Enterasys 802.1Q Dokumentacja Pobierz pdf

April 15, 2011 Page 1 of 36

Configuring User Authentication

Thischapterprovidesthefollowinginformationaboutconfiguringandmonitoringuser

authenticationonEnterasys

N‐Series,S‐Series

,andK‐Seriesmodularswitches,A‐Series,

B‐Series,C‐Seriesstackablefixedswitches,andD‐Series,G‐Series,and I‐Seriesstandalonefixed

switches.

What is User Authentication?

Authenticationistheabilityofanetworkaccessserver,withadatabaseofvalidusersanddevices,

toacquireandverifytheappropriatecredentialsofauserordevice(supplicant)attemptingto

gainaccesstothenetwork.EnterasysauthenticationusestheRADIUSprotocoltocontrolaccessto

switchportsfroman

authenticationserverandtomanagethemessageexchangebetweenthe

authenticatingdeviceandtheserver.BothMultiAuthandMulti‐userauthenticationare

supported.MultiAuthistheabilitytoconfiguremultipleauthenticationmodesforauserand

applytheauthenticationmodewiththehighestprecedence.Multi‐useristheabilityto

appropriatelyauthenticatemultiplesupplicantsonasinglelinkandprovisionnetworkresources,

baseduponanappropriatepolicyforeachsupplicant.TheEnterasysswitchproductssupportthe

followingfiveauthenticationmethods:

• IEEE802.1x

•MAC‐basedAuthenti cation(MAC)

•PortWebAuthentication(PWA)

Note: Through out this document:

• Use of the term “modular switch” indicates that the information is valid for the N-Series, S-Series,

and K-Series platforms.

• Use of the term “stackable fixed switch” indicates that the information is valid for the A-Series,

B-Series, and C-Series platforms.

• Use of the term “standalone fixed switch” indicates that the information is valid for the D-Series,

G-Series, and I-Series platforms.

For information about... Refer to page...

What is User Authentication? 1

Why Would I Use It in My Network? 2

How Can I Implement User Authentication? 2

Authentication Overview 2

Configuring Authentication 14

Authentication Configuration Example 29

Terms and Definitions 34

1 2 3 4 5 6 ... 35 36

Podsumowanie treści

Strona 1 - What is User Authentication?

April 15, 2011 Page 1 of 36Configuring User AuthenticationThischapterprovidesthefollowinginformationaboutconfiguringandmonitoringuserauthen

Strona 2

Authentication OverviewApril 15, 2011 Page 10 of 36RFC 3580EnterasysswitchessupporttheRFC3580RADIUStunnelattributefordynamicVLANassignment

Strona 3 - Port Web Authentication (PWA)

Authentication OverviewApril 15, 2011 Page 11 of 36• Value:Indicatesthetypeoftunnel.Avalueof0x0D(decimal13)indicatesthatthe tunnelingp

Strona 4 - Convergence End Point (CEP)

Authentication OverviewApril 15, 2011 Page 12 of 36•AproblemwithmovinganendsystemtoanewVLANisthattheendsystemmustbeissuedanIPaddr

Strona 5 - Multi-User Authentication

Authentication OverviewApril 15, 2011 Page 13 of 36authorizationisenabledgloballyandontheauthenticatinguser’sport,theVLANspecifiedbythe

Strona 6 - Port ge.1.5

Configuring AuthenticationApril 15, 2011 Page 14 of 36Configuring AuthenticationThissectionprovidesdetailsfortheconfigurationofauthentication

Strona 7 - MAU LogicMAU Logic

Configuring AuthenticationApril 15, 2011 Page 15 of 36pwa Globally enables or disables PWA authentication.Disabled.pwa enhancemode Allows a user on an

Strona 8 - MAU Logic

Configuring AuthenticationApril 15, 2011 Page 16 of 36Configuring IEEE 802.1xConfiguringIEEE802.1xonanauthenticatorswitchportconsistsof:•Sett

Strona 9 - The RADIUS Filter-ID

Configuring AuthenticationApril 15, 2011 Page 17 of 36Configuring MAC-based AuthenticationConfiguringMAC‐basedauthenticationonaswitchconsistsof

Strona 10 - RFC 3580

Configuring AuthenticationApril 15, 2011 Page 18 of 36Configuring Port Web Authentication (PWA)ConfiguringPWAontheswitchconsistsof:•Settingthe

Strona 11 - April 15, 2011 Page 11 of 36

Configuring AuthenticationApril 15, 2011 Page 19 of 36Whenenhancedmodeisenabled,PWAwilluseaguestpasswordandguestusernametograntnetwor

Strona 12 - Policy Maptable Response

Why Would I Use It in My Network?April 15, 2011 Page 2 of 36• ConvergenceEndPoint(CEP)•RADIUSSnoopingEnterasysswitchproductssupporttheconfigu

Strona 13 - April 15, 2011 Page 13 of 36

Configuring AuthenticationApril 15, 2011 Page 20 of 36Procedure 5describesthestepstoconfigureCEP.Setting MultiAuth Idle and Session Timeout for

