PowerConnect B-Series FCX Configuration Guide
53-1002266-01
Configuring 802.1X port security

• A dynamic IP ACL will take precedence over an IP ACL that is bound to a port (port ACL). When a client authenticates with a dynamic IP ACL, the port ACL will not be applied. Also, future clients on the same port will authenticate with a dynamic IP ACL or no IP ACL. If no clients on the port use dynamic ACL, then the port ACL will be applied to all traffic.

Disabling and enabling strict security mode for dynamic filter assignment

By default, 802.1X dynamic filter assignment operates in strict security mode. When strict security mode is enabled, 802.1X authentication for a port fails if the Filter-ID attribute contains invalid information, or if insufficient system resources are available to implement the per-user IP ACLs or MAC address filters specified in the Vendor-Specific attribute.

When strict security mode is enabled:
• If the Filter-ID attribute in the Access-Accept message contains a value that does not refer to an existing filter (that is, a MAC address filter or IP ACL configured on the device), then the port will not be authenticated, regardless of any other information in the message (for example, if the Tunnel-Private-Group-ID attribute specifies a VLAN on which to assign the port).
• If the Vendor-Specific attribute specifies the syntax for a filter, but there are insufficient system resources to implement the filter, then the port will not be authenticated.
• If the device does not have the system resources available to dynamically apply a filter to a port, then the port will not be authenticated.

NOTE
If the Access-Accept message contains values for both the Filter-ID and Vendor-Specific attributes, then the value in the Vendor-Specific attribute (the per-user filter) takes precedence.
Also, if authentication for a port fails because the Filter-ID attribute referred to a non-existent filter, or there were insufficient system resources to implement the filter, then a Syslog message is generated.

When strict security mode is disabled:
• If the Filter-ID attribute in the Access-Accept message contains a value that does not refer to an existing filter (that is, a MAC address filter or IP ACL configured on the device), then the port is still authenticated, but no filter is dynamically applied to it.
• If the Vendor-Specific attribute specifies the syntax for a filter, but there are insufficient system resources to implement the filter, then the port is still authenticated, but the filter specified in the Vendor-Specific attribute is not applied to the port.

By default, strict security mode is enabled for all 802.1X-enabled interfaces, but you can manually disable or enable it, either globally or for specific interfaces.

To disable strict security mode globally, enter the following commands.
PowerConnect(config)#dot1x-enable
PowerConnect(config-dot1x)#no global-filter-strict-security

After you globally disable strict security mode, you can re-enable it by entering the following command.
PowerConnect(config-dot1x)#global-filter-strict-security

Syntax: [no] global-filter-strict-security

To disable strict security mode for a specific interface, enter commands such as the following.
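The strict and non-strict decision rules described above, modelled as an added Python example (not code from the guide or from the PowerConnect firmware). The configured filter names, the free_filter_slots resource counter and the Syslog text are assumptions chosen so that the outcome of each rule can be checked.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for the MAC address filters and IP ACLs configured on the switch.
CONFIGURED_FILTERS = {"guest-acl": "ip-acl", "printer-mac": "mac-filter"}


@dataclass
class AccessAccept:
    """The RADIUS Access-Accept attributes the guide says the switch inspects."""
    filter_id: Optional[str] = None          # Filter-ID: name of a filter on the device
    vendor_specific: Optional[str] = None    # Vendor-Specific: per-user filter syntax
    tunnel_private_group_id: Optional[str] = None  # VLAN; cannot rescue a failed filter


@dataclass
class Outcome:
    authenticated: bool
    applied_filter: Optional[str]
    syslog: list = field(default_factory=list)


def decide(msg: AccessAccept, strict: bool, free_filter_slots: int,
           configured=CONFIGURED_FILTERS) -> Outcome:
    """Apply the guide's rules to one port. free_filter_slots is an assumed
    model of 'system resources available to implement the filter'."""

    def fail_or_skip(reason: str) -> Outcome:
        # Strict mode: the port is not authenticated and a Syslog message is generated.
        # Non-strict mode: the port is authenticated, but no filter is applied to it.
        if strict:
            return Outcome(False, None, [f"802.1X dynamic filter assignment failed: {reason}"])
        return Outcome(True, None, [])

    # The per-user filter in the Vendor-Specific attribute takes precedence over Filter-ID.
    if msg.vendor_specific is not None:
        if free_filter_slots <= 0:
            return fail_or_skip("insufficient resources for Vendor-Specific filter")
        return Outcome(True, msg.vendor_specific)
    if msg.filter_id is not None:
        if msg.filter_id not in configured:
            return fail_or_skip(f"Filter-ID {msg.filter_id!r} is not a configured filter")
        if free_filter_slots <= 0:
            return fail_or_skip("insufficient resources to apply Filter-ID filter")
        return Outcome(True, msg.filter_id)
    # No filter attributes at all: ordinary authentication, no dynamic filter.
    return Outcome(True, None)
```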