Brocade FastIron Ethernet Switch Security Configuration Guide User Manual


FIGURE 13 802.1X Authentication is performed when a device fails multi-device port authentication

Multi-device port authentication is initially performed for both devices. The IP phone MAC address has
a profile on the RADIUS server. This profile indicates that 802.1X authentication should be skipped for
this device, and that the port be placed into the VLAN named "IP-Phone-VLAN".

Since there is no profile for the PC MAC address on the RADIUS server, multi-device port
authentication for this MAC address fails. Ordinarily, this would mean that the PVID for the port would
be changed to that of the restricted VLAN, or traffic from this MAC would be blocked in hardware.
However, the device is configured to perform 802.1X authentication when a device fails multi-device
port authentication, so when User 1 attempts to connect to the network from the PC, he is subject to
802.1X authentication. If User 1 is successfully authenticated, the PVID for port e 1/4 is changed to the
VLAN named "User-VLAN".

NOTE
This example assumes that the IP phone initially transmits untagged packets (for example, CDP or
DHCP packets), which trigger the authentication process on the Brocade device and the client lookup on
the RADIUS server. If the phone sends only tagged packets and the port (e 1/4) is not a member of
that VLAN, authentication would not occur. In this case, port e 1/4 must be added to that
VLAN prior to authentication.
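The decision flow described above (RADIUS MAC lookup first; on a miss, either restrict/block the MAC or fall back to 802.1X; and no authentication at all for a tagged frame on a VLAN the port is not a member of), as an added example that is not part of the Brocade guide. It is a model of the behaviour in plain Python, not switch configuration or real RADIUS traffic. The MAC addresses, the 802.1X username and password, the "Default-VLAN" and "Restricted-VLAN" names and the profile table are constructed assumptions.

```python
"""Model of multi-device port authentication with 802.1X fallback.

Added example, not from the Brocade guide. It replays the figure's scenario so
that the outcome for each device on port e 1/4 can be checked. All identifiers
below (MACs, credentials, VLAN names other than the two the guide uses) are
constructed for illustration.
"""
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed RADIUS MAC profile table: the IP phone has a profile that says
# "skip 802.1X, place the port in IP-Phone-VLAN"; the PC has no profile at all.
RADIUS_MAC_PROFILES = {
    "00:11:22:33:44:55": {"vlan": "IP-Phone-VLAN", "skip_dot1x": True},
}

# Constructed 802.1X user store: username -> (password, VLAN to assign).
DOT1X_USERS = {"user1": ("correct horse", "User-VLAN")}


@dataclass
class Port:
    name: str
    pvid: str
    member_vlans: set = field(default_factory=set)
    auth_fail_dot1x: bool = True              # fall back to 802.1X when MAC auth fails
    restricted_vlan: str = "Restricted-VLAN"  # assumed name of the restricted VLAN


@dataclass
class Frame:
    src_mac: str
    vlan_tag: Optional[str] = None            # None = untagged (e.g. CDP or DHCP)


def authenticate(port: Port, frame: Frame, dot1x_credentials=None):
    """Return (outcome, vlan) for one device's first frame on `port`.

    Outcomes: "no-auth" (tagged frame for a VLAN the port is not in; nothing is
    triggered), "mac-auth-ok", "mac-auth-fail" (restricted VLAN, fallback off),
    "dot1x-pending" (waiting for EAP), "dot1x-ok", "dot1x-fail".
    """
    # Caveat from the NOTE: a tagged frame for a VLAN the port is not a member of
    # never reaches the RADIUS lookup, so the device is silently left unauthenticated.
    if frame.vlan_tag is not None and frame.vlan_tag not in port.member_vlans:
        return "no-auth", port.pvid

    profile = RADIUS_MAC_PROFILES.get(frame.src_mac.lower())
    if profile is not None and profile["skip_dot1x"]:
        port.pvid = profile["vlan"]
        return "mac-auth-ok", profile["vlan"]

    # No profile: multi-device port authentication failed for this MAC.
    # (A profile that does not skip 802.1X falls through to the 802.1X step.)
    if profile is None and not port.auth_fail_dot1x:
        port.pvid = port.restricted_vlan
        return "mac-auth-fail", port.restricted_vlan

    # Fallback: the device must now pass 802.1X before it gets a VLAN.
    if dot1x_credentials is None:
        return "dot1x-pending", None
    username, password = dot1x_credentials
    record = DOT1X_USERS.get(username)
    if record is not None and hmac.compare_digest(record[0], password):
        port.pvid = record[1]
        return "dot1x-ok", record[1]
    port.pvid = port.restricted_vlan
    return "dot1x-fail", port.restricted_vlan


def walk_through_example():
    """Replay the figure: phone first, then the PC, both untagged on port e 1/4."""
    port = Port(name="e 1/4", pvid="Default-VLAN", member_vlans={"Default-VLAN"})
    phone = authenticate(port, Frame("00:11:22:33:44:55"))
    pc_first = authenticate(port, Frame("aa:bb:cc:dd:ee:ff"))
    pc_dot1x = authenticate(port, Frame("aa:bb:cc:dd:ee:ff"), ("user1", "correct horse"))
    return phone, pc_first, pc_dot1x, port.pvid


if __name__ == "__main__":
    for step in walk_through_example():
        print(step)
```

Running `walk_through_example()` shows the phone accepted on the MAC lookup alone, the PC left pending until User 1 supplies 802.1X credentials, and the PVID of e 1/4 ending at "User-VLAN" after a successful 802.1X exchange. Setting `auth_fail_dot1x=False` on the port reproduces the default behaviour the text describes, where the unknown MAC lands in the restricted VLAN instead.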

Multi-Device Port Authentication


53-1003088-03