Brocade FastIron Ethernet Switch Security Configuration Guide User Manual


NOTE
The commands auth-fail-action restrict-vlan and auth-fail-vlanid are supported in the global dot1x
mode and are not supported at the port-level. The failure action of dot1x auth-timeout-action failure
will follow the auth-fail-action defined at the global dot1x level.

Dynamic VLAN assignment for 802.1X port configuration

When a client successfully completes the EAP authentication process, the Authentication Server (the
RADIUS server) sends the Authenticator (the Brocade device) a RADIUS Access-Accept message
that grants the client access to the network. The RADIUS Access-Accept message contains attributes
set for the user in the user's access profile on the RADIUS server.

If one of the attributes in the Access-Accept message specifies a VLAN identifier, and if this VLAN is
available on the Brocade device, the client port is moved from its default VLAN to this specified VLAN.

NOTE
This feature is supported on port-based VLANs only. This feature cannot be used to place an
802.1X-enabled port into a Layer 3 protocol VLAN.

Automatic removal of dynamic VLAN assignments for 802.1X ports

For increased security, this feature removes any association between a port and a
dynamically-assigned VLAN when all 802.1X sessions for that VLAN have expired on the port.

NOTE
When a show run command is issued during a session, the dynamically-assigned VLAN is not displayed.

Enable 802.1X VLAN ID support by adding the following attributes to a user profile on the RADIUS
server.

Attribute name            Type   Value
Tunnel-Type               064    13 (decimal) - VLAN
Tunnel-Medium-Type        065    6 (decimal) - 802
Tunnel-Private-Group-ID   081    vlan-name (string) - either the name or the number of a VLAN
                                 configured on the Brocade device.

The device reads the attributes as follows:

• If the Tunnel-Type or the Tunnel-Medium-Type attributes in the Access-Accept message do not
  have the values specified above, the Brocade device ignores the three Attribute-Value pairs. The
  client becomes authorized, but the client port is not dynamically placed in a VLAN.

• If the Tunnel-Type or the Tunnel-Medium-Type attributes in the Access-Accept message do have
  the values specified above, but there is no value specified for the Tunnel-Private-Group-ID attribute,
  the client will not become authorized.
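The following added example (not Brocade code, and not taken from this guide) applies the three rules above to the decoded attribute-value pairs of an Access-Accept, so an administrator can check what a given RADIUS user profile will do to the port before deploying it. The device_vlans lookup and the handling of a Tunnel-Private-Group-ID that names a VLAN not configured on the device are assumptions made for the example.

```python
# Added example: dynamic-VLAN decision for an 802.1X Access-Accept as described
# in this section. Attribute numbers and expected values are the ones in the
# table above (Tunnel-Type 64 = 13 VLAN, Tunnel-Medium-Type 65 = 6 802,
# Tunnel-Private-Group-ID 81 = VLAN name or number).
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6


def evaluate_access_accept(avps, device_vlans):
    """Return (authorized, vlan_number_or_None) for one Access-Accept.

    avps: list of (attribute_number, value) pairs already decoded from the
          message; values for 64/65 are ints, for 81 a string.
    device_vlans: dict mapping a VLAN name or VLAN number (as a string) to the
          VLAN number configured on the switch. This is a hypothetical stand-in
          for the device's running configuration, not a Brocade API.
    """
    attrs = {}
    for number, value in avps:
        attrs.setdefault(number, value)  # first occurrence of each attribute wins
    tunnel_type = attrs.get(TUNNEL_TYPE)
    medium = attrs.get(TUNNEL_MEDIUM_TYPE)
    group_id = attrs.get(TUNNEL_PRIVATE_GROUP_ID)

    # Rule 1: Tunnel-Type / Tunnel-Medium-Type missing or not 13 / 6 -> the
    # device ignores all three AVPs; client authorized, port stays in its
    # default VLAN.
    if tunnel_type != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_802:
        return True, None

    # Rule 2: type and medium are correct but Tunnel-Private-Group-ID carries
    # no value -> the client is NOT authorized.
    if group_id is None or str(group_id).strip() == "":
        return False, None

    # Rule 3: the port is moved only if the named VLAN is available on the
    # device. The guide does not say what happens when it is not; this example
    # assumes the port is left in its default VLAN.
    vlan = device_vlans.get(str(group_id).strip())
    if vlan is None:
        return True, None
    return True, vlan


# Constructed sample: VLAN 10 is named "guest" on the switch.
SAMPLE_VLANS = {"guest": 10, "10": 10}
```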

184

FastIron Ethernet Switch Security Configuration Guide

53-1003088-03