Enterasys Networks D-Series RADIUS Filter-ID Attribute and Dynamic Policy Profile Assignment

Overview of Security Methods

17-2 Security Configuration

onusingCLIcommandstoconfigure802.1X,referto“Configuring802.1XAuthentication”on

page17‐11.

•MACAuthentication–providesamechanismforadministratorstosecurelyauthenticate

sourceMACaddressesandgrantappropriateaccesstoenduserdevicescommunicatingwith

D‐Seriesports.Fordetails,referto“ConfiguringMACAuthentication”onpage17‐21.

•MultipleAuthenticationMethods–allowsuserstoauthenticateusingmultiplemethodsof

authenticationonthesameport.Fordetails,referto“ConfiguringMultipleAuthentication

Methods”onpage17 ‐33.

•Multi‐UserAuthentication–User+IPPhone.TheUser+IPPhoneauthenticationfeature

supportsauthenticationandauthorizationoftwodevices,specificallyaPCcascadedwithan

IPphone,onasingleportontheD2.TheIPphonemustauthenticateusingMACor802.1X

authentication,buttheusermayauthenticatebyanymethod.Thisfeatureallowsboththe

user’sPCandIPphonetosimultaneouslyauthenticateonasingleportandeachreceivea

uniquelevelofnetworkaccess.Fordetails,referto“ConfiguringMulti‐UserAuthentication

(User+IPphone)”onpage 17‐33.

•RFC3580TunnelAttributesprovideamechanismtocontainan802.1XauthenticatedorMAC

authenticatedusertoaVLANregardlessofthePVID.Referto“ConfiguringVLAN

Authorization(RFC3580)”onpage 17‐45.

•MACLocking–locksaporttooneormoreMACaddresses,preventingtheuseof

unauthorizeddevicesandMACspoofingontheportFordetails,referto“ConfiguringMAC

Locking”onpage17‐51.

•PortWebAuthentication(PWA)–passesalllogininformationfromtheendstationtoa

RADIUSserverforauthenticationbeforeallowingausertoaccessthenetwork.PWAisan

alternativeto802.1XandMACauthentication.Fordetails,referto“ConfiguringPortWeb

Authentication(PWA)”onpage17‐62.

•SecureShell(SSH)–providessecureTelne t.Fordetails,referto“ConfiguringSecureShell

(SSH)”onpage 17‐74.

RADIUS Filter-ID Attribute and Dynamic Policy Profile Assignment

IfyouconfigureanauthenticationmethodthatrequirescommunicationwithaRADIUSserver,

youcanusetheRADIUSFilter‐IDattributetodynamicallyassignapolicyprofileand/or

managementleveltoauthenticatingusersand/ordevices.

TheRADIUSFilter‐IDattributeissimplyastringthatisformattedintheRADIUSAccess‐Accept

packetsentbackfromtheRADIUSservertotheswitchduringtheauthenticationprocess.

EachusercanbeconfiguredintheRADIUSserverdatabasewithaRADIUSFilter‐IDattribute

thatspecifiesthenameofthepolicyprofileand/ormanagementleveltheusershouldbeassigned

uponsuccessfulauthentication.Duringtheauthenticationprocess,whentheRADIUSserver

returnsaRADIUSAccess‐AcceptmessagethatincludesaFilter‐IDmatchingapolicyprofilename

Note: To configure EAP pass-through, which allows client authentication packets to be forwarded

through the switch to an upstream device, 802.1X authentication must be globally disabled with the

set dot1x command.

Notes: The D2 supports up to two authenticated users per port.

The D2 cannot simultaneously support Policy and RFC 3580 on the same port. If multiple users are

configured to use a port, and the D2 is then switched from "policy" mode to "tunnel" mode (RFC-

3580 VLAN to port mapping), the total number of users supported to use a port will be reset to one.

RFC-3580 VLAN authorization is not supported by PWA authentication.