Specifications

ManualsBrandsEnterasys ManualsComputer equipmentC2K122-24

651

652

653

654

655

656

657

658

659

660

Overview of Security Methods

21-2 Security Configuration

• 802.1XPortBasedNetworkAccessControlusingEAPOL(ExtensibleAuthenticationProtocol)

–providesamechanismviaaRADIUSserverforadministratorstosecurelyauthenticateand

grantappropriateaccesstoenduserdevicescommunicatingwithSecureStackC3ports.For

detailsonusingCLIcommandstoconfigure802.1X,referto“Configuring802.1X

Authentication”onpage 21‐12.

•MACAuthentication–providesamechanismforadministratorstosecurelyauthenticate

sourceMACaddressesandgrantappropriateaccesstoenduserdevicescommunicatingwith

SecureStackC3ports.Fordetails,referto“Conf iguringMACAuthentication”onpage 21‐23.

•MultipleAuthenticationMethods–allowsuserstoauthenticateusing

multiplemethodsof

authenticationonthesameport.Fordetails,referto“ConfiguringMultipleAuthentication

Methods”onpage 21 ‐34.

•Multi‐UserAuthentication–OntheSecureStackC3,theonlytypeofmultipleuser

authenticationsupportedis“User+IPPhone”.TheUser+IPPhoneauthenti cationfeature

supportsauthenticationand

authorizationoftwodevices,specificallyaPCcascadedwithan

IPphone,onasingleportontheC3.TheIPphonemustauthenticateusingMAC

authentication,buttheusermayauthenticatebyanymethod.Thisfeatureallowsboththe

user’sPCandIPphonetosimultaneouslyauthenticateonasingle

portandeachreceivea

uniquelevelofnetworkaccess.Fordetails,referto“ConfiguringMulti‐UserAuthentication

(User+IPphone)”onpage 21‐34.

•RFC3580TunnelAttributesprovideamechanismtocontainan802.1Xauthenticatedusertoa

VLANregardlessofthePVID.Referto“ConfiguringVLAN

Authorization(RFC3580)” on

page 21‐42.

•MACLocking–locksaporttooneormoreMACaddresses,preventingtheuseof

unauthorizeddevicesandMACspoofingontheportFordetails,referto“ConfiguringMAC

Locking”onpage 21‐46.

•PortWebAuthentication(PWA)–locksdownaporta

userisattachedtountilaftertheuser

logsinusingawebbrowsertoaccesstheswitch.Theswitchwillpassalllogininformation

fromtheendstationtoaRADIUSserverforauthenticationbeforeturningtheporton.PWAis

analternativeto802.1XandMACauthentication.Fordetails,

referto“ConfiguringPortWeb

Authentication(PWA)”onpage 21‐56.

•SecureShell(SSH)–providessecureTelnet.Fordetails,referto“ConfiguringSecureShell

(SSH)”onpage 21‐68.

•IPAccessLists(ACLs)–permitsordeniesaccesstoroutinginterfacesbasedonprotocoland

inboundand/oroutboundIPaddress

restrictionsconfiguredinaccesslists.Fordetails,referto

“ConfiguringAccessLists”onpage 21‐70.

RADIUS Filter-ID Attribute and Dynamic Policy Profile Assignment

IfyouconfigureanauthenticationmethodthatrequirescommunicationwithaRADIUSserver,

youcanusetheRADIUSFilter‐IDattributetodynamicallyassignapolicyprofileand/or

managementleveltoauthenticatingusersand/ordevices.

TheRADIUSFilter‐IDattributeissimplyastringthatisformattedintheRADIUSAccess‐

Accept

packetsentbackfromtheRADIUSservertotheswitchduringtheauthenticationprocess.

EachusercanbeconfiguredintheRADIUSserverdatabasewithaRADIUSFilter‐IDattribute

thatspecifiesthenameofthepolicyprofileand/ormanagementleveltheusershouldbeassigned

uponsuccessfulauthentication.During

theauthenticationprocess,whentheRADIUSserver

Note: To configure EAP pass-through, which allows client authentication packets to be forwarded

through the switch to an upstream device, 802.1X authentication must be globally disabled with the

set dot1x command.