Dell FCX624-E Laptop User Manual


PowerConnect B-Series FCX Configuration Guide 1233
53-1002266-01
Configuring 802.1X port security
34
Syntax: save-dynamicvlan-to-config
By default, the dynamic VLAN assignments are not saved to the running-config file. Entering the
show running-config command does not display dynamic VLAN assignments, although they can be
displayed with the show vlan and show authenticated-mac-address detail commands.
NOTE
When this feature is enabled, issuing the command write mem will save any dynamic VLAN
assignments to the startup configuration file.
Considerations for dynamic VLAN assignment in an 802.1X multiple-host configuration
The following considerations apply when a Client in an 802.1X multiple-host configuration is
successfully authenticated, and the RADIUS Access-Accept message specifies a VLAN for the port:
• If the port is not already a member of a RADIUS-specified VLAN, and the RADIUS Access-Accept
  message specifies the name or ID of a valid VLAN on the Dell PowerConnect device, then the
  port is placed in that VLAN.
• If the port is already a member of a RADIUS-specified VLAN, and the RADIUS Access-Accept
  message specifies the name or ID of a different VLAN, then it is considered an authentication
  failure. The port VLAN membership is not changed.
• If the port is already a member of a RADIUS-specified VLAN, and the RADIUS Access-Accept
  message specifies the name or ID of that same VLAN, then traffic from the Client is forwarded
  normally.
• If the RADIUS Access-Accept message specifies the name or ID of a VLAN that does not exist
  on the Dell PowerConnect device, then it is considered an authentication failure.
• If the port is a tagged or dual-mode port, and the RADIUS Access-Accept message specifies the
  name or ID of a valid VLAN on the Dell PowerConnect device, then the port is placed in that
  VLAN. If the port is already a member of the RADIUS-specified VLAN, no further action is taken.
• If the RADIUS Access-Accept message does not contain any VLAN information, the Client
  dot1x-mac-session is set to “access-is-allowed”. If the port is already in a RADIUS-specified
  VLAN, it remains in that VLAN.
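The considerations above, replayed as a small Python simulation for checking a RADIUS VLAN policy against a switch's VLAN table before deployment. This is an added example, not code from the Dell guide or the device; the function names, VLAN table and MAC addresses are constructed. It assumes an untagged port (the tagged or dual-mode case is not modelled) and that clients authenticate in the order listed.

```python
def resolve_vlan(switch_vlans, value):
    """Map a RADIUS-supplied VLAN name or ID to a VLAN ID, or None if unknown."""
    for vid, name in switch_vlans.items():
        if value == str(vid) or value == name:
            return vid
    return None


def simulate_port(switch_vlans, accepts):
    """Replay Access-Accepts in arrival order on one multiple-host port.

    accepts: list of (client_mac, vlan_name_or_id or None).
    Returns (RADIUS-specified VLAN ID of the port or None,
             list of (client_mac, authenticated, reason)).
    """
    port_vlan = None  # no RADIUS-specified VLAN on the port yet
    results = []
    for mac, value in accepts:
        if value is None:
            results.append((mac, True, "no VLAN info: access-is-allowed"))
            continue
        vid = resolve_vlan(switch_vlans, value)
        if vid is None:
            results.append((mac, False, "VLAN does not exist on the device"))
        elif port_vlan is None:
            port_vlan = vid
            results.append((mac, True, "port placed in VLAN %d" % vid))
        elif vid == port_vlan:
            results.append((mac, True, "same VLAN: forwarded normally"))
        else:
            results.append((mac, False, "different VLAN: membership unchanged"))
    return port_vlan, results


# Constructed sample data: VLAN ID -> name, and per-client Access-Accept VLANs.
SWITCH_VLANS = {10: "Staff", 20: "Guest"}
ACCEPTS = [
    ("0000.5e00.5301", "Staff"),  # first client: port joins VLAN 10
    ("0000.5e00.5302", "10"),     # same VLAN, given by ID
    ("0000.5e00.5303", "Guest"),  # valid but different VLAN
    ("0000.5e00.5304", "Lab"),    # not configured on the switch
    ("0000.5e00.5305", None),     # Access-Accept without VLAN information
]

if __name__ == "__main__":
    vlan, results = simulate_port(SWITCH_VLANS, ACCEPTS)
    for mac, ok, reason in results:
        print(mac, "PASS" if ok else "FAIL", reason)
```

Because the first Access-Accept that names a valid VLAN fixes the port's VLAN in this model, replaying the same clients in a different order changes which of them fail.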
Using dynamic VLAN assignment with the MAC port security feature
MAC port security allows the Dell PowerConnect device to learn a limited number of “secure” MAC
addresses on an interface. The interface forwards only packets with source MAC addresses that
match these secure addresses. If the interface receives a packet with a source MAC address that is
different from any of the secure addresses, it is considered a security violation, and subsequent
packets from the violating MAC address can be dropped, or the port can be disabled entirely.
If a port is disabled due to a MAC port security violation, 802.1X clients attempting to connect over
the port cannot be authorized. In addition, 802.1X clients connecting from non-secure MAC
addresses cannot be authorized.
To use 802.1X dynamic VLAN assignment with the MAC port security feature on an interface, you
must set the number of secure MAC addresses to two or more.