beautypg.com

Configuring the nac inclusion list – Brocade Mobility RFS7000-GR Controller System Reference Guide (Supporting software release 4.1.0.0-040GR and later) User Manual


53-1001944-01

Viewing and configuring switch WLANs


5. Refer to the Status field for the current state of the requests made from the applet. This field
displays error messages if something goes wrong in the transaction between the applet and
the switch.

6. Click OK to use the changes to the running configuration and close the dialog.

7. Click Cancel to close the dialog without committing updates to the running configuration.

Configuring the NAC inclusion list

Using NAC, the switch acts as an enforcement entity before allowing MU access to specific network
resources. NAC performs a MU host integrity check wherein a MU sends host integrity information
to the NAC server. The NAC server configuration is defined on the switch on a per WLAN basis. NAC
verifies a MU’s compliance with the NAC server’s security policy (not the switch).

For a NAC configuration example using the switch CLI, see “NAC configuration examples using the
switch CLI” on page 148.

An include list is a list of MAC addresses configured for a WLAN. During EAP authentication, the
EAP server (RADIUS or NAC server) is determined based on the MU’s MAC address.

All non-802.1x devices are partitioned into a WLAN (separate from an 802.1x enabled WLAN).

Communication between devices in an 802.1x supported WLAN and a non-802.1x supported
WLAN is achieved by merging the WLANs within the same VLAN.

The switch uses the include list to add devices that are NAC supported. The following explains how
authentication is achieved using 802.1x. The switch authenticates 802.1x enabled devices using
one of the following:

NAC Agent – NAC support is added in the switch to allow the switch to communicate with a LAN
enforcer (a laptop with a NAC agent installed).

No NAC Agent – NAC support is achieved using an exclude list. For more information, see
“Configuring the NAC exclusion list” on page 145.

By default, a WLAN is NAC disabled. Each WLAN can be configured to:

Conduct a NAC check for MUs connecting to the WLAN as well as perform an additional
exclude function, by attaching an exclude list to the WLAN.

Do not perform NAC validation for MUs connecting to the WLAN.

Include a few MUs for NAC validation and bypass the rest of the MUs.
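
The following Python sketch is an added example, not taken from this guide or from switch software. It models the three per-WLAN options above so an inventory of MU MAC addresses can be audited for devices that would skip the NAC host integrity check. The mode names, the exact-match comparison of MAC addresses, and the sample addresses are assumptions made for illustration.

```python
import re

def normalize_mac(mac: str) -> str:
    """Return a MAC as 12 lowercase hex digits; accepts ':', '-' or '.' separators."""
    digits = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def eap_server_for(mac, mode, include=(), exclude=()):
    """Model which EAP server handles an MU on one WLAN.

    mode values are hypothetical labels, not switch keywords:
      "none"    - the WLAN performs no NAC validation
      "all"     - NAC check for every MU except those on the exclude list
      "include" - NAC check only for MUs on the include list
    Returns "nac" or "radius".
    """
    m = normalize_mac(mac)
    if mode == "none":
        return "radius"
    if mode == "all":
        return "radius" if m in {normalize_mac(x) for x in exclude} else "nac"
    if mode == "include":
        return "nac" if m in {normalize_mac(x) for x in include} else "radius"
    raise ValueError(f"unknown mode: {mode!r}")

def nac_bypass_report(inventory, mode, include=(), exclude=()):
    """Return the inventory MACs that would not be sent to the NAC server."""
    return sorted(normalize_mac(m) for m in inventory
                  if eap_server_for(m, mode, include, exclude) != "nac")

# Constructed sample data in three common MAC notations.
INVENTORY = ["00:A0:F8:11:22:33", "00-a0-f8-44-55-66", "00a0.f877.8899"]
INCLUDE = ["00:a0:f8:11:22:33"]
EXCLUDE = ["00A0.F877.8899"]

if __name__ == "__main__":
    for mode in ("none", "all", "include"):
        print(mode, nac_bypass_report(INVENTORY, mode, INCLUDE, EXCLUDE))
```

In the "include" mode every MU missing from the list bypasses validation, so the report makes the coverage gap of a short include list visible.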

To view the attributes of a NAC Include list:

Max Retries

Define a maximum number of retries for each Access Category.

Use DSCP or 802.1p

Select the DSCP or 802.1p radio buttons to choose between DSCP and 802.1p.