Disabling And Enabling Strict Security Mode For Dynamic Filter Assignment - Dell PowerConnect B-RX Configuration Manual

•
•
The show interface command displays the VLAN to which an 802.1x-enabled port has been
dynamically assigned, as well as the port from which it was moved (that is, the port's default VLAN).
Refer to
indicating the port's dynamically assigned VLAN.
Considerations for dynamic VLAN assignment in an
802.1x multiple client configuration
The following considerations apply when a Client in a 802.1x multiple client configuration is
successfully authenticated, and the RADIUS Access-Accept message specifies a VLAN for the port:
•
•
•
•
•
Disabling and enabling strict security mode for dynamic
filter assignment
By default, 802.1x dynamic filter assignment operates in strict security mode. When strict security
mode is enabled, 802.1x authentication for a port fails if the Filter-ID attribute contains invalid
information, or if insufficient system resources are available to implement the per-user IP ACLs or
MAC address filters specified in the Vendor-Specific attribute.
When strict security mode is enabled:
•
•
•
BigIron RX Series Configuration Guide
53-1001986-01
If the <vlan-name> string does not match the name of a VLAN, the BigIron RX checks whether
the string, when converted to a number, matches the ID of a VLAN configured on the device. If
it does, then the client's port is placed in the VLAN with that ID.
If the <vlan-name> string does not match either the name or the ID of a VLAN configured on
the device, then the client will not become authorized.
"Displaying dynamically assigned VLAN information"
If the port is not already a member of a RADIUS-specified VLAN, and the RADIUS Access-Accept
message specifies the name or ID of a valid VLAN on the Brocade BigIron RX, then the port is
placed in that VLAN.
If the port is already a member of a RADIUS-specified VLAN, and the RADIUS Access-Accept
message specifies the name or ID of a different VLAN, then it is considered an authentication
failure. The port's VLAN membership is not changed.
If the port is already a member of a RADIUS-specified VLAN, and the RADIUS Access-Accept
message specifies the name or ID of that same VLAN, then traffic from the Client is forwarded
normally.
If the RADIUS Access-Accept message specifies the name or ID of a VLAN that does not exist
on the Brocade BigIron RX, then it is considered an authentication failure.
If the RADIUS Access-Accept message does not contain any VLAN information, the Client's
dot1x-mac-session is set to "access-is-allowed". If the port is already in a RADIUS-specified
VLAN, it remains in that VLAN.
If the Filter-ID attribute in the Access-Accept message contains a value that does not refer to
an existing filter (that is, a MAC address filter or IP ACL configured on the device), then the
client will not be authenticated, regardless of any other information in the message (for
example, if the Tunnel-Private-Group-ID attribute specifies a VLAN to which to assign the port).
If the Vendor-Specific attribute specifies the syntax for a filter, but there are insufficient system
resources to implement the filter, then the port will not be authenticated.
If the device does not have the system resources available to dynamically apply a filter to a
port, then the port will not be authenticated.
Configuring 802.1x port security
on page 969 for sample output
33
957