Configuring authentication, Enabling an 802.1x readiness check – Brocade Network OS Administrator’s Guide v4.1.1 User Manual
Configuring authentication
The radius-server command attempts to connect to the first RADIUS server. If the RADIUS server is
not reachable, the next RADIUS server is contacted. However, if the RADIUS server is contacted and
the authentication fails, the authentication process does not check for the next server in the sequence.
Perform the following steps to configure authentication.
1. Enter the configure terminal command to change to global configuration mode.
switch# configure terminal
2. Use the radius-server command to add RADIUS to the switch as the authentication server. This
command can be repeated for additional servers. However, this command moves the new RADIUS
server to the top of the access list.
switch(config)# radius-server host 10.0.0.5
3. Enable 802.1x authentication globally.
switch(config)# dot1x enable
4. Use the interface command to select the interface port to modify.
The gigabitethernet rbridge-id/slot/port operand is used only for the Brocade VDX 6710, Brocade
VDX 8770-4, and Brocade VDX 8770-8. The prompt for these ports is in the following format:
switch(config-if-gi-22/0/1)#.
switch(config)# interface tengigabitethernet 1/12
5. Use the dot1x authentication command to enable 802.1x authentication.
switch(conf-if-te-1/12)# dot1x authentication
6. Return to privileged EXEC mode.
switch(conf-if-te-1/12)# end
7. Enter the copy command to save the running-config file to the startup-config file.
switch# copy running-config startup-config
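The server-selection behavior described above (an unreachable server is skipped, a rejection is final, and each newly added server goes to the top of the list) can be modeled in a few lines. This is an added example, not Brocade or Network OS code: the class and function names are hypothetical, and 10.0.0.6 and the user names are constructed sample data.

```python
# Toy model of the RADIUS server selection described above.
# Not Network OS code: all class and function names are hypothetical,
# and the second server address and the user names are constructed.
from dataclasses import dataclass, field

ACCEPT, REJECT = "accept", "reject"


@dataclass
class RadiusServer:
    host: str
    reachable: bool = True
    users: set = field(default_factory=set)  # accounts this server accepts

    def authenticate(self, user):
        """Return ACCEPT or REJECT, or None when the server does not answer."""
        if not self.reachable:
            return None
        return ACCEPT if user in self.users else REJECT


class ServerList:
    def __init__(self):
        self.servers = []

    def add_host(self, server):
        # Step 2: each added server moves to the top of the list.
        self.servers.insert(0, server)

    def login(self, user):
        """Return (result, hosts contacted in order)."""
        tried = []
        for server in self.servers:
            tried.append(server.host)
            result = server.authenticate(user)
            if result is None:
                continue          # unreachable: contact the next server
            return result, tried  # any answer is final, including a reject
        return None, tried        # nobody answered; outside this model


def build_example():
    servers = ServerList()
    servers.add_host(RadiusServer("10.0.0.5", users={"alice", "bob"}))
    # Added second, so it is consulted first; it only knows "alice".
    servers.add_host(RadiusServer("10.0.0.6", users={"alice"}))
    return servers
```

In this model "bob" is rejected by 10.0.0.6 without 10.0.0.5 ever being asked, so every server in the list needs the same user database, and the order in which servers are added decides which one is authoritative.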
Configuring interface-specific administrative features for 802.1x
It is essential to configure the 802.1x port authentication protocol globally on the Brocade VDX
hardware, and then enable 802.1x and make customized changes for each interface port. Because
802.1x is enabled and configured in Configuring 802.1x authentication on page 519, use the
administrative tasks in this section to make any necessary customizations to specific interface port
settings.
Enabling an 802.1x readiness check
The 802.1x readiness check monitors 802.1x activity on all the switch ports and displays information
about the devices connected to the ports that support 802.1x. You can use this feature to determine if
the devices connected to the switch ports are 802.1x-capable.
The 802.1x readiness check is allowed on all ports that can be configured for 802.1x. The readiness
check is not available on a port that is configured by the dot1x force-unauthorized command.
When you configure the dot1x test eapol-capable command on an 802.1x-enabled port, and the link
comes up, the port queries the connected client about its 802.1x capability. When the client responds
with a notification packet, it is 802.1x-capable. A RASLog message is generated if the client responds
within the timeout period. If the client does not respond to the query, the client is not 802.1x-capable,
and a syslog message is generated saying the client is not EAPOL-capable.
Follow these guidelines to enable the readiness check on the switch:
• The readiness check is typically used before 802.1x is enabled on the switch.
• 802.1x authentication cannot be initiated while the 802.1x readiness test is in progress.
• The 802.1x readiness test cannot be initiated while 802.1x authentication is active.
Network OS Administrator’s Guide
53-1003225-04