Brocade TurboIron 24X Series Configuration Guide User Manual


53-1003053-01


In this example, the PVID for port e2 would be changed based on the first host to be successfully
authenticated. If User 1 is authenticated first, then the PVID for port e2 is changed to VLAN 3. If
User 2 is authenticated first, then the PVID for port e2 is changed to VLAN 20. Since a PVID cannot
be changed by RADIUS authentication after it has been dynamically assigned, if User 2 is
authenticated after the port PVID was changed to VLAN 3, then User 2 would not be able to gain
access to the network.

If there were only one device connected to the port, and authentication failed for that device, it
could be placed into the restricted VLAN, where it could gain access to the network.

The part of the running-config related to 802.1X authentication would be as follows.

dot1x-enable
 re-authentication
 servertimeout 10
 timeout re-authperiod 10
 auth-fail-action restricted-vlan
 auth-fail-vlanid 1023
 mac-session-aging no-aging permitted-mac-only
 enable ethe 2 to 4
!
!
!
interface ethernet 2
 dot1x port-control auto
 dual-mode

If User 1 is successfully authenticated before User 2, the PVID for port e2 would be changed from
the default VLAN to VLAN 3.

Had User 2 been the first to be successfully authenticated, the PVID would be changed to 20, and
User 1 would not be able to gain access to the network. If there were only one device connected to
the port that was sending untagged traffic, and 802.1X authentication failed for that device, it
would be placed in the restricted VLAN 1023, and would be able to gain access to the network.
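The PVID behaviour walked through above, as an added model (not Brocade code): it reads the auth-fail settings from a copy of the running-config and replays both authentication orders for User 1 (VLAN 3) and User 2 (VLAN 20) on a dual-mode port. A default VLAN of 1, the RADIUS VLAN returned for each user, and the single-device restricted-VLAN case are assumptions of the model.

```python
# Added example (not Brocade code): model of the dynamic-PVID rule on a dual-mode port,
# fed by the auth-fail settings in the running-config above. Assumed: default VLAN 1,
# Access-Accept carries the VLAN id, a failed host gets the restricted VLAN only if alone.
from dataclasses import dataclass, field
from typing import Dict, Optional

RUNNING_CONFIG = """\
dot1x-enable
 auth-fail-action restricted-vlan
 auth-fail-vlanid 1023
interface ethernet 2
 dual-mode
"""

def auth_fail_vlan(config: str) -> Optional[int]:
    """Return auth-fail-vlanid when auth-fail-action is restricted-vlan."""
    action, vlan = None, None
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["auth-fail-action"]:
            action = words[1]
        elif words[:1] == ["auth-fail-vlanid"]:
            vlan = int(words[1])
    return vlan if action == "restricted-vlan" else None

@dataclass
class DualModePort:
    restricted_vlan: Optional[int]
    pvid: int = 1  # default VLAN before any host authenticates
    dynamic: bool = False  # True once RADIUS has assigned the PVID
    hosts: Dict[str, int] = field(default_factory=dict)  # mac -> VLAN granted

    def authenticate(self, mac: str, radius_vlan: Optional[int]) -> Optional[int]:
        """VLAN from Access-Accept (None = reject); returns VLAN granted or None."""
        if radius_vlan is None:
            if self.hosts or self.restricted_vlan is None:
                return None  # other hosts on the port: PVID stays, host is blocked
            self.pvid = self.restricted_vlan
        elif not self.dynamic:
            self.pvid, self.dynamic = radius_vlan, True  # first success sets the PVID
        elif radius_vlan != self.pvid:
            return None  # PVID already assigned dynamically; mismatch is denied
        self.hosts[mac] = self.pvid
        return self.pvid

def two_host_example(order):
    port = DualModePort(auth_fail_vlan(RUNNING_CONFIG))
    vlans = {"user1": 3, "user2": 20}  # constructed RADIUS replies for the two users
    results = {u: port.authenticate(u, vlans[u]) for u in order}
    return port.pvid, results
```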

Using multi-device port authentication and 802.1X security
on the same port

You can configure the device to use multi-device port authentication and 802.1X security on the
same port:

The multi-device port authentication feature allows you to configure a device to forward or
block traffic from a MAC address based on information received from a RADIUS server.
Incoming traffic originating from a given MAC address is switched or forwarded by the device
only if the source MAC address is successfully authenticated by a RADIUS server. The MAC
address itself is used as the username and password for RADIUS authentication. A connecting
user does not need to provide a specific username and password to gain access to the
network.

The IEEE 802.1X standard is a means for authenticating devices attached to LAN ports. Using
802.1X port security, you can configure a device to grant access to a port based on information
supplied by a client to an authentication server.

For information on configuring the multi-device port authentication feature and 802.1X security on
devices, refer to the related chapters in this book.
