03-17-2015 09:41 AM
Does anybody know how to influence how many MAC authentication requests are sent to a RADIUS server during authentication? I am using Brocade ICX6610s running version 08.0.20 code.
MAC and 802.1x authentication are configured on the ports, but the number of MAC authentication requests sent before 802.1x is tried is around 10, which causes a massive delay in authentication. I believe on previous code versions there were timeout commands that could be entered to reduce this delay, but nothing seems to be available since the flexible authentication implementation.
In addition, I am setting the Brocade VSA to tell the switch that 802.1x authentication should be used, but as the RADIUS server is sending (correctly) RADIUS Access-Reject messages, these attributes don't appear to be actioned.
03-18-2015 08:32 AM
Good morning, davidgearing. Quick question about your problem - do you need the MAC authentication on all ports? If not, you could set the auth-order individually for the ports that only need 802.1X, although in a large environment this would be a management nightmare.
I am running the same code version on ours, and with the re-ordering of the authentication area from 7.4.00x I don't see anywhere to set the max-fail attempts for MAC authentication. Based on your situation, it might be better to set your auth order on all ports to dot1x first, then try MAC second - maybe that will shorten the timeouts to roll over to the secondary method?
03-20-2015 08:49 AM
In the end I actually found a workaround on the RADIUS server (ClearPass Policy Manager).
There is a feature to accept (send a RADIUS Access-Accept) all MAC address authentication requests, which gets around this problem.
I could not find a way to resolve this issue using the Brocade functionality.