Authentication Configuration
The Authentication Configuration wizard enables you to configure and change the authentication settings on your devices. Authentication must be configured and enabled on a device in order for individual port authentication settings to take effect (see How to Configure Ports).
To access this tab, select Authentication Configuration from the Tools drop-down list.
Device Selection
Use the Device Selection tab to select the devices on which you are configuring authentication settings.
Select a device from the available devices list in the left of the tab and select the right arrow icon to move the device to the selected devices list. Select Next> to proceed to the next tab.
Port Selection
Use the Port Selection tab to select the ports on which you are configuring authentication settings.
Select a port from the Available Ports list at the top of the tab and select Add Ports to move the port to the Selected Devices list. Select Next> to proceed to the next tab.
Device Configuration
The Device Configuration tab allows you to configure authentication for a device. Use the Port Configuration tab to configure authentication settings for individual ports on the device. You can also use the drop-down list at the top of the tab to load device and port configuration settings from a template or import a template from the ExtremeCloud IQ Site Engine server into ExtremeCloud IQ Site Engine.
- Import Template
- Select to open a window from which you can select a device and port configuration template saved on the ExtremeCloud IQ Site Engine server.
- Rename/Delete Template
- Select to rename or delete a device and port configuration template saved on the ExtremeCloud IQ Site Engine server.
- Save Device & Port Config Settings To Template
- Select to save the settings you define on the Device Configuration and Port Configuration tabs to a template you can load for other devices.
- Load Device & Port Config Settings From Template
- Select to load a previously saved template of settings you previously defined on the Device Configuration and Port Configuration tabs.
Authentication Status
Use this section to select the authentication mode and types used on the device.
- Use the fields on the left side of this section to select the appropriate single- or multi-user authentication types. Only options supported by the selected device are available for selection. Some devices support multiple authentication types and multiple users (Multi-User Authentication) per port, while others are restricted to only one or two authentication types and single users per port. Refer to the Firmware Support matrix for information on the authentication types supported by each device type.
WARNING: Switching Authentication Types, or changing the Authentication Status from Enabled to Disabled, logs off any currently authenticated users.
- Auth Type Precedence (High->Low)
- This displays the order in which the authentication types are attempted on the device, with the authentication type on the left having the highest precedence (attempted first). You can edit the precedence order by selecting the field. In the Edit Precedence window, select the authentication type you want to position, and use the Up and Down buttons to arrange the types in the desired order of precedence.
WARNING: Leave the default precedence, if possible. Changing the Quarantine precedence to be lower than any other type or changing the Auto Track precedence to be higher than any other type may cause problems.
- Re-Auth Timeout Action
- This setting defines the action for sessions that need to be re-authenticated if the RADIUS server re-authentication request times out. Select the Terminate option to terminate the session or the None option to allow the current session to continue without disruption.
- Maximum Number of Users
- This setting applies to devices with Multi-User as their configured authentication type. It is the maximum number of users that can be actively authenticated or have authentications in progress at one time on this device. You can specify the maximum number of users per port on the port's Port Properties Authentication Configuration tab.
- RFC3580 VLAN Authorization
- This allows you to enable and disable RFC 3580 VLAN Authorization for the selected device. RFC 3580 VLAN Authorization must be enabled on devices in networks where the RADIUS server is configured to return a VLAN ID when a user authenticates.
When RFC 3580 VLAN Authorization is enabled:
- devices that do not support policy tag packets with the VLAN ID.
- devices that support both policy and Authentication-Based VLAN to Role Mapping classify packets according to the role to which the VLAN ID maps.
Global Authentication Settings
This section lets you set session timeout and session idle timeout values for each authentication type.
- Session Timeout
- This setting represents the maximum number of seconds an authenticated session may last before automatic termination of the session. A value of zero indicates that no session timeout applies. This value may be superseded by a session timeout value provided by the authenticating server. For example, if a session is authenticated by a RADIUS server, that server may send a session timeout value in its authentication response.
NOTE: Non-zero values are rounded to the nearest non-zero multiple of 10 by the device.
- Session Idle Timeout
- This displays the maximum number of consecutive seconds an authenticated session may be idle before ExtremeCloud IQ Site Engine automatically terminates the session. A value of zero indicates that no idle timeout applies. This value may be superseded by an idle timeout value provided by the authenticating server. For example, if a session is authenticated by a RADIUS server, that server may send an idle timeout value in its authentication response.
MAC Authentication Settings
This section enables you to set up the MAC password for MAC authentication. In order for MAC authentication to work, you must also configure the RADIUS server with the MAC password as well as the MAC addresses which are allowed to authenticate.
- MAC Mask
- You can select a mask to provide a way to authenticate end-systems based on a portion of their MAC address. For example, you could specify a mask that would base authentication on the manufacturer's ID portion of the MAC address. The MAC Mask is passed to the RADIUS server for authentication after the primary attempt to authenticate using the full MAC address fails.
- MAC Address Delimiter
- The character used between octets in a MAC address:
- None — No delimiter is used in the MAC address (e.g. xxxxxxxxxxxx).
- Hyphen — A hyphen is used as a delimiter in the MAC address (e.g. xx-xx-xx-xx-xx-xx).
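The lookup order described above (full MAC first, masked MAC as the fallback) and the two delimiter options, as an added illustration that is not ExtremeCloud IQ Site Engine code. It assumes the masked username is sent with the masked-out bits cleared to zero and rendered in lower-case hex; the RADIUS user table is constructed for the example.

```python
"""MAC authentication username candidates: full MAC first, then MAC Mask fallback.

Added illustration, not product code. Assumptions: masked-out bits are sent as
zero, usernames are lower-case hex, and the delimiter choices are the page's
"None" and "Hyphen".
"""
import re
from typing import Dict, List, Optional, Tuple


def parse_mac(text: str) -> bytes:
    """Accept any common MAC notation (colons, hyphens, dots, none) and return six octets."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)


def format_mac(octets: bytes, delimiter: str) -> str:
    """Render octets using the MAC Address Delimiter options from the page."""
    hexes = [f"{b:02x}" for b in octets]
    if delimiter == "None":
        return "".join(hexes)          # xxxxxxxxxxxx
    if delimiter == "Hyphen":
        return "-".join(hexes)         # xx-xx-xx-xx-xx-xx
    raise ValueError(f"unsupported MAC Address Delimiter: {delimiter!r}")


def apply_mask(octets: bytes, mask: bytes) -> bytes:
    """Keep only the bits selected by the mask (ff:ff:ff:00:00:00 keeps the manufacturer ID)."""
    return bytes(o & m for o, m in zip(octets, mask))


def auth_candidates(mac: str, mac_mask: Optional[str], delimiter: str) -> List[str]:
    """Usernames to try, in order: the full MAC, then the masked MAC if a mask is configured."""
    octets = parse_mac(mac)
    candidates = [format_mac(octets, delimiter)]
    if mac_mask is not None:
        masked = format_mac(apply_mask(octets, parse_mac(mac_mask)), delimiter)
        if masked != candidates[0]:    # an all-ones mask adds nothing new
            candidates.append(masked)
    return candidates


# Constructed stand-in for the RADIUS user database, keyed by MAC username.
# A masked entry authorizes every device sharing that manufacturer ID, so the
# role it maps to should be the least privileged one that still works.
RADIUS_USERS: Dict[str, str] = {
    "00-11-22-33-44-55": "Employee-Laptop",   # one specific end-system
    "00-11-22-00-00-00": "Printer-Role",      # any device from this manufacturer
}


def mac_authenticate(mac: str, mac_mask: Optional[str], delimiter: str,
                     users: Dict[str, str] = RADIUS_USERS) -> Optional[Tuple[str, str]]:
    """Simulate the device's lookup order; return (username that matched, role) or None."""
    for username in auth_candidates(mac, mac_mask, delimiter):
        if username in users:
            return username, users[username]
    return None
```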
Web Authentication Settings
For users of web-based authentication, this tab lets you specify web authentication parameters using three sections:
General
The General section lets you specify the URL of the authentication web page and the IP address of the system where it resides. It also lets you enable certain web authentication features, such as Enhanced Login Mode, on devices that support those features.
- Enhanced Login Mode
- Enabling the Enhanced Login Mode causes the authentication web page to be displayed regardless of whether the URL or IP address entered into the browser by the end user is the designated Web Authentication URL or IP address. This option is grayed out if the device does not support the mode.
- Enhanced Mode Redirect Time(s)
- This setting applies for devices with Enhanced Login Mode enabled. It specifies the amount of time (in seconds) before the end-user is redirected from the authentication web page to their requested URL.
An end-system using DHCP requires time to transition from the temporary IP address issued by the authentication process to the official IP address issued by the network. Enhanced Mode Redirect Time specifies the amount of time allowed for the end-system to complete this process and begin using its official IP address.
For example, if an end-user (in Enhanced Login Mode and a Redirect Time of 30 seconds) enters the URL of "http://ExtremeNetworks.com", the user is presented the authentication web page. When the user successfully authenticates into the network, the user sees a login success page that displays "Welcome to the Network. Completing network connections. You will be redirected to http://ExtremeNetworks.com in approximately 30 seconds."
- WINS/DNS Spoofing
- This setting allows you to enable and disable WINS/DNS spoofing for the selected device. Spoofing allows the end-user to resolve the Web Authentication URL name to the IP address using WINS/DNS. The default is Disabled. This option is grayed out if not supported by the device.
- Logo Display Status
- Specifies whether the Extreme Networks logo is displayed or hidden on the authentication web page window. This option is grayed out if not supported by the device.
- Authentication Protocol
- This setting is the authentication protocol being used (PAP or CHAP). PAP (Password Authentication Protocol) provides an automated way for a PPP (Point-to-Point Protocol) server to request the identity of a user and confirm it via a password. CHAP (Challenge Handshake Authentication Protocol), the more secure of the two protocols, provides a similar function, except that the confirmation is accomplished using a challenge and response authentication dialog.
- Web Authentication URL
- This is the URL for your authentication web page. Users wishing to receive network services access the web page from a browser using this URL. The http:// is supplied. Alphabetical characters, numerical characters and dashes are allowed as part of the URL, but dots are not. The URL needs to be mapped to the Web Authentication IP address in DNS or in the hosts file of each client. It must be resolvable via DNS/WINS, either on the device or at corporate, assuming the Web Authentication mapping has been set up on the corporate DNS/WINS service. This option is grayed out if not supported by the device.
- Web Authentication IP Address
- This is the IP address of your authentication web page server. If you have specified a Web Authentication URL, the IP address needs to be mapped to the URL in DNS or in the host file of each client.
Guest Networking
The Guest Networking section lets you configure guest networking, a feature that allows any user to access the network and obtain a guest policy without having to know a username or password. The user accesses the authentication web page, where the username and password fields are automatically filled in, allowing them to log in as a guest. If the user does not want to log in as a guest, they can type in their valid username and password to log in.
NOTE: Guest networking is designed for networks using web-based authentication, with port mode set to Active/Discard.
- Guest Networking Status
- Use the drop-down list to specify guest networking status:
- Disable — Guest networking is unavailable.
- Local Auth — Guest Networking is enabled. The user accesses the authentication web page where the username field is automatically filled in with the specified Guest Name. When the user submits the web page using this guest name, the default policy of that port becomes the active policy. The port mode must be set to Active/Discard mode.
- RADIUS Auth — Guest Networking is enabled. The user accesses the authentication web page, where the username field is automatically filled in with the specified Guest Name, and the password field is masked out with asterisks. When the user submits the web page using these credentials, the value of the Guest Password is used for authentication. Following successful authentication from the RADIUS server, the port applies the policy (role) returned from the RADIUS server. The port mode must be set to Active/Discard mode.
- Guest Name
- The username that Guest Networking uses to authenticate users. The guest name is displayed automatically on the authentication web page. If the user does not want to log in as a guest, they can type in their valid username to override the guest username.
- Guest Password
- The password that Guest Networking uses to authenticate users when RADIUS Auth is selected.
Web Page Banner
The Web Page Banner section allows you to customize the banner end users see at the top of the authentication web page and set a Redirect Time, if applicable.
- Web Page Banner
- Use this area to create a banner end users see at the top of the authentication web page. For example, you might include your company name and information on what to do if the user has questions or problems. Because this banner also appears in messages that occur during successful login and failed authentication, as well as on the "Radius Busy" screen, it is not appropriate to include "Welcome to [Your Company]" in the banner.
The Default button allows you to reset the banner to default text provided in a text file (pwa_banner.txt). Initially, the default banner text is the Extreme Networks contact information. However, you can customize the text for your network by editing the pwa_banner.txt file, located in the top level of the Policy Manager install directory. Then, when you select the Default button, the new text will be displayed in the Web Page Banner area.
Convergence End-Point Settings
This section provides a way to identify Convergence End-Points (IP phones) connecting to the device, and apply a role to the end-point based on the type of end-point detected. The CEP Detection section lets you create detection rules for identifying the end-points, and the CEP Role Mappings section lets you map a role to each CEP product type.
In addition to configuring CEP on the device, you must also enable CEP protocols on each port using the CEP Access section in the Port Authentication Tab. After you have configured CEP on the device and each port, you can monitor CEP usage on the Port Usage Tab (Port) or Port Usage Tab (Device).
CEP Role Mappings
This section lets you select the CEP product types supported on the device, and map a role for each type. Then, when a convergence end-point (such as an IP phone) connects to the network, the device identifies the type of end-point (using CEP detection rules) and applies the assigned role.
- Add
- Select a CEP Type and select the Add button to open the Add Role Mapping window, where you can select a role for the selected CEP Type. Your selections are added to the CEP Role Mappings list.
CEP Detection Tab
Use this section to create CEP detection rules used to determine if a connecting end-system is a CEP device and the type of CEP device. This allows ExtremeCloud IQ Site Engine to assign the appropriate role to the port based on the type of CEP device detected.
NOTE: CEP detection rules apply only to Siemens, H.323, and SIP (Session Initiation Protocol) phone detection. Cisco detection uses CiscoDP as its detection method.
CEP detection rules are based on two detection methods:
- TCP/UDP Port Number detection — Many CEP vendors use specific TCP/UDP port numbers for call setup on their IP phones. You can create detection rules that identify CEP devices based on specific TCP/UDP port numbers. By default, Siemens Hi-Path phones are detected on TCP/UDP port 4060.
- IP Address detection — H.323 phones use a reserved IP multicast address and UDP port number for call setup. You can create detection rules to detect an IP phone based on its IP address in combination with an IP address mask. By default, H.323 phones are detected using the multicast address 224.0.1.41 and the TCP/UDP ports 1718, 1719, and 1720. SIP phones are detected using the multicast address 224.0.1.75 and the TCP/UDP port 5060. H.323 and SIP phones are also detected using only their respective multicast addresses without the TCP/UDP ports.
- Priority
- The rule priority, with one (1) being the highest priority. The rule with the highest priority is used first, so it is recommended that the highest priority be given to the predominant protocol in the network to provide for greater efficiency.
- Address
- If the rule is based on IP address detection, this field displays the IP address against which incoming packets are matched. By default, H.323 uses 224.0.1.41 as its IP address, SIP uses 224.0.1.75 as its IP address, and Siemens has no IP address configured.
- Address Mask
- If the rule is based on IP address detection, this field displays the IP address mask against which incoming packets are matched.
- End Point Type
- Specifies the end-point type assigned (H.323, Siemens, or SIP) if incoming packets match this rule.
- Protocol
- If the rule is based on TCP/UDP port detection, this field displays the protocol type used for matching, using a port range defined with the Port Low and Port High values:
- UDP + TCP — Match the port number for both UDP and TCP frames.
- TCP — Match the port number only for TCP frames.
- UDP — Match the port number only for UDP frames.
- Add
- Opens the Add/Edit CEP Detection Rule window where you can create CEP detection rules.
- Edit
- To edit a CEP detection rule, select the rule and select Edit. The Add/Edit CEP Detection Rule window opens where you edit the rule's parameters. You can also double-click an entry in the table to open the edit window.
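The two detection methods and the priority ordering described in this section, as an added illustration that is not ExtremeCloud IQ Site Engine code. The rule set is modelled on the defaults the page lists (the priority numbers and the 10.20.0.0/16 masked rule are constructed), and it assumes that a rule configured with both an address and a port range requires both to match.

```python
"""Priority-ordered CEP detection rule matching.

Added illustration, not product code. Models the page's two rule types
(IP address + mask, TCP/UDP port range with a protocol selector) and applies
rules in priority order (1 = highest). Assumption: a rule that sets both an
address and a port range requires both criteria to match.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Iterable, Optional

UDP_TCP, TCP, UDP = "UDP + TCP", "TCP", "UDP"   # Protocol field values from the page
HOST = "255.255.255.255"                         # mask for an exact address match


@dataclass(frozen=True)
class CepRule:
    priority: int                 # 1 is the highest priority
    end_point_type: str           # "H.323", "Siemens" or "SIP"
    address: Optional[str] = None
    address_mask: Optional[str] = None
    protocol: Optional[str] = None
    port_low: Optional[int] = None
    port_high: Optional[int] = None

    def matches(self, dst_ip: str, proto: str, dst_port: int) -> bool:
        """True if the packet satisfies every criterion this rule configures."""
        if self.address is not None:
            mask = int(IPv4Address(self.address_mask or HOST))
            if int(IPv4Address(dst_ip)) & mask != int(IPv4Address(self.address)) & mask:
                return False
        if self.protocol is not None:
            if self.protocol != UDP_TCP and self.protocol != proto:
                return False          # TCP-only or UDP-only rule, wrong frame type
            if not (self.port_low <= dst_port <= self.port_high):
                return False
        return True


def detect(rules: Iterable[CepRule], dst_ip: str, proto: str, dst_port: int) -> Optional[str]:
    """Return the end-point type of the highest-priority matching rule, or None."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(dst_ip, proto, dst_port):
            return rule.end_point_type
    return None


# Modelled on the page's defaults; priorities are constructed for the example.
DEFAULT_RULES = [
    CepRule(1, "SIP", "224.0.1.75", HOST, UDP_TCP, 5060, 5060),
    CepRule(2, "H.323", "224.0.1.41", HOST, UDP_TCP, 1718, 1720),
    CepRule(3, "Siemens", protocol=UDP_TCP, port_low=4060, port_high=4060),
    CepRule(4, "SIP", "224.0.1.75", HOST),        # address-only rule
    CepRule(5, "H.323", "224.0.1.41", HOST),      # address-only rule
    # Constructed (not a product default): a masked rule covering 10.20.0.0/16.
    CepRule(6, "SIP", "10.20.0.0", "255.255.0.0"),
]


def classify_samples():
    """Classify constructed packets (dst_ip, proto, dst_port) against DEFAULT_RULES."""
    samples = [
        ("224.0.1.41", UDP, 1719),   # H.323 multicast address and call-setup port
        ("224.0.1.75", UDP, 6000),   # SIP multicast address, non-default port
        ("10.1.1.5", TCP, 4060),     # Siemens Hi-Path call-setup port
        ("10.20.7.9", TCP, 22),      # matched only by the constructed masked rule
        ("10.1.1.5", UDP, 53),       # ordinary DNS traffic: no rule matches
    ]
    return {pkt: detect(DEFAULT_RULES, *pkt) for pkt in samples}


def priority_demo():
    """Why priority matters: one packet can satisfy two rules.

    A UDP frame to 224.0.1.41 port 4060 matches the Siemens port rule (priority 3)
    and the address-only H.323 rule (priority 5). Swapping those two priorities
    changes the end-point type assigned, so the predominant protocol should sit
    at the top of the list.
    """
    pkt = ("224.0.1.41", UDP, 4060)
    swapped = [r for r in DEFAULT_RULES if r.priority not in (3, 5)] + [
        CepRule(3, "H.323", "224.0.1.41", HOST),
        CepRule(5, "Siemens", protocol=UDP_TCP, port_low=4060, port_high=4060),
    ]
    return detect(DEFAULT_RULES, *pkt), detect(swapped, *pkt)
```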
Port Configuration
The Port Configuration tab allows you to configure authentication for the ports of a device.
The Authentication Configuration tab has six sections:
- Authentication Mode
- RFC3580 VLAN Authorization
- Login Settings
- Automatic Re-Authentication
- Authenticated User Counts
- CEP Access
Authentication Mode
This section displays general authentication and port mode information about the port.
Port Mode
Port mode defines whether or not a user is required to authenticate on a port, and how unauthenticated traffic will be handled. It is a combination of Authentication Behavior (whether or not authentication is enabled on the port), and Unauthenticated Behavior (whether unauthenticated traffic will be assigned to the port's default role or discarded).
- Authentication Behavior -- Defines whether or not end users are required to authenticate on the port (device).
- Active -- Normal authentication procedures are implemented. End users are required to authenticate.
- Inactive -- Authentication of end users is not required.
- Unauthenticated Behavior -- Defines how the traffic of unauthenticated end users will be handled on the port.
- Default Role -- If the end user is unauthenticated, the port will implement its default role. If there is no default role, there will be no role on the port.
- Discard -- If the end user is unauthenticated, no traffic is allowed on the port.
These two settings can be combined to create four possible port modes.
- Inactive/Discard Mode: In this mode, authentication is inactive for the port. All traffic from users connected to the port is discarded. This effectively turns the port off. This port mode is not available for Single User MAC Authentication.
- Inactive/Default Role Mode: In this mode, authentication is inactive for the port. All users connecting to this port will use the default role, if one has been assigned to the port, in combination with any existing static classifications. If there is no default role assigned to the port, the port uses only the static classification rules which exist. If there are no static rules, the port uses the PVID and default class of service for the port. This is the default port mode for ports.
- Active/Discard Mode: In this mode, authentication is active for the port and end users are required to authenticate. All traffic from unauthenticated users connected to the port is discarded. The Unauthenticated Behavior varies depending on the type of authentication configured on the device.
Single User Web-based Authentication: If authentication is successful, the port is assigned the end user's role as its current role. If unsuccessful, all traffic is discarded. A default role has no meaning on this Active/Discard port, since all unauthenticated traffic is discarded.
Single User 802.1X and 802.1X+MAC Authentication: If authentication is successful, the port is assigned the end user's role as its current role. If unsuccessful, all traffic is discarded. This mode requires that there be no default role assigned to the port.
Single User MAC Authentication: This port mode is not available for Single User MAC Authentication.
Multi-User 802.1X and MAC Authentication: If authentication is successful, the port is assigned the end user's role as its current role. If unsuccessful, all traffic is discarded. A default role has no meaning on this Active/Discard port, since all unauthenticated traffic is discarded.
Multi-User Web-based Authentication: This port mode is not available for Multi-User Web-based Authentication.
Advantages of Active/Discard mode: This mode is highly secure, since the end user receives no network services at all until authentication is successful.
Disadvantages of Active/Discard mode: The unauthenticated end user is unable to connect to any network services, such as the Domain Controller (if using a Microsoft operating system), DHCP services, DNS services, or the Web proxy. In single user web-based authentication, the device spoofs WINS/DNS services (if the functionality is enabled) in order to allow the user to communicate with it for authentication.
- Active/Default Role Mode: In this mode, authentication is active for the port and end users are required to authenticate. If authentication is successful, the port is assigned the end user's role as its current role. All unauthenticated users connected to the port will use the default role, if one has been assigned to the port, in combination with any existing static classifications. If there is no default role assigned to the port, the port uses only the static classification rules which exist. If there are no static rules, the port uses the PVID and default class of service for the port. For Single User 802.1X and 802.1X+MAC Authentication, this mode requires that a default role be assigned to the port.
Advantages of Active/Default Role mode: In this mode, a default role is applied to the port to allow unauthenticated end users access to basic services such as the DHCP Server, Domain Services, WINS, and the Web proxy. When the end user is authenticated, that user's role is applied to the port, providing a customized set of services allowed by his or her role. Active/Default Role mode is an alternative to Active/Discard mode, which is limiting in that there are no network services available at all until the end user is authenticated.
Disadvantages of Active/Default Role mode: This mode is less secure than Active/Discard, in that the user receives some network access prior to authentication.
RFC3580 VLAN Authorization Tab
This tab lets you enable or disable RFC 3580 VLAN Authorization on the port and specify an egress state. RFC 3580 VLAN Authorization must be enabled in networks where the RADIUS server has been configured to return a VLAN ID when a user authenticates.
When RFC 3580 VLAN Authorization is enabled:
- ports on devices that do not support policy tag packets with the VLAN ID.
- ports on devices that do support policy and also support Authentication-Based VLAN to Role Mapping classify packets according to the role to which the VLAN ID maps.
You can also enable and disable VLAN Authorization at the device level using the device Authentication tab. If the device does not support RFC 3580, this tab is grayed out.
- VLAN Authorization Status
- Allows you to enable and disable RFC 3580 VLAN Authorization for the selected port. This option is grayed out if not supported by the device.
- VLAN Authorization Admin Egress
- Allows you to modify the VLAN egress list for the VLAN ID returned by the RADIUS server when a user authenticates on the port:
- None - No modification to the VLAN egress list will be made.
- Tagged - The port will be added to the list with the egress state set to Tagged (frames will be forwarded as tagged).
- Untagged - The port will be added to the list with the egress state set to Untagged (frames will be forwarded as untagged).
- Dynamic - The port will use information returned in the RADIUS response to modify the VLAN egress list. This value is supported only if the device supports a mechanism through which the egress state may be returned in the RADIUS response.
- The current egress settings for the port are displayed in the VLAN Oper Egress column in the User Sessions tab. These options are grayed out if not supported by the device.
Login Settings
This tab displays the current login settings for the port and allows you to change the settings if desired. The options available depend on what type(s) of authentication are enabled on the device.
- Number of Attempts Before Timeout
- Number of times a user can attempt to log in before authentication fails and login attempts are not allowed. For web-based authentication, valid values are 1-2147483647, zero is not allowed, and the default is 2. For 802.1X and MAC authentication, this value is permanently set to 1.
- Hold Time (seconds)
- Amount of time (in seconds) authentication will remain timed out after the specified Number of Attempts Before Timeout has been reached. Valid values are 0-65535. The default is 60. (Hold Time is also known as Quiet Period in web-based and MAC authentication.)
- Authentication Request Period
- For 802.1X authentication, how often (in seconds) the device queries the port to see if there is a new user on it. If a user is found, the device then attempts to authenticate the user. Valid values are 1-65535. The default is 30.
- User Timeout
- For 802.1X authentication, the amount of time (in seconds) the device waits for an answer when querying the port for the existence of a user. Valid values are 1-300. The default is 30.
- Authentication Server Timeout
- For 802.1X authentication, if a user is found on the port, the amount of time (in seconds) the device waits for a response from the authentication server before timing out. Valid values are 1-300. The default is 30.
- Port Handshake Requests Before Failure
- For 802.1X authentication, the number of times the device tries to finalize the authentication process with the user before the authentication request is considered invalid and authentication fails. Valid values are 1-10. The default is 2.
- Quarantine Session Timeout (sec)
- For Quarantine authentication, the maximum number of seconds an authenticated session may last before automatic termination of the session. A value of zero indicates that no session timeout will be applied.
- Quarantine Session Idle Timeout (sec)
- For Quarantine authentication, the maximum number of consecutive seconds an authenticated session may be idle before automatic termination of the session. A value of zero indicates that the device level setting is used.
- Auto Tracking Session Timeout (sec)
- For Auto Tracking sessions, the maximum number of seconds a session may last before automatic termination of the session. A value of zero indicates that the device level setting is used.
- Auto Tracking Session Idle Timeout (sec)
- For Auto Tracking sessions, the maximum number of consecutive seconds a session may be idle before automatic termination of the session. A value of zero indicates that the device level setting is used.
Automatic Re-Authentication
This tab is grayed out if only web-based authentication is enabled on the device. For 802.1X and MAC authentication, the Automatic Re-Authentication tab lets you set up the periodic automatic re-authentication of logged-in users on this port. Without disrupting the user's session, the device repeats the authentication process using the most recently obtained user login information to see if the same user is still logged in. Authenticated logged-in users are not required to log in again for re-authentication, as this occurs "behind the scenes."
- 802.1X Re-auth Status
- If Active is selected, the re-authentication feature is enabled for 802.1X authentication. If Inactive is selected, the re-authentication feature is disabled.
- 802.1X Re-auth Frequency (sec)
- How often (in seconds) the device checks the port to re-authenticate the logged-in user via 802.1X authentication. Valid values are 1-2147483647. The default is 3600.
- MAC Re-auth Status
- If Active is selected, the re-authentication feature is enabled for MAC authentication. If Inactive is selected, the re-authentication feature is disabled.
- MAC Re-auth Frequency (sec)
- How often (in seconds) the device checks the port to re-authenticate the logged in user via MAC authentication. Valid values are 1-2147483647. The default is 3600.
Authenticated User Counts
This tab provides authenticated user-count information for devices with Multi-User as their configured authentication type. See the device Authentication tab for information on setting the device authentication type.
- Current Number of Users
- The current number of users who are actively authenticated or have authentications in progress on this interface. If Multi-User authentication is disabled, this number is 0. Any unauthenticated traffic on the port is not included in this count.
- Number of Users Allowed (up to 2048)
- The number of users that can be actively authenticated or have authentications in progress at one time on this interface. If you set this value below the current number of users, end-user sessions exceeding that number are terminated.
NOTE: B2/C2 Devices. If you are configuring a single user and an IP phone per port, set this value to 2.
- Number of MAC Users Allowed (up to 2048)
- The number of users that can be actively authenticated via MAC authentication, or have MAC authentications in progress at one time on this interface. The number of MAC users allowed cannot exceed the number of users allowed. If you set this value below the current number of users, end user sessions exceeding that number are terminated. If MAC is not selected as a Multi-User authentication type on the device Authentication tab, this field will be grayed out.
- Number of Quarantine Users Allowed (up to 2048)
- The number of users that can be actively authenticated via Quarantine authentication, or have Quarantine authentications in progress at one time on this interface. The number of Quarantine users allowed cannot exceed the number of users allowed. If you set this value below the current number of users, end user sessions exceeding that number are terminated. If Quarantine Auth is not enabled on the device Authentication tab, this field will be grayed out.
- Number of Auto Tracking Users Allowed (up to 2048)
- The number of Auto Tracking users that can be actively authenticated or have authentications in progress at one time on this interface. The number of Auto Tracking users allowed cannot exceed the number of users allowed. If you set this value below the current number of users, end user sessions exceeding that number will be terminated. If Auto Tracking is not enabled on the device Authentication tab, this field is grayed out.
Convergence End-Point Access
This tab lists all the CEP (Convergence End-Point) protocols supported by the device on which the port resides, and lets you enable or disable them for that port. For devices that do not support CEP, the tab is blank.
NOTE: Port Mode Authentication Behavior must be set to Active (on the General sub-tab) for authentication to be allowed using these CEP Protocols.
Enable CEP protocols for multiple ports using the Port Configuration Wizard. In addition to enabling protocols on the port, you must also configure CEP for the device on which the port resides. Configure CEP for a single device using the device Authentication tab (CEP sub-tab) or for multiple devices using the Device Configuration Wizard.
- CEP Access
- Lists all the CEP protocols supported by the device on which the port resides. Use the checkboxes to enable or disable CEP protocols on this port. If the device does not support the CEP feature, this area is blank.