970 BigIron RX Series Configuration Guide
53-1002253-01
802.1x port security and sFlow
33
• When a Client has been denied access to the network, its dot1x-mac-session is aged
out if no traffic is received from the Client’s MAC address over a fixed hardware aging
period (70 seconds), plus a configurable software aging period. You can optionally
change the software aging period for dot1x-mac-sessions or disable aging altogether.
After the denied Client’s dot1x-mac-session is aged out, traffic from that Client is no
longer blocked, and the Client can be re-authenticated.
802.1x port security and sFlow
sFlow is a system for observing traffic flow patterns and quantities within and among a set of the
BigIron RX devices. sFlow works by taking periodic samples of network data and exporting this
information to a collector.
When you enable sFlow forwarding on an 802.1x-enabled interface, the samples taken from the
interface include the user name string at the inbound or outbound port, if that information is
available.
Configuring 802.1x port security
Configuring 802.1x port security on a BigIron RX consists of the following tasks.
1. Configuring the BigIron RX device’s interaction with the Authentication Server:
• “Configuring an authentication method list for 802.1x” on page 971
• “Setting RADIUS parameters” on page 971
• “Configuring dynamic VLAN assignment for 802.1x ports” on page 972 (optional)
2. Configuring the BigIron RX’s role as the Authenticator:
• “Enabling 802.1x port security” on page 976
• “Initializing 802.1x on a port” on page 980 (optional)
3. Configuring the BigIron RX device’s interaction with Clients:
• “Configuring periodic re-authentication” on page 978 (optional)
• “Re-authenticating a port manually” on page 978 (optional)
• “Setting the quiet period” on page 979 (optional)
• “Setting the interval for retransmission of EAP-request/ identity frames” on page 979
(optional)
• “Specifying the number of EAP-request/identity frame retransmissions” on page 979
(optional)
• “Specifying a timeout for retransmission of EAP-request frames to the client” on page 980
(optional)
• “Allowing multiple 802.1x clients to authenticate” on page 980 (optional)
Multi-Device Port Authentication and 802.1x authentication can both be enabled on a port; however
only one of them can authenticate a MAC address/802.1x client.
To Next Page
Loading...
