beautypg.com

How 802.1x multiple client authentication works – Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual

Page 320

background image

302

Multi-Service IronWare Security Configuration Guide

53-1003035-02

How 802.1x port security works

8

By default, traffic from clients that cannot be authenticated by the RADIUS server is dropped in
hardware. You can optionally configure the device to assign the port to a “restricted” VLAN if
authentication of the client is unsuccessful.

How 802.1x multiple client authentication works

When multiple clients are connected to a single 802.1x-enabled port on a router (as in

Figure 6

),

802.1x authentication is performed in the following ways.

1. One of the 802.1x-enabled clients attempts to log into a network in which a device serves as

an Authenticator.

2. The device creates an internal session (called a dot1x-mac-session) for the client. A

dot1x-mac-session serves to associate a client’s MAC address and username with its
authentication status.

3. The device performs 802.1x authentication for the client. Messages are exchanged between

the device and the client, and between the device and the Authentication Server (RADIUS
server). The result of this process is that the client is either successfully authenticated or not
authenticated, based on the username and password supplied by the client.

4. If the client is successfully authenticated, the client’s dot1x-mac-session is set to

“access-is-allowed”. This means that traffic from the client can be forwarded normally.

5. If authentication for the client is unsuccessful the first time, multiple attempts to authenticate

the client will be made as determined by the attempts variable in the auth-fail-max-attempts
command.

Refer to

“Specifying the number of authentication attempts the device makes before

dropping packets”

for information on how to do this.

6. If authentication for the client is unsuccessful more than the number of times specified by the

attempts variable in the auth-fail-max-attempts command, an authentication-failure action is
taken. The authentication-failure action can be either to drop traffic from the client, or to place
the port in a “restricted” VLAN:

If the authentication-failure action is to drop traffic from the client, then the client’s
dot1x-mac-session is set to “access-denied”, causing traffic from the client to be dropped
in hardware.

If the authentication-failure action is to place the port in a “restricted” VLAN, If the client’s
dot1x-mac-session is set to “access-restricted” then the port is moved to the specified
restricted VLAN, and traffic from the client is forwarded normally.

7. When the client disconnects from the network, the device deletes the client’s

dot1x-mac-session. This does not affect the dot1x-mac-session or authentication status (if any)
of the other clients connected on the port.

NOTES:

The client’s dot1x-mac-session establishes a relationship between the username and
MAC address used for authentication. If a user attempts to gain access from different
clients (with different MAC addresses), he or she would need to be authenticated from
each client.

See also other documents in the category Brocade Computer Accessories: