i3 International S81 User Manual page 52

Maximum Re The number of times the switch transmits an EAPOL Request Identity frame without response
Autherization Count before considering entering the Guest VLAN iS adjusted with this setting. The value can only be
changed if the Guest VLAN option is globally enabled.
Valid values are in the range [1; 255]
Allow Guest VLAN if The switch remembers if an EAPOL frame has been received on the port for the life-time of the
EAPOL Seen port. Once the switch considers whether to enter the Guest VLAN, it will first check if this option is
enabled or disabled. If disabled (unchecked; default), the switch will only enter the Guest VLAN if
an EAPOL frame has not been received on the port for the life-time of the "If enabled"
(checked) the switch will consider entering the Guest VLAN even if an EAPOL frame has been
received on the port for the life-time of the port.
The value can only be changed if the Guest VLAN option is globally enabled.
Port Configuration The table has one row for each port on the selected switch and a number of columns, which are:
Port: The port number for which the configuration below applies.
Admin State: If NAS is globally enabled, this selection controls the port's authentication mode.
The following modes are available.
Force Authorized: In this mode, the switch will send one EAPOL Success frame when the port
link comes up, and any client on the port will be allowed network access without authentication.
Force Unauthorized: In this mode, the switch will send one EAPOL Failure frame when the port
link comes up, and any client on the port will be disallowed network access.
Port-Based 802.1X In the 802.1X-world, the user is called the supplicant, the switch is the authenticator, and the
RADIUS server is the authentication server. The authenticator acts as the man-in-the-
middle, forwarding requests and responses between the supplicant and the authentication
server. Frames sent between the supplicant and the switch are special 802.1X frames,
known as EAPOL (EAP Over LANs) frames. EAPOL frames encapsulate EAP PDUs (RFC3748).
Frames sent between the switch and the RADIUS server are RADIUS packets. RADIUS
packets also encapsulate EAP PDUs together with other attributes like the switch's IP address,
name, and the supplicant's port number on the switch. EAP is very flexible, in that it allows
for different authentication methods, like MD5-Challenge, PEAP, and TLS. The important thing
is that the authenticator (the switch) doesn't need to know which authentication method the
supplicant and the authentication server are using, or how many information exchange
frames are needed for a particular method. The switch simply encapsulates the EAP part of
the frame into the relevant type (EAPOL or RADIUS) and forwards it.
When authentication is complete, the RADIUS server sends a special packet containing a
success or failure indication. Besides forwarding this decision to the supplicant, the switch
uses it to open up or block traffic on the switch port connected to the supplicant.
NOTE: Suppose two backend servers are enabled and that the server timeout is configured to X seconds (using the AAA
configuration page), and suppose that the first server in the list is currently down (but not considered dead). If the
supplicant retransmits EAPOL Start frames at a rate faster than X seconds, then it will never get authenticated, because
the switch will cancel on-going backend authentication server requests whenever it receives a new EAPOL Start frame
from the supplicant.
And since the server hasn't yet failed (because the X seconds haven't expired), the same server will be contacted upon
the next backend authentication server request from the switch. This scenario will loop forever. Therefore, the server
timeout should be smaller than the supplicant's EAPOL Start frame retransmission rate.
Single 802.1X In port-based 802.1X authentication, once a supplicant is successfully authenticated on a port,
the whole port is opened for network traffic. This allows other clients connected to the port (for
instance through a hub) to piggy-back on the successfully authenticated client and get network
access even though they really aren't authenticated. To overcome this security breach, use the
Single 802.1X variant. Single 802.1X is really not an IEEE standard, but features many of the
same characteristics as does port-based 802.1X. In Single 802.1X, at most one supplicant can
get authenticated on the port at a time. Normal EAPOL frames are used in the communication
between the supplicant and the switch. If more than one supplicant is connected to a port,
the one that comes first when the port's link comes up will be the first one considered. If that
supplicant doesn't provide valid credentials within a certain amount of time, another
supplicant will get a chance. Once a supplicant is successfully authenticated, only that
supplicant will be allowed access. This is the most secure of all the supported modes. In this
mode, the Port Security module is used to secure a supplicant's MAC address once successfully
authenticated.
51