Creating and Managing Authentication Profiles
Use the Manage Authentication Profiles page to create new Authentication profiles and manage existing Authentication profiles.
To display the Manage Authentication Profiles page: In Build mode, select Authentication from Profile and Configuration Management in the Tasks pane. The Manage Authentication Profiles page appears.
This topic describes:
Managing Authentication Profiles
From the Manage Authentication Profiles page, you can:
Create a new Authentication profile by clicking Add. For directions, see Creating an Authentication Profile.
Modify an existing profile by selecting it and clicking Edit.
View information about a profile, including the interfaces it is associated with, by clicking the profile name or by selecting the profile and clicking Details.
Delete an Authentication profile by selecting a profile and clicking Delete.
Tip:You cannot delete profiles that are in use—that is, assigned to objects or used by other profiles. To see the current assignments for a profile, select the profile and click Details.
Clone a profile by selecting a profile and clicking Clone.
Table 1 describes the information provided about Authentication profiles on the Manage Authentication Profiles page. This page lists all Authentication profiles defined for your network, regardless of the scope you selected in the network view.
Field |
Description |
---|---|
Profile Name |
Name given to the profile when the profile was created. |
Family Type |
The device family on which the profile was created. |
Description |
Description of the profile that was entered when the profile was created. Tip:
To display the entire description, you might need to resize the Description column by clicking the column border in the heading and dragging it. |
Creation Time |
Date and time when this profile was created. |
Update Time |
Date and time when this profile was last modified. |
User Name |
The username of the user who created or modified the profile. |
All columns might not be displayed. To show or hide fields in the Manage Authentication Profiles table, click the down arrow on the field header, select Columns, and select or clear the check box adjacent to the field that you want to show or hide.
Creating an Authentication Profile
In Network Director, you can create an Authentication profile to configure methods to be used to authenticate users. You can also specify details about the accounting servers to be used for accounting purposes.
For an Authentication profile, you must specify the following:
A profile name
At least one access rule
After you create an Authentication profile, you can include it in a Port profile. The Authentication profile specified in a Port profile acts as the default profile for all the users and devices that connect to the port.
To create an Authentication profile:
Specifying Authentication Settings for Switches
To configure an Authentication profile for switching devices, enter the Create Authentication Profile page settings described in Table 2 for creating Authentication profiles on switches. Required settings are indicated by a red asterisk (*) that appears next to the field label in the user interface.
Field |
Action |
---|---|
Profile Name |
Type the name of the profile. You can use up to 64 characters for profiles created for wired devices. Profile name must not contain special characters or spaces. Note that profiles that are automatically created by Network Director as part of device discovery or out-of-band changes may contain the underscore (_) character. |
Description |
Type a short description for the profile. |
802.1X Authenticator | |
Enable 802.1X |
802.1X authentication is enabled by default for a switching profile. 802.1X authentication works by using an Authenticator Port Access Entity (the switch) to block all traffic to and from a supplicant (end device) at the port until the supplicant's credentials are presented and matched on the Authentication server (a RADIUS server). When authenticated, the switch stops blocking traffic and opens the port to the supplicant. Network access can be further defined using VLANs. Note:
If you disable 802.1X authentication, several related settings become unavailable. |
Enable MAC-RADIUS |
Select to enable MAC-RADIUS based authentication for this profile. MAC RADIUS authentication enables LAN access to permitted MAC addresses. When a new MAC address appears on an interface, the switch consults the RADIUS server to check whether the MAC address is a permitted address. If the MAC address is configured on the RADIUS server, the device is allowed access to the LAN. Tip:
You can combine 802.1X and MAC-RADIUS authentication. |
Supplicant Mode |
Specify the mode authentication supplicants use, either Single, Multiple, or Single-Secure.
|
Guest VLAN |
Click Select and then select the VLAN to which an interface is moved when no 802.1X supplicants are connected on the interface. The VLAN specified must already exist on the switch. |
Reject VLAN |
Click Select and then select the VLAN to which an interface is moved when the switch receives an Extensible Authentication Protocol Over LAN (EAPoL) Access-Reject message during the authentication process between the switch and the RADIUS authentication server. |
Server Fail Type |
Specify the server fail fallback action the switch takes when all RADIUS authentication servers are unreachable, either None, Deny, Permit, Use cache, or VLAN Name.
|
Captive Portal A Captive Portal is a special web page used for authentication by turning a web browser into an authentication mechanism. |
|
Enable Captive-Portal |
Enable this option to display the captive portal setting for supplicant mode. When this option is enabled, additional captive portal settings are also available under Advanced Settings. |
Supplicant Mode |
Specify the mode to be used for Captive Portal supplicants, either Single, Multiple, or Single-Secure.
|
To skip configuring the advanced settings and accept the default settings, click Done. You can now link the Authentication profile to a Port profile. For directions, see Creating and Managing Port Profiles.
