Radius authentication, Authentication-failure actions, Unauthenticated port behavior – Brocade FastIron Ethernet Switch Security Configuration Guide User Manual
the device to move the port on which the non-authenticated MAC address was learned into a restricted
or "guest" VLAN, which may have limited access to the network.
RADIUS authentication
The multi-device port authentication feature communicates with the RADIUS server to authenticate a
newly learned MAC address. The Brocade device supports multiple RADIUS servers and tries them in the
configured order. If no response arrives within the configured timeout (3 seconds by default), the
RADIUS session times out and the device retransmits the request, up to three times. If the server still
does not respond, the device moves on to the next configured RADIUS server and sends the request
there. Failover is triggered by a timeout, not by an Access-Reject, which is handled as described
under Authentication-failure actions.
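The retry-and-failover sequence described above, as an added model (not Brocade code) so the worst-case delay before a MAC gets an answer can be read off rather than guessed. The server behaviours (`silent`, `accepting`, `rejecting`) are constructed stand-ins for the UDP transport, and the reading of "retries up to three times" as one initial transmission plus three retransmissions is an assumption marked in the code.

```python
"""Retry and failover sequence for the RADIUS servers configured on the switch
(added model, not Brocade code; timer semantics are an assumption, see comments)."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable, Optional

DEFAULT_TIMEOUT_S = 3.0   # page: 3-second default before the RADIUS session times out
MAX_RETRIES = 3           # page: the request is retried up to three times


@dataclass
class Outcome:
    result: Optional[str]                 # "accept", "reject", or None if every server stayed silent
    answered_by: Optional[str] = None     # name of the server that finally replied
    attempts: list = field(default_factory=list)   # (server name, attempt number) in order tried
    blocked_for_s: float = 0.0            # time the MAC stays unauthenticated while the switch waits


def authenticate_with_failover(servers: list[tuple[str, Callable[[], Optional[str]]]],
                               timeout_s: float = DEFAULT_TIMEOUT_S,
                               max_retries: int = MAX_RETRIES) -> Outcome:
    """Try the servers in configured order. Only a timeout moves on to the next server;
    any reply, Access-Accept or Access-Reject, ends the sequence.
    Assumption: "up to three retries" is modelled as one initial send plus three retransmissions."""
    out = Outcome(result=None)
    for name, send in servers:
        for attempt in range(1, max_retries + 2):     # attempt 1 plus max_retries retransmissions
            out.attempts.append((name, attempt))
            reply = send()                            # simulated transport: None means no answer
            if reply is not None:
                out.result, out.answered_by = reply, name
                return out
            out.blocked_for_s += timeout_s            # a full timeout elapsed with no reply
    return out   # nobody answered: the MAC stays unauthenticated and its traffic stays blocked


# Constructed server behaviours for the scenarios in the test and usage note.
def silent() -> Optional[str]:      # e.g. a firewall silently dropping UDP/1812
    return None


def accepting() -> Optional[str]:
    return "accept"


def rejecting() -> Optional[str]:
    return "reject"
```

With a silent primary and a healthy secondary, `authenticate_with_failover([("radius1", silent), ("radius2", accepting)])` spends four timeouts (12 s) on radius1 before radius2 answers on its first try, and the MAC's traffic is blocked for that whole window; an unreachable primary therefore shows up as a 12-second stall at every newly learned host rather than as an outright failure (9 s if the device counts three transmissions in total). A reject from the first server ends the sequence immediately; the second server is never consulted.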
The RADIUS server is configured with the user names and passwords of authenticated users. For multi-
device port authentication, the username and the password are both the MAC address itself; that is, the
device uses the MAC address as the username and as the password in the request it sends to the RADIUS
server. For example, given a MAC address of 0000000feaa1, the users file on the RADIUS server
would contain an entry whose username and password are both 0000000feaa1. When traffic from this
MAC address is seen on a MAC-authentication-enabled interface, the device sends the RADIUS server
an Access-Request message with 0000000feaa1 as both the username and the password. The format in
which the MAC address is sent to the RADIUS server is configurable through the CLI, and the entry on
the RADIUS server must use the same format for the comparison to succeed.
The authentication request succeeds only if the username and password in the request match an entry in
the users database on the RADIUS server. In that case the RADIUS server returns an Access-Accept
message to the Brocade device, the MAC address is considered authenticated, and traffic from that MAC
address is forwarded normally by the Brocade device.
Authentication-failure actions
If the MAC address does not match the username and password of any entry in the users database on
the RADIUS server, the RADIUS server returns an Access-Reject message, and the device treats this as
an authentication failure for that MAC address. On an authentication failure the Brocade device either
drops traffic from the MAC address in hardware (the default) or moves the port on which the traffic was
received into a restricted VLAN.
Unauthenticated port behavior
Brocade devices block incoming traffic on unauthenticated ports but still allow outgoing broadcasts and
multicasts, so that a connected device in a sleep state can be woken. This is the default behavior and
there is no configuration option to change it.
Supported RADIUS attributes
Brocade devices support the following RADIUS attributes for multi-device port authentication:
• User-Name (1) - RFC 2865
• NAS-IP-Address (4) - RFC 2865
• NAS-Port (5) - RFC 2865
• Service-Type (6) - RFC 2865
• Filter-Id (11) - RFC 2865
• Framed-MTU (12) - RFC 2865
• State (24) - RFC 2865
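The exchange described in the RADIUS authentication and Authentication-failure actions sections, with the attributes encoded as the Type-Length-Value triples the list above refers to, as an added example that is not Brocade code and not any RADIUS server's code. The switch side builds an RFC 2865 Access-Request carrying the MAC as both User-Name (1) and User-Password (2), hiding the password with the RFC 2865 MD5 scheme; a small in-memory "users file" plays the server and returns Access-Accept (2) or Access-Reject (3) with a Response Authenticator; the switch side verifies that authenticator and applies the failure action. Everything concrete is a constructed assumption: the two MAC styles in `format_mac` (the page says the format is configurable but does not list the choices), the `USERS` table, the shared secret, the NAS-IP-Address and NAS-Port values, and the Filter-Id string in the accept.

```python
"""Client and server halves of the MAC-as-credential RADIUS exchange (added example;
assumed values are marked in comments). Standard library only."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, FILTER_ID = 1, 2, 4, 5, 11  # RFC 2865 numbers
# Constructed "users file": each MAC is both the user name and the password.
USERS = {"0000000feaa1": "0000000feaa1", "00a0c9123456": "00a0c9123456"}

def format_mac(mac: str, style: str = "plain") -> str:
    """Render a MAC in an assumed CLI style; the users-file entry must use the same one."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    if style == "plain":                    # 0000000feaa1
        return digits
    if style == "colon":                    # 00:00:00:0f:ea:a1
        return ":".join(digits[i:i + 2] for i in range(0, 12, 2))
    raise ValueError(f"unknown style {style!r}")

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16n bytes; c_i = p_i XOR MD5(secret + c_(i-1)), c_0 = Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password, with the NUL padding stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def avp(attr_type: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length includes its own 2 header bytes."""
    return bytes([attr_type, len(value) + 2]) + value

def parse_avps(data: bytes) -> dict:
    """Walk the attribute area, refusing lengths that run past the packet."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def build_access_request(mac_str: str, secret: bytes, ident: int = 7) -> bytes:
    """Switch side: Code | Identifier | Length | Request Authenticator | attributes."""
    request_auth = os.urandom(16)                           # fresh per request (RFC 2865 section 3)
    attrs = (avp(USER_NAME, mac_str.encode())
             + avp(USER_PASSWORD, hide_password(mac_str.encode(), secret, request_auth))
             + avp(NAS_IP_ADDRESS, bytes([10, 0, 0, 1]))    # assumed switch address 10.0.0.1
             + avp(NAS_PORT, struct.pack(">I", 3)))         # assumed port index 3
    return struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def radius_server(request: bytes, secret: bytes) -> bytes:
    """Server side: match (User-Name, User-Password) against USERS, then sign the reply with
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    code, ident, length = struct.unpack(">BBH", request[:4])
    request_auth, attrs = request[4:20], parse_avps(request[20:length])
    name = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth).decode(errors="replace")
    if code == ACCESS_REQUEST and USERS.get(name) == password:
        code, resp_attrs = ACCESS_ACCEPT, avp(FILTER_ID, b"mac-auth-permit")   # assumed Filter-Id value
    else:
        code, resp_attrs = ACCESS_REJECT, b""
    header = struct.pack(">BBH", code, ident, 20 + len(resp_attrs))
    return header + hashlib.md5(header + request_auth + resp_attrs + secret).digest() + resp_attrs

def handle_response(request: bytes, response: bytes, secret: bytes, failure_action: str = "drop") -> str:
    """Switch side: accept only a reply bound to our request by Identifier and Response
    Authenticator, then map the code to what happens to the MAC's traffic."""
    code, ident, length = struct.unpack(">BBH", response[:4])
    if ident != request[1] or length > len(response):
        raise ValueError("response does not match the outstanding request")
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    if code == ACCESS_ACCEPT:
        return "forward"                    # authenticated: traffic forwarded normally
    if code == ACCESS_REJECT:
        return failure_action               # "drop" (the default) or "restricted-vlan"
    raise ValueError(f"unexpected RADIUS code {code}")

def authenticate_mac(mac: str, secret: bytes, style: str = "plain", failure_action: str = "drop") -> str:
    """The whole exchange: format the MAC, build the request, let the server answer, verify."""
    request = build_access_request(format_mac(mac, style), secret)
    return handle_response(request, radius_server(request, secret), secret, failure_action)
```

`authenticate_mac("00:00:00:0f:ea:a1", b"s3cret")` returns "forward" because the plain-style name matches the users-file entry, while the same MAC sent in colon style is rejected and, with the default action, dropped: the CLI format and the server entries have to agree. The Response Authenticator check is what stops a host that can spoof the server's address from answering the switch with its own Access-Accept; it is only as strong as the shared secret. Note also that the "password" here is the MAC, which every frame from the host already carries in clear, so MAC authentication identifies the device only to the extent that nobody on the segment bothers to clone the address.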
FastIron Ethernet Switch Security Configuration Guide, 53-1003088-03, page 255