Configuring Port-Based Security

To configure 802.1x port-based security for a port

  1. Do one of the following:
  2. To configure dynamic VLAN assignment, do the following:
    1. Add port-based VLAN networks as needed.

      See Adding and Editing Port-Based VLANs.

    2. Configure RADIUS option 81 [Tunnel-Private-Group-ID] on the RADIUS server.

      For information, refer to your RADIUS server documentation.

    This step is only relevant when using a RADIUS server.

  3. To configure a Quarantine network other than the LAN or DMZ, add a port-based VLAN network.

    See Adding and Editing Port-Based VLANs.

  4. Click Network in the main menu, and click the Ports tab.

    The Ports page appears.

  5. Next to the desired port, click Edit.

    The Port Setup page appears.

  6. In the Port Security drop-down list, select 802.1x.

    The Quarantine Network, Authentication Server, and Allow multiple hosts fields are enabled.

  7. Complete the fields using the information in the following table.
  8. Click Apply.

    A warning message appears.

  9. Click OK.

Port-Based Security Fields

In this field…

Do this…

Assign to network

Specify how the Safe@Office appliance should handle users who authenticate successfully, by selecting one of the following:

  • A network name. All users who authenticate to this port successfully are assigned to the specified network.
  • From RADIUS. Use dynamic VLAN assignment to assign users to specific networks. This option is only relevant when using a RADIUS server.

Authentication Server

Specify which authentication server you are using, by selecting one of the following:

  • RADIUS. A RADIUS server.
  • Internal User Database. The Safe@Office EAP authenticator.

Quarantine Network

Specify which network should serve as the Quarantine network, by selecting one of the following:

  • A network name. All users for whom authentication to this port fails are assigned to the specified network.
  • None. No Quarantine network is selected.

Allow multiple hosts

To allow multiple hosts to connect to this port, select this option.

Normally, 802.1x port-based security allows only a single host to connect to each port. However, when this option is selected, multiple clients can connect to the same port via a hub or switch. Each client on the port must authenticate separately.

For information on cascading the Safe@Office appliance to a hub or switch, see Cascading Your Appliance.

Note: Enabling this option makes 802.1x port-based security less secure. Therefore, it is recommended to enable this option only in locations where the number of ports is a limiting factor, and where an external 802.1x-capable switch cannot be installed.
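
To check that the RADIUS server actually returns option 81 for the dynamic VLAN assignment configured in step 2 and selected with From RADIUS, the following added example (not part of the Safe@Office documentation) parses the raw UDP payload of a RADIUS Access-Accept and extracts Tunnel-Private-Group-ID. The sample packets, the network name VLAN_Guest, and the function names are constructed for illustration; the tag handling follows RFC 2868, and the Response Authenticator is not verified.

```python
import struct

ACCESS_ACCEPT = 2
TUNNEL_PRIVATE_GROUP_ID = 81  # RADIUS attribute 81 (RFC 2868)


def parse_attributes(packet: bytes):
    """Yield (type, value) for every attribute in a raw RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("Length field does not match the packet size")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"bad length for attribute {a_type}")
        yield a_type, packet[pos + 2:pos + a_len]
        pos += a_len


def assigned_network(packet: bytes):
    """Return the Tunnel-Private-Group-ID string of an Access-Accept, else None."""
    if packet[:1] != bytes([ACCESS_ACCEPT]):
        return None  # Access-Reject, Access-Challenge, or empty input
    for a_type, value in parse_attributes(packet):
        if a_type == TUNNEL_PRIVATE_GROUP_ID and value:
            if value[0] <= 0x1F:  # leading octet up to 0x1F is a tag, not text
                value = value[1:]
            return value.decode("utf-8", "replace")
    return None


def build_accept(attrs):
    """Build a constructed Access-Accept (all-zero authenticator) for testing."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body


if __name__ == "__main__":
    # Constructed samples: "VLAN_Guest" is a made-up network name.
    with_vlan = build_accept([(18, b"welcome"), (81, b"\x00VLAN_Guest")])
    without_vlan = build_accept([(18, b"welcome")])
    print(assigned_network(with_vlan))     # VLAN_Guest
    print(assigned_network(without_vlan))  # None
```

A result of None for a user who should receive a dynamically assigned network means option 81 is missing from that user's RADIUS reply.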

See Also

Using Port-Based Security

Resetting 802.1x Locking