Overview of Authentication and Authorization Methods
22-2 Authentication and Authorization Configuration
TACACS+application.WhenRADIUS orTACACS+isenabled,this essentiallyoverrideslogin
useraccounts.WhenHACAisactiveperavalidRADIUSorTACACS+configuration,theuser
namesandpasswordsusedtoaccesstheswitchviaTelnet,SSH,WebView,andCOMports
willbevalidatedagainsttheconfiguredRADIUSserver.Only
inthecaseofaRADI US
timeoutwillthosecredentialsbecomparedagainstcredentialslocallyconfiguredonthe
switch.
Fordetails,referto“ConfiguringRADIUS”onpage 22‐6.
•SNMPuserorcommunitynames–allowsaccesstotheEnterasysB5switchviaanetwork
SNMPmanagementapplication.Toaccesstheswitch,youmust enteranSNMPuseror
communitynamestring.Thelevelofmanagementaccessisdependenton
theassociated
accesspolicy.Fordetails,refertoChapter 8.
• 802.1XPortBasedNetworkAccessControlusingEAPOL(ExtensibleAuthenticationProtocol)
–providesamechanismviaaRADIUSserverforadministratorstosecurelyauthenticateand
grantappropriateaccesstoenduserdevicescommunicatingwithEnterasysB5ports.For
detailsonusingCLI
commandstoconfigure802.1X,referto“Configuring802.1X
Authentication”onpage 22 ‐15.
•MACAuthentication–providesamechanismforadministratorstosecurelyauthenticate
sourceMACaddressesandgrantappropriateaccesstoenduserdevicescommunicatingwith
EnterasysB5ports.Fordetails,referto“ConfiguringMACAuthentication”onpage 22‐25.
•MultipleAuthenticationMethods–allowsuserstoauthenticateusingmultiplemethodsof
authenticationonthesameport.Fordetails,referto“ConfiguringMultipleAuthentication
Methods”onpage 22‐37.
•Multi‐UserAuthentication—allowsmultipleusersanddevicesonthesameportto
authenticateusinganysupportedauthenticationmethod.Eachuseror
devicecanbemapped
tothesameordifferentrolesusingEnterasyspolicyforaccesscontrol,VLANauthorization,
trafficratelimiting,andqualityofservice.Thisisthemostflexibleandpreferredmethodto
useforVoIP(PCdaisychainedtoaphone). Fordetails,referto“AboutMulti‐User
Authentication”onpage 22 ‐37.RefertoAppendix A,PolicyandAuthenticationCapacities,
foralistingofthenumberofusersperportsupportedbytheEnterasysB5.
•User+IPPhone(Legacyfeature)—TheUser+IPPhoneauthentication featu reprovides
legacysupportforauthenticationandauthorizationoftwodevices,
specificallyaPCcascaded
withaVLAN‐taggingIPphone,onasingleportonthe
switch.TheIPphonemust
authenticateusingMACor802.1Xauthentication,but theusermayauthenticatebyany
method.Thisfeatureallowsboththeuser’sPCandIPphonetosimultaneouslyauthenticate
onasingleportandeachreceiveauniquelevelofnetworkaccess.Fordetails,referto
“Configuring
User+IPPhoneAuthentication”onpage 22‐48.
•RFC3580tunnelattributesprovideamechanismtocontainan802.1X,MAC,orPWA
authenticatedusertoaVLANregardlessofthePVID.Thisfeaturedynamicallyassignsa
VLANbasedontheRFC3580tunnelattributesreturnedintheRADIUSacceptmessage.Refer
to“ConfiguringVLANAuthorization(RFC3580)”onpage 22‐49.
• ConfiguringPolicyMaptableResponse—allowsyoutodefinehowthesystemshouldhandle
allowinganauthenticateduserontoaportbasedonthecontentsoftheRADIUSserver
Access‐Acceptreply.Therearethreepossibleresponsesettings:tunnelmode,policy
mode,or
Note: To configure EAP pass-through, which allows client authentication packets to be forwarded
through the switch to an upstream device, 802.1X authentication must be globally disabled with the
set dot1x command.
Note: User + IP Phone authentication is a legacy feature that should only be used if you have
already implemented User + IP Phone in your network with switches that do not support true
multi-user authentication.
To Next Page
Loading...