HP ProCurve 9304M Security Manual page 101

Routing switches
• Specify the authentication-failure action
• Specify the number of authentication attempts the device makes before dropping packets
• Disable aging for dot1x-mac-sessions
• Configure aging time for blocked Clients
• Clear the dot1x-mac-session for a MAC address
Specifying the Authentication-Failure Action
In an 802.1X multiple-host configuration, if RADIUS authentication for a Client is unsuccessful, traffic from that
Client is either dropped in hardware (the default), or the Client's port is placed in a "restricted" VLAN. You can
specify which of these two authentication-failure actions is to be used. If the authentication-failure action is to
place the port in a restricted VLAN, you can specify the ID of the restricted VLAN.
To specify that the authentication-failure action is to place the Client's port in a restricted VLAN, enter the following
command:
ProCurveRS(config)# dot1x-enable
ProCurveRS(config-dot1x)# auth-fail-action restricted-vlan
Syntax: [no] auth-fail-action restricted-vlan
To specify the ID of the restricted VLAN as VLAN 300, enter the following command:
ProCurveRS(config-dot1x)# auth-fail-vlanid 300
Syntax: [no] auth-fail-vlanid <vlan-id>
Specifying the Number of Authentication Attempts the Device Makes Before Dropping Packets
When the authentication-failure action is to drop traffic from the Client, and the initial authentication attempt made
by the device to authenticate the Client is unsuccessful, then the HP device waits for a specified amount of time
(defined with the timeout quiet-period command, by default 60 seconds), then attempts to authenticate the Client
again. After three unsuccessful authentication attempts, the Client's dot1x-mac-session is set to "access-denied",
causing traffic from the Client to be dropped in hardware.
You can optionally configure the number of authentication attempts the device makes before dropping traffic from
the Client. To do so, enter a command such as the following:
ProCurveRS(config-dot1x)# auth-fail-max-attempts 2
Syntax: [no] auth-fail-max-attempts <attempts>
By default, the device makes 3 attempts to authenticate a Client before dropping packets from the Client. You can
specify from 1 to 10 authentication attempts.
Disabling Aging for dot1x-mac-sessions
The dot1x-mac-sessions for Clients authenticated or denied by a RADIUS server are aged out if no traffic is
received from the Client's MAC address for a certain period of time. After a Client's dot1x-mac-session is aged
out, the Client must be re-authenticated.
Permitted dot1x-mac-sessions, which are the dot1x-mac-sessions for authenticated Clients, as well as for
non-authenticated Clients whose ports have been placed in the restricted VLAN, are aged out if no traffic is
received from the Client's MAC address over the HP device's normal MAC aging interval.
Denied dot1x-mac-sessions, which are the dot1x-mac-sessions for non-authenticated Clients that are
blocked by the HP device, are aged out if no traffic is received from the Client's MAC address over a fixed
hardware aging period (70 seconds) plus a configurable software aging period. (See the next section for
more information on configuring the software aging period.)
You can optionally disable aging of the permitted and/or denied dot1x-mac-sessions on the HP device.
To disable aging of the permitted dot1x-mac-sessions, enter the following command:
ProCurveRS(config-dot1x)# mac-session-aging no-aging permitted-mac-only
Syntax: [no] mac-session-aging no-aging permitted-mac-only
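The following Python model is an added illustration, not HP code, of how the settings on this page interact for one Client's dot1x-mac-session: the failure action, the quiet-period retry loop with its attempt limit, and the two aging rules. The normal MAC aging interval, the software aging period for denied sessions and the no-aging flag for denied sessions are assumed placeholder values, not defaults taken from the manual.

```python
from dataclasses import dataclass
from typing import Optional
# Fixed hardware aging period for denied sessions, as stated on this page.
HW_AGING_DENIED = 70

@dataclass
class Dot1xConfig:
    """Settings from this page; the aging values are assumed placeholders."""
    auth_fail_action: str = "drop"          # "drop" (default) or "restricted-vlan"
    auth_fail_vlanid: Optional[int] = None  # auth-fail-vlanid <vlan-id>
    auth_fail_max_attempts: int = 3         # auth-fail-max-attempts, 1..10
    quiet_period: int = 60                  # timeout quiet-period, seconds
    mac_aging_interval: int = 300           # assumed normal MAC aging interval
    sw_aging_denied: int = 120              # assumed software aging period
    no_aging_permitted: bool = False        # mac-session-aging no-aging permitted-mac-only
    no_aging_denied: bool = False           # assumed: no-aging for denied sessions

    def __post_init__(self):
        if not 1 <= self.auth_fail_max_attempts <= 10:
            raise ValueError("auth-fail-max-attempts must be between 1 and 10")
        if self.auth_fail_action == "restricted-vlan" and self.auth_fail_vlanid is None:
            raise ValueError("restricted-vlan action requires auth-fail-vlanid")

@dataclass
class MacSession:
    state: str = "pending"      # pending | permitted | restricted | access-denied
    attempts: int = 0
    vlan: Optional[int] = None
    next_retry: Optional[int] = None  # when the device retries after a failure
    last_traffic: int = 0

def on_auth_result(cfg: Dot1xConfig, s: MacSession, success: bool, now: int) -> MacSession:
    """Apply one RADIUS result to a Client's dot1x-mac-session."""
    s.attempts += 1
    if success:
        s.state, s.next_retry = "permitted", None
    elif cfg.auth_fail_action == "restricted-vlan":
        s.state, s.vlan = "restricted", cfg.auth_fail_vlanid
    elif s.attempts >= cfg.auth_fail_max_attempts:
        s.state = "access-denied"  # traffic from the Client is now dropped in hardware
    else:
        s.next_retry = now + cfg.quiet_period  # wait the quiet period, then retry
    return s

def is_aged_out(cfg: Dot1xConfig, s: MacSession, now: int) -> bool:
    """Permitted/restricted: normal MAC interval; denied: 70 s hardware + software."""
    idle = now - s.last_traffic
    if s.state in ("permitted", "restricted"):
        return not cfg.no_aging_permitted and idle > cfg.mac_aging_interval
    if s.state == "access-denied":
        return not cfg.no_aging_denied and idle > HW_AGING_DENIED + cfg.sw_aging_denied
    return False
```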
June 2005
Configuring 802.1X Port Security
4 - 15