Strona 14 - Configuring Authentication

Configuring AuthenticationApril 15, 2011 Page 21 of 36Procedure 6describessettingtheMultiAuthidleandsessiontimeoutforCEP.Configuring MultiA

Strona 15 - April 15, 2011 Page 15 of 36

Configuring AuthenticationApril 15, 2011 Page 22 of 36switchdevices).Youmaychangetheprecedenceforoneormoremethodsbysettingtheauthentica

Strona 16 - Configuring IEEE 802.1x

Configuring AuthenticationApril 15, 2011 Page 23 of 36Procedure 9describessettingtheMultiAuthauthenticationportandmaximumuserproperties.Set

Strona 17 - April 15, 2011 Page 17 of 36

Configuring AuthenticationApril 15, 2011 Page 24 of 36Setting MultiAuth Authentication TrapsTraps canbeenabledatthesystemandmodulelevelswhen

Strona 18 - April 15, 2011 Page 18 of 36

Configuring AuthenticationApril 15, 2011 Page 25 of 36Configuring VLAN AuthorizationVLANauthorizationallowsforthedynamicassignmentofuserstot

Strona 19 - April 15, 2011 Page 19 of 36

Configuring AuthenticationApril 15, 2011 Page 26 of 36IftheauthenticationserverreturnsaninvalidpolicyorVLANtoaswitchforanauthenticating

Strona 20 - April 15, 2011 Page 20 of 36

Configuring AuthenticationApril 15, 2011 Page 27 of 36Procedure 14describesauthenticationserverconfiguration.Configuring RADIUS AccountingTherea

Strona 21 - April 15, 2011 Page 21 of 36

Configuring AuthenticationApril 15, 2011 Page 28 of 36Procedure 15describesRADIUSaccountingconfiguration.Procedure 15 RADIUS Accounting Configura

Strona 22 - April 15, 2011 Page 22 of 36

Authentication Configuration ExampleApril 15, 2011 Page 29 of 36Authentication Configuration ExampleOurexamplecoversthefoursupportedmodularswit

Strona 23 - April 15, 2011 Page 23 of 36

Authentication OverviewApril 15, 2011 Page 3 of 36IEEE 802.1x Using EAPTheIEEE802.1xport‐basedaccesscontrolstandardallowsyoutoauthenticatea

Strona 24 - April 15, 2011 Page 24 of 36

Authentication Configuration ExampleApril 15, 2011 Page 30 of 36Figure 5 Stackable Fixed Switch Authentication Configuration Example OverviewOurconf

Strona 25 - April 15, 2011 Page 25 of 36

Authentication Configuration ExampleApril 15, 2011 Page 31 of 365. ConfiguringtheprinterclusterMACauthenticationforthemodularswitchconfigura

Strona 26 - Configuring RADIUS

Authentication Configuration ExampleApril 15, 2011 Page 32 of 36Configuring the Engineering Group 802.1x End-User StationsTherearethreeaspectstoc

Strona 27 - Configuring RADIUS Accounting

Authentication Configuration ExampleApril 15, 2011 Page 33 of 36ThefollowingCLIinput:•EnablesCEPgloballyontheswitch.•SetsCEPpolicytoaprev

Strona 28 - April 15, 2011 Page 28 of 36

Terms and DefinitionsApril 15, 2011 Page 34 of 36•SetuptheRADIUSuseraccountforthepublicstationontheauthenticationserver.•EnablePWAglobal

Strona 29 - April 15, 2011 Page 29 of 36

Terms and DefinitionsApril 15, 2011 Page 35 of 36IEEE 802.1x An IEEE standard for port-based Network Access Control that provides authentication to de

Strona 30 - April 15, 2011 Page 30 of 36

Enterasys Networksreservestherighttomakechangesinspecificationsandotherinformati oncontainedinthisdocumentanditswebsitewithoutpri

Strona 31 - Enabling RADIUS On the Switch

Authentication OverviewApril 15, 2011 Page 4 of 36switchcancontainanyFilter‐IDattributeconfiguredontheauthenticationserver,allowingpolicy

Strona 32 - April 15, 2011 Page 32 of 36

Authentication OverviewApril 15, 2011 Page 5 of 36Multi-User AuthenticationMulti‐userauthenticationprovidesfortheper‐userorper‐deviceprovision

Strona 33 - April 15, 2011 Page 33 of 36

Authentication OverviewApril 15, 2011 Page 6 of 36Figure 1 Applying Policy to Multiple Users on a Single PortMultiAuth AuthenticationAuthenticationm

Strona 34 - Terms and Definitions

Authentication OverviewApril 15, 2011 Page 7 of 36Figure 2 Authenticating Multiple Users With Different Methods on a Single PortInFigure 3,fullMul

Strona 35 - April 15, 2011 Page 35 of 36

Authentication OverviewApril 15, 2011 Page 8 of 36Figure 3 Selecting Authentication Method When Multiple Methods are ValidatedRemote Authentication D

Strona 36 - Revision History

Authentication OverviewApril 15, 2011 Page 9 of 36Requiredauthenticationcredentialsdependupontheauthenticationmethodbeingused.For802.1xand