Comtrol RocketLinx MP1204-XT User Manual page 82

Industrial PoE managed switch: 8 Gigabit copper ports, 4 Gigabit SFP ports

Security | Network | NAS
Item: Admin State (continued)
82 - Configuration Pages
Configuration | Security | Network | NAS (Continued)
Single 802.1X
In port-based 802.1X authentication, once a supplicant is successfully
authenticated on a port, the whole port is opened for network traffic. This
allows other clients connected to the port (for instance through a hub) to
piggy-back on the successfully authenticated client and get network access
even though they are not actually authenticated. To close this security gap,
use the Single 802.1X variant.
Single 802.1X is not an IEEE standard, but it shares many of the
characteristics of port-based 802.1X. In Single 802.1X, at most one
supplicant can be authenticated on the port at a time. Normal EAPOL frames
are used in the communication between the supplicant and the MP1204-XT. If
more than one supplicant is connected to a port, the one that comes first when
the port's link comes up is the first one considered. If that supplicant does not
provide valid credentials within a certain amount of time, another supplicant
gets a chance. Once a supplicant is successfully authenticated, only that
supplicant is allowed access. This is the most secure of all the supported
modes. In this mode, the Port Security module is used to secure a supplicant's
MAC address once it is successfully authenticated.
Multi 802.1X
Multi 802.1X is, like Single 802.1X, not an IEEE standard, but a variant that
features many of the same characteristics. In Multi 802.1X, one or more
supplicants can get authenticated on the same port at the same time. Each
supplicant is authenticated individually and secured in the MAC table using
the Port Security module.
In Multi 802.1X it is not possible to use the multicast BPDU MAC address as
the destination MAC address for EAPOL frames sent from the switch towards the
supplicant, since that would cause all supplicants attached to the port to reply
to requests sent from the MP1204-XT. Instead, the MP1204-XT uses the
supplicant's MAC address, which is obtained from the first EAPOL Start or
EAPOL Response Identity frame sent by the supplicant. An exception to this is
when no supplicants are attached. In this case, the MP1204-XT sends EAPOL
Request Identity frames using the BPDU multicast MAC address as the
destination, to wake up any supplicants that might be on the port.
The maximum number of supplicants that can be attached to a port can be
limited using the Port Security Limit Control functionality.
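An added illustration, not taken from the manual or from Comtrol firmware: a small Python model of how a port admits traffic in port-based, Single and Multi 802.1X as described above, including the piggy-backing case and the Request Identity destination in Multi 802.1X. The class, method names and MAC addresses are constructed; `limit` stands in for Port Security Limit Control, and the Single 802.1X timeout is not modelled.

```python
# Toy model of per-port admission; constructed for illustration only.
# 802.1X PAE group address, assumed to be what the manual calls the
# "BPDU multicast MAC address".
PAE_GROUP_MAC = "01:80:c2:00:00:03"

class Port:
    def __init__(self, mode, limit=None):
        if mode not in ("port-based", "single", "multi"):
            raise ValueError("unknown mode: " + mode)
        self.mode = mode
        # Single 802.1X allows one supplicant; in Multi, limit is optional.
        self.limit = 1 if mode == "single" else limit
        self.secured = []  # MACs admitted after successful authentication

    def authenticate(self, mac, credentials_ok):
        """Record the outcome of one supplicant's 802.1X exchange."""
        if not credentials_ok:
            return False
        if mac in self.secured:
            return True
        if self.limit is not None and len(self.secured) >= self.limit:
            return False  # Single: slot taken; Multi: limit reached
        self.secured.append(mac)
        return True

    def forwards(self, src_mac):
        """Would the port pass a data frame from src_mac?"""
        if not self.secured:
            return False  # nobody authenticated yet: port stays closed
        if self.mode == "port-based":
            return True   # whole port open, so other clients piggy-back
        return src_mac in self.secured  # Single/Multi: secured MACs only

    def request_identity_dst(self, known_supplicants):
        """Destination MACs for EAPOL Request Identity in Multi 802.1X."""
        if self.mode != "multi":
            raise ValueError("modelled for Multi 802.1X only")
        # Unicast to each MAC learned from EAPOL Start / Response Identity;
        # use the group address only when no supplicant is attached.
        return sorted(known_supplicants) or [PAE_GROUP_MAC]

def piggyback_admitted(mode):
    """One client authenticates behind a hub; is a second, unauthenticated one let in?"""
    port = Port(mode)
    port.authenticate("00:11:22:33:44:01", True)  # constructed MAC
    return port.forwards("00:11:22:33:44:02")     # constructed MAC
```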
RocketLinx MP1204-XT User Guide: 2000644 Rev. A
