Supported RADIUS attributes, Dynamic VLAN and ACL assignments – Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual
Multi-Service IronWare Security Configuration Guide, page 271, 53-1003035-02
Chapter 6: How multi-device port authentication works
Supported RADIUS attributes
The Brocade devices support the following RADIUS attributes for multi-device port authentication:
• Username (1) – RFC 2865
• FilterId (11) – RFC 2865
• Vendor-Specific Attributes (26) – RFC 2865
• Tunnel-Type (64) – RFC 2868
• Tunnel-Medium-Type (65) – RFC 2868
• EAP Message (79) – RFC 3579
• Tunnel-Private-Group-Id (81) – RFC 2868
Dynamic VLAN and ACL assignments
The multi-device port authentication feature supports dynamic VLAN assignment, where a port can
be placed in a VLAN based on the MAC address learned on that interface. When a MAC address is
successfully authenticated, the RADIUS server sends the device a RADIUS Access-Accept message
that allows the device to forward traffic from that MAC address. The RADIUS Access-Accept
message can also contain attributes set for the MAC address in its access profile on the RADIUS
server.
If one of the attributes in the Access-Accept message specifies a VLAN identifier, and this VLAN is
available on the device, the port is moved from its default VLAN to the specified VLAN.
To enable dynamic VLAN assignment for authenticated MAC addresses, you must add the following
attributes to the profile for the MAC address on the RADIUS server. Dynamic VLAN assignment on
multi-device port authentication-enabled interfaces is enabled by default.

Attribute name             Type   Value
Tunnel-Type                064    13 (decimal) – VLAN
Tunnel-Medium-Type         065    6 (decimal) – 802
Tunnel-Private-Group-ID    081    vlan-name (string) – either the name or the number of a VLAN configured on the device.

In addition to dynamic VLAN assignment, Brocade devices also support dynamic ACL assignment
as is the case with 802.1x port security.
Support for authenticating multiple MAC addresses on an interface
The multi-device port authentication feature allows multiple MAC addresses to be authenticated or
denied authentication on each interface. The maximum number of MAC addresses that can be
authenticated on each interface is 256. The default is 32.
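The attribute triple from the table above, as an added Python example (not code from the Brocade guide or its software): it encodes the three attributes in RFC 2868 wire format as a RADIUS server would place them in an Access-Accept, parses them back, and mirrors the device-side rule that the port is moved only when the named VLAN exists on the device and otherwise stays in its default VLAN. The `device_vlans` lookup table and the requirement that all three attributes be present are assumptions.

```python
# Added example: RFC 2868 tunnel AVPs for dynamic VLAN assignment.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13      # Tunnel-Type value 13 = VLAN
TUNNEL_MEDIUM_802 = 6      # Tunnel-Medium-Type value 6 = IEEE 802

def encode_vlan_attrs(vlan, tag=0):
    """Build the three AVPs a RADIUS server adds to Access-Accept to request a VLAN.
    Tunnel-Type and Tunnel-Medium-Type carry a 1-byte tag plus a 3-byte integer;
    Tunnel-Private-Group-ID carries the tag plus the VLAN name or number as a string."""
    def tagged_int(attr_type, value):
        body = bytes([tag]) + value.to_bytes(3, "big")
        return bytes([attr_type, 2 + len(body)]) + body
    group = str(vlan).encode()
    gid = bytes([TUNNEL_PRIVATE_GROUP_ID, 3 + len(group), tag]) + group
    return (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802) + gid)

def parse_avps(data):
    """Split a run of RADIUS AVPs (type, length, value) into (type, value_bytes) pairs,
    rejecting a length that is too short or runs past the buffer."""
    avps, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated AVP header")
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > len(data):
            raise ValueError("malformed AVP length")
        avps.append((t, data[i + 2:i + l]))
        i += l
    return avps

def select_vlan(avps, device_vlans, default_vlan):
    """Device-side decision (assumed model): require Tunnel-Type=VLAN and
    Tunnel-Medium-Type=802, then move the port only if the named VLAN is configured.
    device_vlans maps VLAN names and numbers (both as strings) to the VLAN number."""
    found = {}
    for t, v in avps:
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            found[t] = int.from_bytes(v[1:], "big")          # skip the tag byte
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first byte above 0x1F is data, not a tag
            found[t] = (v[1:] if v[0] <= 0x1F else v).decode(errors="replace")
    if (found.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN
            or found.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_802):
        return default_vlan
    return device_vlans.get(found.get(TUNNEL_PRIVATE_GROUP_ID), default_vlan)
```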