Campus And Isp Modes - Extreme Networks ExtremeWare XOS Guide Manual

Concepts guide
Security
Disadvantages of Web-based Authentication:
- The login process involves manipulation of IP addresses and must be done outside the scope of a
  normal computer login process. It is not tied to Windows login. The client must bring up a login
  page and initiate a login.
- Supplicants cannot be re-authenticated transparently. They cannot be re-authenticated from the
  authenticator side.
- This method is not as effective in maintaining privacy protection.

802.1x Authentication Methods

802.1x authentication methods govern interactions between the supplicant (client) and the
authentication server. The most commonly used methods are Transport Layer Security (TLS); Tunneled
TLS (TTLS), which is a Funk/Certicom standards proposal; and PEAP.
TLS is the most secure of the currently available protocols, although TTLS is advertised to be as strong
as TLS. Both TLS and TTLS are certificate-based and require a Public Key Infrastructure (PKI) that can
issue, renew, and revoke certificates. TTLS is easier to deploy, as it requires only server certificates, by
contrast with TLS, which requires client and server certificates. With TTLS, the client can use the MD5
mode of username/password authentication.
If you plan to use 802.1x authentication, refer to the documentation for your particular RADIUS server
and 802.1x client for instructions on setting up a PKI configuration.

Campus and ISP Modes

Network login supports two modes of operation, Campus and ISP. Campus mode is intended for
mobile users who tend to move from one port to another and connect at various locations in the
network. ISP mode is meant for users who connect through the same port and VLAN each time (the
switch functions as an ISP).
In campus mode, the clients are placed into a permanent VLAN following authentication with access to
network resources. For wired ports, the port is moved from the temporary to the permanent VLAN.
In ISP mode, the port and VLAN remain constant. Before the supplicant is authenticated, the port is in
an unauthenticated state. After authentication, the port forwards packets.

User Accounts

You can create two types of user accounts for authenticating network login users: netlogin-only enabled
and netlogin-only disabled. A netlogin-only disabled user can log in using network login and can also
access the switch using Telnet or SSH. A netlogin-only enabled user can only log in using network login
and cannot access the switch using the same login.
Add the following line to the RADIUS server dictionary file for netlogin-only disabled users:
Extreme:Extreme-Netlogin-Only = Disabled
Add the following line to the RADIUS server dictionary file for netlogin-only enabled users:
Extreme:Extreme-Netlogin-Only = Enabled
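
The following audit sketch is an added example, not part of the Extreme Networks guide. It reports which accounts carry Extreme-Netlogin-Only = Disabled (usable for Telnet or SSH access to the switch as well as network login) and which carry no setting at all. The file layout (user name in column 0, attributes indented beneath it), the user names, and the function names are assumptions; only the two attribute lines come from the guide.

```python
import re

# Constructed sample in an assumed layout: user name in column 0, attribute
# lines indented beneath it. Only the Extreme-Netlogin-Only lines are taken
# from the guide; every name and other attribute here is made up.
SAMPLE = """\
# constructed sample data
alice
        Extreme:Extreme-Netlogin-Only = Enabled

netadmin
        Extreme:Extreme-Netlogin-Only = Disabled

bob
        Session-Timeout = 3600
"""

ATTR = re.compile(r"Extreme:Extreme-Netlogin-Only\s*=\s*(\w+)", re.IGNORECASE)

def netlogin_only_by_user(text):
    """Map each user to 'enabled', 'disabled', or None when the attribute is absent."""
    users, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():              # column 0 starts a new user entry
            current = line.split()[0]
            users[current] = None
        match = ATTR.search(line)
        if match and current is not None:
            users[current] = match.group(1).lower()
    return users

def audit(text):
    """Group accounts that are not explicitly restricted to network login."""
    settings = netlogin_only_by_user(text)
    return {
        # Explicitly allowed to reach the switch over Telnet or SSH as well.
        "switch_access": sorted(u for u, v in settings.items() if v == "disabled"),
        # The guide does not state a default, so unset entries go to review.
        "unset": sorted(u for u, v in settings.items() if v is None),
    }

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Every name under switch_access should correspond to someone who is meant to manage the switch; anything under unset needs an explicit value.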
ExtremeWare XOS 11.1 Concepts Guide