Manuals / Brands / Computer Equipment / Switch / Brocade Communications Systems / Computer Equipment / Switch

Brocade Communications Systems 53-1001761-01 Configuring 802.1x Port Authentication

1 164

Download 164 pages, 1.09 Mb

Converged Enhanced Ethernet Administrator’s Guide 111

53-1001761-01

DRAFT: BROCADE CONFIDENTIAL

Chapter

10

Configuring 802.1x Port Authentication

In this chapter

•802.1x protocol overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

•802.1x configuration guidelines and restrictions. . . . . . . . . . . . . . . . . . . . 111

•802.1x authentication configuration tasks. . . . . . . . . . . . . . . . . . . . . . . . . 112

•Interface-specific administrative tasks for 802.1x . . . . . . . . . . . . . . . . . . . 112

802.1x protocol overview

The 802.1x protocol defines a port-based authentication algorithm involving network data

communication between client-based supplicant software, an authentication database on a server,

and the authenticator device. In this situation the authenticator device is the Brocade FCoE

hardware.

As the authenticator, the Brocade FCoE hardware prevents unauthorized network access. Upon

detection of the new supplicant, the Brocade FCoE hardware enables the port and marks it

“unauthorized”. In this state, only 802.1x traffic is allowed. All other traffic, such as DHCP and

HTTP, is blocked. The Brocade FCoE hardware transmits an EAP-request to the supplicant, which

responds with the EAP-response packet. The Brocade FCoE hardware, which then forwards the

EAP-response packet to the RADIUS authentication server. If the credentials are validated by the

RADIUS server database, the supplicant may access the protected network resources.

NOTE

802.1x port authentication is not supported by LAG (Link Aggregation Group) or interfaces that

participate in a LAG.

NOTE

The EAP-MD5, EAP-TLS, EAP-TTLS and PEAP-v0 protocols are supported by the RADIUS server and

are transparent to the authenticator switch.

When the supplicant logs off, it sends an EAP-logoff message to the Brocade FCoE hardware which

then sets the port back to the “unauthorized” state.

802.1x configuration guidelines and restrictions

Follow these 802.1x configuration guidelines and restrictions when configuring 802.1x:

•If you globally disable 802.1x, then all interface ports with 802.1x authentication enabled

automatically switch to force-authorized port-control mode.

