BigIron RX Series Configuration Guide 53-1001810-01
33 Configuring 802.1x port security

NOTE: If the Access-Accept message contains values for both the Filter-ID and Vendor-Specific attributes, then the value in the Vendor-Specific attribute (the per-user filter) takes precedence.

Also, if authentication for a port fails because the Filter-ID attribute referred to a non-existent filter, or there were insufficient system resources to implement the filter, then a Syslog message is generated.

When strict security mode is disabled:

• If the Filter-ID attribute in the Access-Accept message contains a value that does not refer to an existing filter (that is, a MAC address filter or IP ACL configured on the device), then the port is still authenticated, but no filter is dynamically applied to it.
• If the Vendor-Specific attribute specifies the syntax for a filter, but there are insufficient system resources to implement the filter, then the port is still authenticated, but the filter specified in the Vendor-Specific attribute is not applied to the port.

By default, strict security mode is enabled for all 802.1x-enabled interfaces, but you can manually disable or enable it, either globally or for specific interfaces.

To disable strict security mode globally, enter the following commands.

BigIron RX(config)# dot1x-enable
BigIron RX(config-dot1x)# no global-filter-strict-security

After you have globally disabled strict security mode on the device, you can re-enable it by entering the following command.

BigIron RX(config-dot1x)# global-filter-strict-security

Syntax: [no] global-filter-strict-security

To disable strict security mode for a specific interface, enter commands such as the following.

BigIron RX(config)# interface e 1
BigIron RX(config-if-e10000-1)# no dot1x filter-strict-security

To re-enable strict security mode for an interface, enter the following command.

BigIron RX(config-if-e10000-1)# dot1x filter-strict-security

Syntax: [no] dot1x filter-strict-security

The output of the show dot1x and show dot1x config commands has been enhanced to indicate whether strict security mode is enabled or disabled globally and on an interface.

Dynamically applying existing ACLs or MAC address filter

When a port is authenticated using 802.1x security, an IP ACL or MAC address filter that exists in the running configuration on the device can be dynamically applied to the port. To do this, you configure the Filter-ID (type 11) attribute on the RADIUS server. The Filter-ID attribute specifies the name or number of the Brocade IP ACL or MAC address filter.
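
An added example, not from the Brocade guide: a Python check that reports where strict security mode has been left disabled, since in that state a port is still authenticated even when the filter named by the RADIUS server cannot be applied. The sample configuration is constructed, the function name is hypothetical, and the script assumes the configuration text shows the commands in the form they are entered, indented under their context.

```python
import re

# Constructed sample (not from the guide). Assumption: the configuration text
# lists the commands in the form they are entered, indented under their context.
SAMPLE_CONFIG = """\
dot1x-enable
 no global-filter-strict-security
!
interface e 1
 no dot1x filter-strict-security
!
interface e 2
 no dot1x filter-strict-security
 dot1x filter-strict-security
!
interface e 3
"""

GLOBAL_CMD = re.compile(r"^(no )?global-filter-strict-security$")
IFACE_CMD = re.compile(r"^(no )?dot1x filter-strict-security$")


def strict_security_disabled(config_text):
    """Return scopes ("global" or an interface name) with strict mode disabled."""
    # The last statement in a scope wins; no statement means the default (enabled).
    disabled = {}
    scope = None
    for raw in config_text.splitlines():
        line = " ".join(raw.split())          # normalise internal whitespace
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():              # unindented line opens a new context
            if line == "dot1x-enable":
                scope = "global"
            elif line.startswith("interface "):
                scope = line[len("interface "):]
            else:
                scope = None
            continue
        pattern = GLOBAL_CMD if scope == "global" else IFACE_CMD
        match = pattern.match(line) if scope else None
        if match:
            disabled[scope] = match.group(1) is not None
    return sorted(s for s, off in disabled.items() if off)


if __name__ == "__main__":
    print("\n".join(strict_security_disabled(SAMPLE_CONFIG)))
```

The result lists the global scope and each interface separately and does not assume how a global setting and a per-interface setting combine; confirm the effective state with show dot1x and show dot1x config.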