Specifications

ManualsBrandsEnterasys ManualsComputer equipment802.1Q

Authentication Overview

April 15, 2011 Page 3 of 36

IEEE 802.1x Using EAP

TheIEEE802.1xport‐basedaccesscontrolstandardallowsyoutoauthenticateandauthorizeuser

accesstothenetworkattheportlevel.Accesstotheswitchportsiscentrallycontrolledfroman

authenticationserverusingRADIUS.TheExtensibleAuthenticationProtocol(EAP),definedin

RFC3748,providesthemeansforcommunicating

theauthenticationinformation.

TherearethreesupportedtypesofEAP:

•MD5–EAP‐MD5isachallenge‐handshakeprotocoloverEAPthatauthenticatestheuser

withanormalusernameandpassword.

•TLS–EAP‐TLSprovidesatransportlayersecuritybaseduponthepresentationand

acceptanceofdigitalcertificatesbetweenthe

supplicantandtheauthenticationserver.

• Protected–ProtectedExtensibleAuthenticationProtocol(PEAP)optionallyauthenticatesthe

authenticationservertotheclientusinganX‐509certificateusingaTLStunnel,afterwhich

theclientauthenticationcredentialsareexchanged.

AllEnterasysplatformssupportIEEE802.1x,whichprotectsagainstunauthorizedaccesstoa

network,DoSattacks,theftofservicesanddefacementofcorporatewebpages.

802.1xconfigurationconsistsofsettingport,global802.1xparam eters,andRADIUSparameters

ontheswitchestopointtheswitchtotheauthenticationserver.TheFilter‐IDRADIUSattribute

canbeconfiguredontheauthenticationservertodirectdynamicpolicy

assignmentontheswitch

tothe802.1xauthentica ting endsystem.

MAC-Based Authentication (MAC)

MAC‐basedauthentication(MAC)au thenticatesadeviceusingthesourceMACaddressof

receivedpackets.TheauthenticatorsendstheauthenticationserverasourceMACaddressasthe

usernameandapasswordthatyouconfigureontheswitch.Iftheauthenticationserverreceives

validcredentialsfromtheswitch,RADIUSreturnsan

Acceptmessagetotheswitch.MAC

authenticationenablesswitchestoauthenticateendsystems,suchasprintersandcamcorder

devicesthatdonotsupport802.1xorwebauthenticati on.SinceMAC‐basedauthentication

authenticatesthedevice,notthe user,andissubjecttoMACaddressspoofingattacks,itshould

notbeconsidered

asecureauthentica tionmethod.However,itdoesprovidealevelof

authenticationforadevicewhereotherwisenonewouldbepossible.

Themodularswitch,stackablefixedswitch,andstandalonefixedswitchdevicessupport

MAC‐basedauthentica tion.

Port Web Authentication (PWA)

PortWebAuthentication (PWA)authenticatesauserbyutilizingawebbrowserforthelogin

processtoauthenticatetothenetwork.TologinusingPWA,auseropensthewebbrowser

requestingaURLthateitherdirectlyaccessesthePWAloginpageorisautomaticallyredirectedto

theloginpage.

AtthePWAloginpage,theuserentersaloginusernameandpassword.Onthe

switch,eithertheChallengeHandshakeAu thenticationProtocol(CHAP)orthePassword

AuthenticationProtocol(PAP)verifiestheusernameandpasswordcredentialsprovidedtothe

authenticationserver.Ifthecredentialsarevalidated,theauthenticationserverreturnsa

RADIUS

Acceptmessage,optionallycontainingFilter‐IDortunnelattributes,totheswitch.

PAPusesanunencryptedpassword.CHAPusesthepasswordtogenerateadigestthatis

transmittedtotheauthenticationserver.IfRADIUSdeterminesthatthedigestmatchesthedigest

generatedontheauthenticationserver,accessisgranted.The

acceptancemessagebacktothe