Mac address filters for eap frames, 1x accounting configuration – Brocade Communications Systems Brocade ICX 6650 6650 User Manual


Brocade ICX 6650 Security Configuration Guide

53-1002601-01


MAC address filters for EAP frames

You can create MAC address filters to permit or deny EAP frames. To do this, you specify the
Brocade device 802.1X group MAC address as the destination address in a MAC address filter, then
apply the filter to an interface.

Creating MAC address filters for EAP on most devices

For example, the following command creates a MAC address filter that denies frames with the
destination MAC address of 0000.00c2.0003, which is the 802.1X group MAC address on the
Brocade device.

Brocade(config)# mac filter 1 deny any 0000.00c2.0003 ffff.ffff.ffff

The following commands apply this filter to interface e 1/3/1.

Brocade(config)# interface e 1/3/1
Brocade(config-if-e10000-1/3/1)# mac filter-group 1

Refer to “Defining MAC address filters” on page 239 for more information.
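As an added illustration, not from the guide, the following Python evaluates frames against mac filter entries written in the syntax shown above. It assumes that mask bits set to 1 are the bits that must match (as the ffff.ffff.ffff entry implies) and that a filter group ends in an implicit deny, so a permit-any entry is appended to keep ordinary traffic flowing.

```python
import re
from dataclasses import dataclass
from typing import List

def mac_to_int(mac: str) -> int:
    """Convert a MAC in xxxx.xxxx.xxxx (Brocade) or xx:xx:xx:xx:xx:xx form to an int."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)

@dataclass(frozen=True)
class MacFilter:
    number: int
    permit: bool
    src: int
    src_mask: int   # assumption: a 1 bit in the mask means that bit is compared
    dst: int
    dst_mask: int

    def matches(self, src_mac: str, dst_mac: str) -> bool:
        src_ok = (mac_to_int(src_mac) & self.src_mask) == (self.src & self.src_mask)
        dst_ok = (mac_to_int(dst_mac) & self.dst_mask) == (self.dst & self.dst_mask)
        return src_ok and dst_ok

def _address(tokens: List[str]):
    """Consume 'any' or '<mac> <mask>' from the front of the token list."""
    if tokens[0] == "any":
        return 0, 0, tokens[1:]          # mask 0: every bit is a wildcard
    return mac_to_int(tokens[0]), mac_to_int(tokens[1]), tokens[2:]

def parse_mac_filter(line: str) -> MacFilter:
    """Parse 'mac filter <num> permit|deny <src>|any [<mask>] <dst>|any [<mask>]'."""
    tokens = line.split()
    if tokens[:2] != ["mac", "filter"] or tokens[3] not in ("permit", "deny"):
        raise ValueError(f"not a mac filter line: {line!r}")
    src, src_mask, rest = _address(tokens[4:])
    dst, dst_mask, _rest = _address(rest)
    return MacFilter(int(tokens[2]), tokens[3] == "permit", src, src_mask, dst, dst_mask)

def frame_permitted(group: List[MacFilter], src_mac: str, dst_mac: str) -> bool:
    """First matching entry decides; assumption: an unmatched frame is denied."""
    for entry in group:
        if entry.matches(src_mac, dst_mac):
            return entry.permit
    return False

# Constructed filter group: the guide's EAP deny entry plus a permit-all entry
# (entry number 1024 is a constructed value) so ordinary frames still pass.
GROUP = [
    parse_mac_filter("mac filter 1 deny any 0000.00c2.0003 ffff.ffff.ffff"),
    parse_mac_filter("mac filter 1024 permit any any"),
]
```

Frames addressed to the group MAC are dropped by entry 1 while everything else falls through to the permit-all entry; a group with no permit entry denies every frame.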

Configuring VLAN access for non-EAP-capable clients

You can configure the Brocade device to grant "guest" or restricted VLAN access to clients that do
not support the Extensible Authentication Protocol (EAP). The restricted VLAN limits access to the
network or applications, instead of blocking access to these services altogether.

When the Brocade device receives the first packet (non-EAP packet) from a client, the device waits
for 10 seconds or the amount of time specified with the timeout restrict-fwd-period command. If
the Brocade device does not receive subsequent packets after the timeout period, the device
places the client on the restricted VLAN.

This feature is disabled by default. To enable this feature and change the timeout period, enter
commands such as the following.

Brocade(config)# dot1x-enable
Brocade(config-dot1x)# restrict-forward-non-dot1x
Brocade(config-dot1x)# timeout restrict-fwd-period 15

Once the success timeout action is enabled, use the no form of the command to reset the RADIUS
timeout behavior to retry.

Syntax: timeout restrict-fwd-period num

The num parameter is a value from 0 to 4294967295. The default value is 10.

802.1X accounting configuration

802.1X accounting enables the recording of information about 802.1X clients who were
successfully authenticated and allowed access to the network. When 802.1X accounting is
enabled on the Brocade device, it sends the following information to a RADIUS server whenever an
authenticated 802.1X client (user) logs into or out of the Brocade device:

The user name

The session ID
