Enterasys 802.1Q Especificaciones descargar pdf

April 15, 2011 Page 1 of 36

Configuring User Authentication

Thischapterprovidesthefollowinginformationaboutconfiguringandmonitoringuser

authenticationonEnterasys

N‐Series,S‐Series

,andK‐Seriesmodularswitches,A‐Series,

B‐Series,C‐Seriesstackablefixedswitches,andD‐Series,G‐Series,and I‐Seriesstandalonefixed

switches.

What is User Authentication?

Authenticationistheabilityofanetworkaccessserver,withadatabaseofvalidusersanddevices,

toacquireandverifytheappropriatecredentialsofauserordevice(supplicant)attemptingto

gainaccesstothenetwork.EnterasysauthenticationusestheRADIUSprotocoltocontrolaccessto

switchportsfroman

authenticationserverandtomanagethemessageexchangebetweenthe

authenticatingdeviceandtheserver.BothMultiAuthandMulti‐userauthenticationare

supported.MultiAuthistheabilitytoconfiguremultipleauthenticationmodesforauserand

applytheauthenticationmodewiththehighestprecedence.Multi‐useristheabilityto

appropriatelyauthenticatemultiplesupplicantsonasinglelinkandprovisionnetworkresources,

baseduponanappropriatepolicyforeachsupplicant.TheEnterasysswitchproductssupportthe

followingfiveauthenticationmethods:

• IEEE802.1x

•MAC‐basedAuthenti cation(MAC)

•PortWebAuthentication(PWA)

Note: Through out this document:

• Use of the term “modular switch” indicates that the information is valid for the N-Series, S-Series,

and K-Series platforms.

• Use of the term “stackable fixed switch” indicates that the information is valid for the A-Series,

B-Series, and C-Series platforms.

• Use of the term “standalone fixed switch” indicates that the information is valid for the D-Series,

G-Series, and I-Series platforms.

For information about... Refer to page...

What is User Authentication? 1

Why Would I Use It in My Network? 2

How Can I Implement User Authentication? 2

Authentication Overview 2

Configuring Authentication 14

Authentication Configuration Example 29

Terms and Definitions 34

1 2 3 4 5 6 ... 35 36

Indice de contenidos

Pagina 1 - What is User Authentication?

April 15, 2011 Page 1 of 36Configuring User AuthenticationThischapterprovidesthefollowinginformationaboutconfiguringandmonitoringuserauthen

Pagina 2

Authentication OverviewApril 15, 2011 Page 10 of 36RFC 3580EnterasysswitchessupporttheRFC3580RADIUStunnelattributefordynamicVLANassignment

Pagina 3 - Port Web Authentication (PWA)

Authentication OverviewApril 15, 2011 Page 11 of 36• Value:Indicatesthetypeoftunnel.Avalueof0x0D(decimal13)indicatesthatthe tunnelingp

Pagina 4 - Convergence End Point (CEP)

Authentication OverviewApril 15, 2011 Page 12 of 36•AproblemwithmovinganendsystemtoanewVLANisthattheendsystemmustbeissuedanIPaddr

Pagina 5 - Multi-User Authentication

Authentication OverviewApril 15, 2011 Page 13 of 36authorizationisenabledgloballyandontheauthenticatinguser’sport,theVLANspecifiedbythe

Pagina 6 - Port ge.1.5

Configuring AuthenticationApril 15, 2011 Page 14 of 36Configuring AuthenticationThissectionprovidesdetailsfortheconfigurationofauthentication

Pagina 7 - MAU LogicMAU Logic

Configuring AuthenticationApril 15, 2011 Page 15 of 36pwa Globally enables or disables PWA authentication.Disabled.pwa enhancemode Allows a user on an

Pagina 8 - MAU Logic

Configuring AuthenticationApril 15, 2011 Page 16 of 36Configuring IEEE 802.1xConfiguringIEEE802.1xonanauthenticatorswitchportconsistsof:•Sett

Pagina 9 - The RADIUS Filter-ID

Configuring AuthenticationApril 15, 2011 Page 17 of 36Configuring MAC-based AuthenticationConfiguringMAC‐basedauthenticationonaswitchconsistsof

Pagina 10 - RFC 3580

Configuring AuthenticationApril 15, 2011 Page 18 of 36Configuring Port Web Authentication (PWA)ConfiguringPWAontheswitchconsistsof:•Settingthe

Pagina 11 - April 15, 2011 Page 11 of 36

Configuring AuthenticationApril 15, 2011 Page 19 of 36Whenenhancedmodeisenabled,PWAwilluseaguestpasswordandguestusernametograntnetwor

Pagina 12 - Policy Maptable Response

Why Would I Use It in My Network?April 15, 2011 Page 2 of 36• ConvergenceEndPoint(CEP)•RADIUSSnoopingEnterasysswitchproductssupporttheconfigu

Pagina 13 - April 15, 2011 Page 13 of 36

Configuring AuthenticationApril 15, 2011 Page 20 of 36Procedure 5describesthestepstoconfigureCEP.Setting MultiAuth Idle and Session Timeout for

