Brocade Communications Systems Brocade ICX 6650 6650 User Manual
Brocade ICX 6650 Security Configuration Guide
263
53-1002601-01
Example port authentication configurations
mac-authentication enable
mac-authentication auth-fail-vlan-id 1023
mac-authentication auth-fail-vlan-id 1023
interface ethernet 1/1/1
mac-authentication enable
mac-authentication auth-fail-action restrict-vlan
mac-authentication enable-dynamic-vlan
dual-mode
mac-authentication enable
mac-authentication auth-fail-action restrict-vlan
mac-authentication enable-dynamic-vlan
dual-mode
Examples of multi-device port authentication and 802.1X
authentication configuration on the same port
authentication configuration on the same port
The following examples show configurations that use multi-device port authentication and 802.1X
authentication on the same port.
authentication on the same port.
Example 1 — Multi-device port authentication and 802.1x authentication on the
same port
same port
illustrates an example configuration that uses multi-device port authentication and
802.1X authentication n the same port. In this configuration, a PC and an IP phone are connected
to port e 1/1/3 on a Brocade device. Port e 1/1/3 is configured as a dual-mode port.
to port e 1/1/3 on a Brocade device. Port e 1/1/3 is configured as a dual-mode port.
The profile for the PC MAC address on the RADIUS server specifies that the PC should be
dynamically assigned to VLAN "Login-VLAN", and the RADIUS profile for the IP phone specifies that
it should be dynamically assigned to the VLAN named "IP-Phone-VLAN". When User 1 is
successfully authenticated using 802.1X authentication, the PC is then placed in the VLAN named
"User-VLAN".
dynamically assigned to VLAN "Login-VLAN", and the RADIUS profile for the IP phone specifies that
it should be dynamically assigned to the VLAN named "IP-Phone-VLAN". When User 1 is
successfully authenticated using 802.1X authentication, the PC is then placed in the VLAN named
"User-VLAN".
NOTE
This example assumes that the IP phone initially transmits untagged packets (for example, CDP or
DHCP packets), which trigger the authentication process on the Brocade device and client lookup
on the RADIUS server. If the phone sends only tagged packets and the port (e 1/1/3) is not a
member of that VLAN, authentication would not occur. In this case, port e 1/1/3 must be added to
that VLAN prior to authentication.
DHCP packets), which trigger the authentication process on the Brocade device and client lookup
on the RADIUS server. If the phone sends only tagged packets and the port (e 1/1/3) is not a
member of that VLAN, authentication would not occur. In this case, port e 1/1/3 must be added to
that VLAN prior to authentication.