Brocade Communications Systems Brocade ICX 6650 6650 Manual De Usuario
198
Brocade ICX 6650 Security Configuration Guide
53-1002601-01
Sample 802.1X configurations
Brocade(config)#interface ethernet 1/2/1
Brocade(config-if-e10000-1/2/1)# dot1x port-control auto
Brocade(config-if-e10000-1/2/1)# exit
Brocade(config-if-e10000-1/2/1)# dot1x port-control auto
Brocade(config-if-e10000-1/2/1)# exit
802.1X authentication with dynamic VLAN assignment
illustrates 802.1X authentication with dynamic VLAN assignment. In this configuration,
two user PCs are connected to a hub, which is connected to port e1/2/1. Port e1/2/1 is configured
as a dual-mode port. Both PCs transmit untagged traffic. The profile for User 1 on the RADIUS
server specifies that User 1 PC should be dynamically assigned to VLAN 3. The RADIUS profile for
User 2 on the RADIUS server specifies that User 2 PC should be dynamically assigned to VLAN 20.
as a dual-mode port. Both PCs transmit untagged traffic. The profile for User 1 on the RADIUS
server specifies that User 1 PC should be dynamically assigned to VLAN 3. The RADIUS profile for
User 2 on the RADIUS server specifies that User 2 PC should be dynamically assigned to VLAN 20.
FIGURE 8
Sample configuration using 802.1X authentication with dynamic VLAN assignment
In this example, the PVID for port e1/2/1 would be changed based on the first host to be
successfully authenticated. If User 1 is authenticated first, then the PVID for port e1/2/1 is
changed to VLAN 3. If User 2 is authenticated first, then the PVID for port e1/2/1 is changed to
VLAN 20. Since a PVID cannot be changed by RADIUS authentication after it has been dynamically
assigned, if User 2 is authenticated after the port PVID was changed to VLAN 3, then User 2 would
not be able to gain access to the network.
successfully authenticated. If User 1 is authenticated first, then the PVID for port e1/2/1 is
changed to VLAN 3. If User 2 is authenticated first, then the PVID for port e1/2/1 is changed to
VLAN 20. Since a PVID cannot be changed by RADIUS authentication after it has been dynamically
assigned, if User 2 is authenticated after the port PVID was changed to VLAN 3, then User 2 would
not be able to gain access to the network.
If there were only one device connected to the port, and authentication failed for that device, it
could be placed into the restricted VLAN, where it could gain access to the network.
could be placed into the restricted VLAN, where it could gain access to the network.
The portion of the running-config related to 802.1X authentication is as follows.
dot1x-enable
re-authentication
servertimeout 10
timeout re-authperiod 10
auth-fail-action restricted-vlan
re-authentication
servertimeout 10
timeout re-authperiod 10
auth-fail-action restricted-vlan
Hub
Untagged
Untagged
User 1
MAC: 0000.007f.2e0a
User 2
MAC: 0000.008e.86ac
Port e1/2/1
Dual Mode
Dual Mode
Brocade Switch
RADIUS Server
Tunnel-Private-Group-ID:
User 1 -> “U:3”
User 2 -> “U:20”
Tunnel-Private-Group-ID:
User 1 -> “U:3”
User 2 -> “U:20”