Disabling And Enabling Strict Security Mode For Dynamic Filter Assignment - Dell PowerConnect B-RX Configuration Manual

BigIron RX Series Configuration Guide v02.8.00

BigIron RX Series Configuration Guide
53-1002253-01
Configuring 802.1x port security

• If the <vlan-name> string does not match the name of a VLAN, the BigIron RX checks whether
the string, when converted to a number, matches the ID of a VLAN configured on the device. If
it does, then the client's port is placed in the VLAN with that ID.
• If the <vlan-name> string does not match either the name or the ID of a VLAN configured on
the device, then the client will not become authorized.

The show interface command displays the VLAN to which an 802.1x-enabled port has been
dynamically assigned, as well as the VLAN from which it was moved (that is, the port's default VLAN).
Refer to "Displaying dynamically assigned VLAN information" on page 986 for sample output
indicating the port's dynamically assigned VLAN.

Dynamic multiple VLAN assignment for 802.1X ports

BigIron RX Series supports 802.1x authentication on untagged ports only. When the RADIUS server
specifies an untagged VLAN ID, the port default VLAN ID (or PVID) is changed from the system
DEFAULT-VLAN (VLAN 1) to the specified VLAN ID. The port transmits only untagged traffic on its
PVID. For more information, refer to "Dynamic multiple VLAN assignment for Multi-device port
authentication" on page 931.
For a configuration example, refer to "802.1X Authentication with dynamic VLAN assignment" on
page 992.

Considerations for dynamic VLAN assignment in an 802.1x multiple client configuration

The following considerations apply when a Client in an 802.1x multiple client configuration is
successfully authenticated, and the RADIUS Access-Accept message specifies a VLAN for the port:

• If the port is not already a member of a RADIUS-specified VLAN, and the RADIUS Access-Accept
message specifies the name or ID of a valid VLAN on the Brocade BigIron RX, then the port is
placed in that VLAN.
• If the port is already a member of a RADIUS-specified VLAN, and the RADIUS Access-Accept
message specifies the name or ID of a different VLAN, then it is considered an authentication
failure. The port's VLAN membership is not changed.
• If the port is already a member of a RADIUS-specified VLAN, and the RADIUS Access-Accept
message specifies the name or ID of that same VLAN, then traffic from the Client is forwarded
normally.
• If the RADIUS Access-Accept message specifies the name or ID of a VLAN that does not exist
on the Brocade BigIron RX, then it is considered an authentication failure.
• If the RADIUS Access-Accept message does not contain any VLAN information, the Client's
dot1x-mac-session is set to "access-is-allowed". If the port is already in a RADIUS-specified
VLAN, it remains in that VLAN.

Disabling and enabling strict security mode for dynamic filter assignment

By default, 802.1x dynamic filter assignment operates in strict security mode. When strict security
mode is enabled, 802.1x authentication for a port fails if the Filter-ID attribute contains invalid
information, or if insufficient system resources are available to implement the per-user IP ACLs or
MAC address filters specified in the Vendor-Specific attribute.
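The dynamic VLAN assignment rules listed above (name-then-ID matching of the <vlan-name> string, and the multiple client considerations) can be modeled to check which VLAN strings a RADIUS policy may safely return for a shared port. This is an added example, not code from the manual or from the device; the VLAN table, the Port class, the outcome strings and the exact, case-sensitive name match are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed VLAN table (ID -> name); not taken from the manual.
VLANS: Dict[int, str] = {1: "DEFAULT-VLAN", 10: "staff", 20: "guest"}

@dataclass
class Port:
    # VLAN a previously authenticated client's Access-Accept put the port in,
    # or None while the port is still in its default VLAN.
    radius_vlan: Optional[int] = None

def resolve_vlan(vlan_string: str, vlans: Dict[int, str]) -> Optional[int]:
    """Match the string against VLAN names first, then against VLAN IDs."""
    for vid, name in vlans.items():
        if name == vlan_string:  # assumption: exact, case-sensitive match
            return vid
    if vlan_string.isascii() and vlan_string.isdigit() and int(vlan_string) in vlans:
        return int(vlan_string)
    return None

def apply_access_accept(port: Port, vlan_string: Optional[str],
                        vlans: Dict[int, str] = VLANS) -> str:
    """Return the outcome the manual describes; move the port only when allowed."""
    if vlan_string is None:
        return "access-is-allowed"           # no VLAN information: port VLAN unchanged
    vid = resolve_vlan(vlan_string, vlans)
    if vid is None:
        return "auth-failure: unknown VLAN"  # neither a name nor an ID on the device
    if port.radius_vlan is None:
        port.radius_vlan = vid               # port is placed in the specified VLAN
        return f"placed in VLAN {vid}"
    if port.radius_vlan == vid:
        return "forwarded normally"          # same VLAN as the port is already in
    return "auth-failure: different VLAN"    # membership is not changed

if __name__ == "__main__":
    port = Port()
    # Constructed sequence of clients authenticating on one multi-client port.
    for value in ["staff", "10", "guest", "99", None]:
        print(repr(value), "->", apply_access_accept(port, value),
              "| port VLAN:", port.radius_vlan)
```

In the constructed run, the third client is rejected even though "guest" is a valid VLAN, because the first client already moved the port into VLAN 10.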
