ATEN ES0152 User Manual page 300

52-port GbE PoE managed switch

KVM over IP User Manual
credentials within a certain amount of time, another supplicant will get a
chance. Once a supplicant is successfully authenticated, only that
supplicant will be allowed access. This is the most secure of all the
supported modes. In this mode, the Port Security module is used to secure
a supplicant's MAC address once successfully authenticated.
• Multi 802.1X:
In port-based 802.1X authentication, once a supplicant is successfully
authenticated on a port, the whole port is opened for network traffic. This
allows other clients connected to the port (for instance through a hub) to
piggy-back on the successfully authenticated client and get network access
even though they really aren't authenticated. To overcome this security
breach, use the Multi 802.1X variant.
Multi 802.1X is, like Single 802.1X, not an IEEE standard, but a variant
that features many of the same characteristics as port-based 802.1X. In
Multi 802.1X, one or more supplicants can get
authenticated on the same port at the same time. Each supplicant is
authenticated individually and secured in the MAC table using the Port
Security module.
In Multi 802.1X it is not possible to use the multicast BPDU MAC address
as destination MAC address for EAPOL frames sent from the switch
towards the supplicant, since that would cause all supplicants attached to
the port to reply to requests sent from the switch. Instead, the switch uses
the supplicant's MAC address, which is obtained from the first EAPOL
Start or EAPOL Response Identity frame sent by the supplicant. An
exception to this is when no supplicants are attached. In this case, the
switch sends EAPOL Request Identity frames using the BPDU multicast
MAC address as destination - to wake up any supplicants that might be on
the port.
The maximum number of supplicants that can be attached to a port can be
limited using the Port Security Limit Control functionality.
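
The destination-address rule and the supplicant limit described above, modelled as an added Python example (not code from the manual or the switch firmware). It assumes the manual's "BPDU multicast MAC address" is the IEEE 802.1X PAE group address 01-80-C2-00-00-03 and that supplicants over the limit are ignored; `MultiDot1xPort`, `learnable_supplicant` and `eapol` are hypothetical names, and the sample frames are constructed.

```python
import struct

ETH_P_PAE = 0x888E                         # EtherType of EAPOL frames
PAE_GROUP = bytes.fromhex("0180c2000003")  # assumed "BPDU multicast MAC" (802.1X PAE group address)
EAPOL_EAP_PACKET, EAPOL_START = 0, 1       # EAPOL packet types
EAP_RESPONSE, EAP_IDENTITY = 2, 1          # EAP code and EAP type

def learnable_supplicant(frame: bytes):
    """Return the source MAC of an EAPOL Start or EAP Response Identity frame, else None."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETH_P_PAE:
        return None
    src, pkt_type, body = frame[6:12], frame[15], frame[18:]
    if pkt_type == EAPOL_START:
        return src
    is_eap = pkt_type == EAPOL_EAP_PACKET and len(body) >= 5
    if is_eap and body[0] == EAP_RESPONSE and body[4] == EAP_IDENTITY:
        return src
    return None

class MultiDot1xPort:
    """Hypothetical per-port state; `limit` stands in for Port Security Limit Control."""
    def __init__(self, limit: int):
        self.limit = limit
        self.supplicants = []              # MACs in the order first seen

    def on_frame(self, frame: bytes) -> bool:
        mac = learnable_supplicant(frame)
        if mac is None or mac in self.supplicants:
            return False
        if len(self.supplicants) >= self.limit:
            return False                   # assumption: over-limit supplicants are ignored
        self.supplicants.append(mac)
        return True

    def request_identity_destinations(self):
        """Unicast to each known supplicant; group address only when the port is empty."""
        return list(self.supplicants) or [PAE_GROUP]

def eapol(src: bytes, pkt_type: int, body: bytes = b"") -> bytes:
    """Build a constructed sample frame: Ethernet header + EAPOL v2 header + body."""
    return PAE_GROUP + src + struct.pack("!HBBH", ETH_P_PAE, 2, pkt_type, len(body)) + body

if __name__ == "__main__":
    port = MultiDot1xPort(limit=2)
    print([d.hex("-") for d in port.request_identity_destinations()])
    port.on_frame(eapol(bytes.fromhex("020000000001"), EAPOL_START))
    print([d.hex("-") for d in port.request_identity_destinations()])
```
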
• MAC-based Auth.:
Unlike port-based 802.1X, MAC-based authentication is not a standard,
but merely a best-practices method adopted by the industry. In MAC-based
authentication, users are called clients, and the switch acts as the
supplicant on behalf of clients. The initial frame (any kind of frame) sent
by a client is snooped by the switch, which in turn uses the client's MAC
address as both username and password in the subsequent EAP exchange
with the RADIUS server. The 6-byte MAC address is converted to a string

This manual is also suitable for:

Es0152p
