
Add Authentication Profiles

 

Use the Add Authentication Profiles page in Customer Portal to add authentication profiles. In the workflow to add an authentication profile, you:

  1. Define the primary and secondary methods for authenticating a supplicant: 802.1X (dot1x) or MAC RADIUS.

  2. Define the action that the port must take when the RADIUS server is not reachable or a user is not authenticated (fallback options).

  3. Define the authentication process parameters, such as the number of times that the switch can request user authentication, whether a user must be reauthenticated at regular intervals, the number of times a switch can attempt to contact the RADIUS server for authenticating a user, and so on.

To add an authentication profile:

  1. Select Configuration > SD-LAN > Authentication Profiles in Customer Portal.

    The Authentication Profiles page appears, displaying the existing authentication profiles.

  2. Click the Add icon (+).

    The Add Authentication Profiles wizard appears.

  3. Complete the configuration according to the guidelines provided in Table 1.

    Note: Fields marked with * are mandatory.

  4. Click OK.

    An authentication profile is added. You are returned to the Authentication Profiles page where a confirmation message is displayed.

    After you add an authentication profile, you can assign it to a port profile. See Add Port Profiles.

Table 1: Fields on the Add Authentication Profile Page

Setting

Guideline

General

Profile Name

Enter a unique name for the authentication profile. The name can contain only alphanumeric characters and hyphens (-), with a 15-character maximum.

Profile Description

Enter a description for the authentication profile.

Supplicant Mode

Select a mode for authenticating the supplicant:

  • Single—Authenticates only the first supplicant in a LAN. All other supplicants in the LAN that connect to the port later are allowed or denied access without any authentication, based on the first supplicant’s authentication.

  • Single Secure—Allows only one supplicant in a LAN to connect to the port. No other supplicant in the LAN is allowed to connect until the first supplicant logs out.

  • Multiple—Allows multiple supplicants in a LAN to connect to the port. Each supplicant is authenticated individually.

Authentication Method

Primary Method

Select the primary method of authenticating a supplicant:

  • dot1x—IEEE 802.1X standard for port-based network access control (PBNAC); protects Ethernet LANs from unauthorized user access.

    The 802.1X method blocks all traffic to and from a supplicant at the port until the supplicant’s credentials are presented and matched on the authentication server (a RADIUS server). When the supplicant is authenticated, the switch allows traffic to and from the supplicant to pass through it.

  • MAC RADIUS—Used for supplicants connected in a LAN, such as printers or cameras, that need to access network resources but do not support the 802.1X standard.

    When a switch detects a supplicant that is not 802.1X-enabled, the switch transmits the MAC address of the supplicant to the authentication server. The server then tries to match the MAC address with a list of MAC addresses in its database. If the MAC address matches an address in the list, the supplicant is authenticated.

Secondary Method

The secondary method for authenticating a supplicant when the switch is unable to validate a supplicant by using the primary method:

  • None

  • dot1x, when MAC RADIUS is selected as the primary authentication method.

  • MAC RADIUS, when dot1x is selected as the primary authentication method.

Fallback Options

You can configure authentication fallback options to specify how supplicants connected to a switch are supported if the RADIUS authentication server becomes unavailable or sends a RADIUS access-reject message.

Server Fail

Select an action that the switch applies to supplicants when the authentication servers are not reachable. The switch can accept or deny access to supplicants or maintain the access already granted to supplicants before the RADIUS timeout occurred. You can also configure the switch to move the supplicants to a specific VLAN.

  • None—No action is taken. If network access is already granted to a supplicant, the access is maintained.

  • Deny—Network access is denied to the supplicant.

  • Permit—Network access is permitted to the supplicant. If a RADIUS server timeout occurs during reauthentication, traffic is allowed from and to the supplicant because the supplicant is already authenticated.

  • Use Cache—Recognizes already connected supplicants and reauthenticates the supplicants when there is a RADIUS timeout; new supplicants are denied access.

  • VLAN ID—Moves a supplicant to a specified VLAN (server-fail VLAN) if a RADIUS server timeout occurs.

    If you select this option, enter the VLAN ID in the text box that appears below the Server Fail field.

    Note: The server-fail VLAN should be already configured on the site containing the switch.

VLAN ID

If you select VLAN ID for the Server Fail option, enter the VLAN ID of the VLAN to which the supplicant must be assigned.

Server Reject

The action the switch takes when the switch is unable to validate a supplicant because of incorrect credentials provided by the supplicant:

  • None—No action is taken and the supplicant is denied network access.

  • VLAN ID—Moves the supplicant to a specified VLAN (server-reject VLAN) with limited network access (Internet only). The server-reject VLAN is already configured on the switch.

    If you select this option, enter the VLAN ID in the text box that appears below the Server Reject field.

    Note: The server-reject VLAN should be already configured on the site containing the switch.

VLAN ID

If you select VLAN ID for the Server Reject option, enter the VLAN ID to which the supplicant must be assigned.

Guest

Select an action to be taken for a guest (corporate guest or supplicants that are not 802.1X-enabled):

  • None—No action is taken and the supplicant is denied network access.

  • VLAN ID—Moves the supplicants to a specified VLAN (guest VLAN) with limited network access (Internet only).

    If you select this option, enter the VLAN ID of the guest VLAN in the text box that appears below this field.

    Note: The guest VLAN should be already configured on the site containing the switch.

VLAN ID

Enter the VLAN ID of the guest VLAN.

Advanced Settings

Transmit Period

Enter the number of seconds that the switch waits before retransmitting the initial authentication request to the supplicant.

Range: 1 through 65,535 seconds.

Default: 30 seconds.

Maximum Requests

Enter the maximum number of times that authentication request packets are retransmitted to a supplicant before the authentication session times out.

Range: 1 through 10.

Default: 2.

Retries

Enter the number of times that the switch attempts to contact an authentication server for authenticating a supplicant after an initial failure.

Range: 1 through 10.

Default: 3.

Quiet Period

Enter the number of seconds that the port remains in the wait state following a failed authentication exchange with the supplicant, before reattempting authentication.

Range: 0 through 65,535 seconds.

Default: 3 seconds.

Reauthentication

Click to enable or disable (default) reauthentication of the supplicant after a specified interval. If you enable this option, you must provide the reauthentication interval.

Reauthentication Interval

If you enable reauthentication, enter the number of seconds after which a supplicant must be reauthenticated.

Range: 1 through 65,535 seconds.

Default: 3600 seconds.

Supplicant Timeout

Enter the number of seconds that the port must wait for a response from the supplicant before timing out and resending the request.

Range: 1 through 60 seconds.

Default: 30 seconds.

RADIUS Server Timeout

Enter the number of seconds that the port waits for a reply from the RADIUS server when authenticating a supplicant before timing out and invoking the server-fail action (action that the switch applies to supplicants when the authentication servers are not reachable).

Range: 1 through 60 seconds.

Default: 30 seconds.

WHAT'S NEXT

After you create an authentication profile, create a port profile and assign the authentication profile to the port profile; see Add Port Profiles.
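
A planned profile can be checked against the Table 1 constraints before it is entered in the wizard. The following is an added example, not code from Customer Portal or its vendor: the dictionary keys and option strings are hypothetical names for the Table 1 fields, and the sample profile is constructed. Besides range and name errors, it lists settings under which, per the field descriptions above, a supplicant gets access without presenting credentials.

```python
import re

# Added example: the keys below are hypothetical names for the Table 1
# fields; they are not a Customer Portal API or export format.
RANGES = {  # field: (min, max) as stated in Table 1
    "transmit_period": (1, 65535),
    "maximum_requests": (1, 10),
    "retries": (1, 10),
    "quiet_period": (0, 65535),
    "reauth_interval": (1, 65535),
    "supplicant_timeout": (1, 60),
    "radius_server_timeout": (1, 60),
}
METHODS = {"dot1x", "mac-radius"}

def lint_profile(p):
    """Return (errors, review): Table 1 violations and settings to review."""
    errors, review = [], []
    if not re.fullmatch(r"[A-Za-z0-9-]{1,15}", p.get("name", "")):
        errors.append("name: alphanumeric and hyphen only, 15 characters maximum")
    primary, secondary = p.get("primary"), p.get("secondary")
    if primary not in METHODS:
        errors.append("primary: must be dot1x or mac-radius")
    # Secondary is None or the method that was not chosen as primary.
    elif secondary is not None and secondary not in METHODS - {primary}:
        errors.append("secondary: must be None or the other method")
    for field, (lo, hi) in RANGES.items():
        if field in p and not lo <= p[field] <= hi:
            errors.append(f"{field}: out of range {lo}-{hi}")
    for field in ("server_fail", "server_reject", "guest"):
        if p.get(field) == "vlan" and not p.get(field + "_vlan_id"):
            errors.append(f"{field}: VLAN ID is required")
    # Settings that grant access without a fresh credential check.
    if p.get("server_fail") == "permit":
        review.append("server_fail=permit: access is granted while RADIUS is unreachable")
    if p.get("supplicant_mode") == "single":
        review.append("supplicant_mode=single: later supplicants are not authenticated")
    if "mac-radius" in (primary, secondary):
        review.append("mac-radius: supplicant is matched by MAC address only")
    if not p.get("reauthentication"):
        review.append("reauthentication disabled: no periodic reauthentication")
    return errors, review

# Constructed sample profile (not taken from any real deployment).
SAMPLE = {"name": "branch-office-printers", "supplicant_mode": "single",
          "primary": "mac-radius", "secondary": "mac-radius",
          "server_fail": "permit", "guest": "vlan", "retries": 12,
          "radius_server_timeout": 30}
```

Calling `lint_profile(SAMPLE)` returns the two lists; an empty `errors` list means the values fit Table 1, and `review` is the set of choices to confirm against the site's access policy.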