Specifications

ManualsBrandsEnterasys ManualsComputer equipmentN Standalone (NSA) Series

Authentication Overview

April 15, 2011 Page 9 of 36

Requiredauthenticationcredentialsdependupontheauthenticationmethodbeingused.For

802.1xandPWAauthentication,theswitchsendsusernameandpasswordcredentialstothe

authenticationserver.ForMACauthentication,theswitchsendsthedeviceMACaddressanda

passwordconfiguredontheswitchtotheauthenticationserver.Theauthenticationserververifies



thecredentialsandreturnsanAcceptorRejectmessagebacktotheswitch.

How RADIUS Data Is Used

TheEnterasysswitchbasesitsdecisiontoopentheportandapplyapolicyorclosetheportbased

ontheRADIUSmessage,theportʹsdefaultpolicy,andunauthenticatedbehaviorconfiguration.

RADIUSprovidesaccountingfunctionalitybywayofaccountingpacketsfromtheswitchtothe

RADIUSserver,forsuchsession

statisticsasstartandend,totalpackets,andsessionendreason

events.Thisdatacanbeusedforbothbillingandnetworkmonitoringpurposes.

AdditionallyRADI US iswidelyusedbyVoIPserviceproviders.Itisusedtopasslogincredentials

ofaSIPendpoint(likeabroadbandphone)toa

SIPRegistrarusingdigestauthentication,and

thentotheauthenticationserverusingRADIUS.Sometimesitisalsousedtocollectcalldetail

records(CDRs)laterused,forinstance,tobillcustomersforinternationallongdistance.

Ifyouconfigureanauthenticationmethodthatrequirescommunicationwithanauthentication

server,youcanuse

theRADIUSFilter‐IDattributetodynamically assigneitherapolicyprofileor

managementleveltoauthenticatingsupplicants.

The RADIUS Filter-ID

TheRADIUSFilter‐IDattributeconsistsofastringthatisformattedintheRADIUSAccess‐Accept

packetsentbackfromtheauthenticationservertotheswitchduringtheauthentica tionprocess.

EachusercanbeconfiguredintheRADIUSserverdatabasewithaRADIUSFilter‐IDattribute

thatspecifiesthename

ofeitherapolicyprofileormanagementleveltheusershouldbeassigned

uponsuccessfulauthentication.Duringtheauthenticationprocess,whentheauthenticationserver

returnsaRADIUSAccess‐AcceptpacketthatincludesaFilter‐IDmatchingapolicyprofilename

configuredontheswitch,theswitchthendynamicallyappliesthe

policyprofiletothephysical

portthesupplicantisauthenticatingon.

ThedecoratedFilter‐IDsupportsapolicyattribute,amanagementaccessattribute,orbothinthe

followingformats:

Enterasys:version=1:policy=policyname

Enterasys:version=1:mgmt=access-mgmtType

Enterasys:version=1:mgmt=access-mgmtType:policy=policyname

policynameisthenameofthepolicytoapplytothisauthentication.

access‐mgmtTypessupportedare:ro(read‐only),rw(read‐write),andsu(super‐user).

Theun‐decoratedFilter‐IDsupportsthepolicyattrib uteonlyinthefollowingformat:

policyname

Theundecoratedformatissimplyastringthatspecifiesapolicyprofilename.Theundecorated

formatcannotbeusedformanagementaccessauthentication.DecoratedFilter‐IDsareprocessed

first.Ifnodecorated Filter‐IDsarefound,thenundecoratedFilter‐IDsareprocessed.Ifmultiple

Filter‐IDsarefoundthatcontainconflicting

values,aSyslogmessageisgenerated.