Dynamic multiple vlan assignment for 802.1x ports – Brocade BigIron RX Series Configuration Guide User Manual
BigIron RX Series Configuration Guide, 53-1002484-04, page 1055
Chapter 34: Configuring 802.1x port security
• If the Tunnel-Type or the Tunnel-Medium-Type attributes in the Access-Accept message do have the values specified above, but there is no value specified for the Tunnel-Private-Group-ID attribute, the client will not become authorized.
• When the BigIron RX receives the value specified for the Tunnel-Private-Group-ID attribute, it checks whether the <vlan-name> string matches the name of a VLAN configured on the device. If there is a VLAN on the device whose name matches the <vlan-name>, then the client’s port is placed in the VLAN whose ID corresponds to the VLAN name.
• If the <vlan-name> string does not match the name of a VLAN, the BigIron RX checks whether the string, when converted to a number, matches the ID of a VLAN configured on the device. If it does, then the client’s port is placed in the VLAN with that ID.
• If the <vlan-name> string does not match either the name or the ID of a VLAN configured on the device, then the client will not become authorized.
The show interface command displays the VLAN to which an 802.1x-enabled port has been dynamically assigned, as well as the port from which it was moved (that is, the port’s default VLAN). Refer to “Displaying dynamically assigned VLAN information” on page 1068 for sample output indicating the port’s dynamically assigned VLAN.
Dynamic multiple VLAN assignment for 802.1X ports
BigIron RX Series supports 802.1x authentication on untagged ports only. When the RADIUS server specifies an untagged VLAN ID, the port default VLAN ID (or PVID) is changed from the system DEFAULT-VLAN (VLAN 1) to the specified VLAN ID. The port transmits only untagged traffic on its PVID. For more information, refer to “Dynamic multiple VLAN assignment for Multi-device port
For a configuration example, refer to “802.1X Authentication with dynamic VLAN assignment”
Considerations for dynamic VLAN assignment in an 802.1x multiple client configuration
The following considerations apply when a Client in an 802.1x multiple client configuration is successfully authenticated, and the RADIUS Access-Accept message specifies a VLAN for the port:
• If the port is not already a member of a RADIUS-specified VLAN, and the RADIUS Access-Accept message specifies the name or ID of a valid VLAN on the Brocade BigIron RX, then the port is placed in that VLAN.
• If the port is already a member of a RADIUS-specified VLAN, and the RADIUS Access-Accept message specifies the name or ID of a different VLAN, then it is considered an authentication failure. The port’s VLAN membership is not changed.
• If the port is already a member of a RADIUS-specified VLAN, and the RADIUS Access-Accept message specifies the name or ID of that same VLAN, then traffic from the Client is forwarded normally.
• If the RADIUS Access-Accept message specifies the name or ID of a VLAN that does not exist on the Brocade BigIron RX, then it is considered an authentication failure.
• If the RADIUS Access-Accept message does not contain any VLAN information, the Client’s dot1x-mac-session is set to “access-is-allowed”. If the port is already in a RADIUS-specified VLAN, it remains in that VLAN.
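The two rule lists on this page (the name-then-ID lookup of the Tunnel-Private-Group-ID value, and the multiple-client considerations) are easy to misread when reviewing a RADIUS policy, so the following Python model walks through both as a decision function. It is an added illustration, not Brocade code and not the switch’s implementation. It assumes the “values specified above” for Tunnel-Type and Tunnel-Medium-Type are the RFC 3580 values VLAN (13) and IEEE-802 (6); the VLAN table and Access-Accept attribute sets are constructed sample data. The page does not say what happens when the tunnel attributes are present with other values, so the model treats that case as a failure and labels it as an assumption.

```python
"""Model of the BigIron RX dynamic VLAN assignment rules (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional

# RFC 3580 attribute values; assumed to be the values the manual refers to
# as "specified above" on the preceding page.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_TYPE_IEEE_802 = 6


@dataclass
class Decision:
    authorized: bool
    vlan_id: Optional[int]  # VLAN the port ends up in; None = default VLAN / unchanged
    reason: str


def resolve_radius_vlan(attrs: Dict[str, object], vlans: Dict[str, int]) -> Decision:
    """Single-client rules: map Access-Accept attributes to a VLAN on the device.

    attrs: Access-Accept attributes keyed by RADIUS attribute name.
    vlans: VLANs configured on the device, name -> ID.
    """
    if not any(k in attrs for k in ("Tunnel-Type", "Tunnel-Medium-Type",
                                    "Tunnel-Private-Group-ID")):
        # No VLAN information at all: authorized, port VLAN left unchanged.
        return Decision(True, None, "no VLAN attributes; port VLAN unchanged")

    if (attrs.get("Tunnel-Type") != TUNNEL_TYPE_VLAN
            or attrs.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_TYPE_IEEE_802):
        # Assumption: the page does not cover this case; treated as a failure.
        return Decision(False, None, "tunnel attributes are not VLAN/IEEE-802")

    group = attrs.get("Tunnel-Private-Group-ID")
    if group is None:
        # Tunnel-Type/Medium-Type correct but no group ID: not authorized.
        return Decision(False, None, "Tunnel-Private-Group-ID missing")

    name = str(group)
    # Step 1: the string is compared with configured VLAN names.
    if name in vlans:
        return Decision(True, vlans[name], f"matched VLAN name {name!r}")
    # Step 2: otherwise the string is converted to a number and compared with IDs.
    if name.isdigit() and int(name) in vlans.values():
        return Decision(True, int(name), f"matched VLAN ID {int(name)}")
    # Neither a name nor an ID: not authorized.
    return Decision(False, None, f"{name!r} matches no VLAN name or ID")


def multi_client_decision(port_radius_vlan: Optional[int],
                          attrs: Dict[str, object],
                          vlans: Dict[str, int]) -> Decision:
    """Multiple-client rules for one newly authenticated Client on a port.

    port_radius_vlan: VLAN a RADIUS server already placed the port in,
    or None if the port is still in its default VLAN.
    """
    single = resolve_radius_vlan(attrs, vlans)
    if single.authorized and single.vlan_id is None:
        # No VLAN information: dot1x-mac-session becomes access-is-allowed
        # and the port stays where it is.
        return Decision(True, port_radius_vlan, "access-is-allowed; VLAN unchanged")
    if not single.authorized:
        # Nonexistent VLAN (or missing group ID): authentication failure.
        return Decision(False, port_radius_vlan, "authentication failure: " + single.reason)
    if port_radius_vlan is None:
        return Decision(True, single.vlan_id, "port placed in RADIUS-specified VLAN")
    if port_radius_vlan == single.vlan_id:
        return Decision(True, port_radius_vlan, "same VLAN; traffic forwarded normally")
    # Different VLAN than the one the port is already in: failure, no change.
    return Decision(False, port_radius_vlan,
                    "authentication failure: conflicting VLAN; membership unchanged")


if __name__ == "__main__":
    # Constructed sample VLAN table and Access-Accept attribute sets.
    VLANS = {"DEFAULT-VLAN": 1, "engineering": 20, "guests": 30}
    accept = {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
              "Tunnel-Private-Group-ID": "engineering"}
    print(resolve_radius_vlan(accept, VLANS))
    print(multi_client_decision(20, {**accept, "Tunnel-Private-Group-ID": "30"}, VLANS))
```

Running the module shows the second client on a port already in VLAN 20 being refused when its Access-Accept names VLAN 30, which is the case most often reported as a “mysterious” 802.1x failure on shared ports: the RADIUS policy is correct per user, but the port can only hold one RADIUS-specified VLAN at a time.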