EAP pass-through support – Brocade ICX 6650 User Manual


Brocade ICX 6650 Security Configuration Guide

159

53-1002601-01

How 802.1X port security works

Brocade(config)# ip mtu 1500

Syntax: [no] ip mtu num

The num parameter specifies the MTU. Ethernet II packets can hold IP packets from 576–1500
bytes long. If jumbo mode is enabled, Ethernet II packets can hold IP packets from 576–10,222
bytes long. Ethernet SNAP packets can hold IP packets from 576–1492 bytes long. If jumbo mode
is enabled, SNAP packets can hold IP packets from 576–10,214 bytes long. The default MTU is
1500 for Ethernet II packets and 1492 for SNAP packets.

EAP pass-through support

EAP pass-through is supported on Brocade ICX 6650 devices that have 802.1X enabled. EAP
pass-through support is fully compliant with RFC 3748, in which, by default, compliant pass-through
authenticator implementations forward EAP challenge request packets of any type, including those
listed in the previous section.

Configuration notes for setting the IP MTU size

If the 802.1X supplicant or authentication server will be sending packets larger than the
1500-byte MTU, configure the device to accommodate a larger buffer size, in order to reduce
problems during initial setup. Refer to the Brocade ICX 6650 Layer 3 Routing Configuration Guide.

Support for RADIUS user-name attribute in access-accept messages

Brocade 802.1X-enabled ports support the RADIUS user-name (type 1) attribute in the
Access-Accept message returned during 802.1X authentication.

This feature is useful when the client/supplicant does not provide its user-name in the
EAP-response/identity frame, and the username is key to providing useful information. For
example, when the user-name attribute is sent in the Access-Accept message, it is then available
for display in sFlow sample messages sent to a collector, and in the output of some show dot1x CLI
commands, such as show dot1x mac-sessions.

This same information is sent as the “user-name” attribute of RADIUS accounting messages, and is
sent to the RADIUS accounting servers.
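As an added example (not from the Brocade guide), this is the authenticator-side handling of the user-name attribute described above: the Access-Accept's Response Authenticator is verified against the Access-Request authenticator and the shared secret (RFC 2865), and only then is the user-name (type 1) value taken for the switch to record. The shared secret, request authenticator and packet contents are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2   # RADIUS code for Access-Accept (RFC 2865)
USER_NAME = 1       # RADIUS User-Name attribute, type 1

def build_access_accept(identifier, request_auth, secret, attrs):
    """Build an Access-Accept as a RADIUS server does (constructed test input). attrs is a list
    of (type, value_bytes); ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attrs + Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def parse_access_accept(packet, request_auth, secret):
    """Verify the Response Authenticator against the Access-Request's authenticator and the
    shared secret, then return attributes as {type: [value, ...]}; None if not authentic."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None  # forged, tampered, or wrong shared secret: ignore the packet
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            return None  # malformed attribute header or length
        t, l = packet[pos], packet[pos + 1]
        attrs.setdefault(t, []).append(packet[pos + 2:pos + l])
        pos += l
    return attrs

def user_name_from_accept(packet, request_auth, secret):
    """The identity the switch can record (sFlow samples, show dot1x mac-sessions, accounting)
    when the supplicant's EAP-Response/Identity did not carry a usable user-name."""
    attrs = parse_access_accept(packet, request_auth, secret)
    if not attrs or USER_NAME not in attrs:
        return None
    return attrs[USER_NAME][0].decode("utf-8", "replace")

# Constructed sample values (not from the guide): shared secret, the Access-Request's 16-byte
# authenticator, and an Access-Accept carrying User-Name (1) and Session-Timeout (27).
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
SAMPLE_ACCEPT = build_access_accept(7, REQUEST_AUTH, SECRET,
                                    [(USER_NAME, b"alice@example.com"), (27, b"\x00\x00\x0e\x10")])
```

An Access-Accept that fails the authenticator check yields None, so a wrong secret or a tampered byte never produces a user-name for the session record.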

To enable this feature, add the following attribute on the RADIUS server.

TABLE 25 RADIUS attributes

Attribute name    Type    Value
user-name         1       name (string)

Authenticating multiple hosts connected to the same port

Brocade devices support 802.1X authentication for ports with more than one host connected to
them. Figure 5 illustrates a sample configuration where multiple hosts are connected to a single
802.1X port.
