
Security Measures
146
Instruction Manual - NXA-ENET8-POE+
Multiple profiles can be specified in the Filter-ID attribute by using a semicolon to separate each profile. For example, the service-policy-in=pp1;rate-limit-input=100 attribute specifies that the DiffServ profile name is pp1, and the ingress rate limit profile value is 100 kbps.
If duplicate profiles are passed in the Filter-ID attribute, then only the first profile is used. For example, if the attribute is service-policy-in=p1;service-policy-in=p2, then the switch applies only the DiffServ profile p1.
Any unsupported profiles in the Filter-ID attribute are ignored. For example, if the attribute is map-ip-dscp=2:3;service-policy-in=p1, then the switch ignores the map-ip-dscp profile.
When authentication is successful, the dynamic QoS information may not be passed from the RADIUS server due to one of the following conditions (authentication result remains unchanged):
- The Filter-ID attribute cannot be found to carry the user profile.
- The Filter-ID attribute is empty.
- The Filter-ID attribute format for dynamic QoS assignment is unrecognizable (cannot recognize the whole Filter-ID attribute).
Dynamic QoS assignment fails and the authentication result changes from success to failure when the following conditions occur:
- Illegal characters are found in a profile value (for example, a non-digit character in an 802.1p profile value).
- The switch fails to configure the received profiles on the authenticated port.
When the last user logs off on a port with a dynamic QoS assignment, the switch restores the original QoS configuration for the port.
When a user attempts to log into the network with a returned dynamic QoS profile that is different from users already logged on to the same port, the user is denied access.
While a port has an assigned dynamic QoS profile, any manual QoS configuration changes only take effect after all users have logged off the port.
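The Filter-ID handling rules above can be modeled in a short script for checking the Filter-ID strings configured on a RADIUS server before they reach the switch. This is an added example, not code from the switch or its vendor; the supported-profile set holds only the two names shown on this page, and the digits-only check on rate-limit-input and the definition of an unrecognizable attribute are assumptions.

```python
# Added illustration: models the Filter-ID rules described above.
# Not switch firmware. SUPPORTED holds only profile names shown on this page.
SUPPORTED = {"service-policy-in", "rate-limit-input"}
NUMERIC = {"rate-limit-input"}  # assumption: value must be ASCII digits (kbps)


def evaluate_filter_id(filter_id):
    """Return (auth_ok, applied, notes) for one Filter-ID string (or None)."""
    if filter_id is None or not filter_id.strip():
        # Missing or empty attribute: no dynamic QoS, authentication unchanged.
        return True, {}, ["no Filter-ID profile; auth result unchanged"]
    items = [p.strip() for p in filter_id.split(";") if p.strip()]
    pairs = [p.partition("=") for p in items]
    if not any(sep and key.strip() and val.strip() for key, sep, val in pairs):
        # Assumption: "unrecognizable" means no name=value element at all.
        return True, {}, ["format not recognized; auth result unchanged"]
    applied, notes = {}, []
    for key, _sep, value in pairs:
        key, value = key.strip(), value.strip()
        if key not in SUPPORTED:
            notes.append(f"ignored unsupported profile {key!r}")
        elif key in applied:
            # Only the first occurrence of a profile is used.
            notes.append(f"ignored duplicate {key!r}={value!r}")
        elif key in NUMERIC and not (value.isascii() and value.isdigit()):
            # An illegal character in a value turns success into failure.
            return False, {}, [f"illegal value {value!r} for {key!r}; auth fails"]
        else:
            applied[key] = value
    return True, applied, notes


if __name__ == "__main__":
    samples = (  # first three are the examples from the text, rest constructed
        "service-policy-in=pp1;rate-limit-input=100",
        "service-policy-in=p1;service-policy-in=p2",
        "map-ip-dscp=2:3;service-policy-in=p1",
        "rate-limit-input=10x",
        "",
    )
    for sample in samples:
        print(repr(sample), "->", evaluate_filter_id(sample))
```

A rejected value here means the user would fail authentication on the switch even with valid credentials, so such strings are worth catching on the RADIUS side first.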
Configuring Global Settings for Network Access
MAC address authentication is configured on a per-port basis; however, two configurable parameters apply globally to all ports on the switch. Use the Security > Network Access (Configure Global) page to configure MAC address authentication aging and re-authentication time.
The following table lists the options on this page:
Perform these steps to configure aging status and re-authentication time for MAC address authentication:
1. Click Security > Network Access.
2. Select Configure Global from the Step list.
3. Enable or disable aging for secure addresses, and modify the re-authentication time as required.
4. Click Apply.
Security - Network Access Options
Aging Status: Enables aging for authenticated MAC addresses stored in the secure MAC address table. (Default: Disabled)
This parameter applies to authenticated MAC addresses configured by the MAC Address Authentication process described in this section, as well as to any secure MAC addresses authenticated by 802.1x, regardless of the 802.1x Operation Mode (Single-Host, Multi-Host, or MAC-Based authentication as described on page 174).
Authenticated MAC addresses are stored as dynamic entries in the switch's secure MAC address table and are removed when the aging time expires.
The maximum number of secure MAC addresses supported for the switch system is 1024.
FIG. 173 Configuring Global Settings for Network Access