AMX NXA-ENET8-2POE Operation/Reference Manual page 77

Network Access Server Configuration parameters (Cont.)
Port Configuration (Cont.)
• Admin State
(Cont.)
• RADIUS-Assigned
QoS Enabled
• RADIUS-Assigned
VLAN Enabled
• Guest VLAN
Enabled
• Port State
NXA-ENET8-2POE Gigabit Ethernet Layer 2 PoE Switch
• MAC-based Auth. - Enables MAC-based authentication on the port. The switch
does not transmit or accept EAPOL frames on the port. Flooded frames and
broadcast traffic will be transmitted on the port, whether or not clients are
authenticated on the port, whereas unicast traffic from an unsuccessfully
authenticated client will be dropped. Clients that are not (or not yet) successfully
authenticated will not be allowed to transmit frames of any kind.
The switch acts as the supplicant on behalf of clients. The initial frame (any kind
of frame) sent by a client is snooped by the switch, which in turn uses the client's
MAC address as both user name and password in the subsequent EAP
exchange with the RADIUS server.
The 6-byte MAC address is converted to a string on the following form
xx-xx-xx-xx-xx-xx, that is, a dash (-) is used as separator between the lower-
cased hexadecimal digits. The switch only supports the MD5-Challenge
authentication method, so the RADIUS server must be configured accordingly.
When authentication is complete, the RADIUS server sends a success or failure
indication, which in turn causes the switch to open up or block traffic for that
particular client, using the Port Security module. Only then will frames from the
client be forwarded on the switch. There are no EAPOL frames involved in this
authentication, and therefore, MAC-based Authentication has nothing to do with
the 802.1X standard.
The advantage of MAC-based authentication over port-based 802.1X is that
several clients can be connected to the same port (e.g. through a 3rd party
switch or a hub) and still require individual authentication, and that the clients
don't need special supplicant software to authenticate. The advantage of MAC-
based authentication over 802.1X-based authentication is that the clients don't
need special supplicant software to authenticate. The disadvantage is that MAC
addresses can be spoofed by malicious users - equipment whose MAC address
is a valid RADIUS user can be used by anyone. Also, only the MD5-Challenge
method is supported. The maximum number of clients that can be attached to a
port can be limited using the Port Security Limit Control functionality.
Enables or disables this feature for a given port. Refer to the description of this
feature under the System Configuration section.
Enables or disables this feature for a given port. Refer to the description of this
feature under the System Configuration section.
Enables or disables this feature for a given port. Refer to the description of this
feature under the System Configure section.
The current state of the port:
Globally Disabled - 802.1X and MAC-based authentication are globally
disabled. (This is the default state.)
Link Down - 802.1X or MAC-based authentication is enabled, but there is no
link on the port.
Authorized - The port is in Force Authorized mode, or a single-supplicant mode
and the supplicant is authorized.
Unauthorized - The port is in Force Unauthorized mode, or a single-supplicant
mode and the supplicant is not successfully authorized by the RADIUS server.
X Auth/Y Unauth - The port is in a multi-supplicant mode. X clients are currently
authorized and Y are unauthorized.
Configuring the NXA-ENET8-2POE
67