BigIron RX Series Configuration Guide 95753-1001986-01Configuring 802.1x port security 33• If the string does not match the name of a VLAN, the BigIron RX checks whetherthe string, when converted to a number, matches the ID of a VLAN configured on the device. Ifit does, then the client’s port is placed in the VLAN with that ID.• If the string does not match either the name or the ID of a VLAN configured onthe device, then the client will not become authorized.The show interface command displays the VLAN to which an 802.1x-enabled port has beendynamically assigned, as well as the port from which it was moved (that is, the port’s default VLAN).Refer to “Displaying dynamically assigned VLAN information” on page 969 for sample outputindicating the port’s dynamically assigned VLAN.Considerations for dynamic VLAN assignment in an802.1x multiple client configurationThe following considerations apply when a Client in a 802.1x multiple client configuration issuccessfully authenticated, and the RADIUS Access-Accept message specifies a VLAN for the port:• If the port is not already a member of a RADIUS-specified VLAN, and the RADIUS Access-Acceptmessage specifies the name or ID of a valid VLAN on the Brocade BigIron RX, then the port isplaced in that VLAN.• If the port is already a member of a RADIUS-specified VLAN, and the RADIUS Access-Acceptmessage specifies the name or ID of a different VLAN, then it is considered an authenticationfailure. The port’s VLAN membership is not changed.• If the port is already a member of a RADIUS-specified VLAN, and the RADIUS Access-Acceptmessage specifies the name or ID of that same VLAN, then traffic from the Client is forwardednormally.• If the RADIUS Access-Accept message specifies the name or ID of a VLAN that does not existon the Brocade BigIron RX, then it is considered an authentication failure.• If the RADIUS Access-Accept message does not contain any VLAN information, the Client’sdot1x-mac-session is set to “access-is-allowed”. If the port is already in a RADIUS-specifiedVLAN, it remains in that VLAN.Disabling and enabling strict security mode for dynamicfilter assignmentBy default, 802.1x dynamic filter assignment operates in strict security mode. When strict securitymode is enabled, 802.1x authentication for a port fails if the Filter-ID attribute contains invalidinformation, or if insufficient system resources are available to implement the per-user IP ACLs orMAC address filters specified in the Vendor-Specific attribute.When strict security mode is enabled:• If the Filter-ID attribute in the Access-Accept message contains a value that does not refer toan existing filter (that is, a MAC address filter or IP ACL configured on the device), then theclient will not be authenticated, regardless of any other information in the message (forexample, if the Tunnel-Private-Group-ID attribute specifies a VLAN to which to assign the port).• If the Vendor-Specific attribute specifies the syntax for a filter, but there are insufficient systemresources to implement the filter, then the port will not be authenticated.• If the device does not have the system resources available to dynamically apply a filter to aport, then the port will not be authenticated.