Pagina 14 - Configuring Authentication

Configuring AuthenticationApril 15, 2011 Page 21 of 36Procedure 6describessettingtheMultiAuthidleandsessiontimeoutforCEP.Configuring MultiA

Pagina 15 - April 15, 2011 Page 15 of 36

Configuring AuthenticationApril 15, 2011 Page 22 of 36switchdevices).Youmaychangetheprecedenceforoneormoremethodsbysettingtheauthentica

Pagina 16 - Configuring IEEE 802.1x

Configuring AuthenticationApril 15, 2011 Page 23 of 36Procedure 9describessettingtheMultiAuthauthenticationportandmaximumuserproperties.Set

Pagina 17 - April 15, 2011 Page 17 of 36

Configuring AuthenticationApril 15, 2011 Page 24 of 36Setting MultiAuth Authentication TrapsTraps canbeenabledatthesystemandmodulelevelswhen

Pagina 18 - April 15, 2011 Page 18 of 36

Configuring AuthenticationApril 15, 2011 Page 25 of 36Configuring VLAN AuthorizationVLANauthorizationallowsforthedynamicassignmentofuserstot

Pagina 19 - April 15, 2011 Page 19 of 36

Configuring AuthenticationApril 15, 2011 Page 26 of 36IftheauthenticationserverreturnsaninvalidpolicyorVLANtoaswitchforanauthenticating

Pagina 20 - April 15, 2011 Page 20 of 36

Configuring AuthenticationApril 15, 2011 Page 27 of 36Procedure 14describesauthenticationserverconfiguration.Configuring RADIUS AccountingTherea

Pagina 21 - April 15, 2011 Page 21 of 36

Configuring AuthenticationApril 15, 2011 Page 28 of 36Procedure 15describesRADIUSaccountingconfiguration.Procedure 15 RADIUS Accounting Configura

Pagina 22 - April 15, 2011 Page 22 of 36

Authentication Configuration ExampleApril 15, 2011 Page 29 of 36Authentication Configuration ExampleOurexamplecoversthefoursupportedmodularswit

Pagina 23 - April 15, 2011 Page 23 of 36

Authentication OverviewApril 15, 2011 Page 3 of 36IEEE 802.1x Using EAPTheIEEE802.1xport‐basedaccesscontrolstandardallowsyoutoauthenticatea

Pagina 24 - April 15, 2011 Page 24 of 36

Authentication Configuration ExampleApril 15, 2011 Page 30 of 36Figure 5 Stackable Fixed Switch Authentication Configuration Example OverviewOurconf

Pagina 25 - April 15, 2011 Page 25 of 36

Authentication Configuration ExampleApril 15, 2011 Page 31 of 365. ConfiguringtheprinterclusterMACauthenticationforthemodularswitchconfigura

Pagina 26 - Configuring RADIUS

Authentication Configuration ExampleApril 15, 2011 Page 32 of 36Configuring the Engineering Group 802.1x End-User StationsTherearethreeaspectstoc

Pagina 27 - Configuring RADIUS Accounting

Authentication Configuration ExampleApril 15, 2011 Page 33 of 36ThefollowingCLIinput:•EnablesCEPgloballyontheswitch.•SetsCEPpolicytoaprev

Pagina 28 - April 15, 2011 Page 28 of 36

Terms and DefinitionsApril 15, 2011 Page 34 of 36•SetuptheRADIUSuseraccountforthepublicstationontheauthenticationserver.•EnablePWAglobal

Pagina 29 - April 15, 2011 Page 29 of 36

Terms and DefinitionsApril 15, 2011 Page 35 of 36IEEE 802.1x An IEEE standard for port-based Network Access Control that provides authentication to de

Pagina 30 - April 15, 2011 Page 30 of 36

Enterasys Networksreservestherighttomakechangesinspecificationsandotherinformati oncontainedinthisdocumentanditswebsitewithoutpri

Pagina 31 - Enabling RADIUS On the Switch

Authentication OverviewApril 15, 2011 Page 4 of 36switchcancontainanyFilter‐IDattributeconfiguredontheauthenticationserver,allowingpolicy

Pagina 32 - April 15, 2011 Page 32 of 36

Authentication OverviewApril 15, 2011 Page 5 of 36Multi-User AuthenticationMulti‐userauthenticationprovidesfortheper‐userorper‐deviceprovision

Pagina 33 - April 15, 2011 Page 33 of 36

Authentication OverviewApril 15, 2011 Page 6 of 36Figure 1 Applying Policy to Multiple Users on a Single PortMultiAuth AuthenticationAuthenticationm

Pagina 34 - Terms and Definitions

Authentication OverviewApril 15, 2011 Page 7 of 36Figure 2 Authenticating Multiple Users With Different Methods on a Single PortInFigure 3,fullMul

Pagina 35 - April 15, 2011 Page 35 of 36

Authentication OverviewApril 15, 2011 Page 8 of 36Figure 3 Selecting Authentication Method When Multiple Methods are ValidatedRemote Authentication D

Pagina 36 - Revision History

Authentication OverviewApril 15, 2011 Page 9 of 36Requiredauthenticationcredentialsdependupontheauthenticationmethodbeingused.For802.1xand