Enterasys Matrix DFE-Gold Series

944 pages

To Next Page

To Next Page

To Previous Page

To Previous Page

Loading...

clear dot1x auth-config Configuring Port Web Authentication (PWA)

Enterasys Matrix DFE-Gold Series Configuration Guide 25-11

Configuring Port Web Authentication (PWA)

About PWA

PWAprovidesawayofauthenticatingusersbeforeallowinggeneralaccesstothenetwork.A

PWAuser’saccesstothenetworkisrestricteduntilaftertheusersuccessfullylogsinviaaweb

browserusingtheEnterasysMatrixSeriesweb‐basedsecuri tyinterface.TheEnterasysMatrix

Seriesdevicewillvalidateall

logincredentialfromtheuserwithaRADIUSserverbeforeallowing

networkaccess.

PWAisanalternativeto802.1XandMACauthentication.Itallowsonlytheessentialprotocols

andservicesrequiredbytheauthenticationprocessbetweentheend‐stationandthenetwork.All

othertrafficisdiscarded.Whenauseris

intheunauthenticatedstate,anyusertrafficrequesting

networkresourceswillnotbeallowed.

Tologonusing PWA,theusermakesarequestviaawebbrowserforthe PWAwebpageoris

automaticallyredirectedtothisloginpageafterrequestingaURLinabrowser.

Dependingupon

theauthenticatedstateoftheuser,aloginpageoralogoutpagewilldisplay.

Whenausersubmitsusernameandpassword,theswitchthenauthenticatestheuserviaa

preconfiguredRADIUSserver.Iftheloginissuccessful,thentheuserwillbegrantedfullnetwork

accessaccordingtotheuser’s

policyconfigurationontheswitch.

PWA Configuration Considerations

InordertooptimizePWAauthenticationontheEnterasysMatrixSeriesdevice,thedevicemustbe

configuredtosatisfytheminimumrequirementsofanauthenticatingclientneedingtosendan

HTTPrequestwithitswebbrowser.Typically,theclientwillneedDNS andARPresolutionbefore

itcangeneratetheHTTP

requestneededtodoaPWAlogin.Also,DHCPmaybeneededinmany

environments.TheseservicesarenotprovidedbyPWAandmustbeprovidedbythenetwork.To

accomplishthis,thedevicemustbeconfiguredtoallowaccesstotheneededservices.

Thefirststepistomakesure

thatthemultipleauthenticationportmodesettingsaresetto“auth‐

opt”onallportsthatareconfiguredtorun PWA.

Examples

Thisexampleshowshowtosetthemultipleauthenticationportmodeto“auth‐opt”forallFast

Ethernetportsinthechassisorstandalonedevice:

Matrix(rw)->set multiauth port mode auth-opt fe.*.*

Fordetailsonusingthesetmultiauthportcommand,referto“setmultiauthport”onpage 27‐6.

Settingtheportmodeinthisfashionwillallowtraffictoflowthroughtheportwithout

authenticationaccordingtoitsconfiguration.Bydefault,thiswouldallowalltraffictobe

forwarded.Conversely,you

couldconfiguretheportstodropalltraffic,butthisisnotthemost

effectivesolution.Betteryetwouldbetoconfiguretheporttoprovideonlytheminimalservices

andnothingmore.Themostpowerfultoolforaccomplishingthisgoalispolicyconfiguration.

Policiesprovidetheflexibilityneededtotailor

theseservicestotheconfigurationandsecurity

needsofyourenvironment.

Thisexampleshowshowtoconfigureapolicyprofilethatwilldiscardalltrafficbydefault:

Matrix(rw)->set policy profile 1 name “Unauthenticated User” pvid 0 pvid-status

enable

Thisexampleshowshowtoconfigurepolicyprofilerule1thatwillenabletheselectiveservices

requiredforPWA.Thisrulewill:

•forwardARPrequests,

Table of Contents

Related product manuals

Preview: Enterasys Matrix 2G4072-52

Enterasys Matrix 2G4072-52

Preview: Enterasys Matrix E1 1H582-51

Enterasys Matrix E1 1H582-51

Enterasys Matrix E1 1G694-13

Preview: Enterasys Matrix-V V2H124-24

Enterasys Matrix-V V2H124-24

Preview: Enterasys C3G124-24

Enterasys C3G124-24

Preview: Enterasys B5G124-24

Enterasys B5G124-24

Enterasys A4H124-48P

Preview: Enterasys B5G124-24P2

Enterasys B5G124-24P2

Preview: Enterasys SecureStack C2

Enterasys SecureStack C2

Enterasys SSA-G1018-0652

Preview: SecureStack B3 B3G124-24P

SecureStack B3 B3G124-24P

Preview: SecureStack B2 B2G124-48P

SecureStack B2 B2G124-48P