Brocade TurboIron 24X Series Configuration Guide User Manual


1008

Brocade TurboIron 24X Series Configuration Guide

53-1003053-01

Configuring multi-device port authentication

You can optionally specify an alternate VLAN to which the port is moved when the MAC session for
the address is deleted. For example, to place the port in the restricted VLAN, enter commands such
as the following.

TurboIron(config)#interface e 1

TurboIron(config-if-e10000-1)#mac-auth move-back-to-old-vlan port-restrict-vlan

Syntax: [no] mac-authentication move-back-to-old-vlan disable | port-configured-vlan | port-restrict-vlan | system-default-vlan

The disable keyword disables moving the port back to its original VLAN. The port would stay in its
RADIUS-assigned VLAN.

The port-configured-vlan keyword removes the port from its RADIUS-assigned VLAN and places it
back in the VLAN where it was originally assigned. This is the default.

The port-restrict-vlan keyword removes the port from its RADIUS-assigned VLAN and places it in the
restricted VLAN.

The system-default-vlan keyword removes the port from its RADIUS-assigned VLAN and places it in
the DEFAULT-VLAN.

NOTE

When a MAC session is deleted, if the port is moved back to a VLAN that differs from the one in the
running-config file, the system updates the running-config file to reflect the change. This occurs even
if mac-authentication save-dynamicvlan-to-config is not configured.

Saving dynamic VLAN assignments to the running-config file

By default, dynamic VLAN assignments are not saved to the running-config file of the device.
However, you can configure the device to do so by entering the following command.

TurboIron(config)#mac-authentication save-dynamicvlan-to-config

When the above command is applied, dynamic VLAN assignments are saved to the running-config
file and are displayed when the show run command is issued. Dynamic VLAN assignments can
also be displayed with the show vlan, show auth-mac-addresses detail, and show
auth-mac-addresses authorized-mac commands.

Syntax: [no] mac-authentication save-dynamicvlan-to-config

Dynamically applying IP ACLs to authenticated MAC addresses

The multi-device port authentication implementation supports the assignment of a MAC address to
a specific ACL, based on the MAC address learned on the interface.

When a MAC address is successfully authenticated, the RADIUS server sends the device a RADIUS
Access-Accept message that allows the device to forward traffic from that MAC address. The
RADIUS Access-Accept message can also contain, among other attributes, the Filter-ID (type 11)
attribute for the MAC address. When the device receives an Access-Accept message containing the
Filter-ID (type 11) attribute, it uses the information in that attribute to apply an IP ACL on a
per-MAC (per-user) basis.
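As an added example (not from the Brocade guide), the following Python sketch shows what a NAS has to do before honouring a Filter-ID (type 11) from an Access-Accept: check the Response Authenticator against the outstanding request and shared secret (RFC 2865), then walk the attribute list for type 11. The shared secret, request authenticator, MAC-as-user-name and ACL name are constructed sample values, not values from the guide.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2          # RADIUS packet code (RFC 2865)
ATTR_USER_NAME = 1
ATTR_FILTER_ID = 11        # attribute the guide says names the per-MAC ACL

def build_access_accept(pkt_id, request_auth, secret, attrs):
    """Build an Access-Accept with a valid Response Authenticator (sample-input helper only)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    head = struct.pack("!BBH", ACCESS_ACCEPT, pkt_id, 20 + len(body))
    resp_auth = hashlib.md5(head + request_auth + body + secret).digest()
    return head + resp_auth + body

def verify_response_authenticator(pkt, request_auth, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    if len(pkt) < 20:
        return False
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])

def filter_ids_from_access_accept(pkt, request_auth, secret):
    """Return the Filter-ID values of an authentic, well-formed Access-Accept."""
    if not verify_response_authenticator(pkt, request_auth, secret):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    code, _pkt_id, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_ACCEPT or length != len(pkt):
        raise ValueError("not a well-formed Access-Accept")
    acls, body, off = [], pkt[20:], 0
    while off < len(body):                      # walk the type/length/value list
        if off + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = body[off], body[off + 1]
        if attr_len < 2 or off + attr_len > len(body):
            raise ValueError("bad attribute length")
        if attr_type == ATTR_FILTER_ID:
            acls.append(body[off + 2:off + attr_len].decode("ascii"))
        off += attr_len
    return acls

# Constructed sample values: the secret and request authenticator would come from the
# NAS configuration and the outstanding Access-Request; the ACL name is hypothetical.
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))
SAMPLE_PKT = build_access_accept(7, REQ_AUTH, SECRET, [
    (ATTR_USER_NAME, b"0000.1234.abcd"),        # MAC address used as the user name
    (ATTR_FILTER_ID, b"mac-auth-acl-guest"),
])
```

A reply whose authenticator does not verify (wrong secret, or a byte changed in transit) is rejected before any attribute is read, so the Filter-ID can only come from the configured server.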
