Quick Reference Guide

PowerConnect B-Series TI24X Configuration Guide 941
53-1002269-02
Configuring 802.1X port security
28
If the RADIUS Access-Accept message does not contain any VLAN information, the Client
dot1x-mac-session is set to “access-is-allowed”. If the port is already in a RADIUS-specified
VLAN, it remains in that VLAN.
Using dynamic VLAN assignment with the MAC port security feature
MAC port security allows the Dell device to learn a limited number of “secure” MAC addresses on
an interface. The interface forwards only packets with source MAC addresses that match these
secure addresses. If the interface receives a packet with a source MAC address that is different
from any of the secure addresses, it is considered a security violation, and subsequent packets
from the violating MAC address can be dropped, or the port can be disabled entirely.
If a port is disabled due to a MAC port security violation, 802.1X clients attempting to connect over
the port cannot be authorized. In addition, 802.1X clients connecting from non-secure MAC
addresses cannot be authorized.
To use 802.1X dynamic VLAN assignment with the MAC port security feature on an interface, you
must set the number of secure MAC addresses to two or more.
Example
PowerConnect(config)# int e 2
PowerConnect(config-if-e10000-2)# port security
PowerConnect(config-port-security-e10000-2)# maximum 2
PowerConnect(config-port-security-e10000-2)# exit
Refer to Chapter 29, “Using the MAC Port Security Feature” for more information.
Dynamically applying IP ACLs and MAC filters to 802.1X ports
The Dell 802.1X implementation supports dynamically applying an IP ACL or MAC address filter to a
port, based on information received from an Authentication Server.
When a client/supplicant successfully completes the EAP authentication process, the
Authentication Server (the RADIUS server) sends the Authenticator (the Dell device) a RADIUS
Access-Accept message that grants the client access to the network. The RADIUS Access-Accept
message contains attributes set for the user in the user's access profile on the RADIUS server.
If the Access-Accept message contains the Filter-ID (type 11) attribute, the Vendor-Specific
(type 26) attribute, or both, the Dell device can use the information in these attributes to apply
an IP ACL or MAC address filter to the authenticated port. The IP ACL or MAC address filter stays
applied to the port for as long as the client is connected to the network. When the client
disconnects from the network, the IP ACL or MAC address filter is removed from the port. If an IP
ACL or MAC address filter had been applied to the port before 802.1X authentication, that filter is
then re-applied to the port.
The Dell device uses the information in the Filter-ID and Vendor-Specific attributes as follows:
• The Filter-ID attribute can specify the number of an existing IP ACL or MAC address filter
configured on the Dell device. In this case, the IP ACL or MAC address filter with the specified
number is applied to the port.
• The Vendor-Specific attribute can specify the actual syntax of a Dell IP ACL or MAC address
filter, which is then applied to the authenticated port. Configuring a Vendor-Specific attribute in
this way allows you to create IP ACLs and MAC filters that apply to individual users; that is,
per-user IP ACLs or MAC address filters.
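The following Python script is an added illustration, not code from the guide or from the Dell device, of how an authenticator-side process would pull the two attributes described above out of a RADIUS Access-Accept. It walks the RFC 2865 attribute TLVs, decodes the Vendor-Specific attribute into its vendor ID and sub-attributes, and resolves Filter-ID only against ACL numbers that are already configured on the device, reporting an unknown number rather than silently ignoring it. It also checks the Response Authenticator (MD5 over the header, the request authenticator, the attributes and the shared secret) before any attribute is trusted. The vendor ID, vendor sub-attribute type, ACL numbers, shared secret, request authenticator and the filter syntax in the sample packet are all constructed placeholders; the guide does not give the vendor ID or sub-attribute type the device expects, so check those against the RADIUS chapter before reusing this.

```python
import hashlib
import struct

FILTER_ID = 11          # RFC 2865 Filter-Id attribute type
VENDOR_SPECIFIC = 26    # RFC 2865 Vendor-Specific attribute type
CODE_ACCESS_ACCEPT = 2

# Constructed placeholders for the example (not values from the guide).
EXAMPLE_VENDOR_ID = 99999
EXAMPLE_VSA_TYPE = 1
EXAMPLE_SECRET = b"example-shared-secret"
EXAMPLE_REQUEST_AUTH = bytes(range(16))


def parse_attributes(data: bytes):
    """Walk RADIUS attribute TLVs (type, length, value); refuse malformed lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError(f"bad attribute length {alen} for type {atype}")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def parse_vsa(value: bytes):
    """Split a Vendor-Specific value into (vendor_id, [(vendor_type, bytes), ...])."""
    if len(value) < 4:
        raise ValueError("VSA shorter than its vendor-id field")
    vendor_id = struct.unpack("!I", value[:4])[0]
    # The sub-attributes reuse the same TLV layout after the 4-byte vendor ID.
    return vendor_id, parse_attributes(value[4:])


def response_authenticator(code, ident, length, request_auth, body, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, length) + request_auth + body + secret).digest()


def parse_access_accept(packet: bytes, request_auth: bytes, secret: bytes):
    """Validate the packet header and authenticator, then return its attributes."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    expected = response_authenticator(code, ident, length, request_auth, packet[20:], secret)
    if packet[4:20] != expected:
        # Attributes from an unauthenticated reply must never drive port policy.
        raise ValueError("Response Authenticator mismatch; attributes not trusted")
    return parse_attributes(packet[20:])


def port_policy_from_accept(packet, request_auth, secret, configured_acls):
    """Return which ACLs/filters the port would receive from the Access-Accept."""
    policy = {"filter_ids": [], "unknown_filter_ids": [], "vendor_filters": []}
    for atype, val in parse_access_accept(packet, request_auth, secret):
        if atype == FILTER_ID:
            name = val.decode("ascii", "replace")
            key = "filter_ids" if name in configured_acls else "unknown_filter_ids"
            policy[key].append(name)
        elif atype == VENDOR_SPECIFIC:
            vendor_id, subs = parse_vsa(val)
            for vtype, sval in subs:
                policy["vendor_filters"].append((vendor_id, vtype, sval.decode("ascii", "replace")))
    return policy


def build_access_accept(attrs, request_auth, secret, ident=7):
    """Build a constructed Access-Accept so the parser can be exercised offline."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    length = 20 + len(body)
    auth = response_authenticator(CODE_ACCESS_ACCEPT, ident, length, request_auth, body, secret)
    return struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, length) + auth + body


def build_vsa(vendor_id, vtype, value: bytes):
    return struct.pack("!I", vendor_id) + bytes([vtype, len(value) + 2]) + value


# Constructed sample: Filter-ID naming ACL 101 plus one vendor sub-attribute carrying filter text.
SAMPLE_ACCEPT = build_access_accept(
    [(FILTER_ID, b"101"),
     (VENDOR_SPECIFIC, build_vsa(EXAMPLE_VENDOR_ID, EXAMPLE_VSA_TYPE, b"permit ip any any"))],
    EXAMPLE_REQUEST_AUTH, EXAMPLE_SECRET)

if __name__ == "__main__":
    print(port_policy_from_accept(SAMPLE_ACCEPT, EXAMPLE_REQUEST_AUTH, EXAMPLE_SECRET, {"101", "102"}))
```

Run it with no arguments to see the policy extracted from the constructed sample. The two things worth copying into a real integration are the fail-closed handling of a Filter-ID that names an ACL the device does not have, and the refusal to read any attribute before the Response Authenticator has been checked against the shared secret.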