Support for dynamic vlan assignment, Support for dynamic acls – Brocade TurboIron 24X Series Configuration Guide User Manual


Brocade TurboIron 24X Series Configuration Guide

1001

53-1003053-01


Support for dynamic VLAN assignment

The multi-device port authentication feature supports dynamic VLAN assignment, where a port can
be placed in one or more VLANs based on the MAC address learned on that interface. For details
about this feature, refer to “Configuring the RADIUS server to support dynamic VLAN assignment”
on page 1007.

Support for dynamic ACLs

The multi-device port authentication implementation supports the assignment of a MAC address to
a specific ACL, based on the MAC address learned on the interface. For details about this feature,
refer to “Dynamically applying IP ACLs to authenticated MAC addresses” on page 1008.

Support for authenticating multiple MAC addresses on an interface

The multi-device port authentication feature allows multiple MAC addresses to be authenticated or
denied authentication on each interface. The maximum number of MAC addresses that can be
authenticated on each interface is limited only by the amount of system resources available on the
device.

Using multi-device port authentication and 802.1X security on the same port

Multi-device port authentication and 802.1X security can be configured on the same port. When
both of these features are enabled on the same port, multi-device port authentication is performed
prior to 802.1X authentication. If multi-device port authentication is successful, 802.1X
authentication may be performed, based on the configuration of a vendor-specific attribute (VSA) in
the profile for the MAC address on the RADIUS server.

NOTE

When multi-device port authentication and 802.1X security are configured together on the same
port, Brocade recommends that dynamic VLANs and dynamic ACLs are done at the multi-device port
authentication level, and not at the 802.1X level.

When both features are configured on a port, a device connected to the port is authenticated as
follows.

1. Multi-device port authentication is performed on the device to authenticate the device MAC
   address.

2. If multi-device port authentication is successful for the device, then the device checks whether
   the RADIUS server included the Foundry-802_1x-enable VSA (described in Table 158) in the
   Access-Accept message that authenticated the device.

3. If the Foundry-802_1x-enable VSA is not present in the Access-Accept message, or is present
   and set to 1, then 802.1X authentication is performed for the device.
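
The check in steps 2 and 3 can be reproduced offline against a captured Access-Accept to audit what the RADIUS server returns for a MAC profile. The following is an added example, not code from the Brocade guide: the function names are hypothetical, the sample packets are constructed, and the vendor type 6 is an assumed placeholder because Table 158 is not reproduced on this page.

```python
import struct

FOUNDRY_VENDOR_ID = 1991          # Foundry Networks IANA enterprise number
VSA_8021X_ENABLE_TYPE = 6         # ASSUMPTION: placeholder, take the real type from Table 158
VENDOR_SPECIFIC = 26              # RADIUS Vendor-Specific attribute (RFC 2865)
ACCESS_ACCEPT = 2                 # RADIUS code for Access-Accept


def find_8021x_enable(packet: bytes):
    """Return the integer value of Foundry-802_1x-enable, or None if it is absent."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length > len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Accept")
    pos = 20                                  # skip 4-byte header + 16-byte authenticator
    while pos + 2 <= length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + a_len]
        pos += a_len
        if a_type != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != FOUNDRY_VENDOR_ID:
            continue
        sub = value[4:]                       # one or more vendor sub-attributes
        while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
            if sub[0] == VSA_8021X_ENABLE_TYPE and sub[1] == 6:
                return struct.unpack("!I", sub[2:6])[0]
            sub = sub[sub[1]:]
    return None


def dot1x_follows_mac_auth(packet: bytes):
    """Step 3: True if 802.1X runs; None for a value the steps above do not cover."""
    value = find_8021x_enable(packet)
    return True if value is None or value == 1 else None


def build_accept(vsa_value=None):
    """Constructed sample Access-Accept (zeroed authenticator), for the demo only."""
    attrs = b""
    if vsa_value is not None:
        sub = struct.pack("!BBI", VSA_8021X_ENABLE_TYPE, 6, vsa_value)
        attrs = struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), FOUNDRY_VENDOR_ID) + sub
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attrs)) + bytes(16) + attrs


if __name__ == "__main__":
    for v in (None, 1, 0):
        print(v, dot1x_follows_mac_auth(build_accept(v)))
```

A result of None means the VSA carries a value other than 1, which the steps shown on this page do not describe.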
