SMC Networks SMCGS10P-SMART Management Manual page 86

Web smart 10-port ge poe switch

Chapter 4 | Configuring the Switch
Configuring Security
The maximum number of supplicants that can be attached to a port can be limited using the Port Security Limit Control functionality.

MAC-based Auth. - Enables MAC-based authentication on the port. The switch does not transmit or accept EAPOL frames on the port. Flooded frames and broadcast traffic will be transmitted on the port, whether or not clients are authenticated on the port, whereas unicast traffic from an unsuccessfully authenticated client will be dropped. Clients that are not (or not yet) successfully authenticated will not be allowed to transmit frames of any kind.

The switch acts as the supplicant on behalf of clients. The initial frame (any kind of frame) sent by a client is snooped by the switch, which in turn uses the client's MAC address as both user name and password in the subsequent EAP exchange with the RADIUS server. The 6-byte MAC address is converted to a string in the following form: "xx-xx-xx-xx-xx-xx", that is, a dash (-) is used as separator between the lower-cased hexadecimal digits. The switch only supports the MD5-Challenge authentication method, so the RADIUS server must be configured accordingly.

When authentication is complete, the RADIUS server sends a success or failure indication, which in turn causes the switch to open up or block traffic for that particular client, using the Port Security module. Only then will frames from the client be forwarded on the switch. There are no EAPOL frames involved in this authentication, and therefore, MAC-based Authentication has nothing to do with the 802.1X standard.

The advantage of MAC-based authentication over port-based 802.1X is that several clients can be connected to the same port (e.g. through a 3rd party switch or a hub) and still require individual authentication, and that the clients don't need special supplicant software to authenticate. Its advantage over 802.1X-based authentication is likewise that the clients don't need special supplicant software to authenticate. The disadvantage is that MAC addresses can be spoofed by malicious users: equipment whose MAC address is a valid RADIUS user can be used by anyone. Also, only the MD5-Challenge method is supported. The maximum number of clients that can be attached to a port can be limited using the Port Security Limit Control functionality.
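An added example, not part of the manual: a Python sketch that turns a device inventory into RADIUS user entries in the exact user-name form the switch sends (lower-case hex pairs separated by dashes), with the same string as the password. The FreeRADIUS-style `users` file syntax, the function names and the sample addresses are assumptions; the manual does not name a RADIUS server.

```python
import re

# Constructed sample inventory; address formats vary as they do in practice.
SAMPLE_INVENTORY = [
    "00:1A:2B:3C:4D:5E",   # colon-separated, upper case
    "001a.2b3c.4d5f",      # dot-separated groups of four digits
    "00-1a-2b-3c-4d-60",   # already in the switch's form
    "001A2B3C4D5E",        # duplicate of the first entry
    "01:00:5e:00:00:fb",   # group address, never a client source MAC
    "00:1a:2b:3c:4d",      # too short
]

def switch_username(mac: str) -> str:
    """Return the MAC as the switch sends it: lower-case hex pairs joined by '-'."""
    digits = re.sub(r"[\s:.\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 6-byte MAC address: {mac!r}")
    if int(digits[:2], 16) & 0x01:  # low bit of first octet marks a group address
        raise ValueError(f"group (multicast/broadcast) address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def radius_user_entries(inventory):
    """Build user entries and collect rejected inputs.

    Returns (entries, rejected). Each entry uses the MAC string as both user
    name and clear-text password, which MD5-Challenge needs on the server.
    The entry syntax is an assumed FreeRADIUS-style users file.
    """
    seen, entries, rejected = set(), [], []
    for raw in inventory:
        try:
            name = switch_username(raw)
        except ValueError as exc:
            rejected.append((raw, str(exc)))
            continue
        if name in seen:
            rejected.append((raw, f"duplicate of {name}"))
            continue
        seen.add(name)
        entries.append(f'{name} Cleartext-Password := "{name}"')
    return entries, rejected

if __name__ == "__main__":
    entries, rejected = radius_user_entries(SAMPLE_INVENTORY)
    print("\n".join(entries))
    for raw, reason in rejected:
        print(f"# skipped {raw}: {reason}")
```

An entry stored in any other form (upper case, colons) will never match the user name the switch presents, so the client stays blocked even though its address is in the inventory.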
Further Guidelines for Port Admin State

Port Admin state can only be set to Force-Authorized for ports participating in the Spanning Tree algorithm (see page 125).

When 802.1X authentication is enabled on a port, the MAC address learning function for this interface is disabled, and the addresses dynamically learned on this port are removed from the common address table.

Authenticated MAC addresses are stored as dynamic entries in the switch's secure MAC address table. Configured static MAC addresses are added to the secure address table when seen on a switch port