The RADIUS server – Brocade FastIron Ethernet Switch Security Configuration Guide

Page 232

NOTE
MAC-based VLAN is not supported on trunk or LACP ports. Do not configure trunks on MAC-based
VLAN-enabled ports.

Using MAC-based VLANs and 802.1X security on the same port

On Brocade devices, MAC-based VLANs and 802.1X security can be configured on the same port.
When both of these features are enabled on the same port, MAC-based VLAN is performed prior to
802.1X authentication. If MAC-based VLAN is successful, 802.1X authentication may be performed,
based on the configuration of a vendor-specific attribute (VSA) in the profile for the MAC address on
the RADIUS server.

When both features are configured on a port, a device connected to the port is authenticated as
follows.

1. MAC-based VLAN is performed on the device to authenticate the device MAC address.
2. If MAC-based VLAN is successful, the Brocade device then checks whether the RADIUS server
   included the Foundry-802_1x-enable VSA (described in the Brocade vendor-specific attributes
   for RADIUS table) in the Access-Accept message that authenticated the device.
3. If the Foundry-802_1x-enable VSA is not present in the Access-Accept message, or is present and
   set to 1, then 802.1X authentication is performed for the device.
4. If the Foundry-802_1x-enable VSA is present in the Access-Accept message and is set to 0, then
   802.1X authentication is skipped.

Configuring generic and Brocade vendor-specific attributes on the
RADIUS server

If the RADIUS authentication process is successful, the RADIUS server sends an Access-Accept
message to the Brocade device, authenticating the device. The Access-Accept message includes
Vendor-Specific Attributes (VSAs) that specify additional information about the device.

Add the Brocade vendor-specific attributes to your RADIUS server configuration, and configure the
attributes in the individual or group profiles of the devices that will be authenticated. The Brocade
vendor ID is 1991, vendor-type 1.

Generic RADIUS attributes

TABLE 26

Attribute name           Attribute ID  Data type           Optional or mandatory  Description
Tunnel-Type              64            decimal (13 = VLAN) Mandatory              RFC 2868.
Tunnel-Medium-Type       65            decimal (6 = 802)   Mandatory              RFC 2868.
Tunnel-Private-Group-ID  81            decimal             Mandatory              RFC 2868. vlan-id or U:vlan-id, a MAC-based VLAN ID
                                                                                  configured on the Brocade device.
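The authentication sequence in the previous section (steps 1 to 4) and the Table 26 attributes together define what a RADIUS server profile must return and how the switch interprets it. The following Python is an added example, not code from the guide or from Brocade: it encodes a constructed Access-Accept attribute area the way a server profile would (tagged RFC 2868 Tunnel-Type 64 = 13, Tunnel-Medium-Type 65 = 6, Tunnel-Private-Group-ID 81 = "U:vlan-id", plus a vendor 1991 VSA), parses it with bounds checks, and applies the documented 802.1X decision. The attribute numbers, values and vendor ID come from the page; the vendor-type used for Foundry-802_1x-enable (6) is an assumption, since the Brocade VSA table is not reproduced here, and the sample packet is constructed for the example.

```python
"""Encode and decode the RADIUS Access-Accept attributes a FastIron port uses for
MAC-based VLAN assignment, then apply the guide's 802.1X decision rule."""
import struct

VENDOR_SPECIFIC = 26          # RFC 2865 Vendor-Specific
TUNNEL_TYPE = 64              # RFC 2868 attributes from Table 26
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6
BROCADE_VENDOR_ID = 1991
# ASSUMPTION: the vendor-type of Foundry-802_1x-enable is not on this page;
# take the real number from the Brocade VSA table before deploying.
FOUNDRY_8021X_ENABLE_TYPE = 6


def attr(atype, value):
    """Encode one RADIUS attribute as type, length, value (value <= 253 octets)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def tunnel_int(atype, number, tag=0):
    """Tagged integer attribute: one tag octet plus a 3-octet value (RFC 2868)."""
    return attr(atype, bytes([tag]) + number.to_bytes(3, "big"))


def tunnel_str(atype, text, tag=0):
    """Tagged string attribute: one tag octet plus the string (RFC 2868)."""
    return attr(atype, bytes([tag]) + text.encode("ascii"))


def vsa(vendor_id, vendor_type, value):
    """Vendor-Specific attribute carrying one vendor sub-attribute."""
    sub = bytes([vendor_type, len(value) + 2]) + value
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def _tlvs(buf, start):
    """Walk type/length/value triples from buf[start:], checking every length."""
    i = start
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated attribute header")
        t, n = buf[i], buf[i + 1]
        if n < 2 or i + n > len(buf):
            raise ValueError("bad attribute length")
        yield t, buf[i + 2:i + n]
        i += n


def parse_attrs(payload):
    """Return (key, value) pairs; key is the type, or (26, vendor_id, vendor_type)
    for a VSA.  Malformed input raises ValueError rather than being misread."""
    out = []
    for atype, value in _tlvs(payload, 0):
        if atype != VENDOR_SPECIFIC:
            out.append((atype, value))
            continue
        if len(value) < 6:
            raise ValueError("short Vendor-Specific attribute")
        vendor_id = struct.unpack("!I", value[:4])[0]
        for vtype, sub in _tlvs(value, 4):
            out.append(((VENDOR_SPECIFIC, vendor_id, vtype), sub))
    return out


def untag(value):
    """Drop the RFC 2868 tag octet if present (tags are 0x00-0x1F)."""
    return value[1:] if value and value[0] <= 0x1F else value


def evaluate_accept(payload):
    """Apply the guide's rules to an Access-Accept attribute area.

    Returns {"vlan": int, "run_8021x": bool}.  A missing or wrong mandatory
    attribute raises ValueError; treat that as a failed MAC-based VLAN step.
    """
    found = dict(parse_attrs(payload))
    for key in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
        if key not in found:
            raise ValueError(f"mandatory attribute {key} missing")
    if int.from_bytes(untag(found[TUNNEL_TYPE]), "big") != TUNNEL_TYPE_VLAN:
        raise ValueError("Tunnel-Type must be 13 (VLAN)")
    if int.from_bytes(untag(found[TUNNEL_MEDIUM_TYPE]), "big") != TUNNEL_MEDIUM_802:
        raise ValueError("Tunnel-Medium-Type must be 6 (802)")
    group = untag(found[TUNNEL_PRIVATE_GROUP_ID]).decode("ascii")
    vlan = int(group[2:] if group.startswith("U:") else group)
    enable = found.get((VENDOR_SPECIFIC, BROCADE_VENDOR_ID, FOUNDRY_8021X_ENABLE_TYPE))
    # Absent, or present and set to 1: 802.1X runs.  Present and set to 0: skipped.
    # Other values are not covered by the guide, so 802.1X still runs (fail closed).
    run_8021x = not (enable is not None and int.from_bytes(enable, "big") == 0)
    return {"vlan": vlan, "run_8021x": run_8021x}


def sample_accept(enable=None, vlan=20):
    """Constructed Access-Accept attribute area, as a RADIUS server profile would emit."""
    payload = (tunnel_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag=1)
               + tunnel_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802, tag=1)
               + tunnel_str(TUNNEL_PRIVATE_GROUP_ID, f"U:{vlan}", tag=1))
    if enable is not None:
        payload += vsa(BROCADE_VENDOR_ID, FOUNDRY_8021X_ENABLE_TYPE, struct.pack("!I", enable))
    return payload
```

Calling `evaluate_accept(sample_accept())` yields VLAN 20 with 802.1X still to run, while `sample_accept(enable=0)` yields the same VLAN with 802.1X skipped; an Access-Accept that omits any of the three mandatory Table 26 attributes raises, which is the outcome to expect from the switch as well. Two points worth keeping in mind when writing the profiles: the VSA with value 0 removes the only credential-based check on that port, so reserve it for devices that cannot run an 802.1X supplicant, and the length checks in `_tlvs` are the reason a truncated or oversized attribute is rejected rather than silently misparsed.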

FastIron Ethernet Switch Security Configuration Guide
53-1003088-03