beautypg.com

Using voice aware 802.1x security, Using web authentication – Dell POWEREDGE M1000E User Manual

Page 289

background image

10-27

Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide

OL-13270-03

Chapter 10 Configuring IEEE 802.1x Port-Based Authentication

Understanding IEEE 802.1x Port-Based Authentication

Switching a port host mode from multidomain to single- or multihost mode removes all authorized
devices from the port.

If a data domain is authorized first and placed in the guest VLAN, non-IEEE 802.1x-capable voice
devices need to tag their packets on the voice VLAN to trigger authentication.

We do not recommend per-user ACLs with an MDA-enabled port. An authorized device with a
per-user ACL policy might impact traffic on both the voice and data VLANs of the port. If used,
only one device on the port should enforce per-user ACLs.

Using Voice Aware 802.1x Security

You use the voice aware 802.1x security feature to configure the switch to disable only the VLAN on
which a security violation occurs, whether it is a data or voice VLAN. In previous releases, when an
attempt to authenticate the data client caused a security violation, the entire port shut down, resulting in
a complete loss of connectivity.

You can use this feature in IP phone deployments where a PC is connected to the IP phone. A security
violation found on the data VLAN results in the shutdown of only the data VLAN. The traffic on the
voice VLAN flows through the switch without interruption.

For information on configuring voice aware 802.1x security, see the

“Configuring Voice Aware 802.1x

Security” section on page 10-39

.

Using Web Authentication

You can use a web browser to authenticate a client that does not support IEEE 802.1x functionality. This
feature can authenticate up to eight users on the same shared port and apply the appropriate policies for
each end host on a shared port.

You can configure a port to use only web authentication. You can also configure the port to first try and
use IEEE 802.1x authentication and then to use web authorization if the client does not support
IEEE 802.1x authentication.

Web authentication requires two Cisco Attribute-Value (AV) pair attributes:

The first attribute,

priv-lvl=15

, must always be set to 15. This sets the privilege level of the user

who is logging into the switch.

The second attribute is an access list to be applied for web authenticated hosts. The syntax is similar
to IEEE 802.1X per-user ACLs. However, instead of

ip:inacl

, this attribute must begin with

proxyacl

, and the

source

field in each entry must be

any

. (After authentication, the client IP

address replaces the

any

field when the ACL is applied.)

For example:

proxyacl# 10=permit ip any 10.0.0.0 255.0.0.0

proxyacl# 20=permit ip any 11.1.0.0 255.255.0.0

proxyacl# 30=permit udp any any eq syslog

proxyacl# 40=permit udp any any eq tftp

Note

The proxyacl entry determines the type of allowed network access.

For more information, see the

“Authentication Manager” section on page 10-7

and the

“Configuring

Web Authentication” section on page 10-61

.

See also other documents in the category Dell Computer Accessories: