802.1X accounting, 802.1X port security configuration – Brocade Communications Systems Brocade ICX 6650 User Manual


Brocade ICX 6650 Security Configuration Guide


53-1002601-01


802.1X accounting

When 802.1X port security is enabled on the Brocade device, you can enable 802.1X accounting.
This feature enables the Brocade device to log information on the RADIUS server about
authenticated 802.1X clients. The information logged on the RADIUS server includes the 802.1X
client session ID, MAC address, and authenticating physical port number.

802.1X accounting works as follows.

1. A RADIUS server successfully authenticates an 802.1X client.

2. If 802.1X accounting is enabled, the Brocade device sends an 802.1X Accounting Start packet
to the RADIUS server, indicating the start of a new session.

3. The RADIUS server acknowledges the Accounting Start packet.

4. The RADIUS server records information about the client.

5. When the session is concluded, the Brocade device sends an Accounting Stop packet to the
RADIUS server, indicating the end of the session.

6. The RADIUS server acknowledges the Accounting Stop packet.

To enable 802.1X accounting, refer to “802.1X accounting configuration” on page 182.

802.1X port security configuration

Configuring 802.1X port security on a Brocade device consists of the following tasks.

1. Configure the device interaction with the Authentication Server:
   - “Configuring an authentication method list for 802.1X” on page 164
   - “Setting RADIUS parameters” on page 164
   - “Dynamic VLAN assignment for 802.1X port configuration” on page 166 (optional)
   - “Dynamically applying IP ACLs and MAC address filters to 802.1X ports” on page 170

2. Configure the device role as the Authenticator:
   - “Enabling 802.1X port security” on page 174
   - “Initializing 802.1X on a port” on page 178 (optional)

3. Configure the device interaction with Clients:
   - “Configuring periodic re-authentication” on page 175 (optional)
   - “Re-authenticating a port manually” on page 176 (optional)
   - “Setting the quiet period” on page 176 (optional)
   - “Setting the wait interval for EAP frame retransmissions” on page 176 (optional)
   - “Setting the maximum number of EAP frame retransmissions” on page 177 (optional)
   - “Specifying a timeout for retransmission of messages to the authentication server” on page 178 (optional)
   - “Allowing access to multiple hosts” on page 179 (optional)
   - “MAC address filters for EAP frames” on page 182 (optional)