How 802.1X port security works

802.1X multiple-host authentication has the following additions:

- Configurable hardware aging period for denied client dot1x-mac-sessions. Refer to “Configurable hardware aging period for denied client dot1x-mac-sessions” on page 162.

- Dynamic ACL and MAC address filter assignment in 802.1X multiple-host configurations. Refer to “Dynamically applying IP ACLs and MAC address filters to 802.1X ports” on page 170.

- Dynamic multiple VLAN assignment for 802.1X ports. Refer to “Dynamic multiple VLAN assignment for 802.1X ports” on page 168.

- Configure a restriction to forward authenticated and unauthenticated tagged and untagged clients to a restricted VLAN.

- Configure an override to send failed dot1x and non-dot1x clients to a restricted VLAN.

- Configure VLAN assignments for clients attempting to gain access through dual-mode ports.

- Enhancements to some show commands.

- Differences in command syntax for saving dynamic VLAN assignments to the startup-config file.

Configurable hardware aging period for denied client dot1x-mac-sessions

When one of the 802.1X-enabled Clients in a multiple-host configuration attempts to log into a network in which a Brocade device serves as an Authenticator, the device creates a dot1x-mac-session for the Client.

When a Client has been denied access to the network, its dot1x-mac-session is aged out if no traffic is received from the Client MAC address over a period of time. After a denied Client dot1x-mac-session ages out, the Client can be re-authenticated. Aging of a denied Client's dot1x-mac-session occurs in two phases, known as hardware aging and software aging.

The hardware aging period for a denied Client's dot1x-mac-session is not fixed at 70 seconds. Instead, it is equal to the length of time specified with the dot1x timeout quiet-period command. By default, the hardware aging time is 60 seconds. Once the hardware aging period ends, the software aging period begins. When the software aging period ends, the denied Client's dot1x-mac-session ages out, and the Client can be authenticated again.

802.1X port security and sFlow

sFlow is a standards-based protocol that allows network traffic to be sampled at a user-defined rate for the purpose of monitoring traffic flow patterns and identifying packet transfer rates on user-specified interfaces.

When you enable sFlow forwarding on an 802.1X-enabled interface, the samples taken from the interface include the user name string at the inbound or outbound port, or both, if that information is available.
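As an added example that is not part of the Brocade guide, the following parser decodes the sFlow v5 flow record that carries user name strings, the extended_user record (format 1004 in the sFlow v5 specification), so a collector can attribute sampled traffic on an 802.1X port to a user. The record bytes are constructed here for the demonstration; which of the source and destination user fields an agent fills for the inbound and outbound port is left to the agent.

```python
import struct

EXTENDED_USER_FORMAT = 1004  # sFlow v5 "extended_user" flow record (enterprise 0)
CHARSET_UTF8 = 106           # IANA MIBenum for UTF-8, used in the charset fields


def _xdr_opaque(data: bytes) -> bytes:
    """Encode bytes as an XDR variable-length opaque: 4-byte length, data, pad to 4."""
    pad = (-len(data)) % 4
    return struct.pack("!I", len(data)) + data + b"\x00" * pad


def build_extended_user(src_user: str, dst_user: str) -> bytes:
    """Build a constructed extended_user record (header + body) for the demo."""
    body = (struct.pack("!I", CHARSET_UTF8) + _xdr_opaque(src_user.encode())
            + struct.pack("!I", CHARSET_UTF8) + _xdr_opaque(dst_user.encode()))
    # Record header: data_format = (enterprise << 12) | format, then body length.
    return struct.pack("!II", EXTENDED_USER_FORMAT, len(body)) + body


def _read_opaque(buf: bytes, off: int):
    """Decode an XDR opaque at offset; return (data, offset past padding)."""
    (n,) = struct.unpack_from("!I", buf, off)
    off += 4
    data = buf[off:off + n]
    if len(data) != n:
        raise ValueError("truncated opaque field")
    return data, off + n + ((-n) % 4)


def parse_flow_record(buf: bytes) -> dict:
    """Parse one flow record; user fields are None unless it is extended_user."""
    fmt, length = struct.unpack_from("!II", buf, 0)
    enterprise, fmt_no = fmt >> 12, fmt & 0xFFF
    if enterprise != 0 or fmt_no != EXTENDED_USER_FORMAT:
        return {"format": fmt_no, "src_user": None, "dst_user": None}
    body = buf[8:8 + length]
    if len(body) != length:
        raise ValueError("truncated record")
    off = 0
    (src_cs,) = struct.unpack_from("!I", body, off); off += 4
    src, off = _read_opaque(body, off)
    (dst_cs,) = struct.unpack_from("!I", body, off); off += 4
    dst, off = _read_opaque(body, off)
    return {"format": fmt_no,
            "src_user": src.decode("utf-8") if src_cs == CHARSET_UTF8 else src,
            "dst_user": dst.decode("utf-8") if dst_cs == CHARSET_UTF8 else dst}
```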

For more information on sFlow, refer to the Brocade ICX 6650 Administration Guide.

162

Brocade ICX 6650 Security Configuration Guide


53-1002601-01
