Brocade FastIron Ethernet Switch Security Configuration Guide User Manual

If multi-device port authentication fails for a device, then by default traffic from the device is either blocked in hardware, or the device is placed in a restricted VLAN. You can optionally configure the Brocade device to perform 802.1X authentication on a device when it fails multi-device port authentication. Refer to "Example 2 -- Creating a profile on the RADIUS server for each MAC address" on page 287 for a sample configuration where this is used.

Configuring Brocade-specific attributes on the RADIUS server

If the RADIUS authentication process is successful, the RADIUS server sends an Access-Accept message to the Brocade device, authenticating the device. The Access-Accept message can include Vendor-Specific Attributes (VSAs) that specify additional information about the device. If you are configuring multi-device port authentication and 802.1X authentication on the same port, then you can configure the Brocade VSAs listed in the following table on the RADIUS server.

You add these Brocade vendor-specific attributes to your RADIUS server configuration, and configure
the attributes in the individual or group profiles of the devices that will be authenticated. The Brocade
Vendor-ID is 1991, with Vendor-Type 1.

TABLE 28  Brocade vendor-specific attributes for RADIUS

Attribute name: Foundry-802_1x-enable
Attribute ID:   6
Data type:      integer
Description:    Specifies whether 802.1X authentication is performed when multi-device port authentication is successful for a device. This attribute can be set to one of the following:
                0 - Do not perform 802.1X authentication on a device that passes multi-device port authentication. Set the attribute to zero for devices that do not support 802.1X authentication.
                1 - Perform 802.1X authentication when a device passes multi-device port authentication. Set the attribute to one for devices that support 802.1X authentication.

Attribute name: Foundry-802_1x-valid
Attribute ID:   7
Data type:      integer
Description:    Specifies whether the RADIUS record is valid only for multi-device port authentication, or for both multi-device port authentication and 802.1X authentication. This attribute can be set to one of the following:
                0 - The RADIUS record is valid only for multi-device port authentication. Set this attribute to zero to prevent a user from using their MAC address as username and password for 802.1X authentication.
                1 - The RADIUS record is valid for both multi-device port authentication and 802.1X authentication.

If neither of these VSAs exists in a device profile on the RADIUS server, then by default the device is subject to multi-device port authentication (if configured), then 802.1X authentication (if configured), and the RADIUS record can be used for both multi-device port authentication and 802.1X authentication.

Configuration examples are shown in "Examples of multi-device port authentication and 802.1X authentication configuration on the same port" on page 285.
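The following added example (not code from the guide or from Brocade) encodes and decodes the two Table 28 VSAs in the RFC 2865 Vendor-Specific attribute layout (type 26, Vendor-Id 1991, then a vendor sub-attribute) and maps them to the port behaviour the table describes, including the documented default when a profile carries neither attribute. It assumes the attribute ID from the table is carried as the vendor sub-attribute type and that integers are 4-byte big-endian, as is standard for RADIUS; the sample profile bytes are constructed here.

```python
import struct

BROCADE_VENDOR_ID = 1991       # Vendor-ID given in the guide
ATTR_8021X_ENABLE = 6          # Foundry-802_1x-enable (Table 28)
ATTR_8021X_VALID = 7           # Foundry-802_1x-valid  (Table 28)
RADIUS_VENDOR_SPECIFIC = 26    # RFC 2865 attribute type for VSAs

def encode_vsa(attr_id: int, value: int) -> bytes:
    """Encode one Brocade integer VSA as
    Type(26) Length Vendor-Id(4) | Vendor-Type Vendor-Length Value(4).
    Assumption: attribute ID is used as the Vendor-Type field."""
    sub = struct.pack("!BBI", attr_id, 6, value)     # vendor-length = type+len+value
    return struct.pack("!BBI", RADIUS_VENDOR_SPECIFIC, 6 + len(sub), BROCADE_VENDOR_ID) + sub

def decode_vsas(attrs: bytes) -> dict:
    """Walk a RADIUS attribute list, skip non-Brocade attributes, and
    return {attribute_id: integer_value} for Brocade VSAs. Length fields
    are bounds-checked so a truncated or malformed packet raises."""
    found, i = {}, 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute length")
        if atype == RADIUS_VENDOR_SPECIFIC and alen >= 8:
            vendor_id = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            if vendor_id == BROCADE_VENDOR_ID:
                j = i + 6
                while j + 2 <= i + alen:
                    vtype, vlen = attrs[j], attrs[j + 1]
                    if vlen != 6 or j + vlen > i + alen:
                        raise ValueError("malformed vendor sub-attribute")
                    found[vtype] = struct.unpack("!I", attrs[j + 2:j + 6])[0]
                    j += vlen
        i += alen
    return found

def port_policy(vsas: dict) -> dict:
    """Interpret the VSAs as Table 28 describes. A missing VSA takes the
    documented default: 802.1X runs after MAC auth, record valid for both."""
    enable = vsas.get(ATTR_8021X_ENABLE, 1)
    valid = vsas.get(ATTR_8021X_VALID, 1)
    if enable not in (0, 1) or valid not in (0, 1):
        raise ValueError("VSA value out of range; only 0 and 1 are defined")
    return {"run_802_1x_after_mac_auth": enable == 1,
            "record_usable_for_802_1x": valid == 1}

# Constructed sample profile: a device that cannot do 802.1X and whose MAC
# address must not be reusable as 802.1X username/password.
PRINTER_PROFILE = encode_vsa(ATTR_8021X_ENABLE, 0) + encode_vsa(ATTR_8021X_VALID, 0)
```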


FastIron Ethernet Switch Security Configuration Guide, 53-1003088-03, page 258