Configuring User Access and Authentication
Configuring 802.1X Authentication
Context
802.1X is a port-based network access control protocol. It verifies user identities and allows LAN access only on ports where a single 802.1X-capable client (supplicant) has entered authorized user credentials.
As shown in Figure 4-10, the 802.1X authentication system adopts the typical client/server (C/S) architecture and consists of three main components: user client (supplicant), authentication control point (authenticator), and authentication server.
- User client (supplicant): initiates 802.1X authentication by starting the client software. The client must support Extensible Authentication Protocol over LAN (EAPoL).
- Authentication control point (authenticator): a network device that supports 802.1X authentication.
- Authentication server (usually a RADIUS server): carries out authentication, authorization, and accounting on users.
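The exchange between the three components, as an added example that is not part of this documentation: the supplicant sends EAPOL-Start, the authenticator answers with EAP-Request/Identity, the supplicant returns its identity, and the authenticator relays the RADIUS verdict as EAP-Success or EAP-Failure. The `authorized` set is a constructed stand-in for the RADIUS server, and the EAP method round trips (EAP-TLS, PEAP and so on) are left out.

```python
import struct

# EAPOL packet types (IEEE 802.1X) and EAP codes/types (RFC 3748)
EAP_PACKET, EAPOL_START = 0, 1
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1

def eapol_frame(ptype, body=b""):
    # EAPOL header: protocol version(1) packet type(1) body length(2)
    return struct.pack("!BBH", 2, ptype, len(body)) + body

def eap_packet(code, ident, etype=None, data=b""):
    # EAP header: code(1) identifier(1) total length(2), then optional type + data
    body = b"" if etype is None else bytes([etype]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_eapol(frame):
    """Return (eapol_type, eap_fields or None); length fields are checked, not trusted."""
    _ver, ptype, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated EAPOL body")
    if ptype != EAP_PACKET:
        return ptype, None
    code, ident, elen = struct.unpack("!BBH", body[:4])
    if not 4 <= elen <= length:
        raise ValueError("bad EAP length")
    eap = {"code": code, "id": ident}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        eap["type"], eap["data"] = body[4], body[5:elen]
    return ptype, eap

def run_exchange(identity, authorized):
    """Supplicant/authenticator exchange; 'authorized' is a constructed stand-in for the RADIUS verdict."""
    log = []
    ptype, _ = parse_eapol(eapol_frame(EAPOL_START))          # supplicant -> authenticator
    log.append(("supplicant", "EAPOL-Start" if ptype == EAPOL_START else "?"))
    req = eapol_frame(EAP_PACKET, eap_packet(EAP_REQUEST, 1, EAP_TYPE_IDENTITY))
    _, eap = parse_eapol(req)                                  # authenticator -> supplicant
    log.append(("authenticator", "EAP-Request/Identity"))
    resp = eapol_frame(EAP_PACKET, eap_packet(EAP_RESPONSE, eap["id"],
                                              EAP_TYPE_IDENTITY, identity.encode()))
    _, eap = parse_eapol(resp)                                 # supplicant -> authenticator
    ident = eap["data"].decode()
    log.append(("supplicant", "EAP-Response/Identity " + ident))
    verdict = EAP_SUCCESS if ident in authorized else EAP_FAILURE   # relayed from RADIUS
    _, eap = parse_eapol(eapol_frame(EAP_PACKET, eap_packet(verdict, eap["id"] + 1)))
    log.append(("authenticator", "EAP-Success" if eap["code"] == EAP_SUCCESS else "EAP-Failure"))
    return log
```

Until EAP-Success arrives, the authenticator forwards nothing but EAPOL on the port, which is what makes the control port-based.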
When iMaster NCE-Campus functions as a RADIUS server, see the following table to configure 802.1X authentication on the server.
Configuration Tasks

| Description | Operation Procedure |
|---|---|
| Configuring 802.1X authentication | |
Reference Links for iMaster NCE-Campus Operations
Configuring Portal Authentication
Context
Portal authentication is also called web authentication. Generally, Portal authentication websites are referred to as web portals. When a user accesses the Internet, the user must be authenticated on the web portal. If the user fails to be authenticated, the user can access only specified network resources. The user can access other network resources only after passing the authentication.
As shown in Figure 4-11, Portal authentication involves four main components: user client, authentication control point, Portal server, and authentication server.
- User client: a host with a browser that supports HTTP/HTTPS.
- Authentication control point: a network device that supports Portal authentication.
- Portal server: provides free web portal services and the authentication GUI for user clients, and exchanges user clients' authentication information with access devices.
- Authentication server (usually a RADIUS server): carries out authentication, authorization, and accounting on users.
When iMaster NCE-Campus functions as the Portal server and RADIUS server, the configuration on the Portal authentication server is as follows.
Configuration Tasks

| Description | Operation Procedure |
|---|---|
| Configuring Portal authentication | |
| (Optional) Configure a MAC authentication exemption policy. | To enable a user client to be exempt from authentication based on its MAC address within a period after the user client passes Portal authentication for the first time, configure a MAC authentication exemption policy in the user control policy. |
Reference Links for iMaster NCE-Campus Operations
Configuring MAC Address Authentication
Context
MAC address authentication controls access permissions of terminals based on their MAC addresses.
As shown in Figure 4-12, the MAC authentication system consists of three main components: user client, authentication control point, and authentication server.
- User client: dumb terminals such as printers and IP cameras.
- Authentication control point: a network device that supports MAC address authentication.
- Authentication server (usually a RADIUS server): carries out authentication, authorization, and accounting on users.
When iMaster NCE-Campus functions as the MAC address authentication server, two MAC address authentication modes are available:
- Traditional MAC address authentication: The MAC address of a terminal needs to be manually added on iMaster NCE-Campus to authenticate and authorize the terminal.
- Automatic MAC address authentication: The MAC address of a terminal can be automatically recorded to iMaster NCE-Campus through the terminal identification function. In this way, the terminal can be automatically admitted.
The following table describes how to configure the two MAC address authentication modes on the server side. When you enable terminal identification, you also need to enable the terminal identification information reporting function on the network devices, so that they report terminal information to iMaster NCE-Campus.
Configuration Tasks

| Description | Operation Procedure |
|---|---|
| Configuring traditional MAC address authentication | |
| Configuring automatic MAC address authentication | |