User guide

Network Login
ExtremeWare 7.2e Installation and User Guide 151
NOTE
The Extreme Networks vendor ID is 1916.
Multiple Supplicant Support
An important enhancement over the IEEE 802.1x standard is that ExtremeWare allows multiple
clients (supplicants) to be individually authenticated on the same port. This feature makes it possible for
two client stations to be connected to the same port, with one being authenticated and the other not. A
port's authentication state is the logical “OR” of the individual MACs' authentication states. In other
words, a port is authenticated if any of its connected clients is authenticated. Multiple clients can be
connected to a single port of the authentication server through a hub or layer-2 switch.
Multiple supplicants are supported in ISP mode for both web-based and 802.1x authentication. Multiple
supplicants are not supported in Campus mode. Versions of ExtremeWare previous to version 7.1.0 did
not support multiple supplicants.
The choice of web-based versus 802.1x authentication is again on a per-MAC basis. Among multiple
clients on the same port, it is possible that some clients use web-based mode to authenticate, and some
others use 802.1x.
There are certain restrictions for multiple supplicant support:
Web-based mode will not support Campus mode for multiple supplicants because once the first MAC
is authenticated, the port is moved to a different VLAN, and therefore other unauthenticated
clients (which are still in the original VLAN) cannot have layer 3 message transactions with the
authentication server.
Table 28: VSA definitions for web-based network login

| VSA | Attribute Value | Type | Sent-in | Description |
|---|---|---|---|---|
| Extreme-Netlogin-Vlan | 203 | String | Access-Accept | Name of destination VLAN (must already exist on switch) after successful authentication. |
| Extreme-Netlogin-Url | 204 | String | Access-Accept | Destination web page after successful authentication. |
| Extreme-Netlogin-Url-Desc | 205 | String | Access-Accept | Text description of network login URL attribute. |
| Extreme-Netlogin-Only | 206 | Integer | Access-Accept | Determines if user can authenticate via other means, such as telnet, console, SSH, or Vista. A value of “1” (enabled) indicates that the user can only authenticate via network login. A value of zero (disabled) indicates that the user can also authenticate via other methods. |
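
The VSAs in Table 28 are carried in RADIUS Vendor-Specific attributes (type 26) tagged with vendor ID 1916. The following added example, which is not from the ExtremeWare guide, decodes them from the attribute bytes of an Access-Accept and checks the values against the table's descriptions. It assumes the standard RFC 2865 Vendor-Specific layout; the function names, the VLAN name `corp` and the sample bytes are constructed for illustration.

```python
VENDOR_SPECIFIC, EXTREME_VENDOR_ID = 26, 1916  # RFC 2865 VSA type; vendor ID from the NOTE
EXTREME_VSAS = {  # Table 28: vendor type -> (attribute name, value is an integer)
    203: ("Extreme-Netlogin-Vlan", False),
    204: ("Extreme-Netlogin-Url", False),
    205: ("Extreme-Netlogin-Url-Desc", False),
    206: ("Extreme-Netlogin-Only", True),
}

def tlvs(buf):
    """Yield (type, value) per type/length/value record; reject bad lengths."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError("malformed attribute at offset %d" % i)
        yield buf[i], buf[i + 2:i + buf[i + 1]]
        i += buf[i + 1]

def encode_vsa(vtype, value):
    """Wrap one Table 28 attribute in a Vendor-Specific attribute (assumed layout)."""
    data = value.to_bytes(4, "big") if EXTREME_VSAS[vtype][1] else value.encode("ascii")
    body = EXTREME_VENDOR_ID.to_bytes(4, "big") + bytes([vtype, 2 + len(data)]) + data
    return bytes([VENDOR_SPECIFIC, 2 + len(body)]) + body

def decode_extreme_vsas(attrs):
    """Return {name: value} for Extreme VSAs found in a packet's attribute bytes."""
    out = {}
    for atype, body in tlvs(attrs):
        if atype != VENDOR_SPECIFIC or body[:4] != EXTREME_VENDOR_ID.to_bytes(4, "big"):
            continue  # not a VSA, or a VSA from another vendor
        for vtype, data in tlvs(body[4:]):
            if vtype in EXTREME_VSAS:  # ignore vendor types not listed in Table 28
                name, is_int = EXTREME_VSAS[vtype]
                if is_int and len(data) != 4:
                    raise ValueError(name + " must be a 4-byte integer")
                out[name] = int.from_bytes(data, "big") if is_int else data.decode("ascii")
    return out

def check_accept(vsas, switch_vlans):
    """List Access-Accept values that conflict with the Table 28 descriptions."""
    problems = []
    vlan = vsas.get("Extreme-Netlogin-Vlan")
    if vlan is not None and vlan not in switch_vlans:
        problems.append("VLAN %r does not exist on switch" % vlan)
    if vsas.get("Extreme-Netlogin-Only", 0) not in (0, 1):
        problems.append("Extreme-Netlogin-Only must be 0 or 1")
    return problems

# Constructed sample: Access-Accept attributes (User-Name, then two Extreme VSAs).
SAMPLE = encode_vsa(203, "corp") + bytes([1, 5]) + b"bob" + encode_vsa(206, 1)
```

Running `check_accept(decode_extreme_vsas(SAMPLE), vlans)` against the set of VLAN names configured on the switch shows whether a RADIUS profile would name a destination VLAN that does not exist.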
Table 29: VSA definitions for 802.1x network login

| VSA | Attribute Value | Type | Sent-in | Description |
|---|---|---|---|---|
| Extreme-Netlogin-Vlan | 203 | String | Access-Accept | Name of destination VLAN (must already exist on switch) after successful authentication. |