152 ExtremeWare 7.2e Installation and User Guide
Security
Once the first MAC is authenticated, the port is transitioned to the authenticated state and other unauthenticated MACs can listen to all data destined for the first MAC. This could raise some security concerns, as unauthenticated MACs can listen to all broadcast and multicast traffic directed to a Network Login-authenticated port.
Exclusions and Limitations
The following are limitations and exclusions for Network Login:
• All unauthenticated MACs will see broadcasts and multicasts sent to the port if even a single MAC is authenticated on that port.
• Network Login must be disabled on a port before that port can be deleted from a VLAN.
• In Campus mode, once the port moves to the destination VLAN, the original VLAN for that port is not displayed.
• A Network Login VLAN port should be an untagged Ethernet port and should not be a part of the following protocols:
    ESRP
    STP
    VLAN Aggregation
    VLAN Translation
• Network Login is not supported for T1, E1, T3, ATM, PoS and MPLS TLS interfaces.
• No Hitless Failover support has been added for Network Login.
• Rate-limiting is not supported on Network Login ports (both web-based and 802.1x).
• Network Login and MAC-limits cannot be used together on the same switch (see “Network Login” on page 146).
• EAP-NAK cannot be used to negotiate 802.1x authentication types.
Configuring Network Login
The following configuration example demonstrates how users can initially log in using web-based authentication, allowing them limited access to the network in order to download the 802.1x client and a certificate. After the client is configured, the user is then able to access the network by using 802.1x.
The example illustrates the following configuration steps:
1 Create a VLAN on all edge switches called “temp,” which is the initial VLAN to which users will connect before they are authenticated.
2 Create a VLAN on all edge and core switches called “guest,” which is the VLAN from which users will access the Certificate Authority and be able to download the 802.1x software.
The following example demonstrates the first network login configuration step for a Summit 48si edge switch:
create vlan temp
configure temp ipaddress 192.168.1.1/24
configure temp add port 1-48
configure vlan temp dhcp-address-range 192.168.1.11 - 192.168.1.200
configure vlan temp dhcp-options default-gateway 192.168.1.1
enable netlogin port 1-48 vlan temp
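The exclusions listed above are easy to violate by hand when a netlogin VLAN is edited later. The following script, an added example and not part of this guide, lints an ExtremeWare-style configuration in the syntax shown above for three of them: netlogin ports added as tagged members, a netlogin VLAN placed under STP or ESRP, and a port deleted from its VLAN before netlogin is disabled on it. The sample configuration is constructed, and the "add port ... tagged", "configure stpd ... add vlan" and "enable esrp vlan" command forms are assumed rather than taken from this page.

```python
import re

# Constructed ExtremeWare-style config for the check below; it is not a capture
# from a real switch. The "tagged", "stpd" and "esrp" command forms are assumed.
SAMPLE_CONFIG = """
create vlan temp
configure temp ipaddress 192.168.1.1/24
configure temp add port 1-48
configure vlan temp add port 47-48 tagged
configure stpd s0 add vlan temp
enable netlogin port 1-48 vlan temp
configure vlan temp delete port 5
disable netlogin port 5
"""

def expand_ports(spec):
    """Expand a port list such as '1-4,7' into a set of port numbers."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def lint_netlogin(config):
    """Return findings for the Network Login limitations listed above."""
    findings, netlogin, tagged, disabled, l2proto = [], {}, set(), set(), set()
    for line in config.strip().splitlines():
        line = line.strip()
        if m := re.match(r"enable netlogin port (\S+) vlan (\S+)$", line):
            netlogin.setdefault(m[2], set()).update(expand_ports(m[1]))
        elif m := re.match(r"configure vlan \S+ add port (\S+) tagged$", line):
            tagged.update(expand_ports(m[1]))
        elif m := re.match(r"disable netlogin port (\S+)$", line):
            disabled.update(expand_ports(m[1]))
        elif m := re.match(r"(?:configure stpd \S+ add vlan|enable esrp vlan) (\S+)$", line):
            l2proto.add(m[1])
        elif m := re.match(r"configure vlan (\S+) delete port (\S+)$", line):
            # Order matters: netlogin must already be disabled on a port
            # before that port is deleted from the VLAN.
            still_on = expand_ports(m[2]) & (netlogin.get(m[1], set()) - disabled)
            if still_on:
                findings.append(f"{m[1]}: port {sorted(still_on)} deleted while netlogin enabled")
    for vlan, ports in netlogin.items():
        if ports & tagged:
            findings.append(f"{vlan}: netlogin ports {sorted(ports & tagged)} are tagged")
        if vlan in l2proto:
            findings.append(f"{vlan}: netlogin VLAN participates in STP or ESRP")
    return findings
```

Running lint_netlogin(SAMPLE_CONFIG) reports all three problems in the constructed config; a config that disables netlogin on port 5 before deleting it produces no findings.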