
Extreme Networks Summit 300-48 - Exclusions and Limitations; Configuring Network Login

Extreme Networks Summit 300-48
244 pages
100 Summit 300-48 Switch Software User Guide
Unified Access Security
Supplicant Side
On the client or supplicant side, the only platform that natively supports 802.1x is Windows XP, which
performs MD5 and TLS. 802.1x clients can be obtained for other operating systems and may support a
combination of authentication methods.
A Windows XP 802.1x supplicant can be authenticated as a computer or as a user. Computer
authentication requires a certificate installed in the computer certificate store, and user authentication
requires a certificate installed in the individual user's certificate store.
By default, the Windows XP machine performs computer authentication as soon as the computer is
powered on, or at link-up when no user is logged into the machine. User authentication is performed at
link-up when the user is logged in.
Windows XP also supports guest authentication, but this is disabled by default. Refer to relevant
Microsoft documentation for further information. The Windows XP machine can be configured to
perform computer authentication at link-up even if a user is logged in.
Authentication Server Side
The RADIUS server used for authentication must be EAP-capable. Consider the following when
choosing a RADIUS server:
• Types of authentication methods supported on RADIUS, as mentioned previously.
• Need to support Vendor Specific Attributes (VSA). Parameters such as Extreme-Netlogin-Vlan
  (destination VLAN for port movement after authentication) and Extreme-NetLogin-only
  (authorization for network login only) are brought back as VSAs.
• Need to support both EAP and traditional username-password authentication. These are used by
  network login and switch console login respectively.
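How the two VSAs named above travel in a RADIUS reply, as an added example that is not from the Extreme Networks guide: a Python decoder that extracts them from the attribute section of an Access-Accept, useful when checking what a candidate RADIUS server actually returns. The vendor ID 1916 and sub-type numbers 203 and 206 are assumptions not stated on this page (confirm them against the Extreme dictionary of your RADIUS server), and the sample bytes are constructed.

```python
import struct

VENDOR_SPECIFIC = 26       # RADIUS attribute type that carries VSAs (RFC 2865)
EXTREME_VENDOR_ID = 1916   # assumption: Extreme Networks vendor ID, not given on this page
VSA_NAMES = {203: "Extreme-Netlogin-Vlan", 206: "Extreme-Netlogin-Only"}  # assumed sub-types


def tlvs(buf):
    """Yield (type, value) pairs from a run of 1-byte-type, 1-byte-length TLVs."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated TLV header")
        typ, length = buf[pos], buf[pos + 1]
        if length < 2 or pos + length > len(buf):
            raise ValueError(f"bad length {length} at offset {pos}")
        yield typ, buf[pos + 2:pos + length]
        pos += length


def extreme_vsas(attributes):
    """Return {name: value} for the Extreme VSAs found in a RADIUS attribute section."""
    found = {}
    for typ, value in tlvs(attributes):
        if typ != VENDOR_SPECIFIC or len(value) < 4:
            continue
        (vendor,) = struct.unpack("!I", value[:4])
        if vendor != EXTREME_VENDOR_ID:
            continue                      # another vendor's VSA, not ours
        for sub, data in tlvs(value[4:]):
            name = VSA_NAMES.get(sub)
            if name == "Extreme-Netlogin-Vlan":
                found[name] = data.decode("ascii")
            elif name == "Extreme-Netlogin-Only" and len(data) == 4:
                found[name] = struct.unpack("!I", data)[0]
    return found


def vsa(sub, data, vendor=EXTREME_VENDOR_ID):
    """Build one Vendor-Specific attribute (only used to construct the sample)."""
    body = struct.pack("!I", vendor) + bytes([sub, len(data) + 2]) + data
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body


# Constructed sample: attribute section of an Access-Accept for a network login user.
SAMPLE = (bytes([1, 7]) + b"alice"            # User-Name
          + vsa(203, b"corp")                 # Extreme-Netlogin-Vlan = "corp"
          + vsa(206, struct.pack("!I", 1))    # Extreme-Netlogin-Only = 1
          + vsa(1, b"x", vendor=9))           # different vendor, ignored
```

An empty result for a network login user means the server is not returning the VSAs, which is the failure the second bullet above warns about.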
Exclusions and Limitations
The following are limitations and exclusions for network login:
• For wired netlogin ports, all unauthenticated MACs see broadcasts and multicasts sent to the port if
  even a single MAC is authenticated on that port.
• Network login must be disabled on a port before that port can be deleted from a VLAN.
• A network login VLAN port should be an untagged Ethernet port and should not be part of the
  following protocols:
  - ESRP
  - STP
• Rate-limiting is not supported on network login ports (web-based and 802.1x).
• You cannot enable wired netlogin on a port that has been enabled for wireless access.
  Enabling a port for wireless access will automatically disable wired netlogin on that port.
Configuring Network Login
The following configuration example shows the Extreme Networks switch configuration and the
associated RADIUS server entries for network login. VLAN corp is assumed to be a corporate subnet
