Brocade 6910 Ethernet Access Switch Configuration Guide

839

53-1002581-01

41 Network Access (MAC Address Authentication)

Some devices connected to switch ports may not be able to support 802.1X authentication due to
hardware or software limitations. This is often true for devices such as network printers, IP phones,
and some wireless access points. The switch enables network access from these devices to be
controlled by authenticating device MAC addresses with a central RADIUS server.

NOTE
RADIUS authentication must be enabled and correctly configured for MAC address authentication to work. (See “Configuring Remote Logon Authentication Servers” on page 823.)
MAC authentication cannot be configured on trunk ports.

CLI References: “Network Access (MAC Address Authentication)” on page 197

Command Usage

MAC address authentication controls access to the network by authenticating the MAC address
of each host that attempts to connect to a switch port. Traffic received from a specific MAC
address is forwarded by the switch only if the source MAC address is successfully
authenticated by a central RADIUS server. While authentication for a MAC address is in
progress, all traffic is blocked until authentication is completed. On successful authentication,
the RADIUS server may optionally assign VLAN and quality of service settings for the switch
port.

When enabled on a port, the authentication process sends a Password Authentication Protocol
(PAP) request to a configured RADIUS server. The user name and password are both equal to
the MAC address being authenticated. On the RADIUS server, the PAP user names and passwords
must therefore be configured in the MAC address format XX-XX-XX-XX-XX-XX (all in upper case).

Authenticated MAC addresses are stored as dynamic entries in the switch secure MAC address
table and are removed when the aging time expires. The maximum number of secure MAC
addresses supported for the switch system is 1024.

Configured static MAC addresses are added to the secure address table when seen on a
switch port. Static addresses are treated as authenticated without sending a request to a
RADIUS server.

When port status changes to down, all MAC addresses mapped to that port are cleared from
the secure MAC address table. Static VLAN assignments are not restored.

The RADIUS server may optionally return a VLAN identifier list to be applied to the switch port.
The following attributes need to be configured on the RADIUS server.

Tunnel-Type = VLAN

Tunnel-Medium-Type = 802

Tunnel-Private-Group-ID = 1u,2t [VLAN ID list]

The VLAN identifier list is carried in the RADIUS “Tunnel-Private-Group-ID” attribute. The VLAN
list can contain multiple VLAN identifiers in the format “1u,2t,3u” where “u” indicates an
untagged VLAN and “t” a tagged VLAN.
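The two formats above, the PAP user name/password (MAC as XX-XX-XX-XX-XX-XX, upper case) and the Tunnel-Private-Group-ID VLAN list (“1u,2t,3u”), are shown in working form in this added example, which is not part of the Brocade manual. It assumes the standard 802.1Q VLAN ID range 1-4094 for validation; the switch's own checks may differ.

```python
import re

# Added example (not from the Brocade manual): helpers for preparing RADIUS
# user entries for MAC authentication and for checking the VLAN list the
# server returns. Inputs below are constructed sample values.
_HEX12 = re.compile(r"^[0-9A-Fa-f]{12}$")


def to_radius_mac(mac):
    """Normalise common MAC notations (colons, dashes, dots, bare hex) to the
    XX-XX-XX-XX-XX-XX upper-case form the switch sends in its PAP request."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if not _HEX12.match(hexdigits):
        raise ValueError("not a MAC address: %r" % mac)
    h = hexdigits.upper()
    return "-".join(h[i:i + 2] for i in range(0, 12, 2))


def radius_pap_entry(mac):
    """User-Name and User-Password the RADIUS server must hold for this host;
    both are the formatted MAC address, as the manual describes."""
    m = to_radius_mac(mac)
    return {"User-Name": m, "User-Password": m}


def parse_vlan_list(group_id):
    """Parse a Tunnel-Private-Group-ID value such as '1u,2t,3u'.

    Returns (untagged, tagged) as sorted lists of VLAN IDs. Each entry must be
    a VLAN ID (assumed range 1-4094) followed by 'u' (untagged) or 't'
    (tagged). Anything else raises, so a malformed attribute is rejected
    rather than silently applied to the port.
    """
    untagged, tagged = set(), set()
    for item in group_id.split(","):
        item = item.strip()
        m = re.fullmatch(r"(\d{1,4})([ut])", item)
        if not m:
            raise ValueError("bad VLAN entry: %r" % item)
        vid = int(m.group(1))
        if not 1 <= vid <= 4094:
            raise ValueError("VLAN ID out of range: %d" % vid)
        (untagged if m.group(2) == "u" else tagged).add(vid)
    return sorted(untagged), sorted(tagged)


if __name__ == "__main__":
    print(radius_pap_entry("00:1b:44:11:3a:b7"))   # constructed sample MAC
    print(parse_vlan_list("1u,2t,3u"))
```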
