Specifications

Authentication Overview

April 15, 2011 Page 4 of 36

switchcancontainanyFilter‐IDattributeconfiguredontheauthenticationserver,allowingpolicy

tobeappliedfortheauthenticatinguser.

PWAenhancedmodeissupported.PWAenhancedmodeallowsauseronanun‐authenticated

PWAporttoenteranyURLintothebrowserandbepresentedthePWAlogin

pageontheirinitial

webaccess.Whenenhancedmodeisdisabled,ausermustenterthecorrectURLtoaccesslogin.

Themodularswitches,B‐SeriesandC‐Seriesstackablefixedswitches,andthestandalonefixed

switchessupportPWA.

Convergence End Point (CEP)

CEPdetectsanIPtelephonyorvideodeviceonaportand dynamicallyappliesaspecificpolicyto

theport.Theswitchdetectsaconvergenceendpointbyinspectingreceivedpacketsforspecific

trafficattributes.CEPdoesnotrequireaRADIUSconfiguration.

TheCEPimplementationsupportsthefollowingdetectionmethods:

• Cisco

PhoneDetection‐thefirmwareparsesaCiscoDiscoveryProtocol(CDP)packetto

identifythephonetype.IfitwassentbyanIPphone,thefirmwareusesthephonetype.A

responseissentbacktothephone,verifyingauthentication.

• SiemensHiPathPhoneDetection‐TCP/UPDportnumbersnooping

isused.Port4060isthe

defaultportforcommunication.

• H.323PhoneDetection‐TCP/UDPportnumbersnoopingandreservedIPaddresssnooping

areused.Ports1718‐1720andIPaddress224.0.1.41arethedefaultvalues.

• SessionInitiationProtocol(SIP)PhoneDetection‐TCP/UDPportnumbersnoopingand

reserved

IPaddresssnoopingareused.Port5060andIPaddress224.0.1.75arethedefault

values.

ThemodularswitchessupportCEP.

Multi-User And MultiAuth Authentication

Thissectionwilldiscussmulti‐userandMultiAuthauthentication.Multi‐userandMultiAuthare

separateconcepts.Theprimarydifferencebetweenthetwoisasfollows:

•Multi‐userauthenticationreferstotheabilitytoauthenticatemultipleusersanddeviceson

thesameport,witheachuserordevicebeingprovidedtheappropriate

levelofnetwork

resourcesbaseduponpolicy.

•MultiAuthauthenticationreferstotheabilityofasingleormultipleuser(s),device(s),or

port(s)tosuccessfullyauthenticateusingmultipleauthenticationmethodsatthesametime,

suchas802.1x,PWA,andMAC,withprecedencedeterminingwhic hauthenticationmethodis

actuallyappliedtothat

user,device,orport.

Note: For stackable fixed switches and standalone fixed switches:

• One user per PWA-configured port can be authenticated

• PWA authentication supports RFC 3580 VLAN authorization on B3, B5, C3, C5,and G3 devices