About Multi-User Authentication on the DFE

FAQ_User — Wed, 06 Nov 2013 21:50:00 GMT

Article ID: 5468

Products
DFE
N-EOS-PPC
N-EOS-PUC

Protocols/Features
Authentication
MUA
802.1x
MAC Authentication
PWA

Solution
Multi-User Authentication (MUA) is the ability to permit multiple users per port to authenticate using any combination of 802.1x / MAC / PWA+ authentication. This might be required in networks having Access switches which are not authentication-capable. The DFE, both Platinum and Gold series, has had a MUA capability (with differing limitations) since the release of 4.00.50 firmware in April 2004.

> What are the present (f/w 4.x) hard limits for Authenticated Stations?

Platinum:

A maximum of eight authenticated users (802.1x, MAC, PWA+) per fixed copper front panel port for Access modules: 2G4072-52, 7H4382-25, 7H4382-49, 7H4383-49, 7H4202-72, 7H4203-72, 7G4282-41, and 7G4202-60
A maximum of 128 authenticated users (802.1x, MAC, PWA+) per fiber and modular (Mini-GBIC) front panel port for Uplink modules: 7G-6MGBIC, 7G4270-12, 7G4202-30, 7H4284-49, and 7K4290-02
A maximum of 128 authenticated users (802.1x, MAC, PWA+) per Backplane or LAG port for any DFE module type
A maximum of one 802.1x authenticated user per port
A maximum of 1024 authenticated users per module
A maximum of 1024 authenticated users per chassis

Gold:

A maximum of one user and one IP phone per port
A maximum of 1024 users (including IP phones) per chassis

> Can the hard limits be increased?

Yes, for the Platinum series only. Firmware 5.01.58 and higher has the capablity of High-Capacity licensing, expanding the user/port/system density for both Access and Uplink Module front-panel ports. LAG and Backplane ports retain their user density limit of 128. This is all summarized in the table below.

standard w/ N-EOS-PPC w/ N-EOS-PUC*
offering (per module) (per chassis)
4.x, 5.x f/w 5.x f/w 5.x

Users per Port
on Access Modules 8 256 8
1024 (f/w 5.41.25+)

Users per Port
on Uplink Modules 128 256 128
1024 (f/w 5.41.25+)

Users per Port
on LAG/Backplane 128 128 128

Users per module module 1024 module
dependent dependent

Users per system 1024 1024 2048
* Supported in the 2G4072-52, or for 7C111-installed systems, only with firmware 6.01.01.0020 and higher.

A further, very significant change with 5.x is that the "single 802.1x user per port" restriction is removed, for the Platinum series only. Limitations fall within the bounds of current multi-user authentication limits and capacities and those of the expected High-capacity licensing. In other words, 802.1x capability now expands to what is already stated for MAC and PWA limitations.

> What are the present (f/w 4.x) soft limits for Authenticated Stations?

A maximum of 65535 rules (VLAN + Priority) per chassis (57344 rules reserved for standard rules, 8191 rules reserved for policy profile assignment [admin-pid] rules)

Standard rules (L2/L3/L4, IP+Socket, ICMP Type+Code) are designed to assign a VLAN or a CoS (Class of Service) to the traffic they match.
Admin-pid rules (L2/L3/L4, IP+Socket, ICMP Type+Code) are designed to assign a Policy (Profile) to the traffic they match and are used by the VLAN-to-Policy Mapping feature, by the dynamic agents (after authentication returns a result) and to assign a default policy to a port (on the Gold series).
Both standard and admin-pid rules can syslog, trap or disable the port when hit, even if they aren’t assigning VLAN, CoS or Policy (Profile), using the Rule Hit/Accounting feature .

A maximum of 1023 roles per chassis

> Are the soft limits expected to change?

No.

> How do I install the licenses?

To install the N-EOS-PPC:
set license port-capacity <license_key> slot <slot#>
To install the N-EOS-PUC:
set license user-capacity <license_key>

The system must be rebooted after issuing these commands, in order for the license(s) to be applied.

> Are there any configuration guides available?

The best configuration resource available at this time is the DFE Configuration Guide. There is significant effort underway to expand upon this, concentrating on sample configurations.

topic About Multi-User Authentication on the DFE in FAQs

About Multi-User Authentication on the DFE