Multi-device port authentication configuration

Syntax: [no] mac-authentication auth-fail-action block-traffic

Dropping traffic from non-authenticated MAC addresses is the default behavior when multi-device port authentication is enabled.

Generating traps for multi-device port authentication

You can enable and disable SNMP traps for multi-device port authentication. SNMP traps are enabled by default.

To enable SNMP traps for multi-device port authentication after they have been disabled, enter the following command.

Brocade(config)# snmp-server enable traps mac-authentication

Syntax: [no] snmp-server enable traps mac-authentication

Use the no form of the command to disable SNMP traps for multi-device port authentication.

Defining MAC address filters

You can specify MAC addresses that do not have to go through multi-device port authentication. These MAC addresses are considered pre-authenticated, and are not subject to RADIUS authentication. To do this, you can define MAC address filters that specify the MAC addresses to exclude from multi-device port authentication.

You should use a MAC address filter when the RADIUS server itself is connected to an interface where multi-device port authentication is enabled. If a MAC address filter is not defined for the MAC address of the RADIUS server and applied on the interface, the RADIUS authentication process would fail since the device would drop all packets from the RADIUS server itself.

For example, the following command defines a MAC address filter for address 0000.0058.aca4.

Brocade(config)# mac-authentication mac-filter 1 0000.0058.aca4

Syntax: [no] mac-authentication mac-filter filter

The following commands apply the MAC address filter on an interface so that address 0000.0058.aca4 is excluded from multi-device port authentication.

Brocade(config)# interface ethernet 1/3/1 Brocade(config-if-e10000-1/3/1)# mac-authentication apply-mac-auth-filter 1

Syntax: [no] mac-authentication apply-mac-auth-filter filter-id

Configuring dynamic VLAN assignment

An interface can be dynamically assigned to one or more VLANs based on the MAC address learned on that interface. When a MAC address is successfully authenticated, the RADIUS server sends the Brocade device a RADIUS Access-Accept message that allows the Brocade device to forward traffic from that MAC address. The RADIUS Access-Accept message can also contain attributes set for the MAC address in its access profile on the RADIUS server.

Brocade ICX 6650 Security Configuration Guide

239

53-1002601-01

 

Page 259
Image 259
Brocade Communications Systems 6650 Generating traps for multi-device port authentication, Defining MAC address filters