AMX NXA-ENET8-2POE Instruction Manual page 63

Network Access Server Conf iguration Parameters (Cont.)
Port Conf iguration (Cont.)
• RADIUS-Assigned
QoS Enabled
• RADIUS-Assigned
VLAN Enabled
• Guest VLAN
Enabled
• Port State
• Restart
Access to all switch ports in a network can be centrally controlled from a server, which means that authorized users can use the
same credentials for authentication from any point within the network (FIG. 52).
Using Port Security
FIG. 52
This switch uses the Extensible Authentication Protocol over LANs (EAPOL) to exchange authentication protocol messages with the
client, and a remote RADIUS authentication server to verify user identity and access rights. These backend servers are configured
on the AAA menu (see the Specifying Authentication Servers section on page 74).
When a client (i.e., Supplicant) connects to a switch port, the switch (i.e., Authenticator) responds with an EAPOL identity request.
The client provides its identity (such as a user name) in an EAPOL response to the switch, which it forwards to the RADIUS server.
The RADIUS server verifies the client identity and sends an access challenge back to the client. The EAP packet from the RADIUS
server contains not only the challenge, but the authentication method to be used. The client can reject the authentication method
and request another, depending on the configuration of the client software and the RADIUS server.
The encryption method used by IEEE 802.1X to pass authentication messages can be MD5 (Message-Digest 5), TLS (Transport
Layer Security), PEAP (Protected Extensible Authentication Protocol), or TTLS (Tunneled Transport Layer Security). However, note
that the only encryption method supported by MAC-Based authentication is MD5. The client responds to the appropriate method
with its credentials, such as a password or certificate. The RADIUS server verifies the client credentials and responds with an
accept or reject packet.
If authentication is successful, the switch allows the client to access the network. Otherwise, network access is denied and the port
remains blocked.
NXA-ENET8-2POE - Instruction Manual
Enables or disables this feature for a given port. Refer to the description of this feature under the System
Configuration section.
Enables or disables this feature for a given port. Refer to the description of this feature under the System
Configuration section.
Enables or disables this feature for a given port. Refer to the description of this feature under the System Configure
section.
The current state of the port:
Globally Disabled - 802.1X and MAC-based authentication are globally disabled. (This is the default state.)
Link Down - 802.1X or MAC-based authentication is enabled, but there is no link on the port.
Authorized - The port is in Force Authorized mode, or a single-supplicant mode and the supplicant is
authorized.
Unauthorized - The port is in Force Unauthorized mode, or a single-supplicant mode and the supplicant is not
successfully authorized by the RADIUS server.
X Auth/Y Unauth - The port is in a multi-supplicant mode. X clients are currently authorized and Y are
unauthorized.
Restarts client authentication using one of the methods described below. Note that the restart buttons are only
enabled when the switch's authentication mode is globally enabled (under System Configuration) and the port's
Admin State is an EAPOL-based or MAC-Based mode. Clicking these buttons will not cause settings changed on
the page to take effect.
Reauthenticate - Schedules reauthentication to whenever the quiet-period of the port runs out (EAPOL-based
authentication). For MAC-based authentication, reauthentication will be attempted immediately. The button
only has effect for successfully authenticated clients on the port and will not cause the clients to get
temporarily unauthorized.
Reinitialize - Forces a reinitialization of the clients on the port and thereby a reauthentication immediately. The
clients will transfer to the unauthorized state while the reauthentication is in progress.
Configuring the NXA-ENET8-2POE
61