Switch User Manual

ManualsBrandsEnterasys Networks ManualsSwitchSECURESTACK 9034313-07

741

742

743

744

745

746

747

748

749

750

Overview of Authentication and Authorization Methods

SecureStack C3 Configuration Guide 26-3

bothtunnelandpolicy,alsoknownashybridauthenticationmode.Referto“Configuring

PolicyMaptableResponse”onpage 26‐52.

•MACLocking–locksaporttooneormoreMACaddresses,preventingtheuseof

unauthorizeddevicesandMACspoofingontheportFordetails,referto“ConfiguringMAC

Locking

”onpage 26‐57.

•PortWebAuthentication(PWA)–passesalllogininform ationfromtheendstationtoa

RADIUSserverforau thenticationbeforeallowingausertoaccessthenetwork.PWAisan

alternativeto802.1XandMACauthentication.Fordetails,referto“ConfiguringPortWeb

Authentication(PWA)”

onpage 26‐68.

•SecureShell(SSH)–providessecureTelnet.Fordetails,referto“ConfiguringSecureShell

(SSH)”onpage 26‐80.

•IPAccessLists(ACLs)–permitsordeniesaccesstoroutinginterfacesbasedonprotocoland

inboundand/oroutboundIPaddressrestrictionsconfiguredinaccesslists.Fordetails,referto



“ConfiguringAccessLists”onpage 26‐82.

• TACACS+(TerminalAccessControllerAccess‐ControlSystemPlus)

– asecurityprotocol

developedbyCiscoSystemsthatcanbeusedasanalternativetothestandardRADIUS

securityprotocol(RFC2865).TACACS+runsoverTCPandencryptsthebodyofeachpacket.

RefertoChapter 27,TACACS+Configuration,forinformationaboutthecomm andsusedto

configureTACACS+.

RADIUS Filter-ID Attribute and Dynamic Policy Profile Assignment

IfyouconfigureanauthenticationmethodthatrequirescommunicationwithaRADIUSserver,

youcanusetheRADIUSFilter‐IDattributetodynamicallyassignapolicyprofileand/or

managementleveltoauthenticatingusersand/ordevices.

TheRADIUSFilter‐IDattributeissimplyastringthatisformattedintheRADIUSAccess‐

Accept

packetsentbackfromtheRADIUSservertotheswitchduringtheauthenticationprocess.

EachusercanbeconfiguredintheRADIUSserverdatabasewithaRADIUSFilter‐IDattribute

thatspecifiesthenameofthepolicyprofileand/ormanagementleveltheusershouldbeassigned

uponsuccessfulauthentication.During

theauthenticationprocess,whentheRADIUSserver

returnsaRADIUSAccess‐AcceptmessagethatincludesaFilter‐IDmatchingapolicyprofilename

configuredontheswitch,theswitchthendynamicallyappliesthepolicyprofiletothephysical

porttheuser/deviceisauthenticatingon.

Filter-ID Attribute Formats

Enterasys NetworkssupportstwoFilter‐IDformats—“decorated”and“undecorated.”The

decoratedformathasthreeforms:

•Tospecifythepolicyprofiletoassigntotheauthenticatinguser(networkaccess

authentication):

Enterasys:version=1:policy=string

wherestringspecifiesthe policyprofilename.Policyprofilenamesarecase‐sensitive.

•Tospecifyamanagementlevel(managementaccessauthentication):

Enterasys:version=1:mgmt=level

where

levelindicatesthemanagementlevel,eitherro,rw,orsu.

•Tospecifybothmanagementlevelandpolicyprofile:

Enterasys:version=1:mgmt=level:policy=string