Authentication Types - Extreme Networks ExtremeWare 7.2e Installation And User Manual

Software version 7.2e

Network Login

Authentication Types

Authentication is handled either as a web-based process or as described in the IEEE 802.1x specification.
The initial release of Network Login by Extreme Networks supported only web-based authentication,
but later releases have supported both types of authentication.
Although somewhat similar in design and purpose, web-based and 802.1x authentication of Network
Login can be considered complementary, with Extreme Networks offering a smooth transition from
web-based to 802.1x authentication. In fact, both web-based and 802.1x can be configured on the same
switch port. The switch can act as the authentication server and authenticate against its local
database of usernames and passwords for web-based authentication, or a RADIUS server can be used as
the authentication server for both web-based and 802.1x authentication.

802.1x Authentication

802.1x will soon be considered the standard for network access authentication. 802.1x authentication
currently requires software installed on the client workstation, making it less suitable for a user walk-up
scenario, such as a cyber-café or coffee shop. 802.1x authentication also requires an Extensible
Authentication Protocol (EAP) capable RADIUS server.
A workstation running Windows XP supports 802.1x natively, and does not require additional
authentication software.
Extreme Networks uses a combination of secure certificates and a RADIUS server to authenticate the user
and configure the switch so that the user is placed on the correct VLAN. When a new user accesses the
network, 802.1x authenticates the user through a RADIUS server to a user in an NT domain. The RADIUS
server checks the groups to which the user belongs and then responds to the switch
with the proper VLAN. The user is then able to connect to all the resources of the appropriate group
after logging in to the network.

Web-Based Authentication

Web-based Network Login does not require any specific client software and can work with any HTTP
compliant web browser.
DHCP is needed for web-based network login because the underlying protocol used to carry
authentication request-response is HTTP. The client needs an IP address to send and receive HTTP
packets. However, before the client is authenticated, the only connection is to the authenticator itself. As
a result, the authenticator must be furnished with a temporary DHCP server to distribute the
IP address.
The DHCP allocation for Network Login has a short lease duration of 10 seconds (default value). It is
intended for performing web-based network login only. As soon as the client is authenticated, it is deprived
of this address. It then has to go to some other DHCP server in the network to obtain a permanent
address, as is normally done. DHCP is not required for 802.1x because 802.1x uses only layer-2 frames
(EAPOL).
URL redirection is a web-based mechanism that redirects any HTTP request to the base URL of the
authenticator while the port is in unauthenticated mode. In other words, when a user tries to log in to
the network using a browser, the browser is first redirected to the Network Login page. Only after a
successful login will the user be connected to the network.
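
The web-based login sequence described above, modelled as an added Python example (not taken from the ExtremeWare manual or from Extreme Networks code). The base URL, the 192.0.2.10 address, the local user table and the choice to drop HTTP once the temporary lease has expired are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

LEASE_SECONDS = 10                          # default temporary lease from the manual
BASE_URL = "http://netlogin.example/login"  # assumed placeholder base URL
TEMP_IP = "192.0.2.10"                      # constructed documentation address
LOCAL_DB = {"alice": "correct horse"}       # constructed local user database


@dataclass
class Port:
    authenticated: bool = False
    temp_ip: Optional[str] = None
    lease_expiry: float = 0.0

    def dhcp_discover(self, now: float):
        """Temporary DHCP server on the authenticator; serves unauthenticated ports only."""
        if self.authenticated:
            return None  # permanent address must come from another DHCP server
        self.temp_ip, self.lease_expiry = TEMP_IP, now + LEASE_SECONDS
        return self.temp_ip, LEASE_SECONDS

    def http_request(self, url: str, now: float, credentials=None):
        """Return (action, target) for one HTTP request arriving on this port."""
        if self.authenticated:
            return ("forward", url)
        if self.temp_ip is None or now >= self.lease_expiry:
            return ("drop", None)  # model assumption: no valid lease, no HTTP
        if url == BASE_URL and credentials is not None:
            user, password = credentials
            expected = LOCAL_DB.get(user)
            # Unknown users fail outright; known users get a constant-time compare.
            if expected is not None and hmac.compare_digest(
                expected.encode(), password.encode()
            ):
                self.authenticated, self.temp_ip = True, None  # temp address withdrawn
                return ("login-ok", None)
            return ("login-failed", BASE_URL)
        return ("redirect", BASE_URL)  # any other URL goes to the login page
```

Walking a port through these calls is a quick way to check that nothing but the login page is reachable before authentication and that the temporary address is gone afterwards.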