Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual

276

Multi-Service IronWare Security Configuration Guide

53-1003035-02

Configuring multi-device port authentication

6

If a previous authentication attempt for a MAC address failed, and as a result the port was placed
in the restricted VLAN, but a subsequent authentication attempt was successful, the RADIUS
Access-Accept message may specify a VLAN for the port. By default, the device moves the port out
of the restricted VLAN and into the RADIUS-specified VLAN. You can optionally configure the device
to ignore the RADIUS-specified VLAN in the RADIUS Access-Accept message, and leave the port in
the restricted VLAN.

To do this, enter the following command.

Brocade(config)# mac-authentication no-override-restrict-vlan

Syntax: [no] mac-authentication no-override-restrict-vlan

NOTES:

•

For untagged ports, if the VLAN ID provided by the RADIUS server is valid, then the
port is removed from its current VLAN and moved to the RADIUS-specified VLAN as an
untagged port.

•

If you configure dynamic VLAN assignment on a multi-device port authentication
enabled interface, and the Access-Accept message returned by the RADIUS server
does not contain a Tunnel-Private-Group-ID attribute, then it is considered an
authentication failure, and the configured authentication failure action is performed
for the MAC address.

•

If the vlan-name string does not match either the name or the ID of a VLAN configured
on the device, then it is considered an authentication failure, and the configured
authentication failure action is performed for the MAC address.

•

If an untagged port had previously been assigned to a VLAN though dynamic VLAN
assignment, and then another MAC address is authenticated on the same port, but
the RADIUS Access-Accept message for the second MAC address specifies a different
VLAN, then it is considered an authentication failure for the second MAC address, and
the configured authentication failure action is performed. Note that this applies only if
the first MAC address has not yet aged out. If the first MAC address has aged out, then
dynamic VLAN assignment would work as expected for the second MAC address.

Specifying the VLAN to which a port is moved after the
RADIUS-specified VLAN assignment expires

When a port is dynamically assigned to a VLAN through the authentication of a MAC address, and
the MAC session for that address is deleted on the device, then by default the port is removed from
its RADIUS-assigned VLAN and placed back in the VLAN where it was originally assigned.

A port can be removed from its RADIUS-assigned VLAN when any of the following occur:

•

The link goes down for the port

•

The MAC session is manually deleted with the mac-authentication clear-mac-session
command

•

The MAC address that caused the port to be dynamically assigned to a VLAN ages out

For example, say port 1/1 is currently in VLAN 100, to which it was assigned when MAC address
0007.eaa1.e90f was authenticated by a RADIUS server. The port was originally configured to be in
VLAN 111. If the MAC session for address 0007.eaa1.e90f is deleted, then port 1/1 is moved from
VLAN 100 back into VLAN 111.