ATEN ES0152 User Manual page 301

52-port gbe poe managed switch

in the following form "xx-xx-xx-xx-xx-xx", that is, a dash (-) is used as
separator between the lower-cased hexadecimal digits. The switch only
supports the MD5-Challenge authentication method, so the RADIUS
server must be configured accordingly.
When authentication is complete, the RADIUS server sends a success or
failure indication, which in turn causes the switch to open up or block
traffic for that particular client, using the Port Security module. Only then
will frames from the client be forwarded on the switch. There are no
EAPOL frames involved in this authentication, and therefore, MAC-based
Authentication has nothing to do with the 802.1X standard.
The advantage of MAC-based authentication over port-based 802.1X is
that several clients can be connected to the same port (e.g. through a
third-party switch or a hub) and still require individual authentication.
A further advantage over 802.1X-based authentication is that the clients
don't need special supplicant software to authenticate. The disadvantage
is that MAC addresses can be spoofed by malicious users: equipment whose
MAC address is a valid RADIUS user can be used by anyone. Also, only the
MD5-Challenge method is supported. The maximum number of clients that can
be attached to a port can be limited using the Port Security Limit Control
functionality.
RADIUS-Assigned QoS Enabled:
When RADIUS-Assigned QoS is both globally enabled and enabled (checked)
on a given port, the switch reacts to QoS Class information carried in the
RADIUS Access-Accept packet transmitted by the RADIUS server when a
supplicant is successfully authenticated. If present and valid, traffic received
on the supplicant's port will be classified to the given QoS Class.
If (re-)authentication fails, or the RADIUS Access-Accept packet no longer
carries a QoS Class or carries an invalid one, or the supplicant is otherwise
no longer present on the port, the port's QoS Class is immediately reverted
to the original QoS Class (which may be changed by the administrator in the
meanwhile without affecting the RADIUS-assigned class).
This option is only available for single-client modes, i.e.
• Port-based 802.1X
• Single 802.1X
RADIUS attributes used in identifying a QoS Class:
The User-Priority-Table attribute defined in RFC 4675 forms the basis for
identifying the QoS Class in an Access-Accept packet.
Only the first occurrence of the attribute in the packet will be considered, and
Chapter 12. Security
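
The first-occurrence rule above, as an added example (not from the ATEN manual or firmware): a parser that walks the attributes of a RADIUS Access-Accept and returns the first User-Priority-Table, validated as RFC 4675 defines it (type 59, eight ASCII octets '0' to '7'). The function names and sample packets are constructed for illustration, and the way the switch maps the table to a QoS Class is not covered.

```python
import struct

ACCESS_ACCEPT = 2            # RADIUS packet code (RFC 2865)
USER_PRIORITY_TABLE = 59     # attribute type (RFC 4675)


def first_user_priority_table(packet: bytes):
    """Return the 8-character table from the first User-Priority-Table
    attribute of an Access-Accept, or None if absent or malformed."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        return None
    pos = 20                                  # skip header and authenticator
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return None                       # truncated or corrupt attribute
        if attr_type == USER_PRIORITY_TABLE:
            value = packet[pos + 2:pos + attr_len]
            # Only the first occurrence is considered: if it is invalid,
            # later copies are not consulted (interpretation of the rule).
            if len(value) == 8 and all(0x30 <= b <= 0x37 for b in value):
                return value.decode("ascii")
            return None
        pos += attr_len
    return None


def attr(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, len(value) + 2]) + value


def build_accept(attrs) -> bytes:
    # Constructed test packet: the authenticator is zeroed and NOT verified
    # here; a real client must check the Response Authenticator first.
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body


# Constructed samples: a Reply-Message (type 18) followed by two tables,
# and a packet whose first table contains an out-of-range digit.
SAMPLE_OK = build_accept([attr(18, b"ok"),
                          attr(USER_PRIORITY_TABLE, b"33333333"),
                          attr(USER_PRIORITY_TABLE, b"55555555")])
SAMPLE_BAD_FIRST = build_accept([attr(USER_PRIORITY_TABLE, b"33333339"),
                                 attr(USER_PRIORITY_TABLE, b"55555555")])
```
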

This manual is also suitable for:

Es0152p
