Reset Search



How to configure per-user IP ACLs filters in dot1x with FreeRadiusBrocade?

« Go Back


TitleHow to configure per-user IP ACLs filters in dot1x with FreeRadiusBrocade?

IP Ethernet Switches: FastIron Series

Note: FreeRADIUS is an open-source RADIUS server for UNIX systems.


The belowdescribes the configuration of FreeRADIUS to configure per-user IP ACLs filters.For a basic installation, three files must be edited: /etc/radd/clients.conf, /etc/raddb/users and /usr/share/freeradius/dictionary.foundry.

freeRADIUS version 2.1.7 in UNIX

The /etc/raddb/clients.conffilespecifies the list of clients that will be accessing the FreeRADIUS server.The list includes the IP addresses and the secret key for each client.In addition, thefilecontains a list of all the RADIUS clients that can query the FreeRADIUS server for AAA requests.The format for adding each RADIUS client is as follows:

client hostname-or-IP-address {
secret = encryption-key
shortname = hostname


Users canspecify the client either by host name or IP address.The encryption key for specifying the secret value should match the specified passwordfor the RADIUS Client on the Brocade switch.The shortname parameter is used to specify an alias for the host.The default /etc/raddb/clients.conf file only contains one entry for the localhost.Each additional client should be appended to the default file.Optionally, users can also specify a network address instead of a single client.The following sample snippet can be appended to the default /etc/raddb/ clients.conf file:

Note:In thefollowingexample, assume that the radius client (Brocade switch)should belong to the subnet network and radius client password is 'secret' which mustmatchthe configured one by CLI 'radius-server key' on Brocade switch.

client {
secret = secret
shortname = localhost


The /etc/raddb/usersfilespecifies the list of users, accompanied by the authentication and authorization parameters for each user.The/etc/raddb/users file is amaster file that references other dictionary files by using the following statement:.

(For 8021x with Per-user IP ACL)

Note: In thefollowingexample, the user "bob" has "test" set as the password. Multiple ACLs can be configured with a space, newline, semicolon, comma, or null characater.

bob Auth-Type :=EAP, Cleartext-Password:="test"
Foundry-Access-List=" udp any any; tcp any host eq http"


The /usr/share/freeradius/dictionary.foundryfilespecifies the list of dictionary files for each supported vendor.The server has separate dictionary files for each supported vendor that contain RADIUS attributes and values.

Below are attributes related to dot1x:


VALUE Foundry-Command-Exception-Flag Permit-Cmd-Str/Deny-Others 0
VALUE Foundry-Command-Exception-Flag Deny-Cmd-Str/Permit-Others 1

VALUE Foundry-MAC-Authent-Needs-802.1x Disable 0
VALUE Foundry-MAC-Authent-Needs-802.1x Enable 1

VALUE Foundry-802.1x-Valid-Lookup Disable 0
VALUE Foundry-802.1x-Valid-Lookup Enable 1

If users do not have the above statements inthe dictionary.foundry file,the usermay add the above statements.After the above isedited, users need to restart the RADIUS server.

Below is a configuration example for dot1x on FCX:

FCX624SHPOE Switch#sh run
Current configuration:
ver 07.2.02dT7f1
stack unit 1
module 1 fcx-24-poe-port-management-module
module 2 fcx-cx4-2-port-16g-module
vlan 1 name DEFAULT-VLAN by port
<-- To enable the802.1x on the device
enable ethe 1/1/1 to 1/1/2 <-- In this example, this enables 802.1X port security on interfaces 1/1/1 and 1/1/2
aaa authentication dot1x default radius
<-- To use RADIUS authentication with 802.1X port security
ip address
no ip dhcp-client enable
logging console
radius-server host auth-port 1812 acct-port 1813 defaultkeysecret
<-- To authenticate access to a Brocade switch
interface ethernet 1/1/1
dot1x port-control auto
<-- To activate authentication on an 802.1X-enabled interface and connect a client enabled 802.1x.
interface ethernet 1/1/2
dot1x port-control auto

FCX624SHPOE Switch#

Client enabled 802.1x ---------------- e1/1/1 FCX e1/1/24 ----------- Radius server

Note:Make sure that FCXhas IP connectivity to the Radius server.Users may do a ping command.

Show Commands:
Once the client is authenticated, check the following commands:

Note:The show dot1x mac-session command displays information about the dot1x-mac-sessions on each port on the device.The output also shows the authenticator PAE state.

FCX624SHPOE Switch#sh dot1 mac-s

Port MAC/IP(username) Vlan Auth ACL Age PAE
State State
1/1/1 000d.600f.c6b3 :bob 1 permit in Ena AUTHENTICATED
FCX624SHPOE Switch#

Auth State = 'permit' means that the Client has been successfully authenticated, and traffic from the Client is being forwarded normally.

PAE State means that the current status of the Authenticator PAE state machine. The 'AUTHENTICATED' meansPAE is in aauthenticated state.The client 000d.600f.c6b3 : bob is now able to forward and receive a traffic.To display the dynamically applied IP ACLs active on an interface, enterthe following command:

Note:In this example, two ACL clauses are set to a port 1/1/1 as Inbound ACL for the user, bob, which is corresponding to ACLs in the Radius server.

FCX624SHPOE Switch#sh dot1 ip-acl

Port : 1/1/1 (301), user : bob( 000d.600f.c6b3 ) (
Extended IP access list Port_1/1/1_bob_E_IN
permit udp any any
permit tcp any host eq http
FCX624SHPOE Switch#

Additional notes



Was this article helpful?



Please tell us how we can make this article more useful.

Characters Remaining: 255