Configuration manual

User Authentication Overview
Fixed Switch Configuration Guide 10-5
Figure 10-1 Applying Policy to Multiple Users on a Single Port
User + IP Phone
The User + IP Phone authentication feature provides limited support for authentication and
authorization of two devices, specifically a PC cascaded with a VLAN-tagging IP phone, on a
single port on the switch. The IP phone must authenticate using MAC or 802.1X authentication,
but the user may authenticate by any method. This feature allows both the user's PC and IP phone
to simultaneously authenticate on a single port and each receive a unique level of network access.
For details, refer to “Configuring User + IP Phone Authentication” on page 10-22.
MultiAuth Authentication
Authentication mode support provides for the global setting of either a single authentication mode,
802.1X (strict mode), or multiple modes (MultiAuth) per user or port when authenticating.
Strict mode is the appropriate mode when authenticating a single 802.1X user. All traffic on the
port receives the same policy in strict mode. When authenticating with PWA or MAC, you must use
MultiAuth authentication, whether authenticating a single supplicant or multiple supplicants.
MultiAuth authentication supports the simultaneous configuration of up to three authentication
methods per user on the same port, but only one method per user is actually applied. When
MultiAuth authentication ports have a combination of authentication methods enabled, and a user
is successfully authenticated for more than one method at the same time, the configured
authentication method precedence will determine which RADIUS-returned Filter-ID will be
processed and result in an applied traffic policy profile. See “Setting MultiAuth Authentication
Precedence” on page 10-18 for authentication method precedence details.
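The following is an added example, not taken from this guide or the switch firmware: it models how a configured precedence picks one RADIUS-returned Filter-ID per user when several methods succeed, and flags users whose applied policy differs from the intended one. The names `AuthResult`, `applied_policies` and `policy_drift`, the method labels, the two precedence orders and the sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AuthResult:
    port: str       # switch port, e.g. "ge.1.5"
    smac: str       # source MAC that identifies the user on the port
    method: str     # "dot1x", "pwa" or "mac" (labels assumed for this example)
    filter_id: str  # policy named by the RADIUS Filter-ID (constructed values)

def applied_policies(results, precedence):
    """Map (port, smac) -> (method, filter_id) that is actually applied.

    A user may pass several methods at once; only the Filter-ID returned for
    the highest-precedence successful method becomes the applied policy.
    """
    if len(set(precedence)) != len(precedence):
        raise ValueError("precedence lists a method twice")
    rank = {method: i for i, method in enumerate(precedence)}
    applied = {}
    for r in results:
        if r.method not in rank:
            raise ValueError(f"no precedence configured for {r.method!r}")
        key = (r.port, r.smac)
        if key not in applied or rank[r.method] < rank[applied[key][0]]:
            applied[key] = (r.method, r.filter_id)
    return applied

def policy_drift(results, precedence, intended):
    """Return [(port, smac, applied, intended)] where the two differ."""
    applied = applied_policies(results, precedence)
    drift = []
    for key, want in sorted(intended.items()):
        got = applied.get(key, (None, None))[1]
        if got != want:
            drift.append((*key, got, want))
    return drift

# Constructed sample: successful authentications seen on one MultiAuth port.
RESULTS = [
    AuthResult("ge.1.5", "00-00-00-11-11-11", "mac", "Policy Z"),
    AuthResult("ge.1.5", "00-00-00-11-11-11", "dot1x", "Policy X"),
    AuthResult("ge.1.5", "00-00-00-22-22-22", "pwa", "Policy Y"),
]
INTENDED = {("ge.1.5", "00-00-00-11-11-11"): "Policy X",
            ("ge.1.5", "00-00-00-22-22-22"): "Policy Y"}

if __name__ == "__main__":
    for order in (("dot1x", "pwa", "mac"), ("mac", "dot1x", "pwa")):
        print(order, policy_drift(RESULTS, order, INTENDED))
```

With the first order the user who passed both 802.1X and MAC authentication receives the 802.1X policy; with the second order the same user receives the policy returned for MAC authentication, which the drift check reports.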
The number of users or devices MultiAuth authentication supports depends upon the type of
switch. See the firmware customer release note that comes with your switch for details on the
number of users or devices supported per port.
In Figure 10-2, multiple users are authenticated on a single port each with a different
authentication method. In this case, each user on a single port successfully authenticates with a
different authentication type. The authentication method is included in the authentication
[Figure 10-1 diagram: User 1 (SMAC 00-00-00-11-11-11), User 2 (SMAC 00-00-00-22-22-22) and User 3 (SMAC 00-00-00-33-33-33) connect to the switch on port ge.1.5. For each user the switch sends an authentication request with that user's credentials to the RADIUS server and receives an authentication response. The returned Filter-IDs map User 1 to Policy X, User 2 to Policy Y and User 3 to Policy Z. The switch creates a dynamic admin rule on ge.1.5 for each user: Policy 1 for SMAC 00-00-00-11-11-11, Policy 2 for SMAC 00-00-00-22-22-22 and Policy 3 for SMAC 00-00-00-33-33-33.]