802.1X Ports and DHCP; Re-authentication; 802.1X Accounting - Alcatel OmniSwitch 6624 Network Configuration Manual

802.1X Overview
Using the 802.1x command, an administrator may force an 802.1X port to always accept any frames on
the port (therefore not requiring a device to first authenticate on the port); or an administrator may force
the port to never accept any frames on the port. See "Configuring the Port Authorization" on page 19-9.
Note that there cannot be more than one supplicant authenticated on a given 802.1X port. Any 802.1X
frames from a MAC address different from the supplicant will be dropped, even if the aaa authentication
802.1x command is configured for open-global.

802.1X Ports and DHCP

DHCP requests on an 802.1X port are treated as any other traffic on the 802.1X port.
When the port is in an unauthorized state (which means no device has authenticated on the port), or a
forced unauthorized state (the port is manually set to unauthorized), the port is blocked from receiving any
traffic except 802.1X packets. This means DHCP requests will be blocked as well.
If the port is in a forced authorized state (manually set to authorized), any traffic, including DHCP, is
allowed on the port.
If the port is in an authorized state because a device has authenticated on the port, the type of traffic
allowed on the port depends on the global 802.1X setting:
If the switch is set to open-global, all traffic is allowed on the port.
If the switch is set to open-unique, only traffic with the authenticated MAC address is allowed on the
port. DHCP requests from the authenticated MAC address are allowed; any others are blocked.
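
An added example, not taken from the manual: a small Python model of the admission rules in this section together with the single-supplicant note in the overview, tabulating whether a DHCP request is accepted in each port state and global setting. The function names and MAC addresses are constructed for illustration; 0x888E is the standard EtherType for 802.1X (EAPOL) frames.

```python
from enum import Enum

EAPOL = 0x888E  # standard EtherType of 802.1X (EAPOL) frames
IPV4 = 0x0800   # DHCP rides in IPv4/UDP, so the port sees it as ordinary traffic

class PortState(Enum):
    UNAUTHORIZED = 1        # no device has authenticated on the port
    FORCE_UNAUTHORIZED = 2  # manually set to unauthorized
    FORCE_AUTHORIZED = 3    # manually set to authorized
    AUTHORIZED = 4          # a supplicant has authenticated

def admits(state, global_mode, supplicant_mac, src_mac, ethertype):
    """Return True if the modelled 802.1X port accepts the frame."""
    is_dot1x = ethertype == EAPOL
    if state in (PortState.UNAUTHORIZED, PortState.FORCE_UNAUTHORIZED):
        return is_dot1x                  # only 802.1X packets get through
    if state is PortState.FORCE_AUTHORIZED:
        return True                      # any traffic, including DHCP
    if supplicant_mac is None:
        raise ValueError("an authorized port must have a supplicant MAC")
    from_supplicant = src_mac.lower() == supplicant_mac.lower()
    if is_dot1x:
        return from_supplicant           # one supplicant per port, in either mode
    if global_mode == "open-global":
        return True                      # all traffic allowed
    if global_mode == "open-unique":
        return from_supplicant           # authenticated MAC only
    raise ValueError(f"unknown global 802.1X setting: {global_mode!r}")

def dhcp_matrix(supplicant, other):
    """DHCP admission for the supplicant and a second device, per state and mode."""
    rows = {}
    for state in PortState:
        for mode in ("open-global", "open-unique"):
            rows[(state.name, mode)] = (
                admits(state, mode, supplicant, supplicant, IPV4),
                admits(state, mode, supplicant, other, IPV4),
            )
    return rows

if __name__ == "__main__":
    # Constructed MAC addresses, for illustration only.
    for key, (own, second) in dhcp_matrix("00:d0:95:aa:00:01", "00:d0:95:bb:00:02").items():
        print(f"{key[0]:<19}{key[1]:<12} supplicant={own!s:<6} other={second}")
```

In the output, the AUTHORIZED/open-global row is the one to review when choosing the global setting: once a supplicant has authenticated, DHCP from a second MAC address on the same port is accepted, whereas open-unique blocks it.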

Re-authentication

After a supplicant has successfully authenticated through an 802.1X port, the switch may be configured to
periodically re-authenticate the supplicant (re-authentication is disabled by default). In addition, the
supplicant may be manually re-authenticated (see "Re-authenticating an 802.1X Port" on page 19-10).
The re-authentication process is transparent to a user connected to the authorized port. The process is used
for security and allows the authenticator (the OmniSwitch) to maintain the 802.1X connection.
Note. If the MAC address of the supplicant has aged out during the authentication session, the 802.1X
software in the switch will alert the source learning software in the switch to re-learn the address.
802.1X ports may also be initialized if there is a problem on the port. Initializing a port drops connectivity to
the port and requires the port to be re-authenticated. See "Initializing an 802.1X Port" on page 19-11.

802.1X Accounting

802.1X authentication sessions may be logged if servers are set up for 802.1X accounting. Accounting
may also be done through the local Switch Logging feature. For information about setting up accounting
for 802.1X, see "Configuring Accounting for 802.1X" on page 19-11.

OmniSwitch 6624/6648 Network Configuration Guide, Configuring 802.1X, April 2004, page 19-6
