Brocade Communications Systems 6650 Switch User Manual


 
236 Brocade ICX 6650 Security Configuration Guide
53-1002601-01
If neither of these VSAs exists in a device profile on the RADIUS server, then by default the device is
subject to multi-device port authentication (if configured), then 802.1X authentication (if
configured). The RADIUS record can be used for both multi-device port authentication and 802.1X
authentication.

Configuration examples are shown in “Examples of multi-device port authentication and 802.1X
authentication configuration on the same port” on page 263.

Multi-device port authentication configuration
Configuring multi-device port authentication on the Brocade device consists of the following tasks:

- Enabling multi-device port authentication globally and on individual interfaces
- Specifying the format of the MAC addresses sent to the RADIUS server (optional)
- Specifying the authentication-failure action (optional)
- Enabling and disabling SNMP traps for multi-device port authentication
- Defining MAC address filters (optional)
- Configuring dynamic VLAN assignment (optional)
- Dynamically applying IP ACLs to authenticated MAC addresses
- Enabling denial of service attack protection (optional)

TABLE 55 Brocade vendor-specific attributes for RADIUS

| Attribute name | Attribute ID | Data type | Description |
|---|---|---|---|
| Foundry-802_1x-enable | 6 | integer | Specifies whether 802.1X authentication is performed when multi-device port authentication is successful for a device. This attribute can be set to one of the following: 0 - Do not perform 802.1X authentication on a device that passes multi-device port authentication. Set the attribute to zero for devices that do not support 802.1X authentication. 1 - Perform 802.1X authentication when a device passes multi-device port authentication. Set the attribute to one for devices that support 802.1X authentication. |
| Foundry-802_1x-valid | 7 | integer | Specifies whether the RADIUS record is valid only for multi-device port authentication, or for both multi-device port authentication and 802.1X authentication. This attribute can be set to one of the following: 0 - The RADIUS record is valid only for multi-device port authentication. Set this attribute to zero to prevent a user from using their MAC address as username and password for 802.1X authentication. 1 - The RADIUS record is valid for both multi-device port authentication and 802.1X authentication. |
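
The following is an added example, not taken from the Brocade guide: a Python sketch for auditing what a RADIUS device profile tells the switch through the two attributes in Table 55. It assumes the standard RFC 2865 Vendor-Specific encoding (attribute type 26) and the Foundry Networks enterprise number 1991, neither of which is stated on this page; the function names and the sample profile bytes are constructed for illustration, and treating each attribute as 1 when it alone is absent is an assumption (the guide only describes the case where both are absent).

```python
import struct

FOUNDRY_VENDOR_ID = 1991          # assumption: IANA enterprise number, not given on this page
VSA_TYPE = 26                     # RADIUS Vendor-Specific attribute (RFC 2865)
DOT1X_ENABLE, DOT1X_VALID = 6, 7  # attribute IDs from Table 55


def foundry_vsas(attrs: bytes) -> dict:
    """Walk RADIUS attribute bytes; return {attribute ID: integer} for Foundry VSAs."""
    found, i = {}, 0
    while i + 2 <= len(attrs):
        a_type, a_len = attrs[i], attrs[i + 1]
        if a_len < 2 or i + a_len > len(attrs):
            raise ValueError(f"malformed attribute at offset {i}")
        body = attrs[i + 2:i + a_len]
        i += a_len
        # Skip non-VSA attributes and VSAs from other vendors.
        if a_type != VSA_TYPE or len(body) < 6:
            continue
        if struct.unpack("!I", body[:4])[0] != FOUNDRY_VENDOR_ID:
            continue
        sub, j = body[4:], 0
        while j + 2 <= len(sub):
            v_type, v_len = sub[j], sub[j + 1]
            if v_len < 2 or j + v_len > len(sub):
                raise ValueError(f"malformed Foundry sub-attribute {v_type}")
            if v_len == 6:  # integer data type: 4-byte big-endian value
                found[v_type] = struct.unpack("!I", sub[j + 2:j + 6])[0]
            j += v_len
    return found


def auth_policy(attrs: bytes) -> dict:
    """Interpret the profile as Table 55 describes; absent attributes default to 1."""
    v = foundry_vsas(attrs)
    return {
        "dot1x_after_mac_auth": v.get(DOT1X_ENABLE, 1) == 1,
        "record_valid_for_dot1x": v.get(DOT1X_VALID, 1) == 1,
    }


def vsa(attr_id: int, value: int) -> bytes:
    """Encode one Foundry integer VSA (helper used to build the sample below)."""
    sub = struct.pack("!BBI", attr_id, 6, value)
    return struct.pack("!BBI", VSA_TYPE, 6 + len(sub), FOUNDRY_VENDOR_ID) + sub


# Constructed sample: profile for a device without an 802.1X supplicant.
# Session-Timeout (type 27) is included only to show non-VSA attributes being skipped.
PRINTER_PROFILE = struct.pack("!BBI", 27, 6, 3600) + vsa(DOT1X_ENABLE, 0) + vsa(DOT1X_VALID, 0)
```

For the constructed printer profile both flags come back False: the device is not sent on to 802.1X, and its MAC address cannot be reused as 802.1X credentials.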