Send a failed dot1x client to a restricted vlan – Brocade TurboIron 24X Series Configuration Guide User Manual

Brocade TurboIron 24X Series Configuration Guide
53-1003053-01
Configuring 802.1X port security
Syntax: [no] dot1x auth-timeout-action failure
Once the failure timeout action is enabled, use the no form of the command to reset the RADIUS
timeout behavior to retry.
NOTE
If restrict-vlan is configured along with auth-timeout-action failure, the user will be placed into a
VLAN with restricted or limited access. Refer to
“Allow user access to a restricted VLAN after a
Allow user access to a restricted VLAN after a RADIUS timeout
To set the RADIUS timeout behavior to bypass 802.1X authentication and place the user in a VLAN
with restricted or limited access, enter commands such as the following:
TurboIron(config)#interface ethernet 1
TurboIron(config-if-e100-1)#dot1x auth-fail-action restrict-vlan 100
TurboIron(config-if-e100-1)#dot1x auth-timeout-action failure
Syntax: [no] dot1x auth-fail-action restrict-vlan [<vlan-id>]
Syntax: [no] dot1x auth-timeout-action failure
Send a failed Dot1X client to a restricted VLAN
In
, a VoIP phone sends both tagged and untagged traffic to dual-mode port e 3.
Assuming the VoIP phone is authenticated to a voice VLAN as tagged, a MAC session for the VoIP
phone is learned on the voice VLAN. In addition, since the phone sends untagged traffic, a MAC
session is also learned on the native untagged VLAN (based on the VLAN dual-mode configuration).
Use the auth-fail-force-restrict command to override the VoIP MAC session on the native VLAN, and
move the PVID for the port to the restricted VLAN. Future untagged traffic from both phone and
client establishes MAC sessions on the restricted VLAN, for restricted access.
This command is configured under the global dot1x-enable command as follows:
TurboIron(config)#dot1x-enable
TurboIron(config-dot1x)#auth-fail-force-restrict
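
The following is an added example, not part of the Brocade guide: a Python sketch that reads a saved configuration and reports, for each interface, what happens to a client when RADIUS times out, using only the commands shown above. The configuration layout (indented sub-commands, "!" separators), the sample text and the function name audit_dot1x are assumptions constructed for illustration.

```python
import re

# Constructed sample; the layout (indented sub-commands, "!" separators) is an assumption.
SAMPLE_CONFIG = """\
dot1x-enable
 auth-fail-force-restrict
!
interface ethernet 1
 dot1x auth-fail-action restrict-vlan 100
 dot1x auth-timeout-action failure
!
interface ethernet 2
 dot1x auth-timeout-action failure
!
interface ethernet 3
 dot1x auth-fail-action restrict-vlan 100
"""

def audit_dot1x(config_text):
    """Return (force_restrict, {port: {"restrict_vlan": ..., "timeout": ...}})."""
    force_restrict = False
    ports = {}
    section = None  # "dot1x", a port id, or None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not raw.startswith((" ", "\t")):  # an unindented line opens a new section
            m = re.fullmatch(r"interface ethernet (\S+)", line)
            if m:
                section = m.group(1)
                ports[section] = {"restrict_vlan": None, "timeout": "retry"}  # retry is the default
            else:
                section = "dot1x" if line == "dot1x-enable" else None
            continue
        if section == "dot1x":
            force_restrict = force_restrict or line == "auth-fail-force-restrict"
        elif section in ports:
            m = re.fullmatch(r"dot1x auth-fail-action restrict-vlan(?: (\d+))?", line)
            if m:
                ports[section]["restrict_vlan"] = m.group(1) or "unspecified"
            elif line == "dot1x auth-timeout-action failure":
                ports[section]["timeout"] = "failure"
    # Per the NOTE above: restrict-vlan plus timeout failure puts the user in the restricted VLAN.
    for p in ports.values():
        if p["timeout"] == "failure" and p["restrict_vlan"]:
            p["timeout"] = "restricted-vlan " + p["restrict_vlan"]
    return force_restrict, ports

if __name__ == "__main__":
    print(audit_dot1x(SAMPLE_CONFIG))
```

In the sample, port 2 treats a RADIUS timeout as a failure with no restricted VLAN on the interface, and port 3 has a restricted VLAN for failed clients but still retries on timeout; both are worth reviewing against the intended policy.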