Brocade Communications Systems Brocade ICX 6650 6650 User Manual

170

Brocade ICX 6650 Security Configuration Guide

53-1002601-01

802.1X port security configuration

Dynamically applying IP ACLs and MAC address filters
to 802.1X ports

The Brocade 802.1X implementation supports dynamically applying an IP ACL or MAC address filter
to a port, based on information received from an Authentication Server.

When a client/supplicant successfully completes the EAP authentication process, the
Authentication Server (the RADIUS server) sends the Authenticator (the Brocade device) a RADIUS
Access-Accept message that grants the client access to the network. The RADIUS Access-Accept
message contains attributes set for the user in the user's access profile on the RADIUS server.

If the Access-Accept message contains Filter-ID (type 11) or Vendor-Specific (type 26), or both
attributes, the Brocade device can use information in these attributes to apply an IP ACL or MAC
address filter to the authenticated port. This IP ACL or MAC address filter applies to the port for as
long as the client is connected to the network. When the client disconnects from the network, the
IP ACL or MAC address filter is no longer applied to the port. If an IP ACL or MAC address filter had
been applied to the port prior to 802.1X authentication, it is then re-applied to the port.

The Brocade device uses information in the Filter ID and Vendor-Specific attributes as follows:

•

The Filter-ID attribute can specify the number of an existing IP ACL or MAC address filter
configured on the Brocade device. In this case, the IP ACL or MAC address filter with the
specified number is applied to the port.

•

The Vendor-Specific attribute can specify actual syntax for a Brocade IP ACL or MAC address
filter, which is then applied to the authenticated port. Configuring a Vendor-Specific attribute in
this way allows you to create IP ACLs and MAC address filters that apply to individual users;
that is, per-user IP ACLs or MAC address filters.

Configuration considerations for applying IP ACLs
and MAC address filters to 802.1x ports

The following restrictions apply to dynamic IP ACLs or MAC address filters:

•

Inbound dynamic IP ACLs are supported. Outbound dynamic ACLs are not supported.

•

Inbound Vendor-Specific attributes are supported. Outbound Vendor-Specific attributes are
not supported.

•

A maximum of one IP ACL can be configured in the inbound direction on an interface.

•

802.1X with dynamic MAC filter will work for one client at a time on a port. If a second client
tries to authenticate with 802.1X and dynamic MAC filter, the second client will be rejected.

•

MAC address filters cannot be configured in the outbound direction on an interface.

•

Concurrent operation of MAC address filters and IP ACLs is not supported.

•

A dynamic IP ACL will take precedence over an IP ACL that is bound to a port (port ACL). When
a client authenticates with a dynamic IP ACL, the port ACL will not be applied. Also, future
clients on the same port will authenticate with a dynamic IP ACL or no IP ACL. If no clients on
the port use dynamic ACL, then the port ACL will be applied to all traffic.