Table of Contents
Advertisement
Single 802.1X - At most one supplicant can get authenticated on
■
the port at a time. If more than one supplicant is connected to a
port, the one that comes first when the port's link comes up will be
the first one considered. If that supplicant doesn't provide valid
credentials within a certain amount of time, another supplicant will
get a chance. Once a supplicant is successfully authenticated, only
that supplicant will be allowed access. This is the most secure of all
the supported modes. In this mode, the Port Security module is
used to secure a supplicant's MAC address once successfully
authenticated.
Multi 802.1X - One or more supplicants can get authenticated on
■
the same port at the same time. Each supplicant is authenticated
individually and secured in the MAC table using the Port Security
module.
In Multi 802.1X it is not possible to use the multicast BPDU MAC
address as the destination MAC address for EAPOL frames sent from
the switch towards the supplicant, since that would cause all
supplicants attached to the port to reply to requests sent from the
switch. Instead, the switch uses the supplicant's MAC address,
which is obtained from the first EAPOL Start or EAPOL Response
Identity frame sent by the supplicant. An exception to this is when
no supplicants are attached. In this case, the switch sends EAPOL
Request Identity frames using the BPDU multicast MAC address as
the destination - to wake up any supplicants that might be on the
port.
The maximum number of supplicants that can be attached to a port
can be limited using the Port Security Limit Control functionality.
MAC-based Auth. - Enables MAC-based authentication on the port.
■
The switch does not transmit or accept EAPOL frames on the port.
Flooded frames and broadcast traffic will be transmitted on the port,
whether or not clients are authenticated on the port, whereas
unicast traffic from an unsuccessfully authenticated client will be
dropped. Clients that are not (or not yet) successfully authenticated
will not be allowed to transmit frames of any kind.
The switch acts as the supplicant on behalf of clients. The initial
frame (any kind of frame) sent by a client is snooped by the switch,
which in turn uses the client's MAC address as both user name and
password in the subsequent EAP exchange with the RADIUS server.
The 6-byte MAC address is converted to a string on the following
form "xx-xx-xx-xx-xx-xx", that is, a dash (-) is used as separator
between the lower-cased hexadecimal digits. The switch only
supports the MD5-Challenge authentication method, so the RADIUS
server must be configured accordingly.
When authentication is complete, the RADIUS server sends a
success or failure indication, which in turn causes the switch to open
up or block traffic for that particular client, using the Port Security
module. Only then will frames from the client be forwarded on the
switch. There are no EAPOL frames involved in this authentication,
and therefore, MAC-based Authentication has nothing to do with the
802.1X standard.
– 95 –
| Configuring the Switch
C
4
HAPTER
Configuring Security
Hide quick links:
Advertisement
Chapters
Table of Contents
Troubleshooting
