Table of Contents
Advertisement
many information exchange frames are needed for a particular method. The switch
simply encapsulates the EAP part of the frame into the relevant type (EAPOL or
RADIUS) and forwards it.
When authentication is complete, the RADIUS server sends a special packet
containing a success or failure indication. Besides forwarding this decision to the
supplicant, the switch uses it to open up or block traffic on the switch port connected
to the supplicant.
Note: Suppose two backend servers are enabled and that the server timeout is
configured to X seconds (using the AAA configuration page), and suppose that the
first server in the list is currently down (but not considered dead). Now, if the
supplicant retransmits EAPOL Start frames at a rate faster than X seconds, then it
will never get authenticated, because the switch will cancel on-going backend
authentication server requests whenever it receives a new EAPOL Start frame from
the supplicant. And since the server hasn't yet failed (because the X seconds haven't
expired), the same server will be contacted upon the next backend authentication
server request from the switch. This scenario will loop forever. Therefore, the server
timeout should be smaller than the supplicant's EAPOL Start frame retransmission
rate.
Single 802.1X: In port-based 802.1X authentication, once a supplicant is successfully
authenticated on a port, the whole port is opened for network traffic. This allows
other clients connected to the port (for instance through a hub) to piggy-back on the
successfully authenticated client and get network access even though they really
aren't authenticated. To overcome this security breach, use the Single 802.1X variant.
Single 802.1X is really not an IEEE standard, but features many of the same
characteristics as does port-based 802.1X. In Single 802.1X, at most one supplicant
can get authenticated on the port at a time. Normal EAPOL frames are used in the
communication between the supplicant and the switch. If more than one supplicant is
connected to a port, the one that comes first when the port's link comes up will be the
first one considered. If that supplicant doesn't provide valid credentials within a
certain amount of time, another supplicant will get a chance. Once a supplicant is
successfully authenticated, only that supplicant will be allowed access. This is the
most secure of all the supported modes. In this mode, the Port Security module is
used to secure a supplicant's MAC address once successfully authenticated.
Multi 802.1X: In port-based 802.1X authentication, once a supplicant is successfully
authenticated on a port, the whole port is opened for network traffic. This allows
other clients connected to the port (for instance through a hub) to piggy-back on the
successfully authenticated client and get network access even though they really
-59-
Hide quick links:
Advertisement
Table of Contents
