Specifying the radius timeout action – Brocade TurboIron 24X Series Configuration Guide User Manual


Brocade TurboIron 24X Series Configuration Guide, 53-1003053-01, page 1013

Configuring multi-device port authentication

Specifying the aging time for blocked MAC addresses

When the device is configured to drop traffic from non-authenticated MAC addresses, traffic from
the blocked MAC addresses is dropped in hardware, without being sent to the CPU. A Layer 2 CAM
entry is created that drops traffic from the blocked MAC address in hardware. If no traffic is
received from the blocked MAC address for a certain amount of time, this Layer 2 CAM entry is
aged out. If traffic is subsequently received from the MAC address, then an attempt can be made to
authenticate the MAC address again.

Aging of the Layer 2 CAM entry for a blocked MAC address occurs in two phases, known as
hardware aging and software aging. The hardware aging period is fixed at 70 seconds and is
non-configurable. The software aging time is configurable through the CLI.

Once the device stops receiving traffic from a blocked MAC address, the hardware aging begins
and lasts for a fixed period of time. After the hardware aging period ends, the software aging
period begins. The software aging period lasts for a configurable amount of time (by default 120
seconds). After the software aging period ends, the blocked MAC address ages out, and can be
authenticated again if the device receives traffic from the MAC address.

To change the length of the software aging period for blocked MAC addresses, enter a command
such as the following.

TurboIron(config)#mac-authentication max-age 180

Syntax: [no] mac-authentication max-age <seconds>

You can specify from 1 – 65535 seconds. The default is 120 seconds.

Specifying the RADIUS timeout action

A RADIUS timeout occurs when the device does not receive a response from a RADIUS server
within a specified time limit and after a certain number of retries. The time limit and number of
retries can be configured with the CLI commands radius-server timeout and
radius-server retransmit, respectively. If these parameters are not configured, the device
applies the defaults of a three-second time limit and a maximum of three retries.

You can control port behavior more precisely when a RADIUS timeout occurs by configuring a port on the
device to automatically pass or fail user authentication. A pass bypasses the
authentication process and permits user access to the network; because a RADIUS outage, or anything
that interrupts the path to the RADIUS server, then admits devices that were never authenticated, use
the pass action only where availability matters more than admission control. A fail bypasses the
authentication process and blocks user access to the network, unless restrict-vlan is configured, in
which case the user is placed into a VLAN with restricted or limited access. By default, the device
resets the authentication process and retries authentication.

Specify the RADIUS timeout action at the Interface level of the CLI.

Permit user access to the network after a RADIUS timeout

To set the RADIUS timeout behavior to bypass multi-device port authentication and permit user
access to the network, enter commands such as the following.

TurboIron(config)#interface ethernet 3

TurboIron(config-if-e100-3)#mac-authentication auth-timeout-action success

Syntax: [no] mac-authentication auth-timeout-action success

Once the success timeout action is enabled, use the no form of the command to reset the RADIUS
timeout behavior to retry.
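The following audit script is an added example, not Brocade code or part of this guide. It parses a TurboIron-style running configuration, reports the effective radius-server timeout and retransmit values and the mac-authentication max-age (applying the defaults stated above when a command is absent), computes how long a blocked MAC address must stay silent before it can be authenticated again (the fixed 70-second hardware phase plus the software phase), lists every interface configured with the fail-open auth-timeout-action success, and emits the no form needed to return those ports to the default retry behavior. The sample configuration is constructed, and the assumption that configuration stanzas are separated by lines containing only "!" is the script's own, not something this page documents.

```python
"""Audit a TurboIron-style running config for fail-open RADIUS timeout actions.

Added example, not Brocade code.  Stanza layout (blocks separated by "!") and
the exact running-config line format are assumptions.
"""
import re

HW_AGING_SECONDS = 70          # fixed hardware aging phase, not configurable
DEFAULT_MAX_AGE = 120          # default software aging phase (mac-authentication max-age)
DEFAULT_RADIUS_TIMEOUT = 3     # default radius-server timeout, in seconds
DEFAULT_RADIUS_RETRANSMIT = 3  # default radius-server retransmit count

# Constructed sample input; not captured from a real device.
SAMPLE_CONFIG = """\
radius-server timeout 5
radius-server retransmit 2
mac-authentication max-age 180
!
interface ethernet 1
!
interface ethernet 3
 mac-authentication auth-timeout-action success
!
interface ethernet 7
 mac-authentication auth-timeout-action success
!
"""

_IFACE_RE = re.compile(r"^interface\s+(ethernet\s+\S+)$")


def parse_config(text):
    """Return (timers, interfaces).

    timers maps each global timer to its effective value (defaults applied when
    the command is absent); interfaces maps 'ethernet N' to the RADIUS timeout
    action in force on that port: 'retry' unless overridden with 'success'.
    """
    timers = {
        "radius_timeout": DEFAULT_RADIUS_TIMEOUT,
        "radius_retransmit": DEFAULT_RADIUS_RETRANSMIT,
        "max_age": DEFAULT_MAX_AGE,
    }
    interfaces = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None                      # end of a stanza (assumed layout)
            continue
        m = _IFACE_RE.match(line)
        if m:
            current = m.group(1)
            interfaces.setdefault(current, "retry")
            continue
        parts = line.split()
        if current is None:
            # Global-level commands.
            if parts[:2] == ["radius-server", "timeout"]:
                timers["radius_timeout"] = int(parts[2])
            elif parts[:2] == ["radius-server", "retransmit"]:
                timers["radius_retransmit"] = int(parts[2])
            elif parts[:2] == ["mac-authentication", "max-age"]:
                timers["max_age"] = int(parts[2])
        else:
            # Interface-level commands: only the timeout action is of interest here.
            if parts == ["mac-authentication", "auth-timeout-action", "success"]:
                interfaces[current] = "success"
            elif parts == ["no", "mac-authentication", "auth-timeout-action", "success"]:
                interfaces[current] = "retry"
    return timers, interfaces


def fail_open_ports(text):
    """Interfaces where a RADIUS timeout grants access without authentication."""
    _, interfaces = parse_config(text)
    return sorted(name for name, action in interfaces.items() if action == "success")


def blocked_mac_reauth_delay(text):
    """Seconds of silence before a blocked MAC can be authenticated again:
    the fixed hardware aging phase followed by the configured software phase."""
    timers, _ = parse_config(text)
    return HW_AGING_SECONDS + timers["max_age"]


def remediation_commands(text):
    """CLI lines that reset every fail-open port to the default retry action."""
    lines = []
    for port in fail_open_ports(text):
        lines.append("interface " + port)
        lines.append("no mac-authentication auth-timeout-action success")
    return lines


if __name__ == "__main__":
    timers, _ = parse_config(SAMPLE_CONFIG)
    print("RADIUS timeout %ds, retransmit %d" % (timers["radius_timeout"], timers["radius_retransmit"]))
    print("Blocked MAC re-authentication delay: %ds" % blocked_mac_reauth_delay(SAMPLE_CONFIG))
    print("Fail-open ports:", fail_open_ports(SAMPLE_CONFIG))
    print("\n".join(remediation_commands(SAMPLE_CONFIG)))
```

Run against a saved running configuration, the script turns the two facts this page states into a check: which ports silently admit traffic when RADIUS is unreachable, and how long a blocked station stays blocked once it goes quiet. The remediation lines it prints are exactly the interface-level command and its no form documented above.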
