Multi-device port authentication configuration

Dynamic ACL filters are supported only for the inbound direction. Dynamic outbound ACL filters are not supported.

Dynamic ACL assignment with multi-device port authentication is not supported in conjunction with any of the following features:

- IP source guard
- Rate limiting
- Protection against ICMP or TCP Denial-of-Service (DoS) attacks
- Policy-based routing
- 802.1X dynamic filter

Configuring the RADIUS server to support dynamic IP ACLs

When a port is authenticated using multi-device port authentication, an IP ACL filter that exists in the running-config file on the Brocade device can be dynamically applied to the port. To do this, you configure the Filter-ID (type 11) attribute on the RADIUS server. The Filter-ID attribute specifies the name or number of the Brocade IP ACL.

The following is the syntax for configuring the Filter-ID attribute on the RADIUS server to refer to a Brocade IP ACL.

TABLE 57 Syntax for configuring the Filter-ID attribute

Value                 Description
ip.number.in (1)      Applies the specified numbered ACL to the authenticated port in the inbound direction.
ip.name.in (1, 2)     Applies the specified named ACL to the authenticated port in the inbound direction.

1. The ACL must be an extended ACL. Standard ACLs are not supported.
2. The name in the Filter-ID attribute is case-sensitive.

The following table lists examples of values you can assign to the Filter-ID attribute on the RADIUS server to refer to IP ACLs configured on a Brocade device.

TABLE 58 Filter-ID values

Possible values for the Filter-ID attribute on the RADIUS server    ACLs configured on the Brocade device
ip.102.in                                                            access-list 102 permit ip 36.0.0.0 0.255.255.255 any
ip.fdry_filter.in                                                    ip access-list standard fdry_filter
                                                                     permit host 36.48.0.3
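As an added example (not from the Brocade guide), the following pre-flight check validates a Filter-ID value against the Table 57 syntax and the footnote rules before it is pushed to the RADIUS server: inbound direction only, ACL present in the running-config, exact (case-sensitive) name match, and extended ACL type. The running-config excerpt is constructed; the 1-99 standard / 100-199 extended numbering of numbered ACLs is an assumption about the platform.

```python
import re

# Constructed running-config excerpt (sample data, not from a real device).
RUNNING_CONFIG = """\
access-list 102 permit ip 36.0.0.0 0.255.255.255 any
access-list 10 permit host 36.48.0.3
ip access-list extended Guest_Filter
 permit tcp any any eq 80
ip access-list standard mgmt_only
 permit host 36.48.0.3
"""

# Table 57 syntax: ip.<number|name>.in  (".out" is parsed only so it can be rejected)
FILTER_ID_RE = re.compile(r"^ip\.(?P<acl>[^.]+)\.(?P<dir>in|out)$")


def parse_acls(config):
    """Map every ACL number or name in the running-config to 'standard' or 'extended'."""
    acls = {}
    for line in config.splitlines():
        m = re.match(r"^access-list (\d+)\s", line)
        if m:
            # Assumption: numbered ACLs 1-99 are standard, 100-199 are extended.
            n = int(m.group(1))
            acls[m.group(1)] = "extended" if 100 <= n <= 199 else "standard"
            continue
        m = re.match(r"^ip access-list (standard|extended) (\S+)$", line)
        if m:
            acls[m.group(2)] = m.group(1)
    return acls


def check_filter_id(value, acls):
    """Return (ok, reason) for a RADIUS Filter-ID value against the ACLs in acls."""
    m = FILTER_ID_RE.match(value)
    if not m:
        return False, "malformed: expected ip.<number|name>.in"
    if m.group("dir") != "in":
        return False, "dynamic ACL filters are supported only in the inbound direction"
    acl = m.group("acl")
    if acl not in acls:  # exact lookup: the name is case-sensitive
        return False, f"ACL {acl!r} is not in the running-config (names are case-sensitive)"
    if acls[acl] != "extended":
        return False, f"ACL {acl!r} is a standard ACL; only extended ACLs are supported"
    return True, "ok"
```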

Enabling denial of service attack protection

The Brocade device does not start forwarding traffic from an authenticated MAC address in hardware until the RADIUS server authenticates the MAC address; traffic from the non-authenticated MAC addresses is sent to the CPU. A denial of service (DoS) attack could be launched against the device where a high volume of new source MAC addresses is sent to the device, causing the CPU to be overwhelmed with performing RADIUS authentication for these MAC addresses. In addition, the high CPU usage in such an attack could prevent the RADIUS response from reaching the CPU in time, causing the device to make additional authentication attempts.

Brocade ICX 6650 Security Configuration Guide    245    53-1002601-01
