Black Box LPB2910A User Manual page 80

LPB2900 Series Gigabit Managed PoE+ Switches

Once the switch considers whether to enter the Guest VLAN, it will first check if this option is enabled or disabled. If disabled (unchecked, default), the switch will only enter the Guest VLAN if an EAPOL frame has not been received on the port for the lifetime of the port. If enabled (checked), the switch will consider entering the Guest VLAN even if an EAPOL frame has been received on the port for the lifetime of the port.
The value can only be changed if the Guest VLAN option is globally enabled.

Port Configuration:
The table has one row for each port on the selected switch and a number of columns, which are:

Port:
The port number that the configuration below applies to.

Admin State:
If NAS is globally enabled, this selection controls the port's authentication mode. The following modes are available:

Force Authorized:
In this mode, the switch will send one EAPOL Success frame when the port link comes up, and any client on the port will be allowed network access without authentication.

Force Unauthorized:
In this mode, the switch will send one EAPOL Failure frame when the port link comes up, and any client on the port will be disallowed network access.

Port-based 802.1X:
In the 802.1X world, the user is called the supplicant, the switch is the authenticator, and the RADIUS server is the authentication server. The authenticator acts as the man-in-the-middle, forwarding requests and responses between the supplicant and the authentication server. Frames sent between the supplicant and the switch are special 802.1X frames, known as EAPOL (EAP Over LANs) frames. EAPOL frames encapsulate EAP PDUs (RFC 3748). Frames sent between the switch and the RADIUS server are RADIUS packets. RADIUS packets also encapsulate EAP PDUs together with other attributes like the switch's IP address, name, and the supplicant's port number on the switch. EAP is very flexible: it allows for different authentication methods, like MD5-Challenge, PEAP, and TLS. The important thing is that the authenticator (the switch) doesn't need to know which authentication method the supplicant and the authentication server are using, or how many information exchange frames are needed for a particular method. The switch simply encapsulates the EAP part of the frame into the relevant type (EAPOL or RADIUS) and forwards it.
When authentication is complete, the RADIUS server sends a special packet containing a success or failure indication. Besides forwarding this decision to the supplicant, the switch uses it to open up or block traffic on the switch port connected to the supplicant.
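The following Python example is added here to illustrate the encapsulation described above; it is not code from the manual or from the switch firmware. It parses the EAPOL header (version, type, body length) and the EAP PDU header (code, identifier, length, type) from RFC 3748, wraps an EAP PDU back into an EAPOL frame for the supplicant, and shows the two decisions the authenticator actually makes on its own: reacting to the outer EAPOL type, and opening or blocking the port on the final EAP Success/Failure code. The sample frames, the server-side Success PDU, and the function and constant names are constructed for this example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# EAPOL packet types (IEEE 802.1X); only the ones discussed in the text are listed.
EAPOL_EAP_PACKET = 0
EAPOL_START = 1
EAPOL_LOGOFF = 2

# EAP codes (RFC 3748). Request/Response carry a Type octet; Success/Failure do not.
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_NAMES = {1: "Identity", 4: "MD5-Challenge", 13: "TLS", 25: "PEAP"}


@dataclass
class EapPdu:
    code: int
    identifier: int
    eap_type: Optional[int]   # None for Success/Failure
    data: bytes


@dataclass
class EapolFrame:
    version: int
    packet_type: int
    eap: Optional[EapPdu]     # only present for EAP-Packet frames


def parse_eap(pdu: bytes) -> EapPdu:
    """Parse an EAP PDU header; lengths are validated so a short buffer cannot be over-read."""
    if len(pdu) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", pdu[:4])
    if length < 4 or length > len(pdu):
        raise ValueError("EAP length field inconsistent with buffer")
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < 5:
            raise ValueError("EAP Request/Response without Type octet")
        return EapPdu(code, ident, pdu[4], pdu[5:length])
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return EapPdu(code, ident, None, pdu[4:length])
    raise ValueError(f"unknown EAP code {code}")


def parse_eapol(frame: bytes) -> EapolFrame:
    """Parse the 4-octet EAPOL header (version, type, body length) that follows the Ethernet header."""
    if len(frame) < 4:
        raise ValueError("EAPOL header truncated")
    version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL body shorter than its length field")
    eap = parse_eap(body) if ptype == EAPOL_EAP_PACKET else None
    return EapolFrame(version, ptype, eap)


def build_eapol(eap_pdu: bytes, version: int = 2) -> bytes:
    """Wrap an EAP PDU (e.g. one received inside a RADIUS packet) in an EAPOL EAP-Packet."""
    return struct.pack("!BBH", version, EAPOL_EAP_PACKET, len(eap_pdu)) + eap_pdu


def authenticator_action(frame: bytes) -> str:
    """What the switch does with an EAPOL frame from the supplicant. It looks only at the
    EAPOL type; the EAP method inside is opaque to it and is simply relayed to RADIUS."""
    f = parse_eapol(frame)
    if f.packet_type == EAPOL_START:
        return "restart: cancel pending RADIUS request, send EAP-Request/Identity"
    if f.packet_type == EAPOL_LOGOFF:
        return "block port"
    if f.packet_type == EAPOL_EAP_PACKET:
        return "relay EAP PDU to RADIUS"
    return "ignore"


def port_decision(eap_pdu_from_radius: bytes) -> str:
    """The one EAP field the switch acts on itself: the final Success/Failure code decides
    whether traffic on the port is opened up or blocked."""
    pdu = parse_eap(eap_pdu_from_radius)
    if pdu.code == EAP_SUCCESS:
        return "authorized"
    if pdu.code == EAP_FAILURE:
        return "unauthorized"
    return "pending"   # a Request is relayed to the supplicant; the port state is unchanged


# Constructed sample frames (not captured from a real switch).
SAMPLE_START = bytes([2, EAPOL_START, 0, 0])
# EAP Response/Identity, id 1, identity "alice": EAP length = 4 header + 1 type + 5 octets = 10
SAMPLE_RESPONSE_IDENTITY = bytes([2, EAPOL_EAP_PACKET, 0, 10, EAP_RESPONSE, 1, 0, 10, 1]) + b"alice"
SAMPLE_RADIUS_SUCCESS = bytes([EAP_SUCCESS, 5, 0, 4])

if __name__ == "__main__":
    ident = parse_eapol(SAMPLE_RESPONSE_IDENTITY).eap
    print("supplicant identity:", ident.data.decode(), EAP_TYPE_NAMES[ident.eap_type])
    print("on EAPOL-Start:", authenticator_action(SAMPLE_START))
    print("on RADIUS Success:", port_decision(SAMPLE_RADIUS_SUCCESS),
          build_eapol(SAMPLE_RADIUS_SUCCESS).hex())
```

The length checks matter on a real authenticator: the EAPOL body length and the EAP length field are both attacker-controlled, so each is bounded by the buffer before any slice is taken.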
 
 
NOTE: Suppose two backend servers are enabled and that the server timeout is configured to X seconds (using the AAA configuration page), and suppose that the first server in the list is currently down (but not considered dead).

Now, if the supplicant retransmits EAPOL Start frames at a rate faster than X seconds, then it will never get authenticated, because the switch will cancel ongoing backend authentication server requests whenever it receives a new EAPOL Start frame from the supplicant.

And since the server hasn't yet failed (because the X seconds haven't expired), the same server will be contacted upon the next backend authentication server request from the switch. This scenario will loop forever. Therefore, the server timeout should be smaller than the supplicant's EAPOL Start frame retransmission rate.
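The following Python example is added to make the note above concrete; it is not code from the manual or from the switch. It is a small discrete-event model of one port with two backend servers, the first of which is down but not yet considered dead. The supplicant sends an EAPOL Start at time 0 and every start_interval seconds; the switch queries the first non-dead server and waits up to server_timeout. A new EAPOL Start cancels the outstanding request without marking the server dead, exactly as the note describes. The server names, the assumption that an up server answers immediately, and the simulation horizon are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class BackendServer:
    name: str
    up: bool            # whether it answers at all (assumption: an up server answers immediately)
    dead: bool = False  # set once a request to it has timed out; the switch then skips it


def simulate(server_timeout: float, start_interval: float, horizon: float = 120.0) -> dict:
    """Model one port: EAPOL Start at t=0 and every start_interval seconds; the switch
    queries the first non-dead server and waits up to server_timeout for a reply.
    A fresh EAPOL Start drops the outstanding request but does not mark the server dead."""
    servers = [BackendServer("srv1", up=False), BackendServer("srv2", up=True)]
    t = 0.0
    next_start = 0.0
    pending: Optional[tuple] = None     # (server, deadline) of the outstanding request
    cancelled = 0                       # how many backend requests were cancelled by a new Start

    def query_next_server(now: float) -> Optional[dict]:
        nonlocal pending
        srv = next((s for s in servers if not s.dead), None)
        if srv is None:
            return {"authenticated": False, "time": now, "server": None, "cancelled": cancelled}
        if srv.up:
            return {"authenticated": True, "time": now, "server": srv.name, "cancelled": cancelled}
        pending = (srv, now + server_timeout)   # down server: wait for the timeout to expire
        return None

    while t < horizon:
        deadline = pending[1] if pending else float("inf")
        if next_start <= deadline:
            # Supplicant retransmits EAPOL Start: the ongoing request is dropped and the
            # timer restarts, so the down server never reaches its timeout.
            t = next_start
            next_start += start_interval
            if pending is not None:
                cancelled += 1
                pending = None
        else:
            # Server timeout expired: this server is now considered dead and is skipped.
            t = deadline
            pending[0].dead = True
            pending = None
        result = query_next_server(t)
        if result is not None:
            return result
    return {"authenticated": False, "time": t, "server": None, "cancelled": cancelled}


if __name__ == "__main__":
    # Start every 10 s with a 30 s server timeout: the request to srv1 is cancelled each time.
    print("timeout 30 s, Start every 10 s:", simulate(30.0, 10.0))
    # Start every 10 s with a 5 s server timeout: srv1 times out, is skipped, srv2 answers at t=5.
    print("timeout 5 s, Start every 10 s:", simulate(5.0, 10.0))
```

The first call never authenticates within the horizon and keeps cancelling requests to srv1; the second authenticates against srv2 at t = 5 with no cancellations, which is the configuration the note recommends (server timeout shorter than the supplicant's EAPOL Start retransmission interval).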
 
Publication date: Sept, 2015
Revision A1
