Brocade Communications Systems, Brocade ICX 6650 User Manual

Brocade ICX 6650 Security Configuration Guide

243

53-1002601-01

Multi-device port authentication configuration

Automatic removal of dynamic VLAN assignments for MAC authenticated ports

By default, the Brocade device removes the association between a port and a dynamically
assigned VLAN when all authenticated MAC sessions for that tagged or untagged VLAN have expired
on the port. Because the association is transient, RADIUS-specified VLAN assignments are not
saved to the device running-config file. When the show run command is issued during a session,
dynamically assigned VLANs are not displayed; they can, however, be displayed with the show vlan,
show auth-mac-addresses detail, and show auth-mac-addresses authorized-mac commands.

You can optionally configure the Brocade device to save the RADIUS-specified VLAN assignments to
the device's running-config file. Refer to "Saving dynamic VLAN assignments to the running-config
file", next.

Saving dynamic VLAN assignments to the running-config file

By default, dynamic VLAN assignments are not saved to the running-config file of the Brocade
device. However, you can configure the device to do so by entering the following command.

Brocade(config)# mac-authentication save-dynamicvlan-to-config

When the above command is applied, dynamic VLAN assignments are saved to the running-config
file and are displayed when the show run command is issued. Dynamic VLAN assignments can also
be displayed with the show vlan, show auth-mac-addresses detail, and show auth-mac-addresses
authorized-mac commands.

Syntax: [no] mac-authentication save-dynamicvlan-to-config

Dynamically applying IP ACLs to authenticated MAC addresses

The Brocade multi-device port authentication implementation supports the assignment of a MAC
address to a specific ACL, based on the MAC address learned on the interface.

When a MAC address is successfully authenticated, the RADIUS server sends the Brocade device a
RADIUS Access-Accept message that allows the Brocade device to forward traffic from that MAC
address. The RADIUS Access-Accept message can also contain, among other attributes, the
Filter-ID (type 11) attribute for the MAC address. When the Brocade device receives an
Access-Accept message containing the Filter-ID (type 11) attribute, it uses the information in
that attribute to apply an IP ACL on a per-MAC (per user) basis.

The dynamic IP ACL is active as long as the client is connected to the network. When the client
disconnects from the network, the IP ACL is no longer applied to the port. If an IP ACL had been
applied to the port before multi-device port authentication, it is re-applied to the port.
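The paragraphs above describe the Access-Accept carrying Filter-ID (type 11), but do not show what the switch actually has to check before it trusts the attribute. The following is an added example, not Brocade code and not part of the original guide: a minimal RFC 2865 Access-Accept parser that (1) verifies the Response Authenticator against the shared secret and the Request Authenticator the NAS sent, so a forged or replayed Accept from an off-path host is discarded rather than opening the port, and (2) walks the attribute TLVs with length checks before returning the Filter-ID value(s). The request authenticator, shared secret, RADIUS identifier and the ACL name "guest-acl" are all constructed sample data; how the Brocade device maps the Filter-ID string to a configured ACL is documented elsewhere in the guide and is not assumed here.

```python
"""Extract Filter-ID (type 11) from an authenticated RADIUS Access-Accept.

Added example, not Brocade code. Demonstrates the two checks a NAS must make
before acting on a dynamic-ACL attribute: the Response Authenticator matches
the shared secret, and the attribute TLVs are well formed (RFC 2865).
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2          # RFC 2865 packet code
FILTER_ID = 11             # RFC 2865 attribute type carrying the filter (ACL) name
HEADER_LEN = 20            # code(1) + identifier(1) + length(2) + authenticator(16)


def encode_attribute(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute TLV: type, length (including this 2-byte header), value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return bytes([atype, len(value) + 2]) + value


def build_access_accept(ident: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Build an Access-Accept the way a RADIUS server does (constructed test data).

    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    """
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, HEADER_LEN + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def parse_attributes(blob: bytes) -> list:
    """Walk the attribute TLVs, rejecting truncated or zero-length entries."""
    attrs, pos = [], 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        attrs.append((atype, blob[pos + 2:pos + alen]))
        pos += alen
    return attrs


def filter_ids_from_access_accept(packet: bytes, request_auth: bytes, secret: bytes) -> list:
    """Return the Filter-ID values from an authentic Access-Accept.

    Returns [] for a genuine Accept without Filter-ID (the port opens with no
    dynamic ACL). Raises ValueError for a wrong code, an inconsistent length,
    or a Response Authenticator that does not match: such a packet must be
    discarded and must not authorize the MAC address.
    """
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("length field %d inconsistent with %d octets" % (length, len(packet)))
    packet = packet[:length]                        # octets past Length are padding (RFC 2865 s.3)
    if code != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept (code %d)" % code)
    attrs = packet[HEADER_LEN:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:HEADER_LEN]):
        raise ValueError("Response Authenticator mismatch: discard, do not authorize")
    return [v.decode("utf-8") for t, v in parse_attributes(attrs) if t == FILTER_ID]


# Constructed sample exchange: the Request Authenticator the NAS sent, the
# shared secret it holds, and a server reply carrying Filter-ID "guest-acl".
SAMPLE_REQUEST_AUTH = bytes(range(16))
SAMPLE_SECRET = b"example-shared-secret"       # constructed, not a real credential
SAMPLE_ACCEPT = build_access_accept(
    ident=7,
    request_auth=SAMPLE_REQUEST_AUTH,
    secret=SAMPLE_SECRET,
    attrs=encode_attribute(FILTER_ID, b"guest-acl"),
)


def demo() -> dict:
    """Genuine Accept yields the ACL name; an Accept built with the wrong secret is rejected."""
    good = filter_ids_from_access_accept(SAMPLE_ACCEPT, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET)
    forged = build_access_accept(7, SAMPLE_REQUEST_AUTH, b"wrong-secret",
                                 encode_attribute(FILTER_ID, b"admin-acl"))
    try:
        filter_ids_from_access_accept(forged, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET)
        forged_rejected = False
    except ValueError:
        forged_rejected = True
    return {"filter_ids": good, "forged_rejected": forged_rejected}


if __name__ == "__main__":
    print(demo())
```

The authenticator check is the security-relevant step: Filter-ID is only as trustworthy as the shared secret and the per-request authenticator that bind the Accept to the NAS's own Access-Request, so a parser that extracts the attribute without that check lets anyone who can reach the NAS's RADIUS port assign ACLs.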

NOTE

A dynamic IP ACL takes precedence over an IP ACL that is bound to a port (port ACL). When a client
authenticates with a dynamic IP ACL, the port ACL is not applied. Subsequent clients on the
same port then authenticate with either a dynamic IP ACL or no IP ACL. Only when no client on the
port uses a dynamic ACL is the port ACL applied to all traffic.
