User Guide

OmniAccess SafeGuard OS Administration Guide
Chapter 6: Configuring Authentication and Role Derivation
Configuring User Authentication
This section explains the different types of user authentication available in SafeGuard OS.
It also explains how to configure the SafeGuard device using the CLI to achieve the
maximum benefit in your deployment. It contains the following sections:
Authentication Concepts
Limiting Access with Trusted Servers
Maintaining the Host Mapping Table
Working with Protocol Data Unit Parsers
Configuring Captive Portal
Configuring MAC-Based RADIUS
Authentication Concepts
An integral part of any security solution is access control, which is the way you control
user access into the network and what services users are allowed to use after they have
access.
Authentication, Authorization, and Accounting (AAA) is an industry-accepted
framework that implements access control. This chapter focuses on the authentication
component and how SafeGuard OS offers a wide variety of implementation features that
can be tailored to various types of network configurations.
Users in the network belong to one of two groups: authenticated users and
unauthenticated users. Unauthenticated users are users that have not authenticated, or
have tried to authenticate and failed. These users are placed in the unauthenticated user
role (for more information on roles, see Role Derivation on page 276). Authenticated users
are users that have authenticated through either an active mechanism (Captive Portal,
802.1x), or a passive mechanism (snooped Kerberos or RADIUS). When a user is
authenticated, they are granted additional network access, as defined by their
user-specific role.
Authentication is defined as the process by which we map or associate a user’s identity
with a set of user hosts. SafeGuard OS supports two forms of authentication: active and
passive.
During active authentication, SafeGuard OS interacts directly with the end user’s
host machine to obtain the authentication status of a client. Examples of active
authentication are:
HTTP-based Captive Portal
MAC-based RADIUS
IEEE 802.1x with either local or RADIUS backend (SafeGuard Switch only)