Switch User Manual

ManualsBrandsEnterasys Networks ManualsSwitchSECURESTACK 9034313-07

741

742

743

744

745

746

747

748

749

750

Overview of Authentication and Authorization Methods

26-2 Authentication and Authorization Configuration

TACACS+application.WhenRADIUSorTACACS+isenabled,thisessentiallyoverrideslogin

useraccounts.WhenHACAisactiveperavalidRADIUSorTACACS+configuration,theuser

namesandpasswordsusedtoaccesstheswitchviaTelnet,SSH,WebView,andCOMports

willbevalidatedagainsttheconfiguredRADIUSserver.Only

inthecaseofaRADI US 

timeoutwillthosecredentialsbecomparedagainstcredentialslocallyconfiguredonthe

switch.

Fordetails,referto“ConfiguringRADIUS”onpage 26‐6.

•SNMPuserorcommunitynames–allowsaccesstotheSecureStackC3switchviaanetwork

SNMPmanagementapplication.Toaccesstheswitch,youmustenteranSNMPuseror

communitynamestring.Thelevelofmanagementaccessisdependenton

theassociated

accesspolicy.Fordetails,refertoChapter 8.

• 802.1XPortBasedNetworkAccessControlusingEAPOL(ExtensibleAuthenticationProtocol)

–providesamechanismviaaRADIUSserverforadministra tors tosecurelyauthenticateand

grantappropriateaccesstoenduserdevicescommunicatingwithSecureStackC3ports.For

detailsonusingCLI

commandstoconfigure802.1X,referto“Configuring802.1X

Authentication”onpage 26 ‐15.

•MACAuthentication–providesamechanismforadministratorstosecurelyauthenticate

sourceMACaddressesandgrantappropriateaccesstoenduserdevicescommunicatingwith

SecureStackC3ports.Fordetails,referto“ConfiguringMACAuthentication”onpage 26‐25.

•MultipleAuthenticationMethods–allowsuserstoauthenticateusingmultiplemethodsof

authenticationonthesameport.Fordetails,referto“ConfiguringMultipleAuthentication

Methods”onpage 26‐37.

•Multi‐UserAuthentication—allowsmultipleusersanddevicesonthesameportto

authenticateusinganysupportedauthenticationmethod.Eachuseror

devicecanbemapped

tothesameordifferentrolesusingEnterasyspolicyforaccesscontrol,VLANauthorization,

trafficratelimiting,andqualityofservice.Thisisthemostflexibleandpreferredmethodto

useforVoIP(PCdaisychainedtoaphone).Fordetails,referto“AboutMulti‐User

Authentication”onpage 26 ‐37.RefertoAppendix A,PolicyandAuthenticationCapacities,

foralistingofthenumberofusersperportsupportedbytheSecureStackC3.

•User+IPPhone(Legacyfeature)—TheUser+IPPhoneauthenticationfeatureprovides

legacysupportforauthenticati onandauthorizationoftwodevices,

specificallyaPCcascaded

withaVLAN‐taggingIPphone,onasingleportonthe

switch.TheIPphonemust

authenticateusingMACor802.1Xauthentication,but theusermayauthenticatebyany

method.Thisfeatureallowsboththeuser’sPCandIPphonetosimultaneouslyauthenticate

onasingleportandeachreceiveauniq uelevelofnetworkaccess.Fordetails,referto

“Configuring

User+IPPhoneAuthentication”onpage 26‐48.

•RFC3580tunnelattributesprovideamechanismtocontainan802.1X,MAC,orPWA

authenticatedusertoaVLANregardlessofthePVID.Thisfeaturedynamicallyassignsa

VLANbasedontheRFC3580tunnelattributesreturnedintheRADIUSacceptmessage.Refer



to“ConfiguringVLANAuthorization(RFC3580)”onpage 26‐49.

• ConfiguringPolicyMaptableResponse—allowsyoutodefinehowthesystemshouldhandle

allowinganauthenticateduserontoaportbasedonthecontentsoftheRADIUSserver

Access‐Acceptreply.Therearethreepossibleresponsesettings:tunnelmode,policy

mode,or

Note: To configure EAP pass-through, which allows client authentication packets to be forwarded

through the switch to an upstream device, 802.1X authentication must be globally disabled with the

set dot1x command.

Note: User + IP Phone authentication is a legacy feature that should only be used if you have

already implemented User + IP Phone in your network with switches that do not support true

multi-user authentication.