Creating and Managing Authentication Profiles
Use the Manage Authentication Profiles page to create new Authentication profiles and to view, edit, clone, or delete existing ones.
To display the Manage Authentication Profiles page: In Build mode, select Authentication from Profile and Configuration Management in the Tasks pane. The Manage Authentication Profiles page appears.
This topic describes managing Authentication profiles, creating an Authentication profile, specifying authentication settings for switches, and what to do next.
Managing Authentication Profiles
From the Manage Authentication Profiles page, you can:
Create a new Authentication profile by clicking Add. For directions, see Creating an Authentication Profile.
Modify an existing profile by selecting it and clicking Edit.
View information about a profile, including the interfaces it is associated with, by clicking the profile name or by selecting the profile and clicking Details.
Delete an Authentication profile by selecting a profile and clicking Delete.
You cannot delete profiles that are in use—that is, assigned to objects or used by other profiles. To see the current assignments for a profile, select the profile and click Details.
Clone a profile by selecting a profile and clicking Clone.
Table 1 describes the information provided about Authentication profiles on the Manage Authentication Profiles page. This page lists all Authentication profiles defined for your network, regardless of the scope you selected in the network view.
Table 1: Manage Authentication Profile Fields
Name given to the profile when the profile was created.
The device family for which the profile was created.
Description of the profile that was entered when the profile was created.
Tip: To display the entire description, you might need to resize the Description column by clicking the column border in the heading and dragging it.
Date and time when this profile was created.
Date and time when this profile was last modified.
The username of the user who created or modified the profile.
All columns might not be displayed. To show or hide fields in the Manage Authentication Profiles table, click the down arrow on the field header, select Columns, and select or clear the check box adjacent to the field that you want to show or hide.
Creating an Authentication Profile
In Network Director, you can create an Authentication profile to configure methods to be used to authenticate users. You can also specify details about the accounting servers to be used for accounting purposes.
For an Authentication profile, you must specify the following:
A profile name
At least one access rule
After you create an Authentication profile, you can include it in a Port profile. The Authentication profile specified in a Port profile acts as the default profile for all the users and devices that connect to the port.
To create an Authentication profile:
- Switch to Build mode from the Network Director banner.
- Under Select View, select either Logical View, Location View, Device View, or Custom
Do not select Dashboard View or Topology View.
- From the Tasks pane, select the type of network (Wired), the appropriate functional area (System or AAA), and then the type of profile that you want to create. For example, to create an Authentication profile for a wired device, click Wired > Profiles > Authentication. The Manage Authentication Profiles page opens.
- Click Add to add a new profile.
If you chose to create a profile for the wired network, Network Director opens the Device Family Chooser window.
- From the Device Family Chooser, select the device family for which you want to create a profile. The available device families are Switching (EX), Campus Switching ELS (Enhanced Layer 2 Software), and Data Center Switching ELS.
- Click OK.
The Create Authentication Profile page for the selected device family is displayed.
- Specify authentication settings. For EX Series switches and Campus Switching Enhanced Layer 2 Software, specify the settings as described in Specifying Authentication Settings for Switches.
- Click Done to save the Authentication profile.
The system saves the Authentication profile and displays the Manage Authentication Profiles page. Your new or modified Authentication profile is listed in the table of Authentication profiles.
Specifying Authentication Settings for Switches
To configure an Authentication profile for switching devices, enter the Create Authentication Profile page settings described in Table 2 for creating Authentication profiles on switches. Required settings are indicated by a red asterisk (*) that appears next to the field label in the user interface.
Table 2: Authentication Profile Settings for Switches
Type the name of the profile.
You can use up to 64 characters for profiles created for wired devices. The profile name must not contain special characters or spaces. Note that profiles that Network Director creates automatically as part of device discovery or out-of-band changes may contain the underscore (_) character.
Type a short description for the profile.
802.1X authentication is enabled by default for a switching profile. With 802.1X, the switch acts as the authenticator port access entity and blocks all traffic to and from a supplicant (end device) on the port until the supplicant presents credentials that the authentication server (a RADIUS server) accepts. Once the supplicant is authenticated, the switch stops blocking traffic and opens the port to it. VLAN assignment (for example, the guest and server-reject VLANs described below) can further restrict what the port can reach.
Note: If you disable 802.1X authentication, several related settings become unavailable.
Select to enable MAC-RADIUS based authentication for this profile. MAC RADIUS authentication enables LAN access to permitted MAC addresses. When a new MAC address appears on an interface, the switch consults the RADIUS server to check whether the MAC address is a permitted address. If the MAC address is configured on the RADIUS server, the device is allowed access to the LAN.
Tip: You can combine 802.1X and MAC-RADIUS authentication.
Specify the mode authentication supplicants use, either Single, Multiple, or Single-Secure. In Single mode, only the first supplicant on the port is authenticated; any device that connects to the port afterward is admitted without authenticating, so use it only where exactly one host can be attached. Single-Secure admits only one supplicant and denies any other device that connects later. Multiple authenticates each connected device separately and is the usual choice for a port with a phone and a PC or other daisy-chained hosts.
Click Select and then select the guest VLAN, that is, the VLAN to which an interface is moved when a connected device does not respond to 802.1X (a host with no supplicant). The VLAN specified must already exist on the switch. Devices in the guest VLAN have not authenticated, so that VLAN should be isolated from trusted networks.
Click Select and then select the server-reject VLAN, that is, the VLAN to which an interface is moved when the RADIUS authentication server returns an Access-Reject during the authentication exchange (the switch then signals EAP failure to the supplicant). Like the guest VLAN, this VLAN grants access to a device that failed to authenticate and should be a restricted network.
Server Fail Type
Specify the server fail fallback action the switch takes when all RADIUS authentication servers are unreachable, either None, Deny, Permit, Use cache, or VLAN Name. Permit is fail-open: any device that attempts to authenticate while the servers are down is granted access. Prefer Deny, or Use cache (which readmits only supplicants that authenticated successfully before the outage), unless availability outweighs access control on that port. VLAN Name moves such supplicants into the named VLAN, which should be a restricted network.
A captive portal authenticates a user through a web page: the switch redirects the user's browser to a login page, and the client is granted access only after the submitted credentials are accepted.
Enable this option to display the captive portal supplicant mode setting. When this option is enabled, additional captive portal settings also become available under Advanced Settings.
Specify the mode to be used for Captive Portal supplicants, either Single, Multiple, or Single-Secure. The modes have the same meaning as for 802.1X supplicants.
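The 802.1X and MAC-RADIUS descriptions above both end with "the switch consults the RADIUS server". The following Python is an added example, not code from Network Director or Junos, showing what that consultation looks like on the wire for MAC-RADIUS: the switch's RADIUS Access-Request (RFC 2865) for a newly seen MAC address, the User-Password hiding the protocol requires, and the server-side decoding and accept/reject decision. It assumes the common vendor default of using the MAC address, lowercase without separators, as both User-Name and User-Password, and a dashed MAC in Calling-Station-Id; the shared secret, NAS address, NAS port, and MAC are constructed sample values.

```python
"""RADIUS Access-Request for MAC RADIUS authentication (RFC 2865).
Added example, not Network Director or Junos code. Assumed: User-Name and
User-Password are the MAC in lowercase hex without separators (a common default),
Calling-Station-Id is dashed; secret, NAS address/port and MAC are constructed."""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT = 5
ATTR_CALLING_STATION_ID = 31

def mac_identity(mac: str) -> str:
    """Normalise '00:1B:44:11:3A:B7' or '001b.4411.3ab7' to '001b44113ab7'."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: NUL-pad to 16n bytes, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password (server side); strips the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")

def attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_mac_radius_request(mac, secret, nas_ip, nas_port, identifier, authenticator=None):
    """What the switch sends when a new MAC address appears on a MAC-RADIUS interface."""
    authenticator = authenticator or os.urandom(16)   # fresh 16 random bytes per request
    ident = mac_identity(mac)
    dashed = "-".join(ident[i:i + 2] for i in range(0, 12, 2))
    attrs = (attribute(ATTR_USER_NAME, ident.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(ident.encode(), secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attribute(ATTR_NAS_PORT, struct.pack("!I", nas_port))
             + attribute(ATTR_CALLING_STATION_ID, dashed.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs

def parse_request(packet: bytes, secret: bytes):
    """Server side: check framing, walk the TLVs defensively, recover the password."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("bad code or length")
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:           # truncated or overlong TLV
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + alen]
        pos += alen
    user = attrs[ATTR_USER_NAME].decode()
    password = unhide_password(attrs[ATTR_USER_PASSWORD], secret, authenticator).decode()
    return identifier, user, password, attrs

def mac_radius_decision(user: str, password: str, permitted_macs) -> str:
    """The server's check: the MAC must be permitted and the password must match it."""
    return "Access-Accept" if user in permitted_macs and password == user else "Access-Reject"

if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    pkt = build_mac_radius_request("00:1B:44:11:3A:B7", secret, "192.0.2.10", 516, 7)
    _, user, password, _ = parse_request(pkt, secret)
    print(user, mac_radius_decision(user, password, {"001b44113ab7"}))
```

Two things the exchange makes visible: the only "credential" is the MAC address, which any host can set, so MAC-RADIUS is an allowlist rather than authentication and belongs with a restricted VLAN; and User-Password hiding is an MD5 keystream keyed with the shared secret, so the switch-to-RADIUS path itself needs protection (a dedicated management network, or RADIUS over IPsec or TLS) and a strong shared secret.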
To skip configuring the advanced settings and accept the default settings, click Done. You can now link the Authentication profile to a Port profile. For directions, see Creating and Managing Port Profiles.
To configure advanced switch settings, click Advanced Settings and enter the Advanced Settings described in Table 3.
Table 3: Authentication Profile Advanced Settings for Switches
These settings are available only when 802.1X authentication is enabled for this Authentication profile. You can use the default settings or you can change them.
Specify how long, in seconds, the interface waits before retransmitting the initial EAPOL PDUs to the supplicant. The default is 30 seconds.
Specify the maximum number of times an EAPOL request packet is transmitted to the supplicant before the authentication session times out. The default is 2 requests.
Specify the number of times you want the switch to attempt to authenticate the port after an initial failure. The port remains in a wait state during the quiet period after the authentication attempt. The default is 3 retries.
Specify the number of seconds the interface remains in the wait state following a failed authentication attempt by a supplicant before reattempting authentication. The default is 60 seconds.
Select this check box if you do not want the switch to periodically reauthenticate a supplicant after its session has been established. Without reauthentication, a session stays valid until the link goes down or the session is otherwise terminated, so a device whose credentials are revoked in the meantime keeps its access.
If the No Reauthentication option is not checked, specify the number of seconds after which an authenticated session expires and the supplicant must reauthenticate. The default is 3600 seconds.
Specify how long the port waits for a response when relaying a request from the authentication server to the supplicant before resending the request. The default is 30 seconds.
RADIUS Server Timeout
Specify the length of time that the switch waits for a response from the RADIUS server. The default is 30 seconds.
When MAC-RADIUS is enabled in this Authentication profile, select this option to restrict authentication to MAC RADIUS only. When MAC-RADIUS restrict is configured, the switch drops all 802.1X packets. This option is useful when no other 802.1X authentication methods, such as guest VLAN, are needed on the interface, and eliminates the delay that occurs while the switch determines that a connected device is a non-802.1X-enabled host.
Optionally enable Flap-On-Disconnect. When the RADIUS server sends a disconnect message to a supplicant, the switch resets the interface on which the supplicant is authenticated. If the interface is configured for multiple supplicant mode, the switch resets all the supplicants on the specified interface. This option takes effect only when the MAC Restrict option is also set.
If Captive Portal is enabled in this Authentication profile in the basic settings, you can either use the default advanced Captive Portal settings or change them as indicated.
Configure the time, in seconds, between when a user exceeds the maximum number of retries and when they can again attempt to authenticate.
Range: 1 through 65,535
Configure the number of times the user can attempt to submit authentication information.
Range: 1 through 65,535
Configure the maximum duration in seconds of a session.
Range: 1 through 65,535
Server Time Out
Configure the time in seconds that an interface waits for a reply when relaying a response from the client to the authentication server before timing out and invoking the server-fail action.
Range: 1 through 65,535
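The settings in Table 2 and Table 3 are easiest to reason about as one whole profile. The following Python is an added example, not Network Director code: it models the basic and advanced switch settings, audits a profile for the fail-open and no-effect combinations the tables describe (Permit as the server fail action, Single supplicant mode, MAC-RADIUS without 802.1X, No Reauthentication, Flap-On-Disconnect without MAC Restrict), and renders the equivalent Junos set statements for an interface. The field names, the severities, and the field-to-statement mapping are my assumptions about what the profile pushes, not a verbatim Network Director rendering; the interface and VLAN names and the two sample profiles are constructed.

```python
"""Audit an Authentication profile (Table 2 and Table 3 settings) and render the
equivalent Junos 'set' statements. Added example, not Network Director code.
Field names, severities and the statement mapping are my assumptions; the
interface name, VLAN names and sample profiles are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SUPPLICANT_MODES = ("single", "multiple", "single-secure")
SERVER_FAIL_ACTIONS = ("none", "deny", "permit", "use-cache", "vlan-name")
Finding = Tuple[str, str]          # (severity, message)

@dataclass
class AuthProfile:
    """One profile; defaults are the page's defaults (802.1X on, 30/2/3/60/3600/30/30)."""
    name: str
    dot1x: bool = True
    mac_radius: bool = False
    supplicant_mode: str = "single"
    guest_vlan: Optional[str] = None
    server_reject_vlan: Optional[str] = None
    server_fail: str = "none"
    server_fail_vlan: Optional[str] = None
    transmit_period: int = 30
    maximum_requests: int = 2
    retries: int = 3
    quiet_period: int = 60
    no_reauthentication: bool = False
    reauthentication: int = 3600
    supplicant_timeout: int = 30
    server_timeout: int = 30
    mac_radius_restrict: bool = False
    flap_on_disconnect: bool = False

def audit(p: AuthProfile) -> List[Finding]:
    """Flag invalid, fail-open and no-effect combinations of the settings."""
    rules = [
        (p.supplicant_mode not in SUPPLICANT_MODES, "ERROR",
         f"unknown supplicant mode {p.supplicant_mode!r}"),
        (p.server_fail not in SERVER_FAIL_ACTIONS, "ERROR",
         f"unknown server-fail action {p.server_fail!r}"),
        (p.server_fail == "vlan-name" and not p.server_fail_vlan, "ERROR",
         "server-fail 'vlan-name' needs a VLAN name"),
        (p.server_fail == "permit", "HIGH",
         "server-fail permit is fail-open: any device is admitted while all RADIUS servers are unreachable"),
        (p.dot1x and p.supplicant_mode == "single", "MEDIUM",
         "single mode authenticates only the first supplicant; later devices on the port get access without authenticating"),
        (p.mac_radius and not p.dot1x, "MEDIUM",
         "MAC-RADIUS only: the credential is a MAC address, which any host can spoof"),
        (p.no_reauthentication, "MEDIUM",
         "no reauthentication: a session is never re-verified until the link drops"),
        (p.mac_radius_restrict and not p.mac_radius, "WARN",
         "MAC-RADIUS restrict has no effect without MAC-RADIUS"),
        (p.mac_radius_restrict and p.dot1x, "WARN",
         "MAC-RADIUS restrict drops all 802.1X packets; 802.1X supplicants cannot authenticate"),
        (p.flap_on_disconnect and not p.mac_radius_restrict, "WARN",
         "flap-on-disconnect takes effect only with MAC-RADIUS restrict"),
        (bool(p.guest_vlan), "INFO",
         f"non-802.1X hosts get unauthenticated access to VLAN {p.guest_vlan!r}"),
        (bool(p.server_reject_vlan), "INFO",
         f"hosts that fail authentication are placed in VLAN {p.server_reject_vlan!r}"),
    ]
    return [(sev, msg) for cond, sev, msg in rules if cond]

def is_acceptable(p: AuthProfile) -> bool:
    """A profile passes when it has no ERROR or HIGH finding."""
    return not any(sev in ("ERROR", "HIGH") for sev, _ in audit(p))

def render_junos(p: AuthProfile, ifname: str) -> List[str]:
    """Junos statements under [edit protocols dot1x authenticator interface <ifname>]
    (my mapping of the profile fields, not Network Director's own output)."""
    base = f"set protocols dot1x authenticator interface {ifname}"
    out = [f"{base} supplicant {p.supplicant_mode}"]
    if p.mac_radius:
        out.append(f"{base} mac-radius")
        if p.mac_radius_restrict:
            out.append(f"{base} mac-radius restrict")
        if p.flap_on_disconnect:
            out.append(f"{base} mac-radius flap-on-disconnect")
    if p.guest_vlan:
        out.append(f"{base} guest-vlan {p.guest_vlan}")
    if p.server_reject_vlan:
        out.append(f"{base} server-reject-vlan {p.server_reject_vlan}")
    if p.server_fail == "vlan-name":
        out.append(f"{base} server-fail vlan-name {p.server_fail_vlan}")
    elif p.server_fail != "none":
        out.append(f"{base} server-fail {p.server_fail}")
    if p.dot1x:                       # Table 3 timers apply only with 802.1X enabled
        for stmt, val in (("transmit-period", p.transmit_period),
                          ("maximum-requests", p.maximum_requests), ("retries", p.retries),
                          ("quiet-period", p.quiet_period),
                          ("supplicant-timeout", p.supplicant_timeout),
                          ("server-timeout", p.server_timeout)):
            out.append(f"{base} {stmt} {val}")
        out.append(f"{base} no-reauthentication" if p.no_reauthentication
                   else f"{base} reauthentication {p.reauthentication}")
    return out

# Constructed profiles: a fail-open one beside a hardened one.
WEAK = AuthProfile("weak-access", server_fail="permit", no_reauthentication=True)
HARDENED = AuthProfile("hardened-access", supplicant_mode="single-secure",
                       server_fail="deny", server_reject_vlan="quarantine")

if __name__ == "__main__":
    for prof in (WEAK, HARDENED):
        print(f"== {prof.name}: {'acceptable' if is_acceptable(prof) else 'NOT acceptable'}")
        for sev, msg in audit(prof):
            print(f"  [{sev}] {msg}")
        print("\n".join(render_junos(prof, "ge-0/0/1.0")))
```

The rendered statements are the ones to compare against `show configuration protocols dot1x` on the switch after the Port profile is deployed; a difference between what the audit passed and what the device runs is the finding that matters.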
When you save the advanced settings, the Advanced Settings window closes and you once again see the Create Authentication Profile for Switching page.
After you click Done, the Manage Authentication Profiles page reappears with your new Authentication profile listed.
You can now link the Authentication profile to a Port profile. For more details, see Creating and Managing Port Profiles.
What To Do Next
After you create an Authentication profile, you can do the following:
For switching devices, link the Authentication profile to a Port profile. For more details, see Creating and Managing Port Profiles.