beautypg.com

How 802.1x multiple-host authentication works – Brocade TurboIron 24X Series Configuration Guide User Manual

Page 982

background image

948

Brocade TurboIron 24X Series Configuration Guide

53-1003053-01

How 802.1X port security works

How 802.1X Multiple-host authentication works

When multiple hosts are connected to a single 802.1X-enabled port on a device (as in

Figure 118

),

802.1X authentication is performed in the following way.

1. One of the 802.1X-enabled Clients attempts to log into a network in which a device serves as

an Authenticator.

2. The device creates an internal session (called a dot1x-mac-session) for the Client. A

dot1x-mac-session serves to associate a Client MAC address and username with its
authentication status.

3. The device performs 802.1X authentication for the Client. Messages are exchanged between

the device and the Client, and between the device and the Authentication Server (RADIUS
server). The result of this process is that the Client is either successfully authenticated or not
authenticated, based on the username and password supplied by the client.

4. If the Client is successfully authenticated, the Client dot1x-mac-session is set to

“access-is-allowed”. This means that traffic from the Client can be forwarded normally.

5. If authentication for the Client is unsuccessful the first time, multiple attempts to authenticate

the client will be made as determined by the attempts variable in the auth-fail-max-attempts
command.

Refer to

“Specifying the number of authentication attempts the device makes before

dropping packets”

on page 967 for information on how to do this.

6. If authentication for the Client is unsuccessful more than the number of times specified by the

attempts variable in the auth-fail-max-attempts command, an authentication-failure action is
taken. The authentication-failure action can be either to drop traffic from the Client, or to place
the port in a “restricted” VLAN:

If the authentication-failure action is to drop traffic from the Client, then the Client
dot1x-mac-session is set to “access-denied”, causing traffic from the Client to be dropped
in hardware.

If the authentication-failure action is to place the port in a “restricted” VLAN, If the Client
dot1x-mac-session is set to “access-restricted” then the port is moved to the specified
restricted VLAN, and traffic from the Client is forwarded normally.

7. When the Client disconnects from the network, the device deletes the Client

dot1x-mac-session. This does not affect the dot1x-mac-session or authentication status (if
any) of the other hosts connected on the port.

Configuration notes

The Client dot1x-mac-session establishes a relationship between the username and MAC
address used for authentication. If a user attempts to gain access from different Clients (with
different MAC addresses), he or she would need to be authenticated from each Client.

If a Client has been denied access to the network (that is, the Client dot1x-mac-session is set
to “access-denied”), then you can cause the Client to be re-authenticated by manually
disconnecting the Client from the network, or by using the clear dot1x mac-session
command.Refer to

“Clearing a dot1x-mac-session for a MAC address”

on page 968 for

information on this command.

See also other documents in the category Brocade Computer Accessories: