Table of Contents
Advertisement
| Configuring the Switch
C
4
HAPTER
Configuring Security
System Configuration
Mode - Indicates if 802.1X and MAC-based authentication are globally
◆
enabled or disabled on the switch. If globally disabled, all ports are
allowed to forward frames.
Reauthentication Enabled - Sets clients to be re-authenticated after
◆
an interval specified by the Re-authentication Period. Re-authentication
can be used to detect if a new device is plugged into a switch port.
(Default: Disabled)
For MAC-based ports, reauthentication is only useful if the RADIUS
server configuration has changed. It does not involve communication
between the switch and the client, and therefore does not imply that a
client is still present on a port (see Age Period below).
◆
Reauthentication Period - Sets the time period after which a
connected client must be re-authenticated. (Range: 1-3600 seconds;
Default: 3600 seconds)
EAPOL Timeout - Sets the time the switch waits for a supplicant
◆
response during an authentication session before retransmitting a
Request Identify EAPOL packet. (Range: 1-255 seconds; Default: 30
seconds)
Aging Period - The period used to calculate when to age out a client
◆
allowed access to the switch through Single 802.1X, Multi 802.1X, and
MAC-based authentication as described below. (Range: 10-1000000
seconds; Default: 300 seconds)
When the NAS module uses the Port Security module to secure MAC
addresses, the Port Security module needs to check for activity on the
MAC address in question at regular intervals and free resources if no
activity is seen within the given age period.
If reauthentication is enabled and the port is in a 802.1X-based mode,
this is not so critical, since supplicants that are no longer attached to
the port will get removed upon the next reauthentication, which will
fail. But if reauthentication is not enabled, the only way to free
resources is by aging the entries.
For ports in MAC-based Auth. mode, reauthentication does not cause
direct communication between the switch and the client, so this will not
detect whether the client is still attached or not, and the only way to
free any resources is to age the entry.
Hold Time - The time after an EAP Failure indication or RADIUS
◆
timeout that a client is not allowed access. This setting applies to ports
running Single 802.1X, Multi 802.1X, or MAC-based authentication.
(Range: 10-1000000 seconds; Default: 10 seconds)
If the RADIUS server denies a client access, or a RADIUS server
request times out (according to the timeout specified on the AAA menu
on
page
109), the client is put on hold in the Unauthorized state. In this
state, the hold timer does not count down during an on-going
authentication.
– 80 –
Hide quick links:
Advertisement
Table of Contents
