Creating and Managing Authentication Profiles

Use the Manage Authentication Profiles page to create new Authentication profiles and manage existing Authentication profiles.

To display the Manage Authentication Profiles page: In Build mode, select Authentication from Profile and Configuration Management in the Tasks pane. The Manage Authentication Profiles page appears.

This topic describes:

Managing Authentication Profiles

From the Manage Authentication Profiles page, you can:

Create a new Authentication profile by clicking Add. For directions, see Creating an Authentication Profile.
Modify an existing profile by selecting it and clicking Edit.
View information about a profile, including the interfaces it is associated with, by clicking the profile name or by selecting the profile and clicking Details.
Delete an Authentication profile by selecting a profile and clicking Delete.

Tip:
You cannot delete profiles that are in use—that is, assigned to objects or used by other profiles. To see the current assignments for a profile, select the profile and click Details.
Clone a profile by selecting a profile and clicking Clone.

Table 1 describes the information provided about Authentication profiles on the Manage Authentication Profiles page. This page lists all Authentication profiles defined for your network, regardless of the scope you selected in the network view.

Table 1: Manage Authentication Profile Fields
Field	Description
Profile Name	Name given to the profile when the profile was created.
Family Type	The device family on which the profile was created.
Description	Description of the profile that was entered when the profile was created. Tip: To display the entire description, you might need to resize the Description column by clicking the column border in the heading and dragging it.
Creation Time	Date and time when this profile was created.
Update Time	Date and time when this profile was last modified.
User Name	The username of the user who created or modified the profile.

Tip:

All columns might not be displayed. To show or hide fields in the Manage Authentication Profiles table, click the down arrow on the field header, select Columns, and select or clear the check box adjacent to the field that you want to show or hide.

Creating an Authentication Profile

In Network Director, you can create an Authentication profile to configure methods to be used to authenticate users. You can also specify details about the accounting servers to be used for accounting purposes.

For an Authentication profile, you must specify the following:

A profile name
At least one access rule

After you create an Authentication profile, you can include it in a Port profile. The Authentication profile specified in a Port profile acts as the default profile for all the users and devices that connect to the port.

To create an Authentication profile:

Click in the Network Director banner.
Under Select View, select either Logical View, Location View, Device View or Custom Group View.
Tip:
Do not select Dashboard View or Topology View.
From the Tasks pane, select the type of network (Wired), the appropriate functional area (System or AAA), and select the name of the profile that you want to create. For example, to create a port profile for a wired device, click Wired > Profiles > Port. The Manage Profile page opens.
Click Add to add a new profile.
If you chose to create a profile for the wired network, Network Director opens the Device Family Chooser window.
1. From the Device Family Chooser, select the device family for which you want to create a profile. The available device families are Switching (EX), Campus Switching ELS (Enhanced Layer 2 Software), and Data Center Switching ELS.
2. Click OK.
  The Create Authentication Profile page for the selected device family is displayed.
Specify authentication settings by doing one of the following:
- For EX Series switches, Campus Switching Enhanced Layer 2 Software, specify the settings as described in Specifying Authentication Settings for Switches.
Click Done to save the Authentication profile.
The system saves the Authentication profile and displays the Manage Authentication Profiles page. Your new or modified Authentication profile is listed in the table of Authentication profiles.

Specifying Authentication Settings for Switches

To configure an Authentication profile for switching devices, enter the Create Authentication Profile page settings described in Table 2 for creating Authentication profiles on switches. Required settings are indicated by a red asterisk (*) that appears next to the field label in the user interface.

Table 2: Authentication Profile Settings for Switches
Field	Action
Profile Name	Type the name of the profile. You can use up to 64 characters for profiles created for wired devices. Profile name must not contain special characters or spaces. Note that profiles that are automatically created by Network Director as part of device discovery or out-of-band changes may contain the underscore (_) character.
Description	Type a short description for the profile.
802.1X Authenticator
Enable 802.1X	802.1X authentication is enabled by default for a switching profile. 802.1X authentication works by using an Authenticator Port Access Entity (the switch) to block all traffic to and from a supplicant (end device) at the port until the supplicant's credentials are presented and matched on the Authentication server (a RADIUS server). When authenticated, the switch stops blocking traffic and opens the port to the supplicant. Network access can be further defined using VLANs. Note: If you disable 802.1X authentication, several related settings become unavailable.
Enable MAC-RADIUS	Select to enable MAC-RADIUS based authentication for this profile. MAC RADIUS authentication enables LAN access to permitted MAC addresses. When a new MAC address appears on an interface, the switch consults the RADIUS server to check whether the MAC address is a permitted address. If the MAC address is configured on the RADIUS server, the device is allowed access to the LAN. Tip: You can combine 802.1X and MAC-RADIUS authentication.
Supplicant Mode	Specify the mode authentication supplicants use, either Single, Multiple, or Single-Secure. Single—Allows only one host for authentication. Single-Secure—Allows only one end device to connect to the port. No other end device is enabled to connect until the first logs out. Multiple—Allows multiple hosts for authentication. Each host is checked before being admitted to the network.
Guest VLAN	Click Select and then select the VLAN to which an interface is moved when no 802.1X supplicants are connected on the interface. The VLAN specified must already exist on the switch.
Reject VLAN	Click Select and then select the VLAN to which an interface is moved when the switch receives an Extensible Authentication Protocol Over LAN (EAPoL) Access-Reject message during the authentication process between the switch and the RADIUS authentication server.
Server Fail Type	Specify the server fail fallback action the switch takes when all RADIUS authentication servers are unreachable, either None, Deny, Permit, Use cache, or VLAN Name. Deny—Force fail the supplicant authentication. No traffic will flow through the interface. Permit—Force succeed the supplicant authentication. Traffic will flow through the interface as if it were successfully authenticated by the RADIUS server. Use cache—Force succeed the supplicant authentication only if it was previously authenticated successfully. This action ensures that already authenticated supplicants are not affected. VLAN Name—Move supplicant on the interface to the VLAN specified by this name. This action is allowed only if it is the first supplicant connecting to an interface. If an authenticated supplicant is already connected, then the supplicant is not moved to the VLAN and is not authenticated. If you select this option, also provide a Fail VLAN name.
Captive Portal A Captive Portal is a special web page used for authentication by turning a web browser into an authentication mechanism.
Enable Captive-Portal	Enable this option to display the captive portal setting for supplicant mode. When this option is enabled, additional captive portal settings are also available under Advanced Settings.
Supplicant Mode	Specify the mode to be used for Captive Portal supplicants, either Single, Multiple, or Single-Secure. Single—Allows only one host for authentication. Multiple—Allows multiple hosts for authentication. Each host is checked before being admitted to the network. Single-Secure —Allows only one end device to connect to the port. No other end device is allowed to connect until the first logs out.

