Chapter 6
Security
RUGGEDCOM ROX II
CLI User Guide
Section 6.6.1.4
Assigning VLANs with Tunnel Attributes
RUGGEDCOM ROX II supports assigning a VLAN to an authorized port using tunnel attributes, as defined in RFC 3580 [http://tools.ietf.org/html/rfc3580], when the Port Security mode is set to 802.1x or 802.1x/MAC-Auth.
In some cases, it may be desirable to allow a port to be placed into a particular VLAN, based on the authentication result. For example:
• To allow a particular device, based on its MAC address, to remain on the same VLAN as it moves within a network, configure the switches for 802.1X/MAC-Auth mode
• To allow a particular user, based on the user's login credentials, to remain on the same VLAN when the user logs in from different locations, configure the switches for 802.1X mode
If the RADIUS server wants to use this feature, it indicates the desired VLAN by including tunnel attributes in the Access-Accept message. The RADIUS server uses the following tunnel attributes for VLAN assignment:
• Tunnel-Type=VLAN (13)
• Tunnel-Medium-Type=802
• Tunnel-Private-Group-ID=VLANID
Note that VLANID is 12 bits and takes a value between 1 and 4094, inclusive. The Tunnel-Private-Group-ID is a string as defined in RFC 2868 [http://tools.ietf.org/html/rfc2868], so the VLANID integer value is encoded as a string.
If the tunnel attributes are not returned by the authentication server, the VLAN assigned to the switch port remains unchanged.
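The following example, added here and not part of the RUGGEDCOM guide or its firmware, shows what the switch-side logic described above has to do with an Access-Accept: walk the RADIUS attribute list, pick out the RFC 2868 tagged tunnel attributes (Tunnel-Type 64, Tunnel-Medium-Type 65, Tunnel-Private-Group-ID 81), check that they describe a VLAN over IEEE 802 (Tunnel-Type 13, Tunnel-Medium-Type 6), decode the VLAN ID from its string form and range-check it against 1..4094. When no tunnel attributes are present the current VLAN is kept, as the guide states. The attribute bytes are constructed in the example itself; treating a malformed or out-of-range VLAN as a hard error rather than silently keeping the old VLAN is this example's own conservative choice, not something the guide specifies.

```python
import struct

# RADIUS attribute type codes (RFC 2868) and the values RFC 3580 uses for VLANs.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type = VLAN (13)
TUNNEL_MEDIUM_802 = 6        # Tunnel-Medium-Type = 802 (IEEE 802)
VLAN_MIN, VLAN_MAX = 1, 4094  # 12-bit VLAN ID range


def encode_tagged_int(attr_type, tag, value):
    """RFC 2868 tagged integer: Type, Length=6, Tag, 3-byte big-endian value."""
    return struct.pack(">BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def encode_tagged_string(attr_type, tag, text):
    """RFC 2868 tagged string: Type, Length, Tag, octets."""
    data = text.encode("ascii")
    return struct.pack(">BBB", attr_type, 3 + len(data), tag) + data


def build_vlan_attributes(vlan_id, tag=1):
    """Construct the three tunnel attributes a RADIUS server would place in Access-Accept."""
    if not VLAN_MIN <= vlan_id <= VLAN_MAX:
        raise ValueError("VLAN ID must be between 1 and 4094")
    return (encode_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def parse_attributes(data):
    """Generic RADIUS TLV walk: Type(1) Length(1) Value(Length-2). Rejects truncation."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def split_tag(value):
    """RFC 2868: a first octet of 0x01..0x1F is a tag; larger values belong to the field."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def vlan_from_access_accept(attr_bytes, current_vlan):
    """Return the VLAN the port should be placed in after a successful authentication.

    Absent tunnel attributes -> current_vlan (unchanged, as the guide describes).
    Present but unusable (non-VLAN tunnel, non-numeric or out-of-range ID) -> ValueError,
    so the caller can decide to deny the port instead of guessing (example's own choice).
    """
    by_tag = {}
    for attr_type, value in parse_attributes(attr_bytes):
        if attr_type not in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            continue  # User-Name, Class, etc. are irrelevant to VLAN assignment
        tag, body = split_tag(value)
        entry = by_tag.setdefault(tag, {})
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            entry["group"] = body
        else:
            entry[attr_type] = int.from_bytes(body, "big")

    if not by_tag:
        return current_vlan  # no tunnel attributes: leave the port's VLAN as configured

    for _tag, entry in sorted(by_tag.items()):
        if entry.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN:
            continue
        if entry.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_802:
            continue
        group = entry.get("group")
        if group is None:
            continue
        try:
            vlan = int(group.decode("ascii"))  # VLANID is carried as a decimal string
        except (UnicodeDecodeError, ValueError):
            raise ValueError("Tunnel-Private-Group-ID is not a numeric VLAN ID")
        if not VLAN_MIN <= vlan <= VLAN_MAX:
            raise ValueError("VLAN ID out of range")
        return vlan
    raise ValueError("tunnel attributes present but do not describe an 802 VLAN")


if __name__ == "__main__":
    # Constructed sample: a server assigns VLAN 100 to a port currently in VLAN 1.
    print(vlan_from_access_accept(build_vlan_attributes(100), current_vlan=1))
```

Auditing note: when troubleshooting a port that lands in an unexpected VLAN, the three attributes above (and their shared tag octet) are what to look for in a capture of the Access-Accept; a server that emits only one or two of them, or a numeric ID outside 1..4094, will not move the port.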
Section 6.6.2
Configuring Port Security
To configure port security for a switched Ethernet port, do the following:
1. Make sure the CLI is in Configuration mode.
2. Navigate to interface» switch» {slot}» {port}» port-security, where {slot} is the module and {port} is the switched Ethernet port.
3. Configure the port security settings by configuring the following parameter(s) as required:
NOTE
If shutdown-enable is enabled and shutdown-time is not defined, the port will remain disabled following a security violation until manually reset.
Parameter: security-mode { security-mode }
Synopsis: { dot1x_mac_auth, dot1x, per_macaddress, off }
Default: off
Description: The security mode for the port. Options include:
• dot1x_mac_auth - IEEE 802.1X with MAC authentication protocols are applied to the port. Until the client is authenticated by an IEEE 802.1X server, only EAPoL packets or packets from other network control protocols are forwarded. If the client does not support IEEE 802.1X supplicant functionality, the router sends the client's MAC address to the server as the username and password for authentication.
• dot1x - IEEE 802.1X authentication protocols are applied to the port. Until the client is authenticated by an IEEE 802.1X server, only EAPoL packets or packets from other network control protocols are forwarded.