Overview of Security Methods
17-2 Security Configuration
onusingCLIcommandstoconfigure802.1X,referto“Configuring802.1XAuthentication”on
page 17‐11.
•MACAuthentication–providesamechanismforadministratorstosecurelyauthenticate
sourceMACaddressesandgrantappropriateaccesstoenduserdevicescommunicatingwith
D‐Seriesports.Fordetails,referto“ConfiguringMACAuthentication”
onpage 17‐21.
•MultipleAuthenticationMethods–allowsuserstoauthenticateusingmultiplemethodsof
authenticationonthesameport.Fordetails,referto“ConfiguringMultipleAuthentication
Methods”onpage 17‐33.
•Multi‐UserAuthentication–User+IPPhone.TheUser+IPPhoneauthenticationfeature
supportsauthenticationandauthorizationof
twodevices,specificallyaPCcascadedwithan
IPphone,onasingleportontheD2.TheIPphonemustauthenticateusingMACor802.1X
authentication,buttheusermayauthenticatebyanymethod.Thisfeatureallowsboththe
user’sPCandIPphonetosimultaneouslyauthenticateona
singleportandeachreceivea
uniquelevelofnetworkaccess.Fordetails,referto“ConfiguringMulti‐UserAuthentication
(User+IPphone)”onpage 17‐33.
•RFC3580TunnelAttributesprovideamechanismtocontainan802.1XauthenticatedorMAC
authenticatedusertoaVLANregardlessofthePVID.Refer
to“ConfiguringVLAN
Authorization(RFC3580)”onpage 17‐45.
•MACLocking–locksaporttooneormoreMACaddresses,preventingtheuseof
unauthorizeddevicesandMACspoofingontheportFordetails,referto“ConfiguringMAC
Locking”onpage 17‐51.
•PortWebAuthentication(PWA)–passesall
logininformationfromtheendstation toa
RADIUSserverforauthenticationbeforeallowingausertoaccessthenetwork.PWAisan
alternativeto802.1XandMACauthentication.Fordetails,referto“ConfiguringPortWeb
Authentication(PWA)”onpage 17‐62.
•SecureShell(SSH)–providessecureTelnet.For
details,referto“ConfiguringSecureShell
(SSH)”onpage 17‐74.
RADIUS Filter-ID Attribute and Dynamic Policy Profile Assignment
IfyouconfigureanauthenticationmethodthatrequirescommunicationwithaRADIUSserver,
youcanusetheRADIUSFilter‐IDattributetodynamicallyassignapolicyprofileand/or
managementleveltoauthenticatingusersand/ordevices.
TheRADIUSFilter‐IDattributeissimplyastringthatisformattedintheRADIUSAccess‐
Accept
packetsentbackfromtheRADIUSservertotheswitchduringtheauthenticationprocess.
EachusercanbeconfiguredintheRADIUSserverdatabasewithaRADIUS Filter‐IDattribute
thatspecifiesthenameofthepolicyprofileand/ormanagementleveltheusershouldbeassigned
uponsuccessfulauthentication.During
theauthenticationprocess,whentheRADIUSserver
returnsaRADIUSAccess‐AcceptmessagethatincludesaFilter‐IDmatchingapolicyprofilename
Note: To configure EAP pass-through, which allows client authentication packets to be forwarded
through the switch to an upstream device, 802.1X authentication must be globally disabled with the
set dot1x command.
Notes: The D2 supports up to two authenticated users per port.
The D2 cannot simultaneously support Policy and RFC 3580 on the same port. If multiple users are
configured to use a port, and the D2 is then switched from "policy" mode to "tunnel" mode (RFC-
3580 VLAN to port mapping), the total number of users supported to use a port will be reset to one.
RFC-3580 VLAN authorization is not supported by PWA authentication.
To Next Page
Loading...
