Configuring dynamic vlan assignment – Brocade TurboIron 24X Series Configuration Guide User Manual
Brocade TurboIron 24X Series Configuration Guide
53-1003053-01
Configuring multi-device port authentication
Configuring dynamic VLAN assignment
An interface can be dynamically assigned to one or more VLANs based on the MAC address learned on that interface. When a MAC address is successfully authenticated, the RADIUS server sends the device a RADIUS Access-Accept message that allows the device to forward traffic from that MAC address. The RADIUS Access-Accept message can also contain attributes set for the MAC address in its access profile on the RADIUS server.

If one of the attributes in the Access-Accept message specifies one or more VLAN identifiers, and the VLAN is available on the device, the port is moved from its default VLAN to the specified VLAN. To enable dynamic VLAN assignment for authenticated MAC addresses, you must add attributes to the profile for the MAC address on the RADIUS server, then enable dynamic VLAN assignment on multi-device port authentication-enabled interfaces. Refer to “Configuring the RADIUS server to support dynamic VLAN assignment” on page 1007 for a list of the attributes that must be set on the RADIUS server.
To enable dynamic VLAN assignment on a multi-device port authentication-enabled interface, enter commands such as the following.
TurboIron(config)#interface e 1
TurboIron(config-if-e10000-1)#mac-authentication enable-dynamic-vlan
Syntax: [no] mac-authentication enable-dynamic-vlan
Configuring a port to remain in the restricted VLAN after a successful authentication attempt
If a previous authentication attempt for a MAC address failed, and as a result the port was placed in the restricted VLAN, but a subsequent authentication attempt was successful, the RADIUS Access-Accept message may specify a VLAN for the port. By default, the device moves the port out of the restricted VLAN and into the RADIUS-specified VLAN. You can optionally configure the device to leave the port in the restricted VLAN. To do this, enter the following command.
TurboIron(config-if-e10000-1)#mac-authentication no-override-restrict-vlan
When the above command is applied, if the RADIUS-specified VLAN configuration is tagged (e.g., T:1024) and the VLAN is valid, then the port is placed in the RADIUS-specified VLAN as a tagged port and left in the restricted VLAN. If the RADIUS-specified VLAN configuration is untagged (e.g., U:1024), the configuration from the RADIUS server is ignored, and the port is left in the restricted VLAN.
Syntax: [no] mac-authentication no-override-restrict-vlan
Configuration notes
• If you configure dynamic VLAN assignment on a multi-device port authentication-enabled interface, and the Access-Accept message returned by the RADIUS server contains a Tunnel-Type and Tunnel-Medium-Type, but does not contain a Tunnel-Private-Group-ID attribute, then it is considered an authentication failure, and the configured authentication failure action is performed for the MAC address.
• If the 
the device, then it is considered an authentication failure, and the configured authentication failure action is performed for the MAC address.
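The following is an added example, not code from the Brocade guide: a small Python model of the decision this section describes, useful for checking a RADIUS profile before deploying it. It assumes the Tunnel-Private-Group-ID values use the T:/U: forms shown above (one value or a list of them), that tunnel attributes are only checked for presence, and that a VLAN the device does not have is treated as an authentication failure (the guide's second configuration note is truncated on this page; that reading follows from the "VLAN is available on the device" condition above).

```python
from dataclasses import dataclass, field

TAGGED, UNTAGGED = "T", "U"


@dataclass
class PortState:
    untagged_vlan: int                      # VLAN the port is an untagged member of
    tagged_vlans: set = field(default_factory=set)
    in_restricted: bool = False             # parked in the restricted VLAN after an earlier failure


def parse_group_id(value):
    """Parse a Tunnel-Private-Group-ID such as 'T:1024' or 'U:1024' into (mode, vlan_id)."""
    mode, _, vid = value.partition(":")
    if mode not in (TAGGED, UNTAGGED) or not vid.isdigit():
        raise ValueError(f"unsupported Tunnel-Private-Group-ID format: {value!r}")
    return mode, int(vid)


def apply_access_accept(attrs, port, device_vlans, no_override_restrict_vlan=False):
    """Return ("auth-failure", reason) or ("accepted", PortState) for one Access-Accept.

    attrs: attribute dict of the Access-Accept; device_vlans: VLAN ids configured on
    the device; no_override_restrict_vlan mirrors 'mac-authentication
    no-override-restrict-vlan' on the interface.
    """
    has_tunnel = "Tunnel-Type" in attrs and "Tunnel-Medium-Type" in attrs
    group_ids = attrs.get("Tunnel-Private-Group-ID")
    if has_tunnel and group_ids is None:
        # Configuration note: tunnel attributes without a group id is a failure
        return "auth-failure", "Tunnel-Private-Group-ID missing"
    if group_ids is None:
        return "accepted", port             # no VLAN specified; port keeps its VLAN
    if isinstance(group_ids, str):
        group_ids = [group_ids]
    for value in group_ids:
        mode, vid = parse_group_id(value)
        if vid not in device_vlans:         # assumption: unavailable VLAN is a failure
            return "auth-failure", f"VLAN {vid} not available on the device"
        if port.in_restricted and no_override_restrict_vlan:
            if mode == TAGGED:
                port.tagged_vlans.add(vid)  # added as tagged, port stays restricted
            continue                        # untagged assignment is ignored
        if mode == TAGGED:
            port.tagged_vlans.add(vid)
        else:
            port.untagged_vlan = vid
        port.in_restricted = False          # default: moved out of the restricted VLAN
    return "accepted", port


# Constructed sample Access-Accept (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802)
SAMPLE_ACCEPT = {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-ID": "U:1024"}
```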
