Survey the Network
4-6 Design Planning
Similar to 802.1X, web-based authentication requires the input of credentials and is normally used on user-centric end-systems that have a concept of an associated user, such as a PC. Therefore, this authentication method is inappropriate for machine-centric devices such as printers and IP cameras.
Note that web-based authentication is a user-initiated authentication method where the user must manually begin the network login process by opening a web browser and entering credentials. This user-initiated method prevents seamless network connectivity because the end user must initiate the reauthentication after assessment is complete.
Since Enterasys NAC only acts as a pass-through to an upstream RADIUS Server, it is mandatory that a full authentication deployment is configured on the network if web-based authentication is used.
MACAuthentication
MAC authentication authenticates the source MAC address of an end-system and grants the appropriate level of access by validating the MAC address on the RADIUS authentication server. This authentication method only requires that the end-system generate a packet; it requires no special software on the end-system.
Unlike 802.1X and web-based authentication, MAC authentication can be used to authenticate machine-centric end-systems that have no concept of an associated user, such as a printer or IP camera.
With this authentication method, Enterasys NAC can act as a pass-through to an upstream RADIUS Server or can locally authorize MAC authentication attempts. Therefore, if a full authentication deployment has not been configured on the network, MAC authentication should be used.
End-System Capabilities
When authentication is configured on the network, it is important to consider end-system capabilities and their ability to interact with the authentication process. Machine-centric end-systems that do not possess an 802.1X supplicant, such as IP cameras and printers, may only be capable of MAC authenticating to the network.
Some human-centric end-systems, such as PCs, may be capable of 802.1X and web-based authentication, while other PCs not installed with an 802.1X supplicant are only capable of web-based authentication. If end-systems are implementing 802.1X and web-based authentication, Enterasys NAC should leverage these authentication methods for end-system detection. For end-systems not implementing 802.1X or web-based authentication, MAC-based authentication can be enabled on these switch ports.
Support of Multiple Authentication Methods
In order to support an enterprise network consisting of a diverse environment of machine-centric and human-centric devices, it is important that the intelligent edge of the network supports the concurrent enabling of multiple authentication methods, all at the same time on the same switch port. Some intelligent switches may not support the enabling of multiple authentication methods concurrently on a single port. For example, MAC and 802.1X authentication may be concurrently enabled on a port to account for the fact that a trusted user, guest user, or IP phone may connect to this port. The ability to support multiple authentication methods concurrently on a port is even more important for environments where mobility of devices around the network is essential for ensuring business continuity.
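
The planning check below is an added example, not part of the Enterasys guide or product. It applies the rules above to a survey inventory: use 802.1X or web-based authentication where the end-system implements it, MAC otherwise, then flag ports that need several methods on a switch that cannot run them concurrently, and ports that need credentialed methods without a full authentication deployment. The inventory, switch and port names, the SWITCH_MULTI_AUTH flag and the issue labels are all constructed assumptions.

```python
from collections import defaultdict

# Constructed survey inventory (not from the guide):
# (switch, port, end-system, authentication methods the end-system implements)
INVENTORY = [
    ("sw1", "ge.1.1", "staff-pc", {"802.1X"}),
    ("sw1", "ge.1.1", "ip-phone", set()),    # machine-centric, no supplicant
    ("sw1", "ge.1.2", "guest-pc", {"web"}),  # PC without an 802.1X supplicant
    ("sw2", "fe.0.3", "printer", set()),
    ("sw2", "fe.0.4", "staff-pc", {"802.1X"}),
    ("sw2", "fe.0.4", "ip-camera", set()),
]
# Hypothetical survey result: can the edge switch run several methods on one port?
SWITCH_MULTI_AUTH = {"sw1": True, "sw2": False}
CREDENTIAL_METHODS = {"802.1X", "web"}


def methods_for(implemented):
    """Use 802.1X/web-based authentication where implemented, otherwise MAC."""
    return (implemented & CREDENTIAL_METHODS) or {"MAC"}


def plan(inventory, switch_multi_auth, full_auth_deployment):
    """Return ({(switch, port): methods to enable}, [(switch, port, issue)])."""
    per_port = defaultdict(set)
    for switch, port, _name, implemented in inventory:
        per_port[(switch, port)] |= methods_for(implemented)
    findings = []
    for (switch, port), methods in sorted(per_port.items()):
        # Several end-system types share the port but the switch allows one method.
        if len(methods) > 1 and not switch_multi_auth[switch]:
            findings.append((switch, port, "multi-auth-unsupported"))
        # Credentialed methods are passed through to an upstream RADIUS server.
        if not full_auth_deployment and methods & CREDENTIAL_METHODS:
            findings.append((switch, port, "needs-full-auth-deployment"))
    return dict(per_port), findings


if __name__ == "__main__":
    ports, issues = plan(INVENTORY, SWITCH_MULTI_AUTH, full_auth_deployment=True)
    for key in sorted(ports):
        print(*key, sorted(ports[key]))
    for issue in issues:
        print("FINDING", *issue)
```
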
Support for Multiple End-System Connection
It is important to know whether multiple end-system connection is supported by the intelligent edge of the network. If the intelligent edge devices only support the authentication of one end-