Ethernet Port Security / Port-Based Authentication - GE MDS ORBIT MCR Technical Manual

Multiservice/edge connect routers
3.8.3 Ethernet Port Security / Port-Based Authentication

Understanding
Orbit devices support Ethernet port security using port-based authentication. Port-based authentication
blocks traffic on the front Ethernet port(s) until a RADIUS server determines that the device connected to
the port is allowed to communicate on the network. Because the secured port passes no traffic until
authentication succeeds, the Orbit must have a route to the RADIUS server over another network channel
for authentication to work. Port-based authentication can be enabled in either EAP (Extensible
Authentication Protocol) mode or MAB (MAC Authentication Bypass) mode. Both modes require a RADIUS
server.
In EAP security-mode, the Orbit blocks all traffic on the Ethernet port but still captures EAP frames.
These EAP frames are forwarded to the configured RADIUS server over the RADIUS protocol. The Orbit is
agnostic to the EAP method negotiated between the peer and the RADIUS server, so any EAP method
supported by both ends can be used (e.g. EAP-TLS). If the RADIUS server successfully authenticates the
peer connected to the Ethernet port, it sends a RADIUS Access-Accept message to the Orbit. When that
message is received, the Orbit stops blocking traffic on the Ethernet port.
In MAB security-mode, the Orbit blocks all traffic on the Ethernet port but still captures Ethernet
frame headers so that it can read the source MAC address of ingress traffic. For each MAC address it
captures, the Orbit sends a RADIUS PAP (Password Authentication Protocol) request, and it keeps doing so
until it receives a RADIUS Access-Accept message from the RADIUS server. When the Access-Accept
message is received, the Orbit stops blocking traffic on the Ethernet port. The PAP requests are created
with the following attributes:
Username (RADIUS User-Name): the MAC address, without punctuation, of the peer device connected to
the Ethernet port. Example: 00063d089883
Password (RADIUS User-Password): the same string as the Username, carried with the standard RADIUS
PAP shared-secret obfuscation rather than in the clear. The RADIUS server therefore needs an entry for
each MAB device whose password is its MAC address.
Calling-Station-Id: the same as the Username but with hyphens. Example: 00-06-3d-08-98-83
Note that MAB authenticates only a source MAC address, which any attached host can forge, so it gives
far weaker assurance than EAP and should be reserved for devices that cannot run an EAP supplicant.
In both security-modes, the NAS-IP-Address in the RADIUS request can be static or dynamic. A static
NAS-IP-Address is used when the Orbit's RADIUS configuration contains the NAS settings. If the static
NAS settings are not set, the Orbit uses one of its own IP addresses that is able to route to the RADIUS
server's address.
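The MAB exchange described above, as an added example in Python (not GE MDS code and not part of this manual): it builds the attribute set for one captured source MAC, hides the User-Password with the RADIUS PAP method from RFC 2865, and shows the decision a RADIUS server would make against a MAC allow-list. The shared secret and NAS address are taken from the configuration example in this section; the allow-list, the assumption that the password is the MAC string itself, and the Request Authenticator handling are illustrative assumptions.

```python
"""Model of the RADIUS PAP exchange used by MAB port authentication.

Added example, not GE MDS code. Assumptions: the User-Password carries the
MAC string itself (the manual's "encrypted version of the Username"), hidden
with the RFC 2865 section 5.2 method; the server holds a MAC allow-list.
"""
import hashlib
import os
import re

SHARED_SECRET = b"RadiusSharedSecret"   # from this section's configuration example


def mab_username(mac: str) -> str:
    """Strip punctuation from any common MAC spelling -> 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def calling_station_id(mac: str) -> str:
    """Hyphenated form carried in Calling-Station-Id, e.g. 00-06-3d-08-98-83."""
    d = mab_username(mac)
    return "-".join(d[i:i + 2] for i in range(0, 12, 2))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 User-Password hiding: null-pad to a 16-byte multiple, then XOR
    each block with MD5(secret + previous block), seeded by the authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of hide_password; trailing pad bytes are removed."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_mab_request(mac: str, nas_ip: str, secret: bytes = SHARED_SECRET,
                      authenticator: bytes = b"") -> dict:
    """Attributes the NAS (the Orbit) sends for one captured source MAC."""
    user = mab_username(mac)
    auth = authenticator or os.urandom(16)   # Request Authenticator, fresh per request
    return {
        "Request-Authenticator": auth,
        "User-Name": user,
        "User-Password": hide_password(user.encode(), secret, auth),
        "Calling-Station-Id": calling_station_id(mac),
        "NAS-IP-Address": nas_ip,
    }


def radius_decide(request: dict, allowed_macs: set,
                  secret: bytes = SHARED_SECRET) -> str:
    """What a RADIUS server does with the request: recover the password with
    its copy of the shared secret, require it to equal the User-Name (the MAB
    convention assumed here), then apply the allow-list. Returns the reply type."""
    user = request["User-Name"]
    pw = reveal_password(request["User-Password"], secret,
                         request["Request-Authenticator"])
    if pw != user.encode():
        return "Access-Reject"   # shared-secret mismatch or tampered request
    if user not in allowed_macs:
        return "Access-Reject"   # unknown MAC: port stays blocked
    return "Access-Accept"       # Orbit unblocks the port on receipt


if __name__ == "__main__":
    req = build_mab_request("00:06:3d:08:98:83", "192.168.10.1")
    print(req["User-Name"], req["Calling-Station-Id"],
          radius_decide(req, {"00063d089883"}))
```

The wrong-secret branch is worth noticing: a mismatched shared secret does not produce a protocol error, only a password that fails to decode to the MAC, so a misconfigured secret on either side looks exactly like an unknown device being rejected.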
Configuring
Configuration of port authentication first requires a RADIUS server definition to be added to the
Orbit. For example:
% set system mds-radius servers MyServer address 192.168.10.100 shared-secret RadiusSharedSecret
% commit
Port authentication can then be enabled on an Ethernet port, referencing that server by name. For example:
% set interfaces interface ETH1 security security-mode EAP radius-server MyServer
% commit
Because the secured port passes no traffic until the RADIUS server answers, confirm before committing
that the Orbit can reach the RADIUS server over an interface other than the one being secured, and use a
strong, unique shared secret in place of the placeholder shown above.
MDS 05-6632A01, Rev. F
MDS Orbit MCR/ECR Technical Manual