Authentication is the process by which end users identify themselves to the
network and are given customized access capabilities based on the role they
serve in the organization.
Policy Manager uses a RADIUS server and an
authentication-enabled device to dynamically assign a policy (or role) to a
port, based on the end user's login or MAC address.
Policy Manager supports three different types of
authentication: Web-based, 802.1X, and MAC. (For more
information on each type, see the Authentication section in the
Policy Manager Concepts Help topic.) This guide presents steps for configuring
the various components required for authentication, and, if necessary,
refers you to additional configuration supplements that provide information specific to the
different types
of authentication.
Some devices support multiple authentication types
and multiple users (Multi-User Authentication) per port, while others
are restricted to only one or two authentication types and single users
per port (Single User Authentication). Refer to the Policy
Manager/Firmware Feature Support tables in the
Release Notes for information
on the authentication types supported by each device type.
While most of the main configuration tasks can be performed in any order, the recommended
sequence is below. When you have completed the configuration tasks, a test user should be able to
authenticate on the
network and be assigned the correct role.
In order to configure your setup for authentication,
you will need the
following components:
- NetSight Atlas Policy Manager
- RADIUS authentication server and user interface
- Policy-enabled devices (switches)
- Hardware for running Policy Manager and the RADIUS Server
You may already have these components installed and running, but you
should read all the sections of this document anyway, as they contain
information that will help you to configure them for use with Policy
Manager. You may want to perform your initial configuration in a test environment
before deploying it on your network.
NOTES:
Configuring Windows 2000 Advanced Server
Users of Windows 2000 Advanced Server should read this Authentication Configuration Guide, but should follow the
steps in Configuring Windows 2000 Advanced Server for RADIUS Authentication for instructions on
installing and configuring the RADIUS server.
Configuring Windows 2000
Windows 2000 users who plan to utilize Funk Software Inc.'s Steel-Belted RADIUS should consult Funk's website
www.funk.com for assistance in setting up Steel-Belted RADIUS on Windows 2000, in particular
Tech Bulletins RD 410 and RD 447 (look for Tech Support > Steel-Belted Radius > Steel-Belted
Radius Tech Notes > View by Tech Note ID Number).
Instructions on:
- Preliminary Reading
- Installing Policy Manager
- Post-Installation Reading
- Planning Your Policies (Roles and Services)
- Identifying Roles
- Defining Services
- Planning for Port Mode
- Configuring End Users
- Configuring a Windows Workstation as a DHCP Client
- Configuring a Solaris Workstation as a DHCP Client
- Configuring a Linux Workstation as a DHCP Client
- Browser Requirements for Web-Based Authentication
- Installing and Configuring the RADIUS Server
- Installing the RADIUS Server
- Adding RADIUS Client Devices
- Adding RADIUS Users
- Configuring RADIUS in Policy Manager
- Downloading the Firmware
- Importing Devices into Policy Manager
- Configuring the Port Mode
- Configuring Devices as RADIUS Clients
- Configuring Authentication on Devices
- Testing Authentication
- Testing Web-Based Authentication
- Testing 802.1X Authentication
Before configuring your network for Policy Manager, read as much about Policy Manager
and its associated technologies as you can, to familiarize yourself with Policy Manager's features and
the business challenges it has been designed to solve. The following reading sequence is
advised:
- Secure Networks Technology Foundation - This Enterasys white paper
provides an in depth discussion of Enterasys Secure Networks technology, and
presents NetSight Atlas Policy Manager as the key to role-based
administration—the modeling of both IT and business concepts inherent in an
Enterasys Secure Network.
You can access this white paper at http://www.enterasys.com/products/whitepapers.
- RADIUS Vendor Documentation - Policy Manager utilizes a RADIUS server for authentication.
If you do not already have a RADIUS server installed, you will need to install one following your
vendor's installation instructions. You will then need to be able to use the RADIUS server user
interface to configure the RADIUS server for use with Policy Manager.
- Installation - This topic provides information on the minimum requirements for running Policy Manager,
platform-specific information, and instructions for installing the application. The
Installation document is available on the NetSight Documentation website: http://www.enterasys.com/support/manuals/netsight.html. You can also
access this document from the Policy Manager installation directory ([Solaris or Windows]/docs/p_install.html) or by selecting
Help > Help Topics from the Policy Manager menu after installation.
- Policy Manager Release Notes - The release notes for your
version of Policy Manager contain release-specific information, including known issues and any
available workarounds. The latest version of the release notes are available on the NetSight Documentation
website: http://www.enterasys.com/support/manuals/netsight.html.
You can also access this document from the Policy Manager
installation directory ([Solaris or Windows]/docs/p_release_notes.html or srn.txt)
or by selecting Help > Release Notes from the Policy Manager menu after
installation.
In Policy Manager, you will be setting up communication between your RADIUS server and your
Policy Manager devices, and creating the roles that will be mapped to your users in the RADIUS
server for authentication purposes. Although it is not required that you install Policy Manager
before installing your RADIUS server, installing Policy Manager as a first
step gives you easy access to Policy Manager documentation via the Help > Help Topics menu option,
and lets you familiarize yourself with the application before doing any actual configuration.
To install Policy Manager, follow the Installation
instructions. Contact your Enterasys sales rep or Technical Support for more information.
After you've installed Policy Manager, familiarize yourself with the application by
selecting Help > Help Topics from the menu and reading the following Help
topics:
- Getting Started with Policy Manager
- This topic provides a brief overview of Policy Manager and a Quick
Tour of its features. It is suggested that you take the Quick Tour
before you start creating roles and configuring devices in Policy
Manager.
- Policy Manager Concepts -
This topic explains some of the concepts you'll need to understand in
order to make the most effective use of Policy Manager, including a
section on Authentication that describes the types of authentication
that Policy Manager supports, and how authentication works.
- Configuration Supplements - These Help topics provide supplemental information for
specific authentication types and configurations:
After completing this reading, continue with the tasks below.
It is recommended that, prior to performing any configuration tasks, you plan in advance the
policy profiles, or "roles," that will be applied to your users. For testing purposes, you do not need
to create all the roles at this point, but you should have an idea what some, if not all, of the role
names are going to be.
The roles you will eventually be creating in Policy Manager are usually named for business functions that
already exist in the enterprise. You will create customized services made up of traffic classification
rules, that you will apply to your roles. A role may also contain default
access control (VLAN) and/or class
of service designations
that will be applied to traffic not identified specifically by the set of access services contained
in the role. The set of services included in a role, along with any access
control or class
of service defaults,
determine how all network traffic will be handled at any network access point configured to
use that role.
If you have not done so already, read the white paper Secure
Networks Technology Foundation, the discussion of Roles and Services in Policy Manager
Concepts, and the Traffic Classification Rules Help
topic for
background. This will assist you in planning your roles, and the services and rules you'll need
to create to apply to them.
Roles are usually named for a type of user such as Student or Faculty.
As you begin identifying potential policy roles within your organization, consider the
following issues:
- What are the different users and their network access requirements? For example,
do you have some users that require priority access? Do you have other users that should be
denied access?
- What are the network service or application priority requirements? For example,
is there an application like SAP that requires priority?
After the different roles have been determined, you must determine if each role
will have a default access control and whether or not the traffic should be
contained to a VLAN or denied.
Should there be a default class of service for a role? If so, what should it be?
Once a role has been identified, you need to define the services and rules that will make up
that role. It is helpful to establish a naming convention for services where the name
describes the service's action. By carefully determining this naming convention,
you can facilitate the administration of the policy configuration.
Examples of a naming convention might be:
- Services that do not deny traffic (that is, do not send it to a discard VLAN) and don't have a class of
service action associated with them are prefixed with the term "Allow" (e.g. "Allow Print Access" or
"Allow Email").
- Services that deny traffic (go to a discard VLAN) are prefixed with the term
"Deny" (e.g. "Deny Telnet").
- Services that do not deny traffic and have a priority action associated with them
are suffixed with a term denoting the priority of the action (e.g. "External Web (P3)" and
"External Web (P7)").
An alternative convention would be to have the "Allow" and "Deny" terms be suffixes so
when the services are listed alphabetically, all the different versions of a single service
would be listed together.
You should also consider whether there is an advantage to grouping your services into
Service Groups. If you will be adding the same group of services to multiple roles, Service
Groups will make this task easier.
Once you have defined your required services, you can outline the various
classification rules that must be created as the working base of each service. For more
information on how classification rules are created and used, see
Traffic Classification Rules.
Once you've got an idea of what your roles and services will be, continue with the
configuration tasks below.
Another issue to be decided in advance is port mode. Port mode determines which ports in your network will require authentication
by users, and how you wish unauthenticated traffic to be handled on all ports,
whether authentication is active or inactive. See
Port Mode in the Policy Manager
Concepts Help topic for more information.
For testing purposes, you do not need to set the port mode on every port, but
you should know how you want each port to behave before you implement your policies.
We will be setting the port mode on a couple of ports later on in our configuration
procedures (Configuring the Port Mode)
for testing purposes.
Once you have an idea of what the port mode settings will be on your ports,
continue with the tasks below.
This section deals with configuring the end user. Depending on your
setup, you may or may not need to set up your end user workstations as DHCP
clients. If you are configuring web-based authentication, the end user
must have access to either an Internet Explorer (IE) or Netscape browser
in order to launch the authentication web page. Use the procedures in this section that are appropriate to your
configuration.
To configure a Windows workstation as a DHCP client, you will enable the DHCP protocol and
remove the WINS and DNS IP addresses. The procedure may vary slightly, depending on the
operating system. The following instructions are for a Windows XP workstation:
- Launch the TCP/IP Properties window. Select Start > Settings >
Network Connections and right-click on Local Area Connection to open the
Local Area Connection Properties window.
- Select Internet Protocol (TCP/IP)
and click the Properties button to open the Internet Protocol (TCP/IP)
Properties window.
- In the General tab, select the "Obtain an IP address
automatically" and "Obtain DNS server address automatically" options. Click the
Advanced button to open the Advanced TCP/IP Settings window.
NOTE: The next two steps are required so that the existing IP addresses will not
overwrite the addresses obtained by DHCP.
- In the DNS tab, remove all the values or IP addresses, except for the Host Name.
- In the WINS tab, remove all WINS IP addresses and check the "Enable LMHOSTS Lookup" box.
- Click OK to close the windows.
- Reboot the system.
- To verify that the DHCP server is now providing the IP addresses for the clients,
open an MS-DOS window and use the appropriate ipconfig command:
- To view the current IP address: ipconfig /all
- To release the current IP address: ipconfig /release
- To renew the current IP address or request a new IP address: ipconfig /renew
To configure a Solaris workstation as a DHCP client, you need only start the DHCP daemon.
Setting up DHCP and rebooting is not necessary.
- To start the DHCP daemon at the prompt, type: /sbin/dhcpagent
- To enable DHCP on interface le0, at the prompt, type: ifconfig le0 dhcp start
- To get or release an IP address from the DHCP server,
use the appropriate ifconfig command:
- To view the current IP address: ifconfig -a
- To release the current IP address: ifconfig le0 dhcp release
- To renew the current IP address or request a new IP address: ifconfig le0 dhcp
To cause a Linux workstation to request a DHCP address,
type the command:
/sbin/dhclient
in an xterm
window where you are logged in as root. This request will not persist if you reboot the workstation.
If you
would like to configure DHCP so that it is persistent across reboots,
you can use the DHCP configuration tool.
- In an xterm window where you are logged in as root, type:
/usr/sbin/redhat-config-network
- In the tool window, select the appropriate network adapter (e.g. eth0).
- Select Edit from the menu bar.
- Select the "Automatically obtain IP Address Settings with DHCP" option.
- Select the "Automatically obtain DNS Information from Provider" checkbox.
- Click Ok.
- Select File > Save from the menu bar.
- Reboot the workstation.
These instructions pertain to web-based authentication only.
In order to launch the authentication web page, the end user must have access to either the
Internet Explorer (IE) or Netscape browser. The requirements are as follows:
- Version 4.5 or later
- Java Virtual Machine (JVM). This should come with the Netscape
installation. If not, install the JVM after you've installed
Netscape. You can download it from http://www.sun.com.
NOTE: Netscape browsers that are configured to use an HTTP (web) proxy server will need to
be adjusted to launch the authentication login web page in order for the user to log in.
There are two ways to do this:
- Add the authentication login web page URL as one of the web services not requiring a proxy:
  - From the menu, select Preferences > Advanced > Proxies.
  - Select "Manual proxy configuration" and click View.
  - Enter your proxy address in the appropriate field.
  - Under Exceptions, enter the URL for your authentication login web page.
  - Click OK to save and exit the Manual Proxy Configuration window, and OK again
    to exit the Preferences window.
- Before launching the login web page, the user disables the proxy (Preferences > Advanced > Proxies,
  select "Direct connection to Internet"), and after logging in, re-enables the proxy in order to
  gain access to the Internet (Preferences > Advanced > Proxies, select "Automatic proxy
  configuration" and click OK).
NOTE: If you can't get out to the Internet after authentication login, close and
restart Netscape.
- Version 4.x or later
- Solaris: Microsoft Virtual Machine (MVM). This should
come with the Internet Explorer installation. If not, install it
afterward. You can download it from http://www.microsoft.com.
NOTE: Internet Explorer users do not need to change the proxy as Netscape users do,
but they will need to wait approximately thirty seconds for the system to detect the proxy change
when launching the login page, and again when accessing the Internet after logging in.
Policy Manager has been designed to work with a RADIUS server for authentication.
Funk Software, Inc.'s RADIUS™
(Remote Authentication Dial In User Service) is an authentication
solution that has been tested at Enterasys. It exchanges information
between a RADIUS client (a device that provides network access to users)
and a RADIUS server (a device that contains authentication information
for these users).
There are many RADIUS server products available. Policy Manager has been tested with the following:
- Steel-Belted RADIUS (Funk Software Inc.)
- Windows 2000 RADIUS
- Radiator (Open System Consultants Ltd.)
To give you an idea of how to configure your RADIUS server, we are providing instructions for
configuring the RADIUS server using Funk's Steel Belted RADIUS Administrator user interface.
If you are using another vendor's product, adapt the instructions as needed. After installing
your RADIUS server and user interface, you will need to use the user interface to configure your
Policy Manager devices (RADIUS client devices) and end users on the server. The RADIUS server user interface is sometimes
called the "client". This is not to be confused with the RADIUS client devices that you will
be adding to the server.
NOTES:
The procedures below may vary depending on the operating system you are using.
Configuring Windows 2000 Advanced Server
Users of Windows 2000 Advanced Server should read this Authentication Configuration Guide, but should follow the
steps in Configuring Windows 2000 Advanced Server for RADIUS Authentication for instructions on
installing and configuring the RADIUS server.
Configuring Windows 2000
Windows 2000 users who plan to utilize Funk Software Inc.'s Steel-Belted RADIUS should consult Funk's website
www.funk.com for assistance in setting up Steel-Belted RADIUS on Windows 2000, in particular
Tech Bulletins RD 410 and RD 447 (look for Tech Support > Steel-Belted Radius > Steel-Belted
Radius Tech Notes > View by Tech Note ID Number).
Install your RADIUS server and its user interface according to the vendor's instructions.
In preparation, read the following installation requirements:
- The RADIUS server must be installed on a machine other than the one where Policy Manager
is installed.
- Make sure you install the RADIUS server on a machine whose operating system
is supported by the vendor's product.
- You'll need to install both the RADIUS server and the RADIUS user interface (or RADIUS client
-- in Steel Belted RADIUS, it's called the Steel Belted RADIUS Administrator).
However, they do not need to be on the same machine.
- Be sure to read the vendor's release notes prior to installing.
- Have on hand the license key provided to you by your vendor.
- You must be logged in as Administrator, or another user with full read/write
privileges.
Now that you've installed the RADIUS server and user interface, you will add the RADIUS clients
(Policy Manager devices, not end users) to the server. If you are using a RADIUS server
other than Funk Software Inc.'s Steel-Belted RADIUS, you will need to adapt the instructions below
to your product.
- From the Windows Start menu, select Settings > Control Panel >
Services and confirm that the RADIUS server is running by scrolling down to Steel Belted Radius
Server. The Status of the server should be "Started." If it is not running, start it by clicking
Start.
- Close the Services window.
- Open the RADIUS server user interface (Start > Programs > Steel Belted Radius > Steel Belted Radius Administrator).
- Click Connect to connect to the local RADIUS server.
- Select RAS Clients.
- Click Add.
- Client Name: If the device has a name that can be resolved to an IP address, enter the name.
Otherwise, enter its IP address.
- IP Address: Enter the IP address of the device.
- Make/Model: Verify that Standard Radius is selected.
- Select Edit authentication shared secret.
- Shared Secret: Enter a string of characters that will be used to encrypt and decrypt
communications between the RADIUS server and the device (RADIUS client). Without the shared secret,
the server and client will be unable to communicate, and authentication attempts will fail. The shared
secret must be at least 6 characters long; 16 characters is recommended. Dashes are allowed in the string,
but spaces are not. Be sure to write the shared secret down, as you will be adding it to the RADIUS client
devices later.
NOTE: If you are configuring multiple RADIUS servers, the same server shared secret must be used for each
RADIUS server. This is because most Policy Manager devices (RADIUS clients) only support one shared secret.
Matrix N-Series devices with firmware version 5.0 or above are an exception to
this, as these devices do support a unique shared secret for each server.
- Click Set.
- Repeat until all of your Policy Manager devices have been added.
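The shared-secret rules above (at least 6 characters, 16 recommended, dashes allowed, no spaces) and the note that every RADIUS server must carry the same secret are easy to check before any value is typed into the Administrator window. The following Python script is an added example, not code from Enterasys or Funk; the alphabet it generates from (letters, digits and dashes) is a conservative choice of this example, since the guide only says what is forbidden, not the full set of permitted characters.

```python
import secrets
import string

# Constraints taken from the guide's Shared Secret step.
MIN_LENGTH = 6
RECOMMENDED_LENGTH = 16

# Alphabet for generated secrets. Assumption of this example: letters, digits
# and dashes only; the guide states dashes are allowed and spaces are not.
SECRET_ALPHABET = string.ascii_letters + string.digits + "-"


def check_shared_secret(secret: str) -> list:
    """Return the list of rule violations for a shared secret (empty = acceptable)."""
    problems = []
    if len(secret) < MIN_LENGTH:
        problems.append("shorter than the %d-character minimum" % MIN_LENGTH)
    elif len(secret) < RECOMMENDED_LENGTH:
        problems.append("shorter than the recommended %d characters" % RECOMMENDED_LENGTH)
    if " " in secret:
        problems.append("contains a space, which is not allowed")
    return problems


def generate_shared_secret(length: int = RECOMMENDED_LENGTH) -> str:
    """Generate a random secret from SECRET_ALPHABET using the OS CSPRNG."""
    if length < MIN_LENGTH:
        raise ValueError("length below the %d-character minimum" % MIN_LENGTH)
    return "".join(secrets.choice(SECRET_ALPHABET) for _ in range(length))


def find_mismatched_secrets(server_secrets: dict) -> list:
    """Given {server_ip: secret}, return the servers whose secret differs from
    the first entry. Most Policy Manager devices hold only one shared secret,
    so every RADIUS server the device talks to must use the same value."""
    if not server_secrets:
        return []
    items = list(server_secrets.items())
    reference = items[0][1]
    return [ip for ip, value in items[1:] if value != reference]


if __name__ == "__main__":
    # Constructed sample values for a two-server setup.
    servers = {"10.0.0.10": "net-sight-secret", "10.0.0.11": "bad secret"}
    for ip, value in servers.items():
        print(ip, check_shared_secret(value) or "ok")
    print("servers with a different secret:", find_mismatched_secrets(servers))
    print("suggested secret:", generate_shared_secret())
```

Write the generated value down before adding it to the devices, as the step above says; the same value must go into every server entry and every device.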
In order for your end users to communicate with the RADIUS server, you need to add them to the
RADIUS server and map them to the appropriate Policy Manager roles. You will do this with the RADIUS user interface.
You can add RADIUS users as Native users (local users) or as Domain users (defined on a
domain controller) or both.
NOTE: If you are configuring MAC authentication in addition to 802.1X and/or
Web-based authentication, you will need to make two
entries for each end user: one for the MAC address and one for the user name.
NOTE: For information on configuring end user VLAN ID attributes (in compliance
with RFC 3580) to be used in conjunction with
VLAN to Role Mapping, refer to your
device firmware and RADIUS server documentation.
Preparation: In order to add RADIUS users, you need to know what role names
will apply to each user. See Planning Your Policies for more
information.
- In the RADIUS client window (Steel Belted RADIUS Administrator window), select Users.
- Click Add.
- In the Add New User window, verify that the Native tab is selected.
- In the Enter User Name field, enter the user name, and click OK.
NOTE: If you are configuring MAC authentication, enter the MAC address in the
Enter User Name field. When you enter the MAC addresses, do not use dots, semi-colons, or colons as delimiters.
The correct format is as follows: XX-XX-XX-XX-XX-XX
- Click Set Password.
- In the Enter User Password window, enter the user's password.
NOTE: If you are configuring MAC authentication, enter the MAC password in the
Enter User Password field.
- Click Set.
- Select Allow CHAP. (You can also use PAP for native users. PAP
would be used for users configured on a domain controller.)
- Click Set.
- In the Users Window, select the Return list attributes tab and click Ins.
- Add New Attributes window: In the Available Attributes panel, click Filter-Id.
- In the Enter a String field, enter:
Enterasys:version=1:mgmt=su:policy=[role]
where [role] is the role name to be applied to this user.
CAUTION: Include :mgmt=su in the string
only for users who should have administrative privileges and the ability to telnet to
devices and/or use local management on devices when authentication is enabled.
For other users, leave it out.
- Click Add, then Close, then Save.
- Repeat until all of your native users have been added.
If you are going to add domain users, they must be set up in your Domain
Controller first.
- In the RADIUS client window (Steel Belted RADIUS Administrator window), select Users.
- Click Add.
- In the Add New User window, select the Domain tab.
- Select a domain on the left pane and users or groups on the right pane, and click OK.
- Click Ins.
- Add New Attributes window: In the Available Attributes panel, click Filter-Id.
- In the Enter a String field, enter:
Enterasys:version=1:mgmt=su:policy=[role]
where [role] is the role name to be applied to this user.
CAUTION: Include :mgmt=su in the string
only for users who should have administrative privileges and the ability to telnet to
devices and/or use local management on devices when authentication is enabled.
For other users, leave it out.
- Click Add, then Close, then Save.
- Repeat until all of your domain users have been added.
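Two details in the native-user and domain-user procedures above are worth checking mechanically before entries are saved: the MAC address format for MAC-authentication users (XX-XX-XX-XX-XX-XX, no dots or colons) and the Filter-Id string, where :mgmt=su must appear only for administrative users. The following Python script is an added example, not code from Enterasys or the RADIUS vendor; the sample user entries and the administrator set are constructed, and the rule that a user name made of twelve hex digits is a MAC-authentication entry is an assumption of this example.

```python
import re

# Filter-Id layout from the guide: Enterasys:version=1:mgmt=su:policy=[role],
# with ":mgmt=su" present only for administrative users.
FILTER_ID_PREFIX = "Enterasys"
MAC_FORMAT = re.compile(r"^[0-9A-F]{2}(-[0-9A-F]{2}){5}$")


def normalize_mac(raw: str) -> str:
    """Convert a MAC written with colons, dots, dashes, spaces or no separators
    into the XX-XX-XX-XX-XX-XX form the Users window requires."""
    digits = re.sub(r"[-:. ]", "", raw.strip()).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError("not a 48-bit MAC address: %r" % raw)
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def looks_like_mac(user: str) -> bool:
    """Assumption of this example: a user name that is 12 hex digits plus
    optional separators is a MAC-authentication entry."""
    return re.fullmatch(r"[0-9A-Fa-f]{12}", re.sub(r"[-:. ]", "", user)) is not None


def build_filter_id(role: str, admin: bool = False) -> str:
    """Build the Filter-Id string for a role; admin=True adds mgmt=su."""
    if not role or ":" in role:
        raise ValueError("role name must be non-empty and must not contain ':'")
    fields = [FILTER_ID_PREFIX, "version=1"]
    if admin:
        fields.append("mgmt=su")
    fields.append("policy=" + role)
    return ":".join(fields)


def parse_filter_id(value: str) -> dict:
    """Split a Filter-Id string into its key=value fields, e.g.
    {'version': '1', 'policy': 'Student'} (plus 'mgmt': 'su' for admins).
    Raises ValueError when the prefix or the policy field is missing."""
    parts = value.split(":")
    if parts[0] != FILTER_ID_PREFIX:
        raise ValueError("Filter-Id does not start with %s:" % FILTER_ID_PREFIX)
    fields = {}
    for part in parts[1:]:
        if "=" not in part:
            raise ValueError("malformed field %r" % part)
        key, _, val = part.partition("=")
        fields[key] = val
    if "policy" not in fields:
        raise ValueError("Filter-Id has no policy= field")
    return fields


def audit_user_entries(entries, admin_users) -> list:
    """Check (user_name, filter_id) pairs before they go into the RADIUS server.
    admin_users is the set of names that are supposed to carry mgmt=su.
    Returns a list of (user_name, problem) findings."""
    findings = []
    for user, filter_id in entries:
        try:
            fields = parse_filter_id(filter_id)
        except ValueError as exc:
            findings.append((user, str(exc)))
            continue
        has_su = fields.get("mgmt") == "su"
        if has_su and user not in admin_users:
            findings.append((user, "mgmt=su granted to a non-administrative user"))
        elif not has_su and user in admin_users:
            findings.append((user, "administrative user is missing mgmt=su"))
        if looks_like_mac(user) and not MAC_FORMAT.match(user):
            findings.append((user, "MAC user name is not in XX-XX-XX-XX-XX-XX format"))
    return findings


# Constructed sample entries, as they might be typed into the Users window.
SAMPLE_ENTRIES = [
    ("jsmith", "Enterasys:version=1:policy=Student"),
    ("netadmin", "Enterasys:version=1:mgmt=su:policy=Administrator"),
    ("kjones", "Enterasys:version=1:mgmt=su:policy=Faculty"),       # over-privileged
    ("00:11:22:aa:bb:cc", "Enterasys:version=1:policy=Printer"),    # wrong MAC format
    ("00-11-22-AA-BB-CD", "Enterasys:version=1:policy=Printer"),
    ("guest", "version=1:policy=Guest"),                             # missing prefix
]
SAMPLE_ADMINS = {"netadmin"}

if __name__ == "__main__":
    for user, problem in audit_user_entries(SAMPLE_ENTRIES, SAMPLE_ADMINS):
        print("%-20s %s" % (user, problem))
```

Running the audit on the sample list reports the over-privileged Faculty user, the colon-delimited MAC entry and the entry with a malformed Filter-Id; the other three pass.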
Now that the RADIUS server side has been set up, you can complete your configuration using
Policy Manager. The steps are as follows:
- Downloading the Firmware
- Importing Devices into Policy Manager
- Configuring the Port Mode
- Configuring Devices as RADIUS Clients
- Configuring Authentication on Devices
Policy Manager works with devices that support the Enterasys Policy Profile and Enterasys Web Authentication
MIBs, such as the Enterasys Matrix E7, SmartSwitch 2000, and Matrix N-Series
devices.
Follow the instructions that come with your hardware to download the latest authentication image
(which includes the MIBs) to your devices. An easy way to download firmware to multiple devices is to use NetSight Atlas Inventory Manager, or you can use NetSight Atlas Console to
download firmware to a single device.
Once you have downloaded the firmware, clear NVRAM on all the devices.
In Policy Manager, use the File > Import menu option to import your
devices. See the
How to Create and Import Device Lists and
Import from Device List Window Help topics for information
and instructions.
The port mode for the following port types should
be set to Inactive/Default Role.
This will prevent losing contact with your devices when authentication is
enabled. Since this is the default port mode for all ports, you only need to confirm that
these ports are set correctly.
- Router ports
- RADIUS server ports
- NetSight Atlas Policy Manager port
- DHCP/DNS/WINS server ports
- Backplane ports
- Front panel interswitch link ports
To confirm that the required ports are set to Inactive/Default Role:
- Launch Policy Manager (Start > Programs > Enterasys Networks >
NetSight Atlas Policy Manager > Policy Manager).
- In the left panel, select the Network Elements tab.
- Open the Devices folder and select the device on which the port is located.
- Select the right-panel Ports tab for the device and verify that the
Port Mode for the port is Inactive/Default Role.
If the port mode for a port is incorrect, do the following:
- Select the port in the left panel.
- In the right panel, select the Authentication Configuration tab.
- In the Port Mode area, set the port as follows:
Authentication Behavior: Inactive
Unauthenticated Behavior: Default Role
- Click Apply. To confirm that the required ports are set to Inactive/Default Role,
select the right-panel Ports tab for the applicable devices and check the Port Mode column
for the ports.
NOTE: The procedures above enable you to set a few ports quickly for testing purposes.
If you need to set a large number of ports, you may want to use the
Port Configuration Wizard, which
includes windows where you can set up authentication parameters and default roles and apply
them to multiple ports.
See the How to Configure Ports Help topic for more information.
You can now use Policy Manager to configure each device as a RADIUS
client.
CAUTION: Be sure you have completed the previous task, Configuring
the Port Mode, before moving on to this procedure. Otherwise, you may lose contact with your
devices.
Configure each device as follows (see the Help topic How to Configure Devices for more information):
- In the left-panel Network Elements tab, select the device.
- In the right panel, select the RADIUS tab.
- In the RADIUS Server(s) area, click Add to open the Add RADIUS Server window.
- Enter the following information:
RADIUS Server IP: [IP address of your RADIUS server]
Auth. Client UDP Port: 1812
NOTE: Depending on what RADIUS server you are using, another client
UDP port might be appropriate. For example, 1645 is the client UDP port used
by Funk Software, Inc.'s RADIUS™ version 2.25.80, while 1812
is the client UDP port used by many other RADIUS servers.
Server Shared Secret: This must match the RADIUS server shared secret
entered when you added the client device to the RADIUS
server.
Verify Shared Secret: Retype the shared secret to confirm.
NOTE: If you are configuring multiple RADIUS servers, the same server shared secret must be used for each
RADIUS server. This is because most Policy Manager devices (RADIUS clients) only support one shared secret.
Matrix N-Series devices with firmware version 5.0 or above are an exception to
this, as these devices do support a unique shared secret for each server.
RADIUS Server Priority: Select the order in which the RADIUS server will
be checked, as compared to the other RADIUS servers on the device. The lower the
number, the higher the priority.
- If this is the only RADIUS server you are adding, click OK. If you are adding another
RADIUS server for backup or for another reason, click Apply and repeat steps 4 and 5.
- On the RADIUS tab, click the Apply button in the RADIUS Server(s) section.
- In the Client Settings section, toggle the RADIUS Client Status field to Enabled,
and click the Apply button in the Client Settings section.
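The RADIUS tab asks for the server address, the UDP port (1812 or 1645) and the shared secret, and the procedure stresses that the secret must match what was entered on the server. The following Python script is an added example, not Enterasys or Funk code, that shows why: it builds an Access-Request the way RFC 2865 describes, hides the PAP password with MD5 over the shared secret, and verifies the server's Response Authenticator with the device's copy of the secret. The user table, the packet identifier and the Filter-Id value are constructed; no network traffic is sent.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and the attribute types used here (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FILTER_ID = 1, 2, 11
# "Auth. Client UDP Port" from the guide; 1645 is the older value some servers use.
RADIUS_AUTH_PORT = 1812


def pap_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    pad = (16 - len(password) % 16) % 16
    padded = password + b"\x00" * pad if password else b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def pap_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of pap_hide_password. A wrong secret yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ m for c, m in zip(block, mask)), block
    return out.rstrip(b"\x00")   # padding removal; PAP cannot carry trailing NULs


def _attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value


def parse_attributes(packet: bytes) -> list:
    """Return [(type, value), ...] from the attribute section of a packet."""
    length = struct.unpack("!H", packet[2:4])[0]
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def build_access_request(ident, username, password, secret, authenticator) -> bytes:
    attrs = _attr(USER_NAME, username) + _attr(USER_PASSWORD, pap_hide_password(password, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_response(code, ident, request_authenticator, secret, attrs=b"") -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs


def verify_response(response, request_authenticator, secret) -> bool:
    """Check the Response Authenticator with the client's copy of the secret."""
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


# Constructed user table standing in for the server's Users window entries.
SERVER_USERS = {b"jsmith": (b"s3cret-pw", b"Enterasys:version=1:policy=Student")}


def run_exchange(device_secret: bytes, server_secret: bytes, authenticator: bytes = None) -> dict:
    """One simulated authentication: device sends Access-Request, server
    answers, device validates the answer. Returns what the device concluded."""
    authenticator = authenticator or os.urandom(16)
    request = build_access_request(7, b"jsmith", b"s3cret-pw", device_secret, authenticator)

    # Server side: recover the password with *its* copy of the secret.
    req_attrs = dict(parse_attributes(request))
    revealed = pap_reveal_password(req_attrs[USER_PASSWORD], server_secret, authenticator)
    expected_pw, filter_id = SERVER_USERS.get(req_attrs.get(USER_NAME), (None, None))
    if expected_pw is not None and hmac.compare_digest(revealed, expected_pw):
        response = build_response(ACCESS_ACCEPT, 7, authenticator, server_secret, _attr(FILTER_ID, filter_id))
    else:
        response = build_response(ACCESS_REJECT, 7, authenticator, server_secret)

    # Device side: act only on a verifiable Access-Accept.
    verified = verify_response(response, authenticator, device_secret)
    accepted = verified and response[0] == ACCESS_ACCEPT
    role = dict(parse_attributes(response)).get(FILTER_ID) if accepted else None
    return {"verified": verified, "accepted": accepted, "filter_id": role}


if __name__ == "__main__":
    print("matching secrets:  ", run_exchange(b"net-sight-secret", b"net-sight-secret"))
    print("mismatched secrets:", run_exchange(b"net-sight-secret", b"another-secret-1"))
```

With matching secrets the device recovers the Filter-Id carrying the role; with a mismatch the server cannot recover the password and the device cannot validate the reply, which is the "authentication attempts will fail" symptom the guide describes.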
Now, use Policy Manager to configure authentication on each device. The steps you will use depend on
the authentication type(s) you are configuring. Some devices support multiple authentication types
and multiple users (Multi-User Authentication) per port, while others
are restricted to only one or two authentication types and single users
per port (Single User Authentication). Refer to the Policy
Manager/Firmware Feature Support tables in the
Release Notes for information
on the authentication types supported by each device type.
Configure the appropriate authentication types as follows (see the Help
topic Authentication Tab (Device) for
more information).
- In the left-panel Network Elements tab, select the device.
- In the right panel, select the Authentication tab and make the following selections
in the General Settings section:
Authentication Type: Single User Web-Based or Multi-User Web-Based
Authentication Status: Enabled
For devices that support multi-authentication types, you can set the
Multi-User Authentication Type Precedence. This allows you to set the order
in which the authentication types will be tried on the device, with the
authentication type on the left having the highest precedence (it will be tried
first). Select the authentication type you want to position, and use the left or
right arrow to arrange the types in the desired order of precedence.
- Click the Apply button in the General Settings section.
- In the Web Authentication section, select the General tab and select/enter the following information:
Enhanced Login Mode: Enable this feature, if desired. (This option is grayed out if not supported
on the device.)
Logo Display Status: Select Show or Hide, as desired. (This option is grayed out if not supported
on the device.)
WINS/DNS Spoofing: Select Enabled. (This option is grayed out if not supported
on the device.)
Authentication Protocol: Select PAP
Web Authentication URL: Enter the URL for your
authentication web page. (This option is grayed out if not supported on
the device.) The Enterasys default name for the web authentication URL is "secureharbour," but you can enter your own URL, if desired.
Web Authentication IP Address: Enter the IP address of your authentication web page server.
- Click the Apply button on the
General tab.
- Still in the Web Authentication section, select the Web Login tab and modify the Web Page Banner the end users
will see at the top of the authentication web page so that it fits your
needs. For example, you might include your company name and information
on what to do if the user has questions or problems. Because this banner also
appears in messages that occur during successful logon and failed
authentication, as well as on the "Radius Busy" screen, it would not be
appropriate to include "Welcome to [Your Company]" in the banner.
- Click the Apply button on the
Web Login tab.
- Repeat until all of your RADIUS client devices have been configured. If you are configuring
multiple devices, you may want to use the Device Configuration
Wizard.
- In the left-panel Network Elements tab, select the device.
- In the right panel, select the Authentication tab and make the following selections
in the General Settings section:
Authentication Type: Single User 802.1X or Multi-User 802.1X
Authentication Status: Enabled
For devices that support multi-authentication types, you can set the
Multi-User Authentication Type Precedence. This allows you to set the
order in which the authentication types will be tried on the device, with the
authentication type on the left having the highest precedence (it will be tried
first). Select the authentication type you want to position, and use the left or
right arrow to arrange the types in the desired order of precedence.
- Click the Apply button in the General Settings section.
- Repeat until all of your RADIUS client devices have been configured. If you are configuring
multiple devices, you may want to use the Device Configuration
Wizard.
- In the left-panel Network Elements tab, select the device.
- In the right panel, select the Authentication tab and make the following selections
in the General Settings section:
Authentication Type: Single User MAC or Multi-User MAC
Authentication Status: Enabled
For devices that support multi-authentication types, you can set the Multi-User
Authentication Type Precedence. This allows you to set the order in which the
authentication types will be tried on the device, with the authentication type
on the left having the highest precedence (it will be tried first). Select the
authentication type you want to position, and use the left or right arrow to
arrange the types in the desired order of precedence.
- Click the Apply button in the General Settings section.
- In the MAC Authentication Settings area, specify the MAC authentication password
that will be used for that device.
- Click the Apply button.
- Repeat until all of your RADIUS client devices have been configured. If you are configuring
multiple devices, you may want to use the Device Configuration
Wizard.
- In the left-panel Network Elements tab, select the device.
- In the right panel, select the Authentication tab and make the following selections
in the General Settings section:
Authentication Type: Single User 802.1X+MAC
Authentication Status: Enabled
- Click the Apply button in the General Settings section.
- In the MAC Authentication Settings area, specify the MAC authentication password
that will be used for that device.
- Click the Apply button in the MAC Authentication Settings section.
- Repeat until all of your RADIUS client devices have been configured. If you are configuring
multiple devices, you may want to use the Device Configuration
Wizard.
Upon completion of the steps in this document and any additional steps
contained in the Configuration Supplements that are applicable to your
authentication type, you will need to test your authentication
configuration. This section provides two testing scenarios: one for
web-based authentication and one for 802.1X authentication. If your tests are successful, you can go on to create your
remaining roles and services, referring to your plan and to the Help topics
How to Create a Role and How to Create a Service as needed.
If your test is unsuccessful and you have issues you cannot resolve by reviewing the configuration
steps in this document, contact Enterasys Technical Support for assistance.
In order to test your web-based authentication configuration, you will use Policy Manager to create one of
the roles from the plan you worked out earlier. You do not need to create the role's services and
classification rules at this time; only the role name is required for the test.
After creating the role, you will enforce it (write it to the device). You will then configure the
port mode on one port to be Active/Discard and another to be Active/Default Role.
Finally, you will attempt to log in to both ports as one of the users you mapped to the
role on the RADIUS server.
NOTE: Because Multi-User Web-Based Authentication does not support the Active/Discard
port mode, you must configure your device with Single User Web-Based
Authentication in order to perform the following Active/Discard mode test.
- Decide on the role you want to test. It might be helpful to test the role that is
assigned to your own user ID.
- Create the role as follows:
- In Policy Manager, select the Roles tab in the left panel.
- Right-click the Roles folder, and select Create Role.
- Type the role name in the highlighted box and press Enter.
- Click Enforce on the toolbar, review the effects of enforcing on
the Enforce Preview window if it is
enabled, then click Enforce
on that window. This writes the role to the devices,
making them aware of the role's existence, but it does not associate the role with any port.
- Select the Network Elements tab in the left panel.
- Expand the device to see its ports.
- Select a port to use as an Active/Discard mode port.
- In the right panel, select the Authentication Configuration tab.
- In the Port Mode area, set the port as follows:
Authentication Behavior: Active
Unauthenticated Behavior: Discard
- Select a port to use as an Active/Default Role mode port.
- In the right panel, select the Authentication Configuration tab.
- In the Port Mode area, set the port as follows:
Authentication Behavior: Active
Unauthenticated Behavior: Default Role
- Assign a default role to the port by right-clicking the port and selecting
Set Default Role.
- Select the role you created earlier, and click OK. Now the role
is associated with the port.
- To confirm that the ports are set correctly, select the right-panel Ports tab for the device and view the
Default Role and Port Mode columns for the ports you just configured.
Active/Discard mode means that authentication is enabled on the port, and unauthenticated
traffic is not allowed. For this test, the Active/Discard mode port should behave as follows, as displayed
on the Ports tab for the device:
- Prior to user login, the Default Role for the
port is <None>, and the Current Role for the port
is also <None>.
- After successful login,
the Default Role for the port is still <None>, but the Current Role for the port
becomes the user's assigned role.
- After the user logs out, the Default Role is still <None> and the
Current Role reverts to <None>.
NOTE: This test assumes the end user workstation is
configured as a DHCP client. If your end users use static IP addresses, they
must be on the 192.168.0.0 network (with a mask of 255.255.0.0) or have a route
to it. Otherwise, they will not be able to access the login screen for authentication.
To test your authentication configuration in Active/Discard mode:
- Before the user is authenticated, verify that the Active/Discard port you configured earlier does not allow
unauthenticated traffic to pass in either direction.
- Configure a user machine to be a DHCP client and connect it to the Active/Discard port.
- On the Ports tab, look at the Default Role and Current Role for the
selected port. They should both be <None>.
- On the user machine, confirm that you can get the correct IP address,
as follows:
Windows: Open a DOS window and enter: ipconfig /renew
Solaris: At the prompt, enter: ifconfig le0 dhcp
The IP address should be 192.168.1.[port number] where [port number]
is the port number on the device to which the user machine is connected. End
users who use DHCP receive this temporary IP address from the device. This IP
address provides access to the authentication login web page.
If authentication is successful, the user can obtain a permanent IP address from
the DHCP server.
- On the user machine, open your Netscape or Internet Explorer browser.
- If you are using Netscape, disable the proxy (unless you have performed one of the
other proxy configuration procedures in Browser Requirements,
earlier).
- Bring up the authentication login web page URL that you entered in the Web
Authentication section
of the Authentication tab.
- Type in the user name and password for the user being tested, and click Login to Network.
Within a few seconds, you should see the message Welcome to the Network.
If the Welcome message does not appear, check the following:
- Make sure you entered the user name and password correctly in the RADIUS server.
- If the message "Access is Denied" appears, it could mean the device cannot reach the
RADIUS server. Possible causes include:
- The device's IP address has not been properly entered in the RADIUS server
- The device has not been enabled as a RADIUS client
- The RADIUS server has not been properly specified on the device
- The correct client UDP port for the RADIUS server has not been specified in
Policy Manager
- Other possible causes of the "Access is Denied" message include:
- The wrong user/password combination was entered
- The user is not in the database
- The wrong authentication protocol has been specified (PAP vs. CHAP)
on the device.
- The wrong shared secret has been specified on the device
NOTES:
-- If you have configured multiple RADIUS servers, the same shared secret must be used for each RADIUS server. This
is because RADIUS clients (Policy Manager devices) only support one shared secret.
-- In the event of errors, the RADIUS server log for today's date may
assist in troubleshooting. For Funk RADIUS servers, this file is located in the Service directory in your
RADIUS server installation area. For Microsoft Authentication servers, view this information in the Event
Viewer.
- To confirm that your authentication was successful, do the following:
- To see that the role was assigned to the port, in Policy Manager, look at the
Ports
tab for the device again. The Default Role should say <None>,
and the Current Role should be the one assigned to the user who just logged on.
- To see that the user machine has the new IP address, issue the ipconfig /all
(Windows) or ifconfig le0 dhcp (Solaris) command at the command prompt.
- To see that the user is a client in the DHCP IP address scope, on the DHCP services machine open
the DHCP Manager, double-click Local Machine, and double-click the scope. The
Active Lease window opens to show you the active DHCP clients.
- On the user machine, return to the web authentication URL and log off the network. To confirm
that your role is no longer active on the port, return to the Policy Manager
Ports tab for
the device and note that the Current Role for the port again says <None>.
- Verify again that the port does not allow unauthenticated
traffic to pass in either direction.
Active/Default Role mode means that authentication has been enabled on
the port, but a default role will apply in the absence of an
authenticated user. A user does not need to authenticate to access the
(usually limited) services provided by the default role. However, a user
may opt to authenticate in order to access the (possibly more robust)
services provided by his or her own role. For this test, the Active/Default
Role mode
port should behave as follows, as displayed on the Ports tab for the device:
- Prior to user login, the Default Role for the port is whatever role has been
assigned as the default in Policy Manager, and the Current Role is the same as the Default Role.
- After successful login, the Default Role remains the assigned default role for the port, but the Current Role
becomes the user's role.
- After the user logs off, the Current Role reverts to the Default Role.
NOTE: This test assumes the user has a static IP address. End users who use static IP addresses
must be on the 192.168.0.0 network (with a mask of 255.255.0.0) or have a route
to it. Otherwise, they will not be able to access the login screen for authentication.
To test your authentication configuration in Active/Default Role mode:
- Connect a user machine to the Active/Default Role port to which you assigned the default role earlier.
- In Policy Manager, on the Ports tab for the device, confirm that the Default Role
and Current Role for that port are identical.
- On the user machine, bring up the authentication login web page URL that you entered in the
Web Authentication section
of the Authentication tab.
- Type in the user name and password, and click Login to Network.
Within a few seconds, you should see the message Welcome to the Network.
If the Welcome message does not appear, refer to the suggestions under
step 8 in the previous section.
- In Policy Manager, look at the Ports
tab for the device again. The Default Role should be the role you assigned as
the default for the port, but the Current Role should be the one assigned to the
user who just logged on.
- On the user machine, return to the web authentication login page and log off the network. To confirm
that the role for the port has reverted to the default, return to the Policy Manager
Ports
tab for the device and note that the Current Role for the port is again the same
as the Default Role.
In order to test your 802.1X authentication configuration, you will use Policy Manager to create one of
the roles from the plan you worked out earlier. You do not need to create the role's services and
classification rules at this time; only the role name is required for the test.
After creating the role, you will enforce it (write it to the device). You will
then configure the port mode on one port to be Active/Discard and another to be
Active/Default Role.
Finally, you will attempt to log in to both ports as one of the users you mapped to the
role on the RADIUS server.
- Decide on the role you want to test. It might be helpful to test the role that is
assigned to your own user ID.
- Create the role as follows:
- In Policy Manager, select the Roles tab in the left panel.
- Right-click the Roles folder, and select Create Role.
- Type the role name in the highlighted box and press Enter.
- Click Enforce on the toolbar, review the effects of enforcing on
the Enforce Preview window if it is
enabled, then click Enforce
on that window. This writes the role to the devices,
making them aware of the role's existence, but it does not associate the role with any port.
- Select the Network Elements tab in the left panel.
- Double-click a device to see its ports.
- Select a port to use as an Active/Discard mode port.
- In the right panel, select the Authentication Configuration tab.
- In the Port Mode area, set the port as follows:
Authentication Behavior: Active
Unauthenticated Behavior: Discard
- If you have configured Single User 802.1X or 802.1X+MAC authentication
types, Active/Discard mode requires that any default role set on the port is
cleared. If you have set a default role for this port, you will be prompted
to clear it.
- Select a port to use as an Active/Default Role mode port.
- In the right panel, select the Authentication Configuration tab.
- In the Port Mode area, set the port as follows:
Authentication Behavior: Active
Unauthenticated Behavior: Default Role
- If you have configured Single User 802.1X or 802.1X+MAC authentication
types, Active/Default Role mode requires that you set a default role on the
port, and you will be prompted to assign a role. Otherwise, you must assign a default role to the port by right-clicking the port and selecting
Set Default Role.
- Select the role you created earlier, and click OK. Now the role
is associated with the port.
- To confirm that the ports are set correctly, select the right-panel Ports tab for the device and view the Default Role and Port Mode
columns for the ports you just configured.
Active/Discard mode means that authentication is enabled on the port, and unauthenticated
traffic is not allowed. For this test, the Active/Discard mode port should behave as follows, as displayed
on the Ports tab for the device:
- Prior to user login, the Default Role for the
port is <None>, and the Current Role for the port
is also <None>.
- After successful login,
the Default Role for the port is still <None>, but the Current Role for the port
becomes the user's assigned role.
- After the user logs off, the Default Role is still <None> and the
Current Role reverts to <None>.
To test your authentication configuration in Active/Discard mode:
- Before the user is authenticated, verify that the Active/Discard mode port you configured earlier does not allow
unauthenticated traffic to pass in either direction.
- Connect a user machine to the port.
- On the Ports tab, look at the Default Role and Current Role for the
selected port. They should both be <None>.
- On the user machine, log on to the network.
- In Policy Manager, look at the Ports
tab for the device again. The Default Role should be <None>, but the Current Role should be the one assigned to the
user who just logged on.
- On the user machine, log off the network. To confirm
that your role is no longer active on the port, return to the
Ports tab for
the device and note that the Current Role for the port again says <None>.
- Verify again that the port does not allow unauthenticated
traffic to pass in either direction.
Active/Default Role mode means that authentication has been enabled on
the port, but a default role will apply in the absence of an
authenticated user. A user does not need to authenticate to access the
(usually limited) services provided by the default role. However, a user may opt
to authenticate in order to access the (possibly more robust) services
provided by his or her own role. For this test, the Active/Default Role mode port
should behave as follows, as displayed on the Ports tab for the device:
- Prior to user login, the Default Role for the port is whatever role has been
assigned as the default in Policy Manager, and the Current Role is the same as the Default Role.
- After successful login, the Default Role remains the assigned default role for the port, but the Current Role
becomes the user's role.
- After the user logs off, the Current Role reverts to the Default Role.
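The Default Role / Current Role transitions that both test sections (web-based and 802.1X) tell you to verify on the Ports tab, together with the port-mode constraints the guide states, encoded as a small Python model. This is an added example, not Policy Manager or Enterasys code; the Port class, the role names and the sample user are constructed for illustration.

```python
# Added example (not Policy Manager code): a model of the Ports-tab behaviour the
# guide tells you to verify, so a test plan's expected values can be generated and
# the stated port-mode constraints checked before touching a switch.
from dataclasses import dataclass
from typing import List, Optional, Tuple

NONE = "<None>"  # how the Ports tab displays an unset role

# Authentication types named in the guide
SINGLE_USER_WEB = "Single User Web-Based"
MULTI_USER_WEB = "Multi-User Web-Based"
SINGLE_USER_8021X = "Single User 802.1X"
SINGLE_USER_8021X_MAC = "Single User 802.1X+MAC"


@dataclass
class Port:
    auth_type: str
    unauth_behavior: str                # "Discard" or "Default Role"; Authentication Behavior is Active
    default_role: Optional[str] = None  # role set via Set Default Role, if any
    user_role: Optional[str] = None     # role RADIUS assigned to the currently logged-on user

    def validate(self) -> None:
        """Reject combinations the guide says the device or Policy Manager will not accept."""
        if self.unauth_behavior == "Discard":
            if self.auth_type == MULTI_USER_WEB:
                raise ValueError("Multi-User Web-Based does not support Active/Discard")
            if self.auth_type in (SINGLE_USER_8021X, SINGLE_USER_8021X_MAC) and self.default_role:
                raise ValueError("Active/Discard with Single User 802.1X(+MAC) needs the default role cleared")
        elif self.unauth_behavior == "Default Role":
            if self.default_role is None:
                raise ValueError("Active/Default Role mode needs a default role on the port")
        else:
            raise ValueError(f"unknown Unauthenticated Behavior: {self.unauth_behavior!r}")

    def login(self, assigned_role: str) -> None:
        self.user_role = assigned_role

    def logoff(self) -> None:
        self.user_role = None

    def ports_tab(self) -> Tuple[str, str]:
        """(Default Role, Current Role) as the guide says the Ports tab shows them."""
        default_shown = self.default_role or NONE
        # With no authenticated user the Current Role follows the Default Role:
        # <None>/<None> in Active/Discard, default/default in Active/Default Role.
        return default_shown, self.user_role or default_shown


def rejects(port: Port) -> bool:
    """True if the port configuration is one the guide says cannot be used."""
    try:
        port.validate()
    except ValueError:
        return True
    return False


def expected_sequence(port: Port, user_role: str) -> List[Tuple[str, str]]:
    """Ports-tab snapshots before login, after login and after logoff."""
    port.validate()
    snapshots = [port.ports_tab()]
    port.login(user_role)
    snapshots.append(port.ports_tab())
    port.logoff()
    snapshots.append(port.ports_tab())
    return snapshots
```

Compare each snapshot with what the Ports tab shows at the corresponding step of the walkthrough; a mismatch at the "after login" step points at the RADIUS role mapping, a mismatch at "after logoff" at the port mode.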
To test your authentication configuration in Active/Default Role mode:
- Connect a user machine to the Active/Default Role mode port to which you
assigned the default role earlier.
- In Policy Manager, on the Ports tab for the device, confirm that the Default Role
and Current Role for that port are identical.
- On the user machine, log on to the network.
- In Policy Manager, look at the Ports
tab for the device again. The Default Role should be the role you assigned as
the default for the port, but the Current Role should be the one assigned to the
user who just logged on.
- On the user machine, log off the network. To confirm
that the role for the port has reverted to the default, return to the Policy Manager
Ports
tab for the device and note that the Current Role for the port is again the same
as the Default Role.