Authentication Server; Common Tasks - Linksys Smart Switch LGS3XX User Manual

Authentication Server

An authentication server performs the actual authentication of the client. The
authentication server for the device is a RADIUS authentication server with EAP
extensions.
Port Administrative Authentication States
The port administrative state determines whether the client is granted access
to the network.
The port administrative state can be configured in the Port Authentication
page. The following values are available:
Force Authorized: Port authentication is disabled and the port transmits
all traffic in accordance with its static configuration without requiring
any authentication. The switch sends the 802.1x EAP packet with the EAP
success message inside when it receives the 802.1x EAPOL-Start message.
This is the default state.
Force Unauthorized: Port authentication is disabled and the port transmits
all traffic via the guest VLAN. For more information, see Defining Host and
Session Authentication. The switch sends 802.1x EAP packets with EAP
failure messages inside when it receives 802.1x EAPOL-Start messages.
Auto: Enables 802.1x authentication in accordance with the configured
port host mode and authentication methods configured on the port.
Port Host Modes
Ports can be placed in the following port host modes (configured in the Host
Authentication page):
Multi-Host Mode
A port is authorized if there is at least one authorized client.
When a port is unauthorized and a guest VLAN is enabled, untagged traffic
is remapped to the guest VLAN. Tagged traffic is dropped unless it belongs
to the guest VLAN.
When a port is authorized, untagged and tagged traffic
from all hosts connected to the port is bridged, based on the static VLAN
membership port configuration.
You can specify that untagged traffic from the authorized port will be
remapped to a VLAN that is assigned by a RADIUS server during the
authentication process. Tagged traffic is dropped unless it belongs to the
RADIUS-assigned VLAN. RADIUS VLAN assignment on a port is set in the Port
Authentication page.
Multi-Sessions Mode
Unlike multi-host modes, a port in the multi-session mode does not have
an authentication status. This status is assigned to each client connected
to the port. This mode requires a TCAM lookup. Since Layer 3 mode
switches (see Multi-Sessions Mode Support) do not have a TCAM lookup
allocated for multi-sessions mode, they support a limited form of
multi-sessions mode, which does not support guest VLAN and RADIUS VLAN
attributes. The maximum number of authorized hosts allowed on the port
is configured in the Port Authentication page.
802.1x-Based Authentication
The device supports the 802.1x authentication mechanism, as described in the
standard, to authenticate and authorize 802.1x supplicants.
The 802.1x-based authenticator relays transparent EAP messages between
802.1x supplicants and authentication servers. The EAP messages between
supplicants and the authenticator are encapsulated into the 802.1x messages,
and the EAP messages between the authenticator and authentication servers
are encapsulated into the RADIUS messages.
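
The EAPOL exchange behind the port administrative states and the 802.1x relay described above, as an added Python example (not from the Linksys manual or firmware): it builds a supplicant's EAPOL-Start, produces the reply the text describes for each state, and maps a captured reply back to the port state so that ports left in the default Force Authorized state can be identified. The Auto reply (EAP-Request/Identity) follows the 802.1X standard rather than this page; the state strings, MAC addresses and function names are assumptions, and replies are unicast to the supplicant for simplicity.

```python
import struct

ETH_P_PAE = 0x888E                          # EtherType of 802.1x (EAPOL) frames
PAE_GROUP = bytes.fromhex("0180c2000003")   # PAE group address supplicants send to
EAPOL_EAP_PACKET, EAPOL_START = 0, 1        # EAPOL packet types
EAP_REQUEST, EAP_SUCCESS, EAP_FAILURE = 1, 3, 4   # EAP codes
EAP_TYPE_IDENTITY = 1

def eapol_frame(dst, src, ptype, body=b"", version=2):
    """Ethernet header + EAPOL header (version, type, body length) + body."""
    return struct.pack("!6s6sHBBH", dst, src, ETH_P_PAE, version, ptype, len(body)) + body

def parse_eapol(frame):
    """Return (src_mac, packet_type, body), or None for non-EAPOL or truncated frames."""
    if len(frame) < 18:
        return None
    _dst, src, ethertype, _ver, ptype, length = struct.unpack("!6s6sHBBH", frame[:18])
    if ethertype != ETH_P_PAE or len(frame) < 18 + length:
        return None
    return src, ptype, frame[18:18 + length]    # anything past 'length' is padding

def authenticator_reply(frame, admin_state, switch_mac, ident=1):
    """Frame the switch answers an EAPOL-Start with (state names are assumed labels)."""
    parsed = parse_eapol(frame)
    if parsed is None or parsed[1] != EAPOL_START:
        return None
    if admin_state == "force-authorized":       # the manual's default: no authentication
        eap = struct.pack("!BBH", EAP_SUCCESS, ident, 4)
    elif admin_state == "force-unauthorized":
        eap = struct.pack("!BBH", EAP_FAILURE, ident, 4)
    elif admin_state == "auto":                 # per the standard, not this page
        eap = struct.pack("!BBHB", EAP_REQUEST, ident, 5, EAP_TYPE_IDENTITY)
    else:
        raise ValueError(f"unknown admin state: {admin_state}")
    return eapol_frame(parsed[0], switch_mac, EAPOL_EAP_PACKET, eap)

def infer_admin_state(reply):
    """Audit helper: map the first reply to an EAPOL-Start back to the port state."""
    parsed = parse_eapol(reply)
    if parsed is None or parsed[1] != EAPOL_EAP_PACKET or len(parsed[2]) < 4:
        return "unknown"
    return {EAP_SUCCESS: "force-authorized", EAP_FAILURE: "force-unauthorized",
            EAP_REQUEST: "auto"}.get(parsed[2][0], "unknown")

# Constructed sample input: both MAC addresses are made up for this example.
SUPPLICANT, SWITCH = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
START = eapol_frame(PAE_GROUP, SUPPLICANT, EAPOL_START)

if __name__ == "__main__":
    for state in ("force-authorized", "force-unauthorized", "auto"):
        reply = authenticator_reply(START, state, SWITCH)
        print(f"{state:18} -> {reply[14:].hex()} ({infer_admin_state(reply)})")
```

A port that answers EAPOL-Start with an immediate EAP Success, without first sending a Request, never consulted the RADIUS server.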

Common Tasks

Workflow 1: To enable 802.1x authentication on a port:
STEP 1 Click Configuration > Security > Network Control > Feature
Configuration.
STEP 2 Enable Port-based Authentication.
STEP 3 Select the Authentication Method.
Chapter 12 Security