Brocade Communications Systems 6650 Switch User Manual


 
234 Brocade ICX 6650 Security Configuration Guide
53-1002601-01
DAI is supported together with multi-device port authentication as long as ACL-per-port-per-vlan is enabled. Beyond that, no extra configuration steps are needed to enable support with dynamic ACLs: when these features are enabled on the same port/VLAN, support is enabled automatically.
Support for DHCP snooping with dynamic ACLs
Multi-device port authentication and DHCP snooping are supported in conjunction with dynamic ACLs. Support is available in the Layer 3 software images only.

DHCP snooping is supported together with multi-device port authentication as long as ACL-per-port-per-vlan is enabled. Beyond that, no extra configuration steps are needed to enable support with dynamic ACLs: when these features are enabled on the same port/VLAN, support is enabled automatically.
Support for source guard protection
The Brocade proprietary Source Guard Protection feature, a form of IP Source Guard, can be used in conjunction with multi-device port authentication. For details, refer to “Enabling source guard protection” on page 246.
Multi-device port authentication and 802.1X security on the same port
On Brocade ICX 6650, multi-device port authentication and 802.1X security can be configured on the same port, as long as the port is not a trunk port or an LACP port. When both of these features are enabled on the same port, multi-device port authentication is performed prior to 802.1X authentication. If multi-device port authentication is successful, 802.1X authentication may be performed, based on the configuration of a vendor-specific attribute (VSA) in the profile for the MAC address on the RADIUS server.
NOTE
When multi-device port authentication and 802.1X security are configured together on the same port, Brocade recommends that dynamic VLANs and dynamic ACLs be applied at the multi-device port authentication level, and not at the 802.1X level.
When both features are configured on a port, a device connected to the port is authenticated as follows.
1. Multi-device port authentication is performed on the device to authenticate the device MAC address.
2. If multi-device port authentication is successful for the device, then the Brocade device (the switch) checks whether the RADIUS server included the Foundry-802_1x-enable VSA (described in Table 55) in the Access-Accept message that authenticated the device.
3. If the Foundry-802_1x-enable VSA is not present in the Access-Accept message, or is present and set to 1, then 802.1X authentication is performed for the device.