i3 International Cortex S243 User Manual page 53

Multi 802.1X In port-based 802.1X authentication, once a supplicant is successfully authenticated on a port,
the whole port is opened for network traffic. This allows other clients connected to the port (for
instance through a hub) to piggy-back on the successfully authenticated client and get network
access even though they really aren't authenticated. To overcome this security breach, use the
Multi 802.1X variant.
Multi 802.1X is really not an IEEE standard, but features many of the same characteristics as
does port-based 802.1X. Multi 802.1X is - like Single 802.1X - not an IEEE standard, but a
variant that features many of the same characteristics. In Multi 802.1X, one or more
supplicants can get authenticated on the same port at the same time. Each supplicant is
authenticated individually and secured in the MAC table using the Port Security module.
In Multi 802.1X it is not possible to use the multicast BPDU MAC address as destination MAC
address for EAPOL frames sent from the switch towards the supplicant, since that would
cause all supplicants attached to the port to reply to requests sent from the switch. Instead,
the switch uses the supplicant's MAC address, which is obtained from the first EAPOL Start
or EAPOL Response Identity frame sent by the supplicant. An exception to this is when no
supplicants are attached. In this case, the switch sends EAPOL Request Identity frames using
the BPDU multicast MAC address as destination - to wake up any supplicants that might be
on the port.
The maximum number of supplicants that can be attached to a port can be limited using the Port
Security Limit Control functionality.
Mac-Based Unlike port-based 802.1X, MAC-based authentication is not a standard, but merely a
Authentication best-practices method adopted by the industry. In MAC-based authentication, users are
called clients, and the switch acts as the supplicant on behalf of clients. The initial frame
(any kind of frame) sent by a client is snooped by the switch, which in turn uses the client's
MAC address as both username and password in the subsequent EAP exchange with the
RADIUS server. The 6-byte MAC address is converted to a string on the following form "xx-
xx-xx-xx-xx-xx", that is, a dash (-) is used as separator between the lower-cased hexadecimal
digits. The switch only supports the MD5-Challenge authentication method, so the RADIUS server
must be configured accordingly.
When authentication is complete, the RADIUS server sends a success or failure indication, which
in turn causes the switch to open up or block traffic for that particular client, using the Port
Security module. Only then will frames from the client be forwarded on the switch. There
are no EAPOL frames involved in this authentication, and therefore, MAC-based
Authentication has nothing to do with the 802.1X standard.
The advantage of MAC-based authentication over port-based 802.1X is that several clients can
be connected to the same port (e.g. through a 3rd party switch or a hub) and still require individual
authentication, and that the clients don't need special supplicant software to authenticate.
The advantage of MAC-based authentication over 802.1X-based authentication is that the
clients don't need special supplicant software to authenticate. The disadvantage is that MAC
addresses can be spoofed by malicious users - equipment whose MAC address is a valid
RADIUS user can be used by anyone. Also, o n l y t h e method is supported. The maximum
number of clients that can be attached to a port can be limited using the Port Security Limit
Control functionality.
Radius-Assigned When RADIUS-Assigned QoS is both globally enabled and enabled (checked) on a given port,
QoS Enabled the switch reacts to QoS Class information carried in the RADIUS Access-Accept packet
transmitted by the RADIUS server when a supplicant is successfully authenticated. If present and
valid, traffic received on the supplicant's port will be classified to the given QoS Class. If
(re-)authentication fails or the RADIUS Access-Accept packet no longer carries a QoS Class or
it's invalid, or the supplicant is otherwise no longer present on the port, the port's QoS Class is
immediately reverted to the original QoS Class (which may be changed by the administrator in
the meanwhile without affecting the RADIUS-assigned).
This option is only available for single-client modes, i.e:
Port-based 802.1X and Single 802.1X.
RADIUS attributes used in identifying a QoS Class:
Refer to the written documentation for a description of the RADIUS attributes needed in
order to successfully identify a QoS Class. The User-Priority-Table attribute defined in
RFC4675 forms the basis for identifying the QoS Class in an Access-Accept packet.
Only the first occurrence of the attribute in the packet will be considered, and to be valid, it
52