How Flexible authentication works for multiple clients

When multiple hosts are connected to a port on an ICX device, Flexible authentication is performed in the following way.
  1. One of the 802.1X-enabled clients attempts to log in to a network in which an ICX device serves as an authenticator.
  2. The ICX device creates an internal session for the client. The session associates the client's MAC address and username with its authentication status. Because sessions are keyed by MAC address, a user who connects from more than one client (each with its own MAC address) must authenticate separately from each client.
  3. The ICX device performs 802.1X or MAC authentication for the client. Messages are exchanged between the ICX device and the client and between the ICX device and the authentication (RADIUS) server. The result of this process is that the client is either successfully authenticated or not authenticated, based on the access policy configured on the RADIUS server.
  4. If the client is successfully authenticated, the client session is set to "access-allowed." This means that traffic from the client can be forwarded normally.
  5. If authentication for the client is unsuccessful, an authentication failure action is applied. The authentication failure action can be either to drop traffic from the client or to place the client in a restricted VLAN:
    • If the authentication failure action is to drop traffic from the client, the client session is set to "access-denied." This causes traffic from the client to be dropped in hardware.
    • If the authentication failure action is to place the client in a restricted VLAN, the client session is set to "access-restrict." The client is placed in the specified restricted VLAN, and traffic from the client is forwarded normally within that VLAN.
  6. The previous steps are repeated for all clients.
  7. When the client disconnects from the network, the ICX device deletes the client session. This does not affect the session or authentication status (if any) of the other hosts connected on the port.
  8. If the RADIUS server returns IP ACLs for any of the clients, each such user ACL is applied to that client's own session rather than to the port as a whole.
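The following Python model walks through the steps above for several clients sharing one port. It is an added illustration, not ICX or RADIUS code: the `RadiusPolicy`, `Port` and `Session` classes, the sample user database, and the ACL format `(action, destination network)` are all constructed for the example. The point it demonstrates is that every decision (state, VLAN, ACLs, deletion) is keyed by client MAC address, so one client's failure or disconnect never changes another client's session on the same port.

```python
"""Per-client session table kept by Flexible authentication for one port.
Added illustration only; RadiusPolicy, Port, Session and the sample users
are constructed for this example and are not ICX or RADIUS code."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional
import ipaddress


class State(Enum):
    ALLOWED = "access-allowed"    # step 4: traffic forwarded normally
    DENIED = "access-denied"      # step 5: traffic dropped in hardware
    RESTRICT = "access-restrict"  # step 5: client placed in the restricted VLAN


@dataclass
class Session:
    mac: str
    username: str
    state: State
    vlan: Optional[int]
    acls: list = field(default_factory=list)  # [(action, dst_network)], first match wins


class RadiusPolicy:
    """Stand-in for the RADIUS server's access policy (constructed sample data)."""

    def __init__(self, users):
        self.users = users  # username -> {"credential", "vlan", "acls"}

    def authenticate(self, username, credential):
        entry = self.users.get(username)
        if entry is None or entry["credential"] != credential:
            return None  # Access-Reject
        return {"vlan": entry.get("vlan"), "acls": list(entry.get("acls", []))}


class Port:
    """One authenticator port; sessions are keyed by client MAC, never by port."""

    def __init__(self, radius, default_vlan, fail_action="drop", restricted_vlan=None):
        self.radius = radius
        self.default_vlan = default_vlan
        self.fail_action = fail_action          # "drop" or "restricted-vlan"
        self.restricted_vlan = restricted_vlan
        self.sessions = {}                      # mac -> Session

    def client_connect(self, mac, username, credential):
        """Steps 2-5: create the session, authenticate, set its state."""
        result = self.radius.authenticate(username, credential)
        if result is not None:
            session = Session(mac, username, State.ALLOWED,
                              result["vlan"] or self.default_vlan, result["acls"])
        elif self.fail_action == "restricted-vlan" and self.restricted_vlan is not None:
            session = Session(mac, username, State.RESTRICT, self.restricted_vlan)
        else:
            session = Session(mac, username, State.DENIED, None)
        self.sessions[mac] = session  # a second MAC for the same user gets its own entry
        return session

    def forwards(self, mac, dst_ip):
        """Steps 4, 5 and 8: would a frame from this MAC to dst_ip be forwarded?"""
        session = self.sessions.get(mac)
        if session is None or session.state is State.DENIED:
            return False
        addr = ipaddress.ip_address(dst_ip)
        for action, network in session.acls:  # user ACL applies to this session only
            if addr in ipaddress.ip_network(network):
                return action == "permit"
        return True  # no ACL entry matched: forward normally

    def client_disconnect(self, mac):
        """Step 7: delete only this client's session."""
        self.sessions.pop(mac, None)


def demo():
    """Constructed scenario: three users, four MAC addresses, one port."""
    radius = RadiusPolicy({
        "alice": {"credential": "alice-pw", "vlan": 100},
        "bob": {"credential": "bob-pw", "vlan": 100,
                "acls": [("deny", "10.0.0.0/8"), ("permit", "0.0.0.0/0")]},
    })
    port = Port(radius, default_vlan=10, fail_action="restricted-vlan", restricted_vlan=999)
    port.client_connect("00:11:22:33:44:01", "alice", "alice-pw")
    port.client_connect("00:11:22:33:44:02", "bob", "bob-pw")
    port.client_connect("00:11:22:33:44:03", "mallory", "guess")
    port.client_connect("00:11:22:33:44:04", "alice", "wrong-pw")  # same user, new MAC
    before = {m: s.state.value for m, s in port.sessions.items()}
    port.client_disconnect("00:11:22:33:44:03")
    after = {m: s.state.value for m, s in port.sessions.items()}
    return port, before, after
```

Running `demo()` shows alice's first MAC as access-allowed while her second MAC, which failed authentication, lands in the restricted VLAN as its own access-restrict session; bob's ACL blocks only bob's traffic to 10.0.0.0/8; and deleting mallory's session leaves the other three untouched. Constructing a `Port` with the default `fail_action="drop"` yields access-denied sessions whose traffic is never forwarded.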