Dell PowerConnect B-RX Configuration Manual page 1045
Bigiron rx series configuration guide v02.8.00
Hide thumbs
Also See for PowerConnect B-RX:
- Configuration manual (1436 pages) ,
- Getting started manual (32 pages) ,
- Installation manual (240 pages)
Table of Contents
Advertisement
How 802.1x multiple client authentication works
When multiple clients are connected to a single 802.1x-enabled port on a BigIron RX (as in
Figure
1. One of the 802.1x-enabled Clients attempts to log into a network in which a BigIron RX serves
2. The BigIron RX creates an internal session (called a dot1x-mac-session) for the Client. A
3. The BigIron RX performs 802.1x authentication for the Client. Messages are exchanged
4. If the Client is successfully authenticated, the Client's dot1x-mac-session is set to
5. If authentication for the Client is unsuccessful the first time, multiple attempts to authenticate
6. If authentication for the Client is unsuccessful more than the number of times specified by the
7.
NOTES:
BigIron RX Series Configuration Guide
53-1002253-01
128), 802.1x authentication is performed in the following way.
as an Authenticator.
dot1x-mac-session serves to associate a Client's MAC address and username with its
authentication status.
between the BigIron RX and the Client, and between the device and the Authentication Server
(RADIUS server). The result of this process is that the Client is either successfully
authenticated or not authenticated, based on the username and password supplied by the
client.
"access-is-allowed". This means that traffic from the Client can be forwarded normally.
the client will be made as determined by the attempts variable in the auth-fail-max-attempts
command.
Refer to
"Specifying the number of authentication attempts the device makes before dropping
packets"
on page 981 for information on how to do this.
attempts variable in the auth-fail-max-attempts command, an authentication-failure action is
taken. The authentication-failure action can be either to drop traffic from the Client, or to place
the port in a "restricted" VLAN:
•
If the authentication-failure action is to drop traffic from the Client, then the Client's
dot1x-mac-session is set to "access-denied", causing traffic from the Client to be dropped
in hardware.
•
If the authentication-failure action is to place the port in a "restricted" VLAN, If the Client's
dot1x-mac-session is set to "access-restricted" then the port is moved to the specified
restricted VLAN, and traffic from the Client is forwarded normally.
When the Client disconnects from the network, the BigIron RX deletes the Client's
dot1x-mac-session. This does not affect the dot1x-mac-session or authentication status (if any)
of the other clients connected on the port.
•
The Client's dot1x-mac-session establishes a relationship between the username and
MAC address used for authentication. If a user attempts to gain access from different
Clients (with different MAC addresses), he or she would need to be authenticated from
each Client.
•
If a Client has been denied access to the network (that is, the Client's
dot1x-mac-session is set to "access-denied"), then you can cause the Client to be
re-authenticated by manually disconnecting the Client from the network, or by using
the clear dot1x mac-session command. Refer to
MAC address"
on page 982 for information on this command.
How 802.1x port security works
"Clearing a dot1x-mac-session for a
33
969
Advertisement
Table of Contents
