Advanced Port-Based Authentication - Alcatel OmniStack LS 6248 User Manual

Os-ls-6200 series

3 Configuring the Switch
• Supplicants — Specifies the host connected to the authenticated port that is
requesting access to the system services.
• Authentication Server — Specifies the server that performs the authentication on
behalf of the authenticator, and indicates whether the supplicant is authorized to
access system services.
The RADIUS server verifies the client identity and sends an access challenge back
to the client. The EAP packet from the RADIUS server contains not only the
challenge, but the authentication method to be used. The client can reject the
authentication method and request another, depending on the configuration of the
client software and the RADIUS server.
The RADIUS server verifies the client credentials and responds with an accept or
reject packet. If authentication is successful, the switch allows the client to access
the network. Otherwise, network access is denied and the port remains blocked.
Port-based authentication creates two access states:
• Controlled Access — Permits communication between the supplicant and the
system, if the supplicant is authorized.
• Uncontrolled Access — Permits uncontrolled communication regardless of the
port state.
The device currently supports port-based authentication via RADIUS servers.

Advanced Port-Based Authentication

Advanced port-based authentication enables multiple hosts to be attached to a
single port. Advanced port-based authentication requires only one host to be
authorized for all hosts to have system access. If the port is unauthorized, all
attached hosts are denied access to the network.
Advanced port-based authentication also enables user-based authentication.
Specific VLANs in the device are always available, even if specific ports attached to
the VLAN are unauthorized. For example, Voice over IP does not require
authentication, while data traffic requires authentication. VLANs for which
authorization is not required can be defined. Unauthenticated VLANs are available
to users, even if the ports attached to the VLAN are defined as authorized.
Advanced port-based authentication is implemented in the following modes:
• Single Host Mode — Only the authorized host can access the port.
• Multiple Host Mode — Multiple hosts can be attached to a single port. Only one
host must be authorized for all hosts to access the network. If the host
authentication fails, or an EAPOL-logoff message is received, all attached clients
are denied access to the network.
• Multiple Sessions Mode - Enables a number of specific hosts that have been
authorized to access the port. Filtering is based on the source MAC address.
• Guest VLANs — Provides limited network access to authorized ports. If a port is
denied network access via port-based authorization, but the Guest VLAN is
enabled, the port receives limited network access. For example, a network
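
The host modes listed above differ in who gets through once one host has authenticated. The following is an added example, not code from the manual or from the switch firmware: a small Python model of the admission rules as this page states them. The class and function names, MAC addresses and VLAN IDs are constructed, and the handling of a second host in single host mode is an assumption.

```python
from dataclasses import dataclass, field

SINGLE, MULTI_HOST, MULTI_SESSION = "single-host", "multiple-host", "multiple-sessions"

@dataclass
class Port:
    """Toy model of one authenticated switch port (hypothetical, not vendor code)."""
    mode: str
    unauth_vlans: frozenset = frozenset()         # VLANs exempt from authentication
    authorized: set = field(default_factory=set)  # source MACs accepted by RADIUS

    def radius_accept(self, mac):
        # Assumption: in single host mode the first accepted host holds the port.
        if self.mode == SINGLE and self.authorized:
            return
        self.authorized.add(mac)

    def fail_or_logoff(self, mac):
        # Authentication failure or EAPOL-logoff from `mac`.
        if self.mode == MULTI_HOST:
            self.authorized.clear()       # port closes for every attached client
        else:
            self.authorized.discard(mac)  # only that host's session ends

    def admits(self, src_mac, vlan):
        if vlan in self.unauth_vlans:
            return True                   # e.g. a voice VLAN, always available
        if self.mode == MULTI_HOST:
            return bool(self.authorized)  # one authorized host opens the port to all
        return src_mac in self.authorized  # filter on source MAC

def compare_modes():
    """Return {mode: (pc, laptop, phone, laptop_after_pc_logoff)} admit decisions."""
    pc, laptop, phone = "00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:03"
    data_vlan, voice_vlan = 10, 20        # constructed VLAN IDs
    out = {}
    for mode in (SINGLE, MULTI_HOST, MULTI_SESSION):
        port = Port(mode, unauth_vlans=frozenset({voice_vlan}))
        port.radius_accept(pc)            # only the PC ever authenticates
        before = (port.admits(pc, data_vlan), port.admits(laptop, data_vlan),
                  port.admits(phone, voice_vlan))
        port.fail_or_logoff(pc)
        out[mode] = before + (port.admits(laptop, data_vlan),)
    return out

if __name__ == "__main__":
    for mode, result in compare_modes().items():
        print(f"{mode:18} {result}")
```

In the output, the unauthenticated laptop is admitted on the data VLAN only in multiple host mode, which is the trade-off to weigh before enabling that mode on a port that may sit behind a hub or unmanaged switch.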
