Ports (Authentication)


The Ports (Authentication) tab allows you to configure and change the authentication settings for a port. Authentication must be configured and enabled on the device in order for individual port authentication settings to take effect. Only those areas of the tab that relate to the authentication type configured on the device are available for editing.

To access the Ports (Authentication) tab, select a device in the left-panel Devices > Devices tab, then select Authentication > Ports in the right panel.

Select a port in the top section to display and configure the authentication settings for that port in the bottom of the window.

Select the Apply button at the top of the window to save changes to this tab.

The Authentication Configuration tab has six sections:

Authentication Mode

This tab displays general authentication and port mode information about the port.

This area displays the current port mode for the port, and allows you to change the settings if desired. Port mode defines whether or not a user is required to authenticate on a port, and how unauthenticated traffic is handled. It is a combination of Authentication Behavior (whether or not authentication is enabled on the port), and Unauthenticated Behavior (whether unauthenticated traffic is assigned to the port's default role or discarded). See Port Mode for a complete description of each port mode.

In addition, this section provides checkboxes that allow you to disable a specific authentication type at the port level.

Port Mode (Auth/Unauth Behavior)
Select an option to specify whether or not authentication is enabled on the port. (See Port Mode for more information.)
 NOTE: Authentication Behavior must be set to Active for authentication to be allowed using CEP Protocols.
Disable 802.1X Auth
Select this checkbox to disable 802.1X authentication at the port level. If the device is only configured with 802.1X authentication, selecting this checkbox results in the port Authentication Behavior being set to Inactive.
 NOTE: For Single User 802.1X+MAC authentication with Active/Default Role as the selected port mode: Disabling 802.1X authentication also disables MAC authentication on the port. An end user connecting to the port is not able to authenticate via 802.1X or MAC. The port behaves as if Inactive/Default Role is the selected port mode.
Disable Web-Based Auth
Select this checkbox to disable web-based authentication at the port level. If the device is only configured with web-based authentication, selecting this checkbox results in the port Authentication Behavior being set to Inactive.
  NOTE: For Multi-User Web-Based authentication with Active/Discard as the selected port mode: This checkbox is automatically selected because multi-user web-based authentication does not support the Active/Discard port mode.
Disable MAC Auth
Select this checkbox to disable MAC authentication at the port level. If the device is only configured with MAC authentication, selecting this checkbox results in the port Authentication Behavior being set to Inactive.
Disable Quarantine Auth
Select this checkbox to disable Quarantine authentication at the port level. If the device is only configured with Quarantine authentication, selecting this checkbox results in the port Authentication Behavior being set to Inactive.
Disable Auto Tracking Auth
Select this checkbox to disable MAC authentication at the port level. If the device is only configured with Auto Tracking authentication, selecting this checkbox results in the port Authentication Behavior being set to Inactive.
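
The checkbox interactions above can leave a port configured as Active with no usable authentication type. The following added example (not part of the product or its documentation) computes the effective port behavior from the rules in this section so such ports can be flagged in an audit. The data model, function names and port names are assumptions, and treating "every configured type disabled" as Inactive generalizes the single-type cases described above.

```python
from dataclasses import dataclass

@dataclass
class Port:
    name: str
    auth_behavior: str      # configured Authentication Behavior: "Active" / "Inactive"
    unauth_behavior: str    # Unauthenticated Behavior: "Default Role" / "Discard"
    disabled: frozenset = frozenset()   # selected "Disable ... Auth" checkboxes

def effective_mode(device_types, multi_user, port):
    """Return (effective Authentication Behavior, auth types still usable)."""
    types, disabled = set(device_types), set(port.disabled)
    mode = (port.auth_behavior, port.unauth_behavior)
    # Multi-User Web-Based auth does not support Active/Discard, so the
    # Disable Web-Based Auth checkbox is selected automatically.
    if multi_user and mode == ("Active", "Discard"):
        disabled.add("Web-Based")
    # Single User 802.1X+MAC with Active/Default Role: disabling 802.1X
    # also disables MAC on the port.
    if (not multi_user and types == {"802.1X", "MAC"}
            and mode == ("Active", "Default Role") and "802.1X" in disabled):
        disabled.add("MAC")
    usable = types - disabled if port.auth_behavior == "Active" else set()
    # Generalization (assumption): no usable type left means Inactive.
    return ("Active" if usable else "Inactive"), usable

def audit(device_types, multi_user, ports):
    """List ports configured Active that end up with no authentication."""
    findings = []
    for p in ports:
        behavior, _ = effective_mode(device_types, multi_user, p)
        if p.auth_behavior == "Active" and behavior == "Inactive":
            findings.append((p.name, f"Inactive/{p.unauth_behavior}"))
    return findings

# Constructed sample: a Single User 802.1X+MAC device with three ports.
SAMPLE = [
    Port("ge.1.1", "Active", "Default Role", frozenset({"802.1X"})),
    Port("ge.1.2", "Active", "Default Role"),
    Port("ge.1.3", "Active", "Discard", frozenset({"802.1X"})),
]

if __name__ == "__main__":
    for name, mode in audit({"802.1X", "MAC"}, False, SAMPLE):
        print(f"{name}: configured Active, behaves as {mode}")
```

A port reported as Inactive/Default Role places unauthenticated traffic in the port's default role, so the privileges of that role decide the exposure.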

RFC3580 VLAN Authorization

This section lets you enable or disable RFC 3580 VLAN Authorization on the port and specify an egress state. RFC 3580 VLAN Authorization must be enabled in networks where the RADIUS server has been configured to return a VLAN ID when a user authenticates. When RFC 3580 VLAN Authorization is enabled:

  • Ports on devices that do not support policy will tag packets with the VLAN ID.
  • Ports on devices that support policy and also support Authentication-Based VLAN to Role Mapping will classify packets according to the role that the VLAN ID maps to.

You can also enable and disable VLAN Authorization at the device level using the device Authentication tab. If the device does not support RFC 3580, this tab will be grayed out.

VLAN Authorization Status
Allows you to enable and disable RFC 3580 VLAN Authorization for the selected port. This option is grayed out if not supported by the device.
VLAN Authorization Admin Egress
Allows you to modify the VLAN egress list for the VLAN ID returned by the RADIUS server when a user authenticates on the port:
  • None — No modification to the VLAN egress list is made.
  • Tagged — The port is added to the list with the egress state set to Tagged (frames are forwarded as tagged).
  • Untagged — The port is added to the list with the egress state set to Untagged (frames are forwarded as untagged).
  • Dynamic — The port uses information returned in the RADIUS response to modify the VLAN egress list. This value is supported only if the device supports a mechanism through which the egress state may be returned in the RADIUS response.
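
As an added example (not code from the product), the sketch below shows how a VLAN ID arrives in a RADIUS Access-Accept under RFC 3580 and how the Tagged and Untagged settings above would apply it. The attribute numbers and required values come from RFC 2868 and RFC 3580 rather than from this page. The function names, the egress-list structure and the sample bytes are assumptions.

```python
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6        # values RFC 3580 requires for VLAN assignment

def parse_attributes(data):
    """Split the attribute area of a RADIUS packet into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs

def rfc3580_vlan(attrs):
    """Return the VLAN ID from the tunnel attributes, or None if they are not valid."""
    vals = {}
    for atype, value in attrs:
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            vals[atype] = int.from_bytes(value[1:], "big")   # skip the tag octet
        elif atype == TUNNEL_PRIVATE_GROUP_ID and value:
            # A first octet of 0x1F or below is treated as a tag (RFC 2868);
            # anything higher is already part of the VLAN ID string.
            text = value[1:] if value[0] <= 0x1F else value
            vals[atype] = text.decode("ascii", "replace")
    if vals.get(TUNNEL_TYPE) != VLAN or vals.get(TUNNEL_MEDIUM_TYPE) != IEEE_802:
        return None
    vid = vals.get(TUNNEL_PRIVATE_GROUP_ID, "")
    return int(vid) if vid.isdigit() and 1 <= int(vid) <= 4094 else None

def apply_egress(egress, port, vid, admin_egress):
    """Update a {vlan: {port: state}} egress list for Tagged or Untagged."""
    if vid is not None and admin_egress in ("Tagged", "Untagged"):
        egress.setdefault(vid, {})[port] = admin_egress
    return egress   # "None" changes nothing; "Dynamic" is device-specific and not modeled

# Constructed sample: Tunnel-Type=VLAN, Tunnel-Medium-Type=802, group ID "120".
SAMPLE = (bytes([64, 6, 0, 0, 0, 13]) + bytes([65, 6, 0, 0, 0, 6])
          + bytes([81, 5]) + b"120")

if __name__ == "__main__":
    vid = rfc3580_vlan(parse_attributes(SAMPLE))
    print(vid, apply_egress({}, "ge.1.1", vid, "Untagged"))
```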

Login Settings

This tab displays the current login settings for the port and allows you to change the settings if desired. The options available depend on what type(s) of authentication are enabled on the device.

MAC

Hold Time (sec)
Amount of time (in seconds) authentication remains timed out after the user fails to log in. Valid values are 0-65535. The default is 60. (Hold Time is also known as Quiet Period in web-based and MAC authentication.)

802.1X

Hold Time (sec)
Amount of time (in seconds) authentication remains timed out after the user fails to log in. Valid values are 0-65535. The default is 60.
Auth request period (sec)
For 802.1X authentication, how often (in seconds) the device queries the port to see if there is a new user on it. If a user is found, the device then attempts to authenticate the user. Valid values are 1-65535. The default is 30.
User timeout (sec)
For 802.1X authentication, the amount of time (in seconds) the device waits for an answer when querying the port for the existence of a user. Valid values are 1-300. The default is 30.
Auth server timeout (sec)
For 802.1X authentication, if a user is found on the port, the amount of time (in seconds) the device waits for a response from the authentication server before timing out. Valid values are 1-300. The default is 30.
Handshake requests before failure
For 802.1X authentication, the number of times the device tries to finalize the authentication process with the user, before the authentication request is considered invalid and authentication fails. Valid values are 1-10. The default is 2.

Web Auth

Max Requests
Number of times a user can attempt to log in before authentication fails and login attempts are not allowed. For web-based authentication, valid values are 1-2147483647, zero is not allowed, and the default is 2.
Hold Time (sec)
Amount of time (in seconds) authentication remains timed out after the specified Max Requests is reached. Valid values are 0-65535. The default is 60.

Quarantine

Session Timeout (sec)

For Quarantine authentication, the maximum number of seconds an authenticated session may last before automatic termination of the session. A value of zero indicates that no session timeout applies.

Session Idle Timeout (sec)

For Quarantine authentication, the maximum number of consecutive seconds an authenticated session may be idle before automatic termination of the session. A value of zero indicates that the device level setting is used.

Auto Tracking

Session Timeout (sec)

For Auto Tracking sessions, the maximum number of seconds a session may last before automatic termination of the session. A value of zero indicates that the device level setting is used.

Session Idle Timeout (sec)

For Auto Tracking sessions, the maximum number of consecutive seconds a session may be idle before automatic termination of the session. A value of zero indicates that the device level setting is used.

Automatic Re-Authentication

This tab is grayed out if only web-based authentication is enabled on the device. For 802.1X and MAC authentication, the Automatic Re-Authentication tab lets you set up periodic automatic re-authentication of logged-in users on this port. Without disrupting the user's session, the device repeats the authentication process using the most recently obtained user login information, to see if the same user is still logged in. Authenticated logged-in users are not required to log in again for re-authentication, as this occurs "behind the scenes."

802.1X Re-auth Status
If Enabled is selected, the re-authentication feature is enabled. If Disabled is selected, the re-authentication feature is disabled.
802.1X Re-auth Frequency (sec)
The interval (in seconds) at which the device checks the port to re-authenticate the logged-in user. Valid values are 1-2147483647. The default is 3600.
MAC Re-auth Status
If Enabled is selected, the re-authentication feature is enabled. If Disabled is selected, the re-authentication feature is disabled.
MAC Re-auth Frequency (sec)
The interval (in seconds) at which the device checks the port to re-authenticate the logged-in user. Valid values are 1-2147483647. The default is 3600.

Authenticated User Counts

This section provides authenticated user count information for devices with Multi-User as their configured authentication type. See the device Authentication tab for information on setting the device authentication type.

Current Number of Users
The current number of users that are actively authenticated or are in the process of authenticating on this interface. If multi-user authentication is disabled, this number is 0 (zero). Any unauthenticated traffic on the port is not included in this count.
Number of Users Allowed
The maximum number of users that can actively authenticate or be in the process of authenticating at one time on this interface. If you set this value below the current number of users, end user sessions exceeding that number are terminated.
 NOTE: B2/C2 Devices. If you are configuring a single user and an IP phone per port, set this value to 2.
Number of MAC Users Allowed
The number of users that can actively authenticate via MAC authentication, or be in the process of authenticating via MAC authentication at one time on this interface. The number of MAC users allowed cannot exceed the number of users allowed. If you set this value below the current number of users, end user sessions exceeding that number are terminated. If MAC is not selected as a Multi-User authentication type on the device Authentication tab, this field is grayed out.
Number of Quarantine Users Allowed
The number of users that can be actively authenticated via Quarantine authentication, or have Quarantine authentications in progress at one time on this interface. The number of Quarantine users allowed cannot exceed the number of users allowed. If you set this value below the current number of users, end user sessions exceeding that number are terminated. If Quarantine Auth is not enabled on the device Authentication tab, this field is grayed out.
Number of Auto Tracking Users Allowed
The number of Auto Tracking users that can be actively authenticated or have authentications in progress at one time on this interface. The number of Auto Tracking users allowed cannot exceed the number of users allowed. If you set this value below the current number of users, end user sessions exceeding that number are terminated. If Auto Tracking is not enabled on the device Authentication tab, this field is grayed out.

Convergence End-Point Access

This section lists all the Convergence End-Point (CEP) protocols supported by the device that the port resides on, and lets you enable or disable them for that port. For devices that do not support CEP, the section is blank.

Enable Button
Selects all the checkboxes and enables all the CEP protocols for this port.
Disable All Button
Deselects all the checkboxes and disables all the CEP protocols for this port.
CEP Protocols List
Lists all the CEP protocols supported by the device on which the port resides. Highlight a CEP protocol and select the Enable or Disable button to enable or disable CEP protocols, respectively. If the device does not support the CEP feature, this area is blank.
