Configuration considerations – Brocade TurboIron 24X Series Configuration Guide User Manual

Page 992

Advertising
background image

958

Brocade TurboIron 24X Series Configuration Guide

53-1003053-01

Configuring 802.1X port security

Example

TurboIron(config)#int e 2

TurboIron(config-if-e10000-2)#port security

TurboIron(config-port-security-e10000-2)#maximum 2

TurboIron(config-port-security-e10000-2)#exit

Refer to

Chapter 31, “Using the MAC Port Security Feature”

for more information.

Dynamically applying IP ACLs and MAC filters to
802.1X ports

The Brocade 802.1X implementation supports dynamically applying an IP ACL or MAC address filter
to a port, based on information received from an Authentication Server.

When a client/supplicant successfully completes the EAP authentication process, the
Authentication Server (the RADIUS server) sends the Authenticator (the TurboIron X Series device)
a RADIUS Access-Accept message that grants the client access to the network. The RADIUS
Access-Accept message contains attributes set for the user in the user's access profile on the
RADIUS server.

If the Access-Accept message contains Filter-ID (type 11) or Vendor-Specific (type 26), or both
attributes, the device can use information in these attributes to apply an IP ACL or MAC address
filter to the authenticated port. This IP ACL or MAC address filter applies to the port for as long as
the client is connected to the network. When the client disconnects from the network, the IP ACL or
MAC address filter is no longer applied to the port. If an IP ACL or MAC address filter had been
applied to the port prior to 802.1X authentication, it is then re-applied to the port.

The device uses information in the Filter ID and Vendor-Specific attributes as follows:

The Filter-ID attribute can specify the number of an existing IP ACL or MAC address filter
configured on the device. In this case, the IP ACL or MAC address filter with the specified
number is applied to the port.

The Vendor-Specific attribute can specify actual syntax for an Brocade IP ACL or MAC address
filter, which is then applied to the authenticated port. Configuring a Vendor-Specific attribute in
this way allows you to create IP ACLs and MAC filters that apply to individual users; that is,
per-user IP ACLs or MAC address filters.

Configuration considerations

The following restrictions apply to dynamic IP ACLs or MAC address filters:

Inbound dynamic IP ACLs are supported. Outbound dynamic ACLs are not supported.

Inbound Vendor-Specific attributes are supported. Outbound Vendor-Specific attributes are
not supported.

A maximum of one IP ACL can be configured in the inbound direction on an interface.

MAC address filters cannot be configured in the outbound direction on an interface.

Concurrent operation of MAC address filters and IP ACLs is not supported.

Advertising
Popular Brands
Popular manuals