Overview of Authentication and Authorization Methods
23-2 Authentication and Authorization Configuration
• 802.1X Port Based Network Access Control using EAPOL (Extensible Authentication Protocol) – provides a mechanism via a RADIUS server for administrators to securely authenticate and grant appropriate access to end user devices communicating with SecureStack C2 ports. For details on using CLI commands to configure 802.1X, refer to “Configuring 802.1X Authentication” on page 23-11.
• MAC Authentication – provides a mechanism for administrators to securely authenticate source MAC addresses and grant appropriate access to end user devices communicating with SecureStack C2 ports. For details, refer to “Configuring MAC Authentication” on page 23-21.
• Multiple Authentication Methods – allows users to authenticate using multiple methods of authentication on the same port. For details, refer to “Configuring Multiple Authentication Methods” on page 23-33.
• Multi-User Authentication – User + IP Phone. The User + IP Phone authentication feature supports authentication and authorization of two devices, specifically a PC cascaded with an IP phone, on a single port on the C2. The IP phone must authenticate using MAC or 802.1X authentication, but the user may authenticate by any method. This feature allows both the user’s PC and IP phone to simultaneously authenticate on a single port and each receive a unique level of network access. For details, refer to “Configuring Multi-User Authentication (User + IP phone)” on page 23-33.
• RFC 3580 Tunnel Attributes provide a mechanism to contain an 802.1X authenticated or MAC authenticated user to a VLAN regardless of the PVID. Up to six users can be configured per Gigabit port. Refer to “Configuring VLAN Authorization (RFC 3580)” on page 23-45.
• MAC Locking – locks a port to one or more MAC addresses, preventing the use of unauthorized devices and MAC spoofing on the port. For details, refer to “Configuring MAC Locking” on page 23-50.
• Port Web Authentication (PWA) – passes all login information from the end station to a RADIUS server for authentication before allowing a user to access the network. PWA is an alternative to 802.1X and MAC authentication. For details, refer to “Configuring Port Web Authentication (PWA)” on page 23-61.
• Secure Shell (SSH) – provides secure Telnet. For details, refer to “Configuring Secure Shell (SSH)” on page 23-73.
• IP Access Lists (ACLs) – permits or denies access to routing interfaces based on protocol and inbound and/or outbound IP address restrictions configured in access lists. For details, refer to “Configuring Access Lists” on page 23-75.
RADIUS Filter-ID Attribute and Dynamic Policy Profile Assignment
If you configure an authentication method that requires communication with a RADIUS server, you can use the RADIUS Filter-ID attribute to dynamically assign a policy profile and/or management level to authenticating users and/or devices.
Note: To configure EAP pass-through, which allows client authentication packets to be forwarded
through the switch to an upstream device, 802.1X authentication must be globally disabled with the
set dot1x command.
Notes: The C2 supports up to six authenticated users per port.
The C2 cannot simultaneously support Policy and RFC 3580 on the same port. If multiple users are
configured to use a port, and the C2 is then switched from "policy" mode to "tunnel" mode (RFC-
3580 VLAN to port mapping), the total number of users supported to use a port will be reset to one.
RFC-3580 VLAN authorization is not supported by PWA authentication.