Specifications

Authentication Overview

April 15, 2011 Page 5 of 36

Multi-User Authentication

Multi‐userauthenticationprovidesfortheper‐userorper‐deviceprovisioningofnetwork

resourceswhenauthenticating.Itsupportstheabilitytoreceivefromtheauthenticationserver:

•Apolicytrafficprofile,basedontheuseraccount’sRADIUSFilter‐IDconfiguration

•AbaseVLAN‐ID,basedontheRFC3580tunnelattributesconfiguration,

alsoknownas

dynamicVLANassignment

Whenasinglesupplicantconnectedtoanaccess layerportauthenticates,apolicyprofilecanbe

dynamicallyappliedtoalltrafficontheport.Whenmulti ‐userauthenticationisnot implemented,

andmorethanonesupplicantisconnectedtoaport,firmwaredoesnotprovision

network

resourcesonaper‐userorper‐devicebasis.Differentusersordevicesmayrequireadifferentset

ofnetworkresources.ThefirmwaretracksthesourceMACaddressforeachauthenticatinguser

regardlessoftheauthenticatingprotocolbeingused.Provisioningnetworkresourcesona

per‐userbasisisaccomplished

byapplyingthepolicyconfiguredintheRADIUSFilter‐ID,orthe

baseVLAN‐IDconfiguredintheRFC3580tunnelattributes,foragivenuser’sMACaddress.The

RADIUSFilter‐IDandtunnelattributesarepartoftheRADIUSuseraccountandareincludedin

theRADIUSAcceptmessageresponse

fromtheauthenticationserver.

Thenumberofallowedusersperportcanbeconfiguredusingthesetmultiauthportnumusers

command.Theshowmultiauthportcommanddisplaysboththeallowednumberofusers

configuredandthemaximumnumberofuserssupportedperportforthedevice.Theallowed

numberofusers

defaultstothemaximumnumberofsupportedusersfortheportforamodular

switchplatformandto1forthestackablefixedswitchandstandal onefixedswitchplatforms.

InFigure 1eachuseronportge.1.5sendsanauthenticationrequesttotheRADIUSserver.Based

upontheSourceMACaddress(SMAC),

RADIUSlooksuptheaccountforthatuserandincludes

theFilter‐IDassociatedwiththataccountintheauthenticationresponsebacktotheswitch(see

section“TheRADIUSFilter‐ID”onpage 9forFilter‐IDinformation).Thepolicyspecifiedinthe

Filter‐IDisthenappliedtothe

user.SeesectionRFC3580onpage 10forinformationondynamic

VLANassignmentandtunnelattributeconfiguration.

Note: Multi-user authentication on stackable fixed switch and standalone fixed switch platforms

requires that the switch be the point of authentication, in order to apply policy.