AMX NXA-ENET8-2POE Instruction Manual page 62

Gigabit PoE Ethernet Switch

Network Access Server Configuration Parameters (Cont.)

System Configuration (Cont.)

Guest VLAN ID
This is the value that a port's Port VLAN ID is set to if a port is moved into the Guest VLAN.
• It is only changeable if the Guest VLAN option is globally enabled.
• Range: 1-4095.

Max. Reauth. Count
The number of times that the switch transmits an EAPOL Request Identity frame without receiving a response before adding a port to the Guest VLAN. The value can only be changed if the Guest VLAN option is globally enabled. (Range: 1-255)

Allow Guest VLAN if EAPOL Seen
The switch remembers whether an EAPOL frame has been received on the port for the lifetime of the port. When the switch considers whether to enter the Guest VLAN, it first checks whether this option is enabled or disabled.
• If disabled (the default), the switch will only enter the Guest VLAN if no EAPOL frame has been received on the port for the lifetime of the port.
• If enabled, the switch will consider entering the Guest VLAN even if an EAPOL frame has been received on the port for the lifetime of the port.
The value can only be changed if the Guest VLAN option is globally enabled.

Port Configuration

Port
Port identifier.

Admin State
If NAS is globally enabled, this selection controls the port's authentication mode. The following modes are available:
• Force Authorized - The switch sends one EAPOL Success frame when the port link comes up. This forces the port to grant access to all clients, whether dot1x-aware or not. (This is the default setting.)
• Force Unauthorized - The switch sends one EAPOL Failure frame when the port link comes up. This forces the port to deny access to all clients, whether dot1x-aware or not.
• Port-based 802.1X - Requires a dot1x-aware client to be authorized by the authentication server. Clients that are not dot1x-aware will be denied access.
• Single 802.1X - At most one supplicant can get authenticated on the port at a time. If more than one supplicant is connected to a port, the one that comes first when the port's link comes up will be the first one considered. If that supplicant doesn't provide valid credentials within a certain amount of time, another supplicant will get a chance. Once a supplicant is successfully authenticated, only that supplicant will be allowed access. This is the most secure of all the supported modes. In this mode, the Port Security module is used to secure a supplicant's MAC address once it is successfully authenticated.
• Multi 802.1X - One or more supplicants can get authenticated on the same port at the same time. Each supplicant is authenticated individually and secured in the MAC table using the Port Security module.
In Multi 802.1X it is not possible to use the multicast BPDU MAC address as the destination MAC address for EAPOL frames sent from the switch towards the supplicant, since that would cause all supplicants attached to the port to reply to requests sent from the switch. Instead, the switch uses the supplicant's MAC address, which is obtained from the first EAPOL Start or EAPOL Response Identity frame sent by the supplicant.
An exception to this is when no supplicants are attached. In this case, the switch sends EAPOL Request Identity frames using the BPDU multicast MAC address as the destination, to wake up any supplicants that might be on the port.
The maximum number of supplicants that can be attached to a port can be limited using the Port Security Limit Control functionality.
• MAC-based Auth. - Enables MAC-based authentication on the port. The switch does not transmit or accept EAPOL frames on the port. Flooded frames and broadcast traffic will be transmitted on the port whether or not clients are authenticated on the port, whereas unicast traffic from an unsuccessfully authenticated client will be dropped. Clients that are not (or not yet) successfully authenticated will not be allowed to transmit frames of any kind.
The switch acts as the supplicant on behalf of clients. The initial frame (any kind of frame) sent by a client is snooped by the switch, which in turn uses the client's MAC address as both user name and password in the subsequent EAP exchange with the RADIUS server.
The 6-byte MAC address is converted to a string in the following form: xx-xx-xx-xx-xx-xx, that is, a dash (-) is used as the separator between the lower-cased hexadecimal digits. The switch only supports the MD5-Challenge authentication method, so the RADIUS server must be configured accordingly.
When authentication is complete, the RADIUS server sends a success or failure indication, which in turn causes the switch to open up or block traffic for that particular client, using the Port Security module. Only then will frames from the client be forwarded on the switch. There are no EAPOL frames involved in this authentication, and therefore MAC-based Authentication has nothing to do with the 802.1X standard.
The advantage of MAC-based authentication over port-based 802.1X is that several clients can be connected to the same port (e.g. through a 3rd party switch or a hub) and still require individual authentication; its advantage over 802.1X-based authentication in general is that the clients don't need special supplicant software to authenticate. The disadvantage is that MAC addresses can be spoofed by malicious users: equipment whose MAC address is a valid RADIUS user can be used by anyone. Also, only the MD5-Challenge method is supported. The maximum number of clients that can be attached to a port can be limited using the Port Security Limit Control functionality.
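The MAC-based Auth. identity format and the Guest VLAN rules above, as an added Python model that is not the switch firmware or any AMX code: it normalizes a MAC into the xx-xx-xx-xx-xx-xx user name the switch will present, emits matching FreeRADIUS-style `users` entries (the server type is an assumption), and decides whether a port would be moved into the Guest VLAN given the Max. Reauth. Count and Allow Guest VLAN if EAPOL Seen settings.

```python
import re
from dataclasses import dataclass

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def mac_to_nas_identity(mac: str) -> str:
    """Return a MAC in the form the switch sends as RADIUS user name and
    password for MAC-based Auth.: lower-case hex, dash-separated."""
    # Accept aa:bb:cc:dd:ee:ff, AABB.CCDD.EEFF, aa-bb-... or bare hex.
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a 6-byte MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def radius_users_entries(macs):
    """FreeRADIUS-style 'users' lines (assumed server). MD5-Challenge needs
    the cleartext password, which for this switch equals the user name."""
    return [f'{mac_to_nas_identity(m)} Cleartext-Password := "{mac_to_nas_identity(m)}"'
            for m in macs]


@dataclass(frozen=True)
class GuestVlanConfig:
    enabled: bool                      # global Guest VLAN option
    guest_vlan_id: int                 # 1-4095; becomes the port's PVID on entry
    max_reauth_count: int              # 1-255; unanswered EAPOL Request Identity frames
    allow_if_eapol_seen: bool = False  # "Allow Guest VLAN if EAPOL Seen", default off


def guest_vlan_pvid(cfg: GuestVlanConfig, unanswered_requests: int, eapol_seen: bool):
    """PVID the port is moved to when the rules on this page say so, else None."""
    if not cfg.enabled:
        return None                    # the whole feature is off
    if not (1 <= cfg.guest_vlan_id <= 4095 and 1 <= cfg.max_reauth_count <= 255):
        raise ValueError("Guest VLAN ID or Max. Reauth. Count out of range")
    if unanswered_requests < cfg.max_reauth_count:
        return None                    # keep sending Request Identity frames
    if eapol_seen and not cfg.allow_if_eapol_seen:
        return None                    # a supplicant once spoke on this port; stay out
    return cfg.guest_vlan_id
```

A RADIUS entry written in any other MAC notation never matches what the switch sends, so the client silently fails MAC-based Auth.; the Guest VLAN model shows why leaving Allow Guest VLAN if EAPOL Seen disabled keeps a port that once carried a supplicant out of the guest network.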
Configuring the NXA-ENET8-2POE
60