User Authentication Overview
10-4 Configuring User Authentication
Multi-User Authentication
Multi-user authentication provides for the per-user or per-device provisioning of network
resources when authenticating. It supports the ability to receive from the authentication server:
• A policy traffic profile, based on the user account’s RADIUS Filter-ID configuration
• A base VLAN-ID, based on the RFC 3580 tunnel attributes configuration, also known as
dynamic VLAN assignment
When a single supplicant connected to an access layer port authenticates, a policy profile can be
dynamically applied to all traffic on the port. When multi-user authentication is not implemented,
and more than one supplicant is connected to a port, firmware does not provision network
resources on a per-user or per-device basis. Different users or devices may require a different set
of network resources. The firmware tracks the source MAC address for each authenticating user
regardless of the authenticating protocol being used. Provisioning network resources on a
per-user basis is accomplished by applying the policy configured in the RADIUS Filter-ID, or the
base VLAN-ID configured in the RFC 3580 tunnel attributes, for a given user’s MAC address. The
RADIUS Filter-ID and tunnel attributes are part of the RADIUS user account and are included in
the RADIUS Accept message response from the authentication server.
The number of allowed users per port can be configured using the set multiauth port numusers
command. The show multiauth port command displays both the allowed number of users
configured and the maximum number of users supported per port for the device. The allowed
number of users defaults to 1 for the stackable fixed switch and standalone fixed switch platforms.
In Figure 10-1 each user on port ge.1.5 sends an authentication request to the RADIUS server.
Based upon the Source MAC address (SMAC), RADIUS looks up the account for that user and
includes the Filter-ID associated with that account in the authentication response back to the
switch (see section “The RADIUS Filter-ID” on page 8 for Filter-ID information). The policy
specified in the Filter-ID is then applied to the user. See section RFC 3580 — VLAN Authorization
on page 8 for information on dynamic VLAN assignment and tunnel attribute configuration.
Note: Multi-user authentication on stackable fixed switch and standalone fixed switch platforms
requires that the switch be the point of authentication, in order to apply policy.
To Next Page
Loading...
Need help?
General