Filter
Top Products
1234 PowerConnect B-Series FCX Configuration Guide
53-1002266-01
Configuring 802.1X port security
34
Example
PowerConnect(config)#int e 3/2
PowerConnect(config-if-e1000-3/2)#port security
PowerConnect(config-port-security-e1000-3/2)#maximum 2
PowerConnect(config-port-security-e1000-3/2)#exit
Refer to Chapter 35, “Using the MAC Port Security Feature” for more information.
Dynamically applying IP ACLs and MAC address filters
to 802.1X ports
The 802.1X implementation supports dynamically applying an IP ACL or MAC address filter to a
port, based on information received from an Authentication Server.
When a client/supplicant successfully completes the EAP authentication process, the
Authentication Server (the RADIUS server) sends the Authenticator (the Dell PowerConnect device)
a RADIUS Access-Accept message that grants the client access to the network. The RADIUS
Access-Accept message contains attributes set for the user in the user's access profile on the
RADIUS server.
If the Access-Accept message contains Filter-ID (type 11) or Vendor-Specific (type 26), or both
attributes, the Dell PowerConnect device can use information in these attributes to apply an IP ACL
or MAC address filter to the authenticated port. This IP ACL or MAC address filter applies to the
port for as long as the client is connected to the network. When the client disconnects from the
network, the IP ACL or MAC address filter is no longer applied to the port. If an IP ACL or MAC
address filter had been applied to the port prior to 802.1X authentication, it is then re-applied to
the port.
The Dell PowerConnect device uses information in the Filter ID and Vendor-Specific attributes as
follows:
• The Filter-ID attribute can specify the number of an existing IP ACL or MAC address filter
configured on the Dell PowerConnect device. In this case, the IP ACL or MAC address filter with
the specified number is applied to the port.
• The Vendor-Specific attribute can specify actual syntax for a Dell PowerConnect IP ACL or MAC
address filter, which is then applied to the authenticated port. Configuring a Vendor-Specific
attribute in this way allows you to create IP ACLs and MAC address filters that apply to
individual users; that is, per-user IP ACLs or MAC address filters.
Configuration considerations
The following restrictions apply to dynamic IP ACLs or MAC address filters:
• Inbound dynamic IP ACLs are supported. Outbound dynamic ACLs are not supported.
• Inbound Vendor-Specific attributes are supported. Outbound Vendor-Specific attributes are
not supported.
• A maximum of one IP ACL can be configured in the inbound direction on an interface.
• 802.1X with dynamic MAC filter will work for one client at a time on a port. If a second client
tries to authenticate with 802.1X and dynamic MAC filter, the second client will be rejected.
• MAC address filters cannot be configured in the outbound direction on an interface.
• Concurrent operation of MAC address filters and IP ACLs is not supported.