Authentication Tab (Device)


The device Authentication tab enables you to configure and change the authentication settings on the selected device. Authentication must be configured and enabled on the device in order for individual port authentication settings to take effect (see How to Configure Ports).

To access this tab, select a device on the left panel's Network Elements tab, then click the Authentication tab in the right panel.

General Settings

Authentication Type
Select the appropriate single user or multi-user authentication types, or None. Only options supported by the selected device will be available for selection. Some devices support multiple authentication types and multiple users (Multi-User Authentication) per port, while others are restricted to only one or two authentication types and single users per port (Single User Authentication). Deselect all options to see what authentication types are supported by this device, or refer to the Policy Manager/Firmware Feature Support tables in the Release Notes for information on the authentication types supported by each device type. When you choose an authentication type, the sections unrelated to that type of authentication are grayed out on this tab and on the Authentication Configuration tab for the device's ports. If you choose None, authentication of all types is disabled on the device. For more information on the different types of authentication, see Authentication Types.

  WARNING: Switching Authentication Types, or changing the Authentication Status from Enabled to Disabled, will log off any currently authenticated users.
  NOTE: Matrix C2 Devices. Because Matrix C2 devices let you enable all three authentication types at the device level, use the Multi-User section to configure authentication types even though the device only supports single user authentication per port. The order in which authentication types are enabled at the device level may affect authentication settings that are already configured on the port. Because of this, it is important to configure authentication types at the device level first, and then configure your port-level authentication settings second.
Authentication Status
If you've selected an authentication type other than None, you can enable it here. The default is Disabled. Leaving Authentication Status disabled gives you the ability to configure and reconfigure authentication settings without affecting your network until authentication configuration is complete. If you have selected multiple authentication types, all of the authentication types selected will be enabled or disabled with this one setting.

  CAUTION: Setting the authentication status to Enabled will affect communications through the front panel ports. Any front panel port being used for management should be set to inactive/default mode before setting authentication status to Enabled. If you select the Enabled button, an Authentication Status window appears, offering you choices for actions that will take effect on front panel ports when authentication status is enabled. These options are described in detail on the Authentication Status window. (If you choose the Select Ports to set to Inactive/Default Role option, the Set Authentication Port Mode to Inactive/Default Role window appears, where you can select the ports you wish to set to Inactive/Default Role.)
Maximum Number of Users
For Matrix N-Series devices with Multi-User as their configured authentication type. The maximum number of users that can be actively authenticated or have authentications in progress at one time on this device. You can specify the maximum number of users per port on the port's Authentication Configuration tab.
Current Number of Users
For Matrix N-Series devices with Multi-User as their configured authentication type. The current number of users that are actively authenticated or have authentications in progress, or that the device is keeping authentication termination information for. Any unauthenticated traffic on the port is not included in this count.
Multi-User Authentication Type Precedence
For Matrix N-Series devices. Allows you to set the order in which the authentication types will be tried on the device, with the authentication type on the left having the highest precedence (it will be tried first). Select the authentication type you want to position, and use the left or right arrow to arrange the types in the desired order of precedence. The order determined here is also reflected in the position of the options under Authentication Type.

  NOTE: On Matrix E1 and Matrix E6/E7 devices, if both 802.1X and MAC authentication are enabled, it is possible for the device to receive a start or response 802.1X packet while a MAC authentication is in progress. If this happens, the device immediately terminates the MAC authentication, and the 802.1X authentication proceeds to completion. Regardless of the success of the 802.1X login attempt, no new MAC authentication logins may occur on the port until 1) the link is toggled; 2) the user executes an 802.1X logout; or 3) the 802.1X session is terminated administratively.

Apply
Saves any change you made to the General settings.
RFC3580 VLAN Authorization
RFC 3580 VLAN Authorization must be enabled on devices in networks where the RADIUS server has been configured to return a VLAN ID when a user authenticates. When RFC 3580 VLAN Authorization is enabled: You can also enable and disable VLAN Authorization at the port level using the port Authentication Configuration tab. If the device does not support RFC 3580, this section will be grayed out.
VLAN Authorization Status
Allows you to enable and disable RFC 3580 VLAN Authorization for the selected device.
Apply
Saves any change you made to the VLAN Authorization setting.
MAC Authentication Settings
This section enables you to set up the MAC password for MAC authentication. In order for MAC authentication to work, you must also configure the RADIUS server with the MAC password as well as the MAC addresses which are allowed to authenticate.
MAC User Password
The password that will be passed to the RADIUS server for MAC authentication (1-32 characters).
MAC Mask
You can select a mask; however, masking a MAC address is only supported on Matrix N-Series Platinum devices. Using a mask provides a way to authenticate end stations based on a portion of their MAC address. For example, you could specify a mask that would base authentication on the manufacturer's ID portion of the MAC address. The MAC Mask is passed to the RADIUS server for authentication after the primary attempt to authenticate using the full MAC address fails.
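The two-step behaviour described above (full MAC address first, masked value only if that attempt fails) is easy to get wrong when building the RADIUS entries, so the following added example walks through it. It is not Policy Manager or device code: the dash-separated MAC format, the simulated allowed-address set and the sample addresses are constructed assumptions, and the mask values are plain 48-bit integers.

```python
"""Added example (not Policy Manager code): apply a MAC Mask the way the
page describes, producing the sequence of values a device would present
to RADIUS. The address format and the allowed set are constructed."""
import re

_HEX12 = re.compile(r"^[0-9A-Fa-f]{12}$")

FULL_MASK = 0xFFFFFFFFFFFF   # no masking: only the full address is tried
OUI_MASK = 0xFFFFFF000000    # keep the manufacturer's ID (first 3 octets)


def parse_mac(text):
    """Accept 00:1F:45:AB:CD:EF, 00-1f-45-ab-cd-ef or 001f.45ab.cdef -> int."""
    digits = re.sub(r"[:\-.]", "", text.strip())
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return int(digits, 16)


def format_mac(value):
    """Render a 48-bit value as dash-separated upper-case octets (assumed format)."""
    return "-".join(f"{(value >> shift) & 0xFF:02X}" for shift in range(40, -1, -8))


def mac_auth_attempts(mac_text, mask=FULL_MASK):
    """Return the MAC values, in order, that would be sent to RADIUS:
    the full address first, then the masked address only if a mask is set
    and it actually changes the value."""
    mac = parse_mac(mac_text)
    attempts = [format_mac(mac)]
    masked = mac & mask
    if mask != FULL_MASK and masked != mac:
        attempts.append(format_mac(masked))
    return attempts


def authenticate(mac_text, allowed, mask=FULL_MASK):
    """Simulated RADIUS lookup: the first attempt present in `allowed` wins.
    Returns the value that matched, or None if every attempt fails."""
    for attempt in mac_auth_attempts(mac_text, mask):
        if attempt in allowed:
            return attempt
    return None


if __name__ == "__main__":
    # Constructed allowed set: one whole-OUI entry and one exact station.
    allowed = {"00-1F-45-00-00-00", "08-00-27-11-22-33"}
    print(mac_auth_attempts("00:1f:45:ab:cd:ef", OUI_MASK))
    print(authenticate("00:1f:45:ab:cd:ef", allowed, OUI_MASK))
```

Note what an OUI-style mask does to the trust boundary: every station whose first three octets match the masked entry is accepted, and a MAC address is trivially settable by the station owner, so entries created for a mask should be reviewed the same way a shared credential would be.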
Apply
Saves any change you made to the MAC Authentication settings.
Web Authentication Settings
For users of web-based authentication, this area lets you specify web authentication parameters using four tabs: General, Guest Networking, Web Login, and DNS.

General Tab
The General tab lets you specify the URL of the authentication web page and the IP address of the system where it resides. It also lets you enable certain web authentication features such as Enhanced Login Mode, on devices that support those features.

Enhanced Login Mode
Enabling the Enhanced Login Mode causes the authentication web page to be displayed regardless of whether the URL or IP address entered into the browser by the end user is the designated Web Authentication URL or IP address. This option is grayed out if the device does not support the mode.
Logo Display Status
Specifies whether the Enterasys Networks logo is displayed or hidden on the authentication web page window. This option is grayed out if not supported by the device.
WINS/DNS Spoofing
Allows you to enable and disable WINS/DNS spoofing for the selected device. Spoofing allows the end user to resolve the Web Authentication URL name to the IP address using WINS/DNS. The default is Disabled. This option is grayed out if not supported by the device.
Authentication Protocol
Authentication protocol being used (PAP or CHAP). PAP (Password Authentication Protocol) provides an automated way for a PPP (Point-to-Point Protocol) server to request the identity of a user and confirm it via a password. CHAP (Challenge Handshake Authentication Protocol), the more secure of the two protocols, provides a similar function, except that the confirmation is accomplished using a challenge and response authentication dialog.
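To make the PAP/CHAP difference concrete, here is an added example (not Policy Manager or device code) that runs both exchanges between a client and an authenticator. The CHAP response follows RFC 1994 (MD5 over identifier, secret and challenge); the credential store, user names and challenge bytes are constructed sample values.

```python
"""Added example (not Policy Manager code): PAP and CHAP exchanges, showing
what each protocol puts on the wire and why CHAP resists replay.
Credentials and challenge bytes are constructed sample values."""
import hashlib
import hmac
import os

# Constructed credential store standing in for the RADIUS user database.
SECRETS = {"alice": "s3cret-pw", "guest": "guest"}


def pap_request(username, password):
    """PAP (RFC 1334): the client sends the password itself on the wire."""
    return {"username": username, "password": password}


def pap_verify(request, secrets=SECRETS):
    """Authenticator side of PAP: direct comparison against the stored secret."""
    expected = secrets.get(request["username"], "").encode()
    return hmac.compare_digest(expected, request["password"].encode())


def chap_response(identifier, secret, challenge):
    """RFC 1994: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def chap_request(username, secret, identifier, challenge):
    """What the CHAP client puts on the wire: the digest, never the secret."""
    return {"username": username, "identifier": identifier,
            "response": chap_response(identifier, secret, challenge)}


def chap_verify(request, challenge, secrets=SECRETS):
    """Authenticator side of CHAP: recompute the digest from its own copy of
    the secret and the challenge it issued, then compare in constant time."""
    secret = secrets.get(request["username"])
    if secret is None:
        return False
    expected = chap_response(request["identifier"], secret, challenge)
    return hmac.compare_digest(expected, request["response"])


def wire_exposes_secret(request, secrets=SECRETS):
    """Would a capture of this message hand an observer the user's secret?"""
    secret = secrets.get(request["username"], "")
    return any(value == secret for value in request.values())


def demo(challenge=None):
    """Run both exchanges for 'alice' and summarise the outcome."""
    challenge = challenge or os.urandom(16)
    pap = pap_request("alice", "s3cret-pw")
    chap = chap_request("alice", "s3cret-pw", identifier=1, challenge=challenge)
    return {
        "pap_ok": pap_verify(pap),
        "pap_exposes": wire_exposes_secret(pap),
        "chap_ok": chap_verify(chap, challenge),
        "chap_exposes": wire_exposes_secret(chap),
        # A captured CHAP response replayed against a fresh challenge fails.
        "chap_replay_ok": chap_verify(chap, os.urandom(16)),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should keep in mind when reading this: CHAP requires the authenticator (here the RADIUS server) to hold each secret in recoverable form, and because the digest is unkeyed MD5, a captured challenge/response pair can still be attacked offline, so the secret quality matters even though it never crosses the wire.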
Web Authentication URL
URL for your authentication web page. Users wishing to receive network services access the web page from a browser using this URL. The http:// prefix is supplied automatically. Alphabetical characters, numerical characters and dashes are allowed as part of the URL, but dots are not. The default URL is secureharbour. The URL needs to be mapped to the Web Authentication IP address in DNS or in the hosts file of each client. It must be resolvable via DNS/WINS, either on the device or on the corporate DNS/WINS service, assuming the Web Authentication mapping has been set up there. This option is grayed out if not supported by the device.
Web Authentication IP Address
IP address of your authentication web page server. If you have specified a Web Authentication URL, the IP address needs to be mapped to the URL in DNS or in the hosts file of each client.
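Because a name that does not resolve to the Web Authentication IP address silently breaks web login, it is worth checking the mapping on a client before enabling authentication. The following added example (not Policy Manager code) enforces the naming rule stated above for the Web Authentication URL and checks a hosts file for the mapping; the hosts-file text, addresses and the "SecureHarbour-Old" entry are constructed samples.

```python
"""Added example (not Policy Manager code): validate a Web Authentication URL
name by the rule on this page and confirm a client hosts file maps it to the
configured Web Authentication IP address. Sample data is constructed."""
import ipaddress
import re

# Letters, digits and dashes only; dots are not permitted in the name.
_NAME_RE = re.compile(r"^[A-Za-z0-9-]+$")


def validate_web_auth_name(name):
    """Return the name normalised to lower case, or raise ValueError."""
    if not _NAME_RE.fullmatch(name):
        raise ValueError(
            f"Web Authentication URL {name!r} may contain only letters, digits and dashes")
    return name.lower()


def parse_hosts(text):
    """Parse hosts-file text into {hostname(lower): {ip, ...}}.
    Comments and blank lines are ignored; malformed addresses raise."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        ip = str(ipaddress.ip_address(ip))   # normalise and reject garbage
        for hostname in names:
            mapping.setdefault(hostname.lower(), set()).add(ip)
    return mapping


def check_mapping(name, web_auth_ip, hosts_text):
    """'ok' if the name maps only to the configured address, 'missing' if the
    hosts file has no entry for it, 'mismatch' if another address is mapped."""
    name = validate_web_auth_name(name)
    expected = str(ipaddress.ip_address(web_auth_ip))
    addrs = parse_hosts(hosts_text).get(name)
    if not addrs:
        return "missing"
    return "ok" if addrs == {expected} else "mismatch"


# Constructed sample hosts file for a client; the default URL name is
# "secureharbour" as stated on this page, the addresses are made up.
SAMPLE_HOSTS = """\
127.0.0.1     localhost
10.20.30.40   secureharbour        # Web Authentication server
10.20.30.41   SecureHarbour-Old    # stale entry left from an earlier server
"""

if __name__ == "__main__":
    for candidate in ("secureharbour", "SecureHarbour-Old", "portal"):
        print(candidate, check_mapping(candidate, "10.20.30.40", SAMPLE_HOSTS))
```

The same check applies to a DNS answer: substitute the addresses returned for the name for the set read from the hosts file. A "mismatch" result on a client is the usual explanation for users who reach the wrong page or no page at all once Authentication Status is enabled.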
Apply
Saves any change you made to the General tab.

Guest Networking Tab
The Guest Networking tab lets you configure guest networking, a feature that allows any user to access the network and obtain a guest policy without having to know a username or password. The user accesses the authentication web page, where the username and password fields are automatically filled in, allowing them to log in as a guest. If the user does not want to log in as a guest, they can type in their valid username and password to log in.

  NOTE: Guest networking is designed for networks using web-based authentication, with port mode set to Active/Discard.

Guest Networking Status
Use the drop-down list to specify guest networking status:
Guest Name
The username that Guest Networking will use to authenticate users. The guest name is displayed automatically on the authentication web page. If the user does not want to log in as a guest, they can type in their valid username to override the guest username.
Guest Password
The password that Guest Networking will use to authenticate users when RADIUS Auth is selected.
Apply
Saves any change you made to the Guest Networking tab.

Web Login Tab
The Web Login tab allows you to customize the banner end users see at the top of the authentication web page and set a Redirect Time, if applicable.

Web Page Banner
Use this area to create a banner that end users will see at the top of the authentication web page. For example, you might include your company name and information on what to do if the user has questions or problems. Because this banner also appears in messages that occur during successful login and failed authentication, as well as on the "Radius Busy" screen, it would not be appropriate to include "Welcome to [Your Company]" in the banner.

The Default button allows you to reset the banner to default text provided in a text file (pwa_banner.txt). Initially, the default banner text is the Enterasys contact information. However, you can customize the text for your network by editing the pwa_banner.txt file, located in the top level of the Policy Manager install directory. Then, when you click the Default button, the new text will be displayed in the Web Page Banner area.

The default authentication web page looks like this:

Redirect Time
For devices with Enhanced Login Mode enabled. Specifies the amount of time (in seconds) before the end user is redirected from the authentication web page to their requested URL.

An end station using DHCP requires time to transition from the temporary IP address issued by the authentication process to the official IP address issued by the network. Redirect Time specifies the amount of time allowed for the end station to complete this process and begin using its official IP address. The default value of 30 seconds is adequate for most networks; however, some networks may require a longer or shorter time period. If the Redirect Time is not long enough, the browser times out while attempting to load the requested URL. In networks that only use static IP addresses, a Redirect Time of 5 to 10 seconds is usually sufficient; a value of less than 5 seconds is not recommended.

For example, if a user (with Enhanced Login Mode enabled and a Redirect Time of 30 seconds) enters the URL "http://enterasys.com", they will be presented with the authentication web page. When the user successfully authenticates into the network, they will see a login success page that displays "Welcome to the Network. Completing network connections. You will be redirected to http://enterasys.com in approximately 30 seconds".
Default
Resets the authentication web page banner text to the default text provided in the text file, pwa_banner.txt. The default banner text is the Enterasys contact information. However, you can customize the text for your network by editing the pwa_banner.txt file, located in the top level of the Policy Manager install directory. Clicking Default also sets the Redirect Time field to the default value of 30 seconds.
Apply
Saves any change you made to the Web Login tab.

DNS Tab
The DNS tab lets you add your DNS domain name and server addresses to support the Enhanced Login Mode on Matrix E1 devices. Enhanced Login Mode must be enabled in order to use this tab. The DNS servers are used to resolve URLs to IP addresses.

DNS Domain Name
Enter your local DNS Domain Name, for example, Enterasys.com.
DNS Server Addresses
List your local DNS Server Addresses. Enter an IP address and click Add to add a server address. Select an address and click Remove to remove an address from the list. Addresses are used in the order they are listed.
Apply
Saves any change you made to the DNS tab.
