Brocade FastIron Ethernet Switch Security Configuration Guide User Manual

Disabling aging for dot1x-mac-sessions

The dot1x-mac-sessions for Clients authenticated or denied by a RADIUS server are aged out if no traffic is received from the Client MAC address for a certain period of time. After a Client dot1x-mac-session is aged out, the Client must be re-authenticated:

• Permitted dot1x-mac-sessions, which are the dot1x-mac-sessions for authenticated Clients, as well as for non-authenticated Clients whose ports have been placed in the restricted VLAN, are aged out if no traffic is received from the Client MAC address over the normal MAC aging interval on the Brocade device.

• Denied dot1x-mac-sessions, which are the dot1x-mac-sessions for non-authenticated Clients that are blocked by the Brocade device, are aged out over a configurable software aging period. (Refer to the next section for more information on configuring the software aging period.)

You can optionally disable aging of the permitted or denied dot1x-mac-sessions, or both, on the
Brocade device.

To disable aging of the permitted dot1x-mac-sessions, enter the following command.

device(config-dot1x)#mac-session-aging no-aging permitted-mac-only

Syntax: [no] mac-session-aging no-aging permitted-mac-only

To disable aging of the denied dot1x-mac-sessions, enter the following command.

device(config-dot1x)#mac-session-aging no-aging denied-mac-only

Syntax: [no] mac-session-aging no-aging denied-mac-only

NOTE
This command disables aging only for denied sessions; aging of permitted sessions stays enabled.

As a shortcut, use the command [no] mac-session-aging to enable or disable aging for permitted and
denied sessions.

Specifying the aging time for blocked clients

When the Brocade device is configured to drop traffic from non-authenticated Clients, traffic from the
blocked Clients is dropped in hardware, without being sent to the CPU. A Layer 2 CAM entry is created
that drops traffic from the blocked Client MAC address in hardware. If no traffic is received from the
blocked Client MAC address for a certain amount of time, this Layer 2 CAM entry is aged out. If traffic is
subsequently received from the Client MAC address, then an attempt can be made to authenticate the
Client again.

Aging of the Layer 2 CAM entry for a blocked Client MAC address occurs in two phases, known as hardware aging and software aging. The hardware aging period is fixed at 70 seconds and is non-configurable. The software aging time is configurable through the CLI.

Once the Brocade device stops receiving traffic from a blocked Client MAC address, the hardware
aging begins and lasts for a fixed period of time. After the hardware aging period ends, the software
aging period begins. The software aging period lasts for a configurable amount of time (by default 120
seconds). After the software aging period ends, the blocked Client MAC address ages out, and can be
authenticated again if the Brocade device receives traffic from the Client MAC address.

Change the length of the software aging period for a blocked Client MAC address by entering the mac-age-time num command.

device(config-dot1x)#mac-age-time 180

Syntax: [no] mac-age-time seconds
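The following Python model is an added illustration, not Brocade code, covering both the aging switches above and the two-phase timeline for blocked Clients on this page. It encodes the rules the guide states (normal MAC aging for permitted sessions, the fixed 70-second hardware phase followed by the configurable software phase for denied sessions, the default of 120 seconds, and the no-aging forms of mac-session-aging) so that the effect of each CLI line can be checked against a constructed timeline. The length of the "normal MAC aging interval" is not given on this page and is assumed to be 300 seconds; reading "no mac-session-aging" as "disable aging for both kinds" and "no mac-age-time" as "restore the default" are likewise assumptions.

```python
"""Model of the dot1x-mac-session aging rules on this page.

Added illustration, not Brocade code. It encodes the behaviour the guide
describes so that each CLI line's effect can be checked on a constructed
timeline (all times are seconds since an arbitrary origin).
"""
from dataclasses import dataclass
from typing import Optional

HW_AGING_SECONDS = 70            # fixed, non-configurable (from the guide)
DEFAULT_MAC_AGE_TIME = 120       # default software aging period (from the guide)
ASSUMED_L2_MAC_AGING = 300       # ASSUMPTION: the "normal MAC aging interval"
                                 # the guide refers to; its value is not stated here


@dataclass
class Dot1xAgingConfig:
    mac_age_time: int = DEFAULT_MAC_AGE_TIME    # mac-age-time <seconds>
    no_aging_permitted: bool = False            # no-aging permitted-mac-only
    no_aging_denied: bool = False               # no-aging denied-mac-only
    l2_mac_aging: int = ASSUMED_L2_MAC_AGING    # normal L2 MAC aging interval

    def apply(self, cli_line: str) -> None:
        """Apply one line in the (config-dot1x) forms quoted on this page."""
        tokens = cli_line.split()
        negate = tokens[0] == "no"
        if negate:
            tokens = tokens[1:]
        if tokens[0] == "mac-age-time":
            # "no mac-age-time" is taken to restore the default (assumption)
            self.mac_age_time = DEFAULT_MAC_AGE_TIME if negate else int(tokens[1])
        elif tokens[0] == "mac-session-aging":
            if len(tokens) == 1:
                # shortcut form: [no] mac-session-aging acts on both kinds;
                # the "no" form is read as "disable aging" (assumption)
                self.no_aging_permitted = self.no_aging_denied = negate
            elif tokens[1:] == ["no-aging", "permitted-mac-only"]:
                self.no_aging_permitted = not negate
            elif tokens[1:] == ["no-aging", "denied-mac-only"]:
                self.no_aging_denied = not negate
            else:
                raise ValueError(f"unrecognised form: {cli_line}")
        else:
            raise ValueError(f"not a command on this page: {cli_line}")


@dataclass
class MacSession:
    mac: str
    kind: str            # "permitted" or "denied"
    last_traffic: int    # time of the last frame seen from this MAC


def age_out_time(session: MacSession, cfg: Dot1xAgingConfig) -> Optional[int]:
    """Time at which the session ages out, or None if aging is disabled."""
    if session.kind == "permitted":
        if cfg.no_aging_permitted:
            return None
        return session.last_traffic + cfg.l2_mac_aging
    if cfg.no_aging_denied:
        return None
    # denied: fixed hardware phase, then the configurable software phase
    return session.last_traffic + HW_AGING_SECONDS + cfg.mac_age_time


def session_state(session: MacSession, cfg: Dot1xAgingConfig, now: int) -> str:
    """State of the session at time `now` under the given configuration."""
    expiry = age_out_time(session, cfg)
    if expiry is not None and now >= expiry:
        return "aged-out"          # client is re-authenticated on next traffic
    if session.kind == "permitted":
        return "authenticated"
    if cfg.no_aging_denied:
        return "blocked"           # dropped in hardware; the guide says only
                                   # that such sessions are not aged out
    idle = now - session.last_traffic
    return "hardware-aging" if idle < HW_AGING_SECONDS else "software-aging"


if __name__ == "__main__":
    cfg = Dot1xAgingConfig()
    cfg.apply("mac-age-time 180")                    # the value used on this page
    blocked = MacSession("0000.1111.2222", "denied", last_traffic=0)   # constructed
    for t in (0, 60, 100, 249, 250):
        print(f"t={t:3d}s  {blocked.mac}  {session_state(blocked, cfg, t)}")
    cfg.apply("mac-session-aging no-aging denied-mac-only")
    print("after no-aging denied-mac-only:", age_out_time(blocked, cfg))
```

With mac-age-time 180, a blocked MAC that goes quiet at t=0 sits in the hardware phase until t=70, in the software phase until t=250, and is only then eligible to be authenticated again; with no-aging denied-mac-only it stays blocked until the session is cleared by other means.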

802.1X Port Security

197

53-1003088-03