Ethernet Switches & Routers

Contributor
Posts: 24
Registered: ‎03-28-2014

FastIron mac-authentication

Hello,

 

Recently I have been trying to figure out a way of authenticating both a PC and a Phone on a Foundry FastIron GS648P Switch. For the moment I am still unlucky, as apparently some of the commands specified in the Foundry documentation appear to be absent from my switch. To clarify, I am speaking of the following:

 

mac-authentication enable
mac-authentication auth-fail-vlan-id 1023
interface ethernet 1
dual-mode - Exists, but only if I manually tag the interface with a VLAN before (this is not what I want, I am looking for dynamic VLAN assignment, achieved by the RADIUS server)
mac-authentication enable
mac-authentication auth-fail-action restrict-vlan
mac-authentication enable-dynamic-vlan
mac-authentication disable-ingress-filtering - Does not exist at all, even though the final release notes state that it is valid for versions above FSX 04.2.00. Current version is 5.0.01.

 

Any ideas, please? Upgrade?

 

Thank you

 

Regards

 

Stoimen Hristov

Contributor
Posts: 24
Registered: ‎03-28-2014

Re: FastIron mac-authentication

Hello, I upgraded the version but disable-ingress-filtering is still not present...

 

Any ideas?

 

Thank you

Frequent Contributor
Posts: 144
Registered: ‎11-07-2013

Re: FastIron mac-authentication

Hi Stoimen,

    You cannot have a port in two VLANs untagged (mac-authentication auth-fail-action restrict-vlan would override dot1x from memory).

 

    Most VoIP systems can be set up in a tagged VLAN (e.g. the phone system and phones will add the tag). I suggest you use dual mode with a tagged VLAN for voice, and untagged for data.

 

Thanks

Michael. 

Contributor
Posts: 24
Registered: ‎03-28-2014

Re: FastIron mac-authentication

Hello Michael,

 

This has been achieved already with phones supporting CDP. With LLDP ones, I still experience problems even though I have upgraded to version 7.

 

What I want to do is to be able to authenticate both the phone and a PC behind it. To do so, I will tag the VLAN VOICE and put a specified interface in dual-mode (VLAN 1 - default).

 

I want phones to be authenticated by MAC, and PCs by dot1x as well as to be dynamically assigned a VLAN and a PVID.

 

This must be possible, at least I hope. Have you tested such a config?

 

Thank you 

Frequent Contributor
Posts: 144
Registered: ‎11-07-2013

Re: FastIron mac-authentication

 

No, I have not done the exact same setup; close but not exact, e.g. I did not use authentication by MAC in that way.

 

However, the Brocade way of doing what you want to achieve is to use a MAC filter for the VoIP setup to bypass 802.1X (the filter locks it down by a wildcard filter).

 

Have a look at the config guide for 7.4 and search for "MAC address filter override for 802.1X-enabled ports" (in 7.4.00a it is page 572).

 

Thanks

Michael.

