Dell FCX624-I Laptop User Manual


1276 PowerConnect B-Series FCX Configuration Guide
53-1002266-01
Support for source guard protection
The Dell proprietary Source Guard Protection feature, a form of IP Source Guard, can be used in
conjunction with multi-device port authentication. For details, refer to “Enabling source guard
protection” on page 1286.
Using multi-device port authentication and 802.1X security on the same port
On some Dell PowerConnect devices, multi-device port authentication and 802.1X security can be
configured on the same port, as long as the port is not a trunk port or an LACP port. When both of
these features are enabled on the same port, multi-device port authentication is performed prior to
802.1X authentication. If multi-device port authentication is successful, 802.1X authentication
may be performed, based on the configuration of a vendor-specific attribute (VSA) in the profile for
the MAC address on the RADIUS server.
NOTE
When multi-device port authentication and 802.1X security are configured together on the same
port, Dell recommends that dynamic VLANs and dynamic ACLs be handled at the multi-device port
authentication level, and not at the 802.1X level.
When both features are configured on a port, a device connected to the port is authenticated as
follows.
1. Multi-device port authentication is performed on the device to authenticate the device MAC
address.
2. If multi-device port authentication is successful for the device, then the Dell PowerConnect device checks whether
the RADIUS server included the Foundry-802_1x-enable VSA (described in Table 225) in the
Access-Accept message that authenticated the device.
3. If the Foundry-802_1x-enable VSA is not present in the Access-Accept message, or is present
and set to 1, then 802.1X authentication is performed for the device.
4. If the Foundry-802_1x-enable VSA is present in the Access-Accept message, and is set to 0,
then 802.1X authentication is skipped. The device is authenticated, and any dynamic VLANs
specified in the Access-Accept message returned during multi-device port authentication are
applied to the port.
5. If 802.1X authentication is performed on the device, and is successful, then dynamic VLANs or
ACLs specified in the Access-Accept message returned during 802.1X authentication are
applied to the port.
If multi-device port authentication fails for a device, then by default traffic from the device is either
blocked in hardware, or the device is placed in a restricted VLAN. You can optionally configure the
Dell PowerConnect device to perform 802.1X authentication on a device when it fails multi-device
port authentication. Refer to “Example 2” on page 1304 for a sample configuration where this is
used.
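
The decision flow above, modeled in Python as an added example (not code from the Dell guide), with an audit helper that lists RADIUS profiles admitted on MAC authentication alone. Function names, parameter names and the port action labels are hypothetical; the result when 802.1X runs and fails is not stated on this page, so the model reports it as "unspecified".

```python
from typing import NamedTuple, Optional

VSA = "Foundry-802_1x-enable"  # attribute name as given in the guide

class Outcome(NamedTuple):
    authenticated: bool
    dot1x_run: bool
    attrs_from: Optional[str]  # Access-Accept whose dynamic VLANs/ACLs apply
    port_action: str           # hypothetical labels, not switch output

def authenticate(mac_accept, dot1x_ok, fail_action="block",
                 dot1x_on_mac_fail=False):
    """Model of steps 1-5. mac_accept is the attribute dict from the MAC-auth
    Access-Accept, or None if MAC auth failed. dot1x_ok is the result 802.1X
    gives if it runs. fail_action is "block" or "restricted-vlan"."""
    if mac_accept is None:
        if not dot1x_on_mac_fail:
            # Default on MAC-auth failure: blocked or restricted VLAN.
            return Outcome(False, False, None, fail_action)
        if dot1x_ok:
            return Outcome(True, True, "802.1X", "forward")
        # Assumption: the page does not describe this case.
        return Outcome(False, True, None, "unspecified")
    if mac_accept.get(VSA) == 0:
        # Step 4: 802.1X is skipped; MAC auth alone admits the device.
        return Outcome(True, False, "mac-auth", "forward")
    # Step 3: VSA absent or set to 1 means 802.1X is performed.
    # Assumption: any other value is also treated as "perform 802.1X".
    if dot1x_ok:
        return Outcome(True, True, "802.1X", "forward")  # step 5
    return Outcome(False, True, None, "unspecified")

def mac_only_profiles(profiles):
    """Audit helper: MACs whose RADIUS profile sets the VSA to 0."""
    return sorted(m for m, attrs in profiles.items() if attrs.get(VSA) == 0)

# Constructed sample profiles (MAC -> Access-Accept attributes).
SAMPLE = {
    "0000.5e00.5301": {VSA: 0, "Tunnel-Private-Group-ID": "20"},
    "0000.5e00.5302": {VSA: 1},
    "0000.5e00.5303": {},  # VSA absent: 802.1X is still performed
}

if __name__ == "__main__":
    for mac, attrs in SAMPLE.items():
        print(mac, authenticate(attrs, dot1x_ok=False))
    print("MAC-only:", mac_only_profiles(SAMPLE))
```

Running the audit helper against an export of the RADIUS MAC profiles shows which endpoints never go through 802.1X, so that list can be reviewed against the devices that genuinely lack a supplicant.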