Enabling 802.1x port security – Brocade TurboIron 24X Series Configuration Guide User Manual

Page 995

Advertising
background image

Brocade TurboIron 24X Series Configuration Guide

961

53-1003053-01

Configuring 802.1X port security

Dynamically assigned IP ACLs and MAC address filters are subject to the same configuration
restrictions as non-dynamically assigned IP ACLs and MAC address filters.

Configuring per-user IP ACLs or MAC address filters

Per-user IP ACLs and MAC address filters make use of the Vendor-Specific (type 26) attribute to
dynamically apply filters to ports. Defined in the Vendor-Specific attribute are Brocade ACL or MAC
address filter statements. When the RADIUS server returns the Access-Accept message granting a
client access to the network, the device reads the statements in the Vendor-Specific attribute and
applies these IP ACLs or MAC address filters to the client port. When the client disconnects from
the network, the dynamically applied filters are no longer applied to the port. If any filters had been
applied to the port previous to the client connecting, then those filters are reapplied to the port.

NOTE

Dynamic IP ACL filters and MAC address filters are not supported on the same port at the same time.

The following table shows the syntax for configuring the Brocade Vendor-Specific attributes with
ACL or MAC address filter statements.

The following table shows examples of IP ACLs and MAC address filters configured in the Brocade
Vendor-Specific attribute on a RADIUS server. These IP ACLs and MAC address filters follow the
same syntax as other Brocade ACLs and MAC address filters. Refer to the related chapters in this
book for information on syntax.

The RADIUS server allows one instance of the Vendor-Specific attribute to be sent in an
Access-Accept message.

Enabling 802.1X port security

By default, 802.1X port security is disabled on devices. To enable the feature on the device and
enter the dot1x configuration level, enter the following command.

TurboIron(config)#dot1x-enable

TurboIron(config-dot1x)#

Syntax: [no] dot1x-enable

At the dot1x configuration level, you can enable 802.1X port security on all interfaces at once, on
individual interfaces, or on a range of interfaces.

Table 8:

Value

Description

ipACL.e.in=<extended-ACL-entries>

Applies the specified extended ACL entries to the 802.1X
authenticated port in the inbound direction.

macfilter.in=<mac-filter-entries>

Applies the specified MAC address filter entries to the 802.1X
authenticated port in the inbound direction.

Table 9:

ACL or MAC address filter

Vendor-specific attribute on RADIUS server

MAC address filter with one entry

macfilter.in= deny any any

MAC address filter with two entries

macfilter.in= permit 0000.0000.3333 ffff.ffff.0000 any,
macfilter.in= permit 0000.0000.4444 ffff.ffff.0000 any

Advertising
Popular Brands
Popular manuals