To configure advanced switch settings, click Advanced Settings and enter the Advanced Settings described in Table 3.
Field |
Action |
---|---|
802.1X Settings These settings are available only when 802.1X authentication is enabled for this Authentication profile. You can use the default settings or you can change them. |
|
Transmit Period (default is 30 seconds) |
Specify how long, in seconds, the interface waits before retransmitting the initial EAPOL PDUs to the supplicant. The default is 30 seconds. |
Maximum Requests (default is 2 requests) |
Specify the maximum number of times an EAPOL request packet is transmitted to the supplicant before the authentication session times out. The default is 2 requests. |
Retries (default is 3 retries) |
Specify the number of times you want the switch to attempt to authenticate the port after an initial failure. The port remains in a wait state during the quiet period after the authentication attempt. The default is 3 retries. |
Quiet Period (default is 60 seconds) |
Specify the number of seconds the interface remains in the wait state following a failed authentication attempt by a supplicant before reattempting authentication. The default is 60 seconds. |
No Reauthentication (default is unselected) |
Select this check box if you do not want the switch to reauthenticate the supplicant after the Quiet Period elapses. |
Reauthentication Interval (default is 3600 seconds) |
If the No Reauthentication option is not checked, specify the number of seconds after which the authentication session times out. The default is 3600 seconds. |
Supplicant Timeout (default is 30 seconds) |
Specify how long the port waits for a response when relaying a request from the authentication server to the supplicant before resending the request. The default is 30 seconds. |
RADIUS Server Timeout (default is 30 seconds) |
Specify the length of time that the switch waits for a response from the RADIUS server. The default is 30 seconds. |
MAC Restrict (Switches using MAC RADIUS only) |
When MAC-RADIUS is enabled in this Authentication profile, select this option to restrict authentication to MAC RADIUS only. When MAC-RADIUS restrict is configured, the switch drops all 802.1X packets. This option is useful when no other 802.1X authentication methods, such as guest VLAN, are needed on the interface, and eliminates the delay that occurs while the switch determines that a connected device is a non-802.1X-enabled host. Optionally enable Flap-On-Disconnect. When the RADIUS server sends a disconnect message to a supplicant, the switch resets the interface on which the supplicant is authenticated. If the interface is configured for multiple supplicant mode, the switch resets all the supplicants on the specified interface. This option takes effect only when the MAC Restrict option is also set. |
Captive Portal If Captive Portal is enabled in this Authentication profile in the basic settings, you can either use the default advanced Captive Portal settings or change them as indicated. |
|
Quiet Period (default is 60 seconds) |
Configure the time, in seconds, between when a user exceeds the maximum number of retries and when they can again attempt to authenticate. Range: 1 through 65,535 Default: 60 |
Retries (default is 3 retries) |
Configure the number of times the user can attempt to submit authentication information. Range: 1 through 65,535 Default: 3 |
Session Expiry (default is 3600 seconds) |
Configure the maximum duration in seconds of a session. Range: 1 through 65,535 Default: 3600 |
Server Time Out (default is 30 seconds) |
Configure the time in seconds an interface will wait for a reply when relaying a response from the client to the authentication server before timing out and invoking the server-fail action. Range: 1 through 65,535 Default: 30 |
Click OK.
The Advanced Settings window closes and you once again see the Create Authentication Profile for Switching page.
Click Done.
The Manage Authentication Profiles page reappears with your new Authentication profile listed.
You can now link the Authentication profile to a Port profile. For more details, see Creating and Managing Port Profiles.
What To Do Next
After you create an Authentication profile, you can do the following:
For switching devices, link the Authentication profile to a Port profile. For more details, see Creating and Managing Port Profiles.