Profile Overrides - Security Configuration (AP Only)

About this task

To override Ethernet Ports security settings:

Procedure

  1. Select the Security tab.
    The security screen displays.
    Profile Overrides - Interface - Ethernet Ports - Security

  2. Refer to the Access Control field. As part of the Ethernet port's security configuration, inbound IP and MAC address firewall rules are required.

    MAC Inbound Firewall Rules

    Use the drop-down menu to select the MAC inbound firewall rules to apply to this profile's Ethernet port configuration. The firewall inspects MAC traffic flows and detects attacks typically not visible to traditional wired firewall appliances.

    IPv4 Inbound Firewall Rules

    Use the drop-down menu to select the IPv4 specific firewall rules to apply to this profile's Ethernet port configuration. IPv4 is a connectionless protocol for packet switched networking. IPv4 operates as a best effort delivery method: unlike TCP, it does not guarantee delivery, proper sequencing, or protection against duplicate delivery. IPv4 hosts can use link local addressing to provide local connectivity.

    IPv6 Inbound Firewall Rules

    Use the drop-down menu to select the IPv6 specific firewall rules to apply to this profile's Ethernet port configuration. IPv6 is the latest revision of the Internet Protocol designed to replace IPv4. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.

  3. Refer to the Trust field to define or override the following:

    Trust ARP Responses

    Select this option to enable ARP trust on this port. ARP packets received on this port are considered trusted, and the information from these packets is used to identify rogue devices within the network. This option is disabled by default.

    Trust DHCP Responses

    Select this option to enable DHCP trust on this port. If enabled, only DHCP responses are trusted and forwarded on this port, and a DHCP server can be connected only to a DHCP trusted port. This option is enabled by default.

    ARP Header Mismatch Validation

    Select this option to check that the source MAC in the ARP header matches the source MAC in the Ethernet header, and to flag a mismatch between the two. This option is disabled by default.

    Trust 802.1p COS values

    Select this option to trust the 802.1p COS values of frames received on this port. This option is enabled by default.

    Trust IP DSCP

    Select this option to trust the IP DSCP values of packets received on this port. This option is enabled by default.

    Note

    Some vendor solutions with VRRP enabled send ARP packets with Ethernet SMAC as a physical MAC and inner ARP SMAC as VRRP MAC. If this configuration is enabled, a packet is allowed, even when a conflict exists.

  4. Set the following IPv6 Settings:

    Trust ND Requests

    Select this option to trust the neighbor discovery (ND) requests received on this Ethernet port; ND is required on an IPv6 network. This option is disabled by default.

    Trust DHCPv6 Responses

    Select this option to trust all DHCPv6 responses on this Ethernet port. DHCPv6 is a networking protocol for configuring IPv6 hosts with IP addresses, IP prefixes, or other configuration attributes required on an IPv6 network. This option is enabled by default.

    ND Header Mismatch Validation

    Select this option to check that the source MAC in the ND header matches the MAC carried in its Link Layer Address option, and to flag a mismatch between the two. This option is disabled by default.

    RA Guard

    Select this option to enable router advertisements or ICMPv6 redirects from this Ethernet port. This option is enabled by default.
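The source-MAC consistency check that ARP Header Mismatch Validation (step 3) and ND Header Mismatch Validation (step 4) describe, run over constructed frames, as an added example that is not part of the original page or the WiNG product code. The `vrrp-style` classification covers the case in the note above, using the RFC 5798 IPv4 virtual MAC prefix; all MAC and IP values are made up, and the ICMPv6 checksum is left zero.

```python
import struct

VRRP_V4_PREFIX = bytes.fromhex("00005e0001")  # RFC 5798 IPv4 virtual MAC prefix

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def check_arp(frame):
    """Classify an Ethernet/ARP frame: 'ok', 'mismatch', or 'vrrp-style'."""
    eth_src = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != 0x0806:
        raise ValueError("not an ARP frame")
    sha = frame[22:28]  # ARP sender hardware address: offset 8 in the ARP body
    if sha == eth_src:
        return "ok"
    if sha[:5] == VRRP_V4_PREFIX:  # the VRRP case the page's note describes
        return "vrrp-style"
    return "mismatch"

def check_nd(frame):
    """Classify an Ethernet/IPv6/ICMPv6 NS (135) or NA (136) by its link-layer option."""
    eth_src = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != 0x86DD or frame[20] != 58:
        raise ValueError("not an ICMPv6 frame")
    icmp = frame[54:]                     # 14-byte Ethernet + 40-byte IPv6 header
    if icmp[0] not in (135, 136):
        raise ValueError("not NS/NA")
    want = 1 if icmp[0] == 135 else 2     # source (NS) / target (NA) link-layer option
    opts = icmp[24:]                      # fixed NS/NA part is 24 bytes
    while len(opts) >= 8 and opts[1]:
        if opts[0] == want:
            return "ok" if opts[2:8] == eth_src else "mismatch"
        opts = opts[opts[1] * 8:]
    return "no-lladdr-option"

def build_arp(eth_src, sha):
    """Constructed ARP request with independent Ethernet and ARP source MACs."""
    eth = mac("ff:ff:ff:ff:ff:ff") + eth_src + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + sha + bytes([10, 0, 0, 1])
    return eth + arp + bytes(6) + bytes([10, 0, 0, 2])

def build_ns(eth_src, opt_mac):
    """Constructed Neighbor Solicitation (checksum left zero) with a source LLA option."""
    src = bytes.fromhex("fe80" + "0" * 24 + "0001")
    dst = bytes.fromhex("ff02" + "0" * 16 + "0001ff000002")
    icmp = struct.pack("!BBHI", 135, 0, 0, 0) + bytes.fromhex("fe80" + "0" * 24 + "0002")
    icmp += bytes([1, 1]) + opt_mac
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), 58, 255) + src + dst
    return mac("33:33:ff:00:00:02") + eth_src + struct.pack("!H", 0x86DD) + ip6 + icmp
```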

  5. Set the following 802.1X Settings:

    Host Mode

    Set the port mode for 802.1X authentication. The options are:
    • single-host - Select to bridge traffic from a single authenticated host.
    • multi-host - Select to bridge traffic from any host to this port.

    The default setting is single-host.

    Guest VLAN

    Specify a guest VLAN for this port from 1 - 4094. This is the VLAN on which traffic is bridged if the port is unauthorized and the guest VLAN is globally enabled.

    Port Control

    Set the way in which the port bridges traffic. The options are:
    • Automatic - The port is set to the state as received from the authentication server.
    • force-authorized - Any traffic on the port is considered authenticated and is bridged as configured. This is the default setting.
    • force-unauthorized - Any traffic on the port is considered unauthenticated and is not bridged.

    Reauthenticate

    Select this option to enable or disable reauthentication. Reauthentication is primarily used to refresh the current state of the selected port. When enabled, the device is forced to reauthenticate; while this happens, the port is still considered authenticated. If reauthentication fails, the port is considered unauthorized and devices using the port are denied access.

    Max Reauthenticate Count

    Set the number of reauthentication attempts (1-10) made when a port tries to reauthenticate and fails. Once this count is exceeded, the port is considered unauthorized. The default setting is 2.

    Quiet Period

    Set the duration in seconds during which no attempt is made to reauthenticate a controlled port. Set a value from 0 - 65535 seconds. The default setting is 60 seconds.

    Reauthenticate Period

    Set the duration after which a controlled port is forced to reauthenticate. Set a value from 0 - 65535 seconds. The default setting is 3600 seconds.

    Port MAC Authentication

    Enables MAC address authentication on the selected port. When enabled, a port's MAC address is authenticated, as only one MAC address is supported per wired port. When successfully authenticated, packets from the source are processed. Packets from all other sources are dropped. Port MAC authentication is supported on WiNG devices. Port MAC authentication may be enabled on ports in conjunction with Wired 802.1x settings for a MAC Authentication AAA policy. This option is disabled by default.

  6. In the 802.1x supplicant (client) feature field, click Enable to use a username and password pair when authenticating users on this port, then provide the credentials.

    Click Show to expose the characters in the Password field.

  7. Click OK to save the changes and overrides made to the Ethernet port's security configuration.

    Click Reset to revert to the last saved configuration.