Brocade ICX 6650 Security Configuration Guide, page 251 (53-1002601-01)

Multi-device port authentication configuration

Once the success timeout action is enabled, use the no form of the command to reset the RADIUS
timeout behavior to retry.

Deny user access to the network after a RADIUS timeout

To set the RADIUS timeout behavior to bypass multi-device port authentication and block user
access to the network, enter commands such as the following.

Brocade(config)# interface ethernet 1/1/3
Brocade(config-if-e10000-1/1/3)# mac-authentication auth-timeout-action failure

Syntax: [no] mac-authentication auth-timeout-action failure

After the failure timeout action is enabled, use the no form of the command to reset the RADIUS
timeout behavior to retry.

NOTE

If restrict-vlan is configured along with auth-timeout-action failure, the user will be placed into a
VLAN with restricted or limited access. Refer to “Allow user access to a restricted VLAN after a
RADIUS timeout” on page 251.

Allow user access to a restricted VLAN after a RADIUS timeout

To set the RADIUS timeout behavior to bypass multi-device port authentication and place the user
in a VLAN with restricted or limited access, enter commands such as the following.

Brocade(config)# interface ethernet 1/1/3
Brocade(config-if-e10000-1/1/3)# mac-authentication auth-fail-action restrict-vlan 100
Brocade(config-if-e10000-1/1/3)# mac-authentication auth-timeout-action failure

Syntax: [no] mac-authentication auth-fail-action restrict-vlan [vlan-id]

Syntax: [no] mac-authentication auth-timeout-action failure

Multi-device port authentication password override

The multi-device port authentication feature communicates with the RADIUS server to authenticate
a newly found MAC address. The RADIUS server is configured with the usernames and passwords
of authenticated users. For multi-device port authentication, the username and password are both
the MAC address itself; that is, the device uses the MAC address for both the username and the
password in the request sent to the RADIUS server. For example, given a MAC address of
0000000feaa1, the users file on the RADIUS server would be configured with a username and
password both set to 0000000feaa1. When traffic from this MAC address is encountered on a
MAC-authentication-enabled interface, the device sends the RADIUS server an Access-Request
message with 0000000feaa1 as both the username and password.

The MAC address is the default password for multi-device port authentication, and you can
optionally configure the device to use a different password. Note that the MAC address is still the
username and cannot be changed.
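The following is an added worked example, not Brocade code and not taken from this guide. It models what the switch puts into the Access-Request described above: the MAC address becomes User-Name, and either the MAC address or the configured override becomes User-Password, which is obfuscated with the shared secret as RFC 2865 section 5.2 specifies for PAP. The shared secret, the Request Authenticator, the FreeRADIUS-style "users" file line and the bare attribute TLV layout are assumptions for illustration; the ICX 6650's exact attribute set is not documented on this page.

```python
import hashlib
from typing import Optional, Tuple

# Constructed example values; the MAC is the one used in the guide's text.
EXAMPLE_MAC = "0000000feaa1"
EXAMPLE_SECRET = b"testing123"          # assumed shared secret, not a real one
EXAMPLE_AUTHENTICATOR = bytes(range(16))  # assumed 16-byte Request Authenticator

HEX_DIGITS = set("0123456789abcdef")


def mac_auth_credentials(mac: str, password_override: Optional[str] = None) -> Tuple[str, str]:
    """Return (User-Name, User-Password) as the switch would send them.

    The username is always the 12-hex-digit MAC address and cannot be changed;
    the password defaults to the same MAC unless a global override is configured.
    """
    normalized = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(normalized) != 12 or not set(normalized) <= HEX_DIGITS:
        raise ValueError(f"not a 12-hex-digit MAC address: {mac!r}")
    password = password_override if password_override is not None else normalized
    return normalized, password


def encode_user_password(password: str, secret: bytes, request_authenticator: bytes) -> bytes:
    """Obfuscate a PAP User-Password per RFC 2865 section 5.2.

    The password is NUL-padded to a multiple of 16 bytes; each 16-byte block is
    XORed with MD5(secret + previous block), where the first 'previous block'
    is the Request Authenticator.  This hides the value from casual sniffing
    only; it is not encryption in any modern sense.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    plain = password.encode()
    if not plain or len(plain) > 128:
        raise ValueError("password must be 1..128 bytes")
    plain += b"\x00" * (-len(plain) % 16)
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(plain), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(plain[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def decode_user_password(encoded: bytes, secret: bytes, request_authenticator: bytes) -> str:
    """Reverse encode_user_password, as the RADIUS server does on receipt."""
    if not encoded or len(encoded) % 16 != 0:
        raise ValueError("encoded password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = encoded[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00").decode()


def access_request_attributes(username: str, encoded_password: bytes) -> bytes:
    """Serialize User-Name (type 1) and User-Password (type 2) as RADIUS TLVs."""
    name = username.encode()
    return (bytes([1, len(name) + 2]) + name
            + bytes([2, len(encoded_password) + 2]) + encoded_password)


def users_file_entry(username: str, password: str) -> str:
    """Render a FreeRADIUS-style 'users' file line (file format assumed here)."""
    return f'{username}\tCleartext-Password := "{password}"'


if __name__ == "__main__":
    # Default behaviour: MAC as both username and password.
    user, pw = mac_auth_credentials("00:00:00:0f:ea:a1")
    print(users_file_entry(user, pw))
    enc = encode_user_password(pw, EXAMPLE_SECRET, EXAMPLE_AUTHENTICATOR)
    print(access_request_attributes(user, enc).hex())
    # With a password override, only the password half of the pair changes.
    user2, pw2 = mac_auth_credentials(EXAMPLE_MAC, password_override="S3cret-Override")
    print(users_file_entry(user2, pw2))
```

The example makes the override's effect concrete: User-Name still carries the MAC address in clear text inside every Access-Request, so with the default setting the password is identical to a value that is visible on the wire and in the switch's own logs. Configuring a different password, as the next paragraph describes, is what separates the two halves of the credential.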

To change the password for multi-device port authentication, enter a command such as the
following at the GLOBAL Config Level of the CLI.
