Brocade BigIron RX Series Configuration Guide User Manual

BigIron RX Series Configuration Guide, 53-1002484-04, page 1012

Configuring multi-device port authentication (32)

In this example, the port is added to VLANs 12 or 20, or to VLAN 12 or the VLAN named "marketing".
When a tagged packet is authenticated, and a list of VLANs is specified on the RADIUS server for
the MAC address, the packet tag must match one of the VLANs in the list for the Client to be
successfully authenticated. If authentication is successful, the port is added to the packet VLAN
specified in the list.

Unlike with a RADIUS-specified untagged VLAN, if the dot1x-mac-session for the Client ages out, the
port membership in RADIUS-specified tagged VLANs is not changed. In addition, if multi-device
port authentication specifies a different list of tagged VLANs, then the port is added to the
specified list of VLANs. Membership in the VLANs specified through 802.1X authentication is not
changed.

To specify an untagged VLAN and multiple tagged VLANs, use the following.

"U:10;T:12;T:marketing"

When the RADIUS server returns a value specifying both untagged and tagged VLAN IDs, the port
becomes a dual-mode port, accepting and transmitting both tagged traffic and untagged traffic at
the same time. A dual-mode port transmits only untagged traffic on its default VLAN (PVID) and
only tagged traffic on all other VLANs.

In this example, the port VLAN configuration is changed so that it transmits untagged traffic on
VLAN 10, and transmits tagged traffic on VLAN 12 and the VLAN named "marketing".

When the RADIUS server returns a value specifying multiple untagged VLAN IDs, the profile is
treated as invalid. This is an authentication failure and the client is blocked.

For a configuration example, refer to "Configuring dynamic VLAN assignment for 802.1x ports" on page 1054.

Configuring a port to remain in the restricted VLAN after a successful authentication attempt

If a previous authentication attempt for a MAC address failed, and as a result the port was placed
in the restricted VLAN, but a subsequent authentication attempt was successful, the RADIUS
Access-Accept message may specify a VLAN for the port. By default, the Brocade device moves the
port out of the restricted VLAN and into the RADIUS-specified VLAN. You can optionally configure
the device to leave the port in the restricted VLAN. To do this, enter the following command.

BigIron RX(config)# mac-authentication no-override-restrict-vlan

Syntax: [no] mac-authentication no-override-restrict-vlan

When the above command is applied, if the RADIUS-specified VLAN configuration is tagged (e.g.,
T:1024) and the VLAN is valid, then the port is placed in the RADIUS-specified VLAN as a tagged
port and left in the restricted VLAN. If the RADIUS-specified VLAN configuration is untagged (e.g.,
U:1024), the configuration from the RADIUS server is ignored, and the port is left in the restricted
VLAN.

Notes:

If you configure dynamic VLAN assignment on a multi-device port authentication enabled
interface, and the Access-Accept message returned by the RADIUS server does not contain a
Tunnel-Private-Group-ID attribute, then it is considered an authentication failure, and the
configured authentication failure action is performed for the MAC address.
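The following added example (not Brocade's code) models the rules this section describes: parsing the "U:10;T:12;T:marketing" value format, rejecting a profile with more than one untagged VLAN or with no Tunnel-Private-Group-ID at all, the tagged-packet match check, and where the port ends up when mac-authentication no-override-restrict-vlan is configured. The function and field names are assumptions chosen for the illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class VlanProfile:
    """RADIUS-specified VLAN membership: at most one untagged VLAN, any number tagged."""
    untagged: Optional[str] = None
    tagged: List[str] = field(default_factory=list)

    @property
    def dual_mode(self) -> bool:
        # Both untagged and tagged IDs returned: the port becomes a dual-mode port.
        return self.untagged is not None and bool(self.tagged)

def parse_vlan_profile(value: Optional[str]) -> VlanProfile:
    """Parse 'U:<vlan>;T:<vlan>;...' (VLAN IDs or names). Raises ValueError for an
    invalid profile, which the guide treats as an authentication failure."""
    if not value:
        raise ValueError("no Tunnel-Private-Group-ID attribute in Access-Accept")
    profile = VlanProfile()
    for entry in filter(None, value.split(";")):
        m = re.fullmatch(r"([UT]):([A-Za-z0-9_-]+)", entry.strip())
        if not m:
            raise ValueError(f"malformed entry: {entry!r}")
        kind, vlan = m.groups()
        if kind == "U":
            if profile.untagged is not None:
                # More than one untagged VLAN ID makes the whole profile invalid.
                raise ValueError("multiple untagged VLANs specified")
            profile.untagged = vlan
        else:
            profile.tagged.append(vlan)
    return profile

def is_valid_profile(value: Optional[str]) -> bool:
    try:
        parse_vlan_profile(value)
        return True
    except ValueError:
        return False

def tagged_packet_authenticated(profile: VlanProfile, packet_tag: str) -> bool:
    """Assumes a tagged list is present: the packet tag must match one entry."""
    return packet_tag in profile.tagged

def port_placement(profile: VlanProfile, in_restricted_vlan: bool,
                   no_override_restrict_vlan: bool) -> Tuple[Optional[str], List[str], bool]:
    """Returns (untagged VLAN applied, tagged VLANs applied, port stays in restricted VLAN)."""
    if in_restricted_vlan and no_override_restrict_vlan:
        # Tagged VLANs are still applied; a RADIUS untagged VLAN is ignored.
        return None, list(profile.tagged), True
    return profile.untagged, list(profile.tagged), False  # default: leave restricted VLAN
```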
