Configuring dynamic vlan assignment – Brocade BigIron RX Series Configuration Guide User Manual


BigIron RX Series Configuration Guide (53-1002484-04), page 1011, Chapter 32: Configuring multi-device port authentication

Configuring dynamic VLAN assignment

An interface can be dynamically assigned to a VLAN based on the MAC address learned on that
interface. When a MAC address is successfully authenticated, the RADIUS server sends the device
a RADIUS Access-Accept message that allows the device to forward traffic from that MAC address.
The RADIUS Access-Accept message can also contain attributes set for the MAC address in its
access profile on the RADIUS server.

If one of the attributes in the Access-Accept message specifies a VLAN identifier, and this VLAN is
available on the device, the port is moved from its default VLAN to the specified VLAN.

To enable dynamic VLAN assignment for authenticated MAC addresses, you must add the following
attributes to the profile for the MAC address on the RADIUS server (dynamic VLAN assignment on
multi-device port authentication-enabled interfaces is enabled by default and can be disabled).
Refer to “Dynamic VLAN and ACL assignments” on page 1006 for a list of the attributes that must
be set on the RADIUS server.

Dynamic VLAN assignment on a multi-device port authentication-enabled interface is enabled by
default. If it is disabled, enter commands such as the following command to enable it.

BigIron RX(config)# interface e 3/1
BigIron RX(config-if-e100-3/1)# mac-authentication enable-dynamic-vlan

Syntax: [no] mac-authentication enable-dynamic-vlan

Dynamic multiple VLAN assignment for Multi-device port authentication

When you add attributes to a user profile on the RADIUS server, the <vlan-name> value for the
Tunnel-Private-Group-ID attribute can specify the name or number of one or more VLANs configured
on the Brocade device.

For example, to specify an untagged VLAN, use the following.

"U:10" or "U:marketing"

When the RADIUS server specifies an untagged VLAN ID, the port default VLAN ID (PVID) is
changed from the system DEFAULT-VLAN (VLAN 1) to the specified VLAN ID. The port transmits only
untagged traffic on its PVID. In this example, the port PVID is changed from VLAN 1 (the
DEFAULT-VLAN) to VLAN 10 or the VLAN named "marketing".

The PVID for a port can be changed only once through RADIUS authentication. For example, if
RADIUS authentication for a Client causes a port PVID to be changed from 1 to 10, and then
RADIUS authentication for another Client on the same port specifies that the port PVID be moved
to 20, then the second PVID assignment from the RADIUS server is ignored.

If the link goes down, or the dot1x-mac-session for the Client that caused the initial PVID
assignment ages out, the port reverts to its original (non-RADIUS-specified) PVID, and
subsequent RADIUS authentication can again change the PVID assignment for the port.

If a port PVID is assigned through the multi-device port authentication feature, and 802.1X
authentication subsequently specifies a different PVID, then the PVID specified through 802.1X
authentication overrides the PVID specified through multi-device port authentication.

To specify tagged VLANs, use the following.

"T:12;T:20" or "T:12;T:marketing"
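The following is an added example, not code from the Brocade guide: it parses the "U:<vlan>" / "T:<vlan>;T:<vlan>" value format for Tunnel-Private-Group-ID shown above and models the PVID rules of this section (one PVID change per port, 802.1X overriding a MAC-authentication PVID, reversion on link down or session age-out). The port model, the `mac-auth`/`dot1x` source labels and the status strings are assumptions for illustration.

```python
import re

# One entry of the attribute value: U: (untagged) or T: (tagged), then a VLAN number or name.
_ENTRY = re.compile(r"^([UT]):([A-Za-z0-9_.-]+)$")

def parse_group_id(value):
    """Split a Tunnel-Private-Group-ID value such as "U:10" or "T:12;T:marketing"
    into (untagged_vlan_or_None, [tagged_vlans])."""
    untagged, tagged = None, []
    for item in value.strip().strip('"').split(";"):
        match = _ENTRY.match(item.strip())
        if not match:
            raise ValueError(f"malformed VLAN entry: {item!r}")
        kind, vlan = match.groups()
        if kind == "U":
            if untagged is not None:
                raise ValueError("only one untagged VLAN (U:) is allowed")
            untagged = vlan
        else:
            tagged.append(vlan)
    return untagged, tagged

class AuthPort:
    """Port PVID state for the rules in the guide (model constructed for this example)."""

    def __init__(self, available_vlans, original_pvid="1"):
        self.available = set(available_vlans)  # VLANs configured on the device
        self.original_pvid = original_pvid     # system DEFAULT-VLAN is VLAN 1
        self.pvid, self.pvid_source, self.tagged = original_pvid, None, set()

    def apply_access_accept(self, group_id, source="mac-auth"):
        """Apply one Access-Accept; source is "mac-auth" or "dot1x". Returns a status string."""
        untagged, tagged = parse_group_id(group_id)
        # Tagged VLANs are added only if they exist on the device.
        self.tagged.update(v for v in tagged if v in self.available)
        if untagged is None:
            return "no-untagged-vlan"
        if untagged not in self.available:
            return "vlan-unavailable"           # port is not moved
        # The PVID changes only once; a later 802.1X result may override a MAC-auth PVID.
        if self.pvid_source is not None and not (
            source == "dot1x" and self.pvid_source == "mac-auth"
        ):
            return "pvid-already-assigned"
        self.pvid, self.pvid_source = untagged, source
        return "pvid-changed"

    def link_down(self):
        """Link down or dot1x-mac-session age-out: revert to the original PVID."""
        self.pvid, self.pvid_source, self.tagged = self.original_pvid, None, set()
```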
