Table of Contents
Advertisement
Configuring Multiple Authentication Methods
About Multiple Authentication Types
When enabled, multiple authentication types allow users to authenticate using more than one
method on the same port. In order for multiple authentication to function on the device, each
possible method of authentication (MAC authentication, 802.1X, PWA) must be enabled globally
and configured appropriately on the desired ports with its corresponding command set described
in this chapter.
Multiple authentication mode must be globally enabled on the device using the set multiauth
mode command.
Configuring Multi-User Authentication (User + IP phone)
The User + IP phone multi‐user authentication feature allows a user and their IP phone to both use
a single port on the D2 but to have separate policy roles.
ʺUser + IP Phoneʺ Authentication on the D‐Series is implemented by assigning an ingressed
packet received on a port to a policy role based on the VLAN the packet was assigned to, and not
the packetʹs source MAC address. Therefore, on a port configured for User + IP Phone
Authentication, there exists two different VLAN‐to‐policy role mappings.
The policy role for the IP phone is statically mapped using the VLAN‐to‐policy mapping feature
which assigns any packets received with a VLAN tag set to a specific VID (for example, Voice
VLAN) to an indicated policy role (for example, IP Phone policy role). Therefore, it is required that
IP phone is configured to send VLAN tagged packets to the "Voice" VLAN.
The second policy role, for the user, can either be statically configured with the default policy role
on the port or dynamically assigned through authentication to the network. When the default
policy role is assigned on a port, the VLAN set as the portʹs PVID is mapped to the default policy
role. When a policy role is dynamically applied to a port as the result of a successfully
authenticated session, the "authenticated VLAN" is mapped to the policy role set in the Filter‐ID
returned from the RADIUS server. The "authenticated VLAN" may either be the PVID of the port,
if the PVID Override for the policy profile is disabled, or the VLAN specified in the PVID Override
if the PVID Override is enabled.
Commands
For information about...
show multiauth
set multiauth mode
clear multiauth mode
Note: D2 devices support up to two authenticated users per port.
Note: The only Multi-User Authentication supported on the D2 is User + IP phone. The IP phone
and the user may authenticate using 802.1x or MAC authentication.
Configuring Multiple Authentication Methods
Refer to page...
17-34
17-35
17-35
Enterasys D-Series CLI Reference 17-33
- Quick Links:
- Starting a Cli Session
Hide quick links:
Advertisement
Table of Contents
