ORiNG DGS-7084GCP-AIO_S SERIES User Manual page 97

DGS-7084GCP-AIO_S SERIES User's Manual
EAPOL Start frame from the supplicant. And since the server hasn't yet failed (because the X
seconds haven't expired), the same server will be contacted upon the next backend
authentication server request from the switch. This scenario will loop forever. Therefore, the
server timeout should be smaller than the supplicant's EAPOL Start frame retransmission rate.
Overview of MAC-Based Authentication
Unlike 802.1X, MAC-based authentication is not a standard, but merely a best-practices
method adopted by the industry. In MAC-based authentication, users are called clients, and
the switch acts as the supplicant on behalf of clients. The initial frame (any kind of frame) sent
by a client is snooped by the switch, which in turn uses the client's MAC address as both
username and password in the subsequent EAP exchange with the RADIUS server. The
6-byte MAC address is converted to a string on the following form "xx-xx-xx-xx-xx-xx", that is, a
dash (-) is used as separator between the lower-cased hexadecimal digits. The switch only
supports the MD5-Challenge authentication method, so the RADIUS server must be
configured accordingly.
When authentication is complete, the RADIUS server sends a success or failure indication,
which in turn causes the switch to open up or block traffic for that particular client, using static
entries into the MAC Table. Only then will frames from the client be forwarded on the switch.
There are no EAPOL frames involved in this authentication, and therefore, MAC-based
Authentication has nothing to do with the 802.1X standard.
The advantage of MAC-based authentication over 802.1X is that several clients can be
connected to the same port (e.g. through a 3rd party switch or a hub) and still require individual
authentication, and that the clients don't need special supplicant software to authenticate. The
disadvantage is that MAC addresses can be spoofed by malicious users, equipment whose
MAC address is a valid RADIUS user can be used by anyone, and only the MD5-Challenge
method is supported.
The 802.1X and MAC-Based Authentication configuration consists of two sections, a system-
and a port-wide
ORing Industrial Networking Corp 96