Single 802.1X:
In port-based 802.1X authentication, once a supplicant is successfully authenticated on a port, the whole port is opened for network traffic. This allows other clients connected to the port (for instance through a hub) to piggyback on the successfully authenticated client and get network access even though they really aren't authenticated. To overcome this security weakness, use the Single 802.1X variant.
Single 802.1X is not an IEEE standard, but features many of the same characteristics as port-based 802.1X. In Single 802.1X, at most one supplicant can get authenticated on the port at a time. Normal EAPOL frames are used in the communication between the supplicant and the switch. If more than one supplicant is connected to a port, the one that comes first when the port's link comes up will be the first one considered. If that supplicant doesn't provide valid credentials within a certain amount of time, another supplicant will get a chance. Once a supplicant is successfully authenticated, only that supplicant will be allowed access. This is the most secure of all the supported modes. In this mode, the Port Security module is used to secure a supplicant's MAC address once it is successfully authenticated.
Multi 802.1X:
In port-based 802.1X authentication, once a supplicant is successfully authenticated on a port, the whole port is opened for network traffic. This allows other clients connected to the port (for instance through a hub) to piggyback on the successfully authenticated client and get network access even though they really aren't authenticated. To overcome this security weakness, use the Multi 802.1X variant.
Multi 802.1X is, like Single 802.1X, not an IEEE standard, but a variant that features many of the same characteristics as port-based 802.1X. In Multi 802.1X, one or more supplicants can get authenticated on the same port at the same time. Each supplicant is authenticated individually and secured in the MAC table using the Port Security module.
In Multi 802.1X, it is not possible to use the multicast BPDU MAC address as destination MAC address for EAPOL frames sent from the switch towards the supplicant, since that would cause all supplicants attached to the port to reply to requests sent from the switch. Instead, the switch uses the supplicant's MAC address, which is obtained from the first EAPOL Start or EAPOL Response Identity frame sent by the supplicant. An exception to this is when no supplicants are attached. In this case, the switch sends EAPOL Request Identity frames using the BPDU multicast MAC address as destination, to wake up any supplicants that might be on the port.
The maximum number of supplicants that can be attached to a port can be limited using Port Security Limit Control.
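The difference between the three modes comes down to what the port lets through after one successful authentication. The following model is an added example, not the switch vendor's code: it treats the Port Security module as a plain set of secured MAC addresses, passes time in as a number of seconds so the Single 802.1X timeout is deterministic, and uses constructed MAC addresses. It shows the piggyback exposure of port-based mode beside the per-MAC admission of Single and Multi 802.1X, and the "first supplicant at link-up, then the next one after a timeout" rule of Single mode.

```python
"""Toy model of port-based, Single and Multi 802.1X admission (added example)."""
from enum import Enum


class PortMode(Enum):
    PORT_BASED = "port-based 802.1X"
    SINGLE = "Single 802.1X"
    MULTI = "Multi 802.1X"


class Port:
    def __init__(self, mode, auth_timeout=30, limit=None):
        self.mode = mode
        self.auth_timeout = auth_timeout  # seconds a Single-mode supplicant gets to supply credentials
        self.limit = limit                # Port Security Limit Control (assumed to apply to Multi mode only)
        self.link_up()

    def link_up(self):
        self.port_open = False   # port-based: the whole port opens after one success
        self.secured = set()     # Single/Multi: MACs secured by the Port Security module
        self.candidate = None    # Single: (mac, time the supplicant was admitted to try)

    def supplicant_start(self, mac, now):
        """EAPOL Start / Response Identity seen from `mac` at time `now`.
        Returns True if the switch engages this supplicant in an EAP exchange."""
        if self.mode is PortMode.SINGLE:
            if self.secured:                       # someone already authenticated: port is taken
                return False
            if self.candidate is None or now - self.candidate[1] >= self.auth_timeout:
                self.candidate = (mac, now)        # first at link-up, or the previous one timed out
            return self.candidate[0] == mac
        if self.mode is PortMode.MULTI and self.limit is not None and len(self.secured) >= self.limit:
            return False                           # Limit Control reached
        return True

    def auth_result(self, mac, success):
        """Apply the RADIUS verdict for `mac`."""
        if not success:
            if self.mode is PortMode.SINGLE and self.candidate and self.candidate[0] == mac:
                self.candidate = None              # give the next supplicant a chance
            return
        if self.mode is PortMode.PORT_BASED:
            self.port_open = True
        elif self.mode is PortMode.SINGLE:
            if self.candidate and self.candidate[0] == mac:
                self.secured = {mac}
                self.candidate = None
        elif self.limit is None or len(self.secured) < self.limit:
            self.secured.add(mac)

    def forwards(self, mac):
        """Would a data frame from `mac` be forwarded?"""
        if self.mode is PortMode.PORT_BASED:
            return self.port_open
        return mac in self.secured


GOOD = "00-11-22-33-44-55"   # constructed: a supplicant with valid credentials
PIGGY = "66-77-88-99-aa-bb"  # constructed: a second host on the same hub, never authenticated
SLOW = "aa-aa-aa-aa-aa-aa"   # constructed: first at link-up, never answers with credentials


def piggyback_outcome():
    """Per mode: does the unauthenticated host get through once GOOD has authenticated?"""
    out = {}
    for mode in PortMode:
        p = Port(mode, limit=4)
        p.supplicant_start(GOOD, now=0)
        p.auth_result(GOOD, success=True)
        out[mode.value] = p.forwards(PIGGY)
    return out


def single_mode_timeout_outcome():
    """Single 802.1X: the second supplicant is ignored until the first one's window expires."""
    p = Port(PortMode.SINGLE, auth_timeout=30)
    first = p.supplicant_start(SLOW, now=0)         # engaged: first at link-up
    second_early = p.supplicant_start(GOOD, now=10)  # ignored: SLOW's window still open
    second_late = p.supplicant_start(GOOD, now=31)   # engaged: SLOW timed out
    p.auth_result(GOOD, success=True)
    return first, second_early, second_late, p.forwards(GOOD), p.forwards(SLOW)


if __name__ == "__main__":
    for mode, leaked in piggyback_outcome().items():
        print(f"{mode:>20}: unauthenticated host forwarded = {leaked}")
    print(single_mode_timeout_outcome())
```

Running it shows the unauthenticated host forwarded only in port-based mode, and in Single mode the late supplicant getting its turn only after the first one's timeout has elapsed.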
MAC-based Auth.:
Unlike port-based 802.1X, MAC-based authentication is not a standard, but merely a best-practices method adopted by the industry. In MAC-based authentication, users are called clients, and the switch acts as the supplicant on behalf of clients. The initial frame (any kind of frame) sent by a client is snooped by the switch, which in turn uses the client's MAC address as both username and password in the subsequent EAP exchange with the RADIUS server. The 6-byte MAC address is converted to a string in the form "xx-xx-xx-xx-xx-xx", that is, a dash (-) is used as separator between the lower-cased hexadecimal digits. The switch only supports the MD5-Challenge authentication method, so the RADIUS server must be configured accordingly.
When authentication is complete, the RADIUS server sends a success or failure indication, which in turn causes the switch to open up or block traffic for that particular client, using the Port Security module. Only then will frames from the client be forwarded on the switch. There are no EAPOL frames involved in this authentication, and therefore MAC-based authentication has nothing to do with the 802.1X standard.
The advantage of MAC-based authentication over port-based 802.1X is that several clients can be connected to the same port (e.g., through a 3rd party switch or a hub) and still require individual authentication, and that the clients don't need special supplicant software to authenticate. The disadvantage is that MAC addresses can be spoofed by malicious users: equipment whose MAC address is a valid RADIUS user can be used by anyone. Also, only the MD5-Challenge method is supported.
The maximum number of clients that can be attached to a port can be limited using the Port Security Limit Control functionality.
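The exchange described above, as an added example that is not the switch vendor's code: the MAC-to-string conversion, the EAP MD5-Challenge response (the CHAP-style MD5 over identifier, password and challenge that EAP-MD5 inherits from RFC 1994), and a switch that acts as supplicant on the client's behalf using the MAC string as both username and password. The RADIUS server is a constructed in-memory stand-in holding the allowed MAC strings; the Port Security module is again a set of secured MACs.

```python
"""MAC-based authentication with EAP MD5-Challenge (added example)."""
import hashlib
import hmac
import os


def mac_to_string(mac: bytes) -> str:
    """6-byte MAC -> "xx-xx-xx-xx-xx-xx" with lower-cased hex digits."""
    if len(mac) != 6:
        raise ValueError("MAC address must be exactly 6 bytes")
    return "-".join(f"{b:02x}" for b in mac)


def eap_md5_response(identifier: int, password: str, challenge: bytes) -> bytes:
    """EAP-MD5 Response value: MD5(Identifier || Password || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + password.encode() + challenge).digest()


class RadiusServer:
    """Constructed stand-in for the RADIUS server, configured for MD5-Challenge.
    For MAC-based auth each user's password equals the username (the MAC string)."""

    def __init__(self, allowed_macs):
        self.users = {m: m for m in allowed_macs}

    def challenge(self) -> bytes:
        return os.urandom(16)

    def verify(self, username: str, identifier: int, challenge: bytes, response: bytes) -> bool:
        password = self.users.get(username)
        if password is None:
            return False
        expected = eap_md5_response(identifier, password, challenge)
        return hmac.compare_digest(expected, response)


class Switch:
    """Snoops the client's first frame and runs the EAP exchange on its behalf."""

    def __init__(self, radius: RadiusServer):
        self.radius = radius
        self.secured = set()   # Port Security: MACs whose traffic is opened up
        self.identifier = 0    # EAP identifier, incremented per request

    def snoop_frame(self, src_mac: bytes) -> bool:
        """Return True if frames from `src_mac` are forwarded after this frame."""
        if src_mac in self.secured:
            return True
        name = mac_to_string(src_mac)
        self.identifier = (self.identifier + 1) & 0xFF
        challenge = self.radius.challenge()                      # Access-Challenge from RADIUS
        response = eap_md5_response(self.identifier, name, challenge)  # username == password == MAC
        if self.radius.verify(name, self.identifier, challenge, response):   # Access-Accept
            self.secured.add(src_mac)
            return True
        return False                                              # Access-Reject: stays blocked


if __name__ == "__main__":
    radius = RadiusServer(["00-11-22-33-44-55"])                  # constructed allowed client
    switch = Switch(radius)
    for mac in (b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb"):
        print(mac_to_string(mac), "->", "forwarded" if switch.snoop_frame(mac) else "blocked")
```

Nothing in the exchange ties the password to the hardware; the credential is the MAC string itself, which is why the text lists spoofing as the method's disadvantage, and why the MD5-only restriction matters when choosing the RADIUS server configuration.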
69
Publication date: Sept, 2015
Revision A1