Ports, Refer to – Brocade FastIron Ethernet Switch Security Configuration Guide User Manual
Page 187
• If the port is not already a member of a RADIUS-specified VLAN, and the RADIUS Access-Accept
message specifies the name or ID of a valid VLAN on the Brocade device, then the port is placed in
that VLAN.
• If the port is already a member of a RADIUS-specified VLAN, and the RADIUS Access-Accept
message specifies the name or ID of a different VLAN, then it is considered an authentication failure.
The port VLAN membership is not changed.
• If the port is already a member of a RADIUS-specified VLAN, and the RADIUS Access-Accept
message specifies the name or ID of that same VLAN, then traffic from the Client is forwarded
normally.
• If the RADIUS Access-Accept message specifies the name or ID of a VLAN that does not exist on
the Brocade device, then it is considered an authentication failure.
• If the port is a tagged or dual-mode port, and the RADIUS Access-Accept message specifies the
name or ID of a valid VLAN on the Brocade device, then the port is placed in that VLAN. If the port is
already a member of the RADIUS-specified VLAN, no further action is taken.
• If the RADIUS Access-Accept message does not contain any VLAN information, the Client dot1x-
mac-session is set to "access-is-allowed". If the port is already in a RADIUS-specified VLAN, it
remains in that VLAN.
Dynamically applying IP ACLs and MAC address filtersto 802.1X ports
The Brocade 802.1X implementation supports dynamically applying an IP ACL or MAC address filter to
a port, based on information received from an Authentication Server.
When a client/supplicant successfully completes the EAP authentication process, the Authentication
Server (the RADIUS server) sends the Authenticator (the Brocade device) a RADIUS Access-Accept
message that grants the client access to the network. The RADIUS Access-Accept message contains
attributes set for the user in the user's access profile on the RADIUS server.
If the Access-Accept message contains Filter-ID (type 11) or Vendor-Specific (type 26), or both
attributes, the Brocade device can use information in these attributes to apply an IP ACL or MAC
address filter to the authenticated port. This IP ACL or MAC address filter applies to the port for as long
as the client is connected to the network. When the client disconnects from the network, the IP ACL or
MAC address filter is no longer applied to the port. If an IP ACL or MAC address filter had been applied
to the port prior to 802.1X authentication, it is then re-applied to the port.
The Brocade device uses information in the Filter ID and Vendor-Specific attributes as follows:
• The Filter-ID attribute can specify the number of an existing IP ACL or MAC address filter configured
on the Brocade device. In this case, the IP ACL or MAC address filter with the specified number is
applied to the port.
• The Vendor-Specific attribute can specify actual syntax for a Brocade IP ACL or MAC address filter,
which is then applied to the authenticated port. Configuring a Vendor-Specific attribute in this way
allows you to create IP ACLs and MAC address filters that apply to individual users; that is, per-user
IP ACLs or MAC address filters.
Configuration considerations for applying IP ACLs and MAC address filters to 802.1x ports
The following restrictions apply to dynamic IP ACLs or MAC address filters:
• Inbound dynamic IP ACLs are supported. Outbound dynamic ACLs are not supported.
• Inbound Vendor-Specific attributes are supported. Outbound Vendor-Specific attributes are not
supported.
• A maximum of one IP ACL can be configured in the inbound direction on an interface.
• 802.1X with dynamic MAC filter will work for one client at a time on a port. If a second client tries to
authenticate with 802.1X and dynamic MAC filter, the second client will be rejected.
• MAC address filters cannot be configured in the outbound direction on an interface.
Dynamically applying IP ACLs and MAC address filtersto 802.1X ports
FastIron Ethernet Switch Security Configuration Guide
187
53-1003088-03