Dynamic multiple vlan, Assignment for 802.1x ports, Dynamic multiple vlan assignment for 802.1x ports – Brocade Communications Systems Brocade ICX 6650 6650 User Manual

168

Brocade ICX 6650 Security Configuration Guide

53-1002601-01

802.1X port security configuration

Dynamic multiple VLAN assignment for 802.1X ports

When you add attributes to a user profile on the RADIUS server, the vlan-name value for the
Tunnel-Private-Group-ID attribute can specify the name or number of one or more VLANs configured
on the Brocade device.

For example, to specify one VLAN, configure the following for the vlan-name value in the
Tunnel-Private-Group-ID attribute on the RADIUS server.

"10" or "marketing"

In this example, the port on which the Client is authenticated is assigned to VLAN 10 or the VLAN
named "marketing". The VLAN to which the port is assigned must have previously been configured
on the Brocade device.

Specifying an untagged VLAN
To specify an untagged VLAN, use the following.

"U:10" or "U:marketing"

When the RADIUS server specifies an untagged VLAN ID, the port default VLAN ID (or PVID) is
changed from the system DEFAULT-VLAN (VLAN 1) to the specified VLAN ID. The port transmits only
untagged traffic on its PVID. In this example, the port PVID is changed from VLAN 1 (the
DEFAULT-VLAN) to VLAN 10 or the VLAN named “marketing”.

The PVID for a port can be changed only once through RADIUS authentication. For example, if
RADIUS authentication for a Client causes a port PVID to be changed from 1 to 10, and then
RADIUS authentication for another Client on the same port specifies that the port PVID be moved
to 20, then the second PVID assignment from the RADIUS server is ignored.

If the link goes down, or the dot1x-mac-session for the Client that caused the initial PVID
assignment ages out, then the port reverts back to its original (non-RADIUS-specified) PVID, and
subsequent RADIUS authentication can change the PVID assignment for the port.

If a port PVID is assigned through the multi-device port authentication feature, and 802.1X
authentication subsequently specifies a different PVID, then the PVID specified through 802.1X
authentication overrides the PVID specified through multi-device port authentication.

Specifying a tagged VLAN
To specify a tagged VLAN, use the following.

"T:12;T:20" or "T:12;T:marketing"

In this example, the port is added to VLANs 12 and 20 or VLANs 12 and the VLAN named
"marketing". When a tagged packet is authenticated, and a list of VLANs is specified on the RADIUS
server for the MAC address, then the packet tag must match one of the VLANs in the list in order for
the Client to be successfully authenticated. If authentication is successful, then the port is added
to all of the VLANs specified in the list.

Unlike with a RADIUS-specified untagged VLAN, if the dot1x-mac-session for the Client ages out, the
port membership in RADIUS-specified tagged VLANs is not changed. In addition, if multi-device port
authentication specifies a different list of tagged VLANs, then the port is added to the specified list
of VLANs. Membership in the VLANs specified through 802.1X authentication is not changed.

Specifying an untagged VLAN and multiple tagged VLANs
To specify an untagged VLAN and multiple tagged VLANs, use the following.

"U:10;T:12;T:marketing"