Port Web Authentication (Pwa); Multi-User And Multiauth Authentication - Enterasys C5G124-24 Configuration Manual

Fixed switch platforms
devices that do not support 802.1x or web authentication. Since MAC-based authentication
authenticates the device, not the user, and is subject to MAC address spoofing attacks, it should
not be considered a secure authentication method. However, it does provide a level of
authentication for a device where otherwise none would be possible.
The stackable fixed switch and standalone fixed switch devices support MAC-based
authentication.

Port Web Authentication (PWA)

Port Web Authentication (PWA) authenticates a user to the network through a web browser login.
To log in using PWA, a user opens a web browser and requests a URL that either directly accesses
the PWA login page or is automatically redirected to the login page. At the PWA login page, the
user enters a login username and password. On the
switch, either the Challenge Handshake Authentication Protocol (CHAP) or the Password
Authentication Protocol (PAP) verifies the username and password credentials provided to the
authentication server. If the credentials are validated, the authentication server returns a RADIUS
Accept message, optionally containing Filter-ID or tunnel attributes, to the switch.
PAP uses an unencrypted password. CHAP uses the password to generate a digest that is
transmitted to the authentication server. If RADIUS determines that the digest matches the digest
generated on the authentication server, access is granted. The acceptance message back to the
switch can contain any Filter-ID attribute configured on the authentication server, allowing policy
to be applied for the authenticating user.
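
The CHAP digest comparison described above, as an added example (not code from the Enterasys manual or switch firmware). It follows the RFC 1994 / RFC 2865 definition of the CHAP response, MD5 over the CHAP identifier, the password and the challenge; the function names and the sample password are constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(identifier || password || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def chap_password_attr(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """Value of the RADIUS CHAP-Password attribute: 1-byte id + 16-byte digest."""
    return bytes([chap_id]) + chap_response(chap_id, password, challenge)


def server_verify(attr_value: bytes, challenge: bytes, stored_password: bytes) -> bool:
    """Authentication-server side: recompute the digest and compare."""
    if len(attr_value) != 17:          # malformed or truncated attribute
        return False
    chap_id, received = attr_value[0], attr_value[1:]
    expected = chap_response(chap_id, stored_password, challenge)
    return hmac.compare_digest(received, expected)   # constant-time compare


def demo() -> dict:
    stored = b"correct horse"          # constructed sample password
    challenge = os.urandom(16)         # fresh challenge for this login
    good = chap_password_attr(7, stored, challenge)
    bad = chap_password_attr(7, b"wrong guess", challenge)
    return {
        "accept_valid": server_verify(good, challenge, stored),
        "reject_wrong_password": server_verify(bad, challenge, stored),
        # The same response presented against a different challenge fails.
        "reject_replay": server_verify(good, os.urandom(16), stored),
        "reject_truncated": server_verify(good[:10], challenge, stored),
        # Unlike PAP, the password itself is not in the transmitted value.
        "password_on_wire": stored in good,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

To recompute the digest, the authentication server must hold the password in recoverable form, and a response is only valid for the challenge it was computed against.
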
PWA enhanced mode is supported. PWA enhanced mode allows a user on an unauthenticated
PWA port to enter any URL into the browser and be presented with the PWA login page on their
initial web access. When enhanced mode is disabled, a user must enter the correct URL to access
the login page.
The A4, B-Series, and C-Series stackable fixed switches, and the standalone fixed switches support
PWA.
Note: For stackable and standalone fixed switches:
• One user per PWA-configured port can be authenticated
• PWA authentication supports RFC 3580 VLAN authorization on A4, B3, B5, C3, C5, G-Series,
and I-Series devices

Multi-User And MultiAuth Authentication

This section discusses multi-user and MultiAuth authentication. Multi-user and MultiAuth are
separate concepts.
• Multi-user authentication refers to the ability to authenticate multiple users and devices on
the same port, with each user or device being provided the appropriate level of network
resources based upon policy.
• MultiAuth authentication refers to the ability of a single or multiple user(s), device(s), or
port(s) to successfully authenticate using multiple authentication methods at the same time,
such as 802.1x, PWA, and MAC, with precedence determining which authentication method is
actually applied to that user, device, or port.
Note: Multi-user authentication is not supported on the A4 or I-Series platforms.
A limited form of multi-user authentication, called "User + IP Phone," is supported on the A4. See
"User + IP Phone" on page 10-5 for more information.
User Authentication Overview
Fixed Switch Configuration Guide 10-3
