Enterasys 802.1Q Especificaciones descargar pdf (Pagina 9)

Authentication Overview

April 15, 2011 Page 9 of 36

Requiredauthenticationcredentialsdependupontheauthenticationmethodbeingused.For

802.1xandPWAauthentication,theswitchsendsusernameandpasswordcredentialstothe

authenticationserver.ForMACauthentication,theswitchsendsthedeviceMACaddressanda

passwordconfiguredontheswitchtotheauthenticationserver.Theauthenticationserververifies



thecredentialsandreturnsanAcceptorRejectmessagebacktotheswitch.

How RADIUS Data Is Used

TheEnterasysswitchbasesitsdecisiontoopentheportandapplyapolicyorclosetheportbased

ontheRADIUSmessage,theportʹsdefaultpolicy,andunauthenticatedbehaviorconfiguration.

RADIUSprovidesaccountingfunctionalitybywayofaccountingpacketsfromtheswitchtothe

RADIUSserver,forsuchsession

statisticsasstartandend,totalpackets,andsessionendreason

events.Thisdatacanbeusedforbothbillingandnetworkmonitoringpurposes.

AdditionallyRADI US iswidelyusedbyVoIPserviceproviders.Itisusedtopasslogincredentials

ofaSIPendpoint(likeabroadbandphone)toa

SIPRegistrarusingdigestauthentication,and

thentotheauthenticationserverusingRADIUS.Sometimesitisalsousedtocollectcalldetail

records(CDRs)laterused,forinstance,tobillcustomersforinternationallongdistance.

Ifyouconfigureanauthenticationmethodthatrequirescommunicationwithanauthentication

server,youcanuse

theRADIUSFilter‐IDattributetodynamically assigneitherapolicyprofileor

managementleveltoauthenticatingsupplicants.

The RADIUS Filter-ID

TheRADIUSFilter‐IDattributeconsistsofastringthatisformattedintheRADIUSAccess‐Accept

packetsentbackfromtheauthenticationservertotheswitchduringtheauthentica tionprocess.

EachusercanbeconfiguredintheRADIUSserverdatabasewithaRADIUSFilter‐IDattribute

thatspecifiesthename

ofeitherapolicyprofileormanagementleveltheusershouldbeassigned

uponsuccessfulauthentication.Duringtheauthenticationprocess,whentheauthenticationserver

returnsaRADIUSAccess‐AcceptpacketthatincludesaFilter‐IDmatchingapolicyprofilename

configuredontheswitch,theswitchthendynamicallyappliesthe

policyprofiletothephysical

portthesupplicantisauthenticatingon.

ThedecoratedFilter‐IDsupportsapolicyattribute,amanagementaccessattribute,orbothinthe

followingformats:

Enterasys:version=1:policy=policyname

Enterasys:version=1:mgmt=access-mgmtType

Enterasys:version=1:mgmt=access-mgmtType:policy=policyname

policynameisthenameofthepolicytoapplytothisauthentication.

access‐mgmtTypessupportedare:ro(read‐only),rw(read‐write),andsu(super‐user).

Theun‐decoratedFilter‐IDsupportsthepolicyattrib uteonlyinthefollowingformat:

policyname

Theundecoratedformatissimplyastringthatspecifiesapolicyprofilename.Theundecorated

formatcannotbeusedformanagementaccessauthentication.DecoratedFilter‐IDsareprocessed

first.Ifnodecorated Filter‐IDsarefound,thenundecoratedFilter‐IDsareprocessed.Ifmultiple

Filter‐IDsarefoundthatcontainconflicting

values,aSyslogmessageisgenerated.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 ... 35 36

Comentarios a estos manuales

Sin comentarios

Enterasys 802.1Q Especificaciones Pagina 9

Comentarios a estos manuales

Relacionado con productos y manuales para Redes Enterasys 802.1Q