Dell FCX624-E Laptop User Manual


PowerConnect B-Series FCX Configuration Guide 1283
53-1002266-01
Configuring multi-device port authentication
36
You can optionally specify an alternate VLAN to which to move the port when the MAC session for
the address is deleted. For example, to place the port in the restricted VLAN, enter commands such
as the following.
PowerConnect(config)#interface e 3/1
PowerConnect(config-if-e1000-3/1)#mac-auth move-back-to-old-vlan port-restrict-vlan
Syntax: [no] mac-authentication move-back-to-old-vlan disable | port-configured-vlan | port-restrict-vlan | system-default-vlan
The disable keyword disables moving the port back to its original VLAN. The port would stay in its
RADIUS-assigned VLAN.
The port-configured-vlan keyword removes the port from its RADIUS-assigned VLAN and places it
back in the VLAN where it was originally assigned. This is the default.
The port-restrict-vlan keyword removes the port from its RADIUS-assigned VLAN and places it in the
restricted VLAN.
The system-default-vlan keyword removes the port from its RADIUS-assigned VLAN and places it in
the DEFAULT-VLAN.
NOTE
When a MAC session is deleted, if the port is moved back to a VLAN that is different from the one in
the running-config file, the system will update the running-config file to reflect the changes. This will
occur even if mac-authentication save-dynamicvlan-to-config is not configured.
Saving dynamic VLAN assignments to the running-config file
By default, dynamic VLAN assignments are not saved to the running-config file of the Dell
PowerConnect device. However, you can configure the device to do so by entering the following
command.
PowerConnect(config)#mac-authentication save-dynamicvlan-to-config
When the above command is applied, dynamic VLAN assignments are saved to the running-config
file and are displayed when the show run command is issued. Dynamic VLAN assignments can
also be displayed with the show vlan, show auth-mac-addresses detail, and show
auth-mac-addresses authorized-mac commands.
Syntax: [no] mac-authentication save-dynamicvlan-to-config
Dynamically applying IP ACLs to authenticated MAC addresses
The Dell multi-device port authentication implementation supports the assignment of a MAC
address to a specific ACL, based on the MAC address learned on the interface.
When a MAC address is successfully authenticated, the RADIUS server sends the Dell
PowerConnect device a RADIUS Access-Accept message that allows the Dell PowerConnect device
to forward traffic from that MAC address. The RADIUS Access-Accept message can also contain,
among other attributes, the Filter-ID (type 11) attribute for the MAC address. When the
Access-Accept message containing the Filter-ID (type 11) attribute is received by the Dell
PowerConnect device, it will use the information in these attributes to apply an IP ACL on a per-MAC
(per user) basis.
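
To illustrate the Access-Accept handling described above, the following Python example (added here, not Dell code) verifies the RADIUS Response Authenticator as defined in RFC 2865 and only then extracts any Filter-ID (type 11) values. The shared secret, the Request Authenticator and the ACL name EXAMPLE-ACL are constructed placeholders; the Filter-ID value format the PowerConnect device expects is not given in this section.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2   # RADIUS packet code (RFC 2865)
FILTER_ID = 11      # Filter-Id attribute type (RFC 2865)

def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code | ID | Length | RequestAuth | Attributes | Secret), per RFC 2865."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_access_accept(ident, attr_list, request_auth, secret):
    """Build a constructed Access-Accept so the parser has sample input."""
    attrs = b"".join(bytes([t, len(v) + 2]) + v for t, v in attr_list)
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs

def filter_ids_from_accept(packet, request_auth, secret):
    """Return Filter-Id values from an Access-Accept; ValueError if untrusted."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length < 20 or length > len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs = packet[20:length]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    found, pos = [], 0
    while pos + 2 <= len(attrs):
        a_type, a_len = attrs[pos], attrs[pos + 1]
        if a_len < 2 or pos + a_len > len(attrs):
            raise ValueError("bad attribute length")
        if a_type == FILTER_ID:
            found.append(attrs[pos + 2:pos + a_len].decode("ascii"))
        pos += a_len
    if pos != len(attrs):
        raise ValueError("trailing bytes after last attribute")
    return found

if __name__ == "__main__":
    # Constructed sample values, not taken from the manual.
    req_auth, secret = bytes(range(16)), b"constructed-secret"
    pkt = build_access_accept(7, [(18, b"ok"), (FILTER_ID, b"EXAMPLE-ACL")], req_auth, secret)
    print(filter_ids_from_accept(pkt, req_auth, secret))
```

A reply whose attributes were altered in transit, or that was built with a different shared secret, fails the authenticator check and yields no Filter-ID values.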