Contents

Main Brocade Communications Systems, Incorporated Document History Title Publication number Summary of changes Date Contents About This Document Chapter 1 Introducing FCoE Chapter 2 Using the CEE CLI Chapter 3 Standard CEE Integrations and Configurations Chapter 4 Configuring VLANs Using the CEE CLI Chapter 5 Configuring STP, RSTP, and MSTP using the CEE CLI Chapter 6 Configuring Link Aggregation using the CEE CLI Chapter 7 Configuring LLDP using the CEE CLI Chapter 8 Configuring ACLs using the CEE CLI Chapter 9 Configuring QoS using the CEE CLI Chapter 10 Configuring 802.1x Port Authentication Chapter 11 Configuring IGMP Chapter 12 Configuring RMON using the CEE CLI Chapter 13 FCoE configuration using the Fabric OS CLI Chapter 14 CEE configuration management Page Figures Page Tables Page About This Document How this document is organized Supported hardware and software Whats new in this document Document conventions Text formatting Command syntax conventions Notes, cautions, and warnings ATTENTION Key terms Notice to the reader Additional information Brocade resources Other industry resources Getting technical help Document feedback Page Page Introducing FCoE FCoE terminology FCoE overview TABLE 1 FCoE hardware Layer 2 Ethernet overview FIGURE 1 Layer 2 forwarding VLAN tagging Loop-free network environment Frame classification (incoming) Congestion control and queuing - - - - Access control Trunking Flow Control FCoE Initialization Protocol FIP discovery FIP login FIP logout FCoE login FCoE logout Logincfg Name server FC zoning Registered State Change Notification (RSCN) FCoE queuing Using the CEE CLI Management Tools CEE Command Line Interface Saving your configuration changes Saving configuration changes with the copy command Saving configuration changes with the write command CEE CLI RBAC permissions Accessing the CEE CLI through the console or Telnet Accessing the CEE CLI from the Fabric OS shell CEE CLI command modes FIGURE 2 CEE Command Line Interface CEE Command Line Interface 2 CEE CLI keyboard shortcuts Table 4 lists CEE CLI keyboard shortcuts. TABLE 3 Command mode Using the do command as a shortcut Displaying CEE CLI commands and command syntax CEE CLI command completion CEE CLI command output modifiers TABLE 5 Page Standard CEE Integrations and Configurations Overview of standard CEE integrations SAN Integration Integrating a Brocade 8000 switch on a SAN CEE and LAN integration FIGURE 3 About CEE map attributes Creating the CEE map FIGURE 4 Configuring DCBX Configuring Spanning Tree Protocol Configuring VLAN Membership Configuring the CEE Interfaces Page Server connections to the Brocade 8000 switch FIGURE 5 Fibre Channel configuration for the CNA Ethernet configuration for the CNA Minimum CEE configuration to allow FCoE traffic flow Page Configuring VLANs Using the CEE CLI VLAN overview Ingress VLAN filtering - - - - VLAN configuration guidelines and restrictions Default VLAN configuration VLAN configuration and management Enabling and disabling an interface port Configuring the MTU on an interface port Creating a VLAN interface Enabling STP on a VLAN Disabling STP on a VLAN Configuring a VLAN interface to forward FCoE traffic Configuring an interface port as a Layer 2 switch port Configuring an interface port as an access interface Configuring an interface port as a trunk interface Disabling a VLAN on a trunk interface Configuring an interface port as a converged interface Disabling a VLAN on a converged interface Configuring protocol-based VLAN classifier rules Configuring a VLAN classifier rule Configuring MAC address-based VLAN classifier rules Deleting a VLAN classifier rule Creating a VLAN classifier group and adding rules Activating a VLAN classifier group with an interface port Clearing VLAN counter statistics Displaying VLAN information Configuring the MAC address table Specifying or disabling the aging time for MAC addresses Adding static addresses to the MAC address table Page Configuring STP, RSTP, and MSTP using the CEE CLI STP overview Configuring STP on Brocade FCoE hardware RSTP overview TABLE 7 Configuring RSTP on Brocade FCoE hardware MSTP overview Configuring MSTP on Brocade FCoE hardware STP, RSTP, and MSTP configuration guidelines and restrictions Default STP, RSTP, and MSTP configuration Default STP, RSTP, and MSTP configuration Table 8 lists the default STP, RSTP, and MSTP configuration. Table 9 lists the switch defaults that apply only to MSTP configurations. TABLE 8 TABLE 9 STP, RSTP, and MSTP configuration and management Enabling STP, RSTP, or MSTP Disabling STP, RSTP, or MSTP Shutting down STP, RSTP, or MSTP globally Specifying the bridge priority Specifying the bridge forward delay Specifying the bridge maximum aging time Enabling the error disable timeout timer Specifying the error disable timeout interval Specifying the port-channel path cost Specifying the bridge hello time (STP and RSTP) Specifying the transmit hold count (RSTP and MSTP) Enabling Cisco interoperability (MSTP) Disabling Cisco interoperability (MSTP) Mapping a VLAN to an MSTP instance Specifying the maximum number of hops for a BPDU (MSTP) Specifying a name for an MSTP region Specifying a revision number for an MSTP configuration Flushing MAC addresses (RSTP and MSTP) Clearing spanning tree counters Clearing spanning tree-detected protocols Displaying STP, RSTP, and MSTP-related information Configuring STP, RSTP, or MSTP on CEE interface ports Enabling automatic edge detection Configuring the path cost Enabling a port (interface) as an edge port Enabling the guard root Specifying the MSTP hello time Specifying restrictions for an MSTP instance Specifying a link type Enabling port fast (STP) Specifying the port priority Restricting the port from becoming a root port Restricting the topology change notification Enabling spanning tree Disabling spanning tree Page Configuring Link Aggregation using the CEE CLI Link aggregation overview Link Aggregation Group configuration Page Link aggregation overview 6 Converged Enhanced Ethernet Administrators Guide 67 53-1001761-01 FIGURE 7 FIGURE 8 Link Aggregation Control Protocol Dynamic link aggregation Static link aggregation Brocade-proprietary aggregation LAG distribution process LACP configuration guidelines and restrictions Default LACP configuration LACP configuration and management Enabling LACP on a CEE interface Configuring the LACP system priority Configuring the LACP timeout period on a CEE interface Clearing LACP counter statistics on a LAG Clearing LACP counter statistics on all LAG groups Displaying LACP information LACP troubleshooting tips Page Configuring LLDP using the CEE CLI LLDP overview Layer 2 topology mapping - Page DCBX overview Enhanced Transmission Selection (ETS) TABLE 12 Priority Flow Control (PFC) DCBX interaction with other vendor devices LLDP configuration guidelines and restrictions Default LLDP configuration LLDP configuration and management Enabling LLDP globally Disabling and resetting LLDP globally TABLE 13 Configuring LLDP global command options Specifying a system name for the Brocade FCoE hardware Specifying an LLDP system description for the Brocade FCoE hardware Specifying a user description for LLDP Enabling and disabling the receiving and transmitting of LLDP frames Configuring the transmit frequency of LLDP frames Configuring the hold time for receiving devices Advertising the optional LLDP TLVs Configuring the advertisement of LLDP DCBX -related TLVs Configuring FCoE priority bits Configuring LLDP profiles Configuring LLDP interface-level command options Clearing LLDP-related information Displaying LLDP-related information Configuring ACLs using the CEE CLI ACL overview Default ACL configuration ACL configuration guidelines and restrictions ACL configuration and management Creating a standard MAC ACL and adding rules TABLE 14 Creating an extended MAC ACL and adding rules Modifying MAC ACL rules Removing a MAC ACL Reordering the sequence numbers in a MAC ACL Applying a MAC ACL to a CEE interface Applying a MAC ACL to a VLAN interface Page Configuring QoS using the CEE CLI QoS overview Rewriting Queueing User-priority mapping Default user-priority mappings for untrusted interfaces Configuring the QoS trust mode TABLE 15 TABLE 16 Configuring user-priority mappings Creating a CoS-to-CoS mutation QoS map Applying a CoS-to-CoS mutation QoS map Traffic class mapping Unicast traffic Multicast traffic TABLE 17 TABLE 18 Mapping CoS-to-Traffic-Class Activating a mapping CoS-to-Traffic-Class Verifying a mapping CoS-to-Traffic-Class Congestion control Tail drop FIGURE 9 Changing the Tail Drop threshold Ethernet pause Enabling Ethernet Pause Ethernet Priority Flow Control Multicast rate limiting Creating a receive queue multicast rate-limit Scheduling Strict priority scheduling FIGURE 10 Deficit weighted round robin scheduling FIGURE 11 Traffic class scheduling policy FIGURE 12 Scheduling the QoS queue TABLE 19 Multicast queue scheduling Scheduling the QoS multicast queue TABLE 20 Converged Enhanced Ethernet map configuration TABLE 21 Creating a CEE map Defining a priority group table TABLE 22 Converged Enhanced Ethernet map configuration Example of defining a CEE map with a Priority Group Table. Defining a priority-table map 2. Specify the name of the CEE map to define. In this example test is used. 3. Define the map. Example of defining a CEE map with a Priority -to-Priority Group Table PGID PG% PFC Description Page Applying a CEE provisioning map to an interface Verifying the CEE maps Configuring 802.1x Port Authentication 802.1x protocol overview 802.1x configuration guidelines and restrictions 802.1x authentication configuration tasks Configure authentication between the switch and CNA or NIC Interface-specific administrative tasks for 802.1x Configuring 802.1x on specific interface ports Configuring 802.1x timeouts on specific interface ports Configuring 802.1x re-authentication on specific interface ports Disabling 802.1x on specific interface ports Configuring IGMP About IGMP Active IGMP snooping Multicast routing Configuring IGMP Configuring IGMP snooping querier Monitoring IGMP Page Configuring RMON using the CEE CLI RMON overview RMON configuration and management Default RMON configuration Configuring RMON events Configuring RMON Ethernet group statistics collection Page Page FCoE configuration using the Fabric OS CLI FCoE configuration guidelines and restrictions Managing and displaying the FCoE configuration Enabling or disabling an FCoE port Configuring FCMAP values for a VLAN Configuring FIP multicast advertisement intervals Managing and displaying the FCoE login configuration 13 Managing and displaying the FCoE login configuration Another important task in administrating FCoE is configuring the FCoE login information. Enabling or disabling FCoE login configuration management Displaying or aborting the current configuration transaction Cleaning up login groups and VN_port mappings Creating and managing the FCoE login group configuration 13 Displaying the FCoE login configuration The FCoE login group enables you to configure login policies. Creating and managing the FCoE login group configuration Another important task in administrating FCoE is configuring the FCoE login information. Creating an FCoE login group Creating and managing the FCoE login group configuration Perform the following task to create an FCoE login group. Modifying the FCoE login group device list Perform the following tasks to add or remove VN_port devices from the FCoE login group. Deleting an FCoE login group Renaming an FCoE login group Perform the following task to rename an FCoE login group. Page CEE configuration management CEE configuration management guidelines and restrictions CEE configuration management tasks Display the running configuration file Saving the running configuration file Loading the startup configuration file Erasing the startup configuration file. Archiving the running configuration file Restore an archived running configuration file Archiving the startup configuration file Restore an archived startup configuration file Archive a startup configuration from Flash Restore a startup configuration file from Flash Flash file management commands TABLE 23 TABLE 24 Debugging and logging commands TABLE 24 TABLE 25 Page Index Symbols Numerics A B C D E F G H I K L M N O P Q R S T U V W Z