Enterasys Networks D-Series Configuring Multiple Authentication Methods

Configuring Multiple Authentication Methods

Enterasys D-Series CLI Reference 17-33

Configuring Multiple Authentication Methods

Whenenabled,multipleauthenticationtypesallowuserstoauthenticateusingmorethanone

methodonthesameport.Inorderformultipleauthenticationtofunctiononthedevice,each

possiblemethodofauthentication(MACauthentication,802.1X,PWA)mustbeenabledglobally

andconfiguredappropriatelyonthedesiredportswithitscorrespondingcommandsetdescribed

inthischapter.

Multipleauthenticationmodemustbegloballyenabledonthedeviceusingthesetmultiauth

modecommand.

TheUser+IPphonemulti‐userauthenticationfeatureallowsauserandtheirIPphonetobothuse

asingleportontheD2buttohaveseparatepolicyroles.

ʺUser+IPPhoneʺAuthenticationontheD‐Seriesisimplementedbyassigninganingressed

packetreceivedonaporttoapolicyrolebasedontheVLANthepacketwasassignedto,andnot

thepacketʹssourceMACaddress.Therefore,onaportconfiguredforUser+IPPhone

Authentication,thereexiststwodifferentVLAN‐to‐policyrolemappings.

ThepolicyrolefortheIPphoneisstaticallymappedusingtheVLAN‐to‐policymappingfeature

whichassignsanypacketsreceivedwithaVLANtagsettoaspecificVID(forexample,Voice

VLAN)toanindicatedpolicyrole(forexample,IPPhonepolicyrole).Therefore,itisrequiredthat

IPphoneisconfiguredtosendVLANtaggedpacketstothe“Voice”VLAN.

Thesecondpolicyrole,fortheuser,caneitherbestaticallyconfiguredwiththedefaultpolicyrole

ontheportordynamicallyassignedthroughauthenticationtothenetwork.Whenthedefault

policyroleisassignedonaport,theVLANsetastheportʹsPVIDismappedtothedefaultpolicy

role.Whenapolicyroleisdynamicallyappliedtoaportastheresultofasuccessfully

authenticatedsession,the“authenticatedVLAN”ismappedtothepolicyrolesetintheFilter‐ID

returnedfromtheRADIUSserver.The“authenticatedVLAN”mayeitherbethePVIDoftheport,

ifthePVIDOverrideforthepolicyprofileisdisabled,ortheVLANspecifiedinthePVIDOverride

ifthePVIDOverrideisenabled.

Commands

Note: D2 devices support up to two authenticated users per port.

Note: The only Multi-User Authentication supported on the D2 is User + IP phone. The IP phone

and the user may authenticate using 802.1x or MAC authentication.

For information about... Refer to page...

show multiauth 17-34

set multiauth mode 17-35

clear multiauth mode 17-35