Enterasys G3G170-24 - RADIUS Filter-ID Attribute and Dynamic Policy Profile Assignment

To Next Page

To Previous Page

Overview of Security Methods

20-2 Security Configuration

authenticateandgrantappropriateaccesstoenduserdevicescommunicatingwithG‐Series

ports.FordetailsonusingCLIcommandstoconfigure802.1X,referto“Configuring802.1X

Authentication”onpage 20‐10.

•MACAuthentication–providesamechanismforadministratorstosecurelyauthenticate

sourceMACaddressesandgrantappropriateaccessto

enduserdevicescommunicatingwith

G‐Seriesports.Fordetails,referto“ConfiguringMACAuthentication”onpage 20‐19.

•MultipleAuthenticationMethods–allowsuserstoauthenticateusingmultiplemethodsof

authenticationonthesameport.Fordetails,referto“ConfiguringMultipleAuthentication

Methods”onpage 20‐30.

•RFC3580TunnelAttributes

provideamechanismtocontainan802.1XauthenticatedorMA C

authenticatedusertoaVLANregardlessofthe PVID.Uptoeightuserscanbeconfiguredper

Gigabitport.Referto“ConfiguringVLANAuthorization(RFC3580)”onpage 20‐41.

•MACLocking–locksaporttooneormoreMAC

addresses,preventingtheuseof

unauthorizeddevicesandMACspoofingontheportFordetails,referto“ConfiguringMAC

Locking”onpage 20‐46.

•PortWebAuthentication(PWA)–passesalllogininform ationfromtheendstationtoa

RADIUSserverforauthenticationbeforeallowingausertoaccessthenetwork

.PWAisan

alternativeto802.1XandMACauthentication.Fordetails,referto“ConfiguringPortWeb

Authentication(PWA)”onpage 20‐57.

•SecureShell(SSH)–providessecureTelnet.Fordetails,referto“ConfiguringSecureShell

(SSH)”onpage 20‐68.

•IPAccessLists(ACLs)–permitsordeniesaccess

toroutinginterfacesbasedonprotocoland

inboundand/oroutboundIPaddressrestrictionsconfiguredinaccesslists.Fordetails,referto

“ConfiguringAccessLists”onpage 20‐70.

RADIUS Filter-ID Attribute and Dynamic Policy Profile Assignment

IfyouconfigureanauthenticationmethodthatrequirescommunicationwithaRADIUSserver,

youcanusetheRADIUSFilter‐IDattributetodynamicallyassignapolicyprofileand/or

managementleveltoauthenticatingusersand/ordevices.

TheRADIUSFilter‐IDattributeissimplyastringthatisformattedintheRADIUSAccess‐

Accept

packetsentbackfromtheRADIUSservertotheswitchduringtheauthenticationprocess.

EachusercanbeconfiguredintheRADIUSserverdatabasewithaRADIUS Filter‐IDattribute

thatspecifiesthenameofthepolicyprofileand/ormanagementleveltheusershouldbeassigned

uponsuccessfulauthentication.During

theauthenticationprocess,whentheRADIUSserver

returnsaRADIUSAccess‐AcceptmessagethatincludesaFilter‐IDmatchingapolicyprofilename

configuredontheswitch,theswitchthendynamicallyappliesthepolicyprofiletothephysical

porttheuser/deviceisauthenticatingon.

Note: To configure EAP pass-through, which allows client authentication packets to be forwarded

through the switch to an upstream device, 802.1X authentication must be globally disabled with the

set dot1x command.

Notes: The G3 supports up to eight authenticated users per port.

The G3 cannot simultaneously support Policy and RFC 3580 on the same port. If multiple users are

configured to use a port, and the G3 is then switched from "policy" mode to "tunnel" mode (RFC-

3580 VLAN to port mapping), the total number of users supported to use a port will be reset to one.

RFC-3580 VLAN authorization is not supported by PWA authentication.

Enterasys G3G170-24 - RADIUS Filter-ID Attribute and Dynamic Policy Profile Assignment

Table of Contents

Related product manuals