Using voice aware 802.1x security, Using web authentication – Dell POWEREDGE M1000E User Manual


10-27

Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide

OL-13270-03

Chapter 10 Configuring IEEE 802.1x Port-Based Authentication

Understanding IEEE 802.1x Port-Based Authentication

Switching a port host mode from multidomain to single- or multihost mode removes all authorized
devices from the port.

If a data domain is authorized first and placed in the guest VLAN, non-IEEE 802.1x-capable voice
devices need to tag their packets on the voice VLAN to trigger authentication.

We do not recommend per-user ACLs with an MDA-enabled port. An authorized device with a
per-user ACL policy might impact traffic on both the voice and data VLANs of the port. If used,
only one device on the port should enforce per-user ACLs.

Using Voice Aware 802.1x Security

You use the voice aware 802.1x security feature to configure the switch to disable only the VLAN on
which a security violation occurs, whether it is a data or voice VLAN. In previous releases, when an
attempt to authenticate the data client caused a security violation, the entire port shut down, resulting in
a complete loss of connectivity.

You can use this feature in IP phone deployments where a PC is connected to the IP phone. A security
violation found on the data VLAN results in the shutdown of only the data VLAN. The traffic on the
voice VLAN flows through the switch without interruption.

For information on configuring voice aware 802.1x security, see the “Configuring Voice Aware 802.1x Security” section on page 10-39.

Using Web Authentication

You can use a web browser to authenticate a client that does not support IEEE 802.1x functionality. This
feature can authenticate up to eight users on the same shared port and apply the appropriate policies for
each end host on a shared port.

You can configure a port to use only web authentication. You can also configure the port to first try to
use IEEE 802.1x authentication and then to use web authorization if the client does not support
IEEE 802.1x authentication.

Web authentication requires two Cisco Attribute-Value (AV) pair attributes:

The first attribute, priv-lvl=15, must always be set to 15. This sets the privilege level of the user
who is logging into the switch.

The second attribute is an access list to be applied for web authenticated hosts. The syntax is similar
to IEEE 802.1X per-user ACLs. However, instead of ip:inacl, this attribute must begin with proxyacl,
and the source field in each entry must be any. (After authentication, the client IP address replaces
the any field when the ACL is applied.)

For example:

proxyacl# 10=permit ip any 10.0.0.0 255.0.0.0
proxyacl# 20=permit ip any 11.1.0.0 255.255.0.0
proxyacl# 30=permit udp any any eq syslog
proxyacl# 40=permit udp any any eq tftp

Note: The proxyacl entry determines the type of allowed network access.
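The two AV-pair requirements above are easy to get wrong on the RADIUS side, and a mistake only shows up as a host that authenticates but gets no usable access. The following Python script is an added example, not code from the configuration guide or from Cisco: it parses the cisco-avpair strings an Access-Accept might carry, checks that priv-lvl is 15 and that every proxyacl entry has a source of any, and models the post-authentication step in which the client address replaces that any field. The sample AV pairs are constructed (the ACL lines are the guide's own example with a priv-lvl attribute added), and rendering the substituted source as "host A.B.C.D" is an assumption of the example, not something the guide states.

```python
"""Check the Cisco AV pairs that web authentication expects from RADIUS.

Added example; the AV-pair strings below are constructed sample data.
"""
import ipaddress
import re

# Constructed sample: what a RADIUS Access-Accept for a web-authenticated
# host might return (ACL lines follow the guide's example; priv-lvl added).
SAMPLE_AV_PAIRS = [
    "priv-lvl=15",
    "proxyacl# 10=permit ip any 10.0.0.0 255.0.0.0",
    "proxyacl# 20=permit ip any 11.1.0.0 255.255.0.0",
    "proxyacl# 30=permit udp any any eq syslog",
    "proxyacl# 40=permit udp any any eq tftp",
]

_PROXYACL_RE = re.compile(r"^proxyacl#\s*(\d+)=(.+)$")
_INACL_RE = re.compile(r"^ip:inacl#")


def parse_av_pairs(pairs):
    """Split AV pairs into (priv_lvl, acl_entries, other_pairs).

    acl_entries is a list of (sequence, ace_tokens) sorted by sequence;
    priv_lvl is None when the attribute is absent or not an integer.
    """
    priv_lvl = None
    entries = []
    other = []
    for pair in pairs:
        pair = pair.strip()
        if pair.startswith("priv-lvl="):
            value = pair.split("=", 1)[1]
            priv_lvl = int(value) if value.isdigit() else None
            continue
        match = _PROXYACL_RE.match(pair)
        if match:
            entries.append((int(match.group(1)), match.group(2).split()))
            continue
        other.append(pair)
    entries.sort(key=lambda entry: entry[0])
    return priv_lvl, entries, other


def validate_web_auth_attributes(pairs):
    """Return a list of problems; an empty list means both requirements hold."""
    priv_lvl, entries, other = parse_av_pairs(pairs)
    problems = []
    if priv_lvl is None:
        problems.append("priv-lvl attribute missing or not numeric")
    elif priv_lvl != 15:
        problems.append(f"priv-lvl must be 15, got {priv_lvl}")
    for pair in other:
        if _INACL_RE.match(pair):
            problems.append(f"{pair!r} uses ip:inacl; web authentication "
                            "entries must begin with proxyacl")
    if not entries:
        problems.append("no proxyacl entries present")
    for seq, tokens in entries:
        # ACE layout: <permit|deny> <protocol> <source> ...; source is tokens[2]
        if len(tokens) < 3 or tokens[0] not in ("permit", "deny"):
            problems.append(f"proxyacl# {seq}: malformed entry {' '.join(tokens)!r}")
        elif tokens[2] != "any":
            problems.append(f"proxyacl# {seq}: source field must be 'any', "
                            f"got {tokens[2]!r}")
    return problems


def apply_client_address(pairs, client_ip):
    """Model the post-authentication substitution of the 'any' source.

    The 'host A.B.C.D' rendering is this example's assumption. Returns the
    resulting ACEs in sequence order.
    """
    ipaddress.IPv4Address(client_ip)  # raises ValueError on a bad address
    _, entries, _ = parse_av_pairs(pairs)
    applied = []
    for _seq, tokens in entries:
        ace = list(tokens)
        if len(ace) >= 3 and ace[2] == "any":
            ace[2] = f"host {client_ip}"
        applied.append(" ".join(ace))
    return applied


if __name__ == "__main__":
    for problem in validate_web_auth_attributes(SAMPLE_AV_PAIRS):
        print("problem:", problem)
    for ace in apply_client_address(SAMPLE_AV_PAIRS, "192.0.2.25"):
        print(ace)
```

Run it against the attribute strings your RADIUS server actually returns (for example, copied from a debug trace) to catch a wrong priv-lvl, an ip:inacl prefix left over from an 802.1X policy, or an entry whose source is a specific network rather than any, before a user reports that web authentication succeeds but no traffic passes.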

For more information, see the “Authentication Manager” section on page 10-7 and the “Configuring Web Authentication” section on page 10-61.
