
    Creating and Managing Authentication Profiles

    Authentication profiles specify the authentication method and the authentication parameters used to authenticate clients and users that connect to a WLAN or to an access port on a switch.

    Use the Manage Authentication Profiles page to create new Authentication profiles and manage existing Authentication profiles.

    To display the Manage Authentication Profiles page: In Build mode, select Authentication from Profile and Configuration Management in the Tasks pane. The Manage Authentication Profiles page appears.

    This topic describes:

    Managing Authentication Profiles

    From the Manage Authentication Profiles page, you can:

    • Create a new Authentication profile by clicking Add. For directions, see Creating an Authentication Profile.
    • Modify an existing profile by selecting it and clicking Edit.
    • View information about a profile, including the interfaces it is associated with, by clicking the profile name or by selecting the profile and clicking Details.
    • Delete an Authentication profile by selecting a profile and clicking Delete.

      Tip: You cannot delete profiles that are in use—that is, assigned to objects or used by other profiles. To see the current assignments for a profile, select the profile and click Details.

    • Clone a profile by selecting a profile and clicking Clone.

    Table 1 describes the information provided about Authentication profiles on the Manage Authentication Profiles page. This page lists all Authentication profiles defined for your network, regardless of the scope you selected in the network view.

    Table 1: Manage Authentication Profile Fields

    Field

    Description

    Profile Name

    Name given to the profile when the profile was created.

    Family Type

    The device family on which the profile was created.

    Description

    Description of the profile that was entered when the profile was created.

    Tip: To display the entire description, you might need to resize the Description column by clicking the column border in the heading and dragging it.

    Creation Time

    Date and time when this profile was created.

    Update Time

    Date and time when this profile was last modified.

    User Name

    The username of the user who created or modified the profile.

    Tip: Not all columns might be displayed. To show or hide fields in the Manage Authentication Profiles table, click the down arrow on the field header, select Columns, and select or clear the check box adjacent to the field that you want to show or hide.

    Creating an Authentication Profile

    In Network Director, you can create an Authentication profile to configure methods to be used to authenticate users. You can also specify details about the accounting servers to be used for accounting purposes.

    For an Authentication profile, you must specify the following:

    • A profile name
    • At least one access rule

    After you create an Authentication profile, you can include it in a WLAN profile or a Port profile. The Authentication profile specified in a WLAN profile or a Port profile acts as the default profile for all the users and devices that connect to that WLAN or on the port.

    To create an Authentication profile:

    1. Click in the Network Director banner.
    2. Under Select View, select either Logical View, Location View, Device View or Custom Group View.

      Tip: Do not select Dashboard View, Datacenter View or Topology View.

    3. From the Tasks pane, select the type of network (Wired or Wireless), the appropriate functional area (System, AAA, or Wireless), and select the name of the profile that you want to create. For example, to create a radius profile for a wireless device, click Wireless > AAA > Radius. The Manage Profile page opens.
    4. Click Add to add a new profile.

      If you chose to create a profile for the wired network, Network Director opens the Device Family Chooser window.

      1. From the Device Family Chooser, select the device family for which you want to create a profile. The available device families are Switching (EX), Campus Switching ELS (Enhanced Layer 2 Software), Data Center Switching Non ELS and Data Center Switching ELS.
      2. Click OK.

        The Create Authentication Profile page for the selected device family is displayed.

      If you chose to create a profile for the wireless network, Network Director opens the Create Authentication Profile for Wireless page.

    5. Specify authentication settings by doing one of the following: for a switching profile, follow Specifying Authentication Settings for Switches; for a wireless profile, follow Specifying Authentication Settings for Wireless.
    6. Click Done to save the Authentication profile.

      The system saves the Authentication profile and displays the Manage Authentication Profiles page. Your new or modified Authentication profile is listed in the table of Authentication profiles.

    Specifying Authentication Settings for Switches

    To configure an Authentication profile for switching devices, complete the Create Authentication Profile page settings described in Table 2. Required settings are indicated by a red asterisk (*) that appears next to the field label in the user interface.

    Table 2: Authentication Profile Settings for Switches

    Field

    Action

    Profile Name

    Type the name of the profile.

    You can use up to 64 characters for profiles created for wired devices. The profile name must not contain special characters or spaces. Note that profiles that are automatically created by Network Director as part of device discovery or out-of-band changes might contain the underscore (_) character.

    Description

    Type a short description for the profile.

    802.1X Authenticator

    Enable 802.1X

    802.1X authentication is enabled by default for a switching profile. 802.1X authentication works by using an Authenticator Port Access Entity (the switch) to block all traffic to and from a supplicant (end device) at the port until the supplicant's credentials are presented and matched on the Authentication server (a RADIUS server). When authenticated, the switch stops blocking traffic and opens the port to the supplicant. Network access can be further defined using VLANs.

    Note: If you disable 802.1X authentication, several related settings become unavailable.

    Enable MAC-RADIUS

    Select to enable MAC-RADIUS based authentication for this profile. MAC RADIUS authentication enables LAN access to permitted MAC addresses. When a new MAC address appears on an interface, the switch consults the RADIUS server to check whether the MAC address is a permitted address. If the MAC address is configured on the RADIUS server, the device is allowed access to the LAN.

    Tip: You can combine 802.1X and MAC-RADIUS authentication.

    Supplicant Mode

    Specify the supplicant mode for 802.1X authentication: Single, Multiple, or Single-Secure.

    • Single—Allows only one host for authentication.
    • Single-Secure—Allows only one end device to connect to the port. No other end device can connect until the first logs out.
    • Multiple—Allows multiple hosts for authentication. Each host is checked before being admitted to the network.

    Guest VLAN

    Click Select and then select the VLAN to which an interface is moved when no 802.1X supplicants are connected on the interface. The VLAN specified must already exist on the switch.

    Reject VLAN

    Click Select and then select the VLAN to which an interface is moved when the switch receives an Extensible Authentication Protocol Over LAN (EAPoL) Access-Reject message during the authentication process between the switch and the RADIUS authentication server.

    Server Fail Type

    Specify the server fail fallback action the switch takes when all RADIUS authentication servers are unreachable, either None, Deny, Permit, Use cache, or VLAN Name.

    • Deny—Force fail the supplicant authentication. No traffic will flow through the interface.
    • Permit—Force succeed the supplicant authentication. Traffic will flow through the interface as if it were successfully authenticated by the RADIUS server.
    • Use cache—Force succeed the supplicant authentication only if it was previously authenticated successfully. This action ensures that already authenticated supplicants are not affected.
    • VLAN Name—Move supplicant on the interface to the VLAN specified by this name. This action is allowed only if it is the first supplicant connecting to an interface. If an authenticated supplicant is already connected, then the supplicant is not moved to the VLAN and is not authenticated. If you select this option, also provide a Fail VLAN name.

    Captive Portal

    A Captive Portal is a special web page used for authentication by turning a web browser into an authentication mechanism.

    Enable Captive-Portal

    Enable this option to display the captive portal setting for supplicant mode. When this option is enabled, additional captive portal settings are also available under Advanced Settings.

    Supplicant Mode

    Specify the mode to be used for Captive Portal supplicants, either Single, Multiple, or Single-Secure.

    • Single—Allows only one host for authentication.
    • Multiple—Allows multiple hosts for authentication. Each host is checked before being admitted to the network.
    • Single-Secure—Allows only one end device to connect to the port. No other end device is allowed to connect until the first logs out.
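
    The Server Fail Type choices in Table 2 differ in what an unreachable RADIUS server means for a supplicant, and Permit in particular is a fail-open setting. The following Python model, added here as an illustration and not code from Network Director or Junos, walks one port through a RADIUS outage under each policy so the difference is visible. The Port, Outcome and simulate_outage names, the sample MAC addresses and VLAN names, and the treatment of None as "no fallback action, so the supplicant stays unauthenticated" are constructed assumptions; the page does not define what None does.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class ServerFail(Enum):
    """The Server Fail Type choices listed in Table 2."""
    NONE = "none"
    DENY = "deny"
    PERMIT = "permit"
    USE_CACHE = "use-cache"
    VLAN_NAME = "vlan-name"


@dataclass
class Port:
    """Constructed model of one access port: its data VLAN and the supplicants
    already admitted on it (assumed names, not a Junos data structure)."""
    data_vlan: str
    authenticated: set = field(default_factory=set)


@dataclass(frozen=True)
class Outcome:
    admitted: bool
    vlan: Optional[str]
    reason: str


def server_fail_outcome(policy: ServerFail, port: Port, mac: str,
                        auth_cache: set, fail_vlan: Optional[str] = None) -> Outcome:
    """Decide what happens to supplicant `mac` when every RADIUS server is unreachable.

    `auth_cache` holds MACs the switch authenticated successfully before the outage;
    it is the state the Use cache option consults.
    """
    if policy in (ServerFail.NONE, ServerFail.DENY):
        # Deny: authentication is forced to fail and no traffic flows.
        # None: assumed to leave the supplicant unauthenticated as well.
        return Outcome(False, None, "authentication forced to fail; no traffic on the interface")
    if policy is ServerFail.PERMIT:
        # Fail-open: traffic flows as if RADIUS had accepted the supplicant.
        port.authenticated.add(mac)
        return Outcome(True, port.data_vlan, "authentication forced to succeed (fail-open)")
    if policy is ServerFail.USE_CACHE:
        # Only supplicants that authenticated successfully earlier are kept.
        if mac in auth_cache:
            port.authenticated.add(mac)
            return Outcome(True, port.data_vlan, "previously authenticated supplicant kept")
        return Outcome(False, None, "never authenticated before; stays blocked")
    if policy is ServerFail.VLAN_NAME:
        if fail_vlan is None:
            raise ValueError("VLAN Name requires a Fail VLAN name")
        # Allowed only for the first supplicant on the interface; later arrivals
        # are neither moved nor authenticated while another supplicant is connected.
        if port.authenticated:
            return Outcome(False, None, "another supplicant is already authenticated; not moved, not authenticated")
        port.authenticated.add(mac)
        return Outcome(True, fail_vlan, f"first supplicant on the port moved to fail VLAN {fail_vlan}")
    raise ValueError(f"unknown server fail type {policy}")


def simulate_outage(policy: ServerFail, arrivals, auth_cache: set, fail_vlan: Optional[str] = None):
    """Run a sequence of supplicant arrivals on one fresh port during a RADIUS outage.
    Returns (mac, admitted, vlan) per arrival so the policies can be compared."""
    port = Port(data_vlan="employees")           # constructed VLAN name
    results = []
    for mac in arrivals:
        outcome = server_fail_outcome(policy, port, mac, auth_cache, fail_vlan)
        results.append((mac, outcome.admitted, outcome.vlan))
    return results


# Constructed sample data: the first MAC authenticated before the outage, the second never did.
ARRIVALS = ["00:11:22:33:44:55", "66:77:88:99:aa:bb"]
CACHE = {"00:11:22:33:44:55"}

if __name__ == "__main__":
    for policy in ServerFail:
        print(policy.value, simulate_outage(policy, ARRIVALS, CACHE, fail_vlan="quarantine"))
```

    Running the block prints one line per policy; Permit admits both devices into the employee VLAN with no credential check at all, Use cache admits only the device that had authenticated before, and VLAN Name admits only the first device and only into the fail VLAN.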

    To skip configuring the advanced settings and accept the default settings, click Done. You can now link the Authentication profile to a Port profile. For directions, see Creating and Managing Port Profiles.

    To configure advanced switch settings, click Advanced Settings and enter the Advanced Settings described in Table 3.

    Table 3: Authentication Profile Advanced Settings for Switches

    Field

    Action

    802.1X Settings

    These settings are available only when 802.1X authentication is enabled for this Authentication profile. You can use the default settings or you can change them.

    Transmit Period
    (default is 30 seconds)

    Specify how long, in seconds, the interface waits before retransmitting the initial EAPOL PDUs to the supplicant. The default is 30 seconds.

    Maximum Requests
    (default is 2 requests)

    Specify the maximum number of times an EAPOL request packet is transmitted to the supplicant before the authentication session times out. The default is 2 requests.

    Retries
    (default is 3 retries)

    Specify the number of times you want the switch to attempt to authenticate the port after an initial failure. The port remains in a wait state during the quiet period after the authentication attempt. The default is 3 retries.

    Quiet Period
    (default is 60 seconds)

    Specify the number of seconds the interface remains in the wait state following a failed authentication attempt by a supplicant before reattempting authentication. The default is 60 seconds.

    No Reauthentication
    (default is unselected)

    Select this check box if you do not want the switch to reauthenticate the supplicant after the Quiet Period elapses.

    Reauthentication Interval
    (default is 3600 seconds)

    If the No Reauthentication option is not checked, specify the number of seconds after which the authentication session times out. The default is 3600 seconds.

    Supplicant Timeout
    (default is 30 seconds)

    Specify how long the port waits for a response when relaying a request from the authentication server to the supplicant before resending the request. The default is 30 seconds.

    RADIUS Server Timeout
    (default is 30 seconds)

    Specify the length of time that the switch waits for a response from the RADIUS server. The default is 30 seconds.

    MAC Restrict
    (Switches using MAC RADIUS only)

    When MAC-RADIUS is enabled in this Authentication profile, select this option to restrict authentication to MAC RADIUS only. When MAC-RADIUS restrict is configured, the switch drops all 802.1X packets. This option is useful when no other 802.1X authentication methods, such as guest VLAN, are needed on the interface, and eliminates the delay that occurs while the switch determines that a connected device is a non-802.1X-enabled host.

    Optionally enable Flap-On-Disconnect. When the RADIUS server sends a disconnect message to a supplicant, the switch resets the interface on which the supplicant is authenticated. If the interface is configured for multiple supplicant mode, the switch resets all the supplicants on the specified interface. This option takes effect only when the MAC Restrict option is also set.

    Captive Portal

    If Captive Portal is enabled in this Authentication profile in the basic settings, you can either use the default advanced Captive Portal settings or change them as indicated.

    Quiet Period
    (default is 60 seconds)

    Configure the time, in seconds, between when a user exceeds the maximum number of retries and when they can again attempt to authenticate.

    Range: 1 through 65,535

    Default: 60

    Retries
    (default is 3 retries)

    Configure the number of times the user can attempt to submit authentication information.

    Range: 1 through 65,535

    Default: 3

    Session Expiry
    (default is 3600 seconds)

    Configure the maximum duration in seconds of a session.

    Range: 1 through 65,535

    Default: 3600

    Server Time Out
    (default is 30 seconds)

    Configure the time in seconds an interface will wait for a reply when relaying a response from the client to the authentication server before timing out and invoking the server-fail action.

    Range: 1 through 65,535

    Default: 30

    Click OK.

    The Advanced Settings window closes and you once again see the Create Authentication Profile for Switching page.

    Click Done.

    The Manage Authentication Profiles page reappears with your new Authentication profile listed.

    You can now link the Authentication profile to a Port profile. For more details, see Creating and Managing Port Profiles.

    Specifying Authentication Settings for Wireless

    While configuring an Authentication profile for wireless devices, you define one or more access rules. Each access rule is specific to an access type or authentication mechanism, such as 802.1X, MAC, Web, and open authentication. All authentication mechanisms are supported in a chain and are allowed in any sequence with one exception—Web authentication and Open authentication must not be configured simultaneously in one Authentication profile.

    To configure an Authentication profile for wireless:

    1. Enter the wireless authentication settings described in Table 4. Required settings are indicated by a red asterisk (*) that appears next to the field label in the user interface.

      Table 4: Authentication Profile Wireless Settings

      Field

      Description

      Profile Name

      Type the name of the profile.

      You can use up to 32 characters for profiles created for wireless devices. Profile name must not contain special characters or spaces. Note that profiles that are automatically created by Network Director as part of device discovery or out-of-band changes might contain the underscore (_) character.

      Description

      Type the description of the profile.

    2. Add at least one access rule by clicking Add under Access Rule.

      The Add Access Rules window opens.

    3. Enter the access rule settings described in Table 5. Required settings are indicated by a red asterisk (*) that appears next to the field label in the user interface.

      Table 5: Wireless Access Rule Settings

      Field

      Description

      Access Type

      Select the type of access for the rule, either 802.1X Access (default), MAC Access, Web Access, or Open Access:

      • 802.1X Access—Select to authenticate the client using 802.1X authentication method. For more information, see Understanding the IEEE 802.11 Standard for Wireless Networks.
      • MAC Access—Select to authenticate the client using MAC RADIUS authentication method.
      • Web Access—Select to have the client log in to a web page before granting access to the SSID.
      • Open Access—Select to automatically authenticate the client and enable access to the SSID requested by the client, without requiring a username and password from the client.

        If you select open access as the access type, you must either enable local accounting or specify an Access profile to be able to save the access rule.

      The remaining options in this window vary, depending on which Access Type you choose.

      Matching Glob
      (all)

      Type the user glob for the access rule.

      A user glob is a shorthand method for matching an authentication, authorization, and accounting (AAA) command to either a single user or a set of users.

      A user glob can be up to 80 characters long and cannot include spaces or tabs. The double-asterisk (**) wildcard characters with no delimiter characters match all user names. The single-asterisk (*) wildcard character matches any number of characters up to, but not including, a delimiter character in the glob. Valid user glob delimiter characters are the at (@) sign and the period (.).

      Note: The matching glob value that you specify must be unique and cannot be used for any other access rules within the given authentication profile.

      EAP Type
      (802.1X Access)

      If you selected 802.1X Access, you also need to indicate an EAP type. Extensible Authentication Protocol (EAP) is a generic point-to-point protocol that supports multiple authentication mechanisms. Select the EAP type that you want to use for this access rule:

      • PEAP Offload—Select if you want to offload all EAP processing from server groups. In this case, the RADIUS server is not required to communicate using the EAP protocols.
      • Local EAP-TLS—Select if you want to use a local database to authenticate clients. EAP-TLS provides encryption and data integrity checking for the connection. Local EAP-TLS can only be used with Local Authentication.
      • External Authentication Server (default)—Select if you want to use an external server for authentication.

        Note: If you select to use an external server for authentication, you must not select Enable Local Authentication.

      Enable Authentication

      Selected by default to enable authentication for this access rule.

      Enable Local Authentication

      Select to have users authenticated against the local database on the controller.

      Tip: Network Director displays this check box only if you selected Enable Authentication.

      MAC Prefix
      (MAC Access)

      If MAC Access is the access type, you can enable MAC prefix authentication.

      Enable Accounting

      Select to enable accounting for this access rule and display the accounting settings. Accounting collects and sends information used for billing, auditing, and reporting. Accounting can be done using RADIUS or by using local accounting.

      If Enable Accounting is selected, you can configure these additional accounting parameters:

      • Enable Local Accounting—Select if you want to enable local accounting. If you select local accounting, the accounting information is stored locally on the controller.
      • Record Type—Select the local accounting mode to be used for this access rule:
        • Start-Stop—When this mode is selected, a start record is generated when a user is first connected, and an update record is generated when a user roams from one wireless access point to another. A stop record is generated when a user terminates the session.
        • Stop-Only—When this mode is selected, a stop record is generated when a user terminates the session.

      Access Profile

      Specify an Access profile (default is None) to use for this access rule. Network Director displays the Access Profile field when you have enabled authentication, accounting, or both, for the given access rule. Specify an Access profile for each access rule, unless:

      • Open Access is the access type.
      • 802.1X Access is the access type and Local EAP-TLS is the EAP type.

    4. Click OK to save and add the wireless access rule to the list of access rules in the Create Authentication Profile page. You can create one or more access rules and authenticate each user or device group differently depending on your security policy and requirements.
    5. You can configure a wireless web portal by providing the information listed in Table 6.

      Table 6: Wireless Web Portal Authentication

      Web Portal Settings

      A web portal is a web site that brings information together from diverse sources in a uniform way. The following Web Portal settings are valid only when the corresponding WLAN Service Profile has Fall Through Access set to web-portal. See Creating and Managing a WLAN Service Profile for more information and directions.

      Web Portal Login Page

      Type the name of a Web portal login page, for example, http://www.example.com. Web traffic will be directed to this location for logging into the Web portal. For more information about Web login, see “Configuring Web Portal Web AAA” in the Mobility System Software Configuration Guide.

      Tip: Web Portal settings are valid only when Fall Through Access is set to WEB Portal in a WLAN Service Profile. When you link this Authentication Profile to a WLAN Service Profile with Fall Through Access set to WEB Portal, the settings are used.

      Web Portal Logout

      Optionally, enable Web Portal Logout, and provide the name of the Web Portal Logout Page, for example, http://www.example.com.

    6. Click Done.

      The Manage Authentication Profiles for Wireless (WLC) page reappears with your new wireless Authentication profile listed. You can now link the Authentication profile to a WLAN profile. For more details, see Creating and Managing a WLAN Service Profile.
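
    The Matching Glob field in Table 5 has precise wildcard rules: ** matches every user name, * matches any characters up to but not including the @ and . delimiters, a glob is at most 80 characters with no spaces or tabs, and a glob must be unique within one Authentication profile. The following Python matcher, added here as an illustration and not Network Director or Mobility System Software code, encodes those rules and checks a constructed rule list against sample user names. Treating ** inside a longer glob as matching delimiters too is an assumption, as are the SAMPLE_RULES data and the function names.

```python
import re

DELIMITERS = "@."        # the delimiter characters named on the page
MAX_GLOB_LEN = 80        # the length limit named on the page


def is_valid_user_glob(glob: str) -> bool:
    """A glob is valid when it is non-empty, at most 80 characters, and has no spaces or tabs."""
    return bool(glob) and len(glob) <= MAX_GLOB_LEN and not any(c in glob for c in " \t")


def glob_to_regex(glob: str) -> str:
    """Translate a user glob into a regular expression that is matched against the whole user name."""
    if not is_valid_user_glob(glob):
        raise ValueError(f"invalid user glob: {glob!r}")
    parts = []
    i = 0
    while i < len(glob):
        if glob.startswith("**", i):
            parts.append(".*")                              # ** matches anything, delimiters included (assumption when not the whole glob)
            i += 2
        elif glob[i] == "*":
            parts.append(f"[^{re.escape(DELIMITERS)}]*")    # * stops at the first @ or .
            i += 1
        else:
            parts.append(re.escape(glob[i]))                # every other character matches literally
            i += 1
    return "".join(parts)


def user_glob_matches(glob: str, username: str) -> bool:
    return re.fullmatch(glob_to_regex(glob), username) is not None


def globs_are_unique(rules) -> bool:
    """The page requires each matching glob to be unique within an Authentication profile."""
    globs = [glob for glob, _access_type in rules]
    return len(globs) == len(set(globs))


def matching_rules(rules, username: str):
    """Return the access type of every rule whose glob matches the user name, in listed order.
    Raises if the rule list violates the validity or uniqueness rules."""
    if not globs_are_unique(rules):
        raise ValueError("matching globs must be unique within an Authentication profile")
    return [access_type for glob, access_type in rules if user_glob_matches(glob, username)]


# Constructed sample profile: (matching glob, access type)
SAMPLE_RULES = [
    ("*@corp.example.com", "802.1X Access"),      # plain user names in the corp domain
    ("*.*@corp.example.com", "802.1X Access"),    # first.last style names need a second *
    ("**", "Web Access"),                          # everyone else
]

if __name__ == "__main__":
    for user in ("alice@corp.example.com", "alice.smith@corp.example.com", "guest"):
        print(user, "->", matching_rules(SAMPLE_RULES, user))
```

    The second rule exists because * does not cross a period: `*@corp.example.com` does not match `alice.smith@corp.example.com`, which is easy to overlook when writing rules for names that contain a delimiter.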

    What To Do Next

    After you create an Authentication profile, you can do the following:

    Note: Assigned settings from any profile, including this one, have lower priority than settings made directly to a controller or an access point. For more information, see Adding and Managing an Individual Access Point and Configuring a Controller.

    Modified: 2018-01-24