Authentication Configuration Guide


Authentication is the process by which end users identify themselves to the network and are given customized access capabilities based on the role they serve in the organization. Policy Manager uses a RADIUS server and an authentication-enabled device to dynamically assign a policy (role) to a port, based on the end user's login or MAC address.

Policy Manager supports the following types of authentication: Web-based, 802.1X, MAC, CEP, Quarantine, and Auto Tracking. (For more information on each type, see the Authentication section in the Policy Manager Concepts Help topic.) This guide presents steps for configuring the various components required for authentication, and, if necessary, refers you to additional configuration supplements that provide information specific to the different types of authentication.

Some devices support multiple authentication types and multiple users (Multi-User Authentication) per port, while others are restricted to only one or two authentication types and single users per port (Single User Authentication). Refer to the NetSight Firmware Support tables for information on the authentication types supported by each device type.

While most of the main configuration tasks can be performed in any order, the recommended sequence is below. When you have completed the configuration tasks, a test user should be able to authenticate on the network and be assigned the correct role.

In order to configure your setup for authentication, you will need the following components:

  • NetSight Policy Manager
  • RADIUS authentication server and user interface
  • Policy-enabled devices (switches)
  • Hardware for running Policy Manager and the RADIUS Server

You may already have these components installed and running, but you should read all the sections of this document anyway, as they contain information that will help you to configure them for use with Policy Manager. You may want to perform your initial configuration in a test environment before deploying it on your network.

  NOTES:
  Configuring Windows Server 2008
  Users of Windows Server 2008 should read this Authentication Configuration Guide, but should follow the steps in Configuring a Windows Server 2008 for RADIUS Authentication for instructions on installing and configuring the RADIUS server.
  Configuring Windows 2000 Advanced Server and Windows Server 2003
  Users of Windows 2000 Advanced Server and Windows Server 2003 should read this Authentication Configuration Guide, but should follow the steps in Configuring a Windows Server 2000 or 2003 for RADIUS Authentication for instructions on installing and configuring the RADIUS server.
  Configuring Windows 2000
  Windows 2000 users who plan to utilize Funk Software Inc.'s Steel-Belted RADIUS should consult Funk's website www.funk.com for assistance in setting up Steel-Belted RADIUS on Windows 2000, in particular Tech Bulletins RD 410 and RD 447 (look for Tech Support > Steel-Belted Radius > Steel-Belted Radius Tech Notes > View by Tech Note ID Number).

Instructions on:

  1. Preliminary Reading
  2. Installing Policy Manager
  3. Post-Installation Reading
  4. Planning Your Policies (Roles and Services)
    1. Identifying Roles
    2. Defining Services
  5. Planning for Port Mode
  6. Configuring End Users
    1. Configuring a Windows Workstation as a DHCP Client
    2. Configuring a Linux Workstation as a DHCP Client
    3. Browser Requirements for Web-Based Authentication
  7. Installing and Configuring the RADIUS Server
    1. Installing the RADIUS Server
    2. Adding RADIUS Client Devices
    3. Adding RADIUS Users
  8. Configuring RADIUS in Policy Manager
    1. Downloading the Firmware
    2. Adding Devices to Policy Manager
    3. Configuring the Port Mode
    4. Configuring Devices as RADIUS Clients
    5. Configuring Authentication on Devices
  9. Testing Authentication
    1. Testing Web-Based Authentication
    2. Testing 802.1X Authentication

Preliminary Reading

Before configuring your network for Policy Manager, read as much about Policy Manager and its associated technologies as you can, to familiarize yourself with Policy Manager's features and the business challenges it has been designed to solve. The following reading sequence is advised:

  • RADIUS Vendor Documentation - Policy Manager utilizes a RADIUS server for authentication. If you do not already have a RADIUS server installed, you will need to install one following your vendor's installation instructions. You will then need to be able to use the RADIUS server user interface to configure the RADIUS server for use with Policy Manager.
  • NetSight Installation - This topic provides information on the minimum requirements for running Policy Manager, platform-specific information, and instructions for installing the application. The Installation document is available by selecting Help > Help Topics from the Policy Manager menu after installation, or on the Network Management Suite (NMS) Documentation web page: http://extranet.extremenetworks.com/downloads/Pages/NMS.aspx.
  • NetSight Release Notes - The release notes contain release-specific information, including known issues and any available workarounds. You can access the Release Notes by selecting Help > Release Notes from the Policy Manager menu after installation. In addition, the latest version of the release notes is available on the Network Management Suite (NMS) Documentation web page: http://extranet.extremenetworks.com/downloads/Pages/NMS.aspx.

Installing Policy Manager

In Policy Manager, you will be setting up communication between your RADIUS server and your Policy Manager devices, and creating the roles that will be mapped to your users in the RADIUS server for authentication purposes. Although it is not required that you install Policy Manager before installing your RADIUS server, installing Policy Manager as a first step gives you easy access to Policy Manager documentation via the Help > Help Topics menu option, and lets you familiarize yourself with the application before doing any actual configuration. To install Policy Manager, follow the Installation instructions.

Post-Installation Reading

After you've installed Policy Manager, familiarize yourself with the application by selecting Help > Help Topics from the menu and reading the following Help topics:

After completing this reading, continue with the tasks below.

Planning Your Policies (Roles and Services)

It is recommended that, prior to performing any configuration tasks, you plan in advance the policy profiles, or "roles," that will be applied to your users. For testing purposes, you do not need to create all the roles at this point, but you should have an idea what some, if not all, of the role names are going to be.

The roles you will eventually be creating in Policy Manager are usually named for business functions that already exist in the enterprise. You will create customized services made up of traffic classification rules that you will apply to your roles. A role may also contain default actions, including access control (VLAN) and class of service designations, that will be applied to traffic not identified specifically by the set of access services contained in the role. The set of services included in a role, along with any default actions, determines how all network traffic will be handled at any network access point configured to use that role.

If you have not done so already, read the discussion of Roles and Services in Policy Manager Concepts, and the Traffic Classification Rules Help topic for background. This will assist you in planning your roles, and the services and rules you'll need to create to apply to them.

Identifying Roles

Roles are usually named for a type of user such as Student or Faculty. As you begin identifying potential policy roles within your organization, consider the following issues:

  • What are the different users and their network access requirements? For example, do you have some users that require priority access? Do you have other users that should be denied access?
  • What are the network service or application priority requirements? For example, is there an application like SAP that requires priority?

After the different roles have been determined, you must determine if each role will have a default access control and whether or not the traffic should be contained to a VLAN or denied. Should there be a default class of service for a role? If so, what should it be?

Defining Services

Once a role has been identified, you need to define the services and rules that will make up that role. It is helpful to establish a naming convention for services where the name describes the service's action. By carefully determining this naming convention, you can facilitate the administration of the policy configuration.

Examples of a naming convention might be:

  • Services that do not deny traffic and don't have a class of service action associated with them are prefixed with the term "Allow" (e.g. "Allow Print Access" or "Allow Email").
  • Services that deny traffic are prefixed with the term "Deny" (e.g. "Deny Telnet").
  • Services that do not deny traffic and have a priority action associated with them are suffixed with a term denoting the priority of the action (e.g. "External Web (P3)" and "External Web (P7)").

An alternative convention would be to have the "Allow" and "Deny" terms be suffixes so when the services are listed alphabetically, all the different versions of a single service would be listed together.

You should also consider whether there is an advantage to grouping your services into Service Groups. If you will be adding the same group of services to multiple roles, Service Groups will make this task easier.

Once you have defined your required services, you can outline the various classification rules that must be created as the working base of each service. For more information on how classification rules are created and used, see Traffic Classification Rules.

Once you've got an idea of what your roles and services will be, continue with the configuration tasks below.

Planning for Port Mode

Another issue to be decided in advance is port mode. Port mode determines which ports in your network will require authentication by users, and how you wish unauthenticated traffic to be handled on all ports, whether authentication is active or inactive. See Port Mode in the Policy Manager Concepts Help topic for more information.

For testing purposes, you do not need to set the port mode on every port, but you should know how you want each port to behave before you implement your policies. We will be setting the port mode on a couple of ports later on in our configuration procedures (Configuring the Port Mode) for testing purposes.

Once you have an idea of what the port mode settings will be on your ports, continue with the tasks below.

Configuring End Users

This section deals with configuring the end user. Depending on your setup, you may or may not need to set up your end user workstations as DHCP clients. If you are configuring web-based authentication, the end user must have access to either an Internet Explorer (IE) or Mozilla Firefox browser in order to launch the authentication web page. Use the procedures in this section that are appropriate to your configuration.

Configuring a Windows Workstation as a DHCP Client

To configure a Windows workstation as a DHCP client, you will enable the DHCP protocol and remove the WINS and DNS IP addresses. The procedure may vary slightly, depending on the operating system. The following instructions are for a Windows XP workstation:

  1. Launch the TCP/IP Properties window. Select Start > Settings > Network Connections and right-click on Local Area Connection to open the Local Area Connection Properties window.
  2. Select Internet Protocol (TCP/IP) and click the Properties button to open the Internet Protocol (TCP/IP) Properties window.
  3. In the General tab, select the "Obtain an IP address automatically" and "Obtain DNS server address automatically" options. Click the Advanced button to open the Advanced TCP/IP Settings window.
     NOTE: The next two steps are required so that the existing IP addresses will not overwrite the addresses obtained by DHCP.
  4. In the DNS tab, remove all the values or IP addresses, except for the Host Name.
  5. In the WINS tab, remove all WINS IP addresses and check the "Enable LMHOSTS Lookup" box.
  6. Click OK to close the windows.
  7. Reboot the system.
  8. To verify that the DHCP server is now providing the IP addresses for the clients, open an MS-DOS window and use the appropriate ipconfig command:
    • To view the current IP address: ipconfig /all
    • To release the current IP address: ipconfig /release
    • To renew the current IP address or request a new IP address: ipconfig /renew

Configuring a Linux Workstation as a DHCP Client

To cause a Linux workstation to request a DHCP address, type the following command in an xterm window where you are logged in as root:
     /sbin/dhclient
This request will not persist if you reboot the workstation.

If you would like to configure DHCP so that it is persistent across reboots, you can use the DHCP configuration tool.

  1. In an xterm window where you are logged in as root, type: /usr/sbin/redhat-config-network
  2. In the tool window, select the appropriate network adapter (e.g. eth0).
  3. Select Edit from the menu bar.
  4. Select the "Automatically obtain IP Address Settings with DHCP" option.
  5. Select the "Automatically obtain DNS Information from Provider" checkbox.
  6. Click Ok.
  7. Select File > Save from the menu bar.
  8. Reboot the workstation.

Browser Requirements for Web-Based Authentication

These instructions pertain to web-based authentication only. In order to launch the authentication web page, the end user must have access to one of the following supported web browsers.

  • Microsoft Edge and Internet Explorer version 11
  • Mozilla Firefox 34 and later
  • Google Chrome 33.0 and later

Installing and Configuring the RADIUS Server

Policy Manager has been designed to work with a RADIUS server for authentication. It exchanges information between a RADIUS client (a device that provides network access to users) and a RADIUS authentication server (a device that contains authentication information for these users).

There are many RADIUS server products available. Policy Manager has been tested with the following:

  • FreeRADIUS
  • Windows Server 2008 Network Policy Server
  • Windows Server 2003 Internet Authentication Service
  • Windows Server 2000 Internet Authentication Service
  • Steel-Belted RADIUS

To give you an idea of how to configure your RADIUS server, we are providing instructions for configuring the RADIUS server using Funk's Steel Belted RADIUS Administrator user interface. If you are using another vendor's product, adapt the instructions as needed.

After installing your RADIUS server and user interface, you will need to use the user interface to configure your Policy Manager devices (RADIUS client devices) and end users on the server. The RADIUS server user interface is sometimes called the "client". This is not to be confused with the RADIUS client devices that you will be adding to the server.

  NOTES: The procedures below may vary depending on the operating system you are using.
  Configuring Windows Server 2008
  Users of Windows Server 2008 should read this Authentication Configuration Guide, but should follow the steps in Configuring a Windows Server 2008 for RADIUS Authentication for instructions on installing and configuring the RADIUS server.
  Configuring Windows 2000 Advanced Server and Windows Server 2003
  Users of Windows 2000 Advanced Server and Windows Server 2003 should read this Authentication Configuration Guide, but should follow the steps in Configuring a Windows Server 2000 or 2003 for RADIUS Authentication for instructions on installing and configuring the RADIUS server.
  Configuring Windows 2000
  Windows 2000 users who plan to utilize Funk Software Inc.'s Steel-Belted RADIUS should consult Funk's website www.funk.com for assistance in setting up Steel-Belted RADIUS on Windows 2000, in particular Tech Bulletins RD 410 and RD 447 (look for Tech Support > Steel-Belted Radius > Steel-Belted Radius Tech Notes > View by Tech Note ID Number).

Installing the RADIUS Server

Install your RADIUS server and its user interface according to the vendor's instructions. In preparation, read the following installation requirements:

  • The RADIUS server must be installed on a machine other than the one where Policy Manager is installed.
  • Make sure you install the RADIUS server on a machine whose operating system is supported by the vendor's product.
  • You'll need to install both the RADIUS server and the RADIUS user interface (or RADIUS client -- in Steel Belted RADIUS, it's called the Steel Belted RADIUS Administrator). However, they do not need to be on the same machine.
  • Be sure to read the vendor's release notes prior to installing.
  • Have on hand the license key provided to you by your vendor.
  • You must be logged in as Administrator, or another user with full read/write privileges.

Adding RADIUS Client Devices

Now that you've installed the RADIUS server and user interface, you will add the RADIUS clients (Policy Manager devices, not end users) to the server. If you are using a RADIUS server other than Funk Software Inc.'s Steel-Belted RADIUS, you will need to adapt the instructions below to your product.

  1. From the Windows Start menu, select Settings > Control Panel > Services and confirm that the RADIUS server is running by scrolling down to Steel Belted Radius Server. The Status of the server should be "Started." If it is not running, start it by clicking Start.
  2. Close the Services window.
  3. Open the RADIUS server user interface (Start > Programs > Steel Belted Radius > Steel Belted Radius Administrator).
  4. Click Connect to connect to the local RADIUS server.
  5. Select RAS Clients.
  6. Click Add.
  7. Client Name: If the device has a name that can be resolved to an IP address, enter the name. Otherwise, enter its IP address.
  8. IP Address: Enter the IP address of the device.
  9. Make/Model: Verify that Standard Radius is selected.
  10. Select Edit authentication shared secret.
  11. Shared Secret: Enter a string of characters that will be used to encrypt and decrypt communications between the RADIUS server and the device (RADIUS client). Without the shared secret, the server and client will be unable to communicate, and authentication attempts will fail. The shared secret must be at least 6 characters long; 16 characters is recommended. Dashes are allowed in the string, but spaces are not. Be sure to write the shared secret down, as you will be adding it to the RADIUS client devices later.
     NOTE: If you are configuring multiple RADIUS servers, the same server shared secret must be used for each RADIUS server. This is because most Policy Manager devices (RADIUS clients) only support one shared secret. N-Series devices with firmware version 5.0 or above, and S-Series devices are an exception to this, as these devices do support a unique shared secret for each server.
  12. Click Set.
  13. Repeat until all of your Policy Manager devices have been added.

Adding RADIUS Users

In order for your end users to communicate with the RADIUS server, you need to add them to the RADIUS server and map them to the appropriate Policy Manager roles. You will do this with the RADIUS user interface. You can add RADIUS users as Native users (local users) or as Domain users (defined on a domain controller) or both.

  NOTE: If you are configuring MAC authentication in addition to 802.1X and/or Web-based authentication, you will need to make two entries for each end user: one for the MAC address and one for the user name.
  NOTE: For information on configuring end user VLAN ID attributes (in compliance with RFC 3580) to be used in conjunction with VLAN to Role Mapping, refer to your device firmware and RADIUS server documentation.

Preparation: In order to add RADIUS users, you need to know what role names will apply to each user. See Planning Your Policies for more information.

Adding Native (Local) Users

  1. In the RADIUS client window (Steel Belted RADIUS Administrator window), select Users.
  2. Click Add.
  3. In the Add New User window, verify that the Native tab is selected.
  4. In the Enter User Name field, enter the user name, and click OK.
     NOTE: If you are configuring MAC authentication, enter the MAC address in the Enter User Name field. When you enter the MAC addresses, do not use dots, semi-colons, or colons as delimiters. The correct format is as follows: XX-XX-XX-XX-XX-XX
  5. Click Set Password.
  6. In the Enter User Password window, enter the user's password.
     NOTE: If you are configuring MAC authentication, enter the MAC password in the Enter User Password field.
  7. Click Set.
  8. Select Allow CHAP. (You can also use PAP for native users. PAP would be used for users configured on a domain controller.)
  9. Click Set.
  10. In the Users Window, select the Return list attributes tab and click Ins.
  11. Add New Attributes window: In the Available Attributes panel, click Filter-Id.
  12. In the Enter a String field, enter:
    Enterasys:version=1:mgmt=su:policy=[role]
    where [role] is the role name to be applied to this user.
     CAUTION: Include :mgmt=su in the string only for users who should have administrative privileges and the ability to telnet to devices and/or use local management on devices when authentication is enabled. For other users, leave it out.
  13. Click Add, then Close, then Save.
  14. Repeat until all of your native users have been added.

Adding Domain Users

If you are going to add domain users, they must be set up in your Domain Controller first.

  1. In the RADIUS client window (Steel Belted RADIUS Administrator window), select Users.
  2. Click Add.
  3. In the Add New User window, select the Domain tab.
  4. Select a domain on the left pane and users or groups on the right pane, and click OK.
  5. Click Ins.
  6. Add New Attributes window: In the Available Attributes panel, click Filter-Id.
  7. In the Enter a String field, enter:
    Enterasys:version=1:mgmt=su:policy=[role]
    where [role] is the role name to be applied to this user.
     CAUTION: Include :mgmt=su in the string only for users who should have administrative privileges and the ability to telnet to devices and/or use local management on devices when authentication is enabled. For other users, leave it out.
  8. Click Add, then Close, then Save.
  9. Repeat until all of your domain users have been added.
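As an added example (not code from this guide or from the Steel-Belted RADIUS product), the following Python helper prepares and audits the two user-entry values described in the native and domain user procedures above: it normalizes a MAC address into the XX-XX-XX-XX-XX-XX user-name form required for MAC authentication, builds the Enterasys Filter-Id string for a role with or without :mgmt=su, and parses existing Filter-Id strings so that entries granting :mgmt=su to users outside an approved administrator list can be flagged before they are saved. The sample entries and the administrator list are constructed for illustration.

```python
import re

# Filter-Id return-list attribute format shown in the guide:
#   Enterasys:version=1:mgmt=su:policy=[role]
# ":mgmt=su" belongs only in entries for administrative users.

_MAC_DIGITS = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac_user_name(mac):
    """Return a MAC address in the XX-XX-XX-XX-XX-XX form the guide requires
    for MAC-authentication user names, or None if the input is not a MAC.

    Accepts colon-, dash- and dot-delimited input as well as bare hex."""
    digits = re.sub(r"[-:.]", "", mac.strip()).upper()
    if not _MAC_DIGITS.match(digits):
        return None
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_filter_id(role, admin=False):
    """Build the Filter-Id string for a role; admin=True adds :mgmt=su."""
    if not role or any(c in role for c in ":="):
        raise ValueError("role name must be non-empty and contain no ':' or '='")
    parts = ["Enterasys", "version=1"]
    if admin:
        parts.append("mgmt=su")
    parts.append("policy=" + role)
    return ":".join(parts)


def parse_filter_id(value):
    """Parse a Filter-Id string into {'role': ..., 'admin': bool}.

    Returns None when the string is not the Enterasys policy format
    (wrong prefix, wrong version, unknown field, or missing policy)."""
    fields = value.split(":")
    if len(fields) < 3 or fields[0] != "Enterasys" or fields[1] != "version=1":
        return None
    result = {"role": None, "admin": False}
    for field in fields[2:]:
        key, sep, val = field.partition("=")
        if not sep:
            return None
        if key == "policy":
            result["role"] = val
        elif key == "mgmt" and val == "su":
            result["admin"] = True
        else:
            return None
    if result["role"] is None:
        return None
    return result


def audit_users(entries, admin_users):
    """Return (user_name, problem) pairs for malformed Filter-Id values and
    for entries that grant mgmt=su to a user not in admin_users."""
    findings = []
    for user_name, filter_id in entries:
        parsed = parse_filter_id(filter_id)
        if parsed is None:
            findings.append((user_name, "malformed Filter-Id"))
        elif parsed["admin"] and user_name not in admin_users:
            findings.append((user_name, "unexpected mgmt=su"))
    return findings


if __name__ == "__main__":
    # Constructed sample data (hypothetical users and roles).
    approved_admins = {"alice"}
    entries = [
        ("alice", build_filter_id("Faculty", admin=True)),
        ("bob", build_filter_id("Student")),
        (normalize_mac_user_name("00:1f:45:ab:cd:ef"), build_filter_id("Printer")),
        ("eve", "Enterasys:version=1:mgmt=su:policy=Student"),
        ("mallory", "Enterasys:version=2:policy=Student"),
    ]
    for name, problem in audit_users(entries, approved_admins):
        print(f"{name}: {problem}")
```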

Configuring RADIUS in Policy Manager

Now that the RADIUS server side has been set up, you can complete your configuration using Policy Manager. The steps are as follows:

  1. Downloading the Firmware
  2. Adding Devices to Policy Manager
  3. Configuring the Port Mode
  4. Configuring Devices as RADIUS Clients
  5. Configuring Authentication on Devices

Downloading the Firmware

Policy Manager works with devices that support the Enterasys Policy Profile and Enterasys Web Authentication MIBs, such as the S-Series and K-Series devices. Follow the instructions that come with your hardware to download the latest authentication image (which includes the MIBs) to your devices. An easy way to download firmware to multiple devices is to use NetSight Inventory Manager, or you can use NetSight Console to download firmware to a single device.

Once you have downloaded the firmware, clear NVRAM on all the devices.

Adding Devices to Policy Manager

Policy Manager and Console share the NetSight database, which contains the device models that represent the actual devices in your network. There are three ways to add devices to the NetSight database. Initially, you must either perform a Console Discover to populate the database or use Console to import devices from a .ngf file. Once devices have been added to the NetSight database, you must assign the devices to a Policy Domain using Policy Manager. As soon as the devices are assigned to a domain, they are automatically displayed in the Policy Manager Network Elements tree. Only devices assigned to the domain you are currently viewing are displayed.

After you have initially added your devices, you can use Policy Manager's Add Device window to add a single device to the database and the current domain. See How to Add and Delete Devices for information and instructions.

Configuring the Port Mode

The port mode for the following port types should be set to Inactive/Default Role. This will prevent losing contact with your devices when authentication is enabled. Since this is the default port mode for all ports, you only need to confirm that these ports are set correctly.

  • Router ports
  • RADIUS server ports
  • NetSight Policy Manager port
  • DHCP/DNS/WINS server ports
  • Backplane ports
  • Front panel interswitch link ports

To confirm that the required ports are set to Inactive/Default Role:

  1. Launch Policy Manager.
  2. In the left panel, select the Network Elements tab.
  3. Open the All Devices folder and select the device on which the port is located.
  4. Select the right-panel Ports tab for the device and click Retrieve. Scroll to the right to see the Port Mode column and verify that the Port Mode for the port is Inactive/Default Role.

If the port mode for a port is incorrect, do the following:

  1. Right click on the port and select Properties. The Port Properties window opens.
  2. Select the Authentication Configuration tab.
  3. Select the General sub-tab. In the Port Mode area, set the port as follows:
    Authentication Behavior: Inactive
    Unauthenticated Behavior: Default Role
  4. Click Apply. To confirm that the port was set to Inactive/Default Role, select the right-panel Ports tab for the applicable device and check the Port Mode column for the port.
  NOTE: The procedures above enable you to set a few ports quickly for testing purposes. If you need to set a large number of ports, you may want to use the Port Configuration Wizard, which includes windows where you can set up authentication parameters and default roles and apply them to multiple ports. See the How to Configure Ports Help topic for more information.

Configuring Devices as RADIUS Clients

You can now use Policy Manager to configure each device as a RADIUS client.

  CAUTION: Be sure you have completed the previous task, Configuring the Port Mode, before moving on to this procedure. Otherwise, you may lose contact with your devices.

Configure each device as follows (see the RADIUS Tab Help topic for more information):

  1. In the left-panel Network Elements tab, select the device.
  2. In the right panel, select the RADIUS tab.
  3. In the RADIUS Server(s) area, select the Authentication sub-tab and click Add to open the Add RADIUS Authentication Server window.
  4. Enter the following information:

    Authentication Server IP: [IP address of your RADIUS server]
    Authentication Client UDP Port: 1812
     NOTE: Depending on which RADIUS server you are using, another client UDP port might be appropriate. For example, 1645 is the client UDP port used by Funk Software, Inc.'s RADIUS (version 2.25.80); 1812 is the client UDP port used by many other RADIUS servers.
    Server Shared Secret: This must match the RADIUS server shared secret entered when you added the client device to the RADIUS server.
    Verify Shared Secret: Retype the shared secret to confirm.
     NOTE: If you are configuring multiple RADIUS servers, the same server shared secret must be used for each RADIUS server. This is because most Policy Manager devices (RADIUS clients) only support one shared secret. Matrix N-Series devices with firmware version 5.0 or above and Matrix S-Series devices are an exception to this, as these devices do support a unique shared secret for each server.
    Auth. Access Type: Use the drop-down list to select the type of authentication access allowed for this RADIUS server:
    • Any access - the server can authenticate users originating from any access type.
    • Management access - the server can only authenticate users that have requested management access via the console, Telnet, SSH, HTTP, etc.
    • Network access - the server can only authenticate users that are accessing the network via 802.1X, MAC, or Web-Based authentication.

    This feature allows you to have one set of servers for authenticating management access requests and a different set for authenticating network access requests. Devices that do not support this feature will have this field grayed out.
    Server Priority: Select the order in which the RADIUS authentication server will be checked, as compared to the other RADIUS authentication servers on the device. The lower the number, the higher the priority.
  5. If this is the only RADIUS server you are adding, click OK. If you are adding another RADIUS server for backup or for another reason, click Apply and repeat steps 4 and 5.
  6. On the RADIUS tab, click the Apply button in the RADIUS Server(s) section.
  7. In the RADIUS Authentication Client Settings section, set the RADIUS Client Status field to Enabled, and click the Apply button in that section.

Configuring Authentication on Devices

Now, use Policy Manager to configure authentication on each device. The steps you will use depend on the authentication type(s) you are configuring. Some devices support multiple authentication types and multiple users (Multi-User Authentication) per port, while others are restricted to only one or two authentication types and single users per port (Single User Authentication). Refer to the NetSight Firmware Support tables for information on the authentication types supported by each device type.

Configure the appropriate authentication types as follows (see the Help topic Authentication Tab (Device) for more information).

  WARNING: Leaving the default multi-user authentication type precedence is recommended. In particular, changing the Quarantine precedence to be lower than any other type or changing the Auto Track precedence to be higher than any other type can cause problems.

Web-Based Authentication

  1. In the left-panel Network Elements tab, select the device.
  2. In the right panel, select the Authentication tab and make the following selections in the General Settings section:
    Authentication Type: Single User Web-Based or Multi-User Web-Based
    Authentication Status: Enabled
    For devices that support multi-authentication types, you can set the Multi-User Authentication Type Precedence. This allows you to set the order in which the authentication types will be tried on the device, with the authentication type on the left having the highest precedence (it will be tried first). Select the authentication type you want to position, and use the left or right arrow to arrange the types in the desired order of precedence.
  3. Click the Apply button in the General Settings section.
  4. In the Web Authentication Settings sub-tab, select the General sub-tab and select/enter the following information:
    Enhanced Login Mode: Enable this feature, if desired. (This option is grayed out if not supported on the device.)
    Logo Display Status: Select Show or Hide, as desired. (This option is grayed out if not supported on the device.)
    WINS/DNS Spoofing: Select Enabled. (This option is grayed out if not supported on the device.)
    Authentication Protocol: Select PAP
    Web Authentication URL: Enter the URL for your authentication web page. (This option is grayed out if not supported on the device.)
    Web Authentication IP Address: Enter the IP address of your authentication web page server.
  5. Click the Apply button at the bottom of the tab.
  6. Still in the Web Authentication Settings sub-tab, select the Web Login sub-tab and modify the Web Page Banner the end users will see at the top of the authentication web page so that it fits your needs. For example, you might include your company name and information on what to do if the user has questions or problems. Because this banner also appears in messages that occur during successful logon and failed authentication, as well as on the "Radius Busy" screen, it would not be appropriate to include "Welcome to [Your Company]" in the banner.
  7. Click the Apply button at the bottom of the tab.
  8. Repeat until all of your devices have been configured. If you are configuring multiple devices, you may want to use the Device Configuration Wizard.

802.1X Authentication

  1. In the left-panel Network Elements tab, select the device.
  2. In the right panel, select the Authentication tab and make the following selections in the General Settings section:
    Authentication Type: Single User 802.1X or Multi-User 802.1X
    Authentication Status: Enabled
    For devices that support multi-authentication types, you can set the Multi-User Authentication Type Precedence. This allows you to set the order in which the authentication types will be tried on the device, with the authentication type on the left having the highest precedence (it will be tried first). Select the authentication type you want to position, and use the left or right arrow to arrange the types in the desired order of precedence.
  3. Click the Apply button in the General Settings section.
  4. Repeat until all of your devices have been configured. If you are configuring multiple devices, you may want to use the Device Configuration Wizard.

MAC Authentication

  1. In the left-panel Network Elements tab, select the device.
  2. In the right panel, select the Authentication tab and make the following selections in the General Settings section:
    Authentication Type: Single User MAC or Multi-User MAC
    Authentication Status: Enabled
    For devices that support multi-authentication types, you can set the Multi-User Authentication Type Precedence. This allows you to set the order in which the authentication types will be tried on the device, with the authentication type on the left having the highest precedence (it will be tried first). Select the authentication type you want to position, and use the left or right arrow to arrange the types in the desired order of precedence.
  3. Click the Apply button in the General Settings section.
  4. In the MAC Authentication Settings sub-tab, specify the MAC authentication password that will be used for that device.
  5. Click the Apply button at the bottom of the tab.
  6. Repeat until all of your devices have been configured. If you are configuring multiple devices, you may want to use the Device Configuration Wizard.

802.1X+MAC Authentication

  1. In the left-panel Network Elements tab, select the device.
  2. In the right panel, select the Authentication tab and make the following selections in the General Settings section:
    Authentication Type: Single User 802.1X+MAC
    Authentication Status: Enabled
  3. Click the Apply button in the General Settings section.
  4. In the MAC Authentication Settings sub-tab, specify the MAC authentication password that will be used for that device.
  5. Click the Apply button at the bottom of the tab.
  6. Repeat until all of your devices have been configured. If you are configuring multiple devices, you may want to use the Device Configuration Wizard.

CEP Authentication

  1. In the left-panel Network Elements tab, select the device.
  2. In the right panel, select the Authentication tab and make the following selections in the General Settings section:
    Authentication Type: Single User CEP or Multi-User CEP
    Authentication Status: Enabled
    For devices that support multi-authentication types, you can set the Multi-User Authentication Type Precedence. This allows you to set the order in which the authentication types will be tried on the device, with the authentication type on the left having the highest precedence (it will be tried first). Select the authentication type you want to position, and use the left or right arrow to arrange the types in the desired order of precedence.
  3. Click the Apply button in the General Settings section.
  4. In the CEP sub-tab, select the CEP product types supported on the device, and map a role for each type. Then, when a convergence endpoint (such as an IP phone) connects to the network, the device identifies the type of endpoint and applies the assigned role. Click Add to open the Add CEP Mapping window where you can select a CEP product type supported on the device, and map a role for that type. Click OK.
  5. Click the Apply button at the bottom of the tab.
  6. Repeat until all of your devices have been configured. If you are configuring multiple devices, you may want to use the Device Configuration Wizard.
  NOTE: In addition to configuring CEP on the device, you must also enable CEP protocols on each port using the CEP Access sub-tab in the Port Properties Authentication Configuration Tab or the Port Configuration Wizard.

Quarantine Authentication

  1. In the left-panel Network Elements tab, select the device.
  2. In the right panel, select the Authentication tab and make the following selections in the General Settings section:
    Authentication Type: Multi-User Quarantine
    Authentication Status: Enabled
  3. Click the Apply button in the General Settings section.
  4. Repeat until all of your devices have been configured. If you are configuring multiple devices, you may want to use the Device Configuration Wizard.

For more information on Quarantine Authentication requirements, see How to Configure Quarantine Authentication.

Auto Tracking Authentication

  1. In the left-panel Network Elements tab, select the device.
  2. In the right panel, select the Authentication tab and make the following selections in the General Settings section:
    Authentication Type: Multi-User Auto Tracking
    Authentication Status: Enabled
  3. Click the Apply button in the General Settings section.
  4. Repeat until all of your devices have been configured. If you are configuring multiple devices, you may want to use the Device Configuration Wizard.

For more information on Auto Tracking Authentication requirements, see How to Configure Auto Tracking Authentication.

Testing Authentication

Upon completion of the steps in this document and any additional steps contained in the Configuration Supplements that are applicable to your authentication type, you will need to test your authentication configuration. This section provides two testing scenarios: one for web-based authentication and one for 802.1X authentication.

If your tests are successful, you can go on to create your remaining roles and services, referring to your plan and to the Help topics How to Create a Role and How to Create a Service as needed.

If your test is unsuccessful and you have issues you cannot resolve by reviewing the configuration steps in this document, contact Extreme Networks Support for assistance.

Testing Web-Based Authentication

In order to test your web-based authentication configuration, you will use Policy Manager to create one of the roles from the plan you worked out earlier. You do not need to create the role's services and classification rules at this time; only the role name is required for the test.

After creating the role, you will enforce it (write it to the device). You will then configure the port mode on one port to be Active/Discard and another to be Active/Default Role. Finally, you will attempt to log in to both ports as one of the users you mapped to the role on the RADIUS server.

  NOTE: Because Multi-User Web-Based Authentication does not support the Active/Discard port mode, you must configure your device with Single User Web-Based Authentication in order to perform the following Active/Discard mode test.

Preparation

  1. Decide on the role you want to test. It might be helpful to test the role that is assigned to your own user ID.
  2. Create the role as follows:
    1. In Policy Manager, select the Roles tab in the left panel.
    2. Right-click the Roles folder, and select Create Role.
    3. Type the role name in the highlighted box and press Enter.
    4. Click Enforce on the toolbar, review the effects of enforcing on the Enforce Preview window if it is enabled, then click Enforce on that window. This writes the role to the devices, making them aware of the role's existence, but it does not associate the role with any port.
  3. Select the Network Elements tab in the left panel.
  4. Select a port to use as an Active/Discard mode port.
    1. Select the right-panel Ports tab for the device where the port resides and click Retrieve.
    2. Right-click the port and select Properties. The Port Properties window opens.
    3. Select the Authentication Configuration tab.
    4. Select the General sub-tab. In the Port Mode area, set the port as follows:
      Authentication Behavior: Active
      Unauthenticated Behavior: Discard
  5. Select a port to use as an Active/Default Role mode port.
    1. Right-click the port and select Properties. The Port Properties window opens.
    2. Select the Authentication Configuration tab.
    3. Select the General sub-tab. In the Port Mode area, set the port as follows:
      Authentication Behavior: Active
      Unauthenticated Behavior: Default Role
    4. Assign a default role to the port by right-clicking the port and selecting Set Default Role.
    5. Select the role you created earlier, and click OK. Now the role is associated with the port.
  6. To confirm that the ports are set correctly, select the right-panel Ports tab for the device and view the Default Role and Port Mode columns for the ports you just configured.

Testing Active/Discard Mode

  NOTE: Because Multi-User Web-Based Authentication does not support the Active/Discard port mode, you must configure your device with Single User Web-Based Authentication in order to perform the following Active/Discard mode test.

Active/Discard mode means that authentication is enabled on the port, and unauthenticated traffic is not allowed. For this test, the Active/Discard mode port should behave as follows, as displayed on the Ports tab for the device:

  • Prior to user login, the Default Role for the port is <None>, and the Current Role for the port is also <None>.
  • After successful login, the Default Role for the port is still <None>, but the Current Role for the port becomes the user's assigned role.
  • After the user logs out, the Default Role is still <None> and the Current Role reverts to <None>.
  NOTE: This test assumes the end user workstation is configured as a DHCP client. If your end users use static IP addresses, they must be on the 192.168.0.0 network (with a mask of 255.255.0.0) or have a route to it. Otherwise, they will not be able to access the login screen for authentication.

To test your authentication configuration in Active/Discard mode:

  1. Before the user is authenticated, verify that the Active/Discard port you configured earlier does not allow unauthenticated traffic to pass in either direction.
  2. Configure a user machine to be a DHCP client and connect it to the Active/Discard port.
  3. On the Ports tab, look at the Default Role and Current Role for the selected port. They should both be <None>.
  4. On the user machine, confirm that you can get the correct IP address, as follows:
    Windows: Open a Command Prompt window and enter: ipconfig /renew
    Solaris: At the prompt, enter: ifconfig le0 dhcp
    The IP address should be 192.168.1.[port number], where [port number] is the port number on the device to which the user machine is connected. End users who use DHCP receive this temporary IP address from the device. This IP address provides access to the authentication login web page. If authentication is successful, the user can obtain a permanent IP address from the DHCP server.
  5. On the user machine, open your Firefox or Internet Explorer browser.
  6. If you are using Netscape, disable the proxy (unless you have performed one of the other proxy configuration procedures in Browser Requirements, earlier).
  7. Bring up the authentication login web page URL that you entered in the Web Authentication section of the Authentication tab.
  8. Type in the user name and password for the user being tested, and click Login to Network. Within a few seconds, you should see the message Welcome to the Network.
    If the Welcome message does not appear, check the following:
    • Make sure you entered the user name and password correctly in the RADIUS server.
    • If the message "Access is Denied" appears, it could mean the device cannot reach the RADIUS server. Possible causes include:
      • The device's IP address has not been properly entered in the RADIUS server
      • The device has not been enabled as a RADIUS client
      • The RADIUS server has not been properly specified on the device
      • The correct client UDP port for the RADIUS server has not been specified in Policy Manager
    • Other possible causes of the "Access is Denied" message include:
      • The wrong user/password combination was entered
      • The user is not in the database
      • The wrong authentication protocol has been specified (PAP vs. CHAP) on the device
      • The wrong shared secret has been specified on the device
      NOTE: In the event of errors, the RADIUS server log for today's date may assist in troubleshooting. For Funk RADIUS servers, this file is located in the Service directory in your RADIUS server installation area. For Microsoft Authentication servers, view this information in the Event Viewer.
  9. To confirm that your authentication was successful, do the following:
    • To see that the role was assigned to the port, in Policy Manager, look at the Ports tab for the device again. The Default Role should say <None>, and the Current Role should be the one assigned to the user who just logged on.
    • To see that the user machine has the new IP address, issue the ipconfig /all (Windows) or ifconfig le0 dhcp (Solaris) command at the command prompt.
    • To see that the user is a client in the DHCP IP address scope, on the DHCP services machine open the DHCP Manager, double-click Local Machine, and double-click the scope. The Active Lease window opens to show you the active DHCP clients.
  10. On the user machine, return to the web authentication URL and log off the network. To confirm that your role is no longer active on the port, return to the Policy Manager Ports tab for the device and note that the Current Role for the port again says <None>.
  11. Verify again that the port does not allow unauthenticated traffic to pass in either direction.
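The "Access is Denied" checklist in step 8 comes down to how a RADIUS PAP exchange binds the device's request to the shared secret. The following Python model is an added example, not code from this guide or from Policy Manager: it builds an Access-Request with the User-Password hidden as RFC 2865 describes, runs it against a minimal offline server, and reports what the device would conclude for each checklist cause. The device IP, shared secrets, user name and password are constructed sample values.

```python
import hashlib
import os
import struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
# Constructed sample data (not from the guide): the RADIUS server's client table
# (device IP -> shared secret) and its user database.
SERVER_CLIENTS = {"192.0.2.10": b"example-secret"}
SERVER_USERS = {b"testuser": b"correct horse battery"}

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2 User-Password hiding: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password.ljust((len(password) + 15) // 16 * 16 or 16, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, request_auth):
    """Server side of the same chain; with the wrong secret this yields garbage."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value

def parse_attrs(body):
    attrs, i = {}, 0
    while i < len(body):
        atype, alen = body[i], body[i + 1]
        attrs[atype] = body[i + 2:i + alen]
        i += alen
    return attrs

def build_access_request(ident, secret, user, password, nas_ip):
    """What the device sends: PAP credentials plus its NAS-IP-Address."""
    request_auth = os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, user)
             + attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def response(code, ident, request_auth, secret):
    """Reply with no attributes; the Response Authenticator binds it to the request
    and to the shared secret (RFC 2865 section 3)."""
    header = struct.pack("!BBH", code, ident, 20)
    return header + hashlib.md5(header + request_auth + secret).digest()

def server_decide(packet, clients, users):
    """Minimal server logic behind the guide's 'Access is Denied' checklist."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth, attrs = packet[4:20], parse_attrs(packet[20:length])
    nas_ip = ".".join(str(b) for b in attrs.get(ATTR_NAS_IP_ADDRESS, b""))
    secret = clients.get(nas_ip)
    if code != ACCESS_REQUEST or secret is None:
        return None  # unregistered client: silently discarded, so the device only times out
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = users.get(attrs.get(ATTR_USER_NAME)) == password  # unknown user or bad password
    return response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, secret)

def login_attempt(device_secret, nas_ip, user, password, clients, users):
    """Run one PAP exchange offline and report what the device concludes."""
    request = build_access_request(7, device_secret, user, password, nas_ip)
    reply = server_decide(request, clients, users)
    if reply is None:
        return "no-reply"
    expected = hashlib.md5(reply[:4] + request[4:20] + device_secret).digest()
    if reply[1] != request[1] or reply[4:20] != expected:
        return "bad-authenticator"  # shared secret mismatch: device must discard the reply
    return "accept" if reply[0] == ACCESS_ACCEPT else "reject"
```

A wrong shared secret on the device produces a reply whose Response Authenticator the device cannot verify, which is why that case looks to the end user like any other failure and is only distinguishable in the RADIUS server log.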

Testing Active/Default Role Mode

Active/Default Role mode means that authentication has been enabled on the port, but a default role will apply in the absence of an authenticated user. A user does not need to authenticate to access the (usually limited) services provided by the default role. However, a user may opt to authenticate in order to access the (possibly more robust) services provided by his or her own role. For this test, the Active/Default Role mode port should behave as follows, as displayed on the Ports tab for the device:

  • Prior to user login, the Default Role for the port is whatever role has been assigned as the default in Policy Manager, and the Current Role is the same as the Default Role.
  • After successful login, the Default Role remains the assigned default role for the port, but the Current Role becomes the user's role.
  • After the user logs off, the Current Role reverts to the Default Role.
  NOTE: This test assumes the user has a static IP address. End users who use static IP addresses must be on the 192.168.0.0 network (with a mask of 255.255.0.0) or have a route to it.

To test your authentication configuration in Active/Default Role mode:

  1. Connect a user machine to the Active/Default Role port to which you assigned the default role earlier.
  2. In Policy Manager, on the Ports tab for the device, confirm that the Default Role and Current Role for that port are identical.
  3. On the user machine, bring up the authentication login web page URL that you entered in the Web Authentication section of the Authentication tab.
  4. Type in the user name and password, and click Login to Network. Within a few seconds, you should see the message Welcome to the Network.
    If the Welcome message does not appear, refer to the suggestions under step 8 in the previous section.
  5. In Policy Manager, look at the Ports tab for the device again. The Default Role should be the role you assigned as the default for the port, but the Current Role should be the one assigned to the user who just logged on.
  6. On the user machine, return to the web authentication login page and log off the network. To confirm that the role for the port has reverted to the default, return to the Policy Manager Ports tab for the device and note that the Current Role for the port is again the same as the Default Role.

Testing 802.1X Authentication

In order to test your 802.1X authentication configuration, you will use Policy Manager to create one of the roles from the plan you worked out earlier. You do not need to create the role's services and classification rules at this time; only the role name is required for the test.

After creating the role, you will enforce it (write it to the device). You will then configure the port mode on one port to be Active/Discard and another to be Active/Default Role. Finally, you will attempt to log in to both ports as one of the users you mapped to the role on the RADIUS server.

  NOTE: Be sure to complete the additional configuration steps in the 802.1X Authentication Configuration Supplement prior to performing this test.

Preparation

  1. Decide on the role you want to test. It might be helpful to test the role that is assigned to your own user ID.
  2. Create the role as follows:
    1. In Policy Manager, select the Roles tab in the left panel.
    2. Right-click the Roles folder, and select Create Role.
    3. Type the role name in the highlighted box and press Enter.
    4. Click Enforce on the toolbar, review the effects of enforcing on the Enforce Preview window if it is enabled, then click Enforce on that window. This writes the role to the devices, making them aware of the role's existence, but it does not associate the role with any port.
  3. Select the Network Elements tab in the left panel.
  4. Select a port to use as an Active/Discard mode port.
    1. Select the right-panel Ports tab for the device where the port resides and click Retrieve.
    2. Right-click the port and select Properties. The Port Properties window opens.
    3. Select the Authentication Configuration Settings tab.
    4. Select the General sub-tab. In the Port Mode area, set the port as follows:
      Authentication Behavior: Active
      Unauthenticated Behavior: Discard
    5. If you have configured Single User 802.1X or 802.1X+MAC authentication types, Active/Discard mode requires that any default role set on the port is cleared. If you have set a default role for this port, you will be prompted to clear it.
  5. Select a port to use as an Active/Default Role mode port.
    1. Right-click the port and select Properties. The Port Properties window opens.
    2. Select the Authentication Configuration Settings tab.
    3. Select the General sub-tab. In the Port Mode area, set the port as follows:
      Authentication Behavior: Active
      Unauthenticated Behavior: Default Role
    4. If you have configured Single User 802.1X or 802.1X+MAC authentication types, Active/Default Role mode requires that you set a default role on the port, and you will be prompted to assign a role. Otherwise, you must assign a default role to the port by right-clicking the port and selecting Set Default Role.
    5. Select the role you created earlier, and click OK. Now the role is associated with the port.
  6. To confirm that the ports are set correctly, select the right-panel Ports tab for the device and view the Default Role and Port Mode columns for the ports you just configured.

Testing Active/Discard Mode

Active/Discard mode means that authentication is enabled on the port, and unauthenticated traffic is not allowed. For this test, the Active/Discard mode port should behave as follows, as displayed on the Ports tab for the device:

  • Prior to user login, the Default Role for the port is <None>, and the Current Role for the port is also <None>.
  • After successful login, the Default Role for the port is still <None>, but the Current Role for the port becomes the user's assigned role.
  • After the user logs off, the Default Role is still <None> and the Current Role reverts to <None>.

To test your authentication configuration in Active/Discard mode:

  1. Before the user is authenticated, verify that the Active/Discard mode port you configured earlier does not allow unauthenticated traffic to pass in either direction.
  2. Connect a user machine to the port.
  3. On the Ports tab, look at the Default Role and Current Role for the selected port. They should both be <None>.
  4. On the user machine, log on to the network.
  5. In Policy Manager, look at the Ports tab for the device again. The Default Role should be <None>, but the Current Role should be the one assigned to the user who just logged on.
  6. On the user machine, log off the network. To confirm that your role is no longer active on the port, return to the Ports tab for the device and note that the Current Role for the port again says <None>.
  7. Verify again that the port does not allow unauthenticated traffic to pass in either direction.

Testing Active/Default Role Mode

Active/Default Role mode means that authentication has been enabled on the port, but a default role will apply in the absence of an authenticated user. A user does not need to authenticate to access the (usually limited) services provided by the default role. However, a user may opt to authenticate in order to access the (possibly more robust) services provided by his or her own role. For this test, the Active/Default Role mode port should behave as follows, as displayed on the Ports tab for the device:

  • Prior to user login, the Default Role for the port is whatever role has been assigned as the default in Policy Manager, and the Current Role is the same as the Default Role.
  • After successful login, the Default Role remains the assigned default role for the port, but the Current Role becomes the user's role.
  • After the user logs off, the Current Role reverts to the Default Role.

To test your authentication configuration in Active/Default Role mode:

  1. Connect a user machine to the Active/Default Role mode port to which you assigned the default role earlier.
  2. In Policy Manager, on the Ports tab for the device, confirm that the Default Role and Current Role for that port are identical.
  3. On the user machine, log on to the network.
  4. In Policy Manager, look at the Ports tab for the device again. The Default Role should be the role you assigned as the default for the port, but the Current Role should be the one assigned to the user who just logged on.
  5. On the user machine, log off the network. To confirm that the role for the port has reverted to the default, return to the Policy Manager Ports tab for the device and note that the Current Role for the port is again the same as the Default Role.
