Brocade Communications Systems Brocade ICX 6650 User Manual

Brocade ICX 6650 Security Configuration Guide
53-1002601-01
Multi-device port authentication and 802.1X security on the same port
 auth-fail-vlanid 1023
 mac-session-aging no-aging permitted-mac-only
 enable ethe 1/2/1 to 1/2/4 
!
!
!
interface ethernet 1/2/1
 dot1x port-control auto
 dual-mode 
If User 1 is successfully authenticated before User 2, the PVID for port e1/2/1 would be changed 
from the default VLAN to VLAN 3.
Had User 2 been the first to be successfully authenticated, the PVID would be changed to 20, and 
User 1 would not be able to gain access to the network. If there were only one device connected to 
the port that was sending untagged traffic, and 802.1X authentication failed for that device, it 
would be placed in the restricted VLAN 1023, and would be able to gain access to the network. 
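The order dependence described above can be checked with a small model. This is an added example, not code from the Brocade guide. It assumes the default VLAN is 1, that a later device whose RADIUS VLAN matches the current PVID is admitted, and that a device failing 802.1X after the PVID has already been set is blocked; the function names are hypothetical.

```python
"""Model of first-authenticated-wins PVID assignment on a dual-mode port."""
from itertools import permutations

DEFAULT_VLAN = 1        # assumption: the guide only says "the default VLAN"
AUTH_FAIL_VLAN = 1023   # auth-fail-vlanid 1023 from the configuration above


def replay(events):
    """Replay 802.1X results for untagged devices in the order they complete.

    events: ordered (device, vlan) pairs; vlan is the RADIUS-assigned VLAN,
            or None when 802.1X authentication failed for that device.
    Returns (final PVID, {device: VLAN it can use, or None if blocked}).
    """
    pvid, claimed, access = DEFAULT_VLAN, False, {}
    for device, vlan in events:
        target = AUTH_FAIL_VLAN if vlan is None else vlan
        if not claimed:
            # The first result moves the PVID off the default VLAN. A lone
            # failing device lands in the restricted VLAN and keeps access.
            pvid, claimed = target, True
            access[device] = pvid
        elif vlan is not None and vlan == pvid:
            access[device] = pvid    # assumption: matching VLAN is admitted
        else:
            access[device] = None    # PVID already fixed by an earlier device
    return pvid, access


def lockout_risk(profiles):
    """Devices that lose access under at least one authentication order.

    profiles: {device: RADIUS VLAN or None} for devices sharing one port.
    """
    at_risk = set()
    for order in permutations(profiles.items()):
        _, access = replay(order)
        at_risk |= {dev for dev, vlan in access.items() if vlan is None}
    return at_risk


if __name__ == "__main__":
    # Constructed sample matching the scenario in the text above.
    print(replay([("User 1", 3), ("User 2", 20)]))
    print(replay([("User 2", 20), ("User 1", 3)]))
    print(replay([("PC", None)]))
    print(sorted(lockout_risk({"User 1": 3, "User 2": 20})))
```

A non-empty result from lockout_risk means the RADIUS profiles for devices sharing the port assign different untagged VLANs, so which device gets access depends on authentication order.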
Multi-device port authentication and 802.1X security on the same port
You can configure the Brocade device to use multi-device port authentication and 802.1X security 
on the same port:
• The multi-device port authentication feature allows you to configure a Brocade device to 
  forward or block traffic from a MAC address based on information received from a RADIUS 
  server. Incoming traffic originating from a given MAC address is switched or forwarded by the 
  device only if the source MAC address is successfully authenticated by a RADIUS server. The 
  MAC address itself is used as the username and password for RADIUS authentication. A 
  connecting user does not need to provide a specific username and password to gain access to 
  the network.
• The IEEE 802.1X standard is a means for authenticating devices attached to LAN ports. Using 
  802.1X port security, you can configure a Brocade device to grant access to a port based on 
  information supplied by a client to an authentication server.
When both of these features are enabled on the same port, multi-device port authentication is 
performed prior to 802.1X authentication. If multi-device port authentication is successful, 802.1X 
authentication may be performed, based on the configuration of a vendor-specific attribute (VSA) in 
the profile for the MAC address on the RADIUS server.
For more information, including configuration examples, see