Disabled strict security mode, Disabling strict security mode globally – Brocade FastIron Ethernet Switch Security Configuration Guide User Manual
Page 188
• Concurrent operation of MAC address filters and IP ACLs is not supported.
• A dynamic IP ACL will take precedence over an IP ACL that is bound to a port (port ACL). When a
client authenticates with a dynamic IP ACL, the port ACL will not be applied. Also, future clients on
the same port will authenticate with a dynamic IP ACL or no IP ACL. If no clients on the port use
dynamic ACL, then the port ACL will be applied to all traffic.
Disabling and enabling strict security mode for dynamic filter assignment
By default, 802.1X dynamic filter assignment operates in strict security mode. When strict security
mode is enabled, 802.1X authentication for a port fails if the Filter-ID attribute contains invalid
information, or if insufficient system resources are available to implement the per-user IP ACLs or
MAC address filters specified in the Vendor-Specific attribute.
When strict security mode is enabled:
• If the Filter-ID attribute in the Access-Accept message contains a value that does not refer to an
existing filter (that is, a MAC address filter or IP ACL configured on the device), then the port will not
be authenticated, regardless of any other information in the message (for example, if the Tunnel-
Private-Group-ID attribute specifies a VLAN on which to assign the port).
• If the Vendor-Specific attribute specifies the syntax for a filter, but there are insufficient system
resources to implement the filter, then the port will not be authenticated.
• If the device does not have the system resources available to dynamically apply a filter to a port,
then the port will not be authenticated.
NOTE
If the Access-Accept message contains values for both the Filter-ID and Vendor-Specific attributes,
then the value in the Vendor-Specific attribute (the per-user filter) takes precedence.
Also, if authentication for a port fails because the Filter-ID attribute referred to a non-existent filter, or
there were insufficient system resources to implement the filter, then a Syslog message is generated.
Disabled strict security mode
When strict security mode is disabled:
• If the Filter-ID attribute in the Access-Accept message contains a value that does not refer to an
existing filter (that is, a MAC address filter or IP ACL configured on the device), then the port is still
authenticated, but no filter is dynamically applied to it.
• If the Vendor-Specific attribute specifies the syntax for a filter, but there are insufficient system
resources to implement the filter, then the port is still authenticated, but the filter specified in the
Vendor-Specific attribute is not applied to the port.
By default, strict security mode is enabled for all 802.1X-enabled interfaces, but you can manually
disable or enable it, either globally or for specific interfaces.
Disabling strict security mode globally
To disable strict security mode globally, enter the following commands.
device(config)#dot1x-enable
device(config-dot1x)#no global-filter-strict-security
After you globally disable strict security mode, you can re-enable it by entering the following command.
device(config-dot1x)#global-filter-strict-security
Disabling and enabling strict security mode for dynamic filter assignment
188
FastIron Ethernet Switch Security Configuration Guide
53-1003088-03