The Safe@Office appliance supports the IEEE 802.1x standard for secure authentication of users and devices that are directly attached to the Safe@Office appliance's LAN and DMZ ports, as well as the wireless LAN. Authentication can be performed either by an external RADIUS server, or by the Safe@Office appliance's built-in EAP authenticator. For information on the Safe@Office EAP authenticator, see Using the Safe@Office EAP Authenticator.
When an 802.1x security scheme is implemented for a port, users attempting to connect to that port are required to authenticate using their network user name and password. The Safe@Office appliance sends the user's credentials to the configured authentication server, and if authentication succeeds, a connection is established. If the user fails to authenticate, the port is physically isolated from other ports on the gateway.
If desired, you can specify how users should be handled after successful or failed authentication. Users who authenticate successfully on a specific port are assigned to the network with which that port is associated. For example, if the port is assigned to the DMZ network, all users who authenticate successfully on that port are assigned to the DMZ network.
When using a RADIUS server for authentication, you can assign authenticated users to specific network segments, by configuring dynamic VLAN assignment on the RADIUS server. Upon successful authentication, the RADIUS server sends RADIUS option 81 [Tunnel-Private-Group-ID] to the Safe@Office appliance, indicating to which network segment the user should be assigned. For example, if a member of the Accounting team connects to a network port and attempts to log in, the Safe@Office appliance relays the information to the RADIUS server, which replies with RADIUS option 81 and the value “Accounting”. The appliance then assigns the user’s port to the Accounting network, granting the user access to all the resources of the Accounting team.
The Safe@Office appliance also enables you to automatically assign users to a “Quarantine” network when authentication fails. All Quarantine network security and network rules will apply to those users. For example, you can create security rules allowing users on the Quarantine network to access the Internet and blocking them from accessing sensitive company resources. You can also configure Traffic Shaper to grant members of the Quarantine network a lower amount of bandwidth than authorized users.
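The following added example (not Check Point code and not part of the original documentation) models the assignment rules from the dynamic VLAN and Quarantine paragraphs above: it parses a RADIUS reply, extracts attribute 81, and returns the network the port would join. The function names, the sample packets, and the handling of the optional RFC 2868 tag octet are assumptions made for illustration; it is useful for checking what a RADIUS server actually sends in a captured Access-Accept.

```python
import struct

ACCESS_ACCEPT = 2                 # RADIUS packet code (RFC 2865)
TUNNEL_PRIVATE_GROUP_ID = 81      # the "RADIUS option 81" named above

def parse_radius(packet: bytes):
    """Return (code, [(attr_type, value), ...]); raise ValueError if malformed."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not match packet")
    attrs, pos = [], 20           # bytes 4..19: authenticator, not verified here
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs

def assigned_network(packet: bytes, port_network: str, quarantine=None):
    """Model of the assignment rules described above (not appliance code).
    Returns a network name, or None when the port stays isolated."""
    code, attrs = parse_radius(packet)
    if code != ACCESS_ACCEPT:
        return quarantine         # failed authentication
    for a_type, value in attrs:
        if a_type == TUNNEL_PRIVATE_GROUP_ID:
            if value and value[0] <= 0x1F:   # optional RFC 2868 tag octet
                value = value[1:]
            if value:
                return value.decode("ascii", "replace")
    return port_network           # no attribute 81: keep the port's network

def build(code: int, attrs) -> bytes:
    """Build a constructed sample packet with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    accept = build(2, [(81, b"\x01Accounting")])     # tagged value
    print(assigned_network(accept, "DMZ", "Quarantine"))         # Accounting
    print(assigned_network(build(2, []), "DMZ", "Quarantine"))   # DMZ
    print(assigned_network(build(3, []), "DMZ", "Quarantine"))   # Quarantine
```

A real deployment must also verify the response authenticator with the shared secret before trusting any attribute in the reply; this sketch skips that step.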
You can choose to exclude specific network objects from 802.1x port-based security enforcement. Excluded network objects will be able to connect to the Safe@Office appliance's ports and access the network without authenticating. For information on excluding network objects from 802.1x port-based security enforcement, see Using Network Objects.