Brocade FastIron Ethernet Switch Security Configuration Guide User Manual

Page 263

Configuring the RADIUS server to support dynamic VLAN assignment

To specify VLAN identifiers on the RADIUS server, add the following attributes to the profile for the
MAC address on the RADIUS server, then enable dynamic VLAN assignment on multi-device port
authentication-enabled interfaces.

Attribute name            Type   Value
Tunnel-Type               064    13 (decimal) - VLAN
Tunnel-Medium-Type        065    6 (decimal) - 802
Tunnel-Private-Group-ID   081    vlan-name (string)

The vlan-name value can specify either the name or the number of one or more
VLANs configured on the Brocade device.

For information about the attributes, refer to the Dynamic multiple VLAN assignment for 802.1X ports
section.

Also, refer to the example configuration of Multi-device port authentication with dynamic VLAN
assignment on page 281.

Enabling dynamic VLAN support for tagged packets on non-member VLAN ports

NOTE
This feature is not supported on ICX 6610 and FCX devices.

By default, the Brocade device drops tagged packets that are received on non-member VLAN ports.
This process is called ingress filtering. Because the MAC addresses of these packets are not learned,
authentication does not take place.

The Brocade device can authenticate clients that send tagged packets on non-member VLAN ports.
This enables the Brocade device to add the VLAN dynamically. To enable support, enter the following
command at the Interface level of the CLI.

device(config)#interface e 3/1
device(config-if-e1000-3/1)#mac-authentication disable-ingress-filtering

If the client MAC address is successfully authenticated and the correct VLAN attribute is sent by the
RADIUS server, the MAC address will be successfully authenticated on the VLAN.

Syntax: mac-authentication disable-ingress-filtering

Configuration notes and limitations:

• This feature works in conjunction with multi-device port authentication with dynamic VLAN
assignment only. If this feature is not enabled, authentication works as in Example 2 -- multi-device
port authentication with dynamic VLAN assignment on page 283.
• The port on which ingress filtering is disabled must be tagged to a VLAN.
• If a host sends both tagged and untagged traffic, and ingress filtering is disabled on the port, the port
must be configured as a dual-mode port.


53-1003088-03