Overview of Authentication and Authorization Methods
Enterasys C3 Configuration Guide 32-3
• MAC Locking – locks a port to one or more MAC addresses, preventing the use of
unauthorized devices and MAC spoofing on the port. For details, refer to “Configuring MAC
Locking” on page 32-61.
• Port Web Authentication (PWA) – passes all login information from the end station to a
RADIUS server for authentication before allowing a user to access the network. PWA is an
alternative to 802.1X and MAC authentication. For details, refer to “Configuring Port Web
Authentication (PWA)” on page 32-77.
• Secure Shell (SSH) – provides secure Telnet. For details, refer to “Configuring Secure Shell
(SSH)” on page 32-89.
• TACACS+ (Terminal Access Controller Access-Control System Plus) – a security protocol
developed by Cisco Systems that can be used as an alternative to the standard RADIUS
security protocol (RFC 2865). TACACS+ runs over TCP and encrypts the body of each packet.
Refer to Chapter 36, TACACS+ Configuration, for information about the commands used to
configure TACACS+.
RADIUS Filter-ID Attribute and Dynamic Policy Profile Assignment
If you configure an authentication method that requires communication with a RADIUS server,
you can use the RADIUS Filter-ID attribute to dynamically assign a policy profile and/or
management level to authenticating users and/or devices.
The RADIUS Filter-ID attribute is simply a string that is formatted in the RADIUS Access-Accept
packet sent back from the RADIUS server to the switch during the authentication process.
Each user can be configured in the RADIUS server database with a RADIUS Filter-ID attribute
that specifies the name of the policy profile and/or management level the user should be assigned
upon successful authentication. During the authentication process, when the RADIUS server
returns a RADIUS Access-Accept message that includes a Filter-ID matching a policy profile name
configured on the switch, the switch then dynamically applies the policy profile to the physical
port the user/device is authenticating on.
Filter-ID Attribute Formats
Enterasys Networks supports two Filter-ID formats — “decorated” and “undecorated.” The
decorated format has three forms:
• To specify the policy profile to assign to the authenticating user (network access
authentication):
Enterasys:version=1:policy=string
where string specifies the policy profile name. Policy profile names are case-sensitive.
• To specify a management level (management access authentication):
Enterasys:version=1:mgmt=level
where level indicates the management level, either ro, rw, or su.
• To specify both management level and policy profile:
Enterasys:version=1:mgmt=level:policy=string
The undecorated format is simply a string that specifies a policy profile name. The undecorated
format cannot be used for management access authentication.
Decorated Filter-IDs are processed first by the switch. If no decorated Filter-IDs are found, then
undecorated Filter-IDs are processed. If multiple Filter-IDs are found that contain conflicting
values, a Syslog message is generated.
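The Filter-ID formats and precedence rules described above, worked through as an added example (this is not Enterasys code and does not model the switch's actual implementation): the parser accepts the list of Filter-ID strings returned in an Access-Accept, processes decorated entries first, falls back to undecorated entries only when no decorated one is present, flags conflicting values (where the switch would raise a Syslog message), and applies a policy profile only if its name is configured on the switch with a case-sensitive match. The `Assignment` class, the `configured_profiles` set and the assumption that profile names contain no colons are constructs of this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Decorated forms from the guide (constructed regex, assumes no ':' in names):
#   Enterasys:version=1:policy=<name>
#   Enterasys:version=1:mgmt=<ro|rw|su>
#   Enterasys:version=1:mgmt=<level>:policy=<name>
DECORATED = re.compile(
    r"^Enterasys:version=1"
    r"(?::mgmt=(?P<mgmt>ro|rw|su))?"
    r"(?::policy=(?P<policy>[^:]+))?$"
)

@dataclass
class Assignment:
    policy: Optional[str] = None          # policy profile to apply to the port
    mgmt: Optional[str] = None            # management level: ro, rw or su
    conflict: bool = False                # conflicting Filter-IDs (switch logs to Syslog)
    unknown_policy: Optional[str] = None  # name returned but not configured on switch

def _merge(result, field, value):
    """Record a value; flag a conflict if a different value was already seen."""
    current = getattr(result, field)
    if current is None:
        setattr(result, field, value)
    elif current != value:
        result.conflict = True

def resolve_filter_ids(filter_ids, configured_profiles):
    """Decorated Filter-IDs are processed first; undecorated ones are used
    only when no decorated Filter-ID is present and can never set mgmt."""
    result = Assignment()
    matches = [DECORATED.match(f) for f in filter_ids]
    decorated = [m for m in matches if m and (m.group("mgmt") or m.group("policy"))]
    if decorated:
        for m in decorated:
            if m.group("mgmt"):
                _merge(result, "mgmt", m.group("mgmt"))
            if m.group("policy"):
                _merge(result, "policy", m.group("policy"))
    else:
        for f in filter_ids:
            _merge(result, "policy", f)
    # Policy profile names are case-sensitive; unconfigured names are not applied.
    if result.policy is not None and result.policy not in configured_profiles:
        result.unknown_policy, result.policy = result.policy, None
    return result
```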