MAC address filters for EAP frames – Brocade FastIron Ethernet Switch Security Configuration Guide User Manual

You can specify from 1 - 65535 seconds. The default is 120 seconds.
Moving native VLAN mac-sessions to the restricted VLAN
You can move native VLAN mac-sessions to the restricted VLAN on authentication failure. This option overrides the native (untagged) VLAN of a dual-mode port with the restricted VLAN when 802.1X authentication fails and the RADIUS server has not assigned a VLAN. Use this command when multi-device port authentication and 802.1X authentication with dynamic VLAN assignment from the RADIUS server are configured on the same port.
device(config-dot1x)# auth-fail-force-restrict
Syntax: [no] auth-fail-force-restrict
Clearing a dot1x-mac-session for a MAC address
You can clear the dot1x-mac-session for a specified MAC address, so that the client with that MAC address is re-authenticated by the RADIUS server.
device#clear dot1x mac-session 0000.0034.abd4
Syntax: clear dot1x mac-session mac-address
MAC address filters for EAP frames
You can create MAC address filters to permit or deny EAP frames. To do this, specify the 802.1X group MAC address of the Brocade device as the destination address in a MAC address filter, then apply the filter to an interface. A filter that denies EAP frames on an interface blocks 802.1X authentication exchanges on that interface, so apply it only on ports where EAPOL traffic should not be accepted.
Creating MAC address filters for EAP frames on most devices
For example, the following command creates a MAC address filter that denies frames with the destination MAC address 0180.c200.0003, which is the 802.1X group MAC address (the IEEE 802.1X PAE group address 01-80-C2-00-00-03) on the Brocade device.
device(config)#mac filter 1 deny any 0180.c200.0003 ffff.ffff.ffff
The following commands apply this filter to interface e 3/1.
device(config)#interface e 3/1
device(config-if-3/1)#mac filter-group 1
Refer to the Defining MAC address filters section for more information.
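To see what such a filter group does to real frames, the following Python script (an added example, not code from the FastIron guide or from Brocade) parses filter lines in the syntax shown above, builds a small filter group, and evaluates constructed Ethernet frames against it: an EAPOL-Start frame addressed to the 802.1X PAE group address and an ordinary IPv4 frame. The mask semantics (bits set to 1 in the mask must match, 0 bits are wildcards), first-match evaluation in the order the filters are listed, and the implicit deny at the end of the group are assumptions about the platform and should be checked against the Defining MAC address filters section; the second filter number and all frame contents are constructed for the example.

```python
"""Evaluate Brocade-style ``mac filter`` rules against raw Ethernet frames.

Added example, not code from the FastIron guide. Assumptions: mask bits set
to 1 must match (0 = wildcard), filters are checked in listed order, and a
filter group ends with an implicit deny.
"""
import re
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

DOT1X_PAE_GROUP = "0180.c200.0003"  # IEEE 802.1X PAE group address, 01-80-C2-00-00-03
ETHERTYPE_EAPOL = 0x888E             # EAP over LAN
ETHERTYPE_IPV4 = 0x0800

_MAC_RE = re.compile(r"^[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}$")


def mac_to_int(mac: str) -> int:
    """Convert Brocade dotted notation (xxxx.xxxx.xxxx) to a 48-bit integer."""
    if not _MAC_RE.match(mac):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(mac.replace(".", ""), 16)


@dataclass(frozen=True)
class MacFilter:
    number: int
    action: str           # "permit" or "deny"
    src: Optional[int]    # None means "any"
    src_mask: int
    dst: Optional[int]    # None means "any"
    dst_mask: int

    def matches(self, src: int, dst: int) -> bool:
        """True if both addresses match under their masks (assumed semantics)."""
        src_ok = self.src is None or (src & self.src_mask) == (self.src & self.src_mask)
        dst_ok = self.dst is None or (dst & self.dst_mask) == (self.dst & self.dst_mask)
        return src_ok and dst_ok


def _take_addr(tokens: List[str]) -> Tuple[Optional[int], int, List[str]]:
    """Consume either 'any' or 'MAC MASK' from the front of the token list."""
    if not tokens:
        raise ValueError("missing address")
    if tokens[0] == "any":
        return None, 0, tokens[1:]
    if len(tokens) < 2:
        raise ValueError("MAC address given without a mask")
    return mac_to_int(tokens[0]), mac_to_int(tokens[1]), tokens[2:]


def parse_mac_filter(line: str) -> MacFilter:
    """Parse 'mac filter NUM permit|deny SRC [MASK] DST [MASK]'."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[:2] != ["mac", "filter"]:
        raise ValueError(f"not a mac filter line: {line!r}")
    number, action = int(tokens[2]), tokens[3]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action: {action!r}")
    src, src_mask, rest = _take_addr(tokens[4:])
    dst, dst_mask, rest = _take_addr(rest)
    if rest:
        raise ValueError(f"trailing tokens: {rest}")
    return MacFilter(number, action, src, src_mask, dst, dst_mask)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Assemble a raw Ethernet II frame (no FCS)."""
    return (mac_to_int(dst).to_bytes(6, "big")
            + mac_to_int(src).to_bytes(6, "big")
            + struct.pack("!H", ethertype) + payload)


def is_eapol(frame: bytes) -> bool:
    """True if the frame's EtherType is EAPOL (0x888E)."""
    return struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_EAPOL


def evaluate(filters: List[MacFilter], frame: bytes) -> str:
    """Return the action the filter group applies to the frame (first match wins)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst = int.from_bytes(frame[0:6], "big")
    src = int.from_bytes(frame[6:12], "big")
    for f in filters:
        if f.matches(src, dst):
            return f.action
    return "deny"  # assumed implicit deny at the end of the group


# Constructed filter group: the deny from the page plus a permit-all (filter 2 is illustrative).
FILTER_GROUP = [parse_mac_filter(line) for line in (
    "mac filter 1 deny any 0180.c200.0003 ffff.ffff.ffff",
    "mac filter 2 permit any any",
)]

# Constructed frames: an EAPOL-Start (version 2, type 1, length 0) from the supplicant
# MAC used in the page's clear dot1x example, and an ordinary IPv4 frame to a unicast MAC.
EAPOL_START = build_frame(DOT1X_PAE_GROUP, "0000.0034.abd4", ETHERTYPE_EAPOL, b"\x02\x01\x00\x00")
IPV4_FRAME = build_frame("0024.3811.aa01", "0000.0034.abd4", ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)

if __name__ == "__main__":
    for name, frame in (("EAPOL-Start", EAPOL_START), ("IPv4", IPV4_FRAME)):
        print(f"{name}: eapol={is_eapol(frame)} action={evaluate(FILTER_GROUP, frame)}")
```

Running the script shows the EAPOL-Start frame denied and the IPv4 frame permitted; dropping the permit-all filter makes the IPv4 frame hit the assumed implicit deny, which is the usual reason a filter group that was meant to block only EAP frames ends up blocking everything on the port.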
Configuring VLAN access for non-EAP-capable clients
You can configure the Brocade device to grant "guest" or restricted VLAN access to clients that do not support the Extensible Authentication Protocol (EAP). The restricted VLAN limits access to the network or applications instead of blocking access to these services altogether.
When the Brocade device receives the first packet (a non-EAP packet) from a client, the device waits 10 seconds, or the time specified with the timeout restrict-fwd-period command. If the device does not receive an EAP response from the client before that period expires, it places the client on the restricted VLAN.
53-1003088-03