Configuration considerations and guidelines – Brocade TurboIron 24X Series Configuration Guide User Manual


Brocade TurboIron 24X Series Configuration Guide


53-1003053-01

Configuring multi-device port authentication

The dynamic IP ACL is active as long as the client is connected to the network. When the client
disconnects from the network, the IP ACL is no longer applied to the port. If an IP ACL had been
applied to the port before multi-device port authentication took place, that ACL is re-applied to the port.

The device uses the value of the RADIUS Filter-ID attribute to apply an IP ACL on a per-user basis. The
Filter-ID attribute can carry the number of an existing IP ACL configured on the device; when it does, the
specified IP ACL is applied to that authenticated user's traffic.

Configuration considerations and guidelines

Dynamic IP ACLs with multi-device port authentication are supported. Dynamic MAC filters
with multi-device port authentication are not supported.

In the Layer 2 switch code, dynamic IP ACLs are not supported when ACL-per-port-per-VLAN is
enabled on a global basis.

The RADIUS Filter ID (type 11) attribute is supported. The Vendor-Specific (type 26) attribute is
not supported.

The dynamic ACL must be an extended ACL. Standard ACLs are not supported.

Multi-device port authentication and 802.1X can be used together on the same port. However,
Brocade does not recommend using multi-device port authentication and 802.1X with
dynamic ACLs together on the same port. If a single supplicant requires both 802.1X and
multi-device port authentication, and both 802.1X and multi-device port authentication try to
install different dynamic ACLs for that supplicant, the supplicant fails authentication.

Dynamically assigned IP ACLs are subject to the same configuration restrictions as
non-dynamically assigned IP ACLs. One caveat is that ports with VE interfaces cannot have
user-defined ACLs assigned to them: a user-defined ACL bound to a VE, or to a port that is a member
of a VE, is not allowed. There are no restrictions on ports that do not have VE interfaces.

Dynamic ACL filters are supported only for the inbound direction. Dynamic outbound ACL filters
are not supported.

Dynamic ACL assignment with multi-device port authentication is not supported in conjunction
with any of the following features:

IP source guard

Rate limiting

Protection against ICMP or TCP Denial-of-Service (DoS) attacks

Policy-based routing

802.1X dynamic filter

Dynamic ACLs are not supported on ports that have 802.1X and MAC authentication
enabled along with the auth-fail-dot1x-override option enabled.

MAC authentication and 802.1X authentication can be configured on the same port. When
both of these features are enabled on the same port, MAC authentication is performed prior to
802.1X authentication. If MAC authentication is successful, 802.1X authentication may be
performed. If 802.1X authentication is successful, dynamic VLAN and ACL filters for 802.1X
are applied.
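The following Python is an added example, not code from the Brocade guide, showing how the Filter-ID rules above fit together: a RADIUS Access-Accept attribute list is decoded (RFC 2865 Type/Length/Value encoding), only the Filter-ID attribute (type 11) is consulted while a Vendor-Specific attribute (type 26) is ignored, the value must name an existing extended ACL, and when MAC authentication and 802.1X try to install different ACLs for the same supplicant the supplicant fails authentication. The extended ACL number range 100-199 is an assumption (FastIron-family numbered ACL convention, not stated on this page), and the Access-Accept bodies and the vendor ID in the sample VSA are constructed for the example.

```python
"""Decode the RADIUS attributes that drive dynamic IP ACL assignment and apply
the guidelines above to decide what the switch installs for one supplicant.

Attribute encoding follows RFC 2865: one-byte Type, one-byte Length (header
included), then Value. Assumptions not stated on the page: numbered extended
IP ACLs occupy 100-199; the Access-Accept bodies below are constructed samples.
"""
import struct
from typing import Dict, List, Optional, Set, Tuple

FILTER_ID = 11        # RFC 2865 Filter-Id, text value
VENDOR_SPECIFIC = 26  # RFC 2865 Vendor-Specific; not used for dynamic ACLs here
EXTENDED_ACL_NUMBERS = range(100, 200)  # assumption: FastIron-style extended ACL numbering


def build_attribute(atype: int, value: bytes) -> bytes:
    """Encode one attribute TLV; used here only to construct sample packets."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return bytes([atype, len(value) + 2]) + value


def parse_attributes(payload: bytes) -> List[Tuple[int, bytes]]:
    """Walk a RADIUS attribute list. A length shorter than the 2-byte header, or one
    that runs past the buffer, is an error rather than something to skip over."""
    attrs: List[Tuple[int, bytes]] = []
    pos = 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError(f"truncated attribute header at offset {pos}")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return attrs


def dynamic_acl_from_accept(payload: bytes, configured_acls: Set[int]) -> Tuple[Optional[int], List[str]]:
    """Return the extended ACL number carried in Filter-Id, or None together with
    the reasons the attributes could not be honoured."""
    acl: Optional[int] = None
    notes: List[str] = []
    for atype, value in parse_attributes(payload):
        if atype == VENDOR_SPECIFIC:
            vendor = struct.unpack("!I", value[:4])[0] if len(value) >= 4 else None
            notes.append(f"Vendor-Specific (type 26) from vendor {vendor} ignored")
        elif atype == FILTER_ID:
            text = value.decode("ascii", errors="replace")
            if not text.isdigit():
                notes.append(f"Filter-Id {text!r} is not an ACL number")
            elif int(text) not in EXTENDED_ACL_NUMBERS:
                notes.append(f"ACL {text} is a standard ACL; only extended ACLs are supported")
            elif int(text) not in configured_acls:
                notes.append(f"ACL {text} is not configured on the device")
            else:
                acl = int(text)
    return acl, notes


def resolve_supplicant_acl(macauth_accept: bytes, dot1x_accept: Optional[bytes],
                           configured_acls: Set[int]) -> Dict[str, object]:
    """MAC authentication runs first; 802.1X may follow. If the two methods try to
    install different dynamic ACLs for the same supplicant, authentication fails."""
    mac_acl, notes = dynamic_acl_from_accept(macauth_accept, configured_acls)
    if dot1x_accept is None:
        return {"status": "authenticated", "acl": mac_acl, "notes": notes}
    dot1x_acl, dot1x_notes = dynamic_acl_from_accept(dot1x_accept, configured_acls)
    notes += dot1x_notes
    if mac_acl is not None and dot1x_acl is not None and mac_acl != dot1x_acl:
        notes.append(f"MAC auth wants ACL {mac_acl}, 802.1X wants ACL {dot1x_acl}")
        return {"status": "auth-failed", "acl": None, "notes": notes}
    # 802.1X succeeded, so its dynamic filters take effect; otherwise MAC auth's result stands
    chosen = dot1x_acl if dot1x_acl is not None else mac_acl
    return {"status": "authenticated", "acl": chosen, "notes": notes}


# Constructed sample Access-Accept attribute lists (not real captures).
CONFIGURED_ACLS = {101, 102}
VSA_EXAMPLE = build_attribute(VENDOR_SPECIFIC, struct.pack("!I", 1991) + b"\x01\x05foo")
MACAUTH_ACCEPT = build_attribute(FILTER_ID, b"101") + VSA_EXAMPLE
DOT1X_ACCEPT_SAME = build_attribute(FILTER_ID, b"101")
DOT1X_ACCEPT_OTHER = build_attribute(FILTER_ID, b"102")
STANDARD_ACL_ACCEPT = build_attribute(FILTER_ID, b"10")

if __name__ == "__main__":
    print(resolve_supplicant_acl(MACAUTH_ACCEPT, None, CONFIGURED_ACLS))
    print(resolve_supplicant_acl(MACAUTH_ACCEPT, DOT1X_ACCEPT_OTHER, CONFIGURED_ACLS))
    print(dynamic_acl_from_accept(STANDARD_ACL_ACCEPT, CONFIGURED_ACLS))
```

Running the script shows the three outcomes the guidelines describe: ACL 101 installed from the MAC authentication result with the VSA noted as ignored, the supplicant failing authentication when 802.1X returns a different ACL, and a standard ACL number rejected outright.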

Multi-device port authentication authenticates the devices attached to a port, using each device's
MAC address as both the username and the password for port authentication. 802.1X authentication
instead uses a username and password supplied by the supplicant.
