FibroLAN Falcon-RX/812/G/A User Manual page 115
Falcon R-Class | User Guide
IP address, name, and the supplicant's port number on the switch. EAP is very flexible in that it allows for different authentication methods, such as MD5-Challenge, PEAP, and TLS. The important point is that the authenticator (the switch) does not need to know which authentication method the supplicant and the authentication server are using, or how many information-exchange frames a particular method needs. The switch simply encapsulates the EAP part of the frame into the relevant type (EAPOL towards the supplicant, RADIUS towards the server) and forwards it. When authentication is complete, the RADIUS server sends a special packet containing a success or failure indication. Besides forwarding this decision to the supplicant, the switch uses it to open or block traffic on the switch port connected to the supplicant.
Note: Suppose two backend servers are enabled and that the server timeout is configured to X seconds (using the AAA configuration page), and suppose that the first server in the list is currently down (but not yet considered dead). If the supplicant retransmits EAPOL Start frames at a rate faster than X seconds, it will never get authenticated, because the switch cancels any on-going backend authentication server request whenever it receives a new EAPOL Start frame from the supplicant. Since the server has not yet failed (the X seconds have not expired), the same server is contacted again on the next backend authentication server request from the switch. This scenario loops forever. Therefore, the server timeout should be smaller than the supplicant's EAPOL Start frame retransmission interval.
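To make the note concrete, here is an added example (not code from the Falcon manual or FibroLAN) that models the race described above as a small event simulation: each EAPOL Start cancels the outstanding backend request, and a server is only marked dead when a request to it is left outstanding for the full server timeout. The response latency of a live server, and the assumption that the switch moves on to the next live server immediately after a timeout, are modelled assumptions.

```python
# Assumed latency (seconds) for a reachable RADIUS server to answer a request.
RESPONSE_LATENCY = 0.05


def simulate(server_timeout, eapol_start_interval, servers_up=(False, True), max_starts=50):
    """Model the switch behaviour from the manual's note.

    server_timeout       -- X seconds from the AAA configuration page.
    eapol_start_interval -- seconds between the supplicant's EAPOL Start frames.
    servers_up           -- backend servers in list order; False = currently down.

    Returns ("authenticated", time, starts_needed) when a live server answers
    before the next EAPOL Start cancels the request, otherwise ("loop", None,
    max_starts): the supplicant never gets authenticated.
    """
    dead = [False] * len(servers_up)
    for n in range(max_starts):
        t = n * eapol_start_interval            # supplicant (re)sends EAPOL Start
        deadline = t + eapol_start_interval     # next Start cancels the outstanding request
        # Switch walks the server list, skipping servers already marked dead (assumption).
        for srv, up in enumerate(servers_up):
            if dead[srv]:
                continue
            if up:
                reply = t + RESPONSE_LATENCY
                if reply < deadline:
                    return ("authenticated", reply, n + 1)
                break                           # reply would arrive after the cancel
            if t + server_timeout >= deadline:
                break                           # cancelled before timeout: never marked dead
            t += server_timeout                 # request timed out: server now considered dead
            dead[srv] = True
    return ("loop", None, max_starts)


if __name__ == "__main__":
    # Supplicant retransmits every 2 s, server timeout 5 s: first server never expires.
    print(simulate(server_timeout=5.0, eapol_start_interval=2.0))
    # Server timeout 5 s below a 10 s retransmission interval: fails over to server 2.
    print(simulate(server_timeout=5.0, eapol_start_interval=10.0))
```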
In port-based 802.1X authentication, once a supplicant is successfully authenticated on a port, the whole port is opened for network traffic. This allows other clients connected to the same port (for instance through a hub) to piggy-back on the successfully authenticated client and get network access even though they themselves are not authenticated. To close this security hole, use the Single 802.1X variant.

Single 802.1X is not an IEEE standard, but it shares many of the characteristics of port-based 802.1X. In Single 802.1X, at most one supplicant can be authenticated on the port at a time. Normal EAPOL frames are used in the communication between the supplicant and the switch. If more than one supplicant is connected to a port, the one that comes first when the port's link comes up is the first one considered.

If that supplicant does not provide valid credentials within a certain amount of time, another supplicant gets a chance. Once a supplicant is successfully authenticated, only that supplicant is allowed access. This is the most secure of all the supported modes. In this mode, the Port Security module is used to secure the supplicant's MAC address once it is successfully authenticated.