X Ports And Dhcp; Re-Authentication - Alcatel-Lucent OmniSwitch 6850-48 Network Configuration Manual
Software release 6
Hide thumbs
Also See for OmniSwitch 6850-48:
- Cli reference manual (3706 pages) ,
- Management manual (312 pages) ,
- Hardware user's manual (188 pages)
Table of Contents
Advertisement
802.1X Overview
•
If the authentication server does not return a VLAN ID or authentication fails, then the supplicant is
classified according to any device classification policies that are configured for the port. See
Chapter 34, "Configuring Access Guardian,"
•
If the authentication server does not return a VLAN ID and there are no user-configured device classi-
fication policies for the port, Group Mobility is used to classify the supplicant. If Group Mobility is
unable to classify the supplicant, the supplicant is assigned to the default VLAN for the 802.1X port.
•
If the authentication fails and there are no user-configured devicee classification policies for the port,
the supplicant is blocked.
Note that multiple supplicants can be authenticated on a given 802.1X port. Each supplicant MAC address
received on the port is authenticated, learned, and classified separately, as described above.
The global configuration of this feature is controlled by the
command enables 802.1X for the switch and identifies the primary and backup authentication servers. See
"Setting 802.1X Switch Parameters" on page 37-8
Using the
802.1x
command, an administrator may force an 802.1X port to always accept any frames on
the port (therefore not requiring a device to first authenticate on the port); or an administrator may force
the port to never accept any frames on the port. See
802.1X Ports and DHCP
DHCP requests on an 802.1X port are treated as any other traffic on the 802.1X port.
When the port is in an unauthorized state (which means no device has authenticated on the port), the port
is blocked from receiving any traffic except 802.1X packets. This means that DHCP requests will be
blocked as well.
When the port is in a forced unauthorized state (the port is manually set to unauthorized), the port is
blocked from receiving all traffic, including 802.1X packets and DHCP requests.
If the port is in a forced authorized state (manually set to authorized), any traffic, including DHCP, is
allowed on the port.
If the port is in an authorized state because a device has authenticated on the port, only traffic with an
authenticated MAC address is allowed on the port. DHCP requests from the authenticated MAC address
are allowed; any others are blocked.
Re-authentication
After a supplicant has successfully authenticated through an 802.1X port, the switch may be configured to
periodically re-authenticate the supplicant (re-authentication is disabled by default). In addition, the
supplicant may be manually re-authenticated (see
The re-authentication process is transparent to a user connected to the authorized port. The process is used
for security and allows the authenticator (the OmniSwitch) to maintain the 802.1X connection.
Note. If the MAC address of the supplicant has aged out during the authentication session, the 802.1X
software in the switch will alert the source learning software in the switch to re-learn the address.
802.1X ports may also be initialized if there a problem on the port. Initializing a port drops connectivity to
the port and requires the port to be re-authenticated. See
page 37-6
for more information.
for more information about configuring this command.
"Configuring the Port Authorization" on page
"Re-authenticating an 802.1X Port" on page
"Initializing an 802.1X Port" on page
OmniSwitch AOS Release 6 Network Configuration Guide
aaa authentication 802.1x
Configuring 802.1X
command. This
37-9.
37-10).
37-11.
September 2009
Hide quick links:
Advertisement
Table of Contents
