FastIron Configuration Guide 1815
53-1002494-02
802.1X port security configuration
ICX devices – slotnum/portnum
FESX compact switches – portnum
Allowing access to multiple hosts
Brocade devices support 802.1X authentication for ports with more than one host connected to
them. If there are multiple hosts connected to a single 802.1X-enabled port, the Brocade device
authenticates each of them individually. Refer to “Configuring 802.1X multiple-host authentication”
on page 1815.
Configuring 802.1X multiple-host authentication
When multiple hosts are connected to the same 802.1X-enabled port, the functionality described
in “How 802.1X multiple-host authentication works” on page 1796 is enabled by default. You can
optionally do the following:
Specify the authentication-failure action
Specify the number of authentication attempts the device makes before dropping packets
Disable aging for dot1x-mac-sessions
Configure aging time for blocked clients
Move native VLAN mac-sessions to the restricted VLAN
Clear the dot1x-mac-session for a MAC address
Specifying the authentication-failure action
In an 802.1X multiple-host configuration, if RADIUS authentication for a client is unsuccessful,
either traffic from that client is dropped in hardware (the default), or the client port is placed in a
“restricted” VLAN. You can specify which of these authentication-failure actions to use. When you
enable 802.1X, the default authentication-failure action is to drop client traffic.
If you configure the authentication-failure action to place the client port in a restricted VLAN, you
can specify the ID of the restricted VLAN. If you do not specify a VLAN ID, the default VLAN is used.
You can configure the authentication-failure action using one of the following methods:
Configure the same authentication-failure action for all ports on the device (globally).
Configure an authentication-failure action on individual ports.
NOTE
You cannot configure the authentication-failure action globally and per-port at the same time.
To configure the authentication-failure action for all ports on the device to place the client port in a
restricted VLAN, enter the following commands.
Brocade(config)# dot1x-enable
Brocade(config-dot1x)# auth-fail-action restricted-vlan
Syntax: [no] auth-fail-action restricted-vlan
To specify VLAN 300 as the restricted VLAN for all ports on the device, enter the auth-fail-vlanid
<vlan-id> command.
Brocade(config-dot1x)# auth-fail-vlanid 300
Syntax: [no] auth-fail-vlanid <vlan-id>
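The guide notes that when auth-fail-action restricted-vlan is set without auth-fail-vlanid, clients that fail authentication are placed in the default VLAN. The following audit script is an added example, not part of the Brocade guide: it assumes the global dot1x-enable block appears in a running-config as an indented sub-command list terminated by "!", and the sample config is constructed.

```python
"""Check a FastIron running-config for the auth-fail caveat described above."""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample (not captured from a device). Assumed layout: the global
# 'dot1x-enable' block lists its sub-commands indented, terminated by '!'.
SAMPLE_CONFIG = """\
vlan 1 name DEFAULT-VLAN
!
dot1x-enable
 auth-fail-action restricted-vlan
!
"""


@dataclass
class Dot1xAudit:
    dot1x_enabled: bool
    auth_fail_action: str            # "drop" (the guide's default) or "restricted-vlan"
    restricted_vlan: Optional[int]   # None: the default VLAN would be used on failure
    findings: List[str] = field(default_factory=list)


def dot1x_block(config: str) -> Optional[List[str]]:
    """Return the sub-commands of the global dot1x-enable block, or None if absent."""
    block, inside = [], False
    for line in config.splitlines():
        if line.strip() == "dot1x-enable":
            inside = True
        elif inside:
            if not line.startswith(" "):      # '!' or the next top-level command ends it
                break
            block.append(line.strip())
    return block if inside else None


def audit_dot1x(config: str) -> Dot1xAudit:
    """Flag the restricted-vlan action configured with no auth-fail-vlanid."""
    block = dot1x_block(config)
    result = Dot1xAudit(block is not None, "drop", None)
    for cmd in block or []:
        if cmd == "auth-fail-action restricted-vlan":
            result.auth_fail_action = "restricted-vlan"
        elif cmd.startswith("auth-fail-vlanid "):
            result.restricted_vlan = int(cmd.split()[1])
    if result.auth_fail_action == "restricted-vlan" and result.restricted_vlan is None:
        result.findings.append("auth-fail-action restricted-vlan set without "
                               "auth-fail-vlanid: failed clients would land in the default VLAN")
    return result
```

Run audit_dot1x() over the output of "show running-config" saved to a file; an empty findings list with a populated restricted_vlan is the expected state for a restricted-VLAN deployment.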