Quick Reference Guide

ManualsBrandsDell ManualsComputer equipmentPowerConnect B-TI24x

971

972

973

974

975

976

977

978

979

980

942 PowerConnect B-Series TI24X Configuration Guide

53-1002269-02

Configuring 802.1X port security

Configuration considerations

The following restrictions apply to dynamic IP ACLs or MAC address filters:

• Inbound dynamic IP ACLs are supported. Outbound dynamic ACLs are not supported.

• Inbound Vendor-Specific attributes are supported. Outbound Vendor-Specific attributes are

not supported.

• A maximum of one IP ACL can be configured in the inbound direction on an interface.

• MAC address filters cannot be configured in the outbound direction on an interface.

• Concurrent operation of MAC address filters and IP ACLs is not supported.

Disabling and enabling strict security mode for dynamic filter assignment

By default, 802.1X dynamic filter assignment operates in strict security mode. When strict security

mode is enabled, 802.1X authentication for a port fails if the Filter-ID attribute contains invalid

information, or if insufficient system resources are available to implement the per-user IP ACLs or

MAC address filters specified in the Vendor-Specific attribute.

When strict security mode is enabled:

• If the Filter-ID attribute in the Access-Accept message contains a value that does not refer to

an existing filter (that is, a MAC address filter or IP ACL configured on the device), then the port

will not be authenticated, regardless of any other information in the message (for example, if

the Tunnel-Private-Group-ID attribute specifies a VLAN on which to assign the port).

• If the Vendor-Specific attribute specifies the syntax for a filter, but there are insufficient system

resources to implement the filter, then the port will not be authenticated.

• If the device does not have the system resources available to dynamically apply a filter to a

port, then the port will not be authenticated.

NOTE

If the Access-Accept message contains values for both the Filter-ID and Vendor-Specific

attributes, then the value in the Vendor-Specific attribute (the per-user filter) takes

precedence.

Also, if authentication for a port fails because the Filter-ID attribute referred to a non-existent

filter, or there were insufficient system resources to implement the filter, then a Syslog

message is generated.

When strict security mode is disabled:

• If the Filter-ID attribute in the Access-Accept message contains a value that does not refer to

an existing filter (that is, a MAC address filter or IP ACL configured on the device), then the port

is still authenticated, but no filter is dynamically applied to it.

• If the Vendor-Specific attribute specifies the syntax for a filter, but there are insufficient system

resources to implement the filter, then the port is still authenticated, but the filter specified in

the Vendor-Specific attribute is not applied to the port.

By default, strict security mode is enabled for all 802.1X-enabled interfaces, but you can manually

disable or enable it, either globally or for specific interfaces.

To disable strict security mode globally, enter the following commands.

PowerConnect(config)# dot1x-enable

PowerConnect(config-dot1x)# no global-filter-strict-security