
Dynamic multiple VLAN assignment for 802.1X ports – Brocade TurboIron 24X Series Configuration Guide User Manual

53-1003053-01

Configuring 802.1X port security

Enable 802.1X VLAN ID support by adding the attributes listed in Table 5 to a user profile on the
RADIUS server.

The device reads the attributes as follows:

If the Tunnel-Type or the Tunnel-Medium-Type attributes in the Access-Accept message do not
have the values specified in Table 5, the device ignores the three Attribute-Value pairs. The client
becomes authorized, but the client port is not dynamically placed in a VLAN.

If the Tunnel-Type or the Tunnel-Medium-Type attributes in the Access-Accept message do have
the values specified in Table 5, but there is no value specified for the Tunnel-Private-Group-ID
attribute, the client will not become authorized.

When the device receives the value specified for the Tunnel-Private-Group-ID attribute, it
checks whether the <vlan-name> string matches the name of a VLAN configured on the
device. If there is a VLAN on the device whose name matches the <vlan-name> string, then
the client port is placed in the VLAN whose ID corresponds to the VLAN name.

If the <vlan-name> string does not match the name of a VLAN, the device checks whether the
string, when converted to a number, matches the ID of a VLAN configured on the device. If it
does, then the client port is placed in the VLAN with that ID.

If the <vlan-name> string does not match either the name or the ID of a VLAN configured on
the device, then the client will not become authorized.
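
The decision rules above, modelled as an added example (not Brocade code) for checking RADIUS user profiles against a device's VLAN list before deployment. The function names, result strings, sample VLANs and sample profiles are constructed, and exact, case-sensitive name matching is an assumption.

```python
# Added example: models the Access-Accept handling rules described above.
# All names and sample data are constructed for illustration.
TUNNEL_TYPE_VLAN = 13      # Tunnel-Type (type 064): VLAN
TUNNEL_MEDIUM_802 = 6      # Tunnel-Medium-Type (type 065): 802


def evaluate_access_accept(attrs, device_vlans):
    """Return (authorized, vlan_id); device_vlans maps VLAN ID -> VLAN name."""
    if (attrs.get("Tunnel-Type") != TUNNEL_TYPE_VLAN
            or attrs.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_802):
        # The three pairs are ignored: authorized, but no dynamic VLAN.
        return True, None
    group_id = attrs.get("Tunnel-Private-Group-ID")
    if not group_id:
        return False, None                    # no value: not authorized
    for vlan_id, name in device_vlans.items():
        if name == group_id:                  # 1) VLAN name (exact match assumed)
            return True, vlan_id
    if group_id.isascii() and group_id.isdecimal() and int(group_id) in device_vlans:
        return True, int(group_id)            # 2) string converted to a VLAN ID
    return False, None                        # neither name nor ID matches


def audit_profiles(profiles, device_vlans):
    """Map each user to 'vlan <id>', 'authorized, no VLAN' or 'rejected'."""
    report = {}
    for user, attrs in profiles.items():
        ok, vlan = evaluate_access_accept(attrs, device_vlans)
        report[user] = ("rejected" if not ok
                        else "authorized, no VLAN" if vlan is None
                        else f"vlan {vlan}")
    return report


# Constructed sample data: device VLANs and RADIUS user profiles.
DEVICE_VLANS = {10: "marketing", 20: "engineering", 30: "20"}
vlan_attrs = {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6}
PROFILES = {
    "alice": {**vlan_attrs, "Tunnel-Private-Group-ID": "marketing"},
    "bob":   {**vlan_attrs, "Tunnel-Private-Group-ID": "10"},
    "carol": {**vlan_attrs, "Tunnel-Private-Group-ID": "20"},       # name wins over ID
    "dave":  {**vlan_attrs, "Tunnel-Private-Group-ID": "guest"},    # unknown VLAN
    "erin":  {"Tunnel-Type": 13, "Tunnel-Private-Group-ID": "10"},  # medium type missing
    "frank": dict(vlan_attrs),                                      # no group ID
}

if __name__ == "__main__":
    for user, outcome in audit_profiles(PROFILES, DEVICE_VLANS).items():
        print(f"{user:6} {outcome}")
```

Profiles reported as "authorized, no VLAN" deserve review: the client is admitted but stays in the port default VLAN rather than the intended segment.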

The show interface command displays the VLAN to which an 802.1X-enabled port has been
dynamically assigned, as well as the port from which it was moved (that is, the port default
VLAN). Refer to “Displaying dynamically assigned VLAN information” on page 973 for sample output
indicating the port dynamically assigned VLAN.

Dynamic multiple VLAN assignment for 802.1X ports

When you add attributes to a user profile on the RADIUS server, the value for the
Tunnel-Private-Group-ID attribute can specify the name or number of one or more VLANs configured
on the device.

For example, to specify one VLAN, configure the following for the value in the
Tunnel-Private-Group-ID attribute on the RADIUS server.

"10" or "marketing"

In this example, the port on which the Client is authenticated is assigned to VLAN 10 or the VLAN
named "marketing". The VLAN to which the port is assigned must have previously been configured
on the device.

To specify an untagged VLAN, use the following.

"U:10" or "U:marketing"

Table 5:

Attribute name            Type   Value
Tunnel-Type               064    13 (decimal) – VLAN
Tunnel-Medium-Type        065    6 (decimal) – 802
Tunnel-Private-Group-ID   081    (string) – either the name or the number of a VLAN configured on the device.