Configuration Guide User guide

ManualsBrandsBrocade ManualsComputer AccessoriesFastIron

1921

FastIron Configuration Guide 1863

53-1002494-02

Multi-device port authentication configuration

• The RADIUS Filter ID (type 11) attribute is supported. The Vendor-Specific (type 26) attribute is

not supported.

• The dynamic ACL must be an extended ACL. Standard ACLs are not supported.

• Multi-device port authentication and 802.1x can be used together on the same port. However,

Brocade does not recommend the use of multi-device port authentication and 802.1X with

dynamic ACLs together on the same port. If a single supplicant requires both 802.1x and

multi-device port authentication, and if both 802.1x and multi-device port authentication try to

install different dynamic ACLs for the same supplicant, the supplicant will fail authentication.

• Dynamically assigned IP ACLs are subject to the same configuration restrictions as

non-dynamically assigned IP ACLs. One caveat is that ports with VE interfaces cannot have

assigned user-defined ACLs. For example, a user-defined ACL bound to a VE or a port on a VE

is not allowed. There are no restrictions on ports that do not have VE interfaces.

• Dynamic ACL filters are supported only for the inbound direction. Dynamic outbound ACL filters

are not supported.

• Dynamic ACL assignment with multi-device port authentication is not supported in conjunction

with any of the following features:

• IP source guard

• Rate limiting

• Protection against ICMP or TCP Denial-of-Service (DoS) attacks

• Policy-based routing

• 802.1X dynamic filter

Configuring the RADIUS server to support dynamic IP ACLs

When a port is authenticated using multi-device port authentication, an IP ACL filter that exists in

the running-config file on the Brocade device can be dynamically applied to the port. To do this, you

configure the Filter-ID (type 11) attribute on the RADIUS server. The Filter-ID attribute specifies the

name or number of the Brocade IP ACL.

The following is the syntax for configuring the Filter-ID attribute on the RADIUS server to refer to a

Brocade IP ACL.

The following table lists examples of values you can assign to the Filter-ID attribute on the RADIUS

server to refer to IP ACLs configured on a Brocade device.

Value Description

ip.<number>.in

1. The ACL must be an extended ACL. Standard ACLs are not supported.

Applies the specified numbered ACL to the authenticated port in the inbound direction.

ip.<name>.in

2. The <name> in the Filter ID attribute is case-sensitive

Applies the specified named ACL to the authenticated port in the inbound direction.

Possible values for the filter ID attribute on the

RADIUS server

ACLs configured on the Brocade device

ip.102.in access-list 102 permit ip 36.0.0.0 0.255.255.255 any

ip.fdry_filter.in ip access-list standard fdry_filter

permit host 36.48.0.3