Quick Reference Guide

PowerConnect B-Series TI24X Configuration Guide 937
53-1002269-02
Chapter 28: Configuring 802.1X port security
Syntax: [no] dot1x auth-fail-action restrict-vlan [<vlan-id>]
Syntax: [no] dot1x auth-timeout-action failure
Send a failed Dot1X client to a restricted VLAN
In Figure 122, a VoIP phone sends both tagged and untagged traffic to dual-mode port e 3.
Assuming the VoIP phone is authenticated to a voice VLAN as tagged, a MAC session for the phone
is learned on the voice VLAN. Because the phone also sends untagged traffic, a second MAC session
is learned on the native (untagged) VLAN, as determined by the port's dual-mode configuration.
Use the auth-fail-force-restrict command to override the phone's MAC session on the native VLAN
and move the port's PVID to the restricted VLAN. Subsequent untagged traffic from both the phone
and the client then establishes MAC sessions on the restricted VLAN, giving both restricted access.
This command is configured under the global dot1x-enable command as follows:
PowerConnect(config)# dot1x-enable
PowerConnect(config-dot1x)# auth-fail-force-restrict
Syntax: auth-fail-force-restrict
FIGURE 122 Redirecting clients to a restricted VLAN
[Figure: a RADIUS server and a switch (the authenticator) whose port e3 is in dual mode. User 1 (IP phone) profile: authentication succeeded, RADIUS assigned it to tagged VLAN A; MAC sessions exist on the untagged native VLAN and on VLAN A. User 2 (PC) profile: authentication failed; PVID moved to the restricted VLAN.]
After authentication fails for User 2, and the PVID moves to the restricted VLAN, there will be a total of 3 MAC sessions on port e 3:
- one tagged MAC session on VLAN A for the phone
- one untagged MAC session on the restricted VLAN for the phone
- one untagged MAC session on the restricted VLAN for the client
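As an added example (not from the guide), the configuration below puts the auth-fail-force-restrict command in the context of the Figure 122 topology: port e 3 is a dual-mode port, tagged in voice VLAN 20 (VLAN A in the figure) and untagged in the default VLAN, with VLAN 99 as the restricted VLAN. The VLAN numbers, the RADIUS server address, the interface prompt, and the commands other than those shown on this page (vlan, tagged, radius-server, aaa authentication, enable, interface, dual-mode, dot1x port-control) are assumed from the FastIron-style CLI this switch family uses.

```text
! Added example, not from the guide. VLAN IDs and the RADIUS address are assumed values.
! Voice VLAN, carried tagged on port e 3 (the phone's authenticated VLAN, VLAN A in Figure 122)
PowerConnect(config)# vlan 20 name voice by port
PowerConnect(config-vlan-20)# tagged ethernet 3
PowerConnect(config-vlan-20)# exit
! Restricted VLAN that failed clients are sent to; it needs no port members of its own
PowerConnect(config)# vlan 99 name restricted by port
PowerConnect(config-vlan-99)# exit
! RADIUS server the switch (the 802.1X authenticator) relays client credentials to
PowerConnect(config)# radius-server host 192.0.2.10
PowerConnect(config)# radius-server key <shared-secret>
PowerConnect(config)# aaa authentication dot1x default radius
! Global 802.1X settings: send failed clients to VLAN 99, and force the PVID move even though
! an authenticated MAC session (the phone's untagged one) already exists on the native VLAN
PowerConnect(config)# dot1x-enable
PowerConnect(config-dot1x)# enable ethernet 3
PowerConnect(config-dot1x)# auth-fail-action restrict-vlan 99
PowerConnect(config-dot1x)# auth-fail-force-restrict
PowerConnect(config-dot1x)# exit
! Port e 3: dual-mode (tagged in VLAN 20, untagged in the default VLAN) under 802.1X control
PowerConnect(config)# interface ethernet 3
PowerConnect(config-if-e10000-3)# dual-mode
PowerConnect(config-if-e10000-3)# dot1x port-control auto
PowerConnect(config-if-e10000-3)# exit
```

With auth-fail-force-restrict set, the phone's own untagged MAC session moves to VLAN 99 together with the failed PC's, which is why the list above counts three sessions on port e 3; only the phone's tagged session on VLAN 20 keeps its original access.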