Enterasys 6000 Operating Instructions (430 pages)
Accessing Local Management: Overview of Security Methods (page 3-21)
3.6.3 MAC Authentication Overview
This section describes a method by which a device gains access to the network when the MAC address it presents is validated. Network management statically provisions the permitted MAC addresses in a central RADIUS server, and those pre-configured MAC addresses are admitted to the network through the usual RADIUS validation process. Because a MAC address is sent in the clear and can be set by the sender, MAC Authentication identifies the device rather than the user; it is intended for devices that cannot run an 802.1X supplicant, not as a substitute for 802.1X where a supplicant is available. This section also describes how MAC Authentication and 802.1X cooperate to provide an integrated approach to authentication.
3.6.3.1 Authentication Method Selection
The 802.1X and PWA authentication methods are globally mutually exclusive, and MAC Authentication and PWA are also globally mutually exclusive. MAC Authentication and 802.1X are not mutually exclusive, so both can be configured concurrently on the same device using the Local Management (LM) System Authentication Configuration screen described in . When both methods are enabled on the same device, the switch enforces a precedence relationship between the MAC Authentication and 802.1X methods.
When configuring a device through the System Authentication Configuration screen, only the valid set of global and per-port authentication methods is offered for selection: EAP, PWA, MAC, MAC EAP, and NONE. An attempt to enable both MAC Authentication and PWA, whether solely through SNMP MIB objects or through a combination of the LM screen and MIB objects, is rejected with an appropriate error message.
3.6.3.2 Authentication Method Sequence
When MAC Authentication is enabled on a port, authentication of a specific MAC address begins as soon as any frame carrying that source address is received on the port. The MAC address, as the identity, and the password currently stored for the port are used to perform a PAP authentication against one of the configured RADIUS servers. If the authentication succeeds, the port's forwarding behavior is changed according to the authorized policy and a session is started. If it fails, the port's forwarding behavior is unchanged. Note that the per-port password is the same for every MAC address presented on that port, so the RADIUS server's MAC table and the RADIUS shared secret are the controls that actually gate access and should be protected accordingly.
On success, the Filter-Id attribute in the RADIUS response may carry a policy string of the form policy="policy name". If the string is present and names a policy currently configured on this switch, the port receives that policy. If the session is authenticated but the authorized policy is invalid or does not exist on the switch, the port forwards frames according to the port default policy, if one is configured; otherwise frames are forwarded without any policy. Because this fallback is silent, a policy name in the RADIUS Filter-Id that does not exactly match a policy name on the switch results in less restrictive forwarding than intended; verify that the names configured on the RADIUS server match those on the switch.
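The exchange described in this section, as an added example that is not part of the original manual or Enterasys code: the switch side builds a RADIUS Access-Request with the MAC address as User-Name and the per-port password hidden as a PAP User-Password (RFC 2865), a constructed stand-in for the RADIUS server answers from a static MAC table, and the switch side verifies the Response Authenticator and then applies the Filter-Id rules above (matching policy applied; unknown policy falls back to the port default, or to no policy; reject leaves forwarding unchanged). The shared secret, port password, MAC table and policy names are constructed test data, and the User-Name format (lowercase, no separators) is an assumption; real switches make this format configurable.

```python
"""MAC Authentication via RADIUS PAP: request, simulated server, response check, policy fallback."""
import hashlib
import hmac
import os
import re
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_FILTER_ID = 1, 2, 11

# Constructed test data (not from the manual or any real deployment).
SECRET = b"constructed-shared-secret"           # RADIUS shared secret
PORT_PASSWORD = b"mac-auth-port-pw"            # the "currently stored password for the port"
ALLOWED = {                                    # statically provisioned MAC table on the server
    "001122aabbcc": {"password": PORT_PASSWORD, "filter_id": 'policy="Printers"'},
    "00aabb334455": {"password": PORT_PASSWORD, "filter_id": 'policy="Printerz"'},  # misspelled policy
}
CONFIGURED_POLICIES = {"Printers", "Guest"}    # policies that exist on the switch


def _attrs(pairs):
    """Encode (type, value) pairs as RADIUS TLVs."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def parse_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def unhide_password(hidden, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(mac, port_password, secret, ident, authenticator=None):
    """Switch side: User-Name is the MAC (assumed format: lowercase, no separators)."""
    authenticator = authenticator or os.urandom(16)
    username = mac.lower().replace(":", "").replace("-", "").encode()
    attrs = _attrs([(ATTR_USER_NAME, username),
                    (ATTR_USER_PASSWORD, hide_password(port_password, secret, authenticator))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def server_respond(request, secret, allowed):
    """Constructed RADIUS server: static MAC lookup, Accept with Filter-Id or Reject."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], parse_attrs(request[20:length])
    username = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    entry = allowed.get(username)
    if entry and hmac.compare_digest(entry["password"], password):
        code, reply = ACCESS_ACCEPT, _attrs([(ATTR_FILTER_ID, entry["filter_id"].encode())])
    else:
        code, reply = ACCESS_REJECT, b""
    header = struct.pack("!BBH", code, ident, 20 + len(reply))
    resp_auth = hashlib.md5(header + req_auth + reply + secret).digest()  # Response Authenticator
    return header + resp_auth + reply


def switch_handle_response(response, request, secret, configured_policies, port_default=None):
    """Switch side: verify the response came from a server holding the secret, then apply the policy rules."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1]:
        raise ValueError("identifier does not match outstanding request")
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator: reply not bound to our request/secret")
    if code != ACCESS_ACCEPT:
        return {"authenticated": False, "session": False, "policy": None, "fallback": False}
    filter_id = parse_attrs(response[20:length]).get(ATTR_FILTER_ID, b"").decode(errors="replace")
    m = re.fullmatch(r'policy="?([^"]+)"?', filter_id)
    if m and m.group(1) in configured_policies:
        return {"authenticated": True, "session": True, "policy": m.group(1), "fallback": False}
    # Authenticated but policy invalid/missing: port default policy if any, else no policy. Worth alerting on.
    return {"authenticated": True, "session": True, "policy": port_default, "fallback": True}


def authenticate(mac, port_default=None, ident=7):
    req = build_access_request(mac, PORT_PASSWORD, SECRET, ident)
    return switch_handle_response(server_respond(req, SECRET, ALLOWED), req, SECRET,
                                  CONFIGURED_POLICIES, port_default)


if __name__ == "__main__":
    for mac in ("00:11:22:aa:bb:cc", "00:aa:bb:33:44:55", "de:ad:be:ef:00:01"):
        print(mac, authenticate(mac, port_default="Guest"))
```

The `fallback` flag is the operational check from the last paragraph: an Access-Accept whose Filter-Id names a policy the switch does not have yields a session with the port default (or no) policy, so log and alert on that condition rather than treating every Accept as correctly authorized.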