Brocade Communications Systems RFS6000 System Reference Manual page 150

Provides centralized wireless LAN (WLAN) configuration and management

4 Viewing and configuring controller WLANs

NOTE
If user privilege attributes are not defined for the Radius Server, users will be authenticated with a default privilege role of 1 (Monitor read-only access).

Configuring the User Login Sources
The following recommended Radius Server user login sources specify the location (ssh/telnet/console/Web) from which users are allowed controller access. If login access permissions are not defined (restricted), users will be allowed to log in from each interface. To define login source access locations:
1. Set the attribute number to 100 and its type as "integer."
2. Define the following possible decimal values for login sources:
   a. Set the Console Access value to 128 (user is allowed login privileges only from console).
   b. Set the Telnet Access value to 64 (user is allowed login privileges only from a Telnet session).
   c. Set the SSH Access value to 32 (user is allowed login privileges only from ssh session).
   d. Set the Web Access value to 16 (user is allowed login privileges only from Web/applet).
3. Specify multiple access sources by using different values. The privilege values can be ORed and specified once. For example, if a user needs access from both the console and Web, configure the Radius Server with the 100 attribute twice, once with value 128 for console and next with value 16 for Web access.

Configuring NAC server support
There is an increasing proliferation of insecure devices (laptops, mobile computers, PDAs, smart-phones) accessing WiFi networks. These devices often lack proper anti-virus software and can potentially infect the network they access. Device compliance per an organization's security policy must be enforced using NAC. A typical security compliance check entails verifying the right operating system patches, anti-virus software, etc.
NAC is a continuous process for evaluating Client credentials, mitigating security issues, admitting Clients to the network and monitoring Clients for compliance with globally-maintained standards and policies. If a Client is not in compliance, network access is restricted by quarantining the Client.
Using NAC, the controller hardware and software grants access to specific network devices. NAC performs a user and Client authorization check for devices without a NAC agent. NAC verifies a Client's compliance with the controller's security policy. The controller supports only EAP/802.1x NAC. However, the controller provides a means to bypass NAC authentication for Clients without NAC 802.1x support (printers, phones, PDAs, etc.).
For a NAC configuration example using the controller CLI, see "Configuring the NAC exclusion list" on page 156 or "Configuring the NAC inclusion list" on page 160.
None – NAC disabled, no NAC is conducted. A Client can only be authenticated by a Radius server.
Do NAC except exclude list – A Client NAC check is conducted except for those in the exclude-list. Devices in the exclude-list will not have any NAC checks.
Bypass NAC except include list – A Client NAC check is conducted only for those Clients in the include-list.
To configure NAC Server support:

136
Brocade Mobility RFS6000 and RFS7000 System Reference Guide
53-1001858-01
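
The login-source values listed under "Configuring the User Login Sources" can be checked per account with a short script. This is an added example, not code from the Brocade manual: the function names, user names and sample values are constructed, and it assumes the attribute 100 values for each user have already been exported from the Radius Server as integers.

```python
# Added example: decode Radius attribute 100 (login source) values from this page.
CONSOLE, TELNET, SSH, WEB = 128, 64, 32, 16
NAMES = {CONSOLE: "console", TELNET: "telnet", SSH: "ssh", WEB: "web"}
KNOWN_MASK = CONSOLE | TELNET | SSH | WEB


def effective_sources(values):
    """Return the set of interfaces a user may log in from.

    `values` holds every instance of attribute 100 returned for the user:
    one ORed integer, several single-source integers, or nothing at all.
    """
    if not values:
        # Per the manual: with no login-source restriction, every interface is allowed.
        return set(NAMES.values())
    mask = 0
    for v in values:
        if v <= 0 or v & ~KNOWN_MASK:
            raise ValueError(f"attribute 100 value {v} has bits outside 128/64/32/16")
        mask |= v
    return {name for bit, name in NAMES.items() if mask & bit}


def audit(users):
    """Flag accounts that are unrestricted or that may use cleartext Telnet."""
    findings = []
    for user, values in sorted(users.items()):
        try:
            allowed = effective_sources(values)
        except ValueError as exc:
            findings.append((user, f"invalid: {exc}"))
            continue
        if not values:
            findings.append((user, "no login-source attribute: all interfaces allowed"))
        elif "telnet" in allowed:
            findings.append((user, "telnet login allowed"))
    return findings


# Constructed sample data (hypothetical user names), not taken from the manual.
SAMPLE = {
    "noc-admin": [128, 16],  # attribute sent twice: console + Web
    "ops": [144],            # same access as one ORed value (128 | 16)
    "legacy": [64 | 32],     # Telnet + SSH
    "helpdesk": [],          # attribute not defined
    "typo": [8],             # not one of the documented values
}

if __name__ == "__main__":
    for user, issue in audit(SAMPLE):
        print(f"{user}: {issue}")
```

Accounts reported as unrestricted or Telnet-capable are the ones to review first, since the manual's default for an undefined attribute is access from every interface.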
