Enterasys Networks 9034385 End-System Capabilities, Support of Multiple Authentication Methods

Survey the Network

Similar to 802.1X, web‐based authentication requires the input of credentials and is normally used on user‐centric end‐systems that have a concept of an associated user, such as a PC. Therefore, this authentication method is inappropriate for machine‐centric devices such as printers and IP cameras.

Note that web‐based authentication is a user‐initiated authentication method where the user must manually begin the network login process by opening a web browser and entering credentials. This user‐initiated method prevents seamless network connectivity because the end user must initiate the reauthentication after assessment is complete.

Since Enterasys NAC only acts as a pass‐through to an upstream RADIUS Server, it is mandatory that a full authentication deployment is configured on the network if web‐based authentication is used.

MAC Authentication

MAC authentication authenticates the source MAC address of an end‐system and grants the appropriate level of access by validating the MAC address on the RADIUS authentication server.

This authentication method only requires that the end‐system generate a packet; it requires no special software on the end‐system.

Unlike 802.1X and web‐based authentication, MAC authentication can be used to authenticate machine‐centric end‐systems that have no concept of an associated user, such as a printer or IP camera.

With this authentication method, Enterasys NAC can act as a pass‐through to an upstream RADIUS Server or can locally authorize MAC authentication attempts. Therefore, if a full authentication deployment has not been configured on the network, MAC authentication should be used.

End-System Capabilities

When authentication is configured on the network, it is important to consider end‐system capabilities and their ability to interact with the authentication process. Machine‐centric end‐ systems that do not possess an 802.1X supplicant, such as IP cameras and printers, may only be capable of MAC authenticating to the network. Some human‐centric end‐systems such as PCs, may be capable of 802.1X and web‐based authentication while other PCs not installed with an 802.1X supplicant, are only capable of web‐based authentication. If end‐systems are implementing 802.1X and web‐based authentication, Enterasys NAC should leverage these authentication methods for end‐system detection. For end‐systems not implementing 802.1X or web‐based authentication, MAC‐based authentication can be enabled on these switch ports.

Support of Multiple Authentication Methods

In order to support an enterprise network consisting of a diverse environment of machine‐centric and human‐centric devices, it is important that the intelligent edge of the network supports the concurrent enabling of multiple authentication methods, all at the same time on the same switch port. Some intelligent switches may not support the enabling of multiple authentication methods concurrently on a single port. For example, MAC and 802.1X authentication may be concurrently enabled on a port to account for the fact that a trusted user, guest user, or IP phone may connect to this port. The ability to support multiple authentication methods concurrently on a port is even more important for environments where mobility of devices around the network is essential for ensuring business continuity.

Support for Multiple End-System Connection

It is important to know whether multiple end‐system connection is supported by the intelligent edge of the network. If the intelligent edge devices only support the authentication of one end‐

4-6 Design Planning