Planet WGSD-10020 User Manual page 227
8-port gigabit + 2 100/1000x sfp managed switch
Hide thumbs
Also See for WGSD-10020:
- User manual (553 pages) ,
- Command manual (433 pages) ,
- Quick installation manual (16 pages)
Table of Contents
Advertisement
successfully authenticated.
Multi 802.1X
In port-based 802.1X authentication, once a supplicant is successfully
authenticated on a port, the whole port is opened for network traffic. This allows
other clients connected to the port (for instance through a hub) to piggy-back on
the successfully authenticated client and get network access even though they
really aren't authenticated. To overcome this security breach, use the Multi
802.1X variant.
Multi 802.1X is really not an IEEE standard, but features many of the same
characteristics as does port-based 802.1X. Multi 802.1X is - like Single 802.1X -
not an IEEE standard, but a variant that features many of the same
characteristics. In Multi 802.1X, one or more supplicants can get authenticated
on the same port at the same time. Each supplicant is authenticated individually
and secured in the MAC table using the Port Security module.
In Multi 802.1X it is not possible to use the multicast BPDU MAC address as
destination MAC address for EAPOL frames sent from the switch towards the
supplicant, since that would cause all supplicants attached to the port to reply to
requests sent from the switch. Instead, the switch uses the supplicant's MAC
address, which is obtained from the first EAPOL Start or EAPOL Response
Identity frame sent by the supplicant. An exception to this is when no supplicants
are attached. In this case, the switch sends EAPOL Request Identity frames
using the BPDU multicast MAC address as destination - to wake up any
supplicants that might be on the port.
The maximum number of supplicants that can be attached to a port can be
limited using the Port Security Limit Control functionality.
MAC-based Auth.
Unlike port-based 802.1X, MAC-based authentication is not a standard, but
merely a best-practices method adopted by the industry. In MAC-based
authentication, users are called clients, and the switch acts as the supplicant on
behalf of clients. The initial frame (any kind of frame) sent by a client is snooped
by the switch, which in turn uses the client's MAC address as both username and
password in the subsequent EAP exchange with the RADIUS server. The 6-byte
MAC address is converted to a string on the following form "xx-xx-xx-xx-xx-xx",
that is, a dash (-) is used as separator between the lower-cased hexadecimal
digits. The switch only supports the MD5-Challenge authentication method, so
the RADIUS server must be configured accordingly.
When authentication is complete, the RADIUS server sends a success or failure
indication, which in turn causes the switch to open up or block traffic for that
227
User's Manual of WGSD-10020 Series
Advertisement
Table of Contents
