Enterasys D-Series

To Next Page

To Previous Page

Configuring Multiple Authentication Methods

Enterasys D-Series CLI Reference 17-33

Configuring Multiple Authentication Methods

About Multiple Authentication Types

Whenenabled,multipleauthenticationtypesallowuserstoauthenticateusingmorethanone

methodonthesameport.Inorderformultipleauthenticationtofunctiononthedevice,each

possiblemethodofauthentication(MACauthentication, 802.1X,PWA)must beenabledglobally

andconfiguredappropriatelyonthedesiredportswithitscorresponding

commandsetdescribed

inthischapter.

Multipleauthenti cationmodemustbegloballyenabledonthedeviceusingthesetmultiauth

modecommand.

Configuring Multi-User Authentication (User + IP phone)

TheUser+IPphonemulti‐userauthenticationfeatureallowsauserand theirIPphonetobothuse

asingleportontheD2buttohaveseparatepolicyroles.

ʺUser+IPPhoneʺAuthenticationontheD‐Seriesisimplementedbyassigninganingressed

packetreceivedonaport

toapolicyrolebasedontheVLANthepacketwasassignedto,andnot

thepacketʹssourceMACaddress.Therefore,onaportconfiguredforUser+IPPhone

Authentication,thereexiststwodifferentVLAN‐to‐policyrolemappings.

ThepolicyrolefortheIP phoneisstatically

mappedusingtheVLAN‐to‐policymappingfea ture

whichassignsanypacketsreceivedwithaVLANtagsettoaspecificVID(forexample,Voice

VLAN)toanindicatedpolicyrole(forexample,IPPhonepolicyrole).Therefore,itisrequiredthat

IPphoneisconfiguredtosendVLANtaggedpackets

tothe“Voice”VLAN.

Thesecondpolicyrole,fortheuser,caneitherbestaticallyconfiguredwiththedefaultpolicyrole

ontheportordynamicallyassignedthroughauthenticationtothenetwork.Whenthedefault

policyroleisassignedonaport,theVLANsetastheportʹsPVID

ismappedtothedefaultpolicy

role.Whenapolicyroleisdynamicallyappliedtoaportastheresultofasuccessfully

authenticatedsession,the“authenticatedVLAN”ismapped tothepolicyrolesetintheFilter‐ID

returnedfromtheRADIUSserver.The“authenticatedVLAN”mayeitherbethe

PVIDoftheport,

ifthePVIDOverrideforthepolicyprofileisdisabled,ortheVLANspecifiedinthePVIDOverride

ifthePVIDOverrideisenabled.

Commands

Note: D2 devices support up to two authenticated users per port.

Note: The only Multi-User Authentication supported on the D2 is User + IP phone. The IP phone

and the user may authenticate using 802.1x or MAC authentication.

For information about... Refer to page...

show multiauth 17-34

set multiauth mode 17-35

clear multiauth mode 17-35

Related product manuals