Dell PowerConnect B-RX Configuration Manual page 1008
Bigiron rx series configuration guide v02.8.00
Hide thumbs
Also See for PowerConnect B-RX:
- Configuration manual (1436 pages) ,
- Getting started manual (32 pages) ,
- Installation manual (240 pages)
Table of Contents
Advertisement
31
Configuring multi-device port authentication
For a configuration example, refer to
page 972.
Configuring a port to remain in the restricted VLAN after a successful
authentication attempt
If a previous authentication attempt for a MAC address failed, and as a result the port was placed
in the restricted VLAN, but a subsequent authentication attempt was successful, the RADIUS
Access-Accept message may specify a VLAN for the port. By default, the Brocade device moves the
port out of the restricted VLAN and into the RADIUS-specified VLAN. You can optionally configure
the device to leave the port in the restricted VLAN. To do this, enter the following command.
BigIron RX(config)# mac-authentication no-override-restrict-vlan
Syntax: [no] mac-authentication no-override-restrict-vlan
When the above command is applied, if the RADIUS-specified VLAN configuration is tagged (e.g.,
T:1024) and the VLAN is valid, then the port is placed in the RADIUS-specified VLAN as a tagged
port and left in the restricted VLAN. If the RADIUS-specified VLAN configuration is untagged (e.g.,
U:1024), the configuration from the RADIUS server is ignored, and the port is left in the restricted
VLAN.
Notes:
•
•
•
•
•
•
932
If you configure dynamic VLAN assignment on a multi-device port authentication enabled
interface, and the Access-Accept message returned by the RADIUS server does not contain a
Tunnel-Private-Group-ID attribute, then it is considered an authentication failure, and the
configured authentication failure action is performed for the MAC address.
If the <vlan-name> string does not match either the name or the ID of a VLAN configured on
the device, then it is considered an authentication failure, and the configured authentication
failure action is performed for the MAC address.
For untagged ports, if the VLAN ID provided by the RADIUS server is valid, then the port is
removed from its current VLAN and moved to the RADIUS-specified VLAN as an untagged port.
For tagged or dual-mode ports, if the VLAN ID provided by the RADIUS server does not match
the VLAN ID in the tagged packet that contains the authenticated MAC address as its source
address, then it is considered an authentication failure, and the configured authentication
failure action is performed for the MAC address.
If an untagged port had previously been assigned to a VLAN though dynamic VLAN assignment,
and then another MAC address is authenticated on the same port, but the RADIUS
Access-Accept message for the second MAC address specifies a different VLAN, then it is
considered an authentication failure for the second MAC address, and the configured
authentication failure action is performed. Note that this applies only if the first MAC address
has not yet aged out. If the first MAC address has aged out, then dynamic VLAN assignment
would work as expected for the second MAC address. "
For dual mode ports, if the RADIUS server returns T:<vlan-name>, the traffic will still be
forwarded in the statically assigned PVID. If the RADIUS server returns U:<vlan-name>, the
traffic will not be forwarded in the statically assigned PVID.
"Configuring dynamic VLAN assignment for 802.1x ports"
BigIron RX Series Configuration Guide
53-1002253-01
on
Advertisement
Table of Contents
