960   BigIron RX Series Configuration Guide   53-1001986-01
Configuring 802.1x port security   33

Configuring per-user IP ACLs or MAC address filters

Per-user IP ACLs and MAC address filters make use of the Vendor-Specific (type 26) attribute to dynamically apply filters to ports. Defined in the Vendor-Specific attribute are Brocade ACL or MAC address filter statements. When the RADIUS server returns the Access-Accept message granting a client access to the network, the BigIron RX reads the statements in the Vendor-Specific attribute and applies these IP ACLs or MAC address filters to the client’s port. When the client disconnects from the network, the dynamically applied filters are no longer applied to the port. If any filters had been applied to the port previous to the client connecting, then those filters are reapplied to the port.

The following is the syntax for configuring the BigIron RX Vendor-Specific attribute with ACL or MAC address filter statements.

Value            Description
ipacl.e.in=      Applies the specified extended ACL entries to the 802.1x
                 authenticated port in the inbound direction.
macfilter.in=    Applies the specified MAC address filter entries to the 802.1x
                 authenticated port in the inbound direction.

The following table shows examples of IP ACLs and MAC address filters configured in the Brocade Vendor-Specific attribute on a RADIUS server. These IP ACLs and MAC address filters follow the same syntax as other Brocade ACLs and MAC address filters. Refer to Chapter 21, “Access Control List” for information on syntax.

MAC address filter                     Vendor-specific attribute on RADIUS server
MAC address filter with one entry      macfilter.in= deny any any
MAC address filter with two entries    macfilter.in= permit 0000.0000.3333 ffff.ffff.0000 any,
                                       macfilter.in= permit 0000.0000.4444 ffff.ffff.0000 any

The RADIUS server allows one instance of the Vendor-Specific attribute to be sent in an Access-Accept message. However, the Vendor-Specific attribute can specify multiple IP ACLs or MAC address filters. You can use commas, semicolons, or carriage returns to separate the filters (for example ipacl.e.in= permit ip any any,ipacl.e.in = deny ip any any).

Enabling 802.1x port security

By default, 802.1x port security is disabled on BigIron RX devices. To enable the feature on the device and enter the dot1x configuration level, enter the following command.

BigIron RX(config)# dot1x-enable
BigIron RX(config-dot1x)#

Syntax: [no] dot1x-enable

At the dot1x configuration level, you can enable 802.1x port security on all interfaces at once, on individual interfaces, or on a range of interfaces.

For example, to enable 802.1x port security on all interfaces on the device, enter the following command.

BigIron RX(config-dot1x)# enable all

Syntax: [no] enable all
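
Added example (not from the Brocade guide and not the BigIron RX's own parser): a Python check an administrator could run over the filter string configured in the Vendor-Specific attribute on the RADIUS server, as described under "Configuring per-user IP ACLs or MAC address filters", before the device applies it to a client's port. It splits on the separators the guide lists and flags catch-all permits and entries placed after a catch-all; the function names, the extra line-feed separator, and the in-order, first-match evaluation are assumptions.

```python
import re

# Prefixes documented in the guide; anything else is rejected.
KNOWN_PREFIXES = ("ipacl.e.in", "macfilter.in")
# Guide: commas, semicolons, or carriage returns. Assumption: line feed too.
SEPARATORS = re.compile(r"[,;\r\n]+")
ENTRY = re.compile(r"^\s*([A-Za-z.]+)\s*=\s*(\S.*?)\s*$")
# Filter strings taken from the guide's own examples.
SAMPLE_IP = "ipacl.e.in= permit ip any any,ipacl.e.in = deny ip any any"
SAMPLE_MAC = ("macfilter.in= permit 0000.0000.3333 ffff.ffff.0000 any,"
              "macfilter.in= permit 0000.0000.4444 ffff.ffff.0000 any")


def parse_vsa(value):
    """Split one attribute string into (prefix, statement) pairs."""
    filters = []
    for chunk in SEPARATORS.split(value):
        if not chunk.strip():
            continue
        m = ENTRY.match(chunk)
        if not m or m.group(1) not in KNOWN_PREFIXES:
            raise ValueError(f"unrecognised filter entry: {chunk.strip()!r}")
        filters.append((m.group(1), " ".join(m.group(2).split())))
    return filters


def is_catch_all(prefix, stmt):
    """True for '<permit|deny> ip any any' / '<permit|deny> any any'."""
    tail = ["ip", "any", "any"] if prefix == "ipacl.e.in" else ["any", "any"]
    words = stmt.split()
    return words[:1] in (["permit"], ["deny"]) and words[1:] == tail


def audit(filters):
    """Review findings; assumes entries are evaluated in order, first match wins."""
    findings, closed = [], {}
    for prefix, stmt in filters:
        if prefix in closed:
            findings.append(f"{prefix}: '{stmt}' is never reached after '{closed[prefix]}'")
        elif is_catch_all(prefix, stmt):
            closed[prefix] = stmt
            if stmt.startswith("permit"):
                findings.append(f"{prefix}: '{stmt}' permits all traffic on the port")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_IP, SAMPLE_MAC):
        print(parse_vsa(sample), audit(parse_vsa(sample)))
```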