Comtrol RocketLinx MP1204-XT User Manual page 83

RocketLinx MP1204-XT User Guide: 2000644 Rev. A

Configuration | Security | Network | NAS (Continued)

Item: Admin State (continued)

MAC-based Auth
Unlike port-based 802.1X, MAC-based authentication is not a standard, but
merely a best-practices method adopted by the industry. In MAC-based
authentication, users are called clients, and the MP1204-XT acts as the
supplicant on behalf of clients. The initial frame (any kind of frame) sent by a
client is snooped by the MP1204-XT, which in turn uses the client's MAC
address as both username and password in the subsequent EAP exchange
with the RADIUS server. The 6-byte MAC address is converted to a string of
the form xx-xx-xx-xx-xx-xx, that is, a dash (-) is used as the separator
between the lower-cased hexadecimal digits. The MP1204-XT only supports
the MD5-Challenge authentication method, so the RADIUS server must be
configured accordingly.
When authentication is complete, the RADIUS server sends a success or
failure indication, which in turn causes the MP1204-XT to open up or block
traffic for that particular client, using the Port Security module. Only then are
frames from the client forwarded on the MP1204-XT. There are no EAPOL
frames involved in this authentication, and therefore MAC-based
Authentication has nothing to do with the 802.1X standard.
The advantage of MAC-based authentication over 802.1X-based
authentication is that the clients do not need special supplicant software to
authenticate. The disadvantage is that MAC addresses can be spoofed by
malicious users: equipment whose MAC address is a valid RADIUS user can
be used by anyone. Also, only the MD5-Challenge method is supported. The
maximum number of clients that can be attached to a port can be limited using
the Port Security Limit Control functionality.
Item: RADIUS-Assigned QoS Enabled

When RADIUS-Assigned QoS is both globally enabled and enabled (checked) on a
given port, the switch reacts to QoS Class information carried in the RADIUS
Access-Accept packet transmitted by the RADIUS server when a supplicant is
successfully authenticated. If present and valid, traffic received on the supplicant's
port is classified to the given QoS Class. If (re-)authentication fails, or the RADIUS
Access-Accept packet no longer carries a QoS Class or it is invalid, or the supplicant
is otherwise no longer present on the port, the port's QoS Class is immediately
reverted to the original QoS Class (which may be changed by the administrator in
the meantime without affecting the RADIUS-assigned one).
This option is only available for single-client modes:
- Port-based 802.1X
- Single 802.1X
RADIUS attributes used in identifying a QoS Class:
The User-Priority-Table attribute defined in RFC4675 forms the basis for
identifying the QoS Class in an Access-Accept packet.
Only the first occurrence of the attribute in the packet is considered, and to be
valid, it must follow this rule:
All 8 octets in the attribute's value must be identical and consist of ASCII
characters in the range 0 - 7, which translates into the desired QoS Class in
the range [0; 7].
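The two behaviours described above (the MAC-based username/password derivation with MD5-Challenge, and the validation rule for the User-Priority-Table attribute in an Access-Accept) can be checked offline. The following Python is an added example written for this page; it is not Comtrol code and does not come from the manual. It assumes the RFC 4675 attribute type number 59 for User-Priority-Table, the standard RADIUS packet layout (RFC 2865) and the CHAP-style MD5-Challenge computation MD5(id || secret || challenge) from RFC 1994/3748; the MAC address, RADIUS identifier, authenticator and challenge bytes are constructed sample values.

```python
import hashlib
import struct

# Constructed constants (assumptions, see lead-in): RFC 4675 User-Priority-Table
# attribute type and the RADIUS Access-Accept code from RFC 2865.
USER_PRIORITY_TABLE = 59
ACCESS_ACCEPT = 2


def mac_to_nas_username(mac: bytes) -> str:
    """Render a 6-byte MAC as 'xx-xx-xx-xx-xx-xx' (lower-case hex, dash separated).

    This is the string the switch presents as both username and password, which
    is why a RADIUS user entry for MAC-based auth must use the same value twice.
    """
    if len(mac) != 6:
        raise ValueError("MAC address must be exactly 6 bytes")
    return "-".join(f"{b:02x}" for b in mac)


def eap_md5_response(eap_id: int, password: bytes, challenge: bytes) -> bytes:
    """MD5-Challenge response value: MD5(identifier || password || challenge)."""
    return hashlib.md5(bytes([eap_id & 0xFF]) + password + challenge).digest()


def md5_challenge_ok(eap_id: int, password: bytes, challenge: bytes, response: bytes) -> bool:
    """What a RADIUS server checks for an MD5-Challenge round, in constant time."""
    import hmac
    return hmac.compare_digest(eap_md5_response(eap_id, password, challenge), response)


def build_radius_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    """Assemble a minimal RADIUS packet: 20-byte header followed by TLV attributes."""
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 bytes")
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_radius_attributes(packet: bytes):
    """Yield (type, value) pairs from the attribute section of a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        # Each attribute is at least 2 bytes and must fit inside the packet.
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen


def qos_class_from_access_accept(packet: bytes):
    """Apply the manual's rule: first User-Priority-Table only; 8 identical ASCII
    octets in '0'..'7' give QoS Class 0..7, anything else is invalid (None)."""
    if packet[0] != ACCESS_ACCEPT:
        return None
    for atype, value in parse_radius_attributes(packet):
        if atype != USER_PRIORITY_TABLE:
            continue
        # Only the first occurrence is considered, valid or not.
        if len(value) == 8 and len(set(value)) == 1 and 0x30 <= value[0] <= 0x37:
            return value[0] - 0x30
        return None
    return None


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    mac = bytes.fromhex("001a2b3c4d5e")
    user = mac_to_nas_username(mac)
    challenge = b"\x01" * 16
    resp = eap_md5_response(7, user.encode(), challenge)
    print(user, md5_challenge_ok(7, user.encode(), challenge, resp))
    accept = build_radius_packet(ACCESS_ACCEPT, 1, b"\x00" * 16,
                                 [(USER_PRIORITY_TABLE, b"33333333")])
    print("QoS class:", qos_class_from_access_accept(accept))
```

Because the password is simply the MAC string, the MD5-Challenge check offers no secret beyond what is already visible on the wire, which is the spoofing weakness the manual notes; Port Security Limit Control bounds how many such identities a port accepts but does not make them secret.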
Security | Network | NAS
Configuration Pages - 83