Implementation Of 802.1X In The Devices; Features Working Together With 802.1X - 3Com MSR 50 Series Configuration Manual

1738 C 92: 802.1
HAPTER X
Implementation of
802.1x in the Devices
n
Features Working
Together with 802.1x
C
ONFIGURATION
multicasts EAP-Request/Identity frames to the supplicant system at an interval
defined by this timer.
Supplicant timeout timer (supp-timeout): Once an authenticator sends an
■
EAP-Request/MD5 Challenge frame to a supplicant, it starts this timer. If this
timer expires but it receives no response from the supplicant, it retransmits the
request.
Server timeout timer (server-timeout): Once an authenticator sends a RADIUS
■
Access-Request packet to the authentication server, it starts this timer. If this
timer expires but it receives no response from the server, it retransmits the
request.
Handshake timer (handshake-period): After a supplicant passes authentication,
■
the authenticator sends to the supplicant handshake requests at this interval to
check whether the supplicant is online. If the authenticator receives no
response after sending the allowed maximum number of handshake requests,
it considers that the supplicant is offline.
Quiet timer (quiet-period): When a supplicant fails the authentication, the
■
authenticator refuses further authentication requests from the supplicant in
this period of time.
The devices extend and optimize the mechanism that the 802.1x protocol specifies
by:
Allowing multiple users to access network services through the same physical
■
port.
Supporting two authentication methods: portbased and macbased. With the
■
portbased method, after the first user of a port passes authentication, all
other users of the port can access the network without authentication, and
when the first user goes offline, all other users get offline at the same time.
With the macbased method, each user of a port must be authenticated
separately, and when an authenticated user goes offline, no other users are
affected.
These extensions can help improve network security and manageability
dramatically.
After an 802.1x supplicant passes authentication, the authentication server sends
authorization information to the authenticator. If the authorization information
contains VLAN authorization information, the authenticator adds the port
connecting the supplicant to the assigned VLAN. This neither changes nor affects
the configurations of the port. The only result is that the assigned VLAN takes
precedence over the manually configured one, that is, the assigned VLAN takes
effect. After the supplicant goes offline, the configured one takes effect.
VLAN assigning
After an 802.1x user passes the authentication, the server will send an
authorization message to the device. If the server is enabled with the VLAN
assigning function, the assigned VLAN information will be included in the
message. The device, depending on the link type of the port used to log in, adds
the port to the assigned VLAN according to the following rules: