Brocade TurboIron 24X Series Configuration Guide

53-1003053-01

Configuring 802.1X port security

Syntax: auth-fail-force-restrict

FIGURE 119 Redirecting clients to a restricted VLAN

Configuring dynamic VLAN assignment for 802.1X ports

When a client successfully completes the EAP authentication process, the Authentication Server
(the RADIUS server) sends the Authenticator (the TurboIron X Series device) a RADIUS
Access-Accept message that grants the client access to the network. The RADIUS Access-Accept
message contains attributes set for the user in the user's access profile on the RADIUS server.

If one of the attributes in the Access-Accept message specifies a VLAN identifier, and if this VLAN is
available on the device, the client port is moved from its default VLAN to this specified VLAN.

NOTE

This feature is supported on port-based VLANs only. This feature cannot be used to place an
802.1X-enabled port into a Layer 3 protocol VLAN.

Automatic removal of dynamic VLAN assignments for 802.1X ports

For increased security, this feature removes any association between a port and a
dynamically assigned VLAN when all 802.1X sessions for that VLAN have expired on the port.

NOTE

When a show run command is issued during a session, the dynamically-assigned VLAN is not
displayed.
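As an added illustration of the two behaviours described above (dynamic VLAN assignment from an Access-Accept, and removal of the dynamic VLAN once every 802.1X session on the port has expired), the following Python models the Authenticator's decision logic. It is not code from the Brocade guide or its firmware: the guide does not name the RADIUS attributes that carry the VLAN, so the standard RFC 3580 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) are assumed, and `Port`, `tunnel_attr` and the constructed `SAMPLE_ACCEPT` payload are hypothetical.

```python
# RFC 3580 tunnel attributes (assumed; the guide does not name the attributes it uses).
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81

def parse_attributes(payload):
    """Parse RADIUS attribute TLVs (type, length, value) into a dict."""
    attrs, i = {}, 0
    while i + 2 <= len(payload):
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed RADIUS attribute")
        attrs[atype], i = payload[i + 2:i + alen], i + alen
    return attrs

def strip_tag(value):  # tunnel attributes may carry a leading tag octet (0x00-0x1f)
    return value[1:] if value and value[0] <= 0x1f else value

def vlan_from_access_accept(payload, available_vlans):
    """VLAN id the client port moves to, or None to leave it on its default VLAN."""
    attrs = parse_attributes(payload)
    if TUNNEL_TYPE not in attrs or TUNNEL_PRIVATE_GROUP_ID not in attrs:
        return None
    if int.from_bytes(strip_tag(attrs[TUNNEL_TYPE]), "big") != 13:  # 13 = VLAN
        return None
    try:
        vlan = int(strip_tag(attrs[TUNNEL_PRIVATE_GROUP_ID]).decode("ascii"))
    except ValueError:
        return None  # a VLAN name rather than an id: treat as no assignment
    # Per the guide, the port only moves if the VLAN exists on the device.
    return vlan if vlan in available_vlans else None

class Port:
    """One 802.1X port: sessions keyed by MAC plus its dynamically assigned VLAN."""
    def __init__(self, default_vlan):
        self.default_vlan, self.dynamic_vlan, self.sessions = default_vlan, None, {}
    def authenticated(self, mac, vlan, expires_at):
        self.sessions[mac] = expires_at
        if vlan is not None:
            self.dynamic_vlan = vlan
    def expire(self, now):
        """Drop expired sessions; remove the dynamic VLAN once none remain."""
        self.sessions = {m: t for m, t in self.sessions.items() if t > now}
        if not self.sessions:
            self.dynamic_vlan = None
        return self.default_vlan if self.dynamic_vlan is None else self.dynamic_vlan
def tunnel_attr(atype, value, tag=0):  # build one tagged tunnel-attribute TLV
    return bytes([atype, len(value) + 3, tag]) + value

# Constructed sample Access-Accept attributes: Tunnel-Type VLAN, medium 802, VLAN 200.
SAMPLE_ACCEPT = (tunnel_attr(TUNNEL_TYPE, b"\x00\x00\x0d") + tunnel_attr(TUNNEL_MEDIUM, b"\x00\x00\x06")
                 + tunnel_attr(TUNNEL_PRIVATE_GROUP_ID, b"200"))
```

With VLAN 200 configured on the device the port moves to it; with VLAN 200 absent the client stays on the default VLAN, and once the last session expires `Port.expire` drops the dynamic association, as the removal feature describes.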

Figure 119 (Redirecting clients to a restricted VLAN) shows a RADIUS server and a switch (the Authenticator) with port e3 in dual mode, and two clients on that port:

User 1 (IP phone) profile:
- Authentication: RADIUS assigned to tagged VLAN A
- MAC sessions exist on the untagged native VLAN and on VLAN A

User 2 (PC) profile:
- Authentication: failed
- PVID moved to the restricted VLAN

After authentication fails for User 2 and the PVID moves to the restricted VLAN, there are a total of 3 MAC sessions on port e3:
- one tagged MAC session on VLAN A for the phone
- one untagged MAC session on the restricted VLAN for the phone
- one untagged MAC session on the restricted VLAN for the client
