Specifications

ManualsBrandsEnterasys ManualsComputer equipmentC2K122-24

681

682

683

684

685

686

687

688

689

690

Configuring Multiple Authentication Methods

21-34 Security Configuration

Configuring Multiple Authentication Methods

About Multiple Authentication Types

Whenenabled,multipleauthenticationtypesallowsuserstoauthenticateusinguptotwo

methodsonthesameport.Inorderformultipleauthenticationtofunctiononthedevice,each

possiblemethodofauthentication(MACauthentication, 802.1X,PWA)must beenabledglobally

andconfiguredappropriatelyonthedesiredportswithitscorresponding

commandsetdescribed

inthischapter. 

Multipleauthenti cationmodemustbegloballyenabledonthedeviceusingthesetmultiau th 

modecommand.

Configuring Multi-User Authentication (User + IP phone)

TheUser+IPphonemulti‐userauthenticationfeatureallowsauserandtheirIPphonetobothto

useasingleportontheC3buttohaveseparatepolicyroles.

ʺUser+IPPhoneʺAuthenticationontheSecureStackC3isimplementedbyassigninganingressed

packetreceivedona

porttoapolicyrolebasedontheVLANthepacketwasassignedto,andnot

thepacketʹssourceMACaddress.Therefore,onaportconfiguredforUser+IPPhone

Authentication,thereexiststwodifferentVLAN‐to‐policyrolemappings.

ThepolicyrolefortheIP phoneis

staticallymappedusingtheVLAN‐to‐policy mappingfeature

whichassignsanypacketsreceivedwithaVLANtagsettoaspecificVID(forexample,Voice

VLAN)toanind icat e dpolicyrole(forexample,IPPhonepolicyrole).Therefore,itisrequiredthat

IPphoneisconfiguredtosendVLANtagged

packetstothe“Voice”VLAN.

Thesecondpolicyrole,fortheuser,caneitherbestaticallyconfiguredwiththedefaultpolicyrole

ontheportordynamicallyassignedthroughauthenticationtothenetwork.Whenthedefault

policyroleisassignedonaport,theVLANsetastheportʹs

PVIDismappedtothedefaultpolicy

role.Whenapolicyroleisdynamicallyappliedtoaportastheresultofasuccessfully

authenticatedsession,the“authenticatedVLAN”ismapped tothepolicyrolesetintheFilter‐ID

returnedfromtheRADIUSserver.The“authenticatedVLAN”mayeitherbe

thePVIDoftheport,

ifthePVIDOverrideforthepolicyprofileisdisabled,ortheVLANspecifiedinthePVIDOverride

ifthePVIDOverrideisenabled.

Commands

Thecommandsneededtoreview,enable,disable,andconfiguremultipleauthenticationarelisted

below:

Note: The only Multi-User Authentication supported on the C3 is User + IP phone. The IP phone

has to authenticate using 802.1x or MAC authentication, but the User may authenticate using

802.1x, PWA, or MAC authentication.

For information about... Refer to page...

show multiauth 21-36

set multiauth mode 21-37

clear multiauth mode 21-37

set multiauth precedence 21-38

clear multiauth precedence 21-38