Support User Manuals

Brocade Communications Systems 6650 Switch User Manual

Open as PDF

of 332

Brocade ICX 6650 Security Configuration Guide 159

53-1002601-01

How 802.1X port security works

Brocade(config)# ip mtu 1500

Syntax: [no] ip mtu num

The num parameter specifies the MTU. Ethernet II packets can hold IP packets from 576–1500

bytes long. If jumbo mode is enabled, Ethernet II packets can hold IP packets from 576–10,222

bytes long. Ethernet SNAP packets can hold IP packets from 576–1492 bytes long. If jumbo mode

is enabled, SNAP packets can hold IP packets from 576 to 10,214 bytes long. The default MTU is

1500 for Ethernet II packets and 1492 for SNAP packets.

EAP pass-through support

EAP pass-through is supported on Brocade ICX 6650 devices that have 802.1X enabled. EAP

pass-through support is fully compliant with RFC 3748, in which, by default, compliant pass-through

authenticator implementations forward EAP challenge request packets of any type, including those

listed in the previous section.

Configuration notes for setting the IP MTU size

If the 802.1X supplicant or authentication server will be sending packets that are greater than

1500 MTU, you should configure the device to accommodate a larger buffer size, in order to reduce

problems during initial setup. Refer to Brocade ICX 6650 Layer 3 Routing Configuration Guide.

Support for RADIUS user-name attribute in access-accept messages

Brocade 802.1X-enabled ports support the RADIUS user-name (type 1) attribute in the

Access-Accept message returned during 802.1X authentication.

This feature is useful when the client/supplicant does not provide its user-name in the

EAP-response/identity frame, and the username is key to providing useful information. For

example, when the user-name attribute is sent in the Access-Accept message, it is then available

for display in sFlow sample messages sent to a collector, and in the output of some show dot1x CLI

commands, such as show dot1x mac-sessions.

This same information is sent as the “user-name” attribute of RADIUS accounting messages, and is

sent to the RADIUS accounting servers.

To enable this feature, add the following attribute on the RADIUS server.

Authenticating multiple hosts connected to the same port

Brocade devices support 802.1X authentication for ports with more than one host connected to

them. Figure 5 illustrates a sample configuration where multiple hosts are connected to a single

802.1X port.

TABLE 25 RADIUS attributes

Attribute name Type Value

user-name 1 name (string)

previous next