Enterasys 802.1Q Spécifications télécharger pdf

April 15, 2011 Page 1 of 36

Configuring User Authentication

Thischapterprovidesthefollowinginformationaboutconfiguringandmonitoringuser

authenticationonEnterasys

N‐Series,S‐Series

,andK‐Seriesmodularswitches,A‐Series,

B‐Series,C‐Seriesstackablefixedswitches,andD‐Series,G‐Series,and I‐Seriesstandalonefixed

switches.

What is User Authentication?

Authenticationistheabilityofanetworkaccessserver,withadatabaseofvalidusersanddevices,

toacquireandverifytheappropriatecredentialsofauserordevice(supplicant)attemptingto

gainaccesstothenetwork.EnterasysauthenticationusestheRADIUSprotocoltocontrolaccessto

switchportsfroman

authenticationserverandtomanagethemessageexchangebetweenthe

authenticatingdeviceandtheserver.BothMultiAuthandMulti‐userauthenticationare

supported.MultiAuthistheabilitytoconfiguremultipleauthenticationmodesforauserand

applytheauthenticationmodewiththehighestprecedence.Multi‐useristheabilityto

appropriatelyauthenticatemultiplesupplicantsonasinglelinkandprovisionnetworkresources,

baseduponanappropriatepolicyforeachsupplicant.TheEnterasysswitchproductssupportthe

followingfiveauthenticationmethods:

• IEEE802.1x

•MAC‐basedAuthenti cation(MAC)

•PortWebAuthentication(PWA)

Note: Through out this document:

• Use of the term “modular switch” indicates that the information is valid for the N-Series, S-Series,

and K-Series platforms.

• Use of the term “stackable fixed switch” indicates that the information is valid for the A-Series,

B-Series, and C-Series platforms.

• Use of the term “standalone fixed switch” indicates that the information is valid for the D-Series,

G-Series, and I-Series platforms.

For information about... Refer to page...

What is User Authentication? 1

Why Would I Use It in My Network? 2

How Can I Implement User Authentication? 2

Authentication Overview 2

Configuring Authentication 14

Authentication Configuration Example 29

Terms and Definitions 34

1 2 3 4 5 6 ... 35 36

Résumé du contenu

Page 1 - What is User Authentication?

April 15, 2011 Page 1 of 36Configuring User AuthenticationThischapterprovidesthefollowinginformationaboutconfiguringandmonitoringuserauthen

Page 2

Authentication OverviewApril 15, 2011 Page 10 of 36RFC 3580EnterasysswitchessupporttheRFC3580RADIUStunnelattributefordynamicVLANassignment

Page 3 - Port Web Authentication (PWA)

Authentication OverviewApril 15, 2011 Page 11 of 36• Value:Indicatesthetypeoftunnel.Avalueof0x0D(decimal13)indicatesthatthe tunnelingp

Page 4 - Convergence End Point (CEP)

Authentication OverviewApril 15, 2011 Page 12 of 36•AproblemwithmovinganendsystemtoanewVLANisthattheendsystemmustbeissuedanIPaddr

Page 5 - Multi-User Authentication

Authentication OverviewApril 15, 2011 Page 13 of 36authorizationisenabledgloballyandontheauthenticatinguser’sport,theVLANspecifiedbythe

Page 6 - Port ge.1.5

Configuring AuthenticationApril 15, 2011 Page 14 of 36Configuring AuthenticationThissectionprovidesdetailsfortheconfigurationofauthentication

Page 7 - MAU LogicMAU Logic

Configuring AuthenticationApril 15, 2011 Page 15 of 36pwa Globally enables or disables PWA authentication.Disabled.pwa enhancemode Allows a user on an

Page 8 - MAU Logic

Configuring AuthenticationApril 15, 2011 Page 16 of 36Configuring IEEE 802.1xConfiguringIEEE802.1xonanauthenticatorswitchportconsistsof:•Sett

Page 9 - The RADIUS Filter-ID

Configuring AuthenticationApril 15, 2011 Page 17 of 36Configuring MAC-based AuthenticationConfiguringMAC‐basedauthenticationonaswitchconsistsof

Page 10 - RFC 3580

Configuring AuthenticationApril 15, 2011 Page 18 of 36Configuring Port Web Authentication (PWA)ConfiguringPWAontheswitchconsistsof:•Settingthe

Page 11 - April 15, 2011 Page 11 of 36

Configuring AuthenticationApril 15, 2011 Page 19 of 36Whenenhancedmodeisenabled,PWAwilluseaguestpasswordandguestusernametograntnetwor

Page 12 - Policy Maptable Response

Why Would I Use It in My Network?April 15, 2011 Page 2 of 36• ConvergenceEndPoint(CEP)•RADIUSSnoopingEnterasysswitchproductssupporttheconfigu

Page 13 - April 15, 2011 Page 13 of 36

Configuring AuthenticationApril 15, 2011 Page 20 of 36Procedure 5describesthestepstoconfigureCEP.Setting MultiAuth Idle and Session Timeout for

