Brocade FastIron Ethernet Switch Security Configuration Guide User Manual

FIGURE 12 Using multi-device port authentication and 802.1X authentication on the same port

When the devices attempt to connect to the network, they are first subject to multi-device port
authentication.

When the MAC address of the IP phone is authenticated, the Access-Accept message from the
RADIUS server specifies that the IP phone port be placed into the VLAN named "IP-Phone-VLAN".
which is VLAN 7. The Foundry-802_1x-enable attribute is set to 0, meaning that 802.1X authentication
is skipped for this MAC address. Port e 1/3 is placed in VLAN 7 as a tagged port. No further
authentication is performed.

When the PC MAC address is authenticated, the Access-Accept message from the RADIUS server
specifies that the PVID for the PC port be changed to the VLAN named "Login-VLAN", which is VLAN
1024. The Foundry-802_1x-enable attribute is set to 1, meaning that 802.1X authentication is required
for this MAC address. The PVID of the port e 1/3 is temporarily changed to VLAN 1024, pending
802.1X authentication.

When User 1 attempts to connect to the network from the PC, he is subject to 802.1X authentication. If
User 1 is successfully authenticated, the Access-Accept message from the RADIUS server specifies

Multi-Device Port Authentication

286

FastIron Ethernet Switch Security Configuration Guide

53-1003088-03