Brocade BigIron RX Series Configuration Guide User Manual
BigIron RX Series Configuration Guide
53-1002484-04
Configuring multi-device port authentication
32
• If the <vlan-name> string does not match either the name or the ID of a VLAN configured on the device, then it is considered an authentication failure, and the configured authentication failure action is performed for the MAC address.
• For untagged ports, if the VLAN ID provided by the RADIUS server is valid, then the port is removed from its current VLAN and moved to the RADIUS-specified VLAN as an untagged port.
• For tagged or dual-mode ports, if the VLAN ID provided by the RADIUS server does not match the VLAN ID in the tagged packet that contains the authenticated MAC address as its source address, then it is considered an authentication failure, and the configured authentication failure action is performed for the MAC address.
• If an untagged port had previously been assigned to a VLAN through dynamic VLAN assignment, and then another MAC address is authenticated on the same port, but the RADIUS Access-Accept message for the second MAC address specifies a different VLAN, then it is considered an authentication failure for the second MAC address, and the configured authentication failure action is performed. Note that this applies only if the first MAC address has not yet aged out. If the first MAC address has aged out, then dynamic VLAN assignment would work as expected for the second MAC address.
• For dual-mode ports, if the RADIUS server returns T:<vlan-name>, the traffic will still be forwarded in the statically assigned PVID. If the RADIUS server returns U:<vlan-name>, the traffic will not be forwarded in the statically assigned PVID.
Enabling dynamic VLAN support for tagged packets on non-member VLAN ports
By default, the Brocade device drops tagged packets that are received on non-member VLAN ports. This process is called ingress filtering. Because the MAC addresses of these packets are not learned, authentication does not take place.
The Brocade device can authenticate clients that send tagged packets on non-member VLAN ports. This enables the Brocade device to add the VLAN dynamically. To enable support, enter the following command at the Interface level of the CLI.
BigIron RX(config)# interface e 3/1
BigIron RX(config-if-e100-3/1)# mac-authentication disable-ingress-filtering
If the client MAC address is successfully authenticated and the correct VLAN attribute is sent by the 
RADIUS server, the MAC address will be successfully authenticated on the VLAN.
Syntax: [no] mac-authentication disable-ingress-filtering
Configuration notes and limitations:
• This feature works in conjunction with multi-device port authentication with dynamic VLAN assignment only.
• The port on which ingress filtering is disabled must be tagged to a VLAN.
• If a host sends both tagged and untagged traffic, and ingress filtering is disabled on the port, the port must be configured as a dual-mode port.
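The dynamic VLAN assignment rules and the ingress-filtering behavior described above can be checked against a planned RADIUS policy with a small decision model. The following Python is an added example, not Brocade code: the `Port` class, the `evaluate` function and the sample VLANs are hypothetical, and it assumes that the T:/U: prefix is optional and that an untagged frame on a tagged or dual-mode port triggers none of the listed failure rules.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Port:
    mode: str                           # "untagged", "tagged" or "dual-mode"
    member_vlans: set                   # VLAN IDs the port statically belongs to
    ingress_filtering: bool = True      # default; False models disable-ingress-filtering
    dynamic_vlan: Optional[int] = None  # VLAN set by an earlier MAC that has not aged out

def resolve_vlan(value, vlans):
    """Match a RADIUS <vlan-name> string against configured VLAN names and IDs."""
    return next((vid for vid, name in vlans.items() if value in (name, str(vid))), None)

def evaluate(port, vlans, radius_value, frame_tag=None):
    """Return (outcome, detail) for one MAC address; updates port.dynamic_vlan."""
    # Tagged frame for a non-member VLAN: dropped before the MAC is learned.
    if frame_tag is not None and frame_tag not in port.member_vlans and port.ingress_filtering:
        return ("dropped", "ingress filtering, no authentication attempted")
    # Assumption: the T:/U: prefix is optional and precedes the VLAN name or ID.
    prefix = radius_value[:2] if radius_value[:2] in ("T:", "U:") else ""
    vid = resolve_vlan(radius_value[len(prefix):], vlans)
    if vid is None:
        return ("auth-failure", "VLAN string matches no configured name or ID")
    if port.mode == "untagged":
        if port.dynamic_vlan not in (None, vid):
            return ("auth-failure", "port already moved to another VLAN by an active MAC")
        port.dynamic_vlan = vid
        return ("authenticated", f"port moved to VLAN {vid} as untagged")
    # Tagged and dual-mode ports. Assumption: an untagged frame triggers no failure rule.
    if frame_tag is not None and frame_tag != vid:
        return ("auth-failure", "RADIUS VLAN differs from the VLAN ID in the tagged frame")
    if port.mode == "dual-mode" and prefix:
        pvid = "still forwards" if prefix == "T:" else "no longer forwards"
        return ("authenticated", f"VLAN {vid}; static PVID {pvid}")
    return ("authenticated", f"VLAN {vid}")

VLANS = {10: "staff", 20: "guest", 30: "voice"}  # constructed sample VLANs

def demo():
    access = Port("untagged", {1})  # constructed ports; the same port sees two MACs
    return [
        evaluate(access, VLANS, "staff"),                    # first MAC moves the port
        evaluate(access, VLANS, "20"),                       # second MAC, different VLAN
        evaluate(Port("tagged", {10}), VLANS, "voice", 30),  # default ingress filtering
        evaluate(Port("tagged", {10}, False), VLANS, "voice", 30),  # filtering disabled
        evaluate(Port("dual-mode", {10}), VLANS, "U:guest"),
    ]

print(*demo(), sep="\n")
```

Running the model over each RADIUS VLAN value planned for a port shows which clients would hit the configured authentication failure action before the policy is deployed.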