Configuring 802.1X Authentication
25-2 Authentication Configuration
• Local user credentials—used for local authentication and authorization of CLI and WebView
management sessions. For details, refer to “Setting User Accounts and Passwords” on
page 2-15 and “Setting the Authentication Login Method” on page 25-50.
• Remote AAA service—used for remote authentication, authorization, and accounting of CLI
and WebView management sessions, as well as all network access sessions provisioned by
way of 802.1x, PWA, or MAC Authentication. For details, refer to “Setting the Authentication
Login Method” on page 25-50 and “Configuring 802.1X Authentication” on page 25-2.
• Support for RADIUS, RFC 3580, and TACACS+ can be found in the following sections:
“Configuring RADIUS” on page 25-53, “Configuring RFC 3580” on page 25-60, and
“Configuring TACACS+” on page 25-63.
Configuring 802.1X Authentication
About Multi-User Authentication
Enterasys Networks’ enhanced version of the IEEE 802.1X-2001 specification decreases security
vulnerabilities inherent in the standard implementation, and allows multiple devices and users,
also known as “supplicants,” to be authenticated on a single port. The enhanced standard clearly
distinguishes each network access port from its access “entities,” which maintain authentication
instructions associated with each unique potential supplicant.
802.1X enhancements are backwards-compatible with existing 802.1X supplicants and
configurations, and are designed to seamlessly integrate into Enterasys’ per-user policy
management system, allowing much more granular control over user authorization.
The Enterasys multi-user 802.1X implementation includes the following components:
• A Multi-Mode Enabled Enterasys Matrix System—only when a system is set to operate in
multiple authentication mode (as described in “Configuring Multiple Authentication” on
page 27-1) can the enhanced 802.1X feature be used. The system's ports intended for network
access to authenticate and authorize supplicants will be allowed to simultaneously utilize
more than one access entity.
• Access Entities—responsible for maintaining state, counters, and statistics for an individual
supplicant. An access entity is activated from a pool of configured access entities when a
potential supplicant on a port needs to be authenticated. It becomes deactivated when the
supplicant logs off, cannot be authenticated, or the Enterasys Matrix device determines that
the supplicant or associated policy settings are no longer valid.
• Supplicants—devices or users that desire access to the network, such as workstations,
printers, PDAs, or hard-wired or wireless phones. These will be identified by the system using
a combination of connection port, MAC addresses, and allocated access entity index. Once a
supplicant is successfully authenticated, the system is responsible for enforcing the degree to
which the supplicant will be authorized to access the network, using information sent to it by
the authentication server.
• Authentication Server—typically a RADIUS authority, where the Enterasys Matrix system
and server have mutually-configured knowledge of one another.
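The access entity lifecycle described in the list above, as an added conceptual model in Python. It is not Enterasys code or CLI: the class and method names, the pool size, the port string and the policy names are assumptions made for illustration. It shows that authorization is tracked per supplicant (port plus MAC address plus entity index), not per port, and that an exhausted pool leaves a new supplicant without an entity.

```python
# Conceptual model of per-supplicant access entities. Class names, the pool
# size and the policy strings are assumptions, not Enterasys code or CLI.
from dataclasses import dataclass
from typing import Optional

@dataclass
class AccessEntity:
    index: int
    port: Optional[str] = None
    mac: Optional[str] = None
    state: str = "idle"            # idle -> authenticating -> authorized
    policy: Optional[str] = None   # authorization sent by the authentication server

class EntityPool:
    def __init__(self, size):
        self.entities = [AccessEntity(i) for i in range(size)]

    def find(self, port, mac):
        mac = mac.lower()
        return next((e for e in self.entities
                     if e.port == port and e.mac == mac), None)

    def activate(self, port, mac):
        """Bind an idle entity to a potential supplicant; None if none is free."""
        entity = self.find(port, mac)
        if entity is None:
            entity = next((e for e in self.entities if e.state == "idle"), None)
            if entity is not None:
                entity.port, entity.mac = port, mac.lower()
                entity.state = "authenticating"
        return entity

    def deactivate(self, port, mac):
        """Logoff, failed authentication, or supplicant/policy no longer valid."""
        entity = self.find(port, mac)
        if entity is not None:
            entity.port = entity.mac = entity.policy = None
            entity.state = "idle"

    def auth_result(self, port, mac, accepted, policy=None):
        entity = self.find(port, mac)
        if entity is not None and accepted:
            entity.state, entity.policy = "authorized", policy
        elif entity is not None:
            self.deactivate(port, mac)

    def is_authorized(self, port, mac):
        entity = self.find(port, mac)
        return entity is not None and entity.state == "authorized"
```

In this model a second MAC address on an already authorized port starts in the "authenticating" state with its own entity, so it gains nothing from the first supplicant's successful authentication.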
Purpose
To review and configure 802.1X authentication for one or more ports using EAPOL (Extensible
Authentication Protocol). 802.1X controls network access by enforcing user authorization on