Support User Manuals

Brocade Communications Systems 6650 Switch User Manual

Open as PDF

of 332

166 Brocade ICX 6650 Security Configuration Guide

53-1002601-01

802.1X port security configuration

Re-authenticate a user

To configure RADIUS timeout behavior to bypass multi-device port authentication and permit user

access to the network, enter commands similar to the following

Brocade(config)# interface ethernet 1/3/1

Brocade(config-if-e10000-1/3/1)# dot1x re-auth-timeout-success 60

Syntax: [no] dot1x re-auth-timeout- success seconds

The seconds parameter specifies the number of seconds the device will wait to re-authenticate a

user after a timeout. The minimum value is 10 seconds. The maximum value is 2

16

-1 (maximum

unsigned 16-bit value).

Deny user access to the network after a RADIUS timeout

To set the RADIUS timeout behavior to bypass 802.1X authentication and block user access to the

network, enter commands such as the following

Brocade(config)# interface ethernet 1/3/1

Brocade(config-if-e10000-1/3/1)# dot1x auth-timeout-action failure

Syntax: [no] dot1x auth-timeout-action failure

Once the failure timeout action is enabled, use the no form of the command to reset the RADIUS

timeout behavior to retry.

NOTE

If restrict-vlan is configured along with auth-timeout-action failure, the user will be placed into a

VLAN with restricted or limited access.Refer to “Allow user access to a restricted VLAN after a

RADIUS timeout” on page 166.

Allow user access to a restricted VLAN after a RADIUS timeout

To set the RADIUS timeout behavior to bypass 802.1X authentication and place the user in a VLAN

with restricted or limited access, enter commands such as the following

Brocade(config)# interface ethernet 1/3/1

Brocade(config-if-e10000-1/3/1)# dot1x auth-timeout-action failure

Syntax: [no] dot1x auth-timeout-action failure

NOTE

The commands auth-fail-action restrict-vlan and auth-fail-vlanid are supported in the global dot1x

mode and are not supported at the port-level. The failure action of dot1x auth-timeout-action failure

will follow the auth-fail-action defined at the global dot1x level.

Dynamic VLAN assignment for 802.1X port configuration

When a client successfully completes the EAP authentication process, the Authentication Server

(the RADIUS server) sends the Authenticator (the Brocade device) a RADIUS Access-Accept

message that grants the client access to the network. The RADIUS Access-Accept message

contains attributes set for the user in the user's access profile on the RADIUS server.

previous next