Authentication-failure actions, Supported radius attributes, Dynamic vlan and acl assignments – Brocade BigIron RX Series Configuration Guide User Manual

1006

BigIron RX Series Configuration Guide

53-1002484-04

How multi-device port authentication works

32

traffic from this MAC address is encountered on a MAC-authentication-enabled interface, the
device sends the RADIUS server an Access-Request message with 0007e90feaa1 as both the
username and password. The format of the MAC address sent to the RADIUS server is configurable
through the CLI.

The request for authentication from the RADIUS server is successful only if the username and
password provided in the request matches an entry in the users database on the RADIUS server.
When this happens, the RADIUS server returns an Access-Accept message back to the device.
When the RADIUS server returns an Access-Accept message for a MAC address, that MAC address
is considered authenticated, and traffic from the MAC address is forwarded normally by the device.

Authentication-failure actions

If the MAC address does not match the username and password of an entry in the users database
on the RADIUS server, then the RADIUS server returns an Access-Reject message. When this
happens, it is considered an authentication failure for the MAC address. When an authentication
failure occurs, the device can either drop traffic from the MAC address in hardware (the default), or
move the port on which the traffic was received to a restricted VLAN.

BigIron RX Series support multi-device port authentication on both tagged and untagged ports.

Supported RADIUS attributes

The BigIron RX supports the following RADIUS attributes for multi-device port authentication:

•

Username (1) – RFC 2865

•

FilterId (11) – RFC 2865

•

Vendor-Specific Attributes (26) – RFC 2865

•

Tunnel-Type (64) – RFC 2868

•

Tunnel-Medium-Type (65) – RFC 2868

•

EAP Message (79) – RFC 2579

•

Tunnel-Private-Group-Id (81) – RFC 2868

Dynamic VLAN and ACL assignments

The multi-device port authentication feature supports dynamic VLAN assignment, where a port can
be placed in a VLAN based on the MAC address learned on that interface. When a MAC address is
successfully authenticated, the RADIUS server sends the device a RADIUS Access-Accept message
that allows the device to forward traffic from that MAC address. The RADIUS Access-Accept
message can also contain attributes set for the MAC address in its access profile on the RADIUS
server.

If one of the attributes in the Access-Accept message specifies a VLAN identifier, and this VLAN is
available on the device, the port is moved from its default VLAN to the specified VLAN.

If the Tunnel-Private-Group-ID attribute is empty or none of the attributes is specified in the
Access-Accept message, a tagged packet is authenticated only if the port is a member of packet
tag, whereas an untagged packet is authenticated against the port default VLAN ID (PVID), and the
traffic is forwarded normally.