Brocade Communications Systems Brocade ICX 6650 6650 User Manual

Brocade ICX 6650 Security Configuration Guide
53-1002601-01
MAC-based VLAN configuration
Using MAC-based VLANs and 802.1X security on the same port
On Brocade devices, MAC-based VLANs and 802.1X security can be configured on the same port. 
When both of these features are enabled on the same port, MAC-based VLAN is performed prior to 
802.1X authentication. If MAC-based VLAN is successful, 802.1X authentication may be 
performed, based on the configuration of a vendor-specific attribute (VSA) in the profile for the MAC 
address on the RADIUS server.
When both features are configured on a port, a device connected to the port is authenticated as 
follows.
1. MAC-based VLAN is performed on the device to authenticate the device MAC address.
2. If MAC-based VLAN is successful, the device then checks to see if the RADIUS server included 
the Foundry-802_1x-enable VSA (described in 
) in the Access-Accept message that 
authenticated the device.
3. If the Foundry-802_1x-enable VSA is not present in the Access-Accept message, or is present 
and set to 1, then 802.1X authentication is performed for the device.
4. If the Foundry-802_1x-enable VSA is present in the Access-Accept message, and is set to 0, 
then 802.1X authentication is skipped. 
Configuring generic and Brocade vendor-specific attributes on the RADIUS server
If the RADIUS authentication process is successful, the RADIUS server sends an Access-Accept 
message to the Brocade device, authenticating the device. The Access-Accept message includes 
Vendor-Specific Attributes (VSAs) that specify additional information about the device. 
Add Brocade vendor-specific attributes to your RADIUS server configuration, and configure the 
attributes in the individual or group profiles of the devices that will be authenticated. The Brocade 
vendor-ID is 1991, vendor-type 1. 
 lists generic RADIUS attributes. 
 lists Brocade 
Vendor-Specific Attributes.
TABLE 46 Generic RADIUS attributes

| Attribute name | Attribute ID | Data type | Optional or mandatory | Description |
|---|---|---|---|---|
| Tunnel-Type | 64 | 13 decimal VLAN | Mandatory | RFC 2868. |
| Tunnel-Medium-Type | 65 | 6 decimal 802 | Mandatory | RFC 2868. |
| Tunnel-Private-Group-ID | 81 | decimal | Mandatory | RFC 2868. vlan-id or U:vlan-id – a MAC-based VLAN ID configured on the Brocade device. |
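
Added example (not from the Brocade guide): a Python audit of decoded RADIUS profiles that checks the mandatory tunnel attributes from the table above and applies steps 3 and 4 of the authentication sequence to report which MAC addresses will skip 802.1X. The profile layout, MAC addresses, VLAN IDs, the 1-4094 VLAN range and the handling of VSA values other than 0 or 1 are assumptions made for the example.

```python
import re

# Constructed sample profiles: decoded Access-Accept attributes keyed by MAC.
# MAC addresses, VLAN IDs and this dict layout are assumptions for the example.
PROFILES = {
    "0000.5e00.5301": {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
                       "Tunnel-Private-Group-ID": "U:20"},
    "0000.5e00.5302": {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
                       "Tunnel-Private-Group-ID": "30", "Foundry-802_1x-enable": 0},
    "0000.5e00.5303": {"Tunnel-Type": 13, "Tunnel-Private-Group-ID": "U:vlan40",
                       "Foundry-802_1x-enable": 1},
}

VLAN_RE = re.compile(r"^(?:U:)?(\d+)$")  # vlan-id or U:vlan-id

def tunnel_errors(attrs):
    """Check the three mandatory RFC 2868 attributes listed in the table."""
    errors = []
    if attrs.get("Tunnel-Type") != 13:
        errors.append("Tunnel-Type must be 13 (VLAN)")
    if attrs.get("Tunnel-Medium-Type") != 6:
        errors.append("Tunnel-Medium-Type must be 6 (802)")
    m = VLAN_RE.match(str(attrs.get("Tunnel-Private-Group-ID", "")))
    # Assumption: valid VLAN IDs are 1-4094 (the page gives no range).
    if not m or not 1 <= int(m.group(1)) <= 4094:
        errors.append("Tunnel-Private-Group-ID must be vlan-id or U:vlan-id")
    return errors

def dot1x_follows(attrs):
    """Steps 3 and 4: 802.1X runs if the VSA is absent or 1, is skipped if 0."""
    value = attrs.get("Foundry-802_1x-enable")
    if value is None or value == 1:
        return True
    if value == 0:
        return False
    # Assumption: any other value is treated as a profile error.
    raise ValueError(f"unexpected Foundry-802_1x-enable value: {value!r}")

def audit(profiles):
    """Return {mac: (tunnel errors, whether 802.1X follows MAC-based VLAN)}."""
    return {mac: (tunnel_errors(a), dot1x_follows(a)) for mac, a in profiles.items()}

if __name__ == "__main__":
    for mac, (errors, dot1x) in audit(PROFILES).items():
        state = "802.1X performed" if dot1x else "802.1X SKIPPED (MAC-only)"
        print(mac, state, "; ".join(errors) or "tunnel attributes ok")
```

Profiles reported as skipping 802.1X admit a device on its MAC address alone, so each one should correspond to a deliberate exception.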