Authentication
Use this screen to configure authentication servers and policies to validate access to ports on the Nebula Device using the Nebula cloud authentication server or an external RADIUS server.
*Network traffic from clients will be denied when the Nebula cloud authentication server (NCAS) cannot be reached.
NCAS Disconnect Behavior
The following figure shows an example Nebula Device with ports enabled for MAC authentication. Clients 1 and 2 (C1, C2) pass MAC authentication (authorized). Client 3 (C3) fails MAC authentication (not authorized).
MAC Authentication Application
Click Switch > Configure > Authentication to access this screen.
Switch > Configure > Authentication
The following table describes the labels in this screen.
Switch > Configure > Authentication 
Label
Description
Authentication Server
Server type
Select External radius server to have both IEEE 802.1x (WPA-Enterprise) authentication and MAC-based authentication. The Nebula Device sends a request message to a RADIUS server in order to authenticate clients. The administrator must enter the IP address of the RADIUS server. The default port is 1812.
*Make sure to configure VLAN for the Nebula Device before enabling VLAN assignment in the external RADIUS server.
Select Nebula cloud authentication to have MAC-based authentication only. The Nebula Device sends an HTTPS message to NCAS (Nebula Cloud Authentication Server) to authenticate clients. The default port is 443. See Set Up MAC Authentication With NCAS (for Nebula Switches only) for the steps to set up MAC authentication with NCAS.
Blocked clients do not appear in the Nebula Device MAC address table. The Nebula Device re-authenticates blocked clients when:
5 minutes have passed since the blocked client failed authentication.
The blocked client disconnects and reconnects to the Nebula Device port.
*The Blocked client in the Site-wide > Monitor > Clients > Client list screen has a higher priority than MAC-based authentication.
All network traffic from clients will be denied when the NCAS cannot be reached.
The following fields appear when you select External radius server as the Server type.
Click the icon of a rule and drag the rule up or down to change the order.
Host
Enter the IP address of the external RADIUS server.
Port
Enter the port of the RADIUS server for authentication (default 1812).
Secret
Enter a password (up to 32 alphanumeric characters) as the key to be shared between the external RADIUS server and the Nebula Device.
Click the remove icon to delete the entry.
Add
Click this button to create a new RADIUS server entry.
Authentication policy
You apply the policy to a port in Switch > Configure > Switch ports: Edit (a selected port).
Password for MAC-Base Auth
Enter the password the Nebula Device sends along with the MAC address of a client for authentication with the RADIUS server. You can enter up to 32 printable ASCII characters.
Name
Enter a descriptive name for the policy.
Auth. type
Select MAC-Base if you want to validate access to the ports based on the MAC address and password of the client.
Select 802.1X if you want to validate access to the ports based on the user name and password provided by the client.
*802.1X is not supported when you select Nebula cloud authentication in Server type.
Guest VLAN
A guest VLAN is a pre-configured VLAN on the Nebula Device that allows non-authenticated users to access limited network resources through the Nebula Device.
Enter the number that identifies the guest VLAN.
Port security
Click On to enable port security on the ports. Otherwise, select Off to disable port security on the ports.
MAC limitation
This field is configurable only when you enable port security.
Specify the maximum number of MAC addresses that may be learned on a port.
Auth. ports
This shows the number of the Nebula Device ports to which this policy is applied.
Click the remove icon to delete the profile.
Add
Click this button to create a new policy.
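The Secret and Password for MAC-Base Auth fields described above, shown at the protocol level as an added example (not Zyxel code): a RADIUS Access-Request whose password is hidden per RFC 2865 section 5.2, built on the device side and decoded on the server side. It assumes the Nebula Device sends the password as a PAP-style User-Password attribute and the client MAC address as User-Name; the page states neither, and all function names are hypothetical.

```python
import hashlib
import os
import struct

# Assumption (not stated on this page): PAP-style User-Password, MAC sent as User-Name.
def _chain_xor(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(b ^ k for b, k in zip(block, key))
        prev = block if decrypt else result  # chaining always uses the ciphertext block
        out += result
    return out

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)  # pad to a 16-byte multiple
    return _chain_xor(padded, secret, authenticator, decrypt=False)

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    return _chain_xor(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")

def build_access_request(mac: str, mac_password: str, secret: str,
                         identifier: int = 1, authenticator: bytes = b"") -> bytes:
    # Field limits as documented on this page.
    if not (secret.isascii() and secret.isalnum() and len(secret) <= 32):
        raise ValueError("Secret: up to 32 alphanumeric characters")
    if not (0 < len(mac_password) <= 32 and all(32 <= ord(c) <= 126 for c in mac_password)):
        raise ValueError("Password for MAC-Base Auth: up to 32 printable ASCII characters")
    authenticator = authenticator or os.urandom(16)
    hidden = hide_password(mac_password.encode(), secret.encode(), authenticator)
    attrs = b"".join(bytes([t, len(v) + 2]) + v
                     for t, v in ((1, mac.encode()), (2, hidden)))  # User-Name, User-Password
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs

def parse_access_request(packet: bytes, secret: str) -> dict:
    """Server side: recover User-Name and the password using the configured secret."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    authenticator, pos, fields = packet[4:20], 20, {}
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + attr_len]
        if attr_type == 1:
            fields["user"] = value.decode()
        elif attr_type == 2:
            fields["password"] = reveal_password(value, secret.encode(), authenticator)
        pos += max(attr_len, 2)  # never stall on a malformed attribute length
    return fields
```

If the Secret configured on the Nebula Device and on the RADIUS server differ, the server recovers a different password and MAC authentication fails for every client. Under the PAP assumption, the Secret is also the only protection the password has in transit.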