Configuring User Authentication This chapter provides the following information about configuring and monitoring user authentication on Enterasys® N‐Series, S‐Series®, and K‐Series modular switches, A‐Series, B‐Series, C‐Series stackable fixed switches, and D‐Series, G‐Series, and I‐Series standalone fixed switches. Note: Throughout this document: • Use of the term “modular switch” indicates that the information is valid for the N-Series, S-Series, and K-Series platforms.
Why Would I Use It in My Network? • Convergence End Point (CEP) • RADIUS Snooping Note: The RADIUS Snooping user authentication feature is detailed in the Configuring RADIUS Snooping feature guide. The RADIUS Snooping feature guide can be found at: https://extranet.enterasys.com/downloads. Enterasys switch products support the configuration of up to three simultaneous authentication methods per user, with a single authentication method applied based upon MultiAuth authentication precedence.
Authentication Overview IEEE 802.1x Using EAP The IEEE 802.1x port‐based access control standard allows you to authenticate and authorize user access to the network at the port level. Access to the switch ports is centrally controlled from an authentication server using RADIUS. The Extensible Authentication Protocol (EAP), defined in RFC 3748, provides the means for communicating the authentication information.
switch can contain any Filter‐ID attribute configured on the authentication server, allowing policy to be applied for the authenticating user. PWA enhanced mode is supported. PWA enhanced mode allows a user on an un‐authenticated PWA port to enter any URL into the browser and be presented the PWA login page on their initial web access. When enhanced mode is disabled, a user must enter the correct URL to access login.
Multi-User Authentication Multi‐user authentication provides for the per‐user or per‐device provisioning of network resources when authenticating.
Figure 1 Applying Policy to Multiple Users on a Single Port [figure: three users with source MACs 00-00-00-11-11-11, 00-00-00-22-22-22 and a third, all attached to port ge.1.5, each send their authentication credentials through the switch to the RADIUS server and receive an authentication response; for each user the switch then installs a dynamic admin rule for that user's policy keyed on the user's source MAC, for example Policy 1 for SMAC 00-00-00-11-11-11.]
Figure 2 Authenticating Multiple Users With Different Methods on a Single Port [figure: User 1 (SMAC 00-00-00-11-11-11) authenticates by 802.1x and User 2 (SMAC 00-00-00-22-22-22) by PWA on the same switch port; the switch's MultiAuth (MAU) logic handles both methods against the RADIUS server.]
Figure 3 Selecting Authentication Method When Multiple Methods are Validated [figure: three users, identified by source MAC, hold MultiAuth sessions on the switch; the authentication agent selects which validated method (802.1x among them) is applied to each user.]
Required authentication credentials depend upon the authentication method being used. For 802.1x and PWA authentication, the switch sends username and password credentials to the authentication server. For MAC authentication, the switch sends the device MAC address and a password configured on the switch to the authentication server. The authentication server verifies the credentials and returns an Accept or Reject message back to the switch.
RFC 3580 Enterasys switches support the RFC 3580 RADIUS tunnel attribute for dynamic VLAN assignment. The VLAN‐Tunnel‐Attribute implements the provisioning of service in response to a successful authentication. On ports that do not support policy, the packet will be tagged with the VLAN‐ID. The VLAN‐Tunnel‐Attribute defines the base VLAN‐ID to be applied to the user.
• Value: Indicates the type of tunnel. A value of 0x0D (decimal 13) indicates that the tunneling protocol is a VLAN. Tunnel‐Medium‐Type indicates the transport medium to use when creating a tunnel for the tunneling protocol, which is determined from the Tunnel‐Type attribute.
• A problem with moving an end system to a new VLAN is that the end system must be issued an IP address on the subnet of the VLAN it has just joined. If the end system does not yet have an IP address, this is not usually a problem. However, if the end system already has an IP address, the lease of that address must time out before it attempts to obtain a new address, which may take some time.
authorization is enabled globally and on the authenticating user’s port, the VLAN specified by the tunnel attributes is applied to the authenticating user. If VLAN authorization is not enabled, the VLAN specified by the policy profile is applied. See “RFC 3580” on page 10 for information about VLAN authorization.
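The following is an added example, not code from the Enterasys guide, showing the RFC 3580 tunnel attributes discussed above in practice: it encodes and decodes the three RFC 2868 attributes (Tunnel-Type 64 with value 13 for VLAN, Tunnel-Medium-Type 65 with value 6 for 802, Tunnel-Private-Group-ID 81 carrying the VLAN ID) including the tag octet, and then applies the guide's rule for choosing between the tunnel VLAN and the policy-profile VLAN depending on whether VLAN authorization is enabled. The attribute numbers and the 802 medium value come from the RFCs; the fallback to the policy-profile VLAN when the tunnel attributes are unusable is an assumption made here for simplicity.

```python
# Added example, not code from the Enterasys guide: encode and decode the RFC 2868
# tunnel attributes that RFC 3580 uses for dynamic VLAN assignment, then apply the
# guide's rule for choosing between the tunnel VLAN and the policy-profile VLAN.
import struct

TUNNEL_TYPE = 64                 # RFC 2868 attribute numbers
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13            # 0x0D: the tunneling protocol is a VLAN
TUNNEL_MEDIUM_IEEE_802 = 6       # 802 (Ethernet) transport medium


def encode_vlan_tunnel_attrs(vlan_id, tag=0):
    """Build the three attributes as raw RADIUS TLVs (type, length, value)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00-0x1F")
    # Tunnel-Type and Tunnel-Medium-Type: one tag octet followed by a 3-octet value.
    tunnel_type = bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")
    medium_type = bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")
    # Tunnel-Private-Group-ID: the VLAN ID as a string, preceded by the tag octet
    # only when a non-zero tag groups the three attributes together.
    group_id = (bytes([tag]) if tag else b"") + str(vlan_id).encode()
    out = b""
    for attr_type, value in ((TUNNEL_TYPE, tunnel_type),
                             (TUNNEL_MEDIUM_TYPE, medium_type),
                             (TUNNEL_PRIVATE_GROUP_ID, group_id)):
        out += struct.pack(">BB", attr_type, len(value) + 2) + value
    return out


def parse_attrs(data):
    """Split a RADIUS attribute list into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def tunnel_vlan(attrs):
    """Return the VLAN ID from a consistent RFC 3580 attribute set, or None.

    Attributes are grouped by tag; a group counts only if Tunnel-Type is VLAN,
    Tunnel-Medium-Type is 802 and Tunnel-Private-Group-ID is a valid VLAN number.
    """
    by_tag = {}
    for attr_type, value in attrs:
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                return None                    # integer tunnel attrs are always 4 octets
            by_tag.setdefault(value[0], {})[attr_type] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # A leading octet of 0x00-0x1F is a tag; anything else is part of the string.
            if value and value[0] <= 0x1F:
                tag, group = value[0], value[1:]
            else:
                tag, group = 0, value
            by_tag.setdefault(tag, {})[attr_type] = group
    for _tag, group in sorted(by_tag.items()):
        if group.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN:
            continue
        if group.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802:
            continue
        vid_text = group.get(TUNNEL_PRIVATE_GROUP_ID)
        if vid_text and vid_text.isdigit() and 1 <= int(vid_text) <= 4094:
            return int(vid_text)
    return None


def assigned_vlan(attrs, policy_profile_vlan, vlan_authorization_enabled):
    """Guide rule: with VLAN authorization enabled (globally and on the port) the
    tunnel VLAN is applied; otherwise the policy profile's VLAN is applied.
    Falling back to the profile VLAN when the tunnel attributes are unusable is an
    assumption here; the guide handles invalid VLANs through its invalid-action setting."""
    if vlan_authorization_enabled:
        vid = tunnel_vlan(attrs)
        if vid is not None:
            return vid
    return policy_profile_vlan


if __name__ == "__main__":
    reply = encode_vlan_tunnel_attrs(120)          # constructed Access-Accept attributes
    print(assigned_vlan(parse_attrs(reply), 10, True))   # 120
    print(assigned_vlan(parse_attrs(reply), 10, False))  # 10
```

The decoder deliberately ignores any tag group whose Tunnel-Type or Tunnel-Medium-Type is wrong, so a server that sends a VLAN name or a non-802 medium does not silently move the user.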
Configuring Authentication This section provides details for the configuration of authentication methods, MultiAuth and RADIUS. For information about... Refer to page... Configuring IEEE 802.1x 16 Configuring MAC-based Authentication 17 Configuring Port Web Authentication (PWA) 18 Configuring Convergence End Point (CEP) 19 Configuring MultiAuth Authentication 21 Configuring RADIUS 26 Table 1 lists Authentication parameters and their default values.
Table 1 Default Authentication Parameters (continued) (April 15, 2011)
Parameter | Description | Default Value
pwa | Globally enables or disables PWA authentication. | Disabled
pwa enhancemode | Allows a user on an un-authenticated port to enter any URL in the browser to access the login page. | Disabled
radius | Enables or disables RADIUS on this device. | Disabled
radius accounting | Enables or disables RADIUS accounting for this device. | Disabled
Configuring IEEE 802.1x Configuring IEEE 802.1x on an authenticator switch port consists of: • Setting the authentication mode globally and per port • Configuring optional authentication port parameters globally and per port • Globally enabling 802.1x authentication for the switch Procedure 1 describes how to configure IEEE 802.1x on an authenticator switch port. Unspecified parameters use their default values. Procedure 1 IEEE 802.
Procedure 1 IEEE 802.1x Configuration (continued) Step Task Command(s) 5. If an entity deactivates due to the supplicant logging off, inability to authenticate, or the supplicant or associated policy settings are no longer valid, you can reinitialize a deactivated access entity. If necessary, reinitialize the specified entity. set dot1x init [port-string] [index index-list] 6.
Procedure 2 MAC-Based Authentication Configuration (continued) Step Task Command(s)
6. Display MAC authentication configuration or status of active sessions. show macauthentication; show macauthentication session
7. If a session or port requires reinitialization, reinitialize a specific MAC session or port. set macauthentication macinitialize mac-address; set macauthentication portinitialize port-string
8.
When enhanced mode is enabled, PWA will use a guest password and guest user name to grant network access with default policy privileges to users without established login names and passwords. In order to configure guest networking privileges, you need to set the guest status, user name, and password. You can set guest status for no authentication, RADIUS authentication, or disabled.
Procedure 4 CEP Detection Group Configuration (continued) Step Task Command(s) 3. Specify the CEP device IP address and mask or set to unknown. set cep detection-id id address {ip-address | unknown} mask {mask | unknown} 4. Set the CEP detection group protocol. set cep detection-id id protocol {tcp | udp | both | none} 5. Set the maximum or minimum port for the TCP or UDP group protocol.
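As an added example (not from the guide and not the switch's own implementation), the following models a CEP detection group built from the Procedure 4 fields: a detection id, an address and mask that may each be unknown, a protocol of tcp, udp, both or none, and a minimum and maximum port. The page does not say how the switch evaluates these fields, so the matching semantics here are assumptions: "unknown" acts as a wildcard, protocol "none" matches on address alone, and the lowest detection id wins when several groups match. The sample groups are constructed.

```python
# Added example, not from the guide: a CEP detection-group matcher built from the
# Procedure 4 fields (detection id, address/mask or unknown, protocol tcp|udp|both|none,
# minimum and maximum port). The matching semantics are assumptions, as noted below.
import ipaddress
from dataclasses import dataclass

PROTOCOLS = ("tcp", "udp", "both", "none")


@dataclass
class CepDetectionGroup:
    detection_id: int
    address: str = "unknown"      # IP address or "unknown"
    mask: str = "unknown"         # dotted mask or "unknown"
    protocol: str = "none"
    port_min: int = 1
    port_max: int = 65535

    def __post_init__(self):
        if self.protocol not in PROTOCOLS:
            raise ValueError(f"protocol must be one of {PROTOCOLS}")
        if not 1 <= self.port_min <= self.port_max <= 65535:
            raise ValueError("port range must satisfy 1 <= min <= max <= 65535")

    def network(self):
        """The address/mask as a network, or None when the address is unknown.
        A known address with an unknown mask is treated as a single host (assumption)."""
        if self.address == "unknown":
            return None
        mask = "255.255.255.255" if self.mask == "unknown" else self.mask
        return ipaddress.ip_network(f"{self.address}/{mask}", strict=False)

    def matches(self, src_ip, proto, dst_port):
        net = self.network()
        if net is not None and ipaddress.ip_address(src_ip) not in net:
            return False
        if self.protocol == "none":
            return net is not None       # no address and no protocol: matches nothing
        if self.protocol != "both" and proto != self.protocol:
            return False
        return self.port_min <= dst_port <= self.port_max


def detect(groups, src_ip, proto, dst_port):
    """Return the detection id of the first matching group (lowest id), or None."""
    for group in sorted(groups, key=lambda g: g.detection_id):
        if group.matches(src_ip, proto, dst_port):
            return group.detection_id
    return None


# Constructed sample: a phone subnet signalling over UDP 5000-5100 and a catch-all
# TCP group on a single port.
SAMPLE_GROUPS = [
    CepDetectionGroup(1, "10.1.2.0", "255.255.255.0", "udp", 5000, 5100),
    CepDetectionGroup(2, protocol="tcp", port_min=2000, port_max=2000),
]
```

Validation in `__post_init__` rejects an inverted port range or an unknown protocol at configuration time, which is where a misconfigured detection group is cheapest to catch.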
Procedure 6 describes setting the MultiAuth idle and session timeout for CEP. Procedure 6 DNS and DHCP Spoofing Configuration Step Task Command(s) 1. Optionally set the MultiAuth authentication idle timeout for this switch. set multiauth idle-timeout cep timeout 2. Optionally set the MultiAuth authentication session timeout for this switch.
switch devices). You may change the precedence for one or more methods by setting the authentication methods in the order of precedence from high to low. Any methods not entered are given a lower precedence than the methods entered in their pre‐existing order. For instance, if you start with the default order and only set PWA and MAC, the new precedence order will be PWA, MAC, 802.1x, and CEP. Given the default order of precedence (802.
Procedure 9 describes setting the MultiAuth authentication port and maximum user properties. Procedure 9 MultiAuth Authentication Port and Maximum User Properties Configuration Step Task Command(s) 1. Set the specified ports to the MultiAuth authentication optional port mode. set multiauth port mode auth-opt port-string 2. Set the specified ports to the MultiAuth authentication required port mode. set multiauth port mode auth-reqd port-string 3.
Procedure 10 MultiAuth Authentication Timers Configuration (continued) Step Task Command(s) 4. Reset the maximum amount of time a session can last before termination to the default value for the specified authentication method. clear multiauth session-timeout auth-method Setting MultiAuth Authentication Traps Traps can be enabled at the system and module levels when the maximum number of users for the system and module, respectively, have been reached.
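The following added example (written for this page, not Enterasys code) ties together the MultiAuth precedence rule, the selection of one method for a user that several methods have validated (Figure 3), the per-port maximum-user limit from Procedure 9, and the trap raised when that maximum is reached. The default precedence list is an assumption: the guide's text only fixes that 802.1x precedes CEP and that methods not entered keep their relative order. The port name, MACs and policy names are constructed sample values.

```python
# Added example, not Enterasys code: MultiAuth precedence reordering, selection of
# the method to apply when several methods validate one user, and a per-port session
# table that enforces a maximum user count and records a trap when it is reached.
# The default order below is an assumption; the guide's text only fixes that 802.1x
# precedes CEP and that un-entered methods keep their relative order.
DEFAULT_PRECEDENCE = ["802.1x", "pwa", "mac", "cep"]


def set_precedence(current, entered):
    """Entered methods come first, in the order given; methods not entered follow in
    their pre-existing order (e.g. entering pwa, mac yields pwa, mac, 802.1x, cep)."""
    entered = list(dict.fromkeys(entered))           # drop duplicates, keep order
    unknown = [m for m in entered if m not in current]
    if unknown:
        raise ValueError(f"unknown authentication method(s): {unknown}")
    return entered + [m for m in current if m not in entered]


def select_method(validated, precedence):
    """Of the methods that validated the user, apply the highest-precedence one."""
    for method in precedence:
        if method in validated:
            return method
    return None


class MultiAuthPort:
    """Sessions for one port in multi mode, keyed on the user's source MAC."""

    def __init__(self, port, max_users, precedence=None):
        self.port = port
        self.max_users = max_users
        self.precedence = list(precedence or DEFAULT_PRECEDENCE)
        self.sessions = {}                           # smac -> (method, policy)
        self.traps = []                              # trap messages, newest last

    def authenticate(self, smac, validated, policy_by_method):
        """validated: methods whose credentials the RADIUS server accepted.
        policy_by_method: method -> policy name (Filter-ID) the server returned."""
        method = select_method(validated, self.precedence)
        if method is None:
            return None                              # nothing validated: no session
        if smac not in self.sessions:
            if len(self.sessions) >= self.max_users:
                return None                          # port full: user not admitted
            if len(self.sessions) + 1 == self.max_users:
                self.traps.append(f"maximum users ({self.max_users}) reached on {self.port}")
        # A re-validated user replaces its single session rather than adding one.
        self.sessions[smac] = (method, policy_by_method[method])
        return self.sessions[smac]

    def admin_rules(self):
        """Dynamic admin rules as in Figure 1: one (port, SMAC, policy) rule per user."""
        return [(self.port, smac, policy) for smac, (_m, policy) in self.sessions.items()]
```

Keying the session table on the source MAC is what lets one physical port carry several users with different policies; the maximum-user check is what keeps that table from growing without bound, and the trap is the operator's signal that the limit is doing work.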
Table 3 MultiAuth Authentication Traps Configuration (continued) Task Command(s) Display MultiAuth authentication idle timeout values. show multiauth idle-timeout Display MultiAuth authentication session timeout values. show multiauth session-timeout Display MultiAuth authentication trap settings. show multiauth trap Configuring VLAN Authorization VLAN authorization allows for the dynamic assignment of users to the same VLAN.
If the authentication server returns an invalid policy or VLAN to a switch for an authenticating supplicant, an invalid action of forward, drop, or default policy can be configured. Procedure 13 describes setting dynamic policy profile assignment and invalid policy action configuration. Procedure 13 Policy Profile Assignment and Invalid Action Configuration Step Task Command(s) 1. Identify the profile index to be used in the VID-to-policy mapping.
Procedure 14 describes authentication server configuration. Procedure 14 Authentication Server Configuration Step Task Command(s) 1. Configure the index value, IP address, and secret value for this authentication server. set radius server index ip-address [secret-value] 2. Optionally set the number of seconds the switch will wait before retrying authentication server establishment. set radius timeout timeout 3.
Procedure 15 describes RADIUS accounting configuration. Procedure 15 RADIUS Accounting Configuration Step Task Command(s) 1. Set the minimum interval at which RADIUS accounting sends interim updates. set radius accounting intervalminimum interval 2. Set the number of seconds between each RADIUS accounting interim update. set radius accounting updateinterval interval 3. Set the number of times a switch will attempt to contact a RADIUS accounting server.
Authentication Configuration Example Our example covers the four supported modular switch and three supported stackable fixed switch authentication types being used in an engineering group: end‐user station, an IP phone, a printer cluster, and public internet access. For the stackable fixed switch devices, the example assumes C3 platform capabilities.
Figure 5 Stackable Fixed Switch Authentication Configuration Example Overview [figure: a stackable switch in a LAN cloud with numbered configuration areas. Stackable switch: configure policies, enable RADIUS, enable multi-user authentication. Engineering end-user stations, 802.1x authentication: enable EAPOL, enable 802.1x, set non-authentication ports to force-auth. Printer cluster, MAC authentication: enable MAC authentication, set MAC authentication password, enable port. Public internet access, PWA authentication: IP address: 10.]
5. Configuring the printer cluster MAC authentication for the modular switch configuration. Configuring the public area internet access for PWA for the stackable fixed switch. 6. Configuring for the public area internet access for PWA for the modular switch. Configuring MultiAuth Authentication MultiAuth authentication must be set to multi whenever multiple users of 802.1x need to be authenticated or whenever any MAC‐based, PWA, or CEP authentication is present.
Configuring the Engineering Group 802.1x End-User Stations There are three aspects to configuring 802.1x for the engineering group: • Configure EAP on each end‐user station. • Set up an account in RADIUS on the authentication server for each end‐user station. • Configure 802.1x on the switch.
The following CLI input: • Enables CEP globally on the switch. • Sets CEP policy to a previously configured policy named siemens with an index of 9. • Sets ports ge.1.16‐18 to only accept default Siemens type phones and applies the Siemens policy to the specified ports.
System(rw)->set cep enable
System(rw)->set cep policy siemens 9
System(rw)->set cep port ge.1.16-18 siemens enable
This completes the Siemens CEP end‐user stations configuration.
• Set up the RADIUS user account for the public station on the authentication server. • Enable PWA globally on the switch. • Configure the IP address for the public station. • Optionally set up a banner for the initial PWA screen. • Enable PWA enhancemode so that any URL input will cause the PWA sign-in screen to appear. • Set PWA gueststatus to RADIUS authentication mode. • Set the PWA login guest name. • Set the PWA login password.
Terms and Definitions Table 4 Quality of Service Configuration Terms and Definitions (continued) Term Definition IEEE 802.1x An IEEE standard for port-based Network Access Control that provides authentication to devices attached to a LAN port, establishing a point-to-point connection or preventing access from that port if authentication fails.
Revision History
Date | Description
05-14-2008 | New document
07-11-2008 | Added Enterasys Registration mark and fixed Version date in some footers.
02-04-2009 | Spelled out D-Series, G-Series, and I-Series when appropriate.
04-29-2009 | Clarified stackable fixed switch support. Provided hybrid authentication discussion.
06-23-2009 | Clarified Multi-user support for stackable fixed switch devices.
04-15-2011 | Added S-Series and K-Series support. Numerous miscellaneous edits.