Brocade FastIron Ethernet Switch Security Configuration Guide User Manual
‐ Configurable hardware aging period for denied client dot1x-mac-sessions. Refer to Configurable hardware aging period for denied client dot1x-mac-sessions on page 179.
‐ Dynamic ACL and MAC address filter assignment in 802.1X multiple-host configurations. Refer to Dynamically applying IP ACLs and MAC address filters to 802.1X ports on page 187.
‐ Dynamic multiple VLAN assignment for 802.1X ports. Refer
‐ Configure a restriction to forward authenticated and unauthenticated tagged and untagged clients to a restricted VLAN.
‐ Configure an override to send failed dot1x and non-dot1x clients to a restricted VLAN.
‐ Configure VLAN assignments for clients attempting to gain access through dual-mode ports.
‐ Enhancements to some show commands.
‐ Differences in command syntax for saving dynamic VLAN assignments to the startup-config file.
How 802.1x host authentication works for multiple clients
Authenticating devices on a port involves assigning VLAN IDs, dynamically or otherwise.
Authentication of multiple 802.1x-enabled clients on a single 802.1X-enabled port on a Brocade device
is performed in the following way.
• The first 802.1x-enabled client logs on to the network in which a Brocade device serves as an authenticator. If a VLAN ID or name is included in the RADIUS Access-Accept message, the port is moved to that VLAN and the port's operational VLAN is changed to the RADIUS-assigned VLAN.
• Subsequent 802.1x-enabled clients log on to the network and are authorized with a VLAN ID that matches the VLAN ID or name provided by the RADIUS Access-Accept message for the first host. If an 802.1x-enabled client gets a different VLAN ID or name in its RADIUS Access-Accept message, it is treated as an authentication failure. If a restricted VLAN is configured as the action for failed authentication, all the hosts on the port, including the successfully authenticated clients, are placed in the restricted VLAN. If the failure action is to block the client's MAC address, only the failed client is blocked.
• Even if subsequent 802.1x-enabled clients do not receive VLAN information from RADIUS, clients authorized later still use the operational VLAN of the port. See the Dynamic multiple VLAN assignment for 802.1X ports section for more information on restrictions for dynamic VLAN assignment.
• However, ACLs received in RADIUS Access-Accept messages are applied to each 802.1x-enabled client separately. In a multi-host scenario some clients might have a dynamic ACL and some not. If there is a dynamic ACL for any client, access control is applied only to the clients with dynamic ACLs. See the Dynamically applying IP ACLs and MAC address filters to 802.1X ports section for more information on restrictions on dynamic IP ACLs or MAC address filters.
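The multi-host rules above can be checked against a small model of a port's state. This is an added illustration, not Brocade code or output; the RADIUS results are constructed dicts, the action names "restricted-vlan" and "block-mac" are invented labels, and a first client that carries no VLAN attribute is assumed to leave the port on its configured default VLAN.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Port:
    """One 802.1X-enabled port in multiple-host mode (constructed model)."""
    default_vlan: int
    fail_action: str                      # "restricted-vlan" or "block-mac" (constructed labels)
    restricted_vlan: Optional[int] = None
    op_vlan: Optional[int] = None         # operational VLAN, fixed by the first accepted client
    sessions: dict = field(default_factory=dict)   # mac -> {"vlan", "acl", "state"}

    def authorize(self, mac: str, accept: dict) -> str:
        """accept models a RADIUS Access-Accept, e.g. {"vlan": 10, "acl": "acl-guest"}."""
        radius_vlan = accept.get("vlan")
        if self.op_vlan is None:
            # First client: a RADIUS VLAN moves the port; otherwise (assumption) the
            # port's configured VLAN becomes the operational VLAN.
            self.op_vlan = radius_vlan if radius_vlan is not None else self.default_vlan
        elif radius_vlan is not None and radius_vlan != self.op_vlan:
            # A later client with a different RADIUS VLAN is an authentication failure.
            return self._fail(mac)
        # Later clients with no VLAN attribute simply inherit the port's operational VLAN.
        # ACLs are per client: only a client that received one is filtered by it.
        self.sessions[mac] = {"vlan": self.op_vlan, "acl": accept.get("acl"), "state": "authorized"}
        return "authorized"

    def _fail(self, mac: str) -> str:
        if self.fail_action == "restricted-vlan":
            # Restricted-VLAN action: every host on the port, including those already
            # authorized, is moved to the restricted VLAN.
            for s in self.sessions.values():
                s["vlan"] = self.restricted_vlan
            self.sessions[mac] = {"vlan": self.restricted_vlan, "acl": None, "state": "restricted"}
            return "restricted"
        # Block-MAC action: only the failed client is affected.
        self.sessions[mac] = {"vlan": None, "acl": None, "state": "blocked"}
        return "blocked"


def vlan_of(port: Port, mac: str) -> Optional[int]:
    """Convenience accessor for the VLAN a client session currently sits in."""
    return port.sessions[mac]["vlan"]
```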
Configurable hardware aging period for denied client dot1x-mac-sessions
When one of the 802.1X-enabled Clients in a multiple-host configuration attempts to log into a network
in which a Brocade device serves as an Authenticator, the device creates a dot1x-mac-session for the
Client.
When a Client has been denied access to the network, its dot1x-mac-session is aged out if no traffic is
received from the Client MAC address over a period of time. After a denied Client dot1x-mac-session
ages out, the Client can be re-authenticated. Aging of a denied Client's dot1x-mac-session occurs in
two phases, known as hardware aging and software aging.
The hardware aging period for a denied Client's dot1x-mac-session is not fixed at 70 seconds. The
hardware aging period for a denied Client's dot1x-mac-session is equal to the length of time specified
with the dot1x timeout quiet-period command. By default, the hardware aging time is 60 seconds.
Once the hardware aging period ends, the software aging period begins. When the software aging
How 802.1x host authentication works for multiple clients
FastIron Ethernet Switch Security Configuration Guide
179
53-1003088-03