1x authentication with dynamic vlan assignment – Brocade BigIron RX Series Configuration Guide User Manual

BigIron RX Series Configuration Guide

1075

53-1002484-04

Sample 802.1x configurations

34

802.1X Authentication with dynamic VLAN assignment

Figure 141

illustrates 802.1X authentication with dynamic VLAN assignment. In this configuration,

two user PCs are connected to a hub, which is connected to port 2/1. Port 2/1 is configured as a
dual-mode port. Both PCs transmit untagged traffic. The profile for User 1 on the RADIUS server
specifies that User 1 PC should be dynamically assigned to VLAN 3. The RADIUS profile for User 2
on the RADIUS server specifies that User 2 PC should be dynamically assigned to VLAN 20.

FIGURE 141

Sample configuration using 802.1X authentication with dynamic VLAN assignment

In this example, the PVID for port 2/1 would be changed based on the first host to be successfully
authenticated. If User 1 is authenticated first, then the PVID for port 2/1 is changed to VLAN 3. If
User 2 is authenticated first, then the PVID for port 2/1 is changed to VLAN 20. Since a PVID
cannot be changed by RADIUS authentication after it has been dynamically assigned, if User 2 is
authenticated after the port PVID was changed to VLAN 3, then User 2 would not be able to gain
access to the network.

If there were only one device connected to the port, and authentication failed for that device, it
could be placed into the restricted VLAN, where it could gain access to the network.

The part of the running-config related to 802.1X authentication would be as follows.

dot1x-enable

re-authentication

servertimeout 10

timeout re-authperiod 10

auth-fail-action restricted-vlan

auth-fail-vlanid 1023

mac-session-aging no-aging permitted-mac-only

enable ethe 2/1 to 2/4

!

!

Hub

Untagged

Untagged

User 1

MAC: 0002.3f7f.2e0a

User 2

MAC: 0050.048e.86ac

Port e2
Dual Mode

FastIron Switch

RADIUS Server
Tunnel-Private-Group-ID:
User 1 -> “U:3”
User 2 -> “U:20”