Brocade ICX 6650 Security Configuration Guide, 53-1002601-01, page 241

Multi-device port authentication configuration

If an untagged port has already been placed in a VLAN through dynamic VLAN assignment and a
second MAC address is then authenticated on the same port, but the RADIUS Access-Accept message
for the second MAC address specifies a different VLAN, the second MAC address is treated as an
authentication failure and the configured authentication failure action is performed. This applies
only while the first MAC address has not yet aged out. Once the first MAC address has aged out,
dynamic VLAN assignment works as expected for the second MAC address.

For dual-mode ports, if the RADIUS server returns T:vlan-name, the client's traffic is also still
forwarded in the statically assigned PVID. If the RADIUS server returns U:vlan-name, the traffic is
no longer forwarded in the statically assigned PVID.

Configuring the RADIUS server to support dynamic VLAN assignment

To specify VLAN identifiers on the RADIUS server, add the following attributes to the profile for the
MAC address on the RADIUS server, then enable dynamic VLAN assignment on multi-device port
authentication-enabled interfaces.

For information about the attributes, refer to “Dynamic VLAN assignment for 802.1X port configuration” on page 166.

Also, refer to the example configuration of “Multi-device port authentication with dynamic VLAN assignment” on page 260.

Enabling dynamic VLAN support for tagged packets on non-member VLAN ports

By default, the Brocade device drops tagged packets that are received on non-member VLAN ports.
This process is called ingress filtering. Because the source MAC address of a dropped packet is
never learned, authentication does not take place for that client.

The Brocade device can authenticate clients that send tagged packets on non-member VLAN ports.
This enables the Brocade device to add the VLAN dynamically. To enable support, enter the
following command at the Interface level of the CLI.

Brocade(config)# interface ethernet 1/3/1
Brocade(config-if-e10000-1/3/1)# mac-authentication disable-ingress-filtering

If the client MAC address is successfully authenticated and the correct VLAN attribute is sent by the
RADIUS server, the MAC address will be successfully authenticated on the VLAN.

Syntax: mac-authentication disable-ingress-filtering

TABLE 56   Attributes for MAC address on RADIUS server

Attribute name            Type   Value
Tunnel-Type               064    13 (decimal) – VLAN
Tunnel-Medium-Type        065    6 (decimal) – 802
Tunnel-Private-Group-ID   081    vlan-name (string)
                                 The vlan-name value can specify either the name or the number of
                                 one or more VLANs configured on the Brocade device.
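The following Python is an added example, not Brocade code and not part of this guide. It builds the three attributes from Table 56 in their RADIUS wire form (RFC 2868 tagged attributes), parses them back out of an Access-Accept attribute list, checks that Tunnel-Type and Tunnel-Medium-Type really say VLAN over 802 and belong to the same tag group as the Tunnel-Private-Group-ID, and then applies the U:/T: rule for dual-mode ports described earlier in this section. Function names are the author's own; the guide says vlan-name may list more than one VLAN, but this example handles a single entry, and the treatment of a bare vlan-name (no U: or T: prefix) as untagged is an assumption that the 802.1X section on page 166 should be checked against.

```python
"""RFC 2868 tunnel attributes for dynamic VLAN assignment (added example)."""

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # Table 56: Tunnel-Type 13 (decimal) = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6   # Table 56: Tunnel-Medium-Type 6 (decimal) = 802


def tagged_int(attr_type, value, tag=0):
    """RFC 2868 tagged integer: Type, Length=6, Tag, 3-byte big-endian value."""
    return bytes([attr_type, 6, tag]) + value.to_bytes(3, "big")


def tagged_string(attr_type, text, tag=0):
    """RFC 2868 tagged string: Type, Length, Tag (0 = no group), String."""
    body = bytes([tag]) + text.encode("ascii")
    return bytes([attr_type, 2 + len(body)]) + body


def vlan_attributes(group_id, tag=0):
    """Attribute bytes a RADIUS server would add to a MAC address profile
    to assign the VLAN named by group_id (for example 'U:guest' or 'T:20')."""
    return (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802, tag)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, group_id, tag))


def parse_attributes(data):
    """Walk Type/Length/Value triples and return {type: [(tag, value), ...]}.
    Rejects truncated or malformed attributes instead of guessing."""
    out = {}
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 3 or i + alen > len(data):
            raise ValueError("bad attribute length")
        body = data[i + 2:i + alen]
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(body) != 4:
                raise ValueError("tagged integer must be 4 bytes")
            tag, value = body[0], int.from_bytes(body[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868 section 3.6: a first byte above 0x1F is string data, not a tag
            if body[0] <= 0x1F:
                tag, value = body[0], body[1:].decode("ascii")
            else:
                tag, value = 0, body.decode("ascii")
        else:
            tag, value = 0, bytes(body)
        out.setdefault(atype, []).append((tag, value))
        i += alen
    return out


def dual_mode_assignment(attrs):
    """For a dual-mode port, decide what a parsed Access-Accept grants.
    Returns None when no usable VLAN attribute set is present."""
    types = attrs.get(TUNNEL_TYPE, [])
    media = attrs.get(TUNNEL_MEDIUM_TYPE, [])
    for tag, group_id in attrs.get(TUNNEL_PRIVATE_GROUP_ID, []):
        # The three AVPs must describe one tunnel: same tag, VLAN over 802.
        if (tag, TUNNEL_TYPE_VLAN) not in types:
            continue
        if (tag, TUNNEL_MEDIUM_IEEE_802) not in media:
            continue
        prefix, _, name = group_id.partition(":")
        if prefix.upper() == "T" and name:
            # T:vlan-name: tagged member, still forwarded in the static PVID
            return {"vlan": name, "tagged": True, "forward_in_pvid": True}
        if prefix.upper() == "U" and name:
            # U:vlan-name: untagged member, no longer forwarded in the PVID
            return {"vlan": name, "tagged": False, "forward_in_pvid": False}
        # Assumption (not stated on this page): a bare vlan-name acts like U:
        return {"vlan": group_id, "tagged": False, "forward_in_pvid": False}
    return None


if __name__ == "__main__":
    reply = parse_attributes(vlan_attributes("U:guest-vlan"))
    print(reply, dual_mode_assignment(reply))
```

The tag check matters in practice: a server that emits Tunnel-Type and Tunnel-Medium-Type with tag 1 but the group ID untagged is sending three attributes the switch is not obliged to treat as one VLAN assignment. In a FreeRADIUS users file the same three values are written with the dictionary names Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802 and Tunnel-Private-Group-Id = "U:guest-vlan" in the reply section of the entry whose username is the client MAC address.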
