Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual

53-1003035-02

Configuring 802.1x port security

When strict security mode is enabled:

If the Filter-ID attribute in the Access-Accept message contains a value that does not refer to an existing filter (that is, a MAC address filter or IP ACL configured on the device), the client is not authenticated, regardless of any other information in the message (for example, a Tunnel-Private-Group-ID attribute that specifies a VLAN to which to assign the port).

If the Vendor-Specific attribute specifies the syntax for a filter, but there are insufficient system resources to implement the filter, the port is not authenticated.

If the device does not have the system resources available to dynamically apply a filter to a port, the port is not authenticated.

NOTE

If the Access-Accept message contains values for both the Filter-ID and Vendor-Specific attributes, the value in the Vendor-Specific attribute (the per-user filter) takes precedence. Also, if authentication for a port fails because the Filter-ID attribute referred to a non-existent filter, or because there were insufficient system resources to implement the filter, a Syslog message is generated.

When strict security mode is disabled:

If the Filter-ID attribute in the Access-Accept message contains a value that does not refer to an existing filter (that is, a MAC address filter or IP ACL configured on the device), the port is still authenticated, but no filter is dynamically applied to it.

If the Vendor-Specific attribute specifies the syntax for a filter, but there are insufficient system resources to implement the filter, the port is still authenticated, but the filter specified in the Vendor-Specific attribute is not applied to the port.

By default, strict security mode is enabled for all 802.1x-enabled interfaces, but you can manually disable or enable it, either globally or for specific interfaces.
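The decision rules above, as an added illustration that is not part of the Brocade guide: a small Python model that verifies a RADIUS Access-Accept, extracts the Filter-ID, Vendor-Specific and Tunnel-Private-Group-ID attributes, and applies the strict and non-strict outcomes. The RADIUS framing is the RFC 2865 header and TLV layout; everything device-side is assumed for the example: the filter table, the resource counter standing in for "system resources", the Vendor-Specific payload layout (a 4-byte Vendor-Id followed by filter text), the constructed packets and shared secret, and the Syslog wording. The model also generalizes slightly: it treats every filter failure the same way in non-strict mode (admit the port, apply no filter), where the guide spells out the Filter-ID and Vendor-Specific cases.

```python
"""Added model of the strict-security decision for a RADIUS Access-Accept (not Brocade code).
RADIUS framing follows RFC 2865; device state, VSA payload layout and sample values are assumptions."""
import hashlib
import struct
from collections import namedtuple
from dataclasses import dataclass, field

ACCESS_ACCEPT = 2
ATTR_FILTER_ID = 11                # RFC 2865 Filter-Id
ATTR_VENDOR_SPECIFIC = 26          # RFC 2865 Vendor-Specific
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81  # RFC 2868 Tunnel-Private-Group-ID
HEADER_LEN = 20                    # code, identifier, length, 16-byte authenticator
Decision = namedtuple("Decision", "authenticated applied_filter vlan")


def build_access_accept(attrs, ident, request_authenticator, secret):
    """Constructed Access-Accept carrying a valid Response Authenticator."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, HEADER_LEN + len(body))
    return head + hashlib.md5(head + request_authenticator + body + secret).digest() + body


def parse_access_accept(packet, request_authenticator, secret):
    """Verify the Response Authenticator, then walk the attribute TLVs. Acting on Filter-Id
    or a VSA from an unverified packet would let a forged reply choose the filter."""
    if len(packet) < HEADER_LEN or packet[0] != ACCESS_ACCEPT \
            or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    head, resp_auth, body = packet[:4], packet[4:HEADER_LEN], packet[HEADER_LEN:]
    if resp_auth != hashlib.md5(head + request_authenticator + body + secret).digest():
        raise ValueError("Response Authenticator mismatch")
    attrs, pos = [], 0
    while pos < len(body):
        if len(body) - pos < 2 or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("bad attribute length")
        attrs.append((body[pos], body[pos + 2:pos + body[pos + 1]]))
        pos += body[pos + 1]
    return attrs


@dataclass
class Device:
    filters: set                  # MAC filters / IP ACLs configured on the device
    free_filter_slots: int        # assumed counter for dynamically applied filters
    strict: bool = True           # strict security mode is the default
    syslog: list = field(default_factory=list)


def decide(dev, attrs):
    """Apply the strict / non-strict rules from the manual to the parsed attributes."""
    filter_id = vsa = vlan = None
    for typ, val in attrs:
        if typ == ATTR_FILTER_ID:
            filter_id = val.decode()
        elif typ == ATTR_VENDOR_SPECIFIC:
            vsa = val[4:].decode()  # assumption: 4-byte Vendor-Id, then the filter text
        elif typ == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            vlan = (val[1:] if val and val[0] <= 0x1F else val).decode()  # drop tag octet
    def fail(reason):
        # Strict: refuse and log to Syslog. Non-strict: admit without the filter (VLAN assumed kept).
        if dev.strict:
            dev.syslog.append("802.1x: authentication failed, " + reason)
            return Decision(False, None, None)
        return Decision(True, None, vlan)
    wanted = vsa if vsa is not None else filter_id  # the per-user VSA filter takes precedence
    if wanted is None:
        return Decision(True, None, vlan)
    if vsa is None and wanted not in dev.filters:
        return fail("Filter-ID %r refers to no configured filter" % wanted)
    if dev.free_filter_slots < 1:
        return fail("insufficient system resources to apply the filter")
    dev.free_filter_slots -= 1
    return Decision(True, wanted, vlan)


def demo():
    """Run the manual's scenarios on constructed packets against a constructed device."""
    secret, req_auth = b"constructed-shared-secret", bytes(range(16))
    vsa = struct.pack("!I", 1991) + b"permit-list-7"  # 1991 = Foundry/Brocade enterprise number
    missing = build_access_accept([(ATTR_FILTER_ID, b"acl-no-such"), (ATTR_TUNNEL_PRIVATE_GROUP_ID,
                                    b"\x01" + b"20")], 7, req_auth, secret)  # tag 1, VLAN 20
    both = build_access_accept([(ATTR_FILTER_ID, b"acl-guest"), (ATTR_VENDOR_SPECIFIC, vsa)],
                               8, req_auth, secret)
    strict, lenient = Device({"acl-guest"}, 1), Device({"acl-guest"}, 1, strict=False)
    exhausted = Device({"acl-guest"}, 0)
    out = {
        "strict_missing": decide(strict, parse_access_accept(missing, req_auth, secret)),
        "lenient_missing": decide(lenient, parse_access_accept(missing, req_auth, secret)),
        "vsa_wins": decide(strict, parse_access_accept(both, req_auth, secret)),
        "no_resources": decide(exhausted, parse_access_accept(both, req_auth, secret)),
        "syslog": list(strict.syslog),
    }
    try:  # one flipped bit in the body must fail verification before any attribute is used
        parse_access_accept(missing[:-1] + bytes([missing[-1] ^ 0x01]), req_auth, secret)
        out["tampered_rejected"] = False
    except ValueError:
        out["tampered_rejected"] = True
    return out
```

Calling demo() shows the four outcomes side by side: the same Access-Accept with a dangling Filter-ID is refused by the strict device (with a Syslog entry) and admitted unfiltered, but still on VLAN 20, by the non-strict one; a reply carrying both attributes applies the Vendor-Specific filter; and an exhausted device refuses even a valid per-user filter. The Response Authenticator check comes first because the whole filter decision trusts attributes in the reply, so a reply that does not verify against the shared secret must never reach it.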

To disable strict security mode globally, enter the following commands.

Brocade(config)# dot1x-enable

Brocade(config-dot1x)# no global-filter-strict-security

After you have globally disabled strict security mode on the device, you can re-enable it by entering the following command.

Brocade(config-dot1x)# global-filter-strict-security

Syntax: [no] global-filter-strict-security

To disable strict security mode for a specific interface, enter commands such as the following.

Brocade(config)# interface e 1

Brocade(config-if-e10000-1)# no dot1x filter-strict-security

To re-enable strict security mode for an interface, enter the following command.

Brocade(config-if-e10000-1)# dot1x filter-strict-security

Syntax: [no] dot1x filter-strict-security

The output of the show dot1x and show dot1x config commands indicates whether strict security mode is enabled or disabled, both globally and on each interface.