Dynamic multiple VLAN assignment for 802.1X ports (Brocade FastIron Ethernet Switch Security Configuration Guide)

• When the Brocade device receives the value specified for the Tunnel-Private-Group-ID attribute, it checks whether the vlan-name string matches the name of a VLAN configured on the device. If there is a VLAN on the device whose name matches the vlan-name string, then the client port is placed in the VLAN whose ID corresponds to the VLAN name.

• If the vlan-name string does not match the name of a VLAN, the Brocade device checks whether the string, when converted to a number, matches the ID of a VLAN configured on the device. If it does, then the client port is placed in the VLAN with that ID.

• If the vlan-name string does not match either the name or the ID of a VLAN configured on the device, then the client will not become authorized.

The show interface command displays the VLAN to which an 802.1X-enabled port has been dynamically assigned, as well as the port from which it was moved (that is, the port default VLAN). Refer to Displaying dynamically-assigned VLAN information on page 206 for sample output indicating the port dynamically assigned VLAN.

Dynamic multiple VLAN assignment for 802.1X ports

When you add attributes to a user profile on the RADIUS server, the vlan-name value for the Tunnel-
Private-Group-ID attribute can specify the name or number of one or more VLANs configured on the
Brocade device.

For example, to specify one VLAN, configure the following for the vlan-name value in the Tunnel-
Private-Group-ID attribute on the RADIUS server.

"10" or "marketing"

In this example, the port on which the Client is authenticated is assigned to VLAN 10 or the VLAN
named "marketing". The VLAN to which the port is assigned must have previously been configured on
the Brocade device.

Specifying an untagged VLAN

To specify an untagged VLAN, use the following.

"U:10" or "U:marketing"

When the RADIUS server specifies an untagged VLAN ID, the port default VLAN ID (or PVID) is
changed from the system DEFAULT-VLAN (VLAN 1) to the specified VLAN ID. The port transmits only
untagged traffic on its PVID. In this example, the port PVID is changed from VLAN 1 (the DEFAULT-
VLAN) to VLAN 10 or the VLAN named "marketing".

The PVID for a port can be changed only once through RADIUS authentication. For example, if
RADIUS authentication for a Client causes a port PVID to be changed from 1 to 10, and then RADIUS
authentication for another Client on the same port specifies that the port PVID be moved to 20, then the
second PVID assignment from the RADIUS server is ignored.

If the link goes down, or the dot1x-mac-session for the Client that caused the initial PVID assignment
ages out, then the port reverts back to its original (non-RADIUS-specified) PVID, and subsequent
RADIUS authentication can change the PVID assignment for the port.

If a port PVID is assigned through the multi-device port authentication feature, and 802.1X
authentication subsequently specifies a different PVID, then the PVID specified through 802.1X
authentication overrides the PVID specified through multi-device port authentication.

Specifying a tagged VLAN

To specify a tagged VLAN, use the following.

"T:12;T:20" or "T:12;T:marketing"
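The following is an added example, not code from the guide or from Brocade, that models two things this section describes: the lookup order for a vlan-name string (VLAN name first, then numeric ID, otherwise the client is not authorized) and the "U:"/"T:" multi-VLAN syntax, together with the rule that RADIUS may change a port's PVID only once until the link goes down or the originating dot1x-mac-session ages out. The VLAN table, the Port class and its method names are constructed for illustration; treating a bare entry (no prefix) as untagged is an assumption, as is leaving tagged membership untouched on link-down, which this page does not describe.

```python
"""Model of how a switch resolves the RADIUS Tunnel-Private-Group-ID value.

Constructed example for illustration; not Brocade FastIron code.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed stand-in for "VLANs configured on the device": ID -> name.
CONFIGURED_VLANS: Dict[int, str] = {
    1: "DEFAULT-VLAN",
    10: "marketing",
    12: "engineering",
    20: "guests",
}


def resolve_vlan(token: str, vlans: Dict[int, str] = CONFIGURED_VLANS) -> Optional[int]:
    """Apply the page's lookup order to one vlan-name token.

    1. If the token equals the name of a configured VLAN, return that VLAN's ID.
    2. Otherwise, if the token converts to a number that is a configured VLAN ID, return it.
    3. Otherwise return None: the client will not become authorized.
    """
    for vid, name in vlans.items():
        if name == token:
            return vid
    if token.isdigit() and int(token) in vlans:
        return int(token)
    return None


@dataclass
class Assignment:
    """Result of parsing one attribute value: at most one untagged VLAN, any tagged VLANs."""
    untagged: Optional[int] = None
    tagged: List[int] = field(default_factory=list)


def parse_tunnel_private_group_id(value: str,
                                  vlans: Dict[int, str] = CONFIGURED_VLANS) -> Optional[Assignment]:
    """Parse strings such as '10', 'U:marketing' or 'T:12;T:marketing'.

    Entries are separated by ';'. 'U:' marks the untagged VLAN (new PVID), 'T:' a
    tagged VLAN. A bare entry is treated as untagged (assumption). Any entry that
    fails resolve_vlan() makes the whole assignment fail (returns None), matching
    the page's "client will not become authorized" rule.
    """
    result = Assignment()
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        if entry.startswith("U:"):
            kind, token = "U", entry[2:]
        elif entry.startswith("T:"):
            kind, token = "T", entry[2:]
        else:
            kind, token = "U", entry  # assumption: no prefix means untagged
        vid = resolve_vlan(token, vlans)
        if vid is None:
            return None
        if kind == "U":
            result.untagged = vid
        else:
            result.tagged.append(vid)
    return result


class Port:
    """Hypothetical port model capturing the 'PVID changes only once' rule."""

    DEFAULT_PVID = 1  # the system DEFAULT-VLAN

    def __init__(self) -> None:
        self.pvid = self.DEFAULT_PVID
        self.radius_set_pvid = False  # True once RADIUS has moved the PVID
        self.tagged: set = set()

    def apply(self, assignment: Assignment) -> int:
        """Apply a successful RADIUS assignment; return the resulting PVID."""
        if assignment.untagged is not None and not self.radius_set_pvid:
            self.pvid = assignment.untagged
            self.radius_set_pvid = True
        # A second untagged assignment while radius_set_pvid is True is ignored,
        # exactly as the page describes for a second Client on the same port.
        self.tagged.update(assignment.tagged)
        return self.pvid

    def link_down_or_session_age_out(self) -> int:
        """Revert to the original PVID so a later RADIUS result may change it again.

        The page only describes PVID reversion; tagged membership is left as-is (assumption).
        """
        self.pvid = self.DEFAULT_PVID
        self.radius_set_pvid = False
        return self.pvid


if __name__ == "__main__":
    port = Port()
    first = parse_tunnel_private_group_id("U:marketing;T:12")
    print("after first client:", port.apply(first), sorted(port.tagged))
    second = parse_tunnel_private_group_id("U:20")
    print("after second client (ignored PVID):", port.apply(second))
    port.link_down_or_session_age_out()
    print("after link down, re-auth:", port.apply(second))
```

Running the module as a script walks through the scenario on this page: the first client moves the PVID from 1 to 10, the second client's request for 20 is ignored, and only after the link-down event does a new authentication move the PVID to 20.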

FastIron Ethernet Switch Security Configuration Guide, page 185, 53-1003088-03