
Brocade TurboIron 24X Series Configuration Guide User Manual


Brocade TurboIron 24X Series Configuration Guide, page 985 (53-1003053-01)

Using multi-device port authentication and 802.1X security on the same port

When both of these features are enabled on the same port, multi-device port authentication is
performed prior to 802.1X authentication. If multi-device port authentication is successful, 802.1X
authentication may be performed, based on the configuration of a vendor-specific attribute (VSA) in
the profile for the MAC address on the RADIUS server.

When both features are configured on a port, a device connected to the port is authenticated as
follows.

1. Multi-device port authentication is performed on the device to authenticate the device MAC address.

2. If multi-device port authentication is successful for the device, then the device checks whether the RADIUS server included the Foundry-802_1x-enable VSA (described in Table 153) in the Access-Accept message that authenticated the device.

3. If the Foundry-802_1x-enable VSA is not present in the Access-Accept message, or is present and set to 1, then 802.1X authentication is performed for the device.

4. If the Foundry-802_1x-enable VSA is present in the Access-Accept message, and is set to 0, then 802.1X authentication is skipped. The device is authenticated, and any dynamic VLANs specified in the Access-Accept message returned during multi-device port authentication are applied to the port.

5. If 802.1X authentication is performed on the device, and is successful, then dynamic VLANs or ACLs specified in the Access-Accept message returned during 802.1X authentication are applied to the port.

If multi-device port authentication fails for a device, then by default traffic from the device is either
blocked in hardware, or the device is placed in a restricted VLAN. You can optionally configure the
device to perform 802.1X authentication on a device when it fails multi-device port authentication.
Refer to “Example 2” on page 988 for a sample configuration where this is used.

Configuring Brocade-specific attributes on the RADIUS server

If the RADIUS authentication process is successful, the RADIUS server sends an Access-Accept
message to the device, authenticating the device. The Access-Accept message can include
Vendor-Specific Attributes (VSAs) that specify additional information about the device. If you are
configuring multi-device port authentication and 802.1X authentication on the same port, then you
can configure the Brocade VSAs listed in Table 153 on the RADIUS server.

Add these Brocade vendor-specific attributes to your RADIUS server configuration, and configure
the attributes in the individual or group profiles of the devices that will be authenticated. The
Brocade Vendor-ID is 1991, with Vendor-Type 1.
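The following Python example is added here to illustrate both the five-step decision procedure above and the VSA encoding this section describes; it is not code from the Brocade guide or from any Brocade product. It encodes a RADIUS Vendor-Specific attribute (RFC 2865 attribute type 26) carrying the Foundry-802_1x-enable flag under Vendor-ID 1991 with the Vendor-Type 1 stated on the page, parses it back the way a switch would when reading an Access-Accept, and then applies the "VSA absent or 1 means run 802.1X, VSA 0 means skip 802.1X" rule, including the failed-MAC-authentication branch. Assumptions not on the page: the flag is carried as a standard 4-byte RADIUS integer (sub-attribute length 6), the sample attribute list and Reply-Message are constructed here, and a VSA value other than 0 or 1 is treated like 1 (the page only defines 0 and 1). Check the sub-attribute number against Table 153 and your server's dictionary before relying on it.

```python
import struct

# Values stated on the page: Brocade (Foundry) Vendor-ID and Vendor-Type.
BROCADE_VENDOR_ID = 1991
FOUNDRY_8021X_ENABLE_TYPE = 1   # "Vendor-Type 1" per the page; verify against Table 153
RADIUS_VENDOR_SPECIFIC = 26     # RFC 2865 Vendor-Specific attribute type
RADIUS_REPLY_MESSAGE = 18       # used only for a constructed sample attribute


def build_attr(attr_type, value):
    """Encode one plain RADIUS attribute: Type | Length | Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_vsa(vendor_id, vendor_type, value):
    """Encode a Vendor-Specific attribute carrying a single integer sub-attribute.
    Layout (RFC 2865): Type=26 | Length | Vendor-Id(4) | Vendor-Type | Vendor-Length | Value(4).
    Assumption: the flag is a 4-byte integer, so Vendor-Length is 6."""
    vendor_data = struct.pack("!BBI", vendor_type, 6, value)
    return build_attr(RADIUS_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + vendor_data)


def parse_attributes(raw):
    """Walk a RADIUS attribute list and return [(type, value_bytes), ...].
    Rejects truncated or zero-length attributes instead of looping on them."""
    attrs, i = [], 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated attribute header")
        attr_type, length = raw[i], raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, raw[i + 2:i + length]))
        i += length
    return attrs


def find_vsa(attrs, vendor_id, vendor_type):
    """Return the integer value of one vendor sub-attribute, or None if absent.
    Other vendors' VSAs and other sub-attribute types are skipped."""
    for attr_type, value in attrs:
        if attr_type != RADIUS_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != vendor_id:
            continue
        data, j = value[4:], 0
        while j + 2 <= len(data):
            sub_type, sub_len = data[j], data[j + 1]
            if sub_len < 2 or j + sub_len > len(data):
                break   # malformed vendor data: stop, do not trust the rest
            if sub_type == vendor_type and sub_len == 6:
                return struct.unpack("!I", data[j + 2:j + 6])[0]
            j += sub_len
    return None


def decide(mac_auth_ok, access_accept_attrs, dot1x_on_mac_auth_failure=False):
    """Apply the page's procedure after multi-device port authentication.
    Returns one of:
      'block_or_restricted_vlan'       - MAC auth failed, default handling
      'perform_8021x'                  - 802.1X authentication is run next
      'skip_8021x_apply_mac_auth_vlans'- VSA set to 0: device is authenticated now"""
    if not mac_auth_ok:
        # Step "If multi-device port authentication fails": default block/restricted VLAN,
        # unless the port is configured to fall back to 802.1X.
        return "perform_8021x" if dot1x_on_mac_auth_failure else "block_or_restricted_vlan"
    flag = find_vsa(access_accept_attrs, BROCADE_VENDOR_ID, FOUNDRY_8021X_ENABLE_TYPE)
    if flag == 0:
        return "skip_8021x_apply_mac_auth_vlans"          # step 4
    # Step 3: absent or 1 -> run 802.1X. Any other value is treated as 1 (assumption).
    return "perform_8021x"


if __name__ == "__main__":
    # Constructed sample Access-Accept attribute list: a Reply-Message plus the Brocade VSA set to 0.
    sample = build_attr(RADIUS_REPLY_MESSAGE, b"ok") + build_vsa(BROCADE_VENDOR_ID, FOUNDRY_8021X_ENABLE_TYPE, 0)
    print(sample.hex())
    print(decide(True, parse_attributes(sample)))
```

The parser stops at the first malformed sub-attribute rather than guessing, so a garbled VSA never reads as "802.1X enabled = 0"; the decision function then falls through to performing 802.1X, which is the safer default on a port that has both features configured.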