Brocade FastIron Ethernet Switch Security Configuration Guide User Manual


To enable dynamic VLAN assignment for authenticated MAC addresses, you must add attributes to the profile for the MAC address on the RADIUS server, then enable dynamic VLAN assignment on multi-device port authentication-enabled interfaces. Refer to "Configuring the RADIUS server to support dynamic VLAN assignment" on page 263 for a list of the attributes that must be set on the RADIUS server.

To enable dynamic VLAN assignment on a multi-device port authentication-enabled interface, enter commands such as the following.

device(config)#interface e 3/1
device(config-if-e1000-3/1)#mac-authentication enable-dynamic-vlan

Syntax: [no] mac-authentication enable-dynamic-vlan

Configuring a port to remain in the restricted VLAN after a successful authentication attempt

If a previous authentication attempt for a MAC address failed, and as a result the port was placed in the restricted VLAN, but a subsequent authentication attempt was successful, the RADIUS Access-Accept message may specify a VLAN for the port. By default, the Brocade device moves the port out of the restricted VLAN and into the RADIUS-specified VLAN. You can optionally configure the device to leave the port in the restricted VLAN. To do this, enter the following command.

device(config-if-e1000-3/1)# mac-authentication no-override-restrict-vlan

When the above command is applied, the outcome depends on how the RADIUS server formats the VLAN. If the RADIUS-specified VLAN is tagged (for example, T:1024) and the VLAN is valid, the port is added to the RADIUS-specified VLAN as a tagged member and also remains in the restricted VLAN. If the RADIUS-specified VLAN is untagged (for example, U:1024), the VLAN returned by the RADIUS server is ignored and the port is left in the restricted VLAN only.

Syntax: [no] mac-authentication no-override-restrict-vlan

Configuration notes for configuring a port to remain in the restricted VLAN

• If you configure dynamic VLAN assignment on a multi-device port authentication-enabled interface, and the Access-Accept message returned by the RADIUS server contains a Tunnel-Type and Tunnel-Medium-Type but does not contain a Tunnel-Private-Group-ID attribute, then it is considered an authentication failure, and the configured authentication failure action is performed for the MAC address.

• If the vlan-name string (the value carried in Tunnel-Private-Group-ID, after the T: or U: prefix) does not match either the name or the ID of a VLAN configured on the device, then it is considered an authentication failure, and the configured authentication failure action is performed for the MAC address.

• For tagged or dual-mode ports, if the VLAN ID provided by the RADIUS server does not match the VLAN ID in the tagged packet that contains the authenticated MAC address as its source address, then it is considered an authentication failure, and the configured authentication failure action is performed for the MAC address.

• If an untagged port had previously been assigned to a VLAN through dynamic VLAN assignment, and then another MAC address is authenticated on the same port, but the RADIUS Access-Accept message for the second MAC address specifies a different VLAN, then it is considered an authentication failure for the second MAC address, and the configured authentication failure action is performed. This applies only if the first MAC address has not yet aged out. If the first MAC address has aged out, dynamic VLAN assignment works as expected for the second MAC address.

• For dual-mode ports, if the RADIUS server returns T:vlan-name, the traffic will still be forwarded in the statically assigned PVID. If the RADIUS server returns U:vlan-name, the traffic will not be forwarded in the statically assigned PVID.

FastIron Ethernet Switch Security Configuration Guide

53-1003088-03