
Initializing 802.1x on a port, Allowing access to multiple hosts, Configuring 802.1x multiple-host authentication – Brocade FastIron Ethernet Switch Security Configuration Guide User Manual


Specifying a timeout for retransmission of messages to the authentication server

When performing authentication, the Brocade device receives EAPOL frames from the Client and
passes the messages on to the RADIUS server. The device expects a response from the RADIUS
server within 30 seconds. If the RADIUS server does not send a response within 30 seconds, the
Brocade device retransmits the message to the RADIUS server. The retransmission timeout for messages
to the Authentication Server can be set to any value from 0 to 4294967295 seconds.

For example, to configure the device to retransmit a message if the Authentication Server does not
respond within 45 seconds, enter the following command.

device(config-dot1x)#servertimeout 45

Syntax: servertimeout seconds

Initializing 802.1X on a port

To initialize 802.1X port security on a port, enter a command such as the following.

device#dot1x initialize e 3/1

Syntax: dot1x initialize ethernet port

Allowing access to multiple hosts

Brocade devices support 802.1X authentication for ports with more than one host connected to them. If
there are multiple hosts connected to a single 802.1X-enabled port, the Brocade device authenticates
each of them individually.

Configuring 802.1X multiple-host authentication

When multiple hosts are connected to the same 802.1X-enabled port, the functionality described in
"How 802.1X host authentication works" on page 177 is enabled by default. You can optionally do the
following:

• Specify the authentication-failure action
• Specify the number of authentication attempts the device makes before dropping packets
• Disable aging for dot1x-mac-sessions
• Configure the aging time for blocked clients
• Move native VLAN mac-sessions to the restricted VLAN
• Clear the dot1x-mac-session for a MAC address

Specifying the authentication-failure action

In an 802.1X multiple-host configuration, if RADIUS authentication for a client is unsuccessful, either
traffic from that client is dropped in hardware (the default), or the client port is placed in a "restricted"
VLAN. You can specify which of these authentication-failure actions to use. When you enable 802.1X,
the default authentication-failure action is to drop client traffic.

If you configure the authentication-failure action to place the client port in a restricted VLAN, you can
specify the ID of the restricted VLAN. If you do not specify a VLAN ID, the default VLAN is used.
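The two settings described above (the RADIUS retransmission timeout and the authentication-failure action) are easy to get subtly wrong: a very long servertimeout leaves unauthenticated hosts waiting through every RADIUS retry, and choosing the restricted-VLAN action without a VLAN ID silently sends failed clients to the default VLAN. The following script is an added example, not Brocade's code and not from this guide; it audits a running-config excerpt for those two conditions. The `servertimeout` syntax is the one shown on this page; the keyword names `auth-fail-action` and `auth-fail-vlanid`, the one-space block indentation, the sample config text and the 120-second "reasonable" threshold are all assumptions made for the example.

```python
import re

# Constructed sample of a FastIron-style running-config excerpt (not captured
# from a real device). 'servertimeout' follows the syntax on this manual page;
# 'auth-fail-action' / 'auth-fail-vlanid' are ASSUMED keyword names for the
# authentication-failure action and restricted VLAN ID described on the page.
SAMPLE_CONFIG = """\
dot1x-enable
 servertimeout 45
 auth-fail-action restricted-vlan
 enable ethe 3/1 to 3/4
!
"""

SERVERTIMEOUT_MIN = 0
SERVERTIMEOUT_MAX = 4294967295   # range the manual states the device accepts
DEFAULT_SERVERTIMEOUT = 30       # device default stated in the manual


def parse_dot1x_block(config_text):
    """Return the settings found inside the 'dot1x-enable' block as a dict.

    Assumes the running-config convention that lines belonging to a block are
    indented by one space and the block ends at '!' or at an unindented line.
    """
    settings = {"servertimeout": None, "auth_fail_action": None, "auth_fail_vlanid": None}
    in_block = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "dot1x-enable":
            in_block = True
            continue
        if in_block and not raw.startswith(" "):
            in_block = False          # '!' or the next top-level command ends the block
        if not in_block:
            continue
        m = re.match(r"servertimeout\s+(\d+)$", line)
        if m:
            settings["servertimeout"] = int(m.group(1))
            continue
        m = re.match(r"auth-fail-action\s+(\S+)$", line)
        if m:
            settings["auth_fail_action"] = m.group(1)
            continue
        m = re.match(r"auth-fail-vlanid\s+(\d+)$", line)
        if m:
            settings["auth_fail_vlanid"] = int(m.group(1))
    return settings


def audit_dot1x(settings, max_reasonable_timeout=120):
    """Return a list of (severity, message) findings for the parsed settings.

    max_reasonable_timeout is an assumed operational threshold, not a device limit.
    """
    findings = []
    t = settings["servertimeout"]
    if t is None:
        findings.append(("info", f"servertimeout not set; device default of {DEFAULT_SERVERTIMEOUT} s applies"))
    elif not SERVERTIMEOUT_MIN <= t <= SERVERTIMEOUT_MAX:
        findings.append(("high", f"servertimeout {t} is outside the {SERVERTIMEOUT_MIN}-{SERVERTIMEOUT_MAX} range"))
    elif t > max_reasonable_timeout:
        findings.append(("warn", f"servertimeout {t} s is long: hosts wait that long for each RADIUS retry"))

    action = settings["auth_fail_action"]
    if action is None:
        findings.append(("info", "auth-fail-action not set; failed clients are dropped in hardware (default)"))
    elif action == "restricted-vlan" and settings["auth_fail_vlanid"] is None:
        # The manual: with no VLAN ID, the default VLAN is used for failed clients.
        findings.append(("high", "restricted-vlan action without auth-fail-vlanid: failed clients land in the default VLAN"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_dot1x(parse_dot1x_block(SAMPLE_CONFIG)):
        print(f"[{severity}] {message}")
```

Run it against a `show running-config` capture saved to a file (replace `SAMPLE_CONFIG` with the file contents) as a quick pre-deployment check; the sample above deliberately sets the restricted-VLAN action without an ID so that the audit reports the default-VLAN fallback.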


FastIron Ethernet Switch Security Configuration Guide

195

53-1003088-03