Motorola WS5100 Series Reference Manual page 126

4-44 WS5100 Series Switch System Reference Guide
access, configure the Radius Server with two attributes: once with value 1 for monitor access and then
with value 2 for the helpdesk role.
Multiple roles can also be defined by configuring the Radius Server with attribute 1 and value 3 (the OR of
monitor value 1 and helpdesk value 2).
NOTE: If user privilege attributes are not defined for the Radius Server, users will be
authenticated with a default privilege role of 1 (Monitor read-only access).
Configuring the User Login Sources
The following recommended Radius Server user login sources specify the location (ssh/telnet/console/Web)
from which users are allowed switch access. If login access permissions are not defined (restricted), users
are allowed to log in from every interface. To define login source access locations:
1. Set the attribute number to 100 and its type as "integer."
2. Define the following possible decimal values for login sources:
a. Set the Console Access value to 128 (user is allowed login privileges only from console).
b. Set the Telnet Access value to 64 (user is allowed login privileges only from a Telnet session).
c. Set the SSH Access value to 32 (user is allowed login privileges only from an ssh session).
d. Set the Web Access value to 16 (user is allowed login privileges only from Web/applet).
3. Specify multiple access sources by using different values. The values can also be ORed and specified
once. For example, if a user needs access from both the console and Web, configure the Radius Server
with the 100 attribute twice, once with value 128 for console and next with value 16 for Web access.
Configuring NAC Server Support
There is an increasing proliferation of insecure devices (laptops, mobile computers, PDAs, smart-phones)
accessing WiFi networks. These devices often lack proper anti-virus software and can potentially infect the
network they access. Device compliance with an organization's security policy must be enforced using NAC.
A typical security compliance check entails verifying the right operating system patches, anti-virus software,
etc.
NAC is a continuous process for evaluating MU credentials, mitigating security issues, admitting MUs to the
network and monitoring MUs for compliance with globally-maintained standards and policies. If an MU is not
in compliance, network access is restricted by quarantining the MU.
Using NAC, the switch hardware and software grants access to specific network devices. NAC performs a
user and MU authorization check for devices without a NAC agent. NAC verifies an MU's compliance with the
switch's security policy. The switch supports only EAP/802.1x NAC. However, the switch provides a means to
bypass NAC authentication for MUs without NAC 802.1x support (printers, phones, PDAs, etc.).
For a NAC configuration example using the switch CLI, see Configuring the NAC Inclusion List on page 4-64
or Configuring the NAC Exclusion List on page 4-68.
• None – NAC disabled, no NAC is conducted. An MU can only be authenticated by a Radius server.
• Do NAC except exclude list – An MU NAC check is conducted except for those in the exclude-list. Devices
in the exclude-list will not have any NAC checks.
• Bypass NAC except include list – An MU NAC check is conducted only for those MUs in the
include-list.
To configure NAC Server support:
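The privilege-role and login-source attribute semantics from the Radius sections above, as an added model of how the switch would interpret a reply (example code written for this page, not Motorola's implementation). It assumes the privilege role is carried in attribute 1 (as the page's "attribute 1 and value 3" implies) and that repeated attributes and ORed values are equivalent, as the page states for attribute 100.

```python
from typing import Dict, Iterable, List, Tuple

PRIV_ATTR = 1          # privilege-role attribute (assumed from "attribute 1 and value 3")
LOGIN_SRC_ATTR = 100   # login-source attribute, integer type (from the page)

ROLES = {1: "monitor", 2: "helpdesk"}                   # values given on the page
SOURCES = {128: "console", 64: "telnet", 32: "ssh", 16: "web"}
ALL_SOURCES = 128 | 64 | 32 | 16


def evaluate_access(reply: Iterable[Tuple[int, int]]) -> Dict[str, List[str]]:
    """Interpret (attribute, value) pairs from an Access-Accept.

    Returns the granted admin roles and the interfaces the user may
    log in from, applying the page's two defaults: no privilege
    attribute -> role 1 (monitor, read-only); no attribute 100 -> all
    login sources allowed.
    """
    priv_mask = 0
    src_mask = 0
    src_seen = False
    for attr, value in reply:
        if attr == PRIV_ATTR:
            priv_mask |= value      # repeating the attribute == ORing the values
        elif attr == LOGIN_SRC_ATTR:
            src_mask |= value
            src_seen = True
    if priv_mask == 0:
        priv_mask = 1               # default privilege role: monitor
    if not src_seen:
        src_mask = ALL_SOURCES      # no restriction defined: every interface
    roles = sorted(n for bit, n in ROLES.items() if priv_mask & bit)
    sources = sorted(n for bit, n in SOURCES.items() if src_mask & bit)
    return {"roles": roles, "sources": sources}


def login_permitted(reply: Iterable[Tuple[int, int]], source: str) -> bool:
    """True if a login attempt from `source` (e.g. "ssh") is allowed."""
    return source in evaluate_access(reply)["sources"]


# Constructed replies for illustration (not captured traffic).
HELPDESK_CONSOLE_WEB = [(1, 1), (1, 2), (100, 128), (100, 16)]  # the page's example
ORED_EQUIVALENT = [(1, 3), (100, 144)]                          # same policy, ORed
NO_ATTRS: List[Tuple[int, int]] = []                            # defaults apply

if __name__ == "__main__":
    print(evaluate_access(HELPDESK_CONSOLE_WEB))
    print(evaluate_access(NO_ATTRS))
```

The empty reply shows the defender-relevant default: a user with no attribute 100 in the reply can reach the switch from every interface, so restrict sources explicitly for any account that should not.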