Configuration Guide User guide

FastIron Configuration Guide 1859
53-1002494-02
Multi-device port authentication configuration
If the <vlan-name> string does not match either the name or the ID of a VLAN configured on the device, then it is considered an authentication failure, and the configured authentication failure action is performed for the MAC address.

For tagged or dual-mode ports, if the VLAN ID provided by the RADIUS server does not match the VLAN ID in the tagged packet that contains the authenticated MAC address as its source address, then it is considered an authentication failure, and the configured authentication failure action is performed for the MAC address.

If an untagged port had previously been assigned to a VLAN through dynamic VLAN assignment, and then another MAC address is authenticated on the same port, but the RADIUS Access-Accept message for the second MAC address specifies a different VLAN, then it is considered an authentication failure for the second MAC address, and the configured authentication failure action is performed. Note that this applies only if the first MAC address has not yet aged out. If the first MAC address has aged out, then dynamic VLAN assignment would work as expected for the second MAC address.

For dual-mode ports, if the RADIUS server returns T:<vlan-name>, the traffic will still be forwarded in the statically assigned PVID. If the RADIUS server returns U:<vlan-name>, the traffic will not be forwarded in the statically assigned PVID.
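As an added illustration (not taken from this guide or from Brocade), the following Python model applies the failure rules above to one RADIUS Access-Accept: it resolves the Tunnel-Private-Group-ID string against the configured VLANs, expects the Tunnel-Type 13 / Tunnel-Medium-Type 6 encoding the guide specifies, and evaluates the tagged, untagged and dual-mode cases. The Port class, the VLAN map and the attribute dictionaries are constructed sample data; treating an Access-Accept without VLAN attributes as an accept with no dynamic VLAN is an assumption of the model, not a statement from the guide.

```python
from dataclasses import dataclass
from typing import Optional

# RADIUS attribute types used for dynamic VLAN assignment (values per the guide)
TUNNEL_TYPE = 64              # expected value 13 (decimal) = VLAN
TUNNEL_MEDIUM_TYPE = 65       # expected value 6 (decimal) = 802
TUNNEL_PRIVATE_GROUP_ID = 81  # <vlan-name> string, optionally prefixed T: or U:


@dataclass
class Port:                          # constructed model of per-port state
    mode: str                        # "untagged", "tagged" or "dual"
    pvid: int                        # statically assigned PVID
    dynamic_vlan: Optional[int] = None  # VLAN from an earlier MAC that has not aged out


def resolve_vlan(group_id: str, vlans: dict) -> Optional[int]:
    """Match the Tunnel-Private-Group-ID string against configured VLAN names or IDs."""
    if group_id[:2] in ("T:", "U:"):
        group_id = group_id[2:]
    if group_id.isdigit() and int(group_id) in vlans.values():
        return int(group_id)
    return vlans.get(group_id)       # None when neither name nor ID matches


def check_accept(attrs: dict, port: Port, vlans: dict, tagged_vid: Optional[int] = None) -> dict:
    """Apply the guide's authentication-failure rules to one Access-Accept.
    attrs maps RADIUS attribute type -> value; tagged_vid is the 802.1Q VLAN ID of the
    packet carrying the authenticated MAC as source, or None if the packet was untagged."""
    if attrs.get(TUNNEL_TYPE) != 13 or attrs.get(TUNNEL_MEDIUM_TYPE) != 6:
        # Assumption: no usable VLAN attributes means accept without a dynamic VLAN.
        return {"result": "accept", "vlan": None, "forward_in_pvid": None}
    group_id = str(attrs.get(TUNNEL_PRIVATE_GROUP_ID, ""))
    vlan = resolve_vlan(group_id, vlans)
    if vlan is None:
        return {"result": "failure", "reason": "VLAN name/ID not configured on device"}
    if port.mode in ("tagged", "dual") and tagged_vid is not None and tagged_vid != vlan:
        return {"result": "failure", "reason": "RADIUS VLAN does not match packet tag"}
    if port.mode == "untagged" and port.dynamic_vlan not in (None, vlan):
        return {"result": "failure", "reason": "port already assigned to another VLAN"}
    # Dual-mode ports: T: keeps forwarding in the PVID, U: stops it; otherwise unspecified.
    forward_in_pvid = None
    if port.mode == "dual" and group_id[:2] in ("T:", "U:"):
        forward_in_pvid = group_id.startswith("T:")
    return {"result": "accept", "vlan": vlan, "forward_in_pvid": forward_in_pvid}
```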
Configuring the RADIUS server to support dynamic VLAN assignment

To specify VLAN identifiers on the RADIUS server, add the following attributes to the profile for the MAC address on the RADIUS server, then enable dynamic VLAN assignment on multi-device port authentication-enabled interfaces.

Attribute name             Type   Value
Tunnel-Type                064    13 (decimal) – VLAN
Tunnel-Medium-Type         065    6 (decimal) – 802
Tunnel-Private-Group-ID    081    <vlan-name> (string)

The <vlan-name> value can specify either the name or the number of one or more VLANs configured on the Brocade device.

For information about the attributes, refer to “Dynamic multiple VLAN assignment for 802.1X ports” on page 1803.

Also, refer to the example configuration of “Multi-device port authentication with dynamic VLAN assignment” on page 1879.

Enabling dynamic VLAN support for tagged packets on non-member VLAN ports

NOTE
This feature is not supported on FWS and FCX devices.

By default, the Brocade device drops tagged packets that are received on non-member VLAN ports. This process is called ingress filtering. Since the MAC addresses of these packets are not learned, authentication does not take place.

The Brocade device can authenticate clients that send tagged packets on non-member VLAN ports. This enables the Brocade device to add the VLAN dynamically. To enable support, enter the following command at the Interface level of the CLI.