Page 14 - Configuring Authentication

Configuring AuthenticationApril 15, 2011 Page 21 of 36Procedure 6describessettingtheMultiAuthidleandsessiontimeoutforCEP.Configuring MultiA

Page 15 - April 15, 2011 Page 15 of 36

Configuring AuthenticationApril 15, 2011 Page 22 of 36switchdevices).Youmaychangetheprecedenceforoneormoremethodsbysettingtheauthentica

Page 16 - Configuring IEEE 802.1x

Configuring AuthenticationApril 15, 2011 Page 23 of 36Procedure 9describessettingtheMultiAuthauthenticationportandmaximumuserproperties.Set

Page 17 - April 15, 2011 Page 17 of 36

Configuring AuthenticationApril 15, 2011 Page 24 of 36Setting MultiAuth Authentication TrapsTraps canbeenabledatthesystemandmodulelevelswhen

Page 18 - April 15, 2011 Page 18 of 36

Configuring AuthenticationApril 15, 2011 Page 25 of 36Configuring VLAN AuthorizationVLANauthorizationallowsforthedynamicassignmentofuserstot

Page 19 - April 15, 2011 Page 19 of 36

Configuring AuthenticationApril 15, 2011 Page 26 of 36IftheauthenticationserverreturnsaninvalidpolicyorVLANtoaswitchforanauthenticating

Page 20 - April 15, 2011 Page 20 of 36

Configuring AuthenticationApril 15, 2011 Page 27 of 36Procedure 14describesauthenticationserverconfiguration.Configuring RADIUS AccountingTherea

Page 21 - April 15, 2011 Page 21 of 36

Configuring AuthenticationApril 15, 2011 Page 28 of 36Procedure 15describesRADIUSaccountingconfiguration.Procedure 15 RADIUS Accounting Configura

Page 22 - April 15, 2011 Page 22 of 36

Authentication Configuration ExampleApril 15, 2011 Page 29 of 36Authentication Configuration ExampleOurexamplecoversthefoursupportedmodularswit

Page 23 - April 15, 2011 Page 23 of 36

Authentication OverviewApril 15, 2011 Page 3 of 36IEEE 802.1x Using EAPTheIEEE802.1xport‐basedaccesscontrolstandardallowsyoutoauthenticatea

Page 24 - April 15, 2011 Page 24 of 36

Authentication Configuration ExampleApril 15, 2011 Page 30 of 36Figure 5 Stackable Fixed Switch Authentication Configuration Example OverviewOurconf

Page 25 - April 15, 2011 Page 25 of 36

Authentication Configuration ExampleApril 15, 2011 Page 31 of 365. ConfiguringtheprinterclusterMACauthenticationforthemodularswitchconfigura

Page 26 - Configuring RADIUS

Authentication Configuration ExampleApril 15, 2011 Page 32 of 36Configuring the Engineering Group 802.1x End-User StationsTherearethreeaspectstoc

Page 27 - Configuring RADIUS Accounting

Authentication Configuration ExampleApril 15, 2011 Page 33 of 36ThefollowingCLIinput:•EnablesCEPgloballyontheswitch.•SetsCEPpolicytoaprev

Page 28 - April 15, 2011 Page 28 of 36

Terms and DefinitionsApril 15, 2011 Page 34 of 36•SetuptheRADIUSuseraccountforthepublicstationontheauthenticationserver.•EnablePWAglobal

Page 29 - April 15, 2011 Page 29 of 36

Terms and DefinitionsApril 15, 2011 Page 35 of 36IEEE 802.1x An IEEE standard for port-based Network Access Control that provides authentication to de

Page 30 - April 15, 2011 Page 30 of 36

Enterasys Networksreservestherighttomakechangesinspecificationsandotherinformati oncontainedinthisdocumentanditswebsitewithoutpri

Page 31 - Enabling RADIUS On the Switch

Authentication OverviewApril 15, 2011 Page 4 of 36switchcancontainanyFilter‐IDattributeconfiguredontheauthenticationserver,allowingpolicy

Page 32 - April 15, 2011 Page 32 of 36

Authentication OverviewApril 15, 2011 Page 5 of 36Multi-User AuthenticationMulti‐userauthenticationprovidesfortheper‐userorper‐deviceprovision

Page 33 - April 15, 2011 Page 33 of 36

Authentication OverviewApril 15, 2011 Page 6 of 36Figure 1 Applying Policy to Multiple Users on a Single PortMultiAuth AuthenticationAuthenticationm

Page 34 - Terms and Definitions

Authentication OverviewApril 15, 2011 Page 7 of 36Figure 2 Authenticating Multiple Users With Different Methods on a Single PortInFigure 3,fullMul

Page 35 - April 15, 2011 Page 35 of 36

Authentication OverviewApril 15, 2011 Page 8 of 36Figure 3 Selecting Authentication Method When Multiple Methods are ValidatedRemote Authentication D

Page 36 - Revision History

Authentication OverviewApril 15, 2011 Page 9 of 36Requiredauthenticationcredentialsdependupontheauthenticationmethodbeingused.For802.1xand