PowerConnect B-Series FCX Configuration Guide 1245
53-1002266-01
Configuring 802.1X port security
34
Clearing a dot1x-mac-session for a MAC address
You can clear the dot1x-mac-session for a specified MAC address, so that the Client with that MAC 
address can be re-authenticated by the RADIUS server. 
Example 
PowerConnect#clear dot1x mac-session 00e0.1234.abd4
Syntax: clear dot1x mac-session <mac-address>
Defining MAC address filters for EAP frames
You can create MAC address filters to permit or deny EAP frames.  To do this, you specify the Dell 
PowerConnect device 802.1X group MAC address as the destination address in a MAC address 
filter, then apply the filter to an interface.
MAC address filters for EAPS on most devices
For example, the following command creates a MAC address filter that denies frames with the 
destination MAC address of 0180.c200.0003, which is the 802.1X group MAC address on the Dell 
PowerConnect device.
PowerConnect(config)#mac filter 1 deny any 0180.c200.0003 ffff.ffff.ffff
The following commands apply this filter to interface e 3/1.
PowerConnect(config)#interface e 3/1
PowerConnect(config-if-3/1)#mac filter-group 1
Refer to “Defining MAC address filters” on page 1280 for more information.
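The following Python script is an added example, not part of the original guide or of any Dell tooling. It reads configuration text and reports, for each interface with a MAC filter group, whether frames addressed to the 802.1X group MAC address are permitted or denied. It assumes that f digits in a mask mark the bits that must match and that the first matching filter in a group decides; the sample configuration is constructed.

```python
import re
EAP_GROUP_MAC = 0x0180C2000003  # 802.1X group MAC 0180.c200.0003, from the text

def to_int(mac):  # dotted-hex MAC or mask (0180.c200.0003) -> integer
    return int(mac.replace(".", ""), 16)

def take_field(tokens):
    """Consume 'any' or '<mac> <mask>'; return ((value, mask), remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0), tokens[1:]  # mask 0 matches every address
    return (to_int(tokens[0]), to_int(tokens[1])), tokens[2:]

def parse_config(text):
    """Return ({filter_id: (action, src, dst)}, {interface: [filter_ids]})."""
    filters, groups, current_if = {}, {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"mac filter (\d+) (permit|deny) (.+)$", line)
        if m:
            src, rest = take_field(m.group(3).split())
            dst, _ = take_field(rest)
            filters[int(m.group(1))] = (m.group(2), src, dst)
        elif line.startswith("interface "):
            current_if = line.split(None, 1)[1]
        elif line.startswith("mac filter-group ") and current_if:
            groups[current_if] = [int(t) for t in line.split()[2:]]
    return filters, groups

def eap_verdict(filters, filter_ids, src_mac=0x000000000001):
    """Action of the first filter matching an EAP frame, else 'no-match'."""
    for fid in filter_ids:
        action, (sv, sm), (dv, dm) = filters[fid]
        # Assumption: a set mask bit means "this bit must match"; first match wins.
        if (src_mac & sm) == (sv & sm) and (EAP_GROUP_MAC & dm) == (dv & dm):
            return action
    return "no-match"

def audit(text):
    filters, groups = parse_config(text)
    return {ifc: eap_verdict(filters, ids) for ifc, ids in groups.items()}

# Constructed sample configuration (not from a real device).
SAMPLE = """
mac filter 1 deny any 0180.c200.0003 ffff.ffff.ffff
mac filter 2 permit any 0180.c200.0000 ffff.ffff.fff0
interface e 3/1
 mac filter-group 1
interface e 3/2
 mac filter-group 2 1
"""
print(audit(SAMPLE))
```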
Configuring VLAN access for non-EAP-capable clients
You can configure the Dell PowerConnect device to grant "guest" or restricted VLAN access to 
clients that do not support the Extensible Authentication Protocol (EAP). The restricted VLAN limits access to the network or 
applications, instead of blocking access to these services altogether. 
When the Dell PowerConnect device receives the first packet (non-EAP packet) from a client, the 
device waits for 10 seconds or the amount of time specified with the timeout restrict-fwd-period 
command.  If the Dell PowerConnect device does not receive subsequent packets after the timeout 
period, the device places the client on the restricted VLAN.
This feature is disabled by default. To enable this feature and change the timeout period, enter 
commands such as the following.
PowerConnect(config)#dot1x-enable
PowerConnect(config-dot1x)#restrict-forward-non-dot1x
PowerConnect(config-dot1x)#timeout restrict-fwd-period 15
Once the success timeout action is enabled, use the no form of the command to reset the RADIUS 
timeout behavior to retry.
Syntax: timeout restrict-fwd-period <num>
The <num> parameter is a value from 0 to 4294967295.  The default value is 10.