Enterasys Networks D2G124-12P Manual

A SERVICE OF

next previous

Overview of Security Methods

15-2 Security Configuration

ports.FordetailsonusingCLIcommandstoconfigure802.1X,referto“Configuring802.1X

Authentication”onpage 15 ‐9.

•MACAuthentication–providesamechanismforadministratorstosecurelyauthenticate

sourceMACaddressesandgrantappropriateaccesstoenduserdevicescommunicatingwith

D‐Seriesports.Fordetails,referto“Configuring

MACAuthentication”onpage 15‐19.

•MultipleAuthenticationMethods–allowsuserstoauthenticateusingmultiplemethodsof

authenticationonthesameport.Fordetails,referto“ConfiguringMultipleAuthentication

Methods”onpage 15‐30.

•RFC3580TunnelAttributesprovideamechanismtocontainan802.1XauthenticatedorMAC

authenticateduserto

aVLANregardlessofthePVID.Referto“ConfiguringVLAN

Authorization(RFC3580)”onpage 15‐41.

•MACLocking–locksaporttooneormoreMACaddresses,preventingtheuseof

unauthorizeddevicesandMACspoofingontheportFordetails,referto“ConfiguringMAC

Locking”onpage 15

‐46.

•PortWebAuthentication(PWA)–passesalllogininformationfromtheendstationtoa

RADIUSserverforauthenticationbeforeallowingausertoaccessthenetwork.PWAisan

alternativeto802.1XandMACauthentication.Fordetails,referto“ConfiguringPortWeb

Authentication(PWA)”onpage 15‐57.

•SecureShell(SSH)–providessecureTelnet.Fordetails,referto“ConfiguringSecureShell

(SSH)”onpage 15‐68.

RADIUS Filter-ID Attribute and Dynamic Policy Profile Assignment

IfyouconfigureanauthenticationmethodthatrequirescommunicationwithaRADIUSserver,

youcanusetheRADIUSFilter‐IDattributetodynamicallyassignapolicyprofileand/or

managementleveltoauthenticatingusersand/ordevices.

TheRADIUSFilter‐IDattributeissimplyastringthatisformattedintheRADIUSAccess‐

Accept

packetsentbackfromtheRADIUSservertotheswitchduringtheauthenticationprocess.

EachusercanbeconfiguredintheRADIUSserverdatabasewithaRADIUSFilter‐IDattribute

thatspecifiesthenameofthepolicyprofileand/ormanagementleveltheusershouldbeassigned

uponsuccessfulauthentication.During

theauthenticationprocess,whentheRADIUSserver

returnsaRADIUSAccess‐AcceptmessagethatincludesaFilter‐IDmatchingapolicyprofilename

configuredontheswitch,theswitchthendynamicallyappliesthepolicyprofiletothephysical

porttheuser/deviceisauthenticatingon.

Filter-ID Attribute Formats

EnterasysNetworkssupportstwoFilter‐IDformats—“decorated”and“undecorated.”The

decoratedformathasthreeforms:

•Tospecifythepolicyprofiletoassigntotheauthenticatinguser(networkaccess

authentication):

Enterasys:version=1:policy=string

wherestringspecifiesthepolicyprofilename.Policyprofilenamesarecase‐sensitive.

Note: To configure EAP pass-through, which allows client authentication packets to be forwarded

through the switch to an upstream device, 802.1X authentication must be globally disabled with the

set dot1x command.