In Policy Manager, you can specify a port's authentication
settings, as well as specify a default role for the port, freeze or
unfreeze a port, enable or disable the Drop VLAN Tagged Frames
and MAC Locking features, and enable CEP (Convergence End Point)
protocols. There are two ways to configure ports:
- Using the Port Configuration Wizard: The Port Configuration Wizard is a series of windows
that leads you through all the steps required to configure ports. You can configure a single port with the
wizard, but it is even more useful for configuring multiple ports simultaneously. To configure authentication
for a port in a Pre-Defined Port Group, you must use the Port Configuration Wizard.
- Using the Port Tabs: This method consists of selecting a
port in the left-panel Network Elements tab, then using the right panel tabs to
configure port settings. It is an alternative way of configuring a
single port, and is most useful for changing one or a few
configuration settings on a single port.
Using the Port Configuration Wizard
The Port Configuration Wizard is a series of windows
that leads you through all the steps required to configure a port or
ports,
including setting the port mode, login settings, and default
role. Use the Port Configuration Wizard to configure single or
multiple ports simultaneously. You must configure and enable
authentication on the device before any port authentication settings will
take effect (see How
to Configure Devices).
- From the menu bar, select
Tools > Port Configuration Wizard. The Port
Configuration Wizard opens.
- In the Port Configuration window, select the configurations you
wish to perform:
- Authentication
Specify the authentication type(s) you want to configure: Single User or
Multi-User. Some devices support multiple authentication types and
multiple users (Multi-User Authentication) per port, while others are
restricted to only one or two authentication types and single users per port
(Single User Authentication). Refer to the Policy
Manager/Firmware Feature Support tables in the Release Notes for
information on the authentication types supported by each device type. For
more information on the different types of authentication, see
Authentication Types.
NOTE: The authentication type(s) selected here must match exactly those set on the
device(s) being configured.
- General Settings
Select the general port options you want to configure.
- Default Role & Drop VLAN Tagged Frames -
Lets you assign a default role and enable the Drop VLAN Tagged Frames
feature on the ports. A port's default role takes effect when an end
user on a port fails to authenticate, or if authentication is inactive
on the port. See
Default Role for more
information. If you set a default role for the ports, it is recommended
that you enable the Drop VLAN Tagged Frames feature.
This feature lets you set the ports so that any packet already tagged
with a VLAN coming into the ports will be dropped. See
Drop VLAN Tagged Frames
for more information.
- Frozen Status - Enables you to "lock" the ports so that no one can
accidentally reconfigure their sensitive attributes. See How to Freeze/Unfreeze
a Port for more information.
- MAC Locking - Lets you enable MAC Locking on ports, if the device on which
the port is located supports it.
- CEP Protocol Enable - Lets you enable various CEP (Convergence End
Point) protocols on ports,
if the device on which the port is located supports CEP. See
How to Configure CEP for more information.
- TCI Overwrite - Lets you enable TCI Overwrite on ports, if the device
on which the port is located supports it. TCI Overwrite is required for
Tagged Packet
VLAN to Role Mapping.
- Disable Traffic Classification Types - Lets you create a list of rule types
that will be disabled on the ports.
- RFC3580 VLAN Authorization - Lets you enable or disable RFC 3580 VLAN Authorization on the ports
and specify an egress state.
- The sequence of windows you see next depends on
the selections you made in the Port Configuration window.
NOTE: Each window provides the option to use the current
configuration on the port(s), or set a new configuration. If you select Use Current
Configuration on Port(s), the default settings in the window are
visible, but are unavailable for entry or editing. Keep in mind that these values
do not necessarily reflect the current settings on the port.
If you have selected to configure Authentication:
All the windows you could see are listed below, but only those
related to the Authentication type(s) you selected will actually appear:
- Port Authentication Configuration window
The options
presented in this window vary
depending on the authentication type(s) you have selected. Select the authentication
parameters you wish to configure.
- Shared Settings
- Port Mode (802.1X, MAC, Web-Based) - Defines
whether or not end users are required to authenticate, and how
unauthenticated traffic will be handled. See
Port Mode
for more information.
- Hold Time (802.1X, MAC, Web-Based) - (Also
known as Quiet Period in web-based and MAC authentication.) Amount of time (in seconds) authentication will remain timed out after the specified
Timeout Number has been reached.
- Automatic Re-Authentication (802.1X, MAC) - Lets you
enable the periodic automatic re-authentication of logged-in users.
- Authenticated User Counts (802.1X, MAC, Web-Based) -
The number of users that can be actively authenticated or have
authentications in progress at one time on a port. This option is for
ports on Matrix N-Series devices with Multi-User as their configured
authentication type.
- 802.1X Settings
- Authentication Request Period -
How often (in seconds) the device queries the port to see if there is a new user
on it. If a user is found, the device then attempts to authenticate the
user.
- User Timeout -
The amount of time (in seconds) the device waits for an answer when querying the
port for the existence of a user.
- Authentication Server Timeout - If a user is found on the port, the amount of time (in seconds)
the device waits for a response from the authentication server before timing
out.
- Port Handshake Requests -
The number of times the device tries to finalize
the authentication process with the user, before the authentication request is
considered invalid and authentication fails.
- Web-Based Settings
- Timeout Number - Number of times a user can attempt to log in before authentication fails and login
attempts are not allowed.
- Port Mode window (802.1X, MAC, Web-Based)
Specify the desired port mode for ports. Port mode
defines whether or not a user is required to authenticate on a port, and how
unauthenticated traffic will be handled. It is a combination of
Authentication Behavior (whether or not authentication is enabled on a
port), and Unauthenticated Behavior (whether unauthenticated traffic will be
assigned to a port's default role or discarded). See
Port Mode for a complete description
of each port mode.
NOTES:
-- If you set the ports' Authentication Behavior to Active, it is recommended that you
enable the Drop VLAN Tagged Frames feature on the ports.
-- For Single User 802.1X or 802.1X+MAC authentication: If you set
port mode to Active/Default Role, then the selected default role will be automatically set on the
configured ports. If you set port mode to Active/Discard, then any default role assigned to
the ports will be automatically cleared.
In addition, the Port Mode window provides checkboxes that allow you to disable a
specific authentication type at the port level.
If the device is only configured with one
authentication type, selecting the corresponding checkbox will result in the port
Authentication Behavior being set to Inactive.
NOTES:
-- For Single User 802.1X+MAC authentication with Active/Default Role as the
selected port mode: Disabling 802.1X authentication also disables MAC
authentication on the port. An end user connecting to the port will not be able to
authenticate via 802.1X or MAC. The port will behave as if Inactive/Default Role is the
selected port mode.
-- For Multi-User Web-Based authentication with Active/Discard as the selected port mode: The
"Disable Web-Based authentication for specified port(s)" checkbox
is automatically selected because multi-user web-based authentication does not support the Active/Discard port mode.
- Hold Time window (802.1X, MAC, Web-Based)
Enter the amount of time (in seconds) authentication will remain timed out after the specified Timeout
Number has been reached. Valid values are 0-65535. The default is 60.
(Hold Time is also known as Quiet Period in web-based and MAC
authentication.)
- Authentication Request Period window (802.1X)
Enter how often (in seconds) the device should
query the port to see if there is a new user
on it. Valid values are 1-65535. The default is 30.
- User Timeout window (802.1X)
Enter the amount of time (in seconds) the device
should wait for an answer when querying the
port for the existence of a user. Valid values are 1-300. The default is 30.
- Authentication Server Timeout window (802.1X)
Enter the amount of time (in seconds)
the device should wait for a response from the authentication server before timing
out, if a user is found on the port. Valid values are 1-300. The default is 30.
- Port Handshake Requests window (802.1X)
Enter the number of times the device should try to finalize
the authentication process with the user, before the authentication request is
considered invalid and authentication fails. Valid values are 1-10. The default is 2.
- Automatic Re-Authentication window (802.1X, MAC)
Enable or disable the automatic re-authentication feature by setting the Re-Authentication Status
to Active (enabled) or Inactive (disabled). This specifies whether or not the device should
periodically repeat the authentication process for logged-in users on this port. If you activate automatic
re-authentication, specify how often this should occur (Re-Authentication
Frequency), in seconds. Valid values are 1-2147483647. The default is 3600.
- Authenticated User Counts window (802.1X, MAC, Web-Based)
This option is for ports on Matrix N-Series devices with Multi-User as
their configured authentication type.
Enter the maximum number of users that can be actively authenticated or have
authentications in progress at one time on the specified ports. The
maximum number allowed varies for different port types. If you set this value below the
current number of users on the ports, end user sessions exceeding that number will be
terminated. If you have selected MAC as a Multi-User
authentication type, enter the maximum number of users that can be actively
authenticated via MAC authentication, or have MAC authentications in progress at
one time on this interface. The number of allowed MAC users cannot exceed the
number of allowed users. If you set this value below the current number of
users, end user sessions exceeding that number will be terminated.
- Timeout Number window (Web-Based)
Enter the number of times a user can attempt to log in before authentication times out and
further login attempts are not allowed. Valid values are 1-2147483647. Zero is not
allowed. The default is 2.
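The authentication windows above amount to a small set of per-port parameters, each with a documented range and default, plus a few consistency rules from the notes (port mode side effects on the default role, the multi-user web-based restriction, and the bound on MAC users). The following Python model is an added example and not Policy Manager code or anything it exports; the class, function and field names are assumptions chosen for the illustration, while the ranges, defaults and rules are the ones stated in the windows above. It lets you check a planned port configuration for out-of-range values and rule violations before pushing it with the wizard.

```python
"""Per-port authentication settings as described in the wizard windows above.

Added example, not Policy Manager code. Field, class and function names are
assumptions; ranges, defaults and consistency rules are the ones the page gives.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

# (minimum, maximum, default) for each timer/counter, taken from the windows above
RANGES = {
    "hold_time": (0, 65535, 60),                # 802.1X, MAC, Web-Based (Quiet Period)
    "auth_request_period": (1, 65535, 30),      # 802.1X
    "user_timeout": (1, 300, 30),               # 802.1X
    "auth_server_timeout": (1, 300, 30),        # 802.1X
    "port_handshake_requests": (1, 10, 2),      # 802.1X
    "reauth_frequency": (1, 2147483647, 3600),  # 802.1X, MAC
    "timeout_number": (1, 2147483647, 2),       # Web-Based (zero not allowed)
}
# Single User configurations to which the port mode / default role rule applies
SINGLE_USER_DOT1X = (frozenset({"802.1X"}), frozenset({"802.1X", "MAC"}))


@dataclass
class PortAuthConfig:
    auth_types: FrozenSet[str]                 # subset of {"802.1X", "MAC", "Web-Based"}
    multi_user: bool = False
    auth_behavior: str = "Inactive"            # "Active" or "Inactive"
    unauth_behavior: str = "Default Role"      # "Default Role" or "Discard"
    default_role: Optional[str] = None
    drop_vlan_tagged_frames: bool = False
    allowed_users: Optional[int] = None        # Multi-User ports only
    allowed_mac_users: Optional[int] = None    # Multi-User ports with MAC only
    web_based_disabled: bool = False
    timers: dict = field(default_factory=lambda: {k: v[2] for k, v in RANGES.items()})

    @property
    def port_mode(self) -> str:
        """Port mode is Authentication Behavior / Unauthenticated Behavior."""
        return f"{self.auth_behavior}/{self.unauth_behavior}"


def apply_port_mode_rules(cfg: PortAuthConfig, selected_role: Optional[str]) -> PortAuthConfig:
    """Side effects the Port Mode window notes describe, applied to the config."""
    if not cfg.multi_user and cfg.auth_types in SINGLE_USER_DOT1X:
        if cfg.port_mode == "Active/Default Role":
            cfg.default_role = selected_role       # default role set automatically
        elif cfg.port_mode == "Active/Discard":
            cfg.default_role = None                # any default role is cleared
    if cfg.multi_user and "Web-Based" in cfg.auth_types and cfg.port_mode == "Active/Discard":
        cfg.web_based_disabled = True              # mode unsupported for multi-user web-based
    return cfg


def validate(cfg: PortAuthConfig) -> List[str]:
    """Return findings for values outside the documented ranges or against the page's rules."""
    findings = []
    if cfg.auth_behavior not in ("Active", "Inactive"):
        findings.append(f"unknown Authentication Behavior {cfg.auth_behavior!r}")
    if cfg.unauth_behavior not in ("Default Role", "Discard"):
        findings.append(f"unknown Unauthenticated Behavior {cfg.unauth_behavior!r}")
    for name, value in cfg.timers.items():
        low, high, _ = RANGES[name]
        if not low <= value <= high:
            findings.append(f"{name}={value} is outside the valid range {low}-{high}")
    if cfg.multi_user and cfg.allowed_mac_users is not None:
        if cfg.allowed_users is None or cfg.allowed_mac_users > cfg.allowed_users:
            findings.append("allowed MAC users cannot exceed the number of allowed users")
    if cfg.auth_behavior == "Active" and not cfg.drop_vlan_tagged_frames:
        findings.append("recommendation: enable Drop VLAN Tagged Frames on Active ports")
    return findings


if __name__ == "__main__":
    # Constructed sample: a single-user 802.1X user port set to Active/Discard
    port = PortAuthConfig(auth_types=frozenset({"802.1X"}), auth_behavior="Active",
                          unauth_behavior="Discard", default_role="Guest")
    apply_port_mode_rules(port, "Guest")
    print(port.port_mode, port.default_role, validate(port))
```

Running the sample shows the Active/Discard rule in action: the Guest default role is cleared, and the validator reports the Drop VLAN Tagged Frames recommendation because the port is Active. The findings are plain strings so they can be logged or fed into a change-review step.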
If you have selected General Settings:
All the windows you could see are listed below, but only those
related to the options you selected will actually appear:
- Default Role window
Use the drop-down list to select a default role for the ports.
If you already set the ports' Authentication Behavior to Active and
specified a default role in the Port Mode window, then this panel will
be disabled. Select the Clear the current
default role option to set the default role back to <None>. If you set
a default role for the ports, it is recommended that you enable the Drop
VLAN Tagged Frames feature.
- Drop VLAN Tagged Frames window
Choose whether or not you want packets already tagged with a VLAN to be dropped from the ports. Usually you would
have this enabled for user ports and disabled for interswitch ports.
See Drop VLAN Tagged Frames
for more information.
WARNING: Enabling this feature on a CDP or Backplane
port is likely to result in loss of contact with devices connected through the port.
- Frozen Status window
Enables you to "lock" the ports so that no one can accidentally reconfigure
their sensitive attributes.
Select either the Set Frozen or Clear Frozen option.
- MAC Locking window
Enable or disable MAC Locking for
the ports being configured. You can also set
the maximum number of MAC addresses that are allowed to be locked dynamically or
statically on a port. Use the Static Locked MAC Addresses table to create a
list of locked MAC addresses, so that the ports only accept traffic from
those MAC addresses. Click Add to open the Enter Static Locked MAC window, where you can
enter a MAC address to add to the list. Click Remove to remove a selected entry from the Locked MAC Addresses
list.
- CEP Protocol Enable window
Enable or disable various CEP protocols for the ports being configured. The
table lists all the CEP protocols currently supported by Policy Manager.
Use the checkboxes (or the Enable All and Disable All buttons) to enable or
disable the desired CEP protocols. You must configure and enable CEP on the device
in addition to configuring CEP on the ports (see How
to Configure Devices).
- TCI Overwrite window
Enable or disable TCI Overwrite functionality for the ports being
configured. Enabling TCI Overwrite causes the VLAN or class of service tag in a
received packet to be
overwritten by the VLAN (access control) and class of service characteristics
defined in the port's current or default role. If there is no role assigned to
the port, the port uses any static classification rules which exist. If there
are no static rules, the port uses the PVID and default class of service for the
port.
TCI Overwrite is required for
Tagged Packet
VLAN to Role Mapping, and can be
enabled either here at the port level, or for an individual role in the role's
General tab.
- Disable Traffic Classification Types window
Create a list of traffic classification rule types that will be disabled on the
ports. For example, you can disable the VLAN ID traffic classification type to disable
Tagged Packet VLAN to Role Mapping on the ports you are configuring. Click Add to open the Traffic Classification Type wizard
where you can select the rule type you want to add to the list, or click Add
All to add all rule types to the list. Adding all rule types would disable all traffic
classification on the port, and the role's default class of service and/or default access control would take effect.
Click Remove to remove selected rule types from the
list.
- RFC3580 VLAN Authorization window
Enable or disable RFC 3580 VLAN Authorization for the ports being configured. VLAN Authorization must be enabled in networks where the
RADIUS server has been configured to return a VLAN ID when a user authenticates.
When RFC 3580 VLAN Authorization is enabled:
- ports on devices that do not support policy will tag packets with
the VLAN ID.
- ports on devices that do support policy and also support
Authentication-Based VLAN to Role Mapping will classify packets according to the role that the VLAN
Attribute maps to.
For Matrix V2 devices, you can also modify the VLAN egress list for the VLAN ID returned
by the RADIUS server when a user authenticates on the port:
- None - No modification to the VLAN egress list will be made.
- Tagged - The port will be added to the list with the egress state set to Tagged
(frames will be forwarded as tagged).
- Untagged - The port will be added to the list with the egress state set to Untagged
(frames will be forwarded as untagged).
The current egress settings for the port are displayed in the
VLAN Oper Egress
column in the End User Sessions table on the Port Usage tabs.
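To make the Drop VLAN Tagged Frames and TCI Overwrite descriptions above concrete, here is an added Python model of what a port does with one received frame under each setting. It is example code, not Policy Manager or switch firmware; the Role and PortPolicy classes and the function names are assumptions. The model parses the 802.1Q tag itself and goes slightly beyond the text by handling both tagged and untagged frames, while the precedence it applies for TCI Overwrite (the port's current or default role, then a static classification rule, then the PVID and default class of service) is the one given in the TCI Overwrite window description.

```python
"""Frame-level model of the Drop VLAN Tagged Frames and TCI Overwrite port settings.

Added example; not Policy Manager or switch firmware code. Role, PortPolicy and
the function names are assumptions. Precedence for TCI Overwrite follows the
page: the port's role, then static classification rules, then PVID/default CoS.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q-tagged frame


@dataclass
class Role:
    name: str
    vlan_id: int   # VLAN (access control) the role assigns
    cos: int       # class of service (802.1p priority) the role assigns


@dataclass
class PortPolicy:
    drop_vlan_tagged_frames: bool = False
    tci_overwrite: bool = False
    current_role: Optional[Role] = None            # role of the authenticated user
    default_role: Optional[Role] = None            # used when no user is authenticated
    static_rule: Optional[Tuple[int, int]] = None  # (vlan, cos) from a static classification rule
    pvid: int = 1
    default_cos: int = 0


def parse_tag(frame: bytes) -> Optional[Tuple[int, int, int]]:
    """Return (pcp, dei, vid) when the frame carries an 802.1Q tag, else None."""
    if len(frame) < 18:  # dst(6) + src(6) + TPID(2) + TCI(2) + EtherType(2)
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return (tci >> 13, (tci >> 12) & 1, tci & 0x0FFF)


def classify(policy: PortPolicy) -> Tuple[int, int]:
    """VLAN and CoS that TCI Overwrite stamps on the frame, in the page's precedence."""
    role = policy.current_role or policy.default_role
    if role is not None:
        return role.vlan_id, role.cos
    if policy.static_rule is not None:
        return policy.static_rule
    return policy.pvid, policy.default_cos


def ingress(frame: bytes, policy: PortPolicy):
    """Apply the port settings to one received frame.

    Returns ("drop", None, frame) or ("forward", (vid, cos) or None, frame_out).
    """
    tag = parse_tag(frame)
    if tag is not None and policy.drop_vlan_tagged_frames:
        return "drop", None, frame                 # tagged frame on a user port: discarded
    if tag is not None and policy.tci_overwrite:
        vid, cos = classify(policy)
        tci = (cos << 13) | (tag[1] << 12) | vid   # keep DEI, replace priority and VLAN
        return "forward", (vid, cos), frame[:14] + struct.pack("!H", tci) + frame[16:]
    if tag is not None:
        return "forward", (tag[2], tag[0]), frame  # tag honoured as received
    return "forward", None, frame                  # untagged: classified by the port's rules


def build_tagged_frame(vid: int, pcp: int, dei: int = 0) -> bytes:
    """Constructed sample frame: broadcast dst, fixed src, 802.1Q tag, IPv4 EtherType."""
    dst, src = bytes.fromhex("ffffffffffff"), bytes.fromhex("001122334455")
    tci = (pcp << 13) | (dei << 12) | vid
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, 0x0800) + b"\x00" * 8


if __name__ == "__main__":
    user_port = PortPolicy(drop_vlan_tagged_frames=True)
    print(ingress(build_tagged_frame(100, 5), user_port)[0])          # drop
    rewriting_port = PortPolicy(tci_overwrite=True, current_role=Role("Employee", 20, 3))
    print(ingress(build_tagged_frame(100, 5), rewriting_port)[:2])    # ('forward', (20, 3))
```

The two sample ports illustrate why the page pairs a default role with Drop VLAN Tagged Frames on user ports: with the drop setting, a tag an end station puts on its own frames is never honoured, and with TCI Overwrite the VLAN and priority a frame ends up with come from the role the port assigned rather than from the sender. Interswitch, CDP and backplane ports legitimately carry tagged traffic, which is why the warning above says not to enable the drop setting there.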
- In the Port Selection window, you can select the ports you want to
include or exclude from this configuration.
NOTE: For 802.1X devices that do not support Policy (such as the RoamAbout
AP3000):
-- FTM 1 Backplane ports must be excluded from the port selection when
configuring this type of device.
-- The Active/Default Role port mode is not a valid configuration for this type
of device. If you are configuring Active/Default Role port mode, these devices
must be excluded.
- In the Devices field, expand the folders and select the ports you want to configure.
- Click Add Include to include the selected ports in this
configuration or click Add Exclude to exclude the ports from the configuration.
For example, you may want to configure all your 10/100 ports except
printer ports. You would select the Pre-Defined Port Group of 10/100
ports and click Add Include. Then you would select a User-Defined Port
Group of printer ports and click Add Exclude.
- To remove a port from the Include Ports or Exclude Ports fields, select
the port and click Remove.
- Click Finish. The settings will take effect.
NOTE: You must configure and enable authentication on the device
before any port authentication settings will take effect (see How
to Configure Devices).
Using the Port Tabs
Configuring a port using the port tabs consists of selecting a
port in the left-panel Network Elements tab, then using the right panel tabs to
configure the port. This accomplishes the same things
as the Port Configuration Wizard, but also enables you to view the
current configuration on the port. To configure authentication for a port in a Pre-Defined Port
Group, you must use the Port Configuration Wizard.
Assigning Default Roles to Ports
You can assign a default role to a single port, or to multiple ports. If
you set a default role for a port, it is recommended that you enable the Drop
VLAN Tagged Frames feature.
Single Port
- In the Policy Manager left panel, select the Network Elements tab.
- Expand either the Grouped By, Devices folder, or User-Defined
Port Group folder and click on the port you want to
configure.
- In the right-panel Role tab, you can view the default role
for the port. Click the Select button to select a new default
role. This opens the Selection View, where you can select an existing
role or click New to launch the
Role Wizard and create a new role. Select the Clear the current
default role option to set the default role back to <None>.
- Click OK. The default role configuration will take effect
unless you have created a new role, in which case you must enforce the new role
before the default role configuration setting will take effect.
Multiple Ports
There are two ways to assign a default role to multiple ports:
- Using the Default Role Window in the Port Configuration Wizard.
Using the wizard is most useful
when you want to do other port configuration tasks as well.
- Assigning the default role to a device, a device group, or a pre-defined or
user-defined port group, as follows:
- In the left panel Network Elements tab, right-click the device, device group, or
port group for the ports to which you want to assign the default role, and select
Set Default Role from the menu.
- In the Selection View, select the role you want to assign as the default. You can also
click New to access the Role Wizard, create a
new role to add to the list, then select it.
- Click OK. The default role will take effect unless you have created a new role, in which case
you must enforce the new role before the default role configuration setting will take effect.
Clearing Default Roles from Ports
You can clear the default role from a single port, or from multiple ports.
Single Port
- In the Policy Manager left panel, select the Network Elements tab.
- Expand the Grouped By, Devices folder, or User-Defined
Port Group folder and click on the port whose default role you want to
clear. (Pre-Defined Port Groups do not have their ports listed in the
left panel, so you will need to select the port in the right panel
Ports tab.)
- Right-click the port and select Set Default Role to open the
Selection View.
- Select the Clear the current default role box.
- Click OK.
NOTE: If you are replacing the current default role with another one,
you don't need to clear the current default role. Selecting the new default role
and clicking OK clears the previous default role automatically.
Multiple Ports
There are two ways to clear the default role from multiple ports:
- Using the Clear the current default role option on the Default Role Window in
the Port Configuration Wizard. Using the wizard is most useful
when you want to do other port configuration tasks as well.
- Clearing the default role from a device, a device group, or a port group, as follows:
- In the left panel Network Elements tab, right-click the device, device group, or
port group for the ports on which you want to clear the default role, and select
Set Default Role from the menu.
- In the Selection View, select the Clear the current default role
box.
- Click OK.
NOTE: If you are replacing the current default role with another one,
you don't need to clear the current default role. Selecting the new default role
and clicking OK clears the previous default role automatically.
Disabling Traffic Classification Rules on Ports
You can create a list of traffic classification rule types to disable on
a port using the Disabled Traffic Classification Type section on the
port General tab. For example, you could disable the VLAN ID traffic classification type,
which would disable
Tagged Packet VLAN to Role Mapping on the port.
- In the Policy Manager left panel, select the Network Elements tab.
- Expand either the Grouped By folder, Devices folder, or User-Defined
Port Group folder and click on the port you want to
configure.
- Select the General tab
in the right panel and use the Disabled Traffic Classification Type
section to create the list of rules you want to disable.
Enabling CEP Protocol
You can enable and disable CEP protocols for a specific
port using the port CEP Access tab.
(You can enable CEP protocols for multiple selected ports using the
Port Configuration wizard.)
In order for CEP
to take effect on a port, it must also be enabled at the device level. You can
do this using the
Device Configuration wizard, or the
device CEP tab.
See How to Configure CEP for more information.
Enabling Drop VLAN Tagged Frames
When the Drop VLAN Tagged Frames feature is enabled, any packet already tagged
with a VLAN coming into the port will be dropped. Usually you would enable this for user ports,
and disable it for interswitch ports. See
Drop VLAN Tagged Frames for more information.
WARNING: Enabling this feature on a CDP or Backplane
port is likely to result in loss of contact with devices connected through the port.
- In the Policy Manager left panel, select the Network Elements tab.
- In the Devices, Grouped By, or User-Defined Port Groups folder,
select the port you want to configure.
- In the right-panel Role tab, go to the Drop VLAN Tagged Frames area
and select Enable.
- Click Enforce on the toolbar, review the effects of enforcing
in the Enforce Preview window if it
is enabled, then click Enforce
on that window.
Freezing/Unfreezing Ports
See How to Freeze/Unfreeze a Port.
Locking MAC Addresses to Ports
See How to Lock MAC Addresses to Ports.
Setting Port Authentication
You can configure authentication settings for a selected port on the Authentication Configuration tab
for the port. Before any port authentication settings will take effect,
you must configure and enable authentication on the device (see How
to Configure Devices).
NOTE: In order to configure authentication for a port in a Pre-Defined Port
Group, you must use the Port Configuration Wizard.
- In the Policy Manager left panel, select the Network Elements tab.
- Expand either the Grouped By folder, Devices folder, or User-Defined
Port Group folder and click on the port you want to
configure.
- Select the Authentication Configuration tab
in the right panel and make changes as required.
Terminating a Session
Terminating a session causes the port to be re-initialized. The user
loses the access rights of the current role on the port and reverts to
the access rights specified for unauthenticated behavior on the port,
until he or she authenticates again.
With web-based authentication,
the user must log in again using the authentication web page after the port re-initializes.
With 802.1X authentication on Windows 2000,
the user is prompted to log in again after the port re-initializes. With 802.1X authentication on the Windows
XP platform, the user is automatically reauthenticated immediately after the port re-initializes, and no login
prompt occurs.
You
can terminate an authenticated session on a selected port or ports in the
Port Usage tab for a device, the devices folder, a device group,
a port, or a port group. If
sequential multiple ports are selected, only authenticated sessions
whose Terminate Cause is "Not
Applicable" are affected. You cannot terminate sessions on frozen ports
and you cannot terminate Role Override (IP) or Role Override (MAC)
sessions that were created through the CLI (command line interface).
NOTE: For 802.1X authentication on the Windows XP platform, if you terminate a user's
session, the user is automatically reauthenticated, unless there has been
a policy change or a change in the user's authentication status (e.g.,
the user has been removed from the authentication list).
- In the Policy Manager left panel, select the Network Elements tab.
- Select the right panel Port Usage tab for the left panel selection (a device, the Devices folder,
a device group, a port, or a port group) that contains the ports whose session(s) you want to terminate.
- In the Port Usage tab, select the port(s) whose session(s) you want
to terminate, and click Terminate.
- Click Yes to confirm that you want to terminate.