Specifications

ManualsBrandsEnterasys ManualsNetworkingEnterasys SecureStack B2 B2G124-24

521

522

523

524

525

526

527

528

529

530

Overview of Authentication and Authorization Methods

19-2 Authentication and Authorization Configuration

• 802.1XPortBasedNetworkAccessControlusingEAPOL(ExtensibleAuthenticationProtocol)

–providesamechanismviaaRADIUSserverforadministra tors tosecurelyauthenticateand

grantappropriateaccesstoenduserdevicescommunicatingwithSecureStackB2ports.For

detailsonusingCLIcommandstoconfigure802.1X,referto“Configuring802.1X

Authentication”onpage 19‐11.

•MACAuthentication–providesamechanismforadministratorstosecurelyauthenticate

sourceMACaddressesandgrantappropriateaccesstoenduserdevicescommunicatingwith

SecureStackB2ports.Fordetails,referto“ConfiguringMACAuthentication”onpage 19‐21.

•MultipleAuthenticationMethods–allowsuserstoauthenticateusing

multiplemethodsof

authenticationonthesameport.Fordetails,referto“ConfiguringMultipleAuthentication

Methods”onpage 19‐33.

•Multi‐UserAuthentication–User+IPPhone.TheUser+IPPhoneauthenticationfeature

supportsauthenticationandauthorizationoftwodevices,specificallyaPCcascadedwithan

IPphone,on

asingleportontheB2.TheIPphonemustauthenticateusingMACor802.1X

authentication,buttheusermayauthenticatebyanymethod.Thisfeatureallowsboththe

user’sPCand IPphonetosimultaneouslyauthenticateonasingleportandeachreceivea

uniquelevelofnetworkaccess.For

details,referto“ConfiguringMulti‐UserAu thentication

(User+IPphone)”onpage 19‐33.

•RFC3580TunnelAttributesprovideamechanismtocontainan802.1XauthenticatedorMAC

authenticatedusertoaVLANregardlessofthePVID.Uptothreeuserscanbeconfiguredper

Gigabitport.Referto“

ConfiguringVLANAuthorization(RFC3580)”onpage 19‐45.

•MACLocking–locksaporttooneormoreMACaddresses,preventingtheuseof

unauthorizeddevicesandMACspoofingontheportFordetails,referto“ConfiguringMAC

Locking”onpage 19 ‐50.

•PortWebAuthentication(PWA)–passesalllogin

informationfromtheendstationtoa 

RADIUSserverforau thenticationbeforeallowingausertoaccessthenetwork.PWAisan

alternativeto802.1XandMACauthentication.Fordetails,referto“ConfiguringPortWeb

Authentication(PWA)”onpage 19‐61.

•SecureShell(SSH)–providessecureTelnet.Fordetails,

referto“ConfiguringSecureShell

(SSH)”onpage 19‐73.

RADIUS Filter-ID Attribute and Dynamic Policy Profile Assignment

IfyouconfigureanauthenticationmethodthatrequirescommunicationwithaRADIUSserver,

youcanusetheRADIUSFilter‐IDattributetodynamicallyassignapolicyprofileand/or

managementleveltoauthenticatingusersand/ordevices.

TheRADIUSFilter‐IDattributeissimplyastringthatisformattedintheRADIUSAccess‐

Accept

packetsentbackfromtheRADIUSservertotheswitchduringtheauthenticationprocess.

Note: To configure EAP pass-through, which allows client authentication packets to be forwarded

through the switch to an upstream device, 802.1X authentication must be globally disabled with the

set dot1x command.

Notes: The B2 supports up to three authenticated users per port.

The B2 cannot simultaneously support Policy and RFC 3580 on the same port. If multiple users are

configured to use a port, and the B2 is then switched from "policy" mode to "tunnel" mode (RFC-

3580 VLAN to port mapping), the total number of users supported to use a port will be reset to one.

RFC-3580 VLAN authorization is not supported by PWA authentication.