Alcatel-Lucent 6850-48 Network Guide

802.1X Overview
Configuring 802.1X
page 37-6
OmniSwitch AOS Release 6 Network Configuration Guide
September 2009
• If the authentication server does not return a VLAN ID or authentication fails, then the supplicant is 
classified according to any device classification policies that are configured for the port. See 
 for more information.
• If the authentication server does not return a VLAN ID and there are no user-configured device
classification policies for the port, Group Mobility is used to classify the supplicant. If Group Mobility is
unable to classify the supplicant, the supplicant is assigned to the default VLAN for the 802.1X port. 
• If the authentication fails and there are no user-configured device classification policies for the port, 
the supplicant is blocked. 
Note that multiple supplicants can be authenticated on a given 802.1X port. Each supplicant MAC address 
received on the port is authenticated, learned, and classified separately, as described above.
The global configuration of this feature is controlled by the
command enables 802.1X for the switch and identifies the primary and backup authentication servers. See 
 for more information about configuring this command.
Using the
 command, an administrator may force an 802.1X port to always accept any frames on 
the port (therefore not requiring a device to first authenticate on the port); or an administrator may force 
the port to never accept any frames on the port. See 
.
802.1X Ports and DHCP
DHCP requests on an 802.1X port are treated as any other traffic on the 802.1X port.
When the port is in an unauthorized state (which means no device has authenticated on the port), the port 
is blocked from receiving any traffic except 802.1X packets. This means that DHCP requests will be 
blocked as well.
When the port is in a forced unauthorized state (the port is manually set to unauthorized), the port is 
blocked from receiving all traffic, including 802.1X packets and DHCP requests. 
If the port is in a forced authorized state (manually set to authorized), any traffic, including DHCP, is 
allowed on the port.
If the port is in an authorized state because a device has authenticated on the port, only traffic with an 
authenticated MAC address is allowed on the port. DHCP requests from the authenticated MAC address 
are allowed; any others are blocked.
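The four port states described above can be written as a frame-admission check. The following is an added example, not code from the OmniSwitch guide or from AOS: the state labels, function names and sample frames are this example's own, and it assumes untagged Ethernet II frames and that 802.1X frames remain accepted on an authorized port so that additional supplicants can authenticate.

```python
import struct

EAPOL = 0x888E  # EtherType of 802.1X (EAP over LAN) frames

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def frame_kind(frame: bytes) -> str:
    """Classify an untagged Ethernet II frame as 'eapol', 'dhcp' or 'other'."""
    if len(frame) < 14:
        return "other"
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == EAPOL:
        return "eapol"
    if ethertype == 0x0800 and len(frame) >= 34:
        ihl = (frame[14] & 0x0F) * 4               # IPv4 header length in bytes
        if ihl >= 20 and frame[23] == 17 and len(frame) >= 14 + ihl + 4:
            sport, dport = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
            if (sport, dport) == (68, 67):         # DHCP client request
                return "dhcp"
    return "other"

def admit(state: str, frame: bytes, authenticated: set) -> bool:
    """Return True if the port accepts the frame (state labels are hypothetical)."""
    if state == "force-unauthorized":              # blocks everything, 802.1X included
        return False
    if state == "force-authorized":                # accepts everything, DHCP included
        return True
    if state not in ("unauthorized", "authorized"):
        raise ValueError(f"unknown port state: {state}")
    if len(frame) < 14:
        return False
    if frame_kind(frame) == "eapol":
        # Assumption: 802.1X frames are still accepted on an authorized port,
        # so that further supplicants can authenticate on it.
        return True
    return state == "authorized" and mac(frame[6:12]) in authenticated

# Constructed sample frames (not captured traffic); destination simplified to broadcast.
def eth(src: str, ethertype: int, payload: bytes) -> bytes:
    return b"\xff" * 6 + bytes.fromhex(src.replace(":", "")) + struct.pack("!H", ethertype) + payload

def dhcp_request(src: str) -> bytes:
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0, bytes(4), b"\xff" * 4)
    return eth(src, 0x0800, ip + struct.pack("!HHHH", 68, 67, 8, 0))

def eapol_start(src: str) -> bytes:
    return eth(src, EAPOL, bytes([1, 1, 0, 0]))    # version 1, type 1 (EAPOL-Start), length 0
```

A check like this is useful as an expected-result table when testing a port configuration: a DHCP request from a MAC that has not authenticated should never be admitted unless the port is in the forced authorized state.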
Re-authentication
After a supplicant has successfully authenticated through an 802.1X port, the switch may be configured to 
periodically re-authenticate the supplicant (re-authentication is disabled by default). In addition, the 
supplicant may be manually re-authenticated (see 
The re-authentication process is transparent to a user connected to the authorized port. The process is used 
for security and allows the authenticator (the OmniSwitch) to maintain the 802.1X connection.
Note. If the MAC address of the supplicant has aged out during the authentication session, the 802.1X 
software in the switch will alert the source learning software in the switch to re-learn the address. 
802.1X ports may also be initialized if there is a problem on the port. Initializing a port drops connectivity to 
the port and requires the port to be re-authenticated. See
.