Owner's Manual
486 | Chapter 17. Security
NETGEAR 8800 User Manual
redirect message while the web client is redirected to the web page specified by attribute
204. If a login method other than Web-based is used, the switch ignores this attribute.
The following describes the guidelines for VSA 205:
• To let the user know where they will be redirected to after authentication (specified by
VSA 204), use an ASCII string to provide a brief description of the URL.
• VSA 205 applies only to the web-based authentication mode of Network Login.
The following example specifies a redirect description to send to the switch after successful
authentication:
Netgear: Netlogin-URL-Desc = "Authentication successful. Stand by for the home page."
VSA 206: NETGEAR-Netlogin-Only
The NETGEAR-Netlogin-Only attribute can be used to allow normal authentication or restrict
authentication to only the network login method. When this attribute is assigned to a user and
authentication is successful, the RADIUS server sends the configured value back to the
switch. The configured value is either disabled or enabled.
The NETGEAR switch uses the value received from the RADIUS server to determine if the
authentication is valid. If the configured value is disabled, all normal authentication processes
are supported (Telnet and SSH, for example), so the switch accepts the authentication. If the
configured value is enabled, the switch verifies whether network login was used for
authentication. If network login was used for authentication, the switch accepts the
authentication. If an authentication method other than network login was used, the switch
rejects the authentication.
Add the following line to the RADIUS server users file for users who are not restricted to
network login authentication:
Netgear:Netgear-Netlogin-Only = Disabled
Add the following line to the RADIUS server users file for users who are restricted to network
login authentication:
Netgear:Netgear-Netlogin-Only = Enabled
To reduce the quantity of information sent to the switch, the RADIUS server sends either a 1
for the enabled configuration or a 0 for the disabled configuration. These values must be
configured in the RADIUS dictionary file as shown in Configuring the Dictionary File on
page 489.
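The VSA 206 accept/reject rule, together with a check of a users file against it, as an added example that is not part of the NETGEAR manual. It assumes a FreeRADIUS-style users file layout (unindented user line, indented reply items); the user names and the functions parse_users, switch_accepts and audit are hypothetical, and the sample file is constructed.

```python
import re

# Matches the reply item as written on this page, e.g.
#   Netgear:Netgear-Netlogin-Only = Enabled
ATTR = re.compile(r"(?:Netgear:\s*)?Netgear-Netlogin-Only\s*=\s*(\w+)", re.I)

def parse_users(text):
    """Return {username: 'enabled' | 'disabled' | None} from a users file.

    Assumed layout: an entry starts on an unindented line whose first
    token is the user name; indented lines below it are reply items.
    """
    users, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():
            current = line.split()[0]
            users[current] = None
        m = ATTR.search(line)
        if m and current is not None:
            users[current] = m.group(1).lower()
    return users

def switch_accepts(netlogin_only, method):
    """Decision described for VSA 206. method: 'netlogin', 'ssh', 'telnet'."""
    if netlogin_only == "disabled":
        return True                      # all normal login methods accepted
    if netlogin_only == "enabled":
        return method == "netlogin"      # anything else is rejected
    raise ValueError("attribute not set; this page does not cover that case")

def audit(text, must_be_restricted):
    """List users expected to be netlogin-only but not set to Enabled."""
    users = parse_users(text)
    return sorted(u for u in must_be_restricted if users.get(u) != "enabled")

# Constructed sample users file (not from the manual).
SAMPLE = '''\
# constructed sample
alice   Cleartext-Password := "example-only"
        Netgear:Netgear-Netlogin-Only = Enabled
bob     Cleartext-Password := "example-only"
        Netgear:Netgear-Netlogin-Only = Disabled
carol   Cleartext-Password := "example-only"
        Session-Timeout = 60
'''

if __name__ == "__main__":
    print(audit(SAMPLE, ["alice", "bob", "carol"]))
```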
VSA 209: NETGEAR-Netlogin-VLAN-ID
This attribute specifies a destination VLAN ID (or VLAN tag) that the RADIUS server sends to
the switch after successful authentication. The VLAN must already exist on the switch. When
the switch receives the VSA, it adds the authenticated user to the VLAN.
The following describes the guidelines for VSA 209:
• For untagged VLAN movement with 802.1x netlogin, you can use all current NETGEAR
VLAN VSAs: VSA 203, VSA 209, and VSA 211.










