Brocade Communications Systems: Brocade ICX 6650 User Manual

Brocade ICX 6650 Security Configuration Guide
161
53-1002601-01

How 802.1X port security works

5. If authentication for the Client is unsuccessful the first time, multiple attempts to authenticate
the client will be made as determined by the attempts variable in the auth-fail-max-attempts
command. Refer to “Specifying the number of authentication attempts the device makes before
dropping packets” on page 180 for information on how to do this.

6. If authentication for the Client is unsuccessful more than the number of times specified by the
attempts variable in the auth-fail-max-attempts command, an authentication-failure action is
taken. The authentication-failure action can be either to drop traffic from the Client, or to place
the port in a “restricted” VLAN:

• If the authentication-failure action is to drop traffic from the Client, then the Client
dot1x-mac-session is set to “access-denied”, causing traffic from the Client to be dropped
in hardware.

• If the authentication-failure action is to place the port in a “restricted” VLAN, then the Client
dot1x-mac-session is set to “access-restricted”, the port is moved to the specified
restricted VLAN, and traffic from the Client is forwarded normally.

7. When the Client disconnects from the network, the Brocade device deletes the Client
dot1x-mac-session. This does not affect the dot1x-mac-session or authentication status (if any)
of the other hosts connected on the port.

Configuration notes for 802.1x multiple-host authentication

The Client dot1x-mac-session establishes a relationship between the username and MAC
address used for authentication. If a user attempts to gain access from different Clients (with
different MAC addresses), he or she would need to be authenticated from each Client.

If a Client has been denied access to the network (that is, the Client dot1x-mac-session is set
to “access-denied”), then you can cause the Client to be re-authenticated by manually
disconnecting the Client from the network, or by using the clear dot1x mac-session command.
Refer to “Clearing a dot1x-mac-session for a MAC address” on page 181 for information on this
command.

When a Client has been denied access to the network, its dot1x-mac-session is aged out if no
traffic is received from the Client MAC address over a fixed hardware aging period (70
seconds), plus a configurable software aging period. You can optionally change the software
aging period for dot1x-mac-sessions or disable aging altogether. After the denied Client
dot1x-mac-session is aged out, traffic from that Client is no longer blocked, and the Client can
be re-authenticated.

In addition, you can disable aging for the dot1x-mac-session of Clients that have been
granted either full access to the network, or have been placed in a restricted VLAN. After
a Client dot1x-mac-session ages out, the Client must be re-authenticated. Refer to “Disabling
aging for dot1x-mac-sessions” on page 180 for more information.

Dynamic IP ACL and MAC address filter assignment is supported in an 802.1X multiple-host
configuration. Refer to “Dynamically applying IP ACLs and MAC address filters to 802.1X ports”
on page 170.
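The per-client session behaviour described in steps 5 to 7 and in the configuration notes above (attempt counting, the two authentication-failure actions, aging of denied sessions, and clearing one MAC session without touching other hosts) can be modelled as a small state machine. The following is an added illustration written for this page, not Brocade code; the class and method names are constructed, the clock is in simulated integer seconds, and applying the same hardware-plus-software aging period to permitted sessions is an assumption of the model.

```python
# Constructed model of the dot1x-mac-session behaviour described above (not
# Brocade code). One session exists per client MAC on a multiple-host port;
# times are integer seconds on a simulated clock.
from dataclasses import dataclass

HW_AGING = 70  # fixed hardware aging period from the text, in seconds
PERMITTED = ("access-granted", "access-restricted")  # states that forward traffic


@dataclass
class MacSession:
    mac: str
    username: str
    state: str = "unauthenticated"
    failures: int = 0
    last_traffic: int = 0  # last time traffic was seen from this MAC


class Dot1xPort:
    def __init__(self, max_attempts=1, fail_action="drop", sw_aging=120,
                 age_denied=True, age_permitted=True):
        self.max_attempts = max_attempts  # the auth-fail-max-attempts value
        self.fail_action = fail_action    # "drop" or "restricted-vlan"
        self.sw_aging = sw_aging          # configurable software aging period
        self.age_denied, self.age_permitted = age_denied, age_permitted
        self.sessions = {}                # client MAC -> MacSession

    def authenticate(self, mac, username, success, now):
        """Apply one authentication result for the client at `mac`."""
        s = self.sessions.setdefault(mac, MacSession(mac, username))
        s.last_traffic = now  # any frame from the MAC resets its idle timer
        if s.state == "access-denied":
            return s.state    # dropped in hardware until cleared or aged out
        if success:
            s.state, s.failures = "access-granted", 0
        else:
            s.failures += 1
            if s.failures > self.max_attempts:  # failure action kicks in
                s.state = ("access-denied" if self.fail_action == "drop"
                           else "access-restricted")
        return s.state

    def forwards(self, mac):
        s = self.sessions.get(mac)
        return s is not None and s.state in PERMITTED

    def age_out(self, now):
        """Delete sessions idle for the hardware plus software aging period."""
        for mac, s in list(self.sessions.items()):
            enabled = self.age_denied if s.state == "access-denied" else self.age_permitted
            if enabled and now - s.last_traffic >= HW_AGING + self.sw_aging:
                del self.sessions[mac]  # an aged-out client must re-authenticate

    def clear_mac_session(self, mac):
        """Like 'clear dot1x mac-session' or a disconnect: only this MAC's session goes."""
        self.sessions.pop(mac, None)
```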