
21 December 2005

Foundry IEEE 802.1x

How to configure a Foundry switch to authenticate users through the IEEE 802.1x clients on their PCs.

You need to enable RADIUS authentication for 802.1x on the switch first:

BigIron(config)# aaa authentication dot1x default radius

Then you need to tell it the RADIUS server's IP and the other parameters (the authentication and accounting ports, and the shared key):

BigIron(config)# radius-server host auth-port 1812 acct-port 1813 default key abc123 dot1x

Now let only one user have access to ethernet port "3/2":

BigIron(config)# int e 3/2
BigIron(config-if-e100-3/2)# port security
BigIron(config-port-security-e100-3/2)# maximum 2
BigIron(config-port-security-e100-3/2)# exit

Then enable 802.1x on the switch, and enable the multi-user policy:

BigIron(config)# dot1x enable
BigIron(config-dot1x)# multi-user-policy enable

And enable flow-based ACLs on the interface:

BigIron(config)# interface e 3/11
BigIron(config-if-e1000-3/11)# ip access-group flow-mode

Configure a placeholder ACL, just a dummy ACL with a fake IP in it, so that the first packet of each session is redirected to the CPU:

BigIron(config)# access-list 131 deny tcp host any
BigIron(config)# access-list 131 deny udp host any
BigIron(config)# access-list 131 deny icmp host any
BigIron(config)# access-list 131 permit ip any any

BigIron(config)# interface e 3/11
BigIron(config-if-e1000-3/11)# ip access-group flow-mode
BigIron(config-if-e1000-3/11)# ip access-group 131 in
BigIron(config-if-e1000-3/11)# ip access-group 131 out
BigIron(config-if-e1000-3/11)# exit

So, if the source MAC address of the flow is already associated with a successfully authenticated 802.1X host that has a dynamically assigned IP ACL, then that dynamically assigned IP ACL is applied to the flow. When a port is authenticated using 802.1X security, an IP ACL or MAC address filter that exists in the running-config on the Foundry device can be dynamically applied to the port. To do this, you configure the Filter-ID (type 11) attribute on the RADIUS server. The Filter-ID attribute specifies the name or number of the Foundry IP ACL or MAC address filter. For example, "" applies the specified numbered ACL to the 802.1X authenticated port in the inbound direction.

So, to configure a dynamic ACL to permit incoming traffic from , then add the following command on the switch: "access-list 2 permit host", and then make the RADIUS server send the following attribute value: "".
You may do the same with a MAC filter by applying the following command on the switch: "mac filter 2 permit 3333.3333.3333 ffff.ffff.ffff any etype eq 0800" and letting the RADIUS server send this: "".
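To make the RADIUS side of this concrete, here is an added example (not from the original post or from Foundry) that builds the Access-Accept the RADIUS server would return, carrying the Filter-ID (type 11) attribute, and then parses it the way the switch has to: verifying the Response Authenticator against the shared key "abc123" before trusting any ACL reference inside. The Filter-ID string "ip.2.in" is an assumed Foundry-style value (ACL 2, inbound), since the post leaves the exact string out.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2            # RFC 2865 packet code
ATTR_FILTER_ID = 11          # RFC 2865 Filter-ID, carries the Foundry ACL reference
SHARED_SECRET = b"abc123"    # the "default key abc123" from the switch configuration
SAMPLE_FILTER_ID = "ip.2.in" # assumed value: Foundry-style "ip.<acl-number>.in"

def encode_attribute(attr_type, value):
    """RADIUS TLV: Type, Length (covers both header bytes), Value; max 255 total."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a RADIUS TLV")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_accept(identifier, request_authenticator, filter_id):
    """Access-Accept with one Filter-ID attribute. Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) per RFC 2865 s.3."""
    attrs = encode_attribute(ATTR_FILTER_ID, filter_id.encode())
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + SHARED_SECRET).digest()
    return header + resp_auth + attrs

def parse_access_accept(packet, request_authenticator):
    """Check the Response Authenticator and return the Filter-ID values found.
    A reply whose authenticator does not match the shared key is rejected, which is
    how the switch detects a forged or mis-keyed RADIUS reply before applying an ACL."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Accept")
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + SHARED_SECRET).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch (wrong shared key or tampered reply)")
    filters, pos = [], 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        if attr_type == ATTR_FILTER_ID:
            filters.append(packet[pos + 2:pos + attr_len].decode())
        pos += attr_len
    return filters

if __name__ == "__main__":
    # Constructed sample: identifier 7 and a fixed Request Authenticator stand in
    # for the values the switch would have sent in its Access-Request.
    req_auth = bytes(range(16))
    reply = build_access_accept(7, req_auth, SAMPLE_FILTER_ID)
    print(parse_access_accept(reply, req_auth))
```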

Foundry, Configuring 802.1X Port Security
Foundry, Software-Based IP Access Control Lists (ACLs)
