Example port authentication configurations

Since there is no profile for the PC MAC address on the RADIUS server, multi-device port authentication for this MAC address fails. Ordinarily, depending on the configured authentication-failure action, this would mean that either the PVID for the port would be changed to that of the restricted VLAN, or traffic from this MAC address would be blocked in hardware. However, the device is configured to perform 802.1X authentication when a device fails multi-device port authentication, so when User 1 attempts to connect to the network from the PC, User 1 is subject to 802.1X authentication. If User 1 is successfully authenticated, the PVID for port e 1/1/4 is changed to the VLAN named “User-VLAN”.

NOTE

This example assumes that the IP phone initially transmits untagged packets (for example, CDP or DHCP packets), which trigger the authentication process on the Brocade device and client lookup on the RADIUS server. If the phone sends only tagged packets and the port (e 1/1/4) is not a member of that VLAN, authentication would not occur. In this case, port e 1/1/4 must be added to that VLAN prior to authentication.

To configure the device to perform 802.1X authentication when a device fails multi-device port authentication, enter the following command.

Brocade(config)# mac-authentication auth-fail-dot1x-override

Syntax: [no] mac-authentication auth-fail-dot1x-override
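The configuration that the scenario above presupposes, shown end to end as an added example. These are FastIron CLI commands as the editor recalls them, not text from this page or a Brocade-supplied configuration; the RADIUS server address and key, the VLAN IDs, and the VLAN names other than “User-VLAN” are assumptions, and each command should be checked against the relevant chapter of this guide before use.

```text
! Added example (not from this page). RADIUS address 10.10.10.5, key r4d1u5key,
! VLANs 10/20/1023 and the names Voice and Restricted are assumptions.
!
! RADIUS server used for both 802.1X and multi-device port (MAC) authentication
Brocade(config)# radius-server host 10.10.10.5 auth-port 1812 acct-port 1813 default key r4d1u5key
Brocade(config)# aaa authentication dot1x default radius
!
! VLANs: the voice VLAN the phone tags into, the VLAN RADIUS assigns to User 1
! ("User-VLAN", as named on this page), and a restricted VLAN for failures.
! Making e 1/1/4 a tagged member of the voice VLAN covers the case in the NOTE
! above where the phone sends only tagged packets.
Brocade(config)# vlan 10 name Voice
Brocade(config-vlan-10)# tagged ethernet 1/1/4
Brocade(config-vlan-10)# exit
Brocade(config)# vlan 20 name User-VLAN
Brocade(config-vlan-20)# exit
Brocade(config)# vlan 1023 name Restricted
Brocade(config-vlan-1023)# exit
!
! 802.1X must be enabled on the port, or the override has nothing to fall back to
Brocade(config)# dot1x-enable
Brocade(config-dot1x)# enable ethernet 1/1/4
Brocade(config-dot1x)# exit
!
! Multi-device port authentication: on failure, move the port to the restricted
! VLAN, unless the override hands the failed MAC address to 802.1X first
Brocade(config)# mac-authentication enable
Brocade(config)# mac-authentication auth-fail-action restrict-vlan 1023
Brocade(config)# mac-authentication auth-fail-dot1x-override
Brocade(config)# interface ethernet 1/1/4
Brocade(config-if-e10000-1/1/4)# mac-authentication enable
Brocade(config-if-e10000-1/1/4)# exit
!
! Verify: the phone MAC should pass MAC authentication, the PC MAC should show
! up as an 802.1X session after User 1 authenticates
Brocade# show mac-authentication
Brocade# show dot1x mac-sessions
```

Two points to check when using this: the override only changes what happens to a MAC address that has already failed MAC authentication, so a PC whose user never completes 802.1X still ends up subject to the configured auth-fail action (here, the restricted VLAN 1023), and the RADIUS profile for User 1 must return the “User-VLAN” assignment for the PVID change described above to take effect.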

Brocade ICX 6650 Security Configuration Guide

53-1002601-01
