
Brocade ICX 6650 Security Configuration Guide
179
53-1002601-01
802.1X port security configuration
Allowing access to multiple hosts
Brocade devices support 802.1X authentication for ports with more than one host connected to
them. If there are multiple hosts connected to a single 802.1X-enabled port, the Brocade device
authenticates each of them individually. Refer to “Configuring 802.1X multiple-host authentication”.
Configuring 802.1X multiple-host authentication
When multiple hosts are connected to the same 802.1X-enabled port, the functionality described in “How 802.1X multiple-host authentication works” on page 160 is enabled by default. You can optionally do the following:
• Specify the authentication-failure action
• Specify the number of authentication attempts the device makes before dropping packets
• Disable aging for dot1x-mac-sessions
• Configure the aging time for blocked clients
• Move native VLAN dot1x-mac-sessions to the restricted VLAN
• Clear the dot1x-mac-session for a MAC address
Specifying the authentication-failure action
In an 802.1X multiple-host configuration, if RADIUS authentication for a client is unsuccessful, either traffic from that client is dropped in hardware (the default), or the client port is placed in a “restricted” VLAN. You can specify which of these authentication-failure actions to use. When you enable 802.1X, the default authentication-failure action is to drop client traffic.
If you configure the authentication-failure action to place the client port in a restricted VLAN, you can specify the ID of the restricted VLAN. If you do not specify a VLAN ID, the default VLAN is used, which means a client that fails authentication ends up in the default VLAN rather than in an isolated one; set the restricted VLAN ID explicitly.
You can configure the authentication-failure action using one of the following methods:
• Configure the same authentication-failure action for all ports on the device (globally).
• Configure an authentication-failure action on individual ports.
NOTE
You cannot configure the authentication-failure action globally and per-port at the same time.
To configure the authentication-failure action for all ports on the device to place the client port in a
restricted VLAN, enter the following commands.
Brocade(config)# dot1x-enable
Brocade(config-dot1x)# auth-fail-action restricted-vlan
Syntax: [no] auth-fail-action restricted-vlan
To specify VLAN 300 as the restricted VLAN for all ports on the device, enter the auth-fail-vlanid
num command.
Brocade(config-dot1x)# auth-fail-vlanid 300
Syntax: [no] auth-fail-vlanid vlan-id
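The following is an added example, not text from the Brocade guide, showing the global procedure above as one complete sequence: the restricted VLAN is created before it is referenced, 802.1X is enabled globally and on a port, and the two authentication-failure commands from this section are applied. The VLAN name, the port number 1/1/1, the interface prompt string, and the vlan, enable ethernet and dot1x port-control commands are assumptions based on general FastIron CLI usage rather than on this page.

```text
! Assumed: the restricted VLAN must exist before clients can be moved into it.
Brocade(config)# vlan 300 name dot1x-restricted
Brocade(config-vlan-300)# exit
! Enable 802.1X globally; the default authentication-failure action at this
! point is to drop the failed client's traffic in hardware.
Brocade(config)# dot1x-enable
! Change the global authentication-failure action to the restricted VLAN and
! name the VLAN explicitly, so failed clients do not fall into the default VLAN.
Brocade(config-dot1x)# auth-fail-action restricted-vlan
Brocade(config-dot1x)# auth-fail-vlanid 300
! Assumed: enable 802.1X on the access port (port number is an example).
Brocade(config-dot1x)# enable ethernet 1/1/1
Brocade(config-dot1x)# exit
Brocade(config)# interface ethernet 1/1/1
Brocade(config-if-e10000-1/1/1)# dot1x port-control auto
Brocade(config-if-e10000-1/1/1)# exit
! To revert to the default (drop) action, remove the restricted-vlan setting:
Brocade(config)# dot1x-enable
Brocade(config-dot1x)# no auth-fail-action restricted-vlan
```

Because the global and per-port settings are mutually exclusive (see the NOTE above), apply this either in the dot1x context for the whole device or on individual interfaces, not both. After a client fails RADIUS authentication, the dot1x-mac-session for its MAC address should show the client in VLAN 300 rather than being dropped; the exact show command for inspecting dot1x-mac-sessions is not part of this section.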