RADIUS security

RADIUS servers 10.10.10.105 and 10.10.10.106 will be used to authenticate users on ports to which no RADIUS servers are mapped. For example, port e 9, to which no RADIUS servers are mapped, will send a RADIUS request to the first configured RADIUS server, 10.10.10.105. If the request fails, it will go to the second configured RADIUS server, 10.10.10.106. It will not send requests to 10.10.10.103 or 10.10.10.104, since these servers are configured as port servers.

Syntax: radius-server host ip-addr | server-name [auth-port number] [acct-port number] [default key string dot1x] [port-only]

The host ip-addr is the IPv4 address.

The auth-port number parameter is the Authentication port number; it is an optional parameter. The default is 1645.

The acct-port number parameter is the Accounting port number; it is an optional parameter. The default is 1646.

The default key string dot1x parameter indicates that this RADIUS server supports the 802.1X standard. A RADIUS server that supports the 802.1X standard can also be used to authenticate non-802.1X authentication requests.

The port-only parameter is optional and specifies that the server will be used only to authenticate users on ports to which it is mapped.

RADIUS server to individual ports mapping

You can map up to eight RADIUS servers to each port on the Brocade device. The port will authenticate users using only the RADIUS servers to which the port is mapped. If there are no RADIUS servers mapped to a port, it will use the “global” servers for authentication.

As in previous releases, a port goes through the list of servers in the order in which it was mapped or configured, until a server that can perform the requested function is found, or until every server in the list has been tried.

RADIUS server-to-ports configuration notes

This feature works with 802.1X and multi-device port authentication only.

You can map a RADIUS server to a physical port only. You cannot map a RADIUS server to a VE.

RADIUS server-to-ports configuration example and command syntax

To map a RADIUS server to a port, enter commands such as the following.

Brocade(config)# int e 3

Brocade(config-if-e1000-3)# dot1x port-control auto

Brocade(config-if-e1000-3)# use-radius-server 10.10.10.103

Brocade(config-if-e1000-3)# use-radius-server 10.10.10.110

With the above configuration, port e 3 sends a RADIUS request to 10.10.10.103 first, since it is the first server mapped to the port. If that request fails, the port sends the request to 10.10.10.110.

Syntax: use-radius-server ip-addr

The host ip-addr is an IPv4 address.
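
The server-selection rules above can be checked against a configuration offline. The following Python is an added example, not part of the Brocade guide: it parses a constructed configuration written in the page's command syntax (the key string and the host entry for 10.10.10.110 are assumptions) and returns the ordered list of servers each port would try, plus findings that follow from the rules on this page.

```python
import re

# Constructed sample in the page's command syntax. The key string and the
# host line for 10.10.10.110 are assumptions, not taken from the guide.
SAMPLE = """\
radius-server host 10.10.10.103 default key EXAMPLE-KEY dot1x port-only
radius-server host 10.10.10.104 default key EXAMPLE-KEY dot1x port-only
radius-server host 10.10.10.110 default key EXAMPLE-KEY dot1x port-only
radius-server host 10.10.10.105 default key EXAMPLE-KEY dot1x
radius-server host 10.10.10.106 default key EXAMPLE-KEY dot1x
int e 3
 dot1x port-control auto
 use-radius-server 10.10.10.103
 use-radius-server 10.10.10.110
int e 9
 dot1x port-control auto
"""

def parse(config):
    """Return (global servers, port-only servers, {port: mapped servers})."""
    global_srv, port_only, port_map, port = [], [], {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"radius-server host (\S+)", line):
            bucket = port_only if line.endswith(" port-only") else global_srv
            bucket.append(m.group(1))
        elif m := re.match(r"int(?:erface)? e(?:thernet)? (\S+)", line):
            port = m.group(1)
            port_map.setdefault(port, [])
        elif (m := re.match(r"use-radius-server (\S+)", line)) and port:
            port_map[port].append(m.group(1))
    return global_srv, port_only, port_map

def servers_for_port(config, port):
    """Servers a port tries, in order: its mapped servers, else the global ones."""
    global_srv, _, port_map = parse(config)
    return port_map.get(port) or global_srv

def audit(config):
    """Findings that follow from the mapping rules described on this page."""
    _, port_only, port_map = parse(config)
    mapped_anywhere = {ip for ips in port_map.values() for ip in ips}
    findings = [f"{ip}: port-only but mapped to no port, never used"
                for ip in port_only if ip not in mapped_anywhere]
    for port, ips in port_map.items():
        if len(ips) > 8:  # the page allows up to eight servers per port
            findings.append(f"port {port}: {len(ips)} servers mapped, limit is 8")
        if len(servers_for_port(config, port)) == 1:
            findings.append(f"port {port}: single server, no fallback")
    return findings
```

On the sample, port 3 resolves to 10.10.10.103 then 10.10.10.110, port 9 resolves to the global servers 10.10.10.105 then 10.10.10.106, and the audit reports 10.10.10.104 as a port-only server that no port uses.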

Brocade ICX 6650 Security Configuration Guide


53-1002601-01

 
