FibroLAN Falcon-RX/812/G/A User Manual page 116

Falcon R-Class | User Guide
Multi 802.1X
MAC-based Auth.
116
Multi 802.1X is - like Single 802.1X - not an IEEE standard, but a variant
that features many of the same characteristics. In Multi 802.1X, one
or more supplicants can get authenticated on the same port at the
same time. Each supplicant is authenticated individually and secured
in the MAC table using the Port Security module.
In Multi 802.1X it is not possible to use the multicast BPDU MAC
address as destination MAC address for EAPOL frames sent from the
switch towards the supplicant, since that would cause all supplicants
attached to the port to reply to requests sent from the switch. Instead,
the switch uses the supplicant's MAC address, which is obtained from
the first EAPOL Start or EAPOL Response Identity frame sent by the
supplicant.
An exception to this is when no supplicants are attached. In this case,
the switch sends EAPOL Request Identity frames using the BPDU
multicast MAC address as destination - to wake up any supplicants
that might be on the port. The maximum number of