Enterasys Networks DFE-Gold Series User Manual
Configuring 802.1X Authentication
25-2 Authentication Configuration
• Local user credentials — used for local authentication and authorization of CLI and WebView
management sessions. For details, refer to “
• Remote AAA service — used for remote authentication, authorization, and accounting of CLI
and WebView management sessions, as well as all network access sessions provisioned by
way of 802.1X, PWA, or MAC Authentication. For details, refer to “
” on page 25‐50 and “
• Support for RADIUS, RFC 3580, and TACACS+ can be found in the following sections:
“
“
” on page 25‐60, and
Configuring 802.1X Authentication
About Multi-User Authentication
Enterasys Networks’ enhanced version of the IEEE 802.1X‐2001 specification decreases security
vulnerabilities inherent with the standard implementation, and allows multiple devices and users,
also known as “supplicants,” to be authenticated on a single port. The enhanced standard clearly
distinguishes each network access port from its access “entities,” which maintain authentication
instructions associated with each unique potential supplicant.
802.1X enhancements are backwards‐compatible with existing 802.1X supplicants and
configurations, and are designed to integrate seamlessly into Enterasys’ per‐user policy
management system, allowing much more granular control over user authorization.
The Enterasys multi‐user 802.1X implementation includes the following components:
• A Multi‐Mode Enabled Enterasys Matrix System—only when a system is set to operate in
multiple authentication mode (as described in “
page 27‐1) can the enhanced 802.1X feature be used. The system's ports intended for network
access to authenticate and authorize supplicants will be allowed to simultaneously utilize
more than one access entity.
• Access Entities—responsible for maintaining state, counters, and statistics for an individual
supplicant. An access entity is activated from a pool of configured access entities when a
potential supplicant on a port needs to be authenticated. It becomes deactivated when the
supplicant logs off, cannot be authenticated, or the Enterasys Matrix device determines that
the supplicant or associated policy settings are no longer valid.
• Supplicants—devices or users that desire access to the network, such as workstations,
printers, PDAs, or hard‐wired or wireless phones. These will be identified by the system using
a combination of connection port, MAC addresses, and allocated access entity index. Once a
supplicant is successfully authenticated, the system is responsible for enforcing the degree to
which the supplicant will be authorized to access the network, using information sent to it by
the authentication server.
• Authentication Server—typically a RADIUS authority, where the Enterasys Matrix system and
server have mutually‐configured knowledge of one another.
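The access entity lifecycle described in the component list above, as a simplified model added here (an illustration, not Enterasys code): supplicants on one port are keyed by source MAC taken from EAPOL frames and mapped to an entity index drawn from a finite pool. The per-port pool, the port name, the pool size and the MAC addresses are assumptions or constructed sample values.

```python
import struct
from dataclasses import dataclass, field

ETH_P_PAE = 0x888E                                # EtherType for EAPOL (IEEE 802.1X)
EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2   # EAPOL packet types

def build_frame(src_mac, ptype, body=b""):
    """Constructed sample frame: Ethernet header + 4-byte EAPOL header + body."""
    dst = bytes.fromhex("0180c2000003")           # PAE group address
    src = bytes.fromhex(src_mac.replace(":", ""))
    return dst + src + struct.pack("!HBBH", ETH_P_PAE, 1, ptype, len(body)) + body

def parse_eapol(frame):
    """Return (source MAC, EAPOL type), or None if this is not a valid EAPOL frame."""
    if len(frame) < 18:
        return None
    ethertype, _version, ptype, length = struct.unpack("!HBBH", frame[12:18])
    if ethertype != ETH_P_PAE or len(frame) < 18 + length:
        return None
    return frame[6:12].hex(":"), ptype

@dataclass
class Port:
    name: str
    pool_size: int                                # assumed: entities configured per port
    active: dict = field(default_factory=dict)    # source MAC -> access entity index

    def release(self, mac):
        """Deactivate on logoff, failed authentication, or invalidated policy."""
        return self.active.pop(mac, None)

    def handle(self, frame):
        parsed = parse_eapol(frame)
        if parsed is None:
            return "ignored"
        mac, ptype = parsed
        if ptype == EAPOL_LOGOFF:
            return "deactivated" if self.release(mac) is not None else "ignored"
        if ptype not in (EAP_PACKET, EAPOL_START):
            return "ignored"
        if mac in self.active:
            return "existing"
        free = sorted(set(range(self.pool_size)) - set(self.active.values()))
        if not free:
            return "pool-exhausted"               # no entity left: supplicant not tracked
        self.active[mac] = free[0]
        return "activated"
```

Because the pool is finite, the number of supplicants that can be tracked concurrently on a port is bounded by the configured entity count, and an entity index is reused once its supplicant is released.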
Purpose
To review and configure 802.1X authentication for one or more ports using EAPOL (Extensible
Authentication Protocol). 802.1X controls network access by enforcing user authorization on