Configuration Guide User guide

FastIron Configuration Guide 1803
53-1002494-02
802.1X port security configuration
NOTE
This feature is supported on port-based VLANs only. This feature cannot be used to place an
802.1X-enabled port into a Layer 3 protocol VLAN.
Automatic removal of dynamic VLAN assignments for 802.1X ports
For increased security, this feature removes any association between a port and a
dynamically-assigned VLAN when all 802.1X sessions for that VLAN have expired on the port.
NOTE
When a show run command is issued during a session, the dynamically-assigned VLAN is not
displayed.
Enable 802.1X VLAN ID support by adding the RADIUS attributes Tunnel-Type, Tunnel-Medium-Type
and Tunnel-Private-Group-ID (listed in the table at the end of this section) to a user profile on
the RADIUS server.
The device reads the attributes as follows:
If the Tunnel-Type or the Tunnel-Medium-Type attributes in the Access-Accept message do not
have the values specified above, the Brocade device ignores the three Attribute-Value pairs.
The client becomes authorized, but the client port is not dynamically placed in a VLAN.
If the Tunnel-Type or the Tunnel-Medium-Type attributes in the Access-Accept message do have
the values specified above, but there is no value specified for the Tunnel-Private-Group-ID
attribute, the client will not become authorized.
When the Brocade device receives the value specified for the Tunnel-Private-Group-ID
attribute, it checks whether the <vlan-name> string matches the name of a VLAN configured
on the device. If there is a VLAN on the device whose name matches the <vlan-name> string,
then the client port is placed in the VLAN whose ID corresponds to the VLAN name.
If the <vlan-name> string does not match the name of a VLAN, the Brocade device checks
whether the string, when converted to a number, matches the ID of a VLAN configured on the
device. If it does, then the client port is placed in the VLAN with that ID.
If the <vlan-name> string does not match either the name or the ID of a VLAN configured on
the device, then the client will not become authorized.
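The following Python model of the evaluation rules above is an added example, not Brocade code. It assumes the Access-Accept attributes have already been parsed into a dictionary keyed by RADIUS attribute type (64, 65, 81 as in the table) and that the device's VLAN table is available as a constructed id-to-name dictionary; the `strip_tag` helper applies the RFC 2868 tag-byte convention, which this page does not describe.

```python
# Added example: models how the Brocade device interprets the tunnel attributes.
TUNNEL_TYPE = 64               # RADIUS attribute 064
TUNNEL_MEDIUM_TYPE = 65        # RADIUS attribute 065
TUNNEL_PRIVATE_GROUP_ID = 81   # RADIUS attribute 081

TUNNEL_TYPE_VLAN = 13          # Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_802 = 6          # Tunnel-Medium-Type value meaning "802"


def strip_tag(raw: bytes) -> str:
    """RFC 2868 tunnel attributes may start with a 1-byte tag (0x00-0x1F).
    A first byte above 0x1F is the first character of the string itself."""
    if raw and raw[0] <= 0x1F:
        raw = raw[1:]
    return raw.decode("ascii", errors="replace")


def evaluate_access_accept(attributes: dict, vlans: dict):
    """Return (authorized, vlan_id) for one Access-Accept message.

    attributes: {attr_type: value} as parsed from the message.
    vlans: {vlan_id: vlan_name} configured on the device (constructed sample).
    vlan_id is None when the port stays in its default VLAN.
    """
    if (attributes.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN
            or attributes.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_802):
        # Rule 1: wrong or missing tunnel values, all three AVPs are ignored.
        # The client is authorized but the port is not moved.
        return True, None

    group = attributes.get(TUNNEL_PRIVATE_GROUP_ID)
    if group is None or group == "":
        # Rule 2: tunnel values present but no Tunnel-Private-Group-ID.
        return False, None

    # Rule 3: match <vlan-name> against configured VLAN names first.
    by_name = {name: vid for vid, name in vlans.items()}
    if group in by_name:
        return True, by_name[group]

    # Rule 4: otherwise treat the string as a numeric VLAN ID.
    if group.isdigit() and int(group) in vlans:
        return True, int(group)

    # Rule 5: neither name nor ID matches; the client is not authorized.
    return False, None
```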
The show interface command displays the VLAN to which an 802.1X-enabled port has been
dynamically assigned, as well as the port from which it was moved (that is, the port default
VLAN). Refer to “Displaying dynamically-assigned VLAN information” on page 1825 for sample
output indicating the port's dynamically assigned VLAN.
Dynamic multiple VLAN assignment for 802.1X ports
When you add attributes to a user profile on the RADIUS server, the <vlan-name> value for the
Tunnel-Private-Group-ID attribute can specify the name or number of one or more VLANs configured
on the Brocade device.
RADIUS attributes for 802.1X VLAN ID support (referenced under "Enable 802.1X VLAN ID support" above):

Attribute name            Type  Value
Tunnel-Type               064   13 (decimal) – VLAN
Tunnel-Medium-Type        065   6 (decimal) – 802
Tunnel-Private-Group-ID   081   <vlan-name> (string) – either the name or the number of a VLAN
                                configured on the Brocade device.