Enterasys Networks D2G124-12, D2G124-12P RADIUS Filter-ID Attribute and Dynamic Policy Profile Assignment

Overview of Security Methods

15-2 Security Configuration

ports.FordetailsonusingCLIcommandstoconfigure802.1X,referto“Configuring802.1X

Authentication”onpage 15‐9.

•MACAuthentication–providesamechanismforadministratorstosecurelyauthenticate

sourceMACaddressesandgrantappropriateaccesstoenduserdevicescommunicatingwith

D‐Seriesports.Fordetails,referto“ConfiguringMACAuthentication”onpage15‐19.

•MultipleAuthenticationMethods–allowsuserstoauthenticateusingmultiplemethodsof

authenticationonthesameport.Fordetails,referto“ConfiguringMultipleAuthentication

Methods”onpage 15‐30.

•RFC3580TunnelAttributesprovideamechanismtocontainan802.1XauthenticatedorMAC

authenticatedusertoaVLANregardlessofthePVID.Referto“ConfiguringVLAN

Authorization(RFC3580)”onpage 15‐41.

•MACLocking–locksaporttooneormoreMACaddresses,preventingtheuseof

unauthorizeddevicesandMACspoofingontheportFordetails,referto“ConfiguringMAC

Locking”onpage 15‐46.

•PortWe bAuthentication(PWA)–passesalllogininformationfromtheendstationtoa

RADIUSserverforauthenticationbeforeallowingausertoaccessthenetwork.PWAisan

alternativeto802.1XandMACauthentication.Fordetails,referto“ConfiguringPortWeb

Authentication(PWA)”onpage15‐57.

•SecureShell(SSH)–providessecureTeln et. Fordetails,referto“ConfiguringSecureShell

(SSH)”onpage 15‐68.

RADIUS Filter-ID Attribute and Dynamic Policy Profile Assignment

IfyouconfigureanauthenticationmethodthatrequirescommunicationwithaRADIUSserver,

youcanusetheRADIUSFilter‐IDattributetodynamicallyassignapolicyprofileand/or

managementleveltoauthenticatingusersand/ordevices.

TheRADIUSFilter‐IDattributeissimplyastringthatisformattedintheRADIUSAccess‐Accept

packetsentbackfromtheRADIUSservertotheswitchduringtheauthenticationprocess.

EachusercanbeconfiguredintheRADIUSserverdatabasewithaRADIUSFilter‐IDattribute

thatspecifiesthenameofthepolicyprofileand/ormanagementleveltheusershouldbeassigned

uponsuccessfulauthentication.Duringtheauthenticationprocess,whentheRADIUSserver

returnsaRADIUSAccess‐AcceptmessagethatincludesaFilter‐IDmatchingapolicyprofilename

configuredontheswitch,theswitchthendynamicallyappliesthepolicyprofiletothephysical

porttheuser/deviceisauthenticatingon.

EnterasysNetworkssupportstwoFilter‐IDformats—“decorated”and“undecorated.”The

decoratedformathasthreeforms:

•Tospecifythepolicyprofiletoassigntotheauthenticatinguser(networkaccess

authentication):

Enterasys:version=1:policy=string

wherestringspecifiesthepolicyprofilename.Policyprofilenamesarecase‐sensitive.

Note: To configure EAP pass-through, which allows client authentication packets to be forwarded

through the switch to an upstream device, 802.1X authentication must be globally disabled with the

set dot1x command.