Dell FCX624-E Laptop User Manual
PowerConnect B-Series FCX Configuration Guide 1225
53-1002266-01
How 802.1X port security works
5. If authentication for the Client is unsuccessful the first time, multiple attempts to authenticate the Client will be made, as determined by the attempts variable in the auth-fail-max-attempts command. Refer to “Specifying the number of authentication attempts the device makes before dropping packets” on page 1243 for information on how to do this.
6. If authentication for the Client is unsuccessful more than the number of times specified by the attempts variable in the auth-fail-max-attempts command, an authentication-failure action is taken. The authentication-failure action can be either to drop traffic from the Client, or to place the port in a “restricted” VLAN:
If the authentication-failure action is to drop traffic from the Client, then the Client dot1x-mac-session is set to “access-denied”, causing traffic from the Client to be dropped in hardware.
If the authentication-failure action is to place the port in a “restricted” VLAN, then the Client dot1x-mac-session is set to “access-restricted”, the port is moved to the specified restricted VLAN, and traffic from the Client is forwarded normally.
7. When the Client disconnects from the network, the Dell PowerConnect device deletes the Client dot1x-mac-session. This does not affect the dot1x-mac-session or authentication status (if any) of the other hosts connected on the port.
Configuration notes
The Client dot1x-mac-session establishes a relationship between the username and the MAC address used for authentication. If a user attempts to gain access from different Clients (with different MAC addresses), he or she must be authenticated from each Client.
If a Client has been denied access to the network (that is, the Client dot1x-mac-session is set to “access-denied”), you can cause the Client to be re-authenticated by manually disconnecting the Client from the network, or by using the clear dot1x mac-session command. Refer to “Clearing a dot1x-mac-session for a MAC address” on page 1245 for information on this command.
When a Client has been denied access to the network, its dot1x-mac-session is aged out if no traffic is received from the Client MAC address over a fixed hardware aging period (70 seconds) plus a configurable software aging period. You can optionally change the software aging period for dot1x-mac-sessions or disable aging altogether. After the denied Client dot1x-mac-session is aged out, traffic from that Client is no longer blocked, and the Client can be re-authenticated.
In addition, you can disable aging for the dot1x-mac-session of Clients that have been granted full access to the network or that have been placed in a restricted VLAN. After a Client dot1x-mac-session ages out, the Client must be re-authenticated. Refer to “Disabling aging for dot1x-mac-sessions” on page 1243 for more information.
Dynamic IP ACL and MAC address filter assignment is supported in an 802.1X multiple-host configuration. Refer to “Dynamically applying IP ACLs and MAC address filters to 802.1X ports” on page 1234.
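The per-MAC session behaviour described in steps 5 through 7 and in the notes above (retry limit, failure action, the fixed 70-second hardware aging period plus the software aging period, and manual clearing) can be modelled as a small state machine. The following is an added simulation for understanding the lifecycle, not code from the guide or the PowerConnect device; the attempt limit of 2 and software aging of 120 seconds are assumed sample settings, and aging is modelled for denied sessions only.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

HW_AGING_SECONDS = 70  # fixed hardware aging period stated in the guide


@dataclass
class Dot1xMacSession:
    username: str
    state: str = "authenticating"  # then access-granted / access-denied / access-restricted
    failures: int = 0
    idle_seconds: int = 0  # seconds since the last frame seen from this MAC


@dataclass
class Port:
    max_attempts: int = 2                   # attempts variable of auth-fail-max-attempts (assumed)
    fail_action: str = "deny"               # "deny" or "restricted-vlan"
    restricted_vlan: Optional[int] = None   # VLAN id used when fail_action is "restricted-vlan"
    sw_aging_seconds: Optional[int] = 120   # None models aging disabled for denied sessions
    sessions: Dict[str, Dot1xMacSession] = field(default_factory=dict)  # keyed by client MAC

    def authenticate(self, mac: str, username: str, success: bool) -> str:
        """One authentication exchange for a client MAC; returns the resulting session state."""
        s = self.sessions.setdefault(mac, Dot1xMacSession(username))
        if success:
            s.state, s.failures = "access-granted", 0
        else:
            s.failures += 1
            if s.failures > self.max_attempts:  # step 6: failure action after the retry budget
                s.state = "access-restricted" if self.fail_action == "restricted-vlan" else "access-denied"
        s.idle_seconds = 0
        return s.state

    def forwards(self, mac: str) -> bool:
        """True when frames from this MAC are forwarded (granted, or restricted VLAN)."""
        s = self.sessions.get(mac)
        return s is not None and s.state in ("access-granted", "access-restricted")

    def clear_mac_session(self, mac: str) -> None:
        """Models clear dot1x mac-session, or the client disconnecting (step 7): only this MAC is affected."""
        self.sessions.pop(mac, None)

    def age(self, elapsed: int) -> None:
        """Advance idle time; a denied session ages out after hardware plus software aging with no traffic."""
        if self.sw_aging_seconds is None:
            return
        limit = HW_AGING_SECONDS + self.sw_aging_seconds
        for mac, s in list(self.sessions.items()):
            if s.state == "access-denied":
                s.idle_seconds += elapsed
                if s.idle_seconds >= limit:
                    del self.sessions[mac]  # client may now be re-authenticated
```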
802.1X multiple-host authentication has the following additions:
Configurable hardware aging period for denied client dot1x-mac-sessions. Refer to “Configurable hardware aging period for denied client dot1x-mac-sessions” on page 1226.
Dynamic ACL and MAC address filter assignment in 802.1X multiple-host configurations. Refer to “Dynamically applying IP ACLs and MAC address filters to 802.1X ports” on page 1234.