BigIron RX Series Configuration Guide 941
53-1002253-01
Example configurations
31
Multi-device port authentication with dynamic
VLAN assignment
Figure 120 illustrates multi-device port authentication with dynamic VLAN assignment on a
Brocade device. In this configuration, a PC and an IP phone are connected to a hub, which is
connected to port 2/1 on a Brocade device. The profile for the PC MAC address on the RADIUS
server specifies that the PC should be dynamically assigned to VLAN 102, and the RADIUS profile
for the IP phone specifies that it should be dynamically assigned to VLAN 3.
FIGURE 120 Using multi-device port authentication with dynamic VLAN assignment
In this example, multi-device port authentication is performed for both devices. If the PC is
successfully authenticated, port 2/1 PVID is changed from VLAN 1 (the DEFAULT-VLAN) to VLAN
102. If authentication for the PC fails, then the PC can be placed in a specified “restricted” VLAN,
or traffic from the PC can be blocked in hardware. In this example, if authentication for the PC fails,
the PC would be placed in VLAN 1023, the restricted VLAN.
If authentication for the IP phone is successful, then port 2/1 is added to VLAN 3. If authentication
for the IP phone fails, then traffic from the IP phone would be blocked in hardware. (Devices
sending tagged traffic cannot be placed in the restricted VLAN.)
The part of the running-config related to multi-device port authentication would be as follows.
mac-authentication enable
mac-authentication auth-fail-vlan-id 1023
interface ethernet 2/1
mac-authentication enable
mac-authentication auth-fail-action restrict-vlan
mac-authentication enable-dynamic-vlan
mac-authentication disable-ingress-filtering
Hub
BigIron Switch
Port 2/1
Hub
Untagged
Tagged
RADIUS Server
Tunnel-Private-Group-ID:
User 0002.3f7f.2e0a -> “U:102”
User 0050.048e.86ac -> “T:3”
PC
MAC: 0002.3f7f.2e0a
IP Phone
MAC: 0050.048e.86ac
To Next Page
Loading...
