Specifying the radius timeout action – Brocade FastIron Ethernet Switch Security Configuration Guide User Manual
Page 271

configurable through the CLI, with the mac-authentication max-age command. Once the hardware
aging period ends, the software aging period begins. When the software aging period ends, the blocked
MAC address ages out, and can be authenticated again if the Brocade device receives traffic from the
MAC address.
On FastIron X Series devices, the hardware aging period for blocked MAC addresses is not fixed at 70
seconds. The hardware aging period for blocked MAC addresses is equal to the length of time specified
with the mac-age command. As on FastIron devices, once the hardware aging period ends, the
software aging period begins. When the software aging period ends, the blocked MAC address ages
out, and can be authenticated again if the device receives traffic from the MAC address.
To change the hardware aging period for blocked MAC addresses, enter a command such as the
following.
device(config)#mac-authentication hw-deny-age 10
Syntax: [no] mac-authentication hw-deny-age num
The num parameter is a value from 1 to 65535 seconds. The default is 70 seconds.
Specifying the aging time for blocked MAC addresses
When the Brocade device is configured to drop traffic from non-authenticated MAC addresses, traffic
from the blocked MAC addresses is dropped in hardware, without being sent to the CPU. A Layer 2
CAM entry is created that drops traffic from the blocked MAC address in hardware. If no traffic is
received from the blocked MAC address for a certain amount of time, this Layer 2 CAM entry is aged
out. If traffic is subsequently received from the MAC address, then an attempt can be made to
authenticate the MAC address again.
Aging of the Layer 2 CAM entry for a blocked MAC address occurs in two phases, known as hardware
aging and software aging. The hardware aging period is fixed at 70 seconds and is non-configurable.
The software aging time is configurable through the CLI.
Once the Brocade device stops receiving traffic from a blocked MAC address, the hardware aging
begins and lasts for a fixed period of time. After the hardware aging period ends, the software aging
period begins. The software aging period lasts for a configurable amount of time (by default 120
seconds). After the software aging period ends, the blocked MAC address ages out, and can be
authenticated again if the Brocade device receives traffic from the MAC address.
To change the length of the software aging period for blocked MAC addresses, enter a command such
as the following.
device(config)#mac-authentication max-age 180
Syntax: [no] mac-authentication max-age seconds
You can specify from 1 to 65535 seconds. The default is 120 seconds.
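The hw-deny-age and max-age commands above together determine how long a blocked MAC stays in the hardware deny entry before re-authentication can be attempted. The following is an added example, not code from the guide or from Brocade: it parses those two commands out of a constructed FastIron-style configuration snippet, applies the defaults this page states (70 and 120 seconds, the non-X Series behaviour), rejects values outside 1 to 65535, and lays out the two aging phases on a timeline; the snippet and the assumption that aging is measured from the last received frame are the author's.

```python
import re

# Defaults stated on this page: hardware aging 70 s, software aging 120 s.
DEFAULTS = {"hw-deny-age": 70, "max-age": 120}
VALID_RANGE = (1, 65535)
# Matches "mac-authentication hw-deny-age N", "mac-authentication max-age N"
# and their "no ..." forms; the prompt "device(config)#" is not part of a config file.
CMD_RE = re.compile(r"^\s*(no\s+)?mac-authentication\s+(hw-deny-age|max-age)(?:\s+(\d+))?\s*$")


def parse_mac_auth_aging(config_text):
    """Return {'hw-deny-age': n, 'max-age': n} for a FastIron config text.

    Later lines override earlier ones; a 'no ...' form restores the default.
    Raises ValueError for a value outside 1-65535 or a missing value.
    """
    settings = dict(DEFAULTS)
    for line in config_text.splitlines():
        m = CMD_RE.match(line)
        if not m:
            continue
        negate, key, value = m.groups()
        if negate:
            settings[key] = DEFAULTS[key]
            continue
        if value is None:
            raise ValueError(f"{key}: missing seconds value in {line!r}")
        seconds = int(value)
        if not VALID_RANGE[0] <= seconds <= VALID_RANGE[1]:
            raise ValueError(f"{key}: {seconds} is outside {VALID_RANGE[0]}-{VALID_RANGE[1]}")
        settings[key] = seconds
    return settings


def blocked_mac_age_out(settings, last_traffic_at):
    """Timeline (seconds) of the two aging phases for a blocked MAC.

    Assumption: both phases start counting from the last frame received
    from the blocked MAC (last_traffic_at); hardware aging runs first.
    """
    hw_end = last_traffic_at + settings["hw-deny-age"]
    sw_end = hw_end + settings["max-age"]
    return {"hardware_aging_ends": hw_end, "software_aging_ends": sw_end,
            "blocked_for": sw_end - last_traffic_at}


# Constructed config snippet (not from the guide); reuses the page's example values.
SAMPLE_CONFIG = """\
! constructed snippet
mac-authentication hw-deny-age 10
mac-authentication max-age 180
"""

if __name__ == "__main__":
    s = parse_mac_auth_aging(SAMPLE_CONFIG)
    print(s, blocked_mac_age_out(s, last_traffic_at=0))
```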
Specifying the RADIUS timeout action
A RADIUS timeout occurs when the Brocade device does not receive a response from a RADIUS
server within a specified time limit and after a certain number of retries. The time limit and number of
retries can be manually configured using the CLI commands radius-server timeout and radius-server
retransmit, respectively. If the parameters are not manually configured, the Brocade device applies the
default value of three seconds with a maximum of three retries.
You can better control port behavior when a RADIUS timeout occurs by configuring a port on the
Brocade device to automatically pass or fail user authentication. A pass essentially bypasses the
authentication process and permits user access to the network. A fail bypasses the authentication
FastIron Ethernet Switch Security Configuration Guide
53-1003088-03