Vlan Assignment Expires - Dell PowerConnect B-RX Configuration Manual
Bigiron rx series configuration guide v02.7.02
Hide thumbs
Also See for PowerConnect B-RX:
- Configuration manual (1458 pages) ,
- Getting started manual (32 pages) ,
- Installation manual (240 pages)
Table of Contents
Advertisement
To enable dynamic VLAN assignment for authenticated MAC addresses, you must add the following
attributes to the profile for the MAC address on the RADIUS server (dynamic VLAN assignment on
multi-device port authentication-enabled interfaces is enabled by default and can be disabled).
Refer to
set on the RADIUS server
Dynamic VLAN assignment on a multi-device port authentication-enabled interface is enabled by
default. If it is disabled, enter commands such as the following command to enable it.
BigIron RX(config)# interface e 3/1
BigIron RX(config-if-e100-3/1)# mac-authentication enable-dynamic-vlan
Syntax: [no] mac-authentication enable-dynamic-vlan
If a previous authentication attempt for a MAC address failed, and as a result the port was placed
in the restricted VLAN, but a subsequent authentication attempt was successful, the RADIUS
Access-Accept message may specify a VLAN for the port. By default, the device moves the port out
of the restricted VLAN and into the RADIUS-specified VLAN. You can optionally configure the device
to ignore the RADIUS-specified VLAN in the RADIUS Access-Accept message, and leave the port in
the restricted VLAN.
To do this, enter the following command.
BigIron RX(config)# mac-authentication no-override-restrict-vlan
Syntax: [no] mac-authentication no-override-restrict-vlan
Notes:
•
•
•
•
Specifying to which VLAN a port is moved after its RADIUS-specified
VLAN assignment expires
When a port is dynamically assigned to a VLAN through the authentication of a MAC address, and
the MAC session for that address is deleted on the BigIron RX device, then by default the port is
removed from its RADIUS-assigned VLAN and placed back in the VLAN where it was originally
assigned.
BigIron RX Series Configuration Guide
53-1001810-01
"Dynamic VLAN and ACL assignments"
For untagged ports, if the VLAN ID provided by the RADIUS server is valid, then the port is
removed from its current VLAN and moved to the RADIUS-specified VLAN as an untagged port.
If you configure dynamic VLAN assignment on a multi-device port authentication enabled
interface, and the Access-Accept message returned by the RADIUS server does not contain a
Tunnel-Private-Group-ID attribute, then it is considered an authentication failure, and the
configured authentication failure action is performed for the MAC address.
If the <vlan-name> string does not match either the name or the ID of a VLAN configured on
the device, then it is considered an authentication failure, and the configured authentication
failure action is performed for the MAC address.
If an untagged port had previously been assigned to a VLAN though dynamic VLAN assignment,
and then another MAC address is authenticated on the same port, but the RADIUS
Access-Accept message for the second MAC address specifies a different VLAN, then it is
considered an authentication failure for the second MAC address, and the configured
authentication failure action is performed. Note that this applies only if the first MAC address
has not yet aged out. If the first MAC address has aged out, then dynamic VLAN assignment
would work as expected for the second MAC address.
Configuring multi-device port authentication
on page 928 for a list of the attributes that must be
31
933
Advertisement
Table of Contents
