Nas Admin State - Comtrol RocketLinx MP1204-XT User Manual

Item
The VLAN ID that NAS has put the port in. The field is blank, if the Port VLAN ID
is not overridden by NAS.
Port VLAN ID
•
•

NAS Admin State

If NAS is globally enabled, this selection controls the port's authentication mode. The following modes are
available:
• Force Authorized - In this mode, the MP1204-XT sends one EAPOL Success frame when the port link
comes up, and any client on the port will be allowed network access without authentication.
• Force Unauthorized - In this mode, the MP1204-XT sends one EAPOL Failure frame when the port link
comes up, and any client on the port will be disallowed network access.
• Port-based 802.1X - In the 802.1X-world, the user is called the supplicant, the switch is the authenticator,
and the RADIUS server is the authentication server. The authenticator acts as the man-in-the-middle,
forwarding requests and responses between the supplicant and the authentication server. Frames sent
between the supplicant and the switch are special 802.1X frames, known as EAPOL (EAP Over LANs)
frames. EAPOL frames encapsulate EAP PDUs (RFC3748). Frames sent between the switch and the
RADIUS server are RADIUS packets. RADIUS packets also encapsulate EAP PDUs together with other
attributes like the switch's IP address, name, and the supplicant's port number on the switch. EAP is very
flexible, in that it allows for different authentication methods, like MD5-Challenge, PEAP, and TLS. The
important thing is that the authenticator (the switch) doesn't need to know which authentication method
the supplicant and the authentication server are using, or how many information exchange frames are
needed for a particular method. The switch simply encapsulates the EAP part of the frame into the
relevant type (EAPOL or RADIUS) and forwards it.
When authentication is complete, the RADIUS server sends a special packet containing a success or
failure indication. Besides forwarding this decision to the supplicant, the switch uses it to open up or block
traffic on the switch port connected to the supplicant.
Note: Suppose two backend servers are enabled and that the server timeout is configured to X seconds
(using the AAA configuration page), and suppose that the first server in the list is currently down
(but not considered dead). Now, if the supplicant retransmits EAPOL Start frames at a rate faster
than X seconds, then it will never get authenticated, because the switch will cancel on-going
backend authentication server requests whenever it receives a new EAPOL Start frame from the
supplicant. And since the server hasn't yet failed (because the X seconds haven't expired), the same
server will be contacted upon the next backend authentication server request from the switch. This
scenario will loop forever. Therefore, the server timeout should be smaller than the supplicant's
EAPOL Start frame retransmission rate.
• Single 802.1X - In port-based 802.1X authentication, once a supplicant is successfully authenticated on a
port, the whole port is opened for network traffic. This allows other clients connected to the port (for
instance through a hub) to piggy-back on the successfully authenticated client and get network access
even though they really aren't authenticated. To overcome this security breach, use the Single 802.1X
variant.
Single 802.1X is really not an IEEE standard, but features many of the same characteristics as does port-
based 802.1X. In Single 802.1X, at most one supplicant can get authenticated on the port at a time.
Normal EAPOL frames are used in the communication between the supplicant and the switch. If more
than one supplicant is connected to a port, the one that comes first when the port's link comes up will be
the first one considered. If that supplicant doesn't provide valid credentials within a certain amount of
time, another supplicant will get a chance. Once a supplicant is successfully authenticated, only that
supplicant will be allowed access. This is the most secure of all the supported modes. In this mode, the
Port Security module is used to secure a supplicant's MAC address once successfully authenticated.
• Multi 802.1X
Multi 802.1X is - like Single 802.1X - not an IEEE standard, but a variant that features many of the same
characteristics. In Multi 802.1X, one or more supplicants can get authenticated on the same port at the
RocketLinx MP1204-XT User Guide: 2000644 Rev. A
Monitor | Security | Network | NAS | Switch (Continued)
If the VLAN ID is assigned by the RADIUS server, (RADIUS-assigned) is
appended to the VLAN ID. Read more about RADIUS-assigned VLANs here.
If the port is moved to the Guest VLAN, (Guest) is appended to the VLAN ID.
Security | Network | NAS | Switch
Monitor Pages - 205