Dell PowerEdge VRTX User Manual

For a device to be authenticated and authorized at a DVA-enabled port:

• The RADIUS server must authenticate the device and dynamically assign a VLAN to the device.
• The assigned VLAN must not be the default VLAN and must have been created on the switch.
• The switch must not be configured to use both a DVA and a MAC-based VLAN group.
• A RADIUS server must support DVA with RADIUS attributes tunnel-type (64) = VLAN (13), tunnel-media-type (65) = 802 (6), and tunnel-private-group-id = a VLAN ID.

Dynamic Policy/ACL Assignment

The Dynamic Policy/ACL Assignment feature enables specifying a user-defined ACL or policy in the RADIUS server. After a successful authentication, the user is assigned that ACL.

Authentication Methods

The possible authentication methods are:

• Dot1x — The switch supports this authentication mechanism, as described in the standard, to authenticate and authorize Dot1x supplicants.
• MAC-based — The switch can be configured to use this method to authenticate and authorize devices that do not support Dot1x. The switch emulates the supplicant role on behalf of the non-Dot1x-capable devices, and uses the MAC address of the devices as the username and password, when communicating with the RADIUS servers. MAC addresses for username and password must be entered in lower case and with no delimiting characters (for example: aaccbb55ccff). To use MAC-based authentication at a port:
    • A Guest VLAN must be defined.
    • The port must be Guest-VLAN-enabled.
    • The packets from the first supplicant, at the port before it is authorized, must be untagged.
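The DVA attribute conditions and the MAC-based credential format described above can be checked when auditing a RADIUS server's replies. The following Python is an added example, not taken from the Dell manual: it parses a RADIUS Access-Accept and returns the assigned VLAN only if the listed conditions hold. The attribute number 81 for tunnel-private-group-id and the tag-byte layout come from RFC 2868; the function names, the default VLAN of 1 and the sample packet are assumptions made for illustration.

```python
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868 numbers
VLAN, IEEE_802, ACCESS_ACCEPT = 13, 6, 2

def mac_credential(mac):
    """MAC in the form the manual requires: lower case, no delimiting characters."""
    digits = "".join(c for c in mac if c not in ":-. ").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_attributes(packet):
    """Walk the type-length-value attributes after the 20-byte RADIUS header."""
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(packet[pos], packet[pos + 2:pos + packet[pos + 1]])
        pos += packet[pos + 1]
    return attrs

def dva_vlan(packet, switch_vlans, default_vlan=1):
    """VLAN ID if the Access-Accept meets the DVA conditions listed above, else None."""
    if packet[0] != ACCESS_ACCEPT:
        return None
    attrs = parse_attributes(packet)
    # Tunnel-Type and Tunnel-Medium-Type carry one tag byte, then a 3-byte value.
    if int.from_bytes(attrs.get(TUNNEL_TYPE, b"")[1:], "big") != VLAN:
        return None
    if int.from_bytes(attrs.get(TUNNEL_MEDIUM_TYPE, b"")[1:], "big") != IEEE_802:
        return None
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if group[:1] and group[0] <= 0x1F:  # optional leading tag byte
        group = group[1:]
    if not group.isdigit():  # the manual expects a numeric VLAN ID
        return None
    vlan = int(group)
    # Assumption: default VLAN is 1; switch_vlans is the set of VLANs created on the switch.
    return vlan if vlan != default_vlan and vlan in switch_vlans else None

def sample_accept(vlan_text):
    """Constructed Access-Accept (zeroed authenticator) assigning the given VLAN."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in [
        (TUNNEL_TYPE, b"\x00\x00\x00\x0d"), (TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06"),
        (TUNNEL_PRIVATE_GROUP_ID, vlan_text.encode())])
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body
```

A reply that assigns the default VLAN, a VLAN not created on the switch, or a non-numeric group ID yields `None`, which matches the cases in which the manual says the device is not authorized.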
