Brocade Communications Systems Brocade ICX 6650 6650 User Manual
Page 255
Brocade ICX 6650 Security Configuration Guide
235
53-1002601-01
Multi-device port authentication and 802.1X security on the same port
4. If the Foundry-802_1x-enable VSA is present in the Access-Accept message, and is set to 0,
then 802.1X authentication is skipped. The device is authenticated, and any dynamic VLANs
specified in the Access-Accept message returned during multi-device port authentication are
applied to the port.
5. If 802.1X authentication is performed on the device, and is successful, then dynamic VLANs or
ACLs specified in the Access-Accept message returned during 802.1X authentication are
applied to the port.
If multi-device port authentication fails for a device, then by default traffic from the device is either
blocked in hardware, or the device is placed in a restricted VLAN. You can optionally configure the
Brocade device to perform 802.1X authentication on a device when it fails multi-device port
authentication. Refer to
“Example 2 — Creating a profile on the RADIUS server for each MAC
on page 265 for a sample configuration where this is used.
Configuring Brocade-specific attributes on the
RADIUS server
If the RADIUS authentication process is successful, the RADIUS server sends an Access-Accept
message to the Brocade device, authenticating the device. The Access-Accept message can
include Vendor-Specific Attributes (VSAs) that specify additional information about the device. If
you are configuring multi-device port authentication and 802.1X authentication on the same port,
then you can configure the Brocade VSAs listed in
on the RADIUS server.
You add these Brocade vendor-specific attributes to your RADIUS server configuration, and
configure the attributes in the individual or group profiles of the devices that will be authenticated.
The Brocade Vendor-ID is 1991, with Vendor-Type 1.