
FastIron Configuration Guide 1861
53-1002494-02
Multi-device port authentication configuration
NOTE
When a MAC session is deleted and the port is moved back to a VLAN that differs from the one
recorded in the running-config file, the system updates the running-config file to reflect the
change. This occurs even if mac-authentication save-dynamicvlan-to-config is not configured.
Automatic removal of dynamic VLAN assignments for MAC authenticated ports
NOTE
This feature is not supported on FWS and FCX devices.
By default, the Brocade device removes any association between a port and a dynamically-assigned
VLAN when all authenticated MAC sessions for that tagged or untagged VLAN have expired on the
port. Because the association is transient, RADIUS-specified VLAN assignments are not saved to the
device running-config file. When the show run command is issued during a session,
dynamically-assigned VLANs are not displayed, although they can be displayed with the show vlan,
show auth-mac-addresses detail, and show auth-mac-addresses authorized-mac commands.
You can optionally configure the Brocade device to save the RADIUS-specified VLAN assignments to
the device's running-config file. Refer to "Saving dynamic VLAN assignments to the running-config
file", next.
Saving dynamic VLAN assignments to the running-config file
By default, dynamic VLAN assignments are not saved to the running-config file of the Brocade
device. However, you can configure the device to do so by entering the following command.
Brocade(config)#mac-authentication save-dynamicvlan-to-config
When the above command is applied, dynamic VLAN assignments are saved to the running-config
file and are displayed when the show run command is issued. Dynamic VLAN assignments can
also be displayed with the show vlan, show auth-mac-addresses detail, and
show auth-mac-addresses authorized-mac commands.
Syntax: [no] mac-authentication save-dynamicvlan-to-config
Dynamically applying IP ACLs to authenticated MAC addresses
The Brocade multi-device port authentication implementation supports the assignment of a MAC
address to a specific ACL, based on the MAC address learned on the interface.
When a MAC address is successfully authenticated, the RADIUS server sends the Brocade device a
RADIUS Access-Accept message that allows the Brocade device to forward traffic from that MAC
address. The Access-Accept message can also carry, among other attributes, the Filter-ID
(type 11) attribute for the MAC address. When the Brocade device receives an Access-Accept
message containing the Filter-ID (type 11) attribute, it uses the value of that attribute to apply
an IP ACL on a per-MAC (per user) basis.
The dynamic IP ACL remains active as long as the client is connected to the network. When the
client disconnects from the network, the IP ACL is no longer applied to the port. If an IP ACL had
been applied to the port before multi-device port authentication, that ACL is re-applied to the port.
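The exchange described above, written out as an added example (this is not Brocade code and not the switch's actual implementation): the RADIUS server builds an Access-Accept carrying Filter-ID (type 11), and a simplified switch-side routine verifies the Response Authenticator, extracts the attributes, and decides which ACL applies to the authenticated MAC, falling back to the port's static ACL when no Filter-ID is present. Packet encoding follows RFC 2865. The dynamic VLAN is carried in Tunnel-Private-Group-ID (type 81, RFC 3580); that attribute, the shared secret, the Request Authenticator and the ACL names are assumptions constructed for the example, since the page names only Filter-ID.

```python
# Added example, not Brocade code: a RADIUS Access-Accept with Filter-ID
# (type 11) and the switch-side decision for one authenticated MAC.
# Encoding per RFC 2865; the VLAN attribute (type 81, RFC 3580) and all
# sample values are assumptions constructed for the example.
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_FILTER_ID = 11                 # RFC 2865 section 5.11
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81   # RFC 2868 / RFC 3580 (assumed here)

SECRET = b"constructed-shared-secret"   # constructed, not a real secret
REQ_AUTH = bytes(range(16))             # constructed Request Authenticator


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS type-length-value entries."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def build_reply(code, ident, request_auth, secret, attrs):
    """Build an Access-Accept/Reject. Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse_attrs(data):
    """Walk the TLVs, refusing truncated or zero-length entries."""
    attrs, off = [], 0
    while off < len(data):
        if len(data) - off < 2:
            raise ValueError("truncated attribute header")
        t, length = struct.unpack_from("!BB", data, off)
        if length < 2 or off + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((t, data[off + 2:off + length]))
        off += length
    return attrs


def verify_reply(pkt, request_auth, secret):
    """Check the Response Authenticator before trusting any attribute;
    a reply that fails the check is dropped, never treated as a Reject."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack_from("!BBH", pkt, 0)
    if length != len(pkt):
        raise ValueError("length field mismatch")
    header, resp_auth, body = pkt[:4], pkt[4:20], pkt[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        raise ValueError("bad Response Authenticator")
    return code, ident, parse_attrs(body)


def session_policy(pkt, request_auth, secret, port_acl=None):
    """What the switch applies to the MAC: Filter-ID -> per-MAC ACL,
    otherwise the port's static ACL; type 81 -> dynamic VLAN (the
    optional RFC 2868 tag octet, value 0x00-0x1F, is stripped)."""
    code, _, attrs = verify_reply(pkt, request_auth, secret)
    if code != ACCESS_ACCEPT:
        return {"authorized": False, "acl": None, "vlan": None}
    acl, vlan, seen_filter = port_acl, None, False
    for t, v in attrs:
        if t == ATTR_FILTER_ID and not seen_filter:
            acl, seen_filter = v.decode("ascii"), True   # first one wins
        elif t == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            if v and v[0] <= 0x1F:
                v = v[1:]
            vlan = v.decode("ascii")
    return {"authorized": True, "acl": acl, "vlan": vlan}


def demo():
    """Constructed exchanges: accept with ACL and VLAN, accept without
    Filter-ID, reject, and an accept modified in transit."""
    ok = build_reply(ACCESS_ACCEPT, 7, REQ_AUTH, SECRET,
                     [(ATTR_FILTER_ID, b"guest-acl"),
                      (ATTR_TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"20")])
    plain = build_reply(ACCESS_ACCEPT, 8, REQ_AUTH, SECRET, [])
    rej = build_reply(ACCESS_REJECT, 9, REQ_AUTH, SECRET, [])
    tampered = bytearray(ok)
    tampered[-1] ^= 0x01                     # flip a bit in the VLAN id
    results = {
        "accept": session_policy(ok, REQ_AUTH, SECRET, port_acl="port-acl"),
        "no_filter": session_policy(plain, REQ_AUTH, SECRET, port_acl="port-acl"),
        "reject": session_policy(rej, REQ_AUTH, SECRET, port_acl="port-acl"),
    }
    try:
        session_policy(bytes(tampered), REQ_AUTH, SECRET)
        results["tampered_dropped"] = False
    except ValueError:
        results["tampered_dropped"] = True
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The authenticator check comes first on purpose: without it, anyone who can inject UDP toward the switch could supply a Filter-ID or VLAN of their choosing, so the attributes are only read from a reply that proves knowledge of the shared secret. The fallback to the port's static ACL in the no-Filter-ID case mirrors the behaviour described above for a client that disconnects.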