Brocade Communications Systems 6650 Switch User Manual


 
Brocade ICX 6650 Security Configuration Guide 241
53-1002601-01
Multi-device port authentication configuration
If an untagged port had previously been assigned to a VLAN through dynamic VLAN assignment, and then another MAC address is authenticated on the same port, but the RADIUS Access-Accept message for the second MAC address specifies a different VLAN, then it is considered an authentication failure for the second MAC address, and the configured authentication failure action is performed. Note that this applies only if the first MAC address has not yet aged out. If the first MAC address has aged out, then dynamic VLAN assignment would work as expected for the second MAC address.

For dual mode ports, if the RADIUS server returns T:vlan-name, the traffic will still be forwarded in the statically assigned PVID. If the RADIUS server returns U:vlan-name, the traffic will not be forwarded in the statically assigned PVID.
Configuring the RADIUS server to support dynamic VLAN assignment

To specify VLAN identifiers on the RADIUS server, add the following attributes to the profile for the MAC address on the RADIUS server, then enable dynamic VLAN assignment on multi-device port authentication-enabled interfaces.

For information about the attributes, refer to “Dynamic VLAN assignment for 802.1X port configuration” on page 166.

Also, refer to the example configuration of “Multi-device port authentication with dynamic VLAN assignment” on page 260.
Enabling dynamic VLAN support for tagged packets on non-member VLAN ports
By default, the Brocade device drops tagged packets that are received on non-member VLAN ports. This process is called ingress filtering. Because the MAC addresses of those packets are never learned, authentication does not take place.

The Brocade device can authenticate clients that send tagged packets on non-member VLAN ports. This enables the Brocade device to add the VLAN dynamically. To enable support, enter the following command at the Interface level of the CLI.

Brocade(config)# interface ethernet 1/3/1
Brocade(config-if-e10000-1/3/1)# mac-authentication disable-ingress-filtering

If the client MAC address is successfully authenticated and the correct VLAN attribute is sent by the RADIUS server, the MAC address will be successfully authenticated on the VLAN.

Syntax: mac-authentication disable-ingress-filtering
TABLE 56 Attributes for MAC address on RADIUS server

Attribute name             Type   Value
Tunnel-Type                064    13 (decimal) – VLAN
Tunnel-Medium-Type         065    6 (decimal) – 802
Tunnel-Private-Group-ID    081    vlan-name (string)

The vlan-name value can specify either the name or the number of one or more VLANs configured on the Brocade device.
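The following is an added example, not part of the Brocade guide or its firmware: a small Python model of how a switch port consumes the Table 56 attributes from an Access-Accept and applies the two rules described earlier (a second MAC address whose Access-Accept names a different VLAN fails until the first MAC address ages out; on dual mode ports only T:vlan-name keeps traffic forwarding in the static PVID). The Port class, its helper names and the MAC addresses are constructed for the example; only the attribute numbers and values (064/065/081, 13, 6, T:/U: prefixes) come from the guide.

```python
# Added example, not Brocade code: switch-side handling of RADIUS VLAN attributes.
from dataclasses import dataclass, field
from typing import Optional

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # Table 56


def parse_vlan_attributes(attrs: dict) -> tuple:
    """Return (vlan_name, tagged) from an Access-Accept attribute dict.

    Tunnel-Type must be 13 (VLAN) and Tunnel-Medium-Type 6 (802). The
    Tunnel-Private-Group-ID string may carry a T:/U: prefix (tagged/untagged).
    Raises ValueError on a malformed or missing attribute set.
    """
    if attrs.get(TUNNEL_TYPE) != 13 or attrs.get(TUNNEL_MEDIUM_TYPE) != 6:
        raise ValueError("Tunnel-Type/Tunnel-Medium-Type are not VLAN/802")
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID) or ""
    tagged = False
    if group[:2].upper() in ("T:", "U:"):
        tagged = group[0].upper() == "T"
        group = group[2:]
    if not group:
        raise ValueError("Tunnel-Private-Group-ID missing or empty vlan-name")
    return group, tagged


@dataclass
class Port:  # hypothetical port model for the example
    pvid: str                            # statically configured PVID
    dual_mode: bool = False
    dynamic_vlan: Optional[str] = None   # VLAN set by the first authenticated MAC
    active_macs: set = field(default_factory=set)

    def age_out(self, mac: str) -> None:
        """Simulate a MAC aging out; the dynamic VLAN is released when none remain."""
        self.active_macs.discard(mac)
        if not self.active_macs:
            self.dynamic_vlan = None

    def authenticate(self, mac: str, access_accept: dict) -> dict:
        """Apply an Access-Accept for mac; returns a result dict, never raises."""
        try:
            vlan, tagged = parse_vlan_attributes(access_accept)
        except ValueError as err:
            return {"mac": mac, "ok": False, "reason": str(err)}
        # A still-live earlier MAC pinned the port to another VLAN: auth failure.
        if self.dynamic_vlan not in (None, vlan):
            return {"mac": mac, "ok": False,
                    "reason": f"port already assigned to VLAN {self.dynamic_vlan}"}
        self.dynamic_vlan = vlan
        self.active_macs.add(mac)
        # Dual mode ports keep forwarding in the static PVID only for T:vlan-name.
        forward_pvid = self.dual_mode and tagged
        return {"mac": mac, "ok": True, "vlan": vlan,
                "tagged": tagged, "forward_pvid": forward_pvid}
```

Calling authenticate() a second time on the same Port with a different vlan-name reproduces the failure case, and age_out() of the first MAC address clears it.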