Brocade TurboIron 24X Series Configuration Guide User Manual

53-1003053-01

Using multi-device port authentication and 802.1X security on the same port

Multi-device port authentication is initially performed for both devices. The IP phone MAC address
has a profile on the RADIUS server. This profile indicates that 802.1X authentication should be
skipped for this device, and that the device port be placed into the VLAN named “IP-Phone-VLAN”.

Since there is no profile for the PC MAC address on the RADIUS server, multi-device port
authentication for this MAC address fails. Ordinarily, this would mean that the PVID for the port
would be changed to that of the restricted VLAN, or traffic from this MAC would be blocked in
hardware.

NOTE

This example assumes that the IP phone initially transmits untagged packets (for example, CDP or
DHCP packets), which trigger the authentication process on the device and client lookup on the
RADIUS server. If the phone sends only tagged packets and the port (e 4) is not a member of that
VLAN, authentication would not occur. In this case, port e 4 must be added to that VLAN prior to
authentication.

To configure the device to perform 802.1X authentication when a device fails multi-device port
authentication, enter the following command.

TurboIron(config)#mac-authentication auth-fail-dot1x-override

Syntax: [no] mac-authentication auth-fail-dot1x-override
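
The decision flow described above, as a small model for checking what a port will do with each device. This is an added example, not code or configuration from the manual: the MAC addresses and profile field names are constructed, and the step "802.1X follows a successful MAC authentication unless the profile says to skip it" is an assumption inferred from the text.

```python
from dataclasses import dataclass

# Constructed RADIUS view: only the IP phone has a profile, as in the example.
# Field names are hypothetical, not Brocade RADIUS attribute names.
RADIUS_PROFILES = {
    "0000.0000.aaaa": {"skip_dot1x": True, "vlan": "IP-Phone-VLAN"},  # IP phone
}
PHONE_MAC, PC_MAC = "0000.0000.aaaa", "0000.0000.bbbb"  # constructed addresses


@dataclass
class PortConfig:
    auth_fail_dot1x_override: bool = False  # mac-authentication auth-fail-dot1x-override
    fail_action: str = "restricted-vlan"    # or "block": the two outcomes the text names
    member_vlans: frozenset = frozenset()   # VLANs the port already belongs to


def next_step(cfg, mac, tagged_vlan=None):
    """Return (outcome, vlan) for the first frame seen from `mac` on the port."""
    # NOTE case: a tagged frame for a VLAN the port is not a member of
    # never triggers authentication at all.
    if tagged_vlan is not None and tagged_vlan not in cfg.member_vlans:
        return ("no-authentication", None)
    profile = RADIUS_PROFILES.get(mac)
    if profile is not None:
        # Multi-device port authentication succeeded.
        if profile["skip_dot1x"]:
            return ("permit", profile["vlan"])
        return ("dot1x", profile["vlan"])  # assumption: 802.1X runs unless skipped
    # Multi-device port authentication failed (no profile for this MAC).
    if cfg.auth_fail_dot1x_override:
        return ("dot1x", None)             # hand the client to 802.1X instead
    return (cfg.fail_action, None)         # restricted VLAN or hardware block


if __name__ == "__main__":
    for override in (False, True):
        cfg = PortConfig(auth_fail_dot1x_override=override)
        for name, mac in (("phone", PHONE_MAC), ("pc", PC_MAC)):
            print(f"override={override} {name}: {next_step(cfg, mac)}")
```
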