Brocade Communications Systems Brocade ICX 6650 User Manual

Brocade ICX 6650 Security Configuration Guide
169
53-1002601-01
802.1X port security configuration
When the RADIUS server returns a value specifying both untagged and tagged VLAN IDs, the port 
becomes a dual-mode port, accepting and transmitting both tagged traffic and untagged traffic at 
the same time. A dual-mode port transmits only untagged traffic on its default VLAN (PVID) and 
only tagged traffic on all other VLANs.
In this example, the port VLAN configuration is changed so that it transmits untagged traffic on 
VLAN 10, and transmits tagged traffic on VLAN 12 and the VLAN named "marketing". 
For a configuration example, refer to “802.1X authentication with dynamic VLAN assignment”.
Saving dynamic VLAN assignments to the running-config file
You can configure the Brocade device to save the RADIUS-specified VLAN assignments to the 
device's running-config file. Enter commands such as the following.
Brocade(config)# dot1x-enable
Brocade(config-dot1x)# save-dynamicvlan-to-config
Syntax: save-dynamicvlan-to-config
By default, the dynamic VLAN assignments are not saved to the running-config file. Entering the 
show running-config command does not display dynamic VLAN assignments, although they can be 
displayed with the show vlan and show authenticated-mac-address detail commands.
NOTE
When this feature is enabled, issuing the command write mem will save any dynamic VLAN 
assignments to the startup configuration file.
Considerations for dynamic VLAN assignment in an 802.1X multiple-host configuration
The following considerations apply when a Client in an 802.1X multiple-host configuration is successfully authenticated, and the RADIUS Access-Accept message specifies a VLAN for the port:
• If the port is not already a member of a RADIUS-specified VLAN, and the RADIUS Access-Accept message specifies the name or ID of a valid VLAN on the Brocade device, then the port is placed in that VLAN.
• If the port is already a member of a RADIUS-specified VLAN, and the RADIUS Access-Accept message specifies the name or ID of a different VLAN, then it is considered an authentication failure. The port VLAN membership is not changed.
• If the port is already a member of a RADIUS-specified VLAN, and the RADIUS Access-Accept message specifies the name or ID of that same VLAN, then traffic from the Client is forwarded normally.
• If the RADIUS Access-Accept message specifies the name or ID of a VLAN that does not exist on the Brocade device, then it is considered an authentication failure.
• If the port is a tagged or dual-mode port, and the RADIUS Access-Accept message specifies the name or ID of a valid VLAN on the Brocade device, then the port is placed in that VLAN. If the port is already a member of the RADIUS-specified VLAN, no further action is taken.
• If the RADIUS Access-Accept message does not contain any VLAN information, the Client dot1x-mac-session is set to “access-is-allowed”. If the port is already in a RADIUS-specified VLAN, it remains in that VLAN.
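The considerations above amount to a small decision procedure: given the port's current RADIUS-specified VLAN membership, its mode, and the VLAN named in the Access-Accept, the outcome is either an authentication failure or an allowed session with a possibly changed membership. The following Python model is an added illustration, not Brocade code; the Port and Decision types, the function names, and the VLAN inventory are assumptions made for the example. It also assumes that for a tagged or dual-mode port the "placed in that VLAN" rule adds the VLAN alongside existing memberships instead of triggering the "different VLAN" failure, which is one reading of how those two bullets interact. Walking a sequence of RADIUS results through it shows which policy mistakes (a VLAN the switch does not have, a second VLAN for an untagged port) surface as authentication failures rather than as silent membership changes.

```python
"""Model of the dynamic VLAN assignment considerations for an 802.1X
multiple-host port, as listed in the Brocade ICX 6650 Security Configuration
Guide. Added illustration, not Brocade code: Port, Decision and the function
names are assumptions made for this example."""

from dataclasses import dataclass, replace

AUTH_FAILURE = "authentication-failure"
ACCESS_ALLOWED = "access-is-allowed"


@dataclass(frozen=True)
class Port:
    name: str
    mode: str                               # "untagged", "tagged" or "dual"
    radius_vlans: frozenset = frozenset()   # VLANs already assigned by RADIUS


@dataclass(frozen=True)
class Decision:
    outcome: str   # AUTH_FAILURE or ACCESS_ALLOWED
    action: str    # which consideration applied
    port: Port     # port state after the Access-Accept is processed


def evaluate_access_accept(port: Port, radius_vlan, device_vlans) -> Decision:
    """Apply the considerations in order and return the resulting state.

    radius_vlan: VLAN name or ID carried in the Access-Accept, or None when
    the message carries no VLAN information.
    device_vlans: names/IDs of the VLANs configured on the device.
    """
    # No VLAN information: the session is access-is-allowed and any existing
    # RADIUS-specified membership is kept.
    if radius_vlan is None:
        return Decision(ACCESS_ALLOWED, "no VLAN in Access-Accept; port unchanged", port)

    # VLAN not configured on the device: authentication failure.
    if radius_vlan not in device_vlans:
        return Decision(AUTH_FAILURE, f"VLAN {radius_vlan!r} does not exist", port)

    # Already a member of that same RADIUS-specified VLAN: forward normally.
    if radius_vlan in port.radius_vlans:
        return Decision(ACCESS_ALLOWED, "already in that VLAN; traffic forwarded normally", port)

    # Tagged or dual-mode port: placed in the valid VLAN (assumption: the
    # membership is added next to existing ones rather than failing).
    if port.mode in ("tagged", "dual"):
        new_port = replace(port, radius_vlans=port.radius_vlans | {radius_vlan})
        return Decision(ACCESS_ALLOWED, f"port placed in VLAN {radius_vlan!r}", new_port)

    # Untagged port with no RADIUS-specified VLAN yet: placed in the VLAN.
    if not port.radius_vlans:
        new_port = replace(port, radius_vlans=frozenset({radius_vlan}))
        return Decision(ACCESS_ALLOWED, f"port placed in VLAN {radius_vlan!r}", new_port)

    # Untagged port already in a different RADIUS-specified VLAN: failure and
    # the membership is left as it was.
    return Decision(AUTH_FAILURE, "different VLAN requested; membership unchanged", port)


def walk_through():
    """Run a constructed sequence of Access-Accept results against one port.

    Returns the trace of (requested VLAN, outcome, action) and the final port.
    """
    device_vlans = {10, 12, "marketing"}          # constructed VLAN inventory
    port = Port("e1/1/1", "untagged")             # constructed port
    trace = []
    for vlan in (10, 10, 12, "sales", None):       # constructed RADIUS results
        decision = evaluate_access_accept(port, vlan, device_vlans)
        trace.append((vlan, decision.outcome, decision.action))
        port = decision.port
    return trace, port


if __name__ == "__main__":
    steps, final_port = walk_through()
    for requested, outcome, action in steps:
        print(f"{requested!r:12} -> {outcome:24} ({action})")
    print("final RADIUS-specified VLANs:", sorted(map(str, final_port.radius_vlans)))
```

In the walk-through the untagged port is placed in VLAN 10, a repeat of VLAN 10 is forwarded normally, a request for VLAN 12 fails because the port is already in a different RADIUS-specified VLAN, a request for a VLAN the device does not have fails, and an Access-Accept with no VLAN information leaves the port in VLAN 10. When troubleshooting failed 802.1X sessions on a multiple-host port, the last three cases are the ones to compare against the RADIUS policy, since show vlan and show authenticated-mac-address detail will only reflect the memberships that succeeded.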
