Campus And Isp Modes - Extreme Networks 200 Series Installation And User Manual

Summit 200 series

Network Login
• Supplicants cannot be re-authenticated transparently; they cannot be re-authenticated from the
authenticator side.
• Does not support more secure methods of authentication.
Authentication Methods
The authentication methods supported are a matter between the supplicant (client) and the
authentication server. The most commonly used methods are MD5-Challenge; Transport Layer Security
(TLS), which uses Public Key Infrastructure (PKI) and strong mutual authentication; and Tunneled TLS
(TTLS), which is a Funk/Certicom proposal.
Of the methods mentioned, TLS is so far the most secure. TTLS is advertised to be as
strong as TLS. Both TLS and TTLS are certificate-based, which requires setting up a PKI that can issue,
renew, and revoke certificates. TTLS is preferred from an ease-of-deployment point of view because it
requires only server certificates, and the client can use the MD5 mode of username/password authentication.
If you are using 802.1x authentication, see the documentation for your particular RADIUS server and
802.1x client for information on setting up a PKI configuration.

Campus and ISP Modes

Network login has two modes of operation, Campus mode and ISP mode. Campus mode is meant for
mobile users who tend to move from one port to another and connect at various locations in the
network. ISP mode is meant for users who connect through the same port and VLAN each time, as
though the switch functions as an ISP.
In Campus mode, the authenticated port is moved from a temporary VLAN to a permanent VLAN,
which then has access to external network resources. Campus mode requires the use of a RADIUS
server as part of the authentication process.
In ISP mode, the port and VLAN remain constant. Before the supplicant is authenticated, the port is in
an unauthenticated state. After authentication, the port forwards packets.
User Accounts
You can create two types of user accounts for authenticating network login users: netlogin-only enabled
and netlogin-only disabled. A netlogin-only disabled user can log in using network login and can also
access the switch using Telnet, SSH, or HTTP. A netlogin-only enabled user can only log in using
network login and cannot access the switch using the same login.
Add the following line to the RADIUS server dictionary file for netlogin-only disabled users:
Extreme:Extreme-Netlogin-Only = Disabled
Add the following line to the RADIUS server dictionary file for netlogin-only enabled users:
Extreme:Extreme-Netlogin-Only = Enabled
Table 21 contains the Vendor Specific Attribute (VSA) definitions for web-based network login. See
Table 22 for the equivalent information for 802.1x network login. The Extreme Networks Vendor ID is
1916.
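The following is an added example, not taken from the Extreme Networks manual: a parser that extracts the Extreme-Netlogin-Only VSA (vendor ID 1916) from a RADIUS attribute block, so you can audit whether a reply actually restricts an account to network login. The sub-attribute number 206 and the 0/1 integer encoding are assumptions here; confirm both against Table 21 and Table 22 before relying on them.

```python
import struct

VENDOR_SPECIFIC = 26          # RADIUS attribute type for VSAs (RFC 2865, section 5.26)
EXTREME_VENDOR_ID = 1916      # vendor ID stated in the manual text above
NETLOGIN_ONLY_TYPE = 206      # ASSUMPTION: sub-attribute number; confirm in Table 21/22
NETLOGIN_ONLY = {0: "Disabled", 1: "Enabled"}  # ASSUMPTION: integer encoding


def encode_vsa(vendor_id, vendor_type, value):
    """Build one Vendor-Specific attribute carrying a 32-bit integer value."""
    sub = struct.pack("!BBI", vendor_type, 6, value)
    return struct.pack("!BBI", VENDOR_SPECIFIC, 2 + 4 + len(sub), vendor_id) + sub


def parse_vsas(attrs):
    """Yield (vendor_id, vendor_type, raw_value) from a RADIUS attribute block."""
    pos = 0
    while pos < len(attrs):
        if len(attrs) - pos < 2 or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            raise ValueError("bad attribute length")
        a_type, a_len = attrs[pos], attrs[pos + 1]
        body = attrs[pos + 2:pos + a_len]
        pos += a_len
        if a_type != VENDOR_SPECIFIC:
            continue                      # skip User-Name, Reply-Message, etc.
        if len(body) < 4:
            raise ValueError("VSA too short for vendor id")
        vendor_id = struct.unpack("!I", body[:4])[0]
        sub, i = body[4:], 0
        while i < len(sub):               # a VSA may pack several sub-attributes
            if len(sub) - i < 2 or sub[i + 1] < 2 or i + sub[i + 1] > len(sub):
                raise ValueError("bad sub-attribute length")
            yield vendor_id, sub[i], sub[i + 2:i + sub[i + 1]]
            i += sub[i + 1]


def netlogin_only(attrs):
    """Return 'Enabled'/'Disabled', or None if the reply carries no such VSA."""
    for vendor_id, v_type, raw in parse_vsas(attrs):
        if vendor_id == EXTREME_VENDOR_ID and v_type == NETLOGIN_ONLY_TYPE:
            if len(raw) != 4:
                raise ValueError("Netlogin-Only value must be 4 bytes")
            return NETLOGIN_ONLY.get(struct.unpack("!I", raw)[0], "Unknown")
    return None


# Constructed sample: a User-Name attribute followed by the Extreme VSA.
SAMPLE = bytes([1, 7]) + b"alice" + encode_vsa(EXTREME_VENDOR_ID, NETLOGIN_ONLY_TYPE, 1)
```

A result of None means the reply carries no Extreme-Netlogin-Only attribute, so the account's restriction cannot be confirmed from that reply.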
Summit 200 Series Switch Installation and User Guide

This manual is also suitable for:

Summit 200-24, Summit 200-48
