KTI Networks KGS-1064-HP User Manual page 60

Web management interface

Hide thumbs Also See for KGS-1064-HP:

User manual (34 pages)

Table Of Contents

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

page of 240

/ 240
Contents
Table of Contents
Bookmarks

Table of Contents

aren't authenticated. To overcome this security breach, use the Multi 802.1X variant.

Multi 802.1X is really not an IEEE standard, but features many of the same

characteristics as does port-based 802.1X. Multi 802.1X is - like Single 802.1X - not

an IEEE standard, but a variant that features many of the same characteristics. In

Multi 802.1X, one or more supplicants can get authenticated on the same port at the

same time. Each supplicant is authenticated individually and secured in the MAC

table using the Port Security module.

In Multi 802.1X it is not possible to use the multicast BPDU MAC address as

destination MAC address for EAPOL frames sent from the switch towards the

supplicant, since that would cause all supplicants attached to the port to reply to

requests sent from the switch. Instead, the switch uses the supplicant's MAC address,

which is obtained from the first EAPOL Start or EAPOL Response Identity frame

sent by the supplicant. An exception to this is when no supplicants are attached. In

this case, the switch sends EAPOL Request Identity frames using the BPDU

multicast MAC address as destination - to wake up any supplicants that might be on

the port.

The maximum number of supplicants that can be attached to a port can be limited

using the Port Security Limit Control functionality.

MAC-based Auth.: Unlike port-based 802.1X, MAC-based authentication is not a

standard, but merely a best-practices method adopted by the industry. In MAC-based

authentication, users are called clients, and the switch acts as the supplicant on behalf

of clients. The initial frame (any kind of frame) sent by a client is snooped by the

switch, which in turn uses the client's MAC address as both username and password

in the subsequent EAP exchange with the RADIUS server. The 6-byte MAC address

is converted to a string on the following form "xx-xx-xx-xx-xx-xx", that is, a dash (-)

is used as separator between the lower-cased hexadecimal digits. The switch only

supports the MD5-Challenge authentication method, so the RADIUS server must be

configured accordingly.

When authentication is complete, the RADIUS server sends a success or failure

indication, which in turn causes the switch to open up or block traffic for that

particular client, using the Port Security module. Only then will frames from the

client be forwarded on the switch. There are no EAPOL frames involved in this

authentication, and therefore, MAC-based Authentication has nothing to do with the

802.1X standard.

The advantage of MAC-based authentication over port-based 802.1X is that several

clients can be connected to the same port (e.g. through a 3rd party switch or a hub)

and still require individual authentication, and that the clients don't need special

-60-

Table of Contents

Show Quick Links

Quick Links:
Start Browser Software and Making Connection
Login to the Switch Unit
Ports

Hide quick links:

Table of Contents

KTI Networks KGS-1064-HP User Manual page 60

Hide quick links:

Related Manuals for KTI Networks KGS-1064-HP

Related Products for KTI Networks KGS-1064-HP

Table of Contents