To skip configuring the advanced settings and accept the default settings, click Done. You can now link the Authentication profile to a Port profile. For directions, see Creating and Managing Port Profiles.

To configure advanced switch settings, click Advanced Settings and enter the Advanced Settings described in Table 3.

Table 3: Authentication Profile Advanced Settings for Switches
Field	Action
802.1X Settings These settings are available only when 802.1X authentication is enabled for this Authentication profile. You can use the default settings or you can change them.
Transmit Period (default is 30 seconds)	Specify how long, in seconds, the interface waits before retransmitting the initial EAPOL PDUs to the supplicant. The default is 30 seconds.
Maximum Requests(default is 2 requests)	Specify the maximum number of times an EAPOL request packet is transmitted to the supplicant before the authentication session times out. The default is 2 requests.
Retries(default is 3 retries)	Specify the number of times you want the switch to attempt to authenticate the port after an initial failure. The port remains in a wait state during the quiet period after the authentication attempt. The default is 3 retries.
Quiet Period (default is 60 seconds)	Specify the number of seconds the interface remains in the wait state following a failed authentication attempt by a supplicant before reattempting authentication. The default is 60 seconds.
No Reauthentication(default is unselected)	Select this check box if you do not want the switch to reauthenticate the supplicant after the Quiet Period elapses.
Reauthentication Interval (default is 3600 seconds)	If the No Reauthentication option is not checked, specify the number of seconds after which the authentication session times out. The default is 3600 seconds.
Supplicant Timeout (default is 30 seconds)	Specify how long the port waits for a response when relaying a request from the authentication server to the supplicant before resending the request. The default is 30 seconds.
RADIUS Server Timeout (default is 30 seconds)	Specify the length of time that the switch waits for a response from the RADIUS server. The default is 30 seconds.
MAC Restrict(Switches using MAC RADIUS only)	When MAC-RADIUS is enabled in this Authentication profile, select this option to restrict authentication to MAC RADIUS only. When MAC-RADIUS restrict is configured, the switch drops all 802.1X packets. This option is useful when no other 802.1X authentication methods, such as guest VLAN, are needed on the interface, and eliminates the delay that occurs while the switch determines that a connected device is a non-802.1X-enabled host. Optionally enable Flap-On-Disconnect. When the RADIUS server sends a disconnect message to a supplicant, the switch resets the interface on which the supplicant is authenticated. If the interface is configured for multiple supplicant mode, the switch resets all the supplicants on the specified interface. This option takes effect only when the MAC Restrict option is also set.
Captive Portal If Captive Portal is enabled in this Authentication profile in the basic settings, you can either use the default advanced Captive Portal settings or change them as indicated.
Quiet Period (default is 60 seconds)	Configure the time, in seconds, between when a user exceeds the maximum number of retries and when they can again attempt to authenticate. Range: 1 through 65,535 Default: 60
Retries (default is 3 retries)	Configure the number of times the user can attempt to submit authentication information. Range: 1 through 65,535 Default: 3
Session Expiry (default is 3600 seconds)	Configure the maximum duration in seconds of a session. Range: 1 through 65,535 Default: 3600
Server Time Out(default is 30 seconds)	Configure the time in seconds an interface will wait for a reply when relaying a response from the client to the authentication server before timing out and invoking the server-fail action. Range: 1 through 65,535 Default: 30

Click OK.

The Advanced Settings window closes and you once again see the Create Authentication Profile for Switching page.

Click Done.

The Manage Authentication Profiles page reappears with your new Authentication profile listed.

You can now link the Authentication profile to a Port profile. For more details, see Creating and Managing Port Profiles.

What To Do Next

After you create an Authentication profile, you can do the following:

For switching devices, link the Authentication profile to a Port profile. For more details, see Creating and Managing Port Profiles.