Dynamically Applying Existing ACLs or MAC Address Filter - Dell PowerConnect B-RX Configuration Manual

BigIron RX Series supporting Multi-Service IronWare v02.7.03

33 Configuring 802.1x port security
NOTE
If the Access-Accept message contains values for both the Filter-ID and Vendor-Specific
attributes, then the value in the Vendor-Specific attribute (the per-user filter) takes
precedence.
Also, if authentication for a port fails because the Filter-ID attribute referred to a non-existent
filter, or there were insufficient system resources to implement the filter, then a Syslog
message is generated.

When strict security mode is disabled:
- If the Filter-ID attribute in the Access-Accept message contains a value that does not refer to
  an existing filter (that is, a MAC address filter or IP ACL configured on the device), then the port
  is still authenticated, but no filter is dynamically applied to it.
- If the Vendor-Specific attribute specifies the syntax for a filter, but there are insufficient system
  resources to implement the filter, then the port is still authenticated, but the filter specified in
  the Vendor-Specific attribute is not applied to the port.

By default, strict security mode is enabled for all 802.1x-enabled interfaces, but you can manually
disable or enable it, either globally or for specific interfaces.
To disable strict security mode globally, enter the following commands.
BigIron RX(config)# dot1x-enable
BigIron RX(config-dot1x)# no global-filter-strict-security
After you have globally disabled strict security mode on the device, you can re-enable it by entering
the following command.
BigIron RX(config-dot1x)# global-filter-strict-security
Syntax: [no] global-filter-strict-security
To disable strict security mode for a specific interface, enter commands such as the following.
BigIron RX(config)# interface e 1
BigIron RX(config-if-e10000-1)# no dot1x filter-strict-security
To re-enable strict security mode for an interface, enter the following command.
BigIron RX(config-if-e10000-1)# dot1x filter-strict-security
Syntax: [no] dot1x filter-strict-security
The output of the show dot1x and show dot1x config commands has been enhanced to indicate
whether strict security mode is enabled or disabled globally and on an interface.

Dynamically applying existing ACLs or MAC address filter

When a port is authenticated using 802.1x security, an IP ACL or MAC address filter that exists in
the running configuration on the BigIron RX can be dynamically applied to the port. To do this, you
configure the Filter-ID (type 11) attribute on the RADIUS server. The Filter-ID attribute specifies the
name or number of the Brocade IP ACL or MAC address filter.
The following is the syntax for configuring the Filter-ID attribute to refer to a Brocade IP ACL or MAC
address filter.
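The strict-mode and Filter-ID rules described on this page can be modelled to audit RADIUS policy against the filters configured on the switch. The following Python model is an added example, not part of the configuration guide: the function names, users and filter names are constructed, and Filter-ID values are treated as bare filter names or numbers because the exact attribute syntax is not reproduced on this page.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Outcome:
    authenticated: bool
    applied: Optional[str]  # filter that ends up on the port, None if none


def evaluate(strict, device_filters, filter_id=None, per_user=None,
             per_user_fits=True):
    """Model one Access-Accept against the rules described on this page."""
    # A Vendor-Specific (per-user) filter takes precedence over Filter-ID.
    if per_user is not None:
        if per_user_fits:
            return Outcome(True, "per-user: " + per_user)
        # Insufficient resources: strict mode fails the port, non-strict
        # mode authenticates it with no filter applied.
        return Outcome(not strict, None)
    if filter_id is not None:
        if filter_id in device_filters:
            return Outcome(True, filter_id)
        # Filter-ID names no ACL or MAC filter in the running configuration.
        return Outcome(not strict, None)
    return Outcome(True, None)  # no filter requested


def audit(radius_filter_ids, device_filters, strict):
    """Return {user: effect} for each user left without a filter."""
    findings = {}
    for user, fid in radius_filter_ids.items():
        out = evaluate(strict, device_filters, filter_id=fid)
        if out.applied is None:
            findings[user] = ("authentication fails" if not out.authenticated
                              else "authenticated WITHOUT filter")
    return findings


# Constructed sample data (assumption): filters in the running configuration
# and the Filter-ID value RADIUS returns per user, as bare names/numbers.
DEVICE_FILTERS = {"100", "guest-acl"}
RADIUS_FILTER_IDS = {"alice": "100", "bob": "guest-alc"}  # bob: typo in name

if __name__ == "__main__":
    for strict in (True, False):
        print("strict" if strict else "non-strict",
              audit(RADIUS_FILTER_IDS, DEVICE_FILTERS, strict))
```

With strict security mode disabled, the mistyped Filter-ID leaves the port authenticated with no filter, so a check of this kind is most useful before disabling strict mode.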
BigIron RX Series Configuration Guide
53-1001986-01