Brocade FastIron Ethernet Switch Security Configuration Guide User Manual

Page 265


displayed, although they can be displayed with the show vlan, show auth-mac-addresses detail, and show auth-mac-addresses authorized-mac commands.

You can optionally configure the Brocade device to save the RADIUS-specified VLAN assignments to the device's running-config file. Refer to Saving dynamic VLAN assignments to the running-config file on page 265, next.

Saving dynamic VLAN assignments to the running-config file

By default, dynamic VLAN assignments are not saved to the running-config file of the Brocade device.
However, you can configure the device to do so by entering the following command.

device(config)#mac-authentication save-dynamicvlan-to-config

When the above command is applied, dynamic VLAN assignments are saved to the running-config file and are displayed when the show run command is issued. Dynamic VLAN assignments can also be displayed with the show vlan, show auth-mac-addresses detail, and show auth-mac-addresses authorized-mac commands.

Syntax: [no] mac-authentication save-dynamicvlan-to-config

Dynamically applying IP ACLs to authenticated MAC addresses

The Brocade multi-device port authentication implementation supports the assignment of a MAC
address to a specific ACL, based on the MAC address learned on the interface.

When a MAC address is successfully authenticated, the RADIUS server sends the Brocade device a RADIUS Access-Accept message that allows the Brocade device to forward traffic from that MAC address. The RADIUS Access-Accept message can also contain, among other attributes, the Filter-ID (type 11) attribute for the MAC address. When the Brocade device receives an Access-Accept message containing the Filter-ID (type 11) attribute, it uses the information in that attribute to apply an IP ACL on a per-MAC (per-user) basis.

The dynamic IP ACL is active as long as the client is connected to the network. When the client disconnects from the network, the IP ACL is no longer applied to the port. If an IP ACL had been applied to the port prior to multi-device port authentication, it is re-applied to the port.

NOTE
A dynamic IP ACL will take precedence over an IP ACL that is bound to a port (port ACL). When a client
authenticates with a dynamic IP ACL, the port ACL will not be applied. Also, future clients on the same
port will authenticate with a dynamic IP ACL or no IP ACL. If no clients on the port use dynamic ACL,
then the port ACL will be applied to all traffic.

The Brocade device uses the information in the Filter-ID attribute to apply an IP ACL on a per-user basis. The Filter-ID attribute can specify the number of an existing IP ACL configured on the Brocade device. If the Filter-ID is an ACL number, the specified IP ACL is applied on a per-user basis.
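The exchange described above, as an added example that is not Brocade's or this guide's code: a small Python model of a RADIUS Access-Accept carrying the Filter-ID (type 11) attribute, with the server-side packet construction and the switch-side check that a real client must perform before trusting the attribute. The packet and attribute layout and the Response Authenticator computation follow RFC 2865; the shared secret, request authenticator and Filter-ID value are constructed sample data, and dynamic_acl_for_client is a hypothetical stand-in for the device's own lookup of an existing ACL number, not a Brocade API.

```python
"""Added example (not Brocade code): RADIUS Access-Accept with Filter-Id (type 11).

Models the exchange on this page: the RADIUS server returns Filter-Id in the
Access-Accept and the switch maps it to an IP ACL number that already exists on
the device. Packet layout and the Response Authenticator follow RFC 2865.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2      # RADIUS Code for Access-Accept (RFC 2865 section 3)
ATTR_FILTER_ID = 11    # Filter-Id attribute type (RFC 2865 section 5.11)
HEADER_LEN = 20        # code(1) + identifier(1) + length(2) + authenticator(16)


def encode_attr(attr_type, value):
    """One RADIUS attribute: Type, Length (counts the 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value must fit in 253 bytes")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_accept(identifier, request_authenticator, secret, attrs):
    """Server side. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, HEADER_LEN + len(body))
    response_authenticator = hashlib.md5(
        header + request_authenticator + body + secret).digest()
    return header + response_authenticator + body


def parse_attrs(body):
    """Walk the attribute list, rejecting truncated or overlapping attributes."""
    attrs = []
    offset = 0
    while offset < len(body):
        if len(body) - offset < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = struct.unpack("!BB", body[offset:offset + 2])
        if attr_len < 2 or offset + attr_len > len(body):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, body[offset + 2:offset + attr_len]))
        offset += attr_len
    return attrs


def filter_ids_from_reply(packet, request_authenticator, secret):
    """Client (switch) side: authenticate the reply, then return its Filter-Id values.

    Returns None for a valid reply that is not an Access-Accept. Raises on a
    malformed packet or a Response Authenticator that does not verify under the
    shared secret, so a forged reply cannot push an ACL onto the port."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("bad packet length")
    body = packet[HEADER_LEN:length]  # bytes past Length are padding (RFC 2865)
    expected = hashlib.md5(packet[:4] + request_authenticator + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:HEADER_LEN]):
        raise ValueError("Response Authenticator mismatch: not from the configured server")
    if code != ACCESS_ACCEPT:
        return None
    return [v.decode("ascii", "replace")
            for t, v in parse_attrs(body) if t == ATTR_FILTER_ID]


def dynamic_acl_for_client(filter_ids, configured_acls):
    """Hypothetical policy helper (not a Brocade API): the page says Filter-ID may
    carry the number of an IP ACL already configured on the device; any other
    value yields no dynamic ACL."""
    for value in filter_ids:
        if value.isdigit() and int(value) in configured_acls:
            return int(value)
    return None


if __name__ == "__main__":
    # Constructed sample values; in practice the request authenticator comes
    # from the Access-Request the switch sent for this MAC address.
    secret = b"constructed-shared-secret"
    request_authenticator = bytes(range(16))
    reply = build_access_accept(0x2A, request_authenticator, secret,
                                [(ATTR_FILTER_ID, b"101")])
    ids = filter_ids_from_reply(reply, request_authenticator, secret)
    print("Filter-Id values:", ids)
    print("dynamic ACL:", dynamic_acl_for_client(ids, {101, 102}))
```

The point a practitioner should take from the model is the ordering in filter_ids_from_reply: the Response Authenticator is checked before any attribute is read, so a Filter-ID that would bind an ACL to a client is only honoured when the reply is provably from the server that shares the secret, and a Filter-ID that does not name a configured ACL results in no dynamic ACL rather than an arbitrary one.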

Multi-device port authentication with dynamic IP ACLs and ACL-per-port-per-VLAN

The following features are supported:

• FastIron X Series devices support multi-device port authentication and dynamic ACLs together with ACL-per-port-per-VLAN (ACL filtering based on VLAN membership or VE port membership).

• Multi-device port authentication and dynamic ACLs are supported on tagged, dual-mode, and untagged ports, with or without virtual interfaces.


53-1003088-03
