Enterasys SecureStack B3

To Next Page

To Previous Page

Overview of Security Methods

20-2 Security Configuration

SecureStackB3ports.FordetailsonusingCLIcommandstoconfigure802.1X,referto

“Configuring802.1XAuthentication”onpage 20‐9.

•MACAuthentication–providesamechanismforadministratorstosecurelyauthenticate

sourceMACaddressesandgrantappropriateaccesstoenduserdevicescommunicatingwith

SecureStackB3ports.Fordetails,refer

to“ConfiguringMACAuthentication”onpage 20‐19.

•MultipleAuthenticationMethods–allowsuserstoauthenticateusingmultiplemethodsof

authenticationonthesameport.Fordetails,referto“ConfiguringMultipleAuthentication

Methods”onpage 20‐30.

•Multi‐UserAuthentication–OntheSecureStackB3,theonlytypeofmultipleuser

authentication

supportedis“User+IPPhone”.TheUser+IPPhoneauthenticationfeature

supportsauthenticationandauthorizationoftwodevices,specificallyaPCcascadedwithan

IPphone,onasingleportontheB3.TheIPphonemust a uthenticateusingMACor802.1X

authentication,buttheusermayauthentica te

byanymethod.Thisfeatureallowsboththe

user’sPCandIPphonetosimultaneouslyauthenticateonasingleportandeachreceivea

uniquelevelofnetworkaccess.Fordetails,referto“ConfiguringMulti‐UserAuthentication

(User+IPphone)” onpage 20‐30.

•RFC3580TunnelAttributesprovidea

mechanismtocontainan802.1Xauthenticatedusertoa

VLANregardlessofthePVID.UptothreeuserscanbeconfiguredperGigabitport.Referto

“ConfiguringVLANAuthorization(RFC3580)”onpage 20‐41.

•MACLocking–locksaporttooneormoreMACaddresses,preventingtheuseof

unauthorizeddevicesandMACspoofingontheportFordetails,referto“ConfiguringMAC

Locking”onpage 20‐46.

•PortWebAuthentication(PWA)–locksdownaportauserisattached tountilaftertheuser

logsinusingawebbrowsertoaccesstheswitch.Theswitchwillpass

alllogininformation

fromtheendstationtoaRADIUSserverforauthenticationbeforeturningtheporton.PWAis

analternativeto802.1XandMACauthentication.Fordetails,referto“ConfiguringPortWeb

Authentication(PWA)”onpage 20‐57.

•SecureShell(SSH)–providessecureTelnet.Fordetails,referto

“ConfiguringSecureShell

(SSH)”onpage 20‐69.

RADIUS Filter-ID Attribute and Dynamic Policy Profile Assignment

IfyouconfigureanauthenticationmethodthatrequirescommunicationwithaRADIUSserver,

youcanusetheRADIUSFilter‐IDattributetodynamicallyassignapolicyprofileand/or

managementleveltoauthenticatingusersand/ordevices.

TheRADIUSFilter‐IDattributeissimplyastringthatisformattedintheRADIUSAccess‐

Accept

packetsentbackfromtheRADIUSservertotheswitchduringtheauthenticationprocess.

EachusercanbeconfiguredintheRADIUSserverdatabasewithaRADIUSFilter‐IDattribute

thatspecifiesthenameofthepolicyprofileand/ormanagementleveltheusershouldbeassigned

uponsuccessfulauthentication.During

theauthenticationprocess,whentheRADIUSserver

returnsaRADIUSAccess‐AcceptmessagethatincludesaFilter‐IDmatchingapolicyprofilename

Note: To configure EAP pass-through, which allows client authentication packets to be forwarded

through the switch to an upstream device, 802.1X authentication must be globally disabled with the

set dot1x command.

Note: B3 devices support up to eight authenticated users per port.

Table of Contents

Related product manuals