
Brocade ICX 6650 Security Configuration Guide
53-1002601-01, page 235

Multi-device port authentication and 802.1X security on the same port

4. If the Foundry-802_1x-enable VSA is present in the Access-Accept message and is set to 0, then 802.1X authentication is skipped. The device is authenticated, and any dynamic VLANs specified in the Access-Accept message returned during multi-device port authentication are applied to the port.

5. If 802.1X authentication is performed on the device and is successful, then dynamic VLANs or ACLs specified in the Access-Accept message returned during 802.1X authentication are applied to the port.

If multi-device port authentication fails for a device, then by default traffic from the device is either blocked in hardware, or the device is placed in a restricted VLAN. You can optionally configure the Brocade device to perform 802.1X authentication on a device when it fails multi-device port authentication. Refer to “Example 2 — Creating a profile on the RADIUS server for each MAC address” on page 265 for a sample configuration where this is used.

Configuring Brocade-specific attributes on the RADIUS server

If the RADIUS authentication process is successful, the RADIUS server sends an Access-Accept message to the Brocade device, authenticating the device. The Access-Accept message can include Vendor-Specific Attributes (VSAs) that specify additional information about the device. If you are configuring multi-device port authentication and 802.1X authentication on the same port, then you can configure the Brocade VSAs listed in Table 55 on the RADIUS server.

You add these Brocade vendor-specific attributes to your RADIUS server configuration, and
configure the attributes in the individual or group profiles of the devices that will be authenticated.
The Brocade Vendor-ID is 1991, with Vendor-Type 1.
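The following is an added example, not code from the guide or from Brocade, showing how the Foundry-802_1x-enable VSA described in step 4 above is carried on the wire and how a switch would evaluate it. It encodes the attribute in the RFC 2865 Vendor-Specific format (attribute Type 26, Vendor-Id 1991, Vendor-Type 1, 4-byte integer value) and then walks a constructed Access-Accept attribute list, deciding whether 802.1X is skipped (value 0) and picking up a dynamic VLAN. Two assumptions are made here that this page does not state: that a missing or non-zero VSA means 802.1X proceeds, and that the dynamic VLAN is delivered in the standard RFC 2868 Tunnel-Private-Group-Id attribute (Type 81). All byte strings below are constructed sample data.

```python
import struct

# RFC 2865 / RFC 2868 attribute type numbers
ATTR_VENDOR_SPECIFIC = 26
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81   # assumption: dynamic VLAN id travels here

# Vendor values stated in the guide
BROCADE_VENDOR_ID = 1991
FOUNDRY_802_1X_ENABLE = 1           # Vendor-Type 1; value 0 means "skip 802.1X"


def encode_attr(attr_type, value):
    """Build one plain RADIUS attribute: Type (1), Length (1), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encode_vsa(vendor_id, vendor_type, value):
    """Build one RFC 2865 Vendor-Specific attribute (Type 26).

    Layout: Type=26 | Length | Vendor-Id (4) | Vendor-Type (1) | Vendor-Length (1) | value
    """
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def parse_attributes(blob):
    """Return a list of (type, value) pairs; reject malformed lengths instead of guessing."""
    attrs, off = [], 0
    while off < len(blob):
        if len(blob) - off < 2:
            raise ValueError("truncated attribute header at offset %d" % off)
        attr_type, length = blob[off], blob[off + 1]
        if length < 2 or off + length > len(blob):
            raise ValueError("bad attribute length %d at offset %d" % (length, off))
        attrs.append((attr_type, blob[off + 2:off + length]))
        off += length
    return attrs


def parse_vsas(value):
    """Split a Type-26 payload into (vendor_id, vendor_type, data) tuples."""
    if len(value) < 4:
        raise ValueError("VSA shorter than Vendor-Id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    out, off = [], 4
    while off < len(value):
        if len(value) - off < 2:
            raise ValueError("truncated vendor sub-attribute")
        vtype, vlen = value[off], value[off + 1]
        if vlen < 2 or off + vlen > len(value):
            raise ValueError("bad vendor sub-attribute length %d" % vlen)
        out.append((vendor_id, vtype, value[off + 2:off + vlen]))
        off += vlen
    return out


def evaluate_access_accept(blob):
    """Decide, from an Access-Accept attribute list, whether 802.1X is skipped and which VLAN applies.

    Returns {"skip_802_1x": bool, "dynamic_vlan": int or None}.
    Only Vendor-Id 1991 / Vendor-Type 1 with a 4-byte integer value of 0 sets skip_802_1x.
    """
    skip_802_1x, dynamic_vlan = False, None
    for attr_type, value in parse_attributes(blob):
        if attr_type == ATTR_VENDOR_SPECIFIC:
            for vendor_id, vtype, data in parse_vsas(value):
                if (vendor_id == BROCADE_VENDOR_ID and vtype == FOUNDRY_802_1X_ENABLE
                        and len(data) == 4 and struct.unpack("!I", data)[0] == 0):
                    skip_802_1x = True
        elif attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a leading byte in 0x00..0x1F is a tag, not part of the VLAN string
            if value and value[0] <= 0x1F:
                value = value[1:]
            dynamic_vlan = int(value.decode("ascii"))
    return {"skip_802_1x": skip_802_1x, "dynamic_vlan": dynamic_vlan}


# Constructed sample: Foundry-802_1x-enable = 0 plus a tagged dynamic VLAN of 120
SAMPLE_SKIP_ACCEPT = (
    encode_vsa(BROCADE_VENDOR_ID, FOUNDRY_802_1X_ENABLE, struct.pack("!I", 0))
    + encode_attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"120")
)

# Constructed sample: same VSA set to 1, so 802.1X still runs
SAMPLE_ENABLE_ACCEPT = encode_vsa(BROCADE_VENDOR_ID, FOUNDRY_802_1X_ENABLE, struct.pack("!I", 1))

if __name__ == "__main__":
    print(SAMPLE_SKIP_ACCEPT.hex())
    print(evaluate_access_accept(SAMPLE_SKIP_ACCEPT))
    print(evaluate_access_accept(SAMPLE_ENABLE_ACCEPT))
```

The length checks in the two parsers matter in practice: an attribute list from an authentication server is untrusted input to the switch, and a Length field that overruns the buffer should be rejected rather than read past. When matching the VSA, both the Vendor-Id and the Vendor-Type are compared, so a sub-attribute numbered 1 from another vendor cannot be mistaken for Foundry-802_1x-enable.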