Example 2 – Brocade TurboIron 24X Series Configuration Guide User Manual


Brocade TurboIron 24X Series Configuration Guide

53-1003053-01

Using multi-device port authentication and 802.1X security on the same port

When the PC MAC address is authenticated, the Access-Accept message from the RADIUS server
specifies that the PVID for the PC port be changed to the VLAN named “Login-VLAN”, which is VLAN
1024. The Foundry-802_1x-enable attribute is set to 1, meaning that 802.1X authentication is
required for this MAC address. The PVID of port 3 is temporarily changed to VLAN 1024,
pending 802.1X authentication.

When User 1 attempts to connect to the network from the PC, he is subject to 802.1X
authentication. If User 1 is successfully authenticated, the Access-Accept message from the
RADIUS server specifies that the PVID for User 1 port be changed to the VLAN named “User-VLAN”,
which is VLAN 3. If 802.1X authentication for User 1 is unsuccessful, the PVID for port 3 is
changed to that of the restricted VLAN, which is 1023, or untagged traffic from port e 3 can be
blocked in hardware.

The part of the running-config related to port e 3 would be as follows.

interface ethernet 3
 dot1x port-control auto
 mac-authentication enable
 dual-mode

When the PC is authenticated using multi-device port authentication, the port PVID is changed to
“Login-VLAN”, which is VLAN 1024 in this example.

When User 1 is authenticated using 802.1X authentication, the port PVID is changed to
“User-VLAN”, which is VLAN 3 in this example.

Example 2

The configuration in Figure 123 requires that you create a profile on the RADIUS server for each
MAC address from which a device or user connects to the network. In a large network, this can be
difficult to implement and maintain.

As an alternative, you can create MAC address profiles only for those devices that do not support
802.1X authentication, such as IP phones and printers, and configure the device to perform
802.1X authentication for the other devices that do not have MAC address profiles, such as user
PCs. To do this, you configure the device to perform 802.1X authentication when a device fails
multi-device port authentication.

Figure 124 shows a configuration where multi-device port authentication is performed for an IP
phone, and 802.1X authentication is performed for a user PC. There is a profile on the RADIUS
server for the IP phone MAC address, but not for the PC MAC address.

FIGURE 124

802.1X authentication is performed when a device fails multi-device port authentication
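The port state transitions described for Example 1 (MAC authentication, then 802.1X with a success and a failure outcome) and Example 2 (802.1X performed when a device has no MAC profile) can be followed in a small model. This is an added illustration, not Brocade code: the VLAN numbers are the ones the guide's example uses, while the field names, the fallback flag and the behaviour of a port with no MAC profile and no 802.1X fallback are assumptions made for the model.

```python
from dataclasses import dataclass, field
from typing import Optional

# VLAN ids come from the guide's example; names below are assumed for illustration.
LOGIN_VLAN = 1024       # "Login-VLAN": PVID while 802.1X authentication is pending
USER_VLAN = 3           # "User-VLAN": PVID after successful 802.1X authentication
RESTRICTED_VLAN = 1023  # restricted VLAN used when 802.1X authentication fails

@dataclass
class AccessAccept:
    """Fields of interest from a RADIUS Access-Accept for a MAC address or user."""
    vlan: int                    # PVID the profile assigns to the port
    dot1x_required: bool = False  # Foundry-802_1x-enable attribute set to 1

@dataclass
class Port:
    default_pvid: int
    dot1x_on_mac_auth_failure: bool = False  # Example 2 behaviour (assumed flag name)
    block_on_dot1x_failure: bool = False     # block untagged traffic in hardware instead
    pvid: int = field(init=False)
    blocked: bool = False
    dot1x_pending: bool = False

    def __post_init__(self):
        self.pvid = self.default_pvid

def mac_auth_result(port: Port, accept: Optional[AccessAccept]) -> Port:
    """Apply the outcome of multi-device port (MAC) authentication.
    `accept` is None when the RADIUS server has no profile for the MAC address."""
    if accept is None:
        # No MAC profile: fall back to 802.1X (Example 2) or, assumed here,
        # keep the device's untagged traffic blocked.
        port.dot1x_pending = port.dot1x_on_mac_auth_failure
        port.blocked = not port.dot1x_on_mac_auth_failure
        return port
    port.pvid = accept.vlan                 # e.g. Login-VLAN for the PC's MAC
    port.blocked = False
    port.dot1x_pending = accept.dot1x_required
    return port

def dot1x_result(port: Port, success: bool,
                 user_accept: Optional[AccessAccept] = None) -> Port:
    """Apply the outcome of 802.1X authentication for the user on the port."""
    if not port.dot1x_pending:
        return port
    port.dot1x_pending = False
    if success:
        port.pvid = user_accept.vlan if user_accept else port.pvid  # e.g. User-VLAN
        port.blocked = False
    elif port.block_on_dot1x_failure:
        port.blocked = True
    else:
        port.pvid = RESTRICTED_VLAN
    return port
```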
