Network Login; Web-Based, Mac-Based, And 802.1X Authentication - Extreme Networks ExtremeWare XOS Guide Manual

Concepts guide

Security
For ports that have lock-down in effect, the following traffic will still flow to the port:
Packets destined for the permanent MAC and other non-blackholed MAC addresses
Broadcast traffic
EDP traffic
Traffic from the permanent MAC will still flow from the virtual port.
To remove MAC address lock down, use the unlock-learning option from the following command:
configure ports <portlist> vlan <vlan name> [limit-learning <number> | lock-learning | unlimited-learning | unlock-learning]
When you remove the lock down using the unlock-learning option, the learning-limit is reset to
unlimited, and all associated entries in the FDB are flushed.

Network Login

Network login controls the admission of user packets into a network by giving addresses only to users
that are properly authenticated. Network login is controlled on a per-port basis. When network login is
enabled on a port in a VLAN, that port does not forward any packets until authentication takes place.
There are three types of authentication to use with network login (web-based, MAC-based, and 802.1x)
and two modes of operation (Campus mode and ISP mode). The authentication types and modes of
operation can be used in any combination. The following sections describe these choices.
When web-based network login is enabled on a switch port, that port is placed into a non-forwarding
state until authentication takes place. To authenticate, a user (supplicant) must open a web browser and
provide the appropriate credentials. These credentials are either approved, in which case the port is
placed in forwarding mode, or not approved, in which case the port remains blocked.
For 802.1x authentication, three failed login attempts disable the port for a configured length of time.
For both 802.1x and web-based authentication, user logout can be initiated by submitting a logout
request or closing the logout window.
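
The port behaviour described in this section, modelled as a small state machine. This is an added example, not code from the manual or from ExtremeWare XOS; the 60-second hold time, the counter reset rules, and the names NetloginPort, replay and SAMPLE are assumptions.

```python
# Added illustration of the per-port behaviour described above; not ExtremeWare XOS code.
from dataclasses import dataclass

MAX_DOT1X_FAILURES = 3   # from the text: three failed 802.1x attempts
HOLD_SECONDS = 60        # assumed stand-in for the "configured length of time"

@dataclass
class NetloginPort:
    state: str = "blocked"        # blocked (non-forwarding) | forwarding | disabled
    failures: int = 0
    disabled_until: float = 0.0

    def _expire_hold(self, now):
        if self.state == "disabled" and now >= self.disabled_until:
            self.state, self.failures = "blocked", 0   # assumed: counter resets

    def authenticate(self, method, approved, now):
        """Apply one login attempt; `approved` is the credential check's verdict."""
        self._expire_hold(now)
        if self.state == "disabled":
            return self.state                     # attempts ignored during the hold
        if approved:
            self.state, self.failures = "forwarding", 0
        elif method == "dot1x":                   # only 802.1x failures are counted
            self.failures += 1
            if self.failures >= MAX_DOT1X_FAILURES:
                self.state = "disabled"
                self.disabled_until = now + HOLD_SECONDS
        return self.state

    def logout(self, now):
        """Logout request or closed logout window returns the port to blocked."""
        self._expire_hold(now)
        if self.state == "forwarding":
            self.state = "blocked"
        return self.state

def replay(events):
    """Replay (time, action, method, approved) tuples; return the state after each."""
    port = NetloginPort()
    return [port.authenticate(m, ok, t) if act == "login" else port.logout(t)
            for t, act, m, ok in events]

# Constructed sample sequence (not from the manual).
SAMPLE = [(0, "login", "web", False), (1, "login", "dot1x", False),
          (2, "login", "dot1x", False), (3, "login", "dot1x", False),
          (10, "login", "dot1x", True),   # correct credentials, hold still running
          (70, "login", "dot1x", True), (80, "logout", None, None)]
```

In the sample, the correct credentials presented at t=10 are ignored because the port is still disabled, which is the behaviour to expect when reviewing authentication logs after a lockout.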

Web-Based, MAC-based, and 802.1x Authentication

Authentication is handled as a web-based process, or as described in the IEEE 802.1x specification.
Web-based network login does not require any specific client software and can work with any
HTTP-compliant web browser. By contrast, 802.1x authentication may require additional software installed on
the client workstation, making it less suitable for a user walk-up situation, such as a cyber-café or coffee
shop. [1]
Extreme Networks supports a smooth transition from web-based to 802.1x authentication.
MAC-based authentication is used for supplicants that do not support a network login mode, or
supplicants that are not aware of the existence of such a security measure, for example an IP phone.
[1] A workstation running Windows XP supports 802.1x natively and does not require additional
authentication software.
ExtremeWare XOS 11.1 Concepts Guide
