
Brocade FastIron Ethernet Switch Security Configuration Guide User Manual



You can configure the authentication-failure action using one of the following methods:

• Configure the same authentication-failure action for all ports on the device (globally).
• Configure an authentication-failure action on individual ports.

If a previous authentication failed, and as a result the port was placed in the restricted VLAN, but a
subsequent authentication attempt was successful, the RADIUS Access-Accept message may specify
a VLAN for the port. The device moves the port out of the restricted VLAN and into the RADIUS-
specified VLAN.

If a previous authentication was successful and the RADIUS Access-Accept message specified a
VLAN for the port, the device moves the port into the RADIUS-specified VLAN. If a subsequent
authentication then fails, the port is not placed in the restricted VLAN; instead, the non-authenticated
client is blocked.

NOTE
You cannot configure the authentication-failure action globally and per-port at the same time.

To configure the authentication-failure action for all ports on the device to place the client port in a
restricted VLAN, enter the following commands.

device(config)# dot1x-enable

device(config-dot1x)# auth-fail-action restricted-vlan

Syntax: [no] auth-fail-action restricted-vlan

To specify VLAN 300 as the restricted VLAN for all ports on the device, enter the auth-fail-vlanid
num command.

device(config-dot1x)# auth-fail-vlanid 300

Syntax: [no] auth-fail-vlanid vlan-id

To specify on an individual port that the authentication-failure action is to place the client port in
restricted VLAN 300, enter the following command at the interface configuration level.

device(config-if-e1000-1/1/1)# dot1x auth-fail-action restrict-vlan 300

Syntax: [no] dot1x auth-fail-action restrict-vlan vlan-id

Specifying the number of authentication attempts the device makes before dropping packets

When the authentication-failure action is to drop traffic from the Client, and the initial authentication
attempt made by the device to authenticate the Client is unsuccessful, the Brocade device
immediately retries to authenticate the Client. After three unsuccessful authentication attempts, the
Client dot1x-mac-session is set to "access-denied", causing traffic from the Client to be dropped in
hardware.

Optionally, you can configure the number of authentication attempts the device makes before dropping
traffic from the Client. To do so, enter a command such as the following.

device(config-dot1x)# auth-fail-max-attempts 2

Syntax: [no] auth-fail-max-attempts attempts

By default, the device makes three attempts to authenticate a Client before dropping packets from the
Client. You can specify from 1 through 10 authentication attempts.
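The two constraints stated above (global and per-port authentication-failure actions cannot coexist, and auth-fail-max-attempts accepts 1 through 10) are the kind of thing worth checking in a configuration audit. The following Python script is an added example, not Brocade code or output from the guide: it parses a small, constructed FastIron-style configuration fragment using the command syntax shown on this page, and reports settings that would be rejected or that leave the restricted-VLAN action incomplete. The "interface ethernet 1/1/1" section syntax and the `parse_config`/`audit` helper names are assumptions made for this example.

```python
"""Audit 802.1X authentication-failure settings in a FastIron-style config.

Added example (not Brocade code). Assumes the CLI syntax shown in the guide:
  global (under dot1x-enable): auth-fail-action restricted-vlan,
                              auth-fail-vlanid <id>, auth-fail-max-attempts <n>
  per port (under interface): dot1x auth-fail-action restrict-vlan <id>
The config text below is constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: global and per-port actions both set, and 12 attempts
# (outside the documented 1-10 range).
SAMPLE_CONFIG = """\
dot1x-enable
 auth-fail-action restricted-vlan
 auth-fail-vlanid 300
 auth-fail-max-attempts 12
!
interface ethernet 1/1/1
 dot1x auth-fail-action restrict-vlan 300
!
interface ethernet 1/1/2
 dot1x port-control auto
!
"""

# Constructed sample that follows the rules: global action only, default attempts.
CLEAN_CONFIG = """\
dot1x-enable
 auth-fail-action restricted-vlan
 auth-fail-vlanid 300
!
"""


@dataclass
class Dot1xAuthFailSettings:
    global_action: Optional[str] = None          # "restricted-vlan" or None
    global_vlan: Optional[int] = None            # auth-fail-vlanid
    max_attempts: int = 3                        # documented default: three attempts
    port_restrict_vlan: Dict[str, int] = field(default_factory=dict)


def parse_config(text: str) -> Dot1xAuthFailSettings:
    """Walk the config line by line, tracking which section we are inside."""
    settings = Dot1xAuthFailSettings()
    section: Optional[str] = None  # "dot1x", "ethernet 1/1/1", ... or None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":                       # section terminator
            section = None
            continue
        if line == "dot1x-enable":
            section = "dot1x"
            continue
        m = re.match(r"interface (\S+ \S+)$", line)
        if m:
            section = m.group(1)
            continue
        if section == "dot1x":
            if line == "auth-fail-action restricted-vlan":
                settings.global_action = "restricted-vlan"
            elif (m := re.match(r"auth-fail-vlanid (\d+)$", line)):
                settings.global_vlan = int(m.group(1))
            elif (m := re.match(r"auth-fail-max-attempts (\d+)$", line)):
                settings.max_attempts = int(m.group(1))
        elif section is not None and section.startswith("ethernet"):
            m = re.match(r"dot1x auth-fail-action restrict-vlan (\d+)$", line)
            if m:
                settings.port_restrict_vlan[section] = int(m.group(1))
    return settings


def audit(settings: Dot1xAuthFailSettings) -> List[str]:
    """Return human-readable findings; an empty list means the settings are consistent."""
    findings: List[str] = []
    if settings.global_action and settings.port_restrict_vlan:
        ports = ", ".join(sorted(settings.port_restrict_vlan))
        findings.append(
            f"global auth-fail-action and per-port restrict-vlan configured together ({ports}); "
            "the device allows only one of the two")
    if settings.global_action == "restricted-vlan" and settings.global_vlan is None:
        findings.append("global restricted-VLAN action set but no auth-fail-vlanid configured")
    if not 1 <= settings.max_attempts <= 10:
        findings.append(
            f"auth-fail-max-attempts {settings.max_attempts} is outside the allowed range 1-10")
    return findings


def audit_text(text: str) -> List[str]:
    return audit(parse_config(text))


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("clean", CLEAN_CONFIG)):
        print(f"[{name}]", audit_text(cfg) or "no findings")
```

Run against a saved `show running-config` capture instead of the embedded sample to check a real device; the parser only recognises the commands documented on this page and ignores everything else.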

802.1X Port Security

196

FastIron Ethernet Switch Security Configuration Guide

53-1003088-03