Use case 2: MAC authentication with dynamic VLAN assignment

This use case shows the configuration required on a Brocade switch to authenticate a non-802.1X-capable client by way of MAC authentication and assign the client to a VLAN dynamically. In the following example, after authentication, the printer will be placed in VLAN 200.

Figure 14  MAC authentication with dynamic VLAN assignment

RADIUS configuration

Create a device profile for the printer's MAC address on the RADIUS server and configure the following attributes.

Table 27 RADIUS attributes for printer profile

Attribute              Value
---------------------  --------
Tunnel-Medium-Type     IEEE-802
Tunnel-Pvt-Group-ID    200
Tunnel-Type            VLAN

Brocade switch configuration

  1. Specify RADIUS as the authentication server. The following command configures the switch to use the configured RADIUS server to authenticate both 802.1X and MAC authentication clients.
    device(config)# aaa authentication dot1x default radius
  2. Configure a RADIUS server. In the following example, the RADIUS server IP address is 10.20.64.208 and the shared key is "secret". The shared key should match the key given during client configuration on the RADIUS server. UDP port 1812 is used for RADIUS authentication messages and UDP port 1813 is used for RADIUS accounting messages.
    device(config)# radius-server host 10.20.64.208 auth-port 1812 acct-port 1813 default key secret dot1x mac-auth web-auth
  3. Create a VLAN to be used as the auth-default VLAN. This VLAN must be configured before authentication can be enabled. When any port is enabled for 802.1X authentication or MAC authentication, the port is moved into this VLAN by default as a MAC VLAN member. The RADIUS server may also authenticate a client without returning any VLAN information about where the client should be placed; the auth-default VLAN is used in that case as well.
    device(config)# vlan 2 name auth-default-vlan
    device(config-vlan-2)# exit
  4. Create the VLANs that RADIUS will assign to clients. RADIUS will return VLAN 200 for the printer. This VLAN must be active on the Brocade switch. A VLAN is active when it has at least one untagged or tagged member port. In the example, VLAN 200 is made active by adding the unused port 2/1/12 as an untagged member.
    device(config)# vlan 200
    device(config-vlan-200)# untagged ethernet 2/1/12
    device(config-vlan-200)# exit
  5. Specify which VLAN ID to use as the auth-default VLAN under authentication mode. Refer to step 3 for the use of the auth-default VLAN.
    device(config)# authentication
    device(config-authen)# auth-default-vlan 2
  6. Enable MAC authentication globally under authentication mode, then enable MAC authentication on port 1/1/11.
    device(config)# authentication
    device(config-authen)# mac-auth enable
    device(config-authen)# mac-auth enable ethernet 1/1/11
    device(config-authen)# exit
  7. To verify the authentication-related configuration on the switch, use the show run authentication command. Authentication-related configurations are stored under the keyword "authentication".
    device# show run authentication
    authentication
     critical-vlan 601
     auth-default-vlan 2
     mac-authentication enable
     mac-authentication enable ethernet 1/1/11
    !
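The attributes in Table 27 reach the switch as tagged tunnel attributes (RFC 2868) inside the RADIUS Access-Accept, and step 3 describes what happens when they are missing. The following added example, which is not part of the Brocade documentation or any Brocade or RADIUS product code, encodes the printer profile's three attributes, parses them back, and applies the same decision the switch makes: use the returned VLAN when the triple is complete and consistent, otherwise fall back to the auth-default VLAN. The function and variable names are the example's own; the attribute numbers and enumerated values come from RFC 2868.

```python
import struct

# RFC 2868 attribute types and the enumerated values behind Table 27
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13       # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6  # Tunnel-Medium-Type = IEEE-802

def tagged_int(attr_type, tag, value):
    """Tagged integer tunnel attribute: Type, Length=6, Tag, 3-octet value."""
    return struct.pack(">BBB", attr_type, 6, tag) + value.to_bytes(3, "big")

def tagged_string(attr_type, tag, text):
    """Tagged string tunnel attribute: Type, Length, Tag, String."""
    body = bytes([tag]) + text.encode()
    return struct.pack(">BB", attr_type, 2 + len(body)) + body

def build_vlan_attributes(vlan_id, tag=1):
    """Attribute bytes a RADIUS server returns for the printer profile (constructed sample)."""
    return (tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))

def parse_attributes(data):
    """Split a RADIUS attribute list into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def assigned_vlan(attrs, auth_default_vlan):
    """VLAN the switch should use: the Tunnel-Private-Group-ID of a triple that shares
    one tag and carries Tunnel-Type=VLAN and Tunnel-Medium-Type=IEEE-802; otherwise
    the auth-default VLAN, as step 3 describes."""
    groups = {}
    for t, v in attrs:
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(v) == 4:
            groups.setdefault(v[0], {})[t] = int.from_bytes(v[1:], "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID and v:
            # A leading octet of 0x00-0x1F is a tag; anything larger is already the string
            tag, text = (v[0], v[1:]) if v[0] <= 0x1F else (0, v)
            groups.setdefault(tag, {})[t] = text.decode(errors="replace")
    for g in groups.values():
        vid = g.get(TUNNEL_PRIVATE_GROUP_ID, "")
        if (g.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and g.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and vid.isascii() and vid.isdigit() and 1 <= int(vid) <= 4094):
            return int(vid)
    return auth_default_vlan
```

With the page's values, a reply carrying the three attributes for VLAN 200 yields 200, while a reply with no tunnel attributes or with only part of the triple falls back to the auth-default VLAN 2.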