Quick Reference Guide
950 PowerConnect B-Series TI24X Configuration Guide
53-1002269-02
Configuring 802.1X port security
28
• Specify the authentication-failure action
• Specify the number of authentication attempts the device makes before dropping packets
• Disabling aging for dot1x-mac-sessions
• Configure aging time for blocked Clients
• Clear the dot1x-mac-session for a MAC address
Specifying the authentication-failure action
In an 802.1X multiple-host configuration, if RADIUS authentication for a Client is unsuccessful,
traffic from that Client is either dropped in hardware (the default), or the Client port is placed in a
“restricted” VLAN. You can specify which of these two authentication-failure actions is to be used.
If the authentication-failure action is to place the port in a restricted VLAN, you can specify the ID of
the restricted VLAN.
To specify that the authentication-failure action is to place the Client port in a restricted VLAN, enter
the following command.
PowerConnect(config)# dot1x-enable
PowerConnect(config-dot1x)# auth-fail-action restricted-vlan
Syntax: [no] auth-fail-action restricted-vlan
To specify the ID of the restricted VLAN as VLAN 300, enter the following command.
PowerConnect(config-dot1x)# auth-fail-vlanid 300
Syntax: [no] auth-fail-vlanid <vlan-id>
Specifying the number of authentication attempts the device makes before dropping packets
When the authentication-failure action is to drop traffic from the Client, and the initial
authentication attempt made by the device to authenticate the Client is unsuccessful, the Dell
device immediately retries to authenticate the Client. After three unsuccessful authentication
attempts, the Client dot1x-mac-session is set to “access-denied”, causing traffic from the Client to
be dropped in hardware.
You can optionally configure the number of authentication attempts the device makes before
dropping traffic from the Client. To do so, enter a command such as the following.
PowerConnect(config-dot1x)# auth-fail-max-attempts 2
Syntax: [no] auth-fail-max-attempts <attempts>
By default, the device makes 3 attempts to authenticate a Client before dropping packets from the
Client. You can specify between 1 – 10 authentication attempts.
Disabling aging for dot1x-mac-sessions
The dot1x-mac-sessions for Clients authenticated or denied by a RADIUS server are aged out if no
traffic is received from the Client MAC address for a certain period of time. After a Client
dot1x-mac-session is aged out, the Client must be re-authenticated:
• Permitted dot1x-mac-sessions, which are the dot1x-mac-sessions for authenticated Clients, as
well as for non-authenticated Clients whose ports have been placed in the restricted VLAN, are
aged out if no traffic is received from the Client MAC address over the normal MAC aging
interval on the Dell device.
• Denied dot1x-mac-sessions, which are the dot1x-mac-sessions for non-authenticated Clients
that are blocked by the Dell device are aged out over a configurable software aging period.
(Refer to the next section for more information on configuring the software aging period).