Table 158 – Brocade TurboIron 24X Series Configuration Guide User Manual


Brocade TurboIron 24X Series Configuration Guide

53-1003053-01

Using multi-device port authentication and 802.1X security on the same port

4. If the Foundry-802_1x-enable VSA is present in the Access-Accept message, and is set to 0, then 802.1X authentication is skipped. The device is authenticated, and any dynamic VLANs specified in the Access-Accept message returned during multi-device port authentication are applied to the port.

5. If 802.1X authentication is performed on the device, and is successful, then dynamic VLANs or ACLs specified in the Access-Accept message returned during 802.1X authentication are applied to the port.

If multi-device port authentication fails for a device, then by default traffic from the device is either
blocked in hardware, or the device is placed in a restricted VLAN. You can optionally configure the
device to perform 802.1X authentication on a device when it fails multi-device port authentication.

Configuring Brocade-specific attributes on the RADIUS server

If the RADIUS authentication process is successful, the RADIUS server sends an Access-Accept
message to the device, authenticating the device. The Access-Accept message can include
Vendor-Specific Attributes (VSAs) that specify additional information about the device. If you are
configuring multi-device port authentication and 802.1X authentication on the same port, then you
can configure the Brocade VSAs listed in Table 158 on the RADIUS server.

You add these Brocade vendor-specific attributes to your RADIUS server configuration, and
configure the attributes in the individual or group profiles of the devices that will be authenticated.
The Brocade Vendor-ID is 1991, with Vendor-Type 1.

TABLE 158 Brocade vendor-specific attributes for RADIUS

| Attribute name | Attribute ID | Data type | Description |
|---|---|---|---|
| Foundry-802_1x-enable | 6 | integer | Specifies whether 802.1X authentication is performed when multi-device port authentication is successful for a device. This attribute can be set to one of the following: 0 - Do not perform 802.1X authentication on a device that passes multi-device port authentication. Set the attribute to zero for devices that do not support 802.1X authentication. 1 - Perform 802.1X authentication when a device passes multi-device port authentication. Set the attribute to one for devices that support 802.1X authentication. |
| Foundry-802_1x-valid | 7 | integer | Specifies whether the RADIUS record is valid only for multi-device port authentication, or for both multi-device port authentication and 802.1X authentication. This attribute can be set to one of the following: 0 - The RADIUS record is valid only for multi-device port authentication. Set this attribute to zero to prevent a user from using their MAC address as username and password for 802.1X authentication. 1 - The RADIUS record is valid for both multi-device port authentication and 802.1X authentication. |
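To check what a RADIUS profile actually returns for the two attributes in Table 158, the following added example (not part of the Brocade manual) decodes them from the attribute section of an Access-Accept. It assumes the standard RFC 2865 Vendor-Specific layout (type 26, Vendor-ID, then vendor type, vendor length and a 32-bit integer); the function names and the sample bytes are constructed for illustration.

```python
import struct

BROCADE_VENDOR_ID = 1991  # Vendor-ID stated on the page
VSA_NAMES = {6: "Foundry-802_1x-enable", 7: "Foundry-802_1x-valid"}  # Table 158

def encode_vsa(attr_id, value):
    """Build one Vendor-Specific attribute (RADIUS type 26) holding a 32-bit integer."""
    sub = struct.pack("!BBI", attr_id, 6, value)  # vendor type, vendor length, value
    return struct.pack("!BBI", 26, 6 + len(sub), BROCADE_VENDOR_ID) + sub

def parse_brocade_vsas(attrs):
    """Return {attribute name: value} for the Table 158 VSAs found in attrs."""
    found, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute at offset %d" % i)
        a_type, body = attrs[i], attrs[i + 2:i + attrs[i + 1]]
        i += attrs[i + 1]
        if a_type != 26 or len(body) < 4:
            continue  # not a Vendor-Specific attribute
        if struct.unpack("!I", body[:4])[0] != BROCADE_VENDOR_ID:
            continue  # another vendor's VSA
        sub, j = body[4:], 0
        while j < len(sub):
            if j + 2 > len(sub) or sub[j + 1] < 2 or j + sub[j + 1] > len(sub):
                raise ValueError("malformed sub-attribute")
            if sub[j] in VSA_NAMES and sub[j + 1] == 6:
                found[VSA_NAMES[sub[j]]] = struct.unpack("!I", sub[j + 2:j + 6])[0]
            j += sub[j + 1]
    return found

def review_profile(vsas):
    """Describe what the decoded values mean for a MAC-authenticated device."""
    notes = []
    if vsas.get("Foundry-802_1x-enable") == 0:
        notes.append("802.1X is skipped after multi-device port authentication")
    if vsas.get("Foundry-802_1x-valid") == 1:
        notes.append("record is also valid for 802.1X authentication")
    return notes

# Constructed sample: a profile for a device without 802.1X support,
# preceded by an unrelated attribute that the parser must skip.
SAMPLE = (b"\x06\x06\x00\x00\x00\x02"  # Service-Type = Framed (2), not a VSA
          + encode_vsa(6, 0) + encode_vsa(7, 0))

if __name__ == "__main__":
    decoded = parse_brocade_vsas(SAMPLE)
    print(decoded, review_profile(decoded))
```

A profile that `review_profile` reports as also valid for 802.1X is one where the record has not been restricted to multi-device port authentication with Foundry-802_1x-valid set to 0.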
