Add Authentication Profiles

Use the Add Authentication Profiles page in the Customer Portal to add authentication profiles.

To add an authentication profile, you must:

  1. Define the primary and secondary methods for authenticating a supplicant: dot1x or MAC RADIUS.

  2. Define the action the port must take when the RADIUS server is not reachable or a user is not authenticated (fallback options).

  3. Define the authentication process parameters, such as the number of times the switch can request user authentication, whether a user must be reauthenticated at regular intervals, the number of times the switch can attempt to contact the RADIUS server to authenticate a user, and so on.

Procedure

To add an authentication profile:

  1. Select Configuration > SD-LAN > Authentication Profiles in Customer Portal.

    The Authentication Profiles page appears, displaying the configured authentication profiles.

  2. Click the Add icon (+) to create a new authentication profile.

    The Add Authentication Profiles wizard appears.

  3. Complete the configuration according to the guidelines provided in Table 221.

    Note Fields marked with * are mandatory.

  4. Click OK.

    An authentication profile is created. You are returned to the Authentication Profiles page where a confirmation message is displayed.

    After you create an authentication profile, you can assign it to the port profile. See Add Port Profiles.

Table 221: Fields on the Add Authentication Profile Page


Setting

Guideline

General

Profile Name

Enter a unique name for the authentication profile. The name can contain only alphanumeric characters and hyphens (-) and is limited to 15 characters.

Profile Description

Enter a description for the authentication profile.

Supplicant Mode

Select a mode for authenticating the supplicant:

  • Single—Authenticates only the first supplicant in a LAN. All other supplicants in the LAN that connect later to the port are allowed access without any further authentication, based on the first supplicant’s authentication.

  • Single Secure—Allows only one supplicant in a LAN to connect to the port. No other supplicant in the LAN is allowed to connect until the first supplicant logs out.

  • Multiple—Allows multiple supplicants in a LAN to connect to the port. Each supplicant is authenticated individually.

Authentication Method

Primary Method

Select the primary method of authenticating a supplicant:

  • dot1x—IEEE 802.1X standard for port-based network access control (PBNAC); protects Ethernet LANs from unauthorized user access.

    The dot1x method blocks all traffic to and from a supplicant at the port until the supplicant’s credentials are presented and matched on the authentication server (a RADIUS server). When the supplicant is authenticated, the switch allows traffic to and from the supplicant to pass through it.

  • MAC RADIUS—Used for supplicants in a LAN that need to access network resources, such as a printer or camera, but do not support the 802.1X standard.

    When a switch detects a supplicant that is not 802.1X-enabled on its port, the switch transmits the MAC address of the supplicant to the authentication server. The server then tries to match the MAC address with a list of MAC addresses in its database. If the MAC address matches an address in the list, the supplicant is authenticated.

Secondary Method

The secondary method for authenticating a supplicant when the switch is unable to validate a supplicant by using the primary method:

  • None

  • dot1x, when MAC RADIUS is selected as the primary authentication method.

  • MAC RADIUS, when dot1x is selected as the primary authentication method.

Fallback Options

You can configure authentication fallback options to specify how supplicants connected to a switch are supported if the RADIUS authentication server becomes unavailable or sends a RADIUS access-reject message.

Server Fail

Select an action that the switch applies to supplicants when the authentication servers are unavailable. The switch can accept or deny access to supplicants or maintain the access already granted to supplicants before the RADIUS timeout occurred. You can also configure the switch to move the supplicants to a specific VLAN.

  • None—No action is taken. If network access is already granted to a supplicant, the access is maintained.

  • Deny—Network access is denied to the supplicant.

  • Permit—Network access is permitted to the supplicant. If a RADIUS server timeout occurs during reauthentication, traffic is allowed from and to the supplicant as the supplicant is already authenticated.

  • Use Cache—Recognizes already connected supplicants and reauthenticates them when a RADIUS timeout occurs; new supplicants are denied access.

  • VLAN ID—Moves a supplicant to a specified VLAN (server-fail VLAN) if a RADIUS server timeout occurs.

    If you select this option, enter the VLAN ID in the text box that appears below the Server Fail field.

    Note: The server-fail VLAN should be already configured on the site containing the switch.

VLAN ID

If you select VLAN ID for the Server Fail option, enter the VLAN ID of the VLAN to which the supplicant must be assigned.

Server Reject

The action the switch takes when the switch is unable to validate a supplicant because of incorrect credentials provided by the supplicant:

  • None—No action is taken and the supplicant is denied network access.

  • VLAN ID—Moves the supplicant to a specified VLAN (server-reject VLAN) with limited network access (Internet only). The server-reject VLAN is already configured on the switch.

    If you select this option, enter the VLAN ID in the text box that appears below the Server Reject field.

    Note: The server-reject VLAN should be already configured on the site containing the switch.

VLAN ID

If you select VLAN ID for the Server Reject option, enter the VLAN ID to which the supplicant must be assigned.

Guest

Select an action to be taken for a guest. A guest can be:

  • Corporate guest

  • Supplicants that are not 802.1X-enabled

  • Supplicants that are not 802.1X-enabled and are connected to ports on which MAC RADIUS authentication is not configured

Select one of the following actions:

  • None—No action is taken and the supplicant is denied network access.

  • VLAN ID—Moves the supplicants to a specified VLAN (guest VLAN) with limited network access (Internet only).

    If you select this option, enter the VLAN ID of the guest VLAN in the text box that appears below this field.

    Note: The guest VLAN should be already configured on the site containing the switch.

VLAN ID

Enter the VLAN ID of the guest VLAN.

Advanced Settings

Transmit Period

Enter the number of seconds the switch waits before retransmitting the initial authentication request to the supplicant.

Range: 1 through 65,535 seconds

Default: 30 seconds

Maximum Requests

Enter the maximum number of times authentication request packets are retransmitted to a supplicant before the authentication session times out.

Range: 1 through 10

Default: 2

Retries

Enter the number of times the switch attempts to contact an authentication server for authenticating a supplicant after an initial failure.

Range: 1 through 10

Default: 3

Quiet Period

Enter the number of seconds the port remains in the wait state following a failed authentication exchange with the supplicant, before reattempting authentication.

Range: 0 through 65,535 seconds

Default: 3 seconds

Reauthentication

Click to enable or disable (default) reauthentication of the supplicant after a specified interval. If you enable this option, you must provide the reauthentication interval.

Reauthentication Interval

If you enable reauthentication, enter the number of seconds after which a supplicant must be reauthenticated.

Range: 1 through 65,535 seconds

Default: 3600 seconds

Supplicant Timeout

Enter the number of seconds the port must wait for a response from the supplicant, before considering a timeout and resending the request.

Range: 1 through 60 seconds

Default: 30 seconds

RADIUS Server Timeout

Enter the number of seconds the port waits for a reply from the RADIUS server when authenticating a supplicant before timing out and invoking the server-fail action.

Range: 1 through 60 seconds

Default: 30 seconds
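The Server Fail and Server Reject rows above decide whether a port fails open or closed when RADIUS is unreachable. The following added example (not code from the Customer Portal or from Juniper) models those rows so you can check, for a given profile, what happens to a supplicant that was already authenticated versus one that was never authenticated; the class and function names are my own, and the 1 through 4094 VLAN ID range is the usual 802.1Q range rather than a limit stated on the page.

```python
from dataclasses import dataclass
from typing import Optional

SERVER_FAIL_ACTIONS = ("None", "Deny", "Permit", "Use Cache", "VLAN ID")


@dataclass
class FallbackProfile:
    """Fallback section of an authentication profile (constructed model)."""
    server_fail: str = "None"             # action when RADIUS servers are unreachable
    server_fail_vlan: Optional[int] = None
    server_reject: str = "None"           # "None" or "VLAN ID" on an access-reject
    server_reject_vlan: Optional[int] = None

    def __post_init__(self) -> None:
        if self.server_fail not in SERVER_FAIL_ACTIONS:
            raise ValueError(f"unknown Server Fail action {self.server_fail!r}")
        if self.server_reject not in ("None", "VLAN ID"):
            raise ValueError(f"unknown Server Reject action {self.server_reject!r}")
        # The VLAN ID action requires the VLAN ID text box to be filled in.
        for action, vlan, field in ((self.server_fail, self.server_fail_vlan, "Server Fail"),
                                    (self.server_reject, self.server_reject_vlan, "Server Reject")):
            if action == "VLAN ID" and not (vlan is not None and 1 <= vlan <= 4094):
                raise ValueError(f"{field}: VLAN ID action requires a VLAN ID between 1 and 4094")


def on_radius_timeout(p: FallbackProfile, already_authenticated: bool) -> str:
    """Outcome for one supplicant when the RADIUS server times out (Server Fail row)."""
    if p.server_fail == "Deny":
        return "denied"
    if p.server_fail == "Permit":
        return "permitted"                # granted with no credential check at all
    if p.server_fail == "VLAN ID":
        return f"server-fail VLAN {p.server_fail_vlan}"
    if p.server_fail == "Use Cache":
        return "reauthenticated from cache" if already_authenticated else "denied"
    # "None": existing access is kept; a supplicant that was never authenticated
    # stays blocked by dot1x (inferred from the dot1x description, not stated verbatim).
    return "access maintained" if already_authenticated else "blocked"


def on_access_reject(p: FallbackProfile) -> str:
    """Outcome when the RADIUS server rejects the credentials (Server Reject row)."""
    if p.server_reject == "VLAN ID":
        return f"server-reject VLAN {p.server_reject_vlan} (limited access)"
    return "denied"


def is_fail_open(p: FallbackProfile) -> bool:
    """Defender's check: does a RADIUS outage let never-authenticated supplicants in?"""
    return on_radius_timeout(p, already_authenticated=False) == "permitted"
```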