Brocade Communications Systems 6650 Switch User Manual


 
Brocade ICX 6650 Security Configuration Guide 159
53-1002601-01
How 802.1X port security works
Brocade(config)# ip mtu 1500
Syntax: [no] ip mtu num
The num parameter specifies the MTU. Ethernet II packets can hold IP packets from 576 to 1500
bytes long. If jumbo mode is enabled, Ethernet II packets can hold IP packets from 576 to 10,222
bytes long. Ethernet SNAP packets can hold IP packets from 576 to 1492 bytes long. If jumbo mode
is enabled, SNAP packets can hold IP packets from 576 to 10,214 bytes long. The default MTU is
1500 for Ethernet II packets and 1492 for SNAP packets.
EAP pass-through support
EAP pass-through is supported on Brocade ICX 6650 devices that have 802.1X enabled. EAP
pass-through support is fully compliant with RFC 3748, under which compliant pass-through
authenticator implementations, by default, forward EAP challenge request packets of any type,
including those listed in the previous section.
Configuration notes for setting the IP MTU size
If the 802.1X supplicant or authentication server will be sending packets that exceed an MTU of
1500, configure the device to accommodate a larger buffer size to reduce problems during
initial setup. Refer to the Brocade ICX 6650 Layer 3 Routing Configuration Guide.
Support for RADIUS user-name attribute in access-accept messages
Brocade 802.1X-enabled ports support the RADIUS user-name (type 1) attribute in the
Access-Accept message returned during 802.1X authentication.
This feature is useful when the client/supplicant does not provide its user name in the
EAP-response/identity frame, and the user name is key to providing useful information. For
example, when the user-name attribute is sent in the Access-Accept message, it is available
for display in sFlow sample messages sent to a collector and in the output of some show dot1x CLI
commands, such as show dot1x mac-sessions.
The same information is sent to the RADIUS accounting servers as the “user-name” attribute of
RADIUS accounting messages.
To enable this feature, add the following attribute on the RADIUS server.
TABLE 25 RADIUS attributes
Attribute name    Type    Value
user-name         1       name (string)

Authenticating multiple hosts connected to the same port
Brocade devices support 802.1X authentication for ports with more than one host connected to
them. Figure 5 illustrates a sample configuration where multiple hosts are connected to a single
802.1X port.