Brocade FastIron Ethernet Switch Security Configuration Guide User Manual
Page 186
In this example, the port is added to VLANs 12 and 20 or VLANs 12 and the VLAN named
"marketing". When a tagged packet is authenticated, and a list of VLANs is specified on the RADIUS
server for the MAC address, then the packet tag must match one of the VLANs in the list in order for
the Client to be successfully authenticated. If authentication is successful, then the port is added to all
of the VLANs specified in the list.
Unlike with a RADIUS-specified untagged VLAN, if the dot1x-mac-session for the Client ages out, the
port membership in RADIUS-specified tagged VLANs is not changed. In addition, if multi-device port
authentication specifies a different list of tagged VLANs, then the port is added to the specified list of
VLANs. Membership in the VLANs specified through 802.1X authentication is not changed.
Specifying an untagged VLAN and multiple tagged VLANs
To specify an untagged VLAN and multiple tagged VLANs, use the following.
"U:10;T:12;T:marketing"
When the RADIUS server returns a value specifying both untagged and tagged VLAN IDs, the port
becomes a dual-mode port, accepting and transmitting both tagged traffic and untagged traffic at the
same time. A dual-mode port transmits only untagged traffic on its default VLAN (PVID) and only
tagged traffic on all other VLANs.
In this example, the port VLAN configuration is changed so that it transmits untagged traffic on VLAN
10, and transmits tagged traffic on VLAN 12 and the VLAN named "marketing".
For a configuration example, refer to 802.1X Authentication with dynamic VLAN assignment on page 214.
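The combined "U:…;T:…" string returned by RADIUS can be validated before it is pushed to the server; the following Python is an added example, not Brocade's own code, that parses that format and applies the rule on this page that a tagged packet is authenticated only if its tag matches one of the listed tagged VLANs. The class and function names are assumptions, and the sample strings in the comments are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Assumed format, as described in this guide: "U:<id>" names the single untagged
# VLAN (the port PVID) and each "T:<id-or-name>" names a tagged VLAN; entries are
# separated by ";". Sample input such as "U:10;T:12;T:marketing" is constructed.


@dataclass
class VlanPolicy:
    untagged: Optional[str] = None            # at most one untagged VLAN
    tagged: List[str] = field(default_factory=list)

    @property
    def dual_mode(self) -> bool:
        # Both an untagged and at least one tagged VLAN make the port dual-mode.
        return self.untagged is not None and bool(self.tagged)


def parse_vlan_string(value: str) -> VlanPolicy:
    """Parse a RADIUS-returned string like "U:10;T:12;T:marketing"."""
    policy = VlanPolicy()
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        m = re.fullmatch(r"([UT]):([A-Za-z0-9_-]+)", item)
        if not m:
            raise ValueError(f"malformed VLAN entry: {item!r}")
        kind, vlan = m.groups()
        if kind == "U":
            if policy.untagged is not None:
                raise ValueError("more than one untagged VLAN in policy")
            policy.untagged = vlan
        else:
            policy.tagged.append(vlan)      # VLAN ID or VLAN name
    return policy


def tagged_frame_accepted(policy: VlanPolicy, frame_vlan: str) -> bool:
    """A tagged packet authenticates only if its tag is in the tagged list."""
    return frame_vlan in policy.tagged


def port_memberships(policy: VlanPolicy) -> Set[str]:
    """VLANs the port joins on success: the untagged VLAN plus every tagged VLAN."""
    members = set(policy.tagged)
    if policy.untagged is not None:
        members.add(policy.untagged)
    return members
```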
Saving dynamic VLAN assignments to the running-config file
You can configure the Brocade device to save the RADIUS-specified VLAN assignments to the
device's running-config file. Enter commands such as the following.
device(config)#dot1x-enable
device(config-dot1x)#save-dynamicvlan-to-config
Syntax: save-dynamicvlan-to-config
By default, the dynamic VLAN assignments are not saved to the running-config file. Entering the show
running-config command does not display dynamic VLAN assignments, although they can be
displayed with the show vlan and show authenticated-mac-address detail commands.
NOTE
When this feature is enabled, issuing the command write mem will save any dynamic VLAN
assignments to the startup configuration file.
Considerations for dynamic VLAN assignment in an 802.1X multiple-host configuration
The following considerations apply when a Client in an 802.1X multiple-host configuration is
successfully authenticated, and the RADIUS Access-Accept message specifies a VLAN for the port:
FastIron Ethernet Switch Security Configuration Guide
53-1003088-03