Brocade Communications Systems 6650 Switch User Manual


 
182 Brocade ICX 6650 Security Configuration Guide
53-1002601-01
MAC address filters for EAP frames
You can create MAC address filters to permit or deny EAP frames. To do this, you specify the
Brocade device 802.1X group MAC address as the destination address in a MAC address filter, then
apply the filter to an interface.
Creating MAC address filters for EAP on most devices
For example, the following command creates a MAC address filter that denies frames with the
destination MAC address of 0000.00c2.0003, which is the 802.1X group MAC address on the
Brocade device.
Brocade(config)# mac filter 1 deny any 0000.00c2.0003 ffff.ffff.ffff
The following commands apply this filter to interface e 1/3/1.
Brocade(config)# interface e 1/3/1
Brocade(config-if-e10000-1/3/1)# mac filter-group 1
Refer to “Defining MAC address filters” on page 239 for more information.
Configuring VLAN access for non-EAP-capable clients
You can configure the Brocade device to grant "guest" or restricted VLAN access to clients that do
not support EAP (Extensible Authentication Protocol). The restricted VLAN limits access to the
network or applications, instead of blocking access to these services altogether.
When the Brocade device receives the first packet (non-EAP packet) from a client, the device waits
for 10 seconds or the amount of time specified with the timeout restrict-fwd-period command. If
the Brocade device does not receive subsequent packets after the timeout period, the device
places the client on the restricted VLAN.
This feature is disabled by default. To enable this feature and change the timeout period, enter
commands such as the following.
Brocade(config)# dot1x-enable
Brocade(config-dot1x)# restrict-forward-non-dot1x
Brocade(config-dot1x)# timeout restrict-fwd-period 15
Once the success timeout action is enabled, use the no form of the command to reset the RADIUS
timeout behavior to retry.
Syntax: timeout restrict-fwd-period num
The num parameter is a value from 0 to 4294967295. The default value is 10.
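The two settings above (a MAC filter that denies frames to the 802.1X group MAC, and the non-EAP restricted-VLAN fallback) are worth auditing together, because a port whose filter-group denies EAP frames can never complete 802.1X. The following is an added example, not Brocade code: it parses a constructed running-config excerpt in the command syntax shown in this guide and reports which interfaces block EAP and what the restricted-VLAN timeout is; the interface keyword is assumed to appear as either "e" or "ethernet".

```python
import re

# 802.1X group MAC address used as the destination of EAP frames (from the guide).
DOT1X_GROUP_MAC = "0000.00c2.0003"

# Constructed running-config excerpt (not captured from a real switch).
SAMPLE_CONFIG = """\
mac filter 1 deny any 0000.00c2.0003 ffff.ffff.ffff
mac filter 2 permit any any
interface ethernet 1/3/1
 mac filter-group 1
interface ethernet 1/3/2
 mac filter-group 2
dot1x-enable
 restrict-forward-non-dot1x
 timeout restrict-fwd-period 15
"""


def audit_dot1x_config(config_text):
    """Report interfaces whose MAC filter-group denies EAP frames (so 802.1X
    cannot complete there) and the non-EAP restricted-VLAN settings."""
    eap_deny_filters = set()   # filter ids that deny the 802.1X group MAC
    filter_groups = {}         # interface -> set of applied filter ids
    current_if = None
    restrict_forward = False
    fwd_period = 10            # guide default when the timeout is not set
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"mac filter (\d+) deny any (\S+) \S+$", line)
        if m:
            if m.group(2).lower() == DOT1X_GROUP_MAC:
                eap_deny_filters.add(int(m.group(1)))
            continue
        m = re.match(r"interface e(?:thernet)? (\S+)$", line)
        if m:
            current_if = m.group(1)
            continue
        if line == "dot1x-enable":
            current_if = None  # leaving interface context
            continue
        m = re.match(r"mac filter-group (\d+)$", line)
        if m and current_if:
            filter_groups.setdefault(current_if, set()).add(int(m.group(1)))
        elif line == "restrict-forward-non-dot1x":
            restrict_forward = True
        else:
            m = re.match(r"timeout restrict-fwd-period (\d+)$", line)
            if m:
                fwd_period = int(m.group(1))
    blocked = sorted(i for i, ids in filter_groups.items() if ids & eap_deny_filters)
    return {"eap_blocked_interfaces": blocked,
            "restrict_forward_non_dot1x": restrict_forward,
            "restrict_fwd_period": fwd_period}
```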
802.1X accounting configuration
802.1X accounting enables the recording of information about 802.1X clients who were
successfully authenticated and allowed access to the network. When 802.1X accounting is
enabled on the Brocade device, it sends the following information to a RADIUS server whenever an
authenticated 802.1X client (user) logs into or out of the Brocade device:
The user name
The session ID