Brocade TurboIron 24X Series Configuration Guide User Manual
53-1003053-01
Configuring 802.1X port security
By default, the dynamic VLAN assignments are not saved to the running-config file. Entering the
show running-config command does not display dynamic VLAN assignments, although they can be
displayed with the show vlan and show authenticated-mac-address detail commands.
NOTE
When this feature is enabled, issuing the command write mem will save any dynamic VLAN
assignments to the startup configuration file.
Considerations for dynamic VLAN assignment in an 802.1X multiple-host configuration
The following considerations apply when a Client in an 802.1X multiple-host configuration is
successfully authenticated, and the RADIUS Access-Accept message specifies a VLAN for the port:
• If the port is not already a member of a RADIUS-specified VLAN, and the RADIUS Access-Accept
message specifies the name or ID of a valid VLAN on the device, then the port is placed in that
VLAN.
• If the port is already a member of a RADIUS-specified VLAN, and the RADIUS Access-Accept
message specifies the name or ID of a different VLAN, then it is considered an authentication
failure. The port VLAN membership is not changed.
• If the port is already a member of a RADIUS-specified VLAN, and the RADIUS Access-Accept
message specifies the name or ID of that same VLAN, then traffic from the Client is forwarded
normally.
• If the RADIUS Access-Accept message specifies the name or ID of a VLAN that does not exist
on the device, then it is considered an authentication failure.
• If the port is a tagged or dual-mode port, and the RADIUS Access-Accept message specifies the
name or ID of a valid VLAN on the device, then the port is placed in that VLAN. If the port is
already a member of the RADIUS-specified VLAN, no further action is taken. Note that the
Client dot1x-mac-session is set to "access-is-allowed" for the RADIUS-specified VLAN only. If
traffic from the Client MAC address is received on any other VLAN, it is dropped.
• If the RADIUS Access-Accept message does not contain any VLAN information, the Client
dot1x-mac-session is set to "access-is-allowed". If the port is already in a RADIUS-specified
VLAN, it remains in that VLAN.
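The considerations above form a small decision procedure, and it is easy to get the ordering wrong (for example, checking "port already in a VLAN" before "VLAN exists on the device"). The following is an added example, not code from this guide or from Brocade, that encodes those outcomes and applies them to constructed Access-Accept attribute sets. The attribute numbers and tag-octet encoding are the RFC 2868 tunnel attributes that RFC 3580 specifies for VLAN assignment (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802, Tunnel-Private-Group-ID = VLAN name or ID); the Port class, the outcome strings, and the rule that an incomplete tunnel attribute set counts as "no VLAN information" are assumptions of this example, not documented device behaviour.

```python
"""
Decision model for 802.1X dynamic VLAN assignment on a multiple-host port.
Added illustration, not Brocade code: it encodes the considerations listed
above so they can be exercised against sample Access-Accept attribute sets.
Attribute numbers/encodings follow RFC 2868 as used by RFC 3580 section 3.31.
Port, the outcome labels and the handling of an incomplete tunnel attribute
triple are this example's own assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

TUNNEL_TYPE = 64              # RFC 2868: tag octet + 3-octet value, 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65       # RFC 2868: tag octet + 3-octet value, 6 = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81  # RFC 2868: optional tag octet + VLAN name or ID

PLACED_IN_VLAN = "port placed in RADIUS-specified VLAN"
FORWARD_NORMALLY = "forwarded normally (port already in that VLAN)"
ACCESS_ALLOWED = "access-is-allowed (no VLAN information)"
ACCESS_ALLOWED_VLAN_ONLY = "access-is-allowed on RADIUS-specified VLAN only"
AUTH_FAILURE_DIFFERENT_VLAN = "authentication failure: port already in a different RADIUS VLAN"
AUTH_FAILURE_NO_SUCH_VLAN = "authentication failure: VLAN does not exist on device"


@dataclass
class Port:
    tagged_or_dual_mode: bool = False
    radius_vlan: Optional[str] = None  # VLAN the port already holds from RADIUS, if any
    # client MAC -> VLAN the dot1x-mac-session is confined to (None = not confined)
    sessions: Dict[str, Optional[str]] = field(default_factory=dict)


def _tagged_int(raw: Optional[bytes]) -> Optional[int]:
    """Decode a tagged 4-octet tunnel integer; None if absent or malformed."""
    if raw is None or len(raw) != 4 or raw[0] > 0x1F:
        return None
    return int.from_bytes(raw[1:], "big")


def vlan_from_access_accept(attrs: Dict[int, bytes]) -> Optional[str]:
    """Return the VLAN name/ID carried by an Access-Accept (attribute number ->
    raw value), or None when it carries no complete VLAN information."""
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID)
    if group is None:
        return None
    if _tagged_int(attrs.get(TUNNEL_TYPE)) != 13 or _tagged_int(attrs.get(TUNNEL_MEDIUM_TYPE)) != 6:
        return None  # assumption: incomplete tunnel triple is treated as "no VLAN information"
    if group and group[0] <= 0x1F:  # RFC 2868: a leading octet <= 0x1F is a tag, not data
        group = group[1:]
    return group.decode("ascii")


def apply_access_accept(port: Port, mac: str, attrs: Dict[int, bytes], device_vlans: Set[str]) -> str:
    """Apply the considerations for an authenticated client; mutates port and
    returns the outcome label.  device_vlans holds the names and IDs of VLANs
    configured on the device (sample data in the caller)."""
    vlan = vlan_from_access_accept(attrs)
    if vlan is None:                          # no VLAN information: session allowed, VLAN unchanged
        port.sessions[mac] = None
        return ACCESS_ALLOWED
    if vlan not in device_vlans:              # VLAN not on the device: authentication failure
        return AUTH_FAILURE_NO_SUCH_VLAN
    if port.tagged_or_dual_mode:              # tagged/dual-mode: join (or stay in) the VLAN,
        port.radius_vlan = vlan               # confine this MAC to that VLAN only
        port.sessions[mac] = vlan
        return ACCESS_ALLOWED_VLAN_ONLY
    if port.radius_vlan is None:              # untagged port not yet in a RADIUS VLAN
        port.radius_vlan = vlan
        port.sessions[mac] = None
        return PLACED_IN_VLAN
    if port.radius_vlan != vlan:              # already in a different RADIUS VLAN: failure,
        return AUTH_FAILURE_DIFFERENT_VLAN    # membership left unchanged
    port.sessions[mac] = None                 # same VLAN: forward normally
    return FORWARD_NORMALLY


def client_frame_forwarded(port: Port, mac: str, vlan: str) -> bool:
    """Whether a frame from an authenticated client MAC arriving on `vlan` is
    forwarded: a MAC confined to a RADIUS VLAN is dropped on any other VLAN."""
    if mac not in port.sessions:
        return False
    confined = port.sessions[mac]
    return confined is None or confined == vlan


def build_access_accept(vlan: str, tag: int = 0) -> Dict[int, bytes]:
    """Construct the RFC 3580 attribute triple of a sample Access-Accept."""
    t = bytes([tag])
    return {TUNNEL_TYPE: t + (13).to_bytes(3, "big"),
            TUNNEL_MEDIUM_TYPE: t + (6).to_bytes(3, "big"),
            TUNNEL_PRIVATE_GROUP_ID: t + vlan.encode("ascii")}


if __name__ == "__main__":
    vlans = {"10", "20", "guests"}             # constructed device VLAN table
    p = Port()
    print(apply_access_accept(p, "00:11:22:33:44:55", build_access_accept("10"), vlans))
    print(apply_access_accept(p, "00:11:22:33:44:66", build_access_accept("20"), vlans))
```

The order of the checks matters: a non-existent VLAN is rejected before the port's current membership is consulted, and an Access-Accept with no VLAN information never changes the port's VLAN, which is the behaviour the last two considerations describe.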
Using dynamic VLAN assignment with the MAC port security feature
MAC port security allows the device to learn a limited number of “secure” MAC addresses on an
interface. The interface forwards only packets with source MAC addresses that match these secure
addresses. If the interface receives a packet with a source MAC address that is different from any
of the secure addresses, it is considered a security violation, and subsequent packets from the
violating MAC address can be dropped, or the port can be disabled entirely.
If a port is disabled due to a MAC port security violation, 802.1X clients attempting to connect over
the port cannot be authorized. In addition, 802.1X clients connecting from non-secure MAC
addresses cannot be authorized.
To use 802.1X dynamic VLAN assignment with the MAC port security feature on an interface, you
must set the number of secure MAC addresses to two or more.
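The interaction described in this section is easiest to reason about as a small state machine: the secure-address table fills up to its limit, a new source MAC after that is a violation, and 802.1X authorization is gated on both the port being enabled and the client MAC being a secure address. The following is an added example, not code from this guide or from Brocade, that models that behaviour on constructed traffic. The SecurePort class, its method names, and the "restrict"/"shutdown" labels for the two violation responses are assumptions of this example; the page itself only states that violating packets can be dropped or the port disabled.

```python
"""
Model of how MAC port security gates 802.1X authorization on an interface.
Added illustration, not Brocade code: the learning limit, the two violation
responses and the 802.1X checks follow the text above; the class, method
names and the "restrict"/"shutdown" labels are this example's assumptions.
"""
from typing import Set


class SecurePort:
    def __init__(self, max_secure: int, violation: str = "restrict") -> None:
        if violation not in ("restrict", "shutdown"):
            raise ValueError("violation must be 'restrict' or 'shutdown'")
        self.max_secure = max_secure          # how many secure MACs may be learned
        self.violation = violation            # response to a violating MAC
        self.secure_macs: Set[str] = set()    # learned secure addresses
        self.blocked_macs: Set[str] = set()   # violators whose later frames are dropped
        self.disabled = False                 # set when a violation shuts the port down

    def receive(self, src_mac: str) -> str:
        """Process one ingress frame by source MAC and report what happened."""
        if self.disabled:
            return "dropped: port disabled"
        if src_mac in self.secure_macs:
            return "forwarded"
        if src_mac in self.blocked_macs:
            return "dropped: violating MAC"
        if len(self.secure_macs) < self.max_secure:
            self.secure_macs.add(src_mac)     # room left: learn it as a secure address
            return "learned and forwarded"
        # secure table is full, so an unknown source MAC is a security violation
        if self.violation == "shutdown":
            self.disabled = True
            return "violation: port disabled"
        self.blocked_macs.add(src_mac)        # drop subsequent frames from this MAC
        return "violation: subsequent frames from MAC dropped"

    def can_authorize_dot1x(self, client_mac: str) -> bool:
        """An 802.1X client can be authorized only on an enabled port and only
        from a MAC that is one of the port's secure addresses."""
        return not self.disabled and client_mac in self.secure_macs

    def supports_dynamic_vlan(self) -> bool:
        """802.1X dynamic VLAN assignment alongside MAC port security requires
        the secure-address limit to be two or more."""
        return self.max_secure >= 2


if __name__ == "__main__":
    port = SecurePort(max_secure=1)           # too small for dynamic VLAN assignment
    for mac in ("00:11:22:33:44:55", "00:11:22:33:44:66", "00:11:22:33:44:66"):
        print(mac, "->", port.receive(mac))   # constructed sample traffic
    print("dynamic VLAN supported:", port.supports_dynamic_vlan())
```

Running it with a limit of one shows the failure mode the text warns about: the second station trips a violation, cannot be authorized over 802.1X, and the port is not eligible for dynamic VLAN assignment until the limit is raised to two or more.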