Brocade ICX 6650 Security Configuration Guide
53-1002601-01
MAC address filters for EAP frames
You can create MAC address filters to permit or deny EAP frames. EAPOL frames are sent to the 802.1X group MAC address (the IEEE 802.1X PAE group address), so you specify that address as the destination address in a MAC address filter and then apply the filter to an interface.
Creating MAC address filters for EAP on most devices
For example, the following command creates a MAC address filter that denies frames with the destination MAC address 0180.c200.0003, which is the 802.1X group MAC address on the Brocade device. The mask ffff.ffff.ffff requires an exact match on all 48 bits of the address.
Brocade(config)# mac filter 1 deny any 0180.c200.0003 ffff.ffff.ffff
The following commands apply this filter to interface e 1/3/1.
Brocade(config)# interface e 1/3/1
Brocade(config-if-e10000-1/3/1)# mac filter-group 1
Refer to page 239 for more information.
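The filter above, worked through as an added example that is neither Brocade code nor part of this guide: a small Python model that parses mac filter lines in the page's syntax, applies a filter group to constructed Ethernet frames, and shows why the rule matches an EAPOL-Start frame but not ordinary traffic. The 802.1X PAE group address 0180.c200.0003 and the EAPOL EtherType 0x888E are IEEE 802.1X facts; the implicit deny for frames that match no rule, the trailing "permit any any" rule, the filter ID 100, and every sample address and frame are assumptions constructed for the model. It also goes beyond the page's single exact-match rule by showing a shorter mask that catches the whole 01-80-C2-00-00-0x reserved block with one rule.

```python
"""Model of Brocade-style MAC filters evaluated against Ethernet frames.

Added example, not Brocade code. The CLI form
"mac filter <id> permit|deny <src>|any <dst>|any <mask>" and address/mask
matching follow the guide; the implicit deny for frames matching no rule and
the trailing "permit any any" rule are assumptions of this model.
"""
import struct
from typing import List, Optional, Tuple

EAPOL_ETHERTYPE = 0x888E
PAE_GROUP_MAC = "0180.c200.0003"  # IEEE 802.1X PAE group address (EAPOL destination)


def parse_mac(text: str) -> int:
    """Accept Brocade dotted (0180.c200.0003) as well as colon/dash notation."""
    digits = text.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {text!r}")
    return int(digits, 16)


def parse_mac_filter(line: str) -> Tuple[int, str, Tuple[int, int], Tuple[int, int]]:
    """Parse one 'mac filter ...' line into (id, action, (src, src_mask), (dst, dst_mask)).

    'any' is modelled as address 0 with mask 0, which matches every frame.
    A 1 bit in the mask means "compare this bit"; a 0 bit means "ignore it".
    """
    tok = line.split()
    if tok[:2] != ["mac", "filter"] or len(tok) < 6:
        raise ValueError(f"not a mac filter line: {line!r}")
    filter_id, action = int(tok[2]), tok[3]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action: {action!r}")
    pos = 4

    def take_endpoint() -> Tuple[int, int]:
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return 0, 0
        addr, mask = parse_mac(tok[pos]), parse_mac(tok[pos + 1])
        pos += 2
        return addr & mask, mask

    src = take_endpoint()
    dst = take_endpoint()
    return filter_id, action, src, dst


def evaluate(group: List[str], frame: bytes) -> Tuple[str, Optional[int]]:
    """Apply a filter group to a frame; the first matching rule wins.

    Returns (action, filter_id). ("deny", None) is the assumed implicit deny
    for a frame that matches no rule in the group.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst = int.from_bytes(frame[0:6], "big")
    src = int.from_bytes(frame[6:12], "big")
    for line in group:
        filter_id, action, (s_addr, s_mask), (d_addr, d_mask) = parse_mac_filter(line)
        if (src & s_mask) == s_addr and (dst & d_mask) == d_addr:
            return action, filter_id
    return "deny", None


def is_eapol(frame: bytes) -> bool:
    """True when the EtherType field carries EAPOL (0x888E)."""
    return struct.unpack("!H", frame[12:14])[0] == EAPOL_ETHERTYPE


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Assemble dst/src/EtherType/payload and pad to the 60-byte Ethernet minimum."""
    frame = parse_mac(dst).to_bytes(6, "big") + parse_mac(src).to_bytes(6, "big")
    frame += struct.pack("!H", ethertype) + payload
    return frame.ljust(60, b"\x00")


# Constructed sample traffic (assumed addresses, not captured from a real network).
EAPOL_START = build_frame(PAE_GROUP_MAC, "0011.2233.4455", EAPOL_ETHERTYPE,
                          struct.pack("!BBH", 1, 1, 0))  # version 1, type 1 = EAPOL-Start, length 0
IPV4_FRAME = build_frame("0024.38aa.bb01", "0011.2233.4455", 0x0800, b"\x45" + b"\x00" * 19)
STP_BPDU = build_frame("0180.c200.0000", "0011.2233.4455", 0x0026, b"\x00" * 38)  # LLC length field 38

# The guide's filter, plus an assumed trailing permit so ordinary traffic still passes.
PAGE_GROUP = [
    "mac filter 1 deny any 0180.c200.0003 ffff.ffff.ffff",
    "mac filter 100 permit any any",
]

# Generalization: a shorter mask catches the whole 01-80-C2-00-00-0x reserved
# block (STP BPDUs, slow protocols such as LACP, EAPOL) with one rule.
RESERVED_BLOCK_GROUP = [
    "mac filter 2 deny any 0180.c200.0000 ffff.ffff.fff0",
    "mac filter 100 permit any any",
]

if __name__ == "__main__":
    for name, frame in [("EAPOL-Start", EAPOL_START), ("IPv4", IPV4_FRAME), ("STP BPDU", STP_BPDU)]:
        print(f"{name:12} eapol={is_eapol(frame)!s:5} page group -> {evaluate(PAGE_GROUP, frame)}"
              f"  reserved-block group -> {evaluate(RESERVED_BLOCK_GROUP, frame)}")
```

Run the file directly to print the verdict for each sample frame. In this model, PAGE_GROUP[:1], the guide's deny rule on its own, denies every frame because nothing else permits them; check whether your platform's MAC filter groups end in an implicit deny before applying a lone deny rule to a production port.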
Configuring VLAN access for non-EAP-capable clients
You can configure the Brocade device to grant "guest" or restricted VLAN access to clients that do not support EAP (Extensible Authentication Protocol). The restricted VLAN limits access to the network or applications instead of blocking access to these services altogether.
When the Brocade device receives the first packet (a non-EAP packet) from a client, the device waits for 10 seconds, or the amount of time specified with the timeout restrict-fwd-period command, for the client to respond with EAP frames. If no EAP frames arrive from the client before the timeout period expires, the device places the client on the restricted VLAN.
This feature is disabled by default. To enable this feature and change the timeout period, enter 
commands such as the following.
Brocade(config)# dot1x-enable
Brocade(config-dot1x)# restrict-forward-non-dot1x
Brocade(config-dot1x)# timeout restrict-fwd-period 15
To disable the feature again, use the no form of the restrict-forward-non-dot1x command.
Syntax: timeout restrict-fwd-period num
The num parameter is the waiting period in seconds, from 0 to 4294967295. The default value is 10.
802.1X accounting configuration
802.1X accounting enables the recording of information about 802.1X clients that were successfully authenticated and allowed access to the network. When 802.1X accounting is enabled on the Brocade device, it sends the following information to a RADIUS server whenever an authenticated 802.1X client (user) starts or ends a session on the Brocade device:
The user name
The session ID