mac-session is set to "access-restricted", the port is moved to the specified restricted VLAN, and traffic from the Client is forwarded normally.
7. When the Client disconnects from the network, the Brocade device deletes the Client dot1x-mac-session. This does not affect the dot1x-mac-session or authentication status (if any) of the other hosts connected on the port.
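The seven steps above, together with the aging and clear behaviour described in the configuration notes that follow, amount to a small per-MAC state machine. The model below is an added illustration written for this page, not Brocade code: it keeps one dot1x-mac-session per client MAC, counts failed attempts against the attempts value of auth-fail-max-attempts, applies the configured authentication-failure action (drop or restricted VLAN), deletes a session on disconnect or on a clear, and ages idle sessions out after the fixed 70-second hardware period plus a configurable software period. The RADIUS exchange is replaced by a constructed username/password table, and the MAC addresses, VLAN number and timer values are made up for the example.

```python
"""Model of the dot1x-mac-session lifecycle (added illustration, not Brocade code).

One session per client MAC, a failed-attempt counter compared with the attempts
value of auth-fail-max-attempts, a configurable authentication-failure action,
deletion on disconnect or clear, and idle aging (70 s hardware + software period).
"""
from dataclasses import dataclass, field
from typing import Optional

HARDWARE_AGING_SECONDS = 70          # fixed hardware aging period stated in the guide

# Constructed stand-in for the RADIUS server's credential store (assumption).
RADIUS_USERS = {"alice": "s3cret", "bob": "hunter2"}


@dataclass
class Dot1xMacSession:
    """Associates a client MAC and username with its authentication status."""
    mac: str
    username: Optional[str] = None
    status: str = "unauthenticated"  # access-is-allowed | access-denied | access-restricted
    failed_attempts: int = 0
    idle_seconds: int = 0


@dataclass
class AuthenticatorPort:
    auth_fail_max_attempts: int = 3              # attempts value of auth-fail-max-attempts
    failure_action: str = "drop"                 # "drop" or "restricted-vlan"
    restricted_vlan: Optional[int] = None
    software_aging_seconds: Optional[int] = 120  # None disables aging altogether
    age_authenticated_sessions: bool = True      # False: no aging for allowed/restricted clients
    port_vlan: Optional[int] = None              # set when the port moves to the restricted VLAN
    sessions: dict = field(default_factory=dict)

    def client_connects(self, mac: str) -> Dot1xMacSession:
        """Step 2: create the dot1x-mac-session when a client appears on the port."""
        return self.sessions.setdefault(mac, Dot1xMacSession(mac=mac))

    def authenticate(self, mac: str, username: str, password: str) -> str:
        """Steps 3 to 6: one authentication exchange; returns the resulting status."""
        s = self.client_connects(mac)
        s.idle_seconds = 0
        if RADIUS_USERS.get(username) == password:        # RADIUS Access-Accept
            s.username, s.status, s.failed_attempts = username, "access-is-allowed", 0
            return s.status
        s.failed_attempts += 1                             # RADIUS Access-Reject
        if s.failed_attempts <= self.auth_fail_max_attempts:
            return s.status                                # step 5: another attempt is allowed
        # Step 6: failures exceed the attempts value, apply the failure action.
        if self.failure_action == "restricted-vlan" and self.restricted_vlan is not None:
            s.status = "access-restricted"
            self.port_vlan = self.restricted_vlan
        else:
            s.status = "access-denied"                     # traffic dropped in hardware
        return s.status

    def forwards_traffic(self, mac: str) -> bool:
        """Data traffic passes only for allowed or restricted-VLAN sessions."""
        s = self.sessions.get(mac)
        return s is not None and s.status in ("access-is-allowed", "access-restricted")

    def traffic_seen(self, mac: str) -> None:
        """Any frame from the MAC, even a dropped one, resets its idle timer."""
        if mac in self.sessions:
            self.sessions[mac].idle_seconds = 0

    def client_disconnects(self, mac: str) -> None:
        """Step 7: delete only this client's session; other hosts are unaffected."""
        self.sessions.pop(mac, None)

    def clear_mac_session(self, mac: str) -> None:
        """Models clear dot1x mac-session: the client may re-authenticate afterwards."""
        self.sessions.pop(mac, None)

    def advance_time(self, seconds: int) -> list:
        """Age out idle sessions; returns the MACs whose sessions were deleted."""
        if self.software_aging_seconds is None:
            return []
        limit = HARDWARE_AGING_SECONDS + self.software_aging_seconds
        aged = []
        for mac, s in list(self.sessions.items()):
            if s.status != "access-denied" and not self.age_authenticated_sessions:
                continue
            s.idle_seconds += seconds
            if s.idle_seconds >= limit:
                aged.append(mac)
                del self.sessions[mac]
        return aged


def demo() -> dict:
    """Walk two hosts on one port through the lifecycle; returns the observed states."""
    port = AuthenticatorPort(auth_fail_max_attempts=2, failure_action="restricted-vlan",
                             restricted_vlan=99)
    good, bad = "00:11:22:33:44:55", "66:77:88:99:aa:bb"   # constructed MACs
    out = {"good": port.authenticate(good, "alice", "s3cret")}
    last = "unauthenticated"
    for _ in range(3):                                      # two retries, then the failure action
        last = port.authenticate(bad, "bob", "wrong")
    out["bad"], out["bad_forwarded"], out["port_vlan"] = last, port.forwards_traffic(bad), port.port_vlan
    port.client_disconnects(bad)                            # step 7: the good host is unaffected
    out["good_still_allowed"] = port.forwards_traffic(good)
    out["aged"] = port.advance_time(190)                    # 70 + 120 seconds idle
    return out
```

Running demo() shows the restricted-VLAN path: the second host exhausts its two permitted retries, lands in "access-restricted" with the port moved to VLAN 99, and its disconnect leaves the first host's session intact; the same first host is then aged out after 190 idle seconds. Construct the port with failure_action="drop" to see the "access-denied" path instead, and with software_aging_seconds=None to see aging switched off.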
Configuration notes for 802.1X multiple-host authentication
• The Client dot1x-mac-session establishes a relationship between the username and MAC address
used for authentication. If a user attempts to gain access from different Clients (with different MAC
addresses), he or she would need to be authenticated from each Client.
• If a Client has been denied access to the network (that is, the Client dot1x-mac-session is set to
"access-denied"), then you can cause the Client to be re-authenticated by manually disconnecting
the Client from the network, or by using the clear dot1x mac-session command. Refer to the
Clearing a dot1x-mac-session for a MAC address section for information on this command.
• When a Client has been denied access to the network, its dot1x-mac-session is aged out if no traffic is received from the Client MAC address over a fixed hardware aging period (70 seconds), plus a configurable software aging period. You can optionally change the software aging period for dot1x-mac-sessions or disable aging altogether. After the denied Client dot1x-mac-session is aged out, traffic from that Client is no longer blocked, and the Client can be re-authenticated.
In addition, you can disable aging for the dot1x-mac-session of Clients that have been granted full access to the network or have been placed in a restricted VLAN. After a Client dot1x-mac-session ages out, the Client must be re-authenticated. Refer to the Disabling aging for dot1x-mac-sessions section for more information.
• Dynamic IP ACL and MAC address filter assignment is supported in an 802.1X multiple-host authentication configuration. Refer to the Dynamically applying IP ACLs and MAC address filters to 802.1X ports section on page 187.
• 802.1X multiple-host authentication has the following additions:
802.1X Port Security
53-1003088-03