ORiNG DGS-7084GCP-AIO_S SERIES User Manual page 96
DGS-7084GCP-AIO_S SERIES User's Manual
This page allows you to configure the IEEE 802.1X and MAC-based authentication system and
port settings.
The IEEE 802.1X standard defines a port-based access control procedure that prevents
unauthorized access to a network by requiring users to first submit credentials for
authentication. One or more central servers, the backend servers, determine whether the user
is allowed access to the network. These backend (RADIUS) servers are configured on the
Authentication configuration page.
MAC-based authentication allows for authentication of more than one user on the same port,
and doesn't require the user to have special 802.1X software installed on their system. The
switch uses the user's MAC address to authenticate against the backend server. Intruders can
create counterfeit MAC addresses, which makes MAC-based authentication less secure than
802.1X authentication.
Overview of 802.1X (Port-Based) Authentication
In the 802.1X world, the user is called the supplicant, the switch is the authenticator, and the
RADIUS server is the authentication server. The switch acts as the man-in-the-middle,
forwarding requests and responses between the supplicant and the authentication server.
Frames sent between the supplicant and the switch are special 802.1X frames, known as
EAPOL (EAP Over LANs) frames. EAPOL frames encapsulate EAP PDUs (RFC 3748).
Frames sent between the switch and the RADIUS server are RADIUS packets. RADIUS packets
also encapsulate EAP PDUs, together with other attributes such as the switch's IP address, name,
and the supplicant's port number on the switch. EAP is very flexible, in that it allows for
different authentication methods, such as MD5-Challenge, PEAP, and TLS. The important point is
that the authenticator (the switch) doesn't need to know which authentication method the
supplicant and the authentication server are using, or how many information exchange frames
are needed for a particular method. The switch simply encapsulates the EAP part of the frame
into the relevant type (EAPOL or RADIUS) and forwards it.
When authentication is complete, the RADIUS server sends a special packet containing a
success or failure indication. Besides forwarding this decision to the supplicant, the switch
uses it to open up or block traffic on the switch port connected to the supplicant.
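The relay role described above, as an added illustration that is not code from the manual or from the switch firmware: the authenticator unwraps the EAP PDU from an EAPOL frame, re-wraps it unchanged as RADIUS EAP-Message attributes alongside NAS-IP-Address and NAS-Port, and lets only the server's final Accept/Reject decide the port state. The frames, the NAS address 192.0.2.1 and port number 7 are constructed sample values.

```python
import struct

EAPOL_ETHERTYPE = 0x888E
# EAPOL packet types (IEEE 802.1X): 0 = EAP-Packet, 1 = EAPOL-Start, 2 = EAPOL-Logoff
EAPOL_EAP_PACKET, EAPOL_START = 0, 1
# RADIUS codes (RFC 2865) and the attribute types this relay fills in
ACCESS_ACCEPT, ACCESS_CHALLENGE, ACCESS_REJECT = 2, 11, 3
ATTR_NAS_IP, ATTR_NAS_PORT, ATTR_EAP_MESSAGE = 4, 5, 79

def eapol_to_radius_attrs(frame, nas_ip, nas_port):
    """Unwrap the EAP PDU from an EAPOL frame and re-wrap it as RADIUS attributes,
    as the authenticator does. Returns (eapol_type, attrs); attrs is None for
    EAPOL-Start/Logoff, which carry no EAP PDU and never reach the server."""
    if struct.unpack("!H", frame[12:14])[0] != EAPOL_ETHERTYPE:
        raise ValueError("not an EAPOL frame")
    _version, ptype, length = struct.unpack("!BBH", frame[14:18])
    if ptype != EAPOL_EAP_PACKET:
        return ptype, None
    eap = frame[18:18 + length]            # the EAP PDU is relayed untouched
    attrs = struct.pack("!BB4B", ATTR_NAS_IP, 6, *map(int, nas_ip.split(".")))
    attrs += struct.pack("!BBI", ATTR_NAS_PORT, 6, nas_port)
    # RFC 3579: EAP-Message carries the PDU in chunks of at most 253 bytes
    for i in range(0, len(eap), 253):
        chunk = eap[i:i + 253]
        attrs += struct.pack("!BB", ATTR_EAP_MESSAGE, len(chunk) + 2) + chunk
    return ptype, attrs

def port_state_after(radius_code, current="blocked"):
    """Only the server's final verdict changes the port: Accept opens it, Reject
    blocks it; an Access-Challenge means more EAP round trips, port unchanged."""
    if radius_code == ACCESS_ACCEPT:
        return "authorized"
    if radius_code == ACCESS_REJECT:
        return "blocked"
    return current

# Constructed sample frames (not captured from a real device)
ETH_HDR = bytes.fromhex("0180c2000003") + bytes.fromhex("001122334455") \
    + struct.pack("!H", EAPOL_ETHERTYPE)
EAP_IDENTITY = struct.pack("!BBHB", 2, 1, 10, 1) + b"alice"   # EAP Response/Identity
IDENTITY_FRAME = ETH_HDR + struct.pack("!BBH", 1, EAPOL_EAP_PACKET, len(EAP_IDENTITY)) + EAP_IDENTITY
START_FRAME = ETH_HDR + struct.pack("!BBH", 1, EAPOL_START, 0)

if __name__ == "__main__":
    ptype, attrs = eapol_to_radius_attrs(IDENTITY_FRAME, "192.0.2.1", 7)
    print(ptype, attrs.hex())
    print(eapol_to_radius_attrs(START_FRAME, "192.0.2.1", 7))
    print(port_state_after(ACCESS_ACCEPT), port_state_after(ACCESS_REJECT, "authorized"))
```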
Note: Suppose two backend servers are enabled and that the server timeout is configured to X
seconds (using the Authentication configuration page), and suppose that the first server in the
list is currently down (but not considered dead). Now, if the supplicant retransmits EAPOL Start
frames at a rate faster than X seconds, then it will never get authenticated, because the switch
will cancel on-going backend authentication server requests whenever it receives a new
ORing Industrial Networking Corp
95