Quick Reference Guide

952 PowerConnect B-Series TI24X Configuration Guide
53-1002269-02
Configuring 802.1X port security
28
Configuring VLAN access for non-EAP-capable clients
You can configure the Dell device to grant "guest" or restricted VLAN access to clients that do not
support Extensible Authentication Protocol (EAP). The restricted VLAN limits access to the network
or applications, instead of blocking access to these services altogether.
When the Dell device receives the first packet (non-EAP packet) from a client, the device waits for
10 seconds or the amount of time specified with the timeout restrict-fwd-period command. If the
Dell device does not receive subsequent packets after the timeout period, the device places the
client on the restricted VLAN.
This feature is disabled by default. To enable this feature and change the timeout period, enter
commands such as the following.
PowerConnect(config)# dot1x-enable
PowerConnect(config-dot1x)# restrict-forward-non-dot1x
PowerConnect(config-dot1x)# timeout restrict-fwd-period 15
Once the success timeout action is enabled, use the no form of the command to reset the RADIUS
timeout behavior to retry.
Syntax: timeout restrict-fwd-period <num>
The <num> parameter is a value from 0 to 32767. The default value is 10.
Configuring a timeout action to cancel 802.1X authentication for non-802.1X clients
Normally, the Dell-specific attribute obtained from the RADIUS server identifies a client as not
802.1X-capable and tells the switch not to perform 802.1X authentication for this client.
However, if you configure an auth-timeout-action at the global level, the Dell-specific attribute from
the RADIUS server is no longer required to cancel 802.1X authentication for a non-802.1X user. To
configure the timeout action, enter commands similar to the following at the global level.
PowerConnect(config)# dot1x-enable
PowerConnect(config-dot1x)# restrict-forward-non-dot1x auth-timeout-action
Syntax: restrict-forward-non-dot1x [auth-timeout-action]
To set the RADIUS timeout behavior to bypass 802.1X authentication and permit client access to the
network, enter commands similar to the following (at the interface level).
PowerConnect(config)# interface ethernet 1
PowerConnect(config-if-e100-1)# dot1x auth-timeout-action success
To set the RADIUS timeout behavior to bypass 802.1X authentication and return a failure, which
limits access to the network and moves the client to the restricted VLAN, enter commands similar
to the following (at the interface level).
PowerConnect(config)# interface ethernet 1
PowerConnect(config-if-e100-1)# dot1x auth-timeout-action failure
Syntax: [no] dot1x auth-timeout-action success
Syntax: [no] dot1x auth-timeout-action failure
NOTE
The success or failure of multi-device port authentication can change the effect of these commands.
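
The interface-level success action admits a client without 802.1X whenever RADIUS times out, so it helps to know which ports carry it. The following Python sketch is an added example, not part of this guide, that audits a saved configuration for the commands shown in this section. The stanza layout of the sample and all function names are assumptions.

```python
import re

# Constructed sample; the saved-config layout (indented sub-lines) is assumed.
SAMPLE_CONFIG = """\
dot1x-enable
 restrict-forward-non-dot1x auth-timeout-action
 timeout restrict-fwd-period 15
interface ethernet 1
 dot1x auth-timeout-action success
interface ethernet 2
 dot1x auth-timeout-action failure
interface ethernet 3
"""
TIMEOUT_RE = re.compile(r"dot1x auth-timeout-action (success|failure)")

def parse_stanzas(text):
    """Group indented lines under the unindented header line above them."""
    stanzas, current = {}, None
    for line in text.splitlines():
        if line.strip() in ("", "!"):
            continue
        if not line[0].isspace():
            current = line.strip()
            stanzas.setdefault(current, [])
        elif current is not None:
            stanzas[current].append(line.strip())
    return stanzas

def audit(text):
    """Report the restricted-VLAN and RADIUS-timeout settings in text."""
    stanzas = parse_stanzas(text)
    glob = stanzas.get("dot1x-enable", [])
    report = {"restrict_fwd_period": 10, "ports": {},  # 10 is the stated default
              "global_timeout_action":
                  "restrict-forward-non-dot1x auth-timeout-action" in glob}
    for line in glob:
        m = re.fullmatch(r"timeout restrict-fwd-period (\d+)", line)
        if m:
            report["restrict_fwd_period"] = int(m.group(1))
    for header, lines in stanzas.items():
        if header.startswith("interface ethernet "):
            found = [m.group(1) for m in map(TIMEOUT_RE.fullmatch, lines) if m]
            # With neither command set, the section names "retry" as the behavior.
            report["ports"][header.split()[-1]] = found[-1] if found else "retry"
    return report

def fail_open_ports(text):
    """Ports that permit access without 802.1X when RADIUS times out."""
    return sorted(p for p, a in audit(text)["ports"].items() if a == "success")
```

Calling fail_open_ports(SAMPLE_CONFIG) lists the ports to review; ports set to failure fall back to the restricted VLAN instead.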