Enterasys Networks DFE-Gold Series Configuring Port Web Authentication (PWA)

clear dot1x auth-config Configuring Port Web Authentication (PWA)

Enterasys Matrix DFE-Gold Series Configuration Guide 25-11

Configuring Port Web Authentication (PWA)

PWAprovidesawayofauthenticatingusersbeforeallowinggeneralaccesstothenetwork.A

PWAuser’saccesstothenetworkisrestricteduntilaftertheusersuccessfullylogsinviaaweb

browserusingtheEnterasysMatrixSeriesweb‐basedsecurityinterface.TheEnterasysMatrix

SeriesdevicewillvalidatealllogincredentialfromtheuserwithaRADIUSserverbeforeallowing

networkaccess.

PWAisanalternativeto802.1XandMACauthentication.Itallowsonlytheessentialprotocols

andservicesrequiredbytheauthenticationprocessbetweentheend‐stationandthenetwork.All

othertrafficisdiscarded.Whenauserisintheunauthenticatedstate,anyusertrafficrequesting

networkresourceswillnotbeallowed.

TologonusingPWA,theusermakesarequestviaawebbrowserforthePWAwebpageoris

automaticallyredirectedtothisloginpageafterrequestingaURLinabrowser.

Dependingupontheauthenticatedstateoftheuser,aloginpageoralogoutpagewilldisplay.

Whenausersubmitsusernameandpassword,theswitchthenauthenticatestheuserviaa

preconfiguredRADIUSserver.Iftheloginissuccessful,thentheuserwillbegrantedfullnetwork

accessaccordingtotheuser’spolicyconfigurationontheswitch.

InordertooptimizePWAauthenticationontheEnterasysMatrixSeriesdevice,thedevicemustbe

configuredtosatisfytheminimumrequirementsofanauthenticatingclientneedingtosendan

HTTPrequestwithitswebbrowser.Typically,theclientwillneedDNSandARPresolutionbefore

itcangeneratetheHTTPrequestneededtodoaPWAlogin.Also,DHCPmaybeneededinmany

environments.TheseservicesarenotprovidedbyPWAandmustbeprovidedbythenetwork.To

accomplishthis,thedevicemustbeconfiguredtoallowaccesstotheneededservices.

Thefirststepistomakesurethatthemultipleauthenticationportmodesettingsaresetto“auth‐

opt”onallportsthatareconfiguredtorunPWA.

Examples

Thisexampleshowshowtosetthemultipleauthenticationportmodeto“auth‐opt”forallFast

Ethernetportsinthechassisorstandalonedevice:

Matrix(rw)->set multiauth port mode auth-opt fe.*.*

Fordetailsonusingthesetmultiauthportcommand,referto“setmultiauthport”onpage 27‐6.

Settingtheportmodeinthisfashionwillallowtraffictoflowthroughtheportwithout

authenticationaccordingtoitsconfiguration.Bydefault,thiswouldallowalltraffictobe

forwarded.Conversely,youcouldconfiguretheportstodropalltraffic,butthisisnotthemost

effectivesolution.Betteryetwouldbetoconfiguretheporttoprovideonlytheminimalservices

andnothingmore.Themostpowerfultoolforaccomplishingthisgoalispolicyconfiguration.

Policiesprovidetheflexibilityneededtotailortheseservicestotheconfigurationandsecurity

needsofyourenvironment.

Thisexampleshowshowtoconfigureapolicyprofilethatwilldiscardalltrafficbydefault:

Matrix(rw)->set policy profile 1 name “Unauthenticated User” pvid 0 pvid-status

enable

Thisexampleshowshowtoconfigurepolicyprofilerule1thatwillenabletheselectiveservices

requiredforPWA.Thisrulewill:

•forwardARPrequests,