Configuring Port Web Authentication (Pwa); About Pwa - Enterasys Matrix DFE-Gold Series Configuration Manual

clear dot1x auth-config

Configuring Port Web Authentication (PWA)

About PWA

PWA provides a way of authenticating users before allowing general access to the network. A
PWA user's access to the network is restricted until after the user successfully logs in via a web
browser using the Enterasys Matrix Series web‐based security interface. The Enterasys Matrix
Series device will validate all login credential from the user with a RADIUS server before allowing
network access.
PWA is an alternative to 802.1X and MAC authentication. It allows only the essential protocols
and services required by the authentication process between the end‐station and the network. All
other traffic is discarded. When a user is in the unauthenticated state, any user traffic requesting
network resources will not be allowed.
To log on using PWA, the user makes a request via a web browser for the PWA web page or is
automatically redirected to this login page after requesting a URL in a browser.
Depending upon the authenticated state of the user, a login page or a logout page will display.
When a user submits username and password, the switch then authenticates the user via a
preconfigured RADIUS server. If the login is successful, then the user will be granted full network
access according to the user's policy configuration on the switch.
PWA Configuration Considerations
In order to optimize PWA authentication on the Enterasys Matrix Series device, the device must be
configured to satisfy the minimum requirements of an authenticating client needing to send an
HTTP request with its web browser. Typically, the client will need DNS and ARP resolution before
it can generate the HTTP request needed to do a PWA login. Also, DHCP may be needed in many
environments. These services are not provided by PWA and must be provided by the network. To
accomplish this, the device must be configured to allow access to the needed services.
The first step is to make sure that the multiple authentication port mode settings are set to "auth‐
opt" on all ports that are configured to run PWA.
Examples
This example shows how to set the multiple authentication port mode to "auth‐opt" for all Fast
Ethernet ports in the chassis or standalone device:
Matrix(rw)->set multiauth port mode auth-opt fe.*.*
For details on using the set multiauth port command, refer to "set multiauth port" on page 27‐6.
Setting the port mode in this fashion will allow traffic to flow through the port without
authentication according to its configuration. By default, this would allow all traffic to be
forwarded. Conversely, you could configure the ports to drop all traffic, but this is not the most
effective solution. Better yet would be to configure the port to provide only the minimal services
and nothing more. The most powerful tool for accomplishing this goal is policy configuration.
Policies provide the flexibility needed to tailor these services to the configuration and security
needs of your environment.
This example shows how to configure a policy profile that will discard all traffic by default:
Matrix(rw)->set policy profile 1 name "Unauthenticated User" pvid 0 pvid-status
enable
This example shows how to configure policy profile rule 1 that will enable the selective services
required for PWA. This rule will:
• forward ARP requests,
Configuring Port Web Authentication (PWA)
Enterasys Matrix DFE-Gold Series Configuration Guide 25-11