Dell FCX648-I Laptop User Manual


  Open as PDF
of 1494
 
PowerConnect B-Series FCX Configuration Guide 1243
53-1002266-01
Configuring 802.1X port security
34
Configuring 802.1X multiple-host authentication
When multiple hosts are connected to the same 802.1X-enabled port, the functionality described
in “How 802.1X Multiple-host authentication works” on page 1224 is enabled by default. You can
optionally do the following:
Specify the authentication-failure action
Specify the number of authentication attempts the device makes before dropping packets
Disabling aging for dot1x-mac-sessions
Configure aging time for blocked Clients
Clear the dot1x-mac-session for a MAC address
Specifying the authentication-failure action
In an 802.1X multiple-host configuration, if RADIUS authentication for a Client is unsuccessful,
traffic from that Client is either dropped in hardware (the default), or the Client port is placed in a
“restricted” VLAN. You can specify which of these two authentication-failure actions is to be used.
If the authentication-failure action is to place the port in a restricted VLAN, you can specify the ID of
the restricted VLAN.
To specify that the authentication-failure action is to place the Client port in a restricted VLAN, enter
the following command.
PowerConnect(config)#dot1x-enable
PowerConnect(config-dot1x)#auth-fail-action restricted-vlan
Syntax: [no] auth-fail-action restricted-vlan
To specify the ID of the restricted VLAN as VLAN 300, enter the following command.
PowerConnect(config-dot1x)#auth-fail-vlanid 300
Syntax: [no] auth-fail-vlanid <vlan-id>
Specifying the number of authentication attempts the device makes before dropping packets
When the authentication-failure action is to drop traffic from the Client, and the initial
authentication attempt made by the device to authenticate the Client is unsuccessful, the Dell
PowerConnect device immediately retries to authenticate the Client. After three unsuccessful
authentication attempts, the Client dot1x-mac-session is set to “access-denied”, causing traffic
from the Client to be dropped in hardware.
You can optionally configure the number of authentication attempts the device makes before
dropping traffic from the Client. To do so, enter a command such as the following.
PowerConnect(config-dot1x)#auth-fail-max-attempts 2
Syntax: [no] auth-fail-max-attempts <attempts>
By default, the device makes 3 attempts to authenticate a Client before dropping packets from the
Client. You can specify between 1 – 10 authentication attempts.
Disabling aging for dot1x-mac-sessions
The dot1x-mac-sessions for Clients authenticated or denied by a RADIUS server are aged out if no
traffic is received from the Client MAC address for a certain period of time. After a Client
dot1x-mac-session is aged out, the Client must be re-authenticated: