232 Brocade ICX 6650 Security Configuration Guide
53-1002601-01
How multi-device port authentication works
The multi-device port authentication feature is a mechanism by which incoming traffic originating
from a specific MAC address is switched or forwarded by the device only if the source MAC address
is successfully authenticated by a RADIUS server. The MAC address itself is used as the username
and password for RADIUS authentication; the user does not need to provide a specific username
and password to gain access to the network. If RADIUS authentication for the MAC address is
successful, traffic from the MAC address is forwarded in hardware.
If the RADIUS server cannot validate the user's MAC address, then it is considered an
authentication failure, and a specified authentication-failure action can be taken. The default
authentication-failure action is to drop traffic from the non-authenticated MAC address in
hardware. You can also configure the device to move the port on which the non-authenticated MAC
address was learned into a restricted or “guest” VLAN, which may have limited access to the
network.
RADIUS authentication
The multi-device port authentication feature communicates with the RADIUS server to authenticate
a newly found MAC address. The Brocade device supports multiple RADIUS servers; if
communication with one of the RADIUS servers times out, the others are tried in sequential order. If
a response from a RADIUS server is not received within a specified time (by default, 3 seconds) the
RADIUS session times out, and the device retries the request up to three times. If no response is
received, the next RADIUS server is chosen, and the request is sent for authentication.
The RADIUS server is configured with the usernames and passwords of authenticated users. For
multi-device port authentication, the username and password is the MAC address itself; that is, the
device uses the MAC address for both the username and the password in the request sent to the
RADIUS server. For example, given a MAC address of 0007e90feaa1, the users file on the RADIUS
server would be configured with a username and password both set to 0007e90feaa1. When
traffic from this MAC address is encountered on a MAC-authentication-enabled interface, the
device sends the RADIUS server an Access-Request message with 0007e90feaa1 as both the
username and password. The format of the MAC address sent to the RADIUS server is configurable
through the CLI.
The request for authentication from the RADIUS server is successful only if the username and
password provided in the request matches an entry in the users database on the RADIUS server.
When this happens, the RADIUS server returns an Access-Accept message back to the Brocade
device. When the RADIUS server returns an Access-Accept message for a MAC address, that MAC
address is considered authenticated, and traffic from the MAC address is forwarded normally by
the Brocade device.
Authentication-failure actions
If the MAC address does not match the username and password of an entry in the users database
on the RADIUS server, then the RADIUS server returns an Access-Reject message. When this
happens, it is considered an authentication failure for the MAC address. When an authentication
failure occurs, the Brocade device can either drop traffic from the MAC address in hardware (the
default), or move the port on which the traffic was received to a restricted VLAN.
Supported RADIUS attributes
Brocade devices support the following RADIUS attributes for multi-device port authentication: