In Policy Manager, you can configure devices for authentication,
whereby users identify
themselves to the network and are given customized access capabilities
based on what role they serve in the organization.
Policy Manager uses a RADIUS server and an
authentication-enabled switch to allow the active role on a
port to be dynamically assigned, based on the user's login.
You can configure
authentication for a
single device or for multiple devices. You can also configure authentication
parameters on
individual ports (see How
to Configure Ports), but you need to configure and enable authentication on the device before
any port authentication settings will take effect.
You can configure devices in two ways:
- Using the Device Configuration Wizard: The Device Configuration Wizard
is a series of windows that lets you define a configuration, then
apply it to the devices of your choosing. You can use this method to
configure a single device, but it is especially useful for configuring multiple devices.
- Using the Device Tabs: This method enables you to configure or modify the same options found in the
Device Configuration Wizard, but for a selected device, using the right-panel device tabs.
The Device Configuration Wizard is a series of windows enabling you to
define an authentication configuration, then apply it to the devices of your
choosing. You can elect to configure authentication settings only, RADIUS
client/server communication settings, or both. You can also configure MAC
Locking, Rule Accounting, and CEP (Convergence End Point) for the devices, and a device-level role for Matrix C1 devices only.
- From the menu bar, select Tools > Device
Configuration Wizard.
- In the Device Configuration window, select the components you
wish to configure.
- Authentication
Specify the authentication type(s) you want to configure: Single User,
Multi-User, or None. Some devices support multiple authentication types and
multiple users (Multi-User Authentication) per port, while others are
restricted to only one or two authentication types and a single user per port
(Single User Authentication). Refer to the Policy
Manager/Firmware Feature Support tables in the Release Notes for
information on the authentication types supported by each device type. For
more information on the different types of authentication, see
Authentication Types.
WARNING: Switching Authentication Types, or changing the Authentication Status from Enabled to Disabled, will log off any currently authenticated users.
- RADIUS
Select the options related to the RADIUS server(s) and RADIUS client devices that you want to
configure.
- RADIUS Server(s) - Lets you add or remove the RADIUS servers that will
be used for authentication and accounting purposes.
- RADIUS Client Settings - Lets you configure and enable
communication between the device (RADIUS client) and a RADIUS server or
servers, for the purposes of authentication
and accounting.
- Application Shared Secret - Lets you set up a password that
encrypts communication between Policy Manager and the devices for
retrieving and setting RADIUS information.
- General
Select the general device options you want to configure.
- MAC Locking - Lets you enable MAC Locking on devices
that support it.
- Device Level Role (C1 Only) - On Matrix
C1 devices, you can set a device-level role that configures the services
and rules for all ports on the device. Due to a limitation of the C1
devices, services and rules from the role returned from authentication
cannot be applied to the port. The services and rules from this
device-level role will be used instead.
- CEP Role Mapping - Lets you enable the CEP (Convergence End Point) feature
on devices that support it. It also lets you select the CEP product types
supported on the device, and map a role for each type. Then, when a
convergence endpoint (such as an IP phone) connects to the network, the
device identifies the type of endpoint and applies the assigned role.
- Rule Accounting
- Lets you enable Rule Accounting on devices that support it. When rule
accounting is enabled on a device, each rule keeps a list of the ports
on which it has been used. You can view this port information in
the Rule Usage tab.
- Class of Service Mode
- Lets you select the Class of Service mode on the devices you are
configuring. Classes of service can be assigned as a classification rule
action, as part of the definition of an automated service, or as a role
default.
- Invalid Role Action - Lets you specify what happens
to a user that gets an unknown or invalid role.
- RFC3580 VLAN Authorization Status - Lets you enable or disable RFC 3580 VLAN
Authorization on devices that support it.
- The sequence of windows you see next depends on
the selections you made in the Device Configuration window.
NOTE: Each window provides the option to use the current configuration on the device(s), or set a new configuration. If you select Use Current Configuration on Device(s), the default settings in the window are visible, but are unavailable for entry or editing. Keep in mind that these values do not necessarily reflect the current settings on the device.
If you have selected to configure Authentication:
All the windows you could see are listed below, but only those
related to the Authentication type(s) you selected will actually appear:
- Authentication Configuration window
This window varies
depending on the authentication types you have selected:
General Authentication Settings - Web-Based
Select the web-based authentication parameters you wish to configure. These
parameters may not be supported on every device. Refer to the Release Notes
Policy Manager/Firmware Feature Support
tables for information on what features are supported on the various
device types.
- Enhanced Login Mode - Lets you enable the Enhanced Login Mode
which causes the authentication web page to be displayed regardless of
whether the URL entered into the browser by the end user is the Web
Authentication URL or not.
- Web Authentication URL - Lets you enter the URL for your
authentication web page.
- Web Authentication IP Address - Lets you enter the IP address
of your authentication web page server.
- Web Page Banner - Lets you customize the banner the users see
at the top of the authentication web page.
For example, you might include your company name and information
on what to do if the user has questions or problems. Because this banner also
appears in messages that occur during successful login and failed
authentication, as well as on the "Radius Busy" screen, it would not be
appropriate to include "Welcome to [Your Company]" in the
banner.
- Web Authentication Logo Display Status - Lets you specify
whether to show or hide the Enterasys Networks logo on the Web Page Banner.
- Guest Networking - Lets you enable guest networking which allows any user
to access the network and obtain a guest policy
without having to know a username or password.
- Redirect Time - For devices with Enhanced Login Mode
enabled. Specifies the amount of time (in seconds) before the end user
is redirected from the authentication web page to their requested URL.
- DNS Server Configuration - Lets you add your DNS domain name and server addresses to support
the Enhanced Login Mode.
General Authentication Settings - MAC-Based
Select the MAC User Password authentication parameter:
- MAC User Password - Lets you enter the password to be used for MAC authentication (1-32
characters).
- General Authentication Settings window
Select whether to enable or disable the authentication type (Authentication
Status) for the device(s). Leaving the status disabled gives you the ability
to configure and reconfigure authentication settings without affecting your
network until authentication configuration is complete. If you have selected
multiple authentication types, all of the authentication types selected will
be enabled or disabled with this one setting.
WARNING: Switching Authentication Types, or changing the Authentication Status from Enabled to Disabled, will log off any currently authenticated users.
CAUTION: Setting the authentication status to Enabled will affect communications through
the front panel ports. Any front panel port being used for management should be set
to inactive/default mode before setting authentication status to Enabled. If you
elect to enable authentication, an Authentication Status window appears offering
you choices for actions that will take effect on front panel ports after the
wizard is finished. These options are described in detail in the Authentication
Status window. (If you choose the Select Ports to set to Inactive/Default Role
option, the Set Authentication Port Mode to Inactive/Default Role window will appear at the end of the wizard after you've selected the devices to
which the configuration will apply and clicked Finish.) After making your
selection, click OK to return to the Authentication Settings window.
If you selected Web-Based as an Authentication Type, enable or disable WINS/DNS
spoofing for DHCP clients, and select the Authentication
Protocol being used.
If you are configuring Multi-User Authentication, you can set the
Authentication Type Precedence. This allows you to set the order in which
the authentication types will be tried on the device, with the
authentication type on the left having the highest precedence (it will be
tried first). Select the authentication type you want to position, and use
the left or right arrow to arrange the types in the desired order of
precedence.
- Enhanced Login Mode window (web-based authentication only)
Enabling this feature causes the authentication web page to be displayed
regardless of whether the URL entered into the browser by the end user
is the Web Authentication URL or not.
- Web Authentication URL window (web-based authentication only)
Enter the URL for your authentication web page. Users access the
authentication web page from a browser using this URL. The http:// is
supplied. Alphabetical characters, numerical characters and dashes are
allowed as part of the URL, but dots are not. The default URL is secureharbour.
The URL needs to be mapped to the Web Authentication IP address in DNS
or in the hosts file of each client. It must be resolvable via DNS/WINS,
either on the device or at corporate, assuming the Web Authentication
mapping has been set up on the corporate DNS/WINS service. This option
is grayed out if not supported by the device.
- Web Authentication IP Address window (web-based authentication only)
Enter the IP address of your authentication web page server. If you have
specified a Web Authentication URL, the IP address needs to be mapped to
the URL in DNS or in the hosts file of each client.
- Login Web Page Banner window (web-based authentication only)
Enter any information you want to convey to your users at the top of your authentication
web page. For example, you might enter your company name, and information
on what to do if the user has questions or problems.
The Default button allows you to reset the banner to default text provided in a
text file (pwa_banner.txt). Initially, the default banner text is the Enterasys contact
information. However, you can customize the text for your network by editing the pwa_banner.txt file, located in the top level of the Policy Manager install directory.
- Web Authentication Logo Display Status window (web-based authentication
only)
Specify whether to show or hide the Enterasys Networks logo on your authentication
web page.
- DNS Server Configuration window (web-based authentication only)
Configure your DNS domain name and server addresses to support the Enhanced
Login Mode on Matrix E1 devices. Enter your local DNS Domain Name (for example, Enterasys.com),
and your local DNS Server IP addresses. Enter an IP
address and click Add to add a server address. Select an address and click
Remove to remove an
address from the list. Addresses are used in the order they are listed.
- Guest Networking window (web-based authentication only)
Guest networking allows any user to access the network and obtain a guest
policy without having to know a username or password. The user accesses the
authentication web page, where the username and password fields are automatically filled
in, allowing them to log in as a guest. If the user does not want to log in as a
guest, they can type in their valid username and password to log in.
NOTE: Guest networking is designed for networks using web-based authentication, with port mode set to Active/Discard.
Make the following guest
networking selections:
-- Guest Networking Status: Use the drop-down list to specify guest networking status:
- Disable -- Guest networking will be unavailable.
- Local Auth -- Guest Networking will be enabled. The user
accesses the authentication web page where the username field is automatically
filled in with the specified Guest Name.
Once the user submits the login page using this guest name, the default
policy of that port becomes the active policy. The port mode must be
set to
Active/Discard mode.
- RADIUS Auth -- Guest Networking will be
enabled. The user accesses the login web page, where the username field is
automatically filled in with the specified
Guest
Name, and the password field is masked out with asterisks. Once the user
submits the login page using these credentials, the value of the
Guest
Password will be used for authentication. Following successful
authentication from the RADIUS server, the port will apply the policy
returned from the RADIUS server. The port mode must be
set to Active/Discard mode.
-- Guest Name: Enter the guest name. This is the username that Guest
Networking will use to authenticate users, and is displayed automatically on the login web page.
-- Guest Password: If you have selected RADIUS Auth, enter the guest password that will be used for authentication.
- Redirect Time window (web-based authentication only)
This setting applies to devices with Enhanced Login Mode
enabled. Enter the amount of time (in seconds) before the end user
is redirected from the authentication web page to their requested URL. Click the
Default button to enter the default value of 30 seconds.
An end station using DHCP requires time to transition from the temporary IP address issued by
the authentication process to the official IP
address issued by the network. Redirect Time specifies the amount of
time allowed for the end station to complete this process and begin
using its official IP address. The default value of 30 seconds is
adequate for most networks; however, some networks may require a longer
or shorter time period. If the Redirect Time is not long enough,
the browser times out while attempting to load the requested URL. In networks that only use static IP addresses,
a Redirect Time of 5 to 10 seconds is usually sufficient; a value of
less than 5 seconds is not recommended.
For example, if a user (in Enhanced Login Mode and a Redirect Time of 30
seconds) enters the URL of
"http://enterasys.com", they will be presented the
authentication web page. When the user successfully authenticates into the network,
they will see a login success page that displays
"Welcome to the Network. Completing network connections.
You will be redirected to http://enterasys.com in
approximately 30 seconds".
- MAC User Password window
Enter the password that will be passed to the RADIUS server for MAC
authentication (1-32 characters).
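The Web Authentication URL, Redirect Time and client hosts-file rules from the windows above, turned into checks you can run before enforcing a configuration. This is an added example, not Policy Manager code; the function names and the sample hosts-file text (including its address) are constructed for illustration.

```python
"""Check a planned web-based authentication configuration against the rules
described above (added example; not Policy Manager code). The function names
and the sample hosts-file text are constructed for illustration."""
import re
from typing import Dict, List

# Web Authentication URL: letters, digits and dashes only, no dots;
# the device supplies the "http://" itself.
URL_NAME_RE = re.compile(r"^[A-Za-z0-9-]+$")
DEFAULT_URL_NAME = "secureharbour"
DEFAULT_REDIRECT_S = 30


def check_web_auth_url(name: str) -> List[str]:
    """Return the problems with a Web Authentication URL (empty list = OK)."""
    problems = []
    if name.lower().startswith("http://"):
        problems.append("do not include http://; the device supplies it")
    elif not URL_NAME_RE.match(name):
        problems.append("URL may contain only letters, digits and dashes (no dots)")
    return problems


def check_redirect_time(seconds: int, static_ips_only: bool) -> List[str]:
    """Redirect Time must leave DHCP clients time to move from the temporary
    address to their real one; 5-10 s is enough only on static-IP networks."""
    problems = []
    if seconds < 5:
        problems.append("Redirect Time below 5 seconds is not recommended")
    elif seconds < DEFAULT_REDIRECT_S and not static_ips_only:
        problems.append("Redirect Time below the 30 s default may time out DHCP clients")
    return problems


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname in hosts-file text to its address, ignoring comments."""
    mapping: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for n in names:
            mapping[n.lower()] = addr
    return mapping


def hosts_map_url(hosts_text: str, url_name: str, web_auth_ip: str) -> bool:
    """True when the client's hosts file resolves the URL to the Web
    Authentication IP address configured on the device."""
    return parse_hosts(hosts_text).get(url_name.lower()) == web_auth_ip


# Constructed sample hosts-file contents for one client (address is made up).
SAMPLE_HOSTS = """
127.0.0.1   localhost
# web authentication page for the access switches
10.1.2.3    secureharbour   # constructed example address
"""
```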
If you have selected to configure RADIUS:
All the windows you could see are listed below, but only those
related to the RADIUS options you selected will actually appear:
- RADIUS Server(s) window
Add or remove RADIUS servers to use for authentication and accounting
purposes. The order in
which the servers are listed is the order of priority for the servers; the
device will try to communicate with the RADIUS server at the top of the
list first.
-- To add a RADIUS server: Click Add to open the
Add RADIUS Server window, where
you will specify the information required for communication between the
devices and the RADIUS server.
-- To remove a RADIUS server: Select the server in the table and
click Remove.
NOTE: Setting a new configuration for RADIUS servers will remove/replace any RADIUS servers currently configured on the device(s).
- RADIUS Client Settings window
Make the following RADIUS client selections:
-- RADIUS Client Status: Enable or disable the RADIUS client.
If enabled, the device becomes a RADIUS client and will communicate with a
RADIUS server whenever a user logs on to a port on the device, as long as
the port itself is enabled for authentication and the device is set up as a
client on the RADIUS server. The default is Disabled.
-- Number of Retry Attempts: Enter the number of attempts the RADIUS
client will make in contacting each RADIUS server before giving up and
trying the next RADIUS server on the list. Valid values are 1-65535.
-- Retry Timeout Duration (seconds): Enter the number of seconds to wait for the
RADIUS server to respond before trying again. Valid values are 1-65535.
-- Client Accounting Status: Enable or disable RADIUS Accounting
for SNMPv3 devices that support it. RADIUS Accounting is used by a device (the RADIUS client)
to save accounting data on a RADIUS server. If enabled, an
accounting session starts after the user is successfully authenticated by a
RADIUS server. The default is Disabled.
-- Accounting Update Interval (minutes): Enter the number of minutes between accounting updates,
when collected accounting data is sent from the device (RADIUS client) to
the RADIUS server.
Valid values are 1-65535. It is recommended that the value be greater than
10 minutes, and careful consideration should be given to its impact on
network traffic.
- Application Shared Secret window
Select from the following choices the application shared secret
you want to be used for communication between Policy Manager and the device when setting or retrieving RADIUS
information.
-- Auto-Generate an application shared secret: If you want the system to generate a secure key
automatically, select this button.
-- Use the following application shared secret: If you want to create
your own shared secret, select this button and type in a 32-character string with optional
dashes or spaces, typically xxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxx.
-- Use the default application shared secret: If you want to
use the default application shared secret, click this button. This
is not recommended, as it is less secure than a non-default shared secret.
WARNING: It is important to remember the Application Shared Secret,
since the shared secret specified in Policy Manager must match the shared secret
on the device in order to change the shared secret. If you delete and recreate
the device model, you will have to supply the correct Application Shared Secret
in the device's RADIUS tab in order to retrieve or input RADIUS settings in the
RADIUS tab. If you're using an Auto-Generated or User-Defined Application
Shared Secret and you clear NVRAM on
the device, you will need to go to the RADIUS tab for the device in Policy
Manager and change the Application Shared Secret back to "Default" in order to
regain access to the RADIUS information in that tab. Once Policy Manager
and the device are using the same (Default) Application Shared Secret, then the
Application Shared Secret can be changed to be either Auto-Generated or
User-Defined.
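The RADIUS Client Settings and Application Shared Secret rules above, as an added example (not Policy Manager code) that reviews a planned configuration before it is written to devices: it computes the longest a login can wait while the client walks the server list, flags an accounting interval at or below the recommended 10 minutes, rejects the default shared secret, and checks a user-defined secret for the 32-character xxxx-xxxx form. The config class, field names and the hex character set of the generated secret are assumptions.

```python
"""Review a planned RADIUS client configuration against the limits and
recommendations described above (added example; not Policy Manager code).
The config object, its field names and the sample values are constructed."""
import re
import secrets
from dataclasses import dataclass
from typing import List

FIELD_MIN, FIELD_MAX = 1, 65535      # valid range for the numeric wizard fields
RECOMMENDED_ACCT_MIN = 10            # accounting interval should exceed this


@dataclass
class RadiusClientConfig:
    servers: List[str]               # priority order: top of the list is tried first
    retry_attempts: int              # attempts per server before trying the next one
    retry_timeout_s: int             # seconds to wait for a reply on each attempt
    accounting_enabled: bool = False
    accounting_interval_min: int = 15
    secret_mode: str = "auto"        # "auto", "user" or "default" (assumed names)
    user_secret: str = ""


def generate_secret() -> str:
    """Random 32-character secret in xxxx-xxxx-... form (hex set is an assumption)."""
    raw = secrets.token_hex(16)      # 32 hex characters
    return "-".join(raw[i:i + 4] for i in range(0, 32, 4))


def normalize_secret(value: str) -> str:
    """Drop the optional dashes and spaces so only the 32 characters remain."""
    return re.sub(r"[- ]", "", value)


def worst_case_wait_seconds(cfg: RadiusClientConfig) -> int:
    """Longest a login can hang before every server has been exhausted:
    each server gets retry_attempts tries of retry_timeout_s each."""
    return len(cfg.servers) * cfg.retry_attempts * cfg.retry_timeout_s


def check_config(cfg: RadiusClientConfig) -> List[str]:
    """Return the problems found; an empty list means the config is acceptable."""
    problems = []
    if not cfg.servers:
        problems.append("no RADIUS server configured")
    for name, value in (("Number of Retry Attempts", cfg.retry_attempts),
                        ("Retry Timeout Duration", cfg.retry_timeout_s)):
        if not FIELD_MIN <= value <= FIELD_MAX:
            problems.append(f"{name} {value} outside {FIELD_MIN}-{FIELD_MAX}")
    if cfg.accounting_enabled:
        if not FIELD_MIN <= cfg.accounting_interval_min <= FIELD_MAX:
            problems.append("Accounting Update Interval outside 1-65535")
        elif cfg.accounting_interval_min <= RECOMMENDED_ACCT_MIN:
            problems.append("Accounting Update Interval should exceed 10 minutes")
    if cfg.secret_mode == "default":
        problems.append("default Application Shared Secret in use (not recommended)")
    elif cfg.secret_mode == "user" and len(normalize_secret(cfg.user_secret)) != 32:
        problems.append("user-defined secret must be 32 characters (dashes/spaces optional)")
    return problems
```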
If you have selected General:
All the windows you could see are listed below, but only those related to
the options you selected will actually appear:
- MAC Locking window
Configure MAC Locking status on the device. Setting
MAC Locking to Enabled will allow the device to lock MAC addresses to all ports that have the MAC Locking
feature enabled.
- Device Level Role (C1 Only) window
Use the drop-down list to select a device-level role that configures the
services and rules for all ports on the device. Select the Clear the
current default role option to set the device-level role back to <None>.
- CEP Role Mapping window
Configure the CEP status on the device. Then, use the Add
button to select the CEP product types supported on the device, and map a role for each type.
- Rule Accounting window
When rule accounting is enabled on a device, each rule keeps a list of
the ports on which it has been used. You can view this port information
in the rule's Rule Usage tab.
In addition, you can enable certain auto-clear operations that determine
when to clear ports from a rule's Rule Usage tab.
- Clear Rule Usage on Port Link-Status Change - Clears rule usage data when the port has a
link-status change.
- Clear Rule Usage Port Role Change - Clears rule usage
data when the port's role
changes.
- Clear Rule Usage on Interval - Clears rule usage data at a set
interval. Enter the desired interval (in minutes).
- Class of Service Mode window
Select the Class of Service mode for the device.
Policy Manager supports two modes of class of service, with each mode
providing a different rate limit functionality. See Getting Started
with Class of Service for more information on the two modes. You can also
select an option to disable rate limits on the devices you are
configuring.
- Rate Limits Disabled - Select this option if you want rate limits disabled on the device.
This means that any priority-based rate limits will not be written to
the device on enforce, and any role-based rate limits will not be
included in roles written to the device on enforce.
- Role-Based Rate Limits/Transmit Queue Configuration - Select this mode if you want to configure role-based rate limits and
transmit queues on the device. See
Defining Role-Based Rate Limits and How to
Configure Transmit Queues for more information.
- Priority-Based Rate Limits - Select this mode if you want to configure priority-based rate limits
on the device. Priority-based rate limits add to the amount of time it takes to
enforce and verify roles. Once you've created your rate limits and
enforced them, you may want to disable rate limits so that it
takes less time to enforce. See
Defining Priority-Based Rate Limits for more information.
- Invalid Role Action
Select the action you would like taken if an authenticated user is
assigned an unknown or invalid role:
- Apply Default - Apply the default role to the user.
- Discard - Drop the packets for this user.
- RFC3580 VLAN Authorization Status window
Enable or disable RFC 3580 VLAN Authorization on the device. Enabling VLAN Authorization
allows you to configure Authentication-Based VLAN to Role Mapping as a way to assign a role to a
user during the authentication process, based on a VLAN ID. For
more information, see VLAN to Role
Mapping in the Concepts Help topic.
To configure Authentication-Based VLAN to Role Mapping, use the
role's Mappings tab and/or the VLAN's
General tab.
- In the Device Selection window, select
the device(s) to which you want this configuration to apply.
- Click Finish.
NOTE: If you elected to enable authentication as part of the device configuration, and chose the "Select Ports to set to Inactive/Default Role" option, the Set Authentication State to Inactive/Default Role window now appears. Make your selections and click OK to complete the wizard.
Configuring a device using the device tabs enables you to set up or modify the same options found in the
Device Configuration Wizard, but for a selected device, using the right-panel
device tabs.
NOTE: When you create or import a device, Policy Manager determines whether or not authentication is enabled on the device. If so, the appropriate Authentication Type is displayed in the device's Authentication tab, with the Authentication Status set to Enabled. If no authentication is enabled on the device, Policy Manager displays the previous Authentication Type setting for the device if there was one, or Authentication Type: Web-Based if not.
To configure a device using the device tabs:
- In the left-panel Network Elements tab, select the device you want
to configure.
- Use the right-panel tabs to configure the device:
- Select the Authentication
tab and fill out the tab as required. Be sure to click Apply
in any part of the tab you change.
- Select the RADIUS tab
and fill out the tab as required.
- To enable MAC Locking, select the MAC Locking tab and configure the options as desired.
- In the right panel, select the
Role/Rule tab and configure a
device-level role (Matrix C1 devices only) or enable Rule Accounting
as desired.
- To enable CEP (Convergence End Point), select the CEP tab
and configure the options as desired.
- Select the
General tab and choose your Class of
Service mode.
When Policy Manager is launched, it automatically contacts the devices.
However, this can take some time when you have many devices. If it
is not required that Policy Manager and the devices be synchronized each time
you launch Policy Manager, you can turn off the device contact at launch by deselecting the
Contact Devices on Startup option in the Options
Startup view (Tools > Options).