ATEN ES0152 User Manual page 299

52-port GbE PoE managed switch

PDUs together with other attributes like the switch's IP address, name, and
the supplicant's port number on the switch. EAP is very flexible, in that it
allows for different authentication methods, like MD5-Challenge, PEAP,
and TLS. The important thing is that the authenticator (the switch) doesn't
need to know which authentication method the supplicant and the
authentication server are using, or how many information exchange frames
are needed for a particular method. The switch simply encapsulates the
EAP part of the frame into the relevant type (EAPOL or RADIUS) and
forwards it.
When authentication is complete, the RADIUS server sends a special
packet containing a success or failure indication. Besides forwarding this
decision to the supplicant, the switch uses it to open up or block traffic on
the switch port connected to the supplicant.
Note: Suppose two backend servers are enabled and that the server timeout is
configured to X seconds (using the AAA configuration page), and
suppose that the first server in the list is currently down (but not
considered dead).
Now, if the supplicant retransmits EAPOL Start frames at a rate faster
than X seconds, then it will never get authenticated, because the switch
will cancel on-going backend authentication server requests whenever
it receives a new EAPOL Start frame from the supplicant.
And since the server hasn't yet failed (because the X seconds haven't
expired), the same server will be contacted upon the next backend
authentication server request from the switch. This scenario will loop
forever. Therefore, the server timeout should be smaller than the
supplicant's EAPOL Start frame retransmission rate.
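The note's argument can be checked with a small timing model of the authenticator. The following is an added example, not code from the manual or from ATEN's switch firmware: it models two backend servers, the first down but not yet marked dead, a supplicant retransmitting EAPOL Start every `eapol_start_interval` seconds, and a switch that cancels the pending backend request on every new EAPOL Start (the behaviour the note describes). The assumptions are that a reachable server answers with zero delay, that a server is marked dead the moment a request to it times out and the switch then moves to the next server, and that an EAPOL Start arriving exactly when the timeout would expire counts as a cancellation. The function names, the server names and the time values are all constructed.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class BackendServer:
    """A RADIUS backend as the switch sees it (constructed model, not switch code)."""
    name: str
    reachable: bool      # constructed: does this server answer requests at all?
    dead: bool = False   # set by the authenticator once a request to it times out


def simulate_auth(servers: List[BackendServer], server_timeout: float,
                  eapol_start_interval: float, max_time: float = 600.0) -> Optional[float]:
    """Return the time (s) at which the supplicant is authenticated, or None if
    it is still unauthenticated when max_time is reached (the 'loops forever' case)
    or every server has been marked dead."""
    for s in servers:
        s.dead = False                       # fresh link-up: no server is dead yet
    t = 0.0                                  # time of the current EAPOL Start
    while t < max_time:
        next_start = t + eapol_start_interval
        now = t
        for server in servers:
            if server.dead:
                continue                     # dead servers are skipped
            if server.reachable:
                return now                   # Access-Accept (assumption: zero delay)
            # Server is down but not yet dead: the request pends for server_timeout.
            if now + server_timeout >= next_start:
                # The supplicant's next EAPOL Start arrives first. The switch cancels
                # the pending request, the server never times out, and the same
                # server is contacted again on the next request.
                break
            now += server_timeout
            server.dead = True               # timed out: now considered dead, try the next one
        else:
            return None                      # every server dead: authentication fails
        t = next_start
    return None


if __name__ == "__main__":
    pool = [BackendServer("radius-1", reachable=False),   # constructed: down, not yet dead
            BackendServer("radius-2", reachable=True)]
    print("timeout 30 s, EAPOL Start every 10 s:", simulate_auth(pool, 30, 10))
    print("timeout 10 s, EAPOL Start every 30 s:", simulate_auth(pool, 10, 30))
```

With the server timeout larger than the supplicant's retransmission interval the first call never returns a time, which is the loop the note warns about; with the timeout smaller, the first server is declared dead after one timeout and the second server authenticates the supplicant.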
• Single 802.1X:
In port-based 802.1X authentication, once a supplicant is successfully
authenticated on a port, the whole port is opened for network traffic. This
allows other clients connected to the port (for instance through a hub) to
piggy-back on the successfully authenticated client and get network access
even though they really aren't authenticated. To overcome this security
breach, use the Single 802.1X variant. Single 802.1X is really not an IEEE
standard, but features many of the same characteristics as does port-based
802.1X. In Single 802.1X, at most one supplicant can get authenticated on
the port at a time. Normal EAPOL frames are used in the communication
between the supplicant and the switch. If more than one supplicant is
connected to a port, the one that comes first when the port's link comes up
will be the first one considered. If that supplicant doesn't provide valid
Chapter 12. Security
285
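To make the difference between the two variants concrete, here is an added example that is not part of the manual and not ATEN's implementation: a constructed model of one port's forwarding decision under port-based 802.1X and under Single 802.1X. In port-based mode the whole port is opened once any supplicant is accepted, so a second client behind a hub is forwarded without ever authenticating; in Single mode only the first supplicant seen after link-up is considered and only its frames are forwarded. The class and method names and the MAC addresses are constructed; what the switch does with a rejected supplicant's slot is described on the following page of the manual and is not modelled here.

```python
from enum import Enum
from typing import Optional


class PortMode(Enum):
    PORT_BASED = "port-based 802.1X"
    SINGLE = "Single 802.1X"


class Port:
    """Forwarding state of one switch port under the two 802.1X variants (constructed model)."""

    def __init__(self, mode: PortMode):
        self.mode = mode
        self.authorized = False                     # has a supplicant been accepted on this port?
        self.supplicant_mac: Optional[str] = None   # Single 802.1X: the one MAC being considered

    def link_up(self) -> None:
        # Link comes up: nothing is authenticated and no supplicant has been chosen yet.
        self.authorized = False
        self.supplicant_mac = None

    def eapol_start(self, mac: str) -> bool:
        """An EAPOL Start from `mac` was seen. Returns True if this supplicant is taken up
        for authentication; in Single 802.1X only the first one after link-up is."""
        if self.mode is PortMode.SINGLE:
            if self.supplicant_mac is not None and self.supplicant_mac != mac:
                return False                        # another supplicant is already being considered
            self.supplicant_mac = mac
        return True

    def radius_result(self, mac: str, accepted: bool) -> None:
        """The RADIUS server's success/failure indication for `mac` arrived."""
        if self.mode is PortMode.SINGLE and mac != self.supplicant_mac:
            return                                  # result for a supplicant the port is not considering
        self.authorized = accepted                  # open up or block traffic on the port

    def forward(self, src_mac: str) -> bool:
        """Would a normal (non-EAPOL) data frame from `src_mac` be forwarded?"""
        if not self.authorized:
            return False
        if self.mode is PortMode.PORT_BASED:
            return True                             # whole port open: any client behind a hub gets through
        return src_mac == self.supplicant_mac       # Single: only the authenticated client


def piggyback_possible(mode: PortMode) -> bool:
    """Does a second client that never authenticated get network access once the
    first client on the port is accepted? (constructed MAC addresses)"""
    port = Port(mode)
    port.link_up()
    port.eapol_start("00:11:22:33:44:01")           # first client seen after link-up
    port.radius_result("00:11:22:33:44:01", accepted=True)
    return port.forward("00:11:22:33:44:02")        # second client, never authenticated


if __name__ == "__main__":
    for mode in PortMode:
        print(f"{mode.value}: unauthenticated client forwarded = {piggyback_possible(mode)}")
```

Running the block shows the port-based port forwarding the second client's frames and the Single 802.1X port dropping them, which is the whole reason the manual recommends the Single variant for ports that may have a hub behind them.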
