Alcatel-Lucent 6600 Switch User Manual


 
802.1X Overview Configuring 802.1X
page 22-6 OmniSwitch 6600 Family Network Configuration Guide April 2006
If the authentication server does not return a VLAN ID, then the supplicant is classified according to
any device classification policies that are configured for the port. See “Using Access Guardian Poli-
cies” on page 22-8 for more information.
If the authentication server does not return a VLAN ID and there are no user-configured device classi-
fication policies for the port, then by default Group Mobility is used to classify the supplicant. If Group
Mobility is unable to classify the supplicant, then the supplicant is assigned to the default VLAN for
the 802.1X port.
If the authentication server returns a VLAN ID that does not exist or authentication fails, the suppli-
cant is blocked.
Note that multiple supplicants can be authenticated on a given 802.1X port. Each supplicant MAC address
received on the port is authenticated and learned separately. Only those that authenticate successfully are
allowed on the port, as described above. Those that fail authentication are blocked on the 802.1X port.
The global configuration of this feature is controlled by the aaa authentication 802.1x command. This
command enables 802.1X for the switch and identifies the primary and backup authentication servers.. See
“Setting 802.1X Switch Parameters” on page 22-10 for more information about configuring this command.
Using the 802.1x command, an administrator may force an 802.1X port to always accept any frames on
the port (therefore not requiring a device to first authenticate on the port); or an administrator may force
the port to never accept any frames on the port. See “Configuring the Port Authorization” on page 22-11.
802.1X Ports and DHCP
DHCP requests on an 802.1X port are treated as any other traffic on the 802.1X port.
When the port is in an unauthorized state (which means no device has authenticated on the port), the port
is blocked from receiving any traffic except 802.1X packets. This means that DHCP requests will be
blocked as well.
When the port is in a forced unauthorized state (the port is manually set to unauthorized), the port is
blocked from receiving all traffic, including 802.1X packets and DHCP requests.
If the port is in a forced authorized state (manually set to authorized), any traffic, including DHCP, is
allowed on the port.
If the port is in an authorized state because a device has authenticated on the port, only traffic with an
authenticated MAC address is allowed on the port. DHCP requests from the authenticated MAC address
are allowed; any others are blocked.
Re-authentication
After a supplicant has successfully authenticated through an 802.1X port, the switch may be configured to
periodically re-authenticate the supplicant (re-authentication is disabled by default). In addition, the
supplicant may be manually re-authenticated (see “Re-authenticating an 802.1X Port” on page 22-12).
The re-authentication process is transparent to a user connected to the authorized port. The process is used
for security and allows the authenticator (the OmniSwitch) to maintain the 802.1X connection.
Note. If the MAC address of the supplicant has aged out during the authentication session, the 802.1X
software in the switch will alert the source learning software in the switch to re-learn the address.