Brocade FastIron Ethernet Switch Security Configuration Guide User Manual
Page 215
2 is authenticated first, then the PVID for port e2 is changed to VLAN 20. Since a PVID cannot be
changed by RADIUS authentication after it has been dynamically assigned, if User 2 is authenticated
after the port PVID was changed to VLAN 3, then User 2 would not be able to gain access to the
network.
If there were only one device connected to the port, and authentication failed for that device, it could be
placed into the restricted VLAN, where it could gain access to the network.
The portion of the running-config related to 802.1X authentication is as follows.
dot1x-enable
 re-authentication
 servertimeout 10
 timeout re-authperiod 10
 auth-fail-action restricted-vlan
 auth-fail-vlanid 1023
 mac-session-aging no-aging permitted-mac-only
 enable ethe 2 to 4
!
!
!
interface ethernet 2
 dot1x port-control auto
 dual-mode
If User 1 is successfully authenticated before User 2, the PVID for port e2 would be changed from the
default VLAN to VLAN 3.
Had User 2 been the first to be successfully authenticated, the PVID would be changed to 20, and User
1 would not be able to gain access to the network. If User 1 authentication failed first, the PVID for port
e2 would be changed from the default VLAN to the restricted VLAN (1023 in this example), and User 1
would be able to gain access to the limited network. Then, if User 2 is successfully authenticated, the
PVID would be changed to 20, User 2 would be able to gain access to the network, and User 1 would be
moved out of the restricted VLAN and blocked.
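The PVID rules the scenario above walks through, modelled as a small state machine. This is an added example, not text or code from the Brocade guide; the default PVID of 1 and the treatment of a second device that fails after the PVID has already been assigned dynamically are assumptions, while the restricted VLAN 1023 comes from the running-config shown above.

```python
# Added model of a dual-mode 802.1X port: first dynamic PVID assignment wins,
# a later successful user with a different RADIUS VLAN is blocked, a failed
# user on an unassigned port lands in the restricted VLAN, and a later success
# evicts restricted users. Default PVID and the "blocked" outcome for a failure
# on an already-assigned port are assumptions, not documented switch behaviour.
from dataclasses import dataclass, field

DEFAULT_VLAN = 1          # assumed default PVID of port e2
RESTRICTED_VLAN = 1023    # auth-fail-vlanid from the running-config above

@dataclass
class DualModePort:
    pvid: int = DEFAULT_VLAN
    dynamic: bool = False                       # has RADIUS set the PVID yet?
    restricted_users: set = field(default_factory=set)
    status: dict = field(default_factory=dict)  # user -> access/limited/blocked

    def auth_success(self, user, radius_vlan):
        """RADIUS accepted the user and returned radius_vlan for the port."""
        if not self.dynamic or self.pvid == RESTRICTED_VLAN:
            # First dynamic assignment; anyone in the restricted VLAN is evicted.
            self.pvid, self.dynamic = radius_vlan, True
            for u in self.restricted_users:
                self.status[u] = "blocked"
            self.restricted_users.clear()
            self.status[user] = "access"
        elif self.pvid == radius_vlan:
            self.status[user] = "access"        # same VLAN as the current PVID
        else:
            self.status[user] = "blocked"       # PVID cannot be changed again
        return self.status[user]

    def auth_failure(self, user):
        """RADIUS rejected the user; auth-fail-action restricted-vlan applies."""
        if not self.dynamic or self.pvid == RESTRICTED_VLAN:
            self.pvid, self.dynamic = RESTRICTED_VLAN, True
            self.restricted_users.add(user)
            self.status[user] = "limited"
        else:
            self.status[user] = "blocked"       # assumption: PVID already taken
        return self.status[user]

def run(events):
    """Replay (user, succeeded, radius_vlan) events on one fresh port."""
    port = DualModePort()
    for user, ok, vlan in events:
        if ok:
            port.auth_success(user, vlan)
        else:
            port.auth_failure(user)
    return port.pvid, dict(port.status)
```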
Multi-device port authentication and 802.1X security on the same port
You can configure the Brocade device to use multi-device port authentication and 802.1X security on
the same port:
• The multi-device port authentication feature allows you to configure a Brocade device to forward or
block traffic from a MAC address based on information received from a RADIUS server. Incoming
traffic originating from a given MAC address is switched or forwarded by the device only if the source
MAC address is successfully authenticated by a RADIUS server. The MAC address itself is used as
the username and password for RADIUS authentication. A connecting user does not need to provide
a specific username and password to gain access to the network.
• The IEEE 802.1X standard is a means for authenticating devices attached to LAN ports. Using
802.1X port security, you can configure a Brocade device to grant access to a port based on
information supplied by a client to an authentication server.
When both of these features are enabled on the same port, multi-device port authentication is
performed prior to 802.1X authentication. If multi-device port authentication is successful, 802.1X
authentication may be performed, based on the configuration of a vendor-specific attribute (VSA) in the
profile for the MAC address on the RADIUS server.
For more information, including configuration examples, see Multi-device port authentication and 802.1X security on the same port.
53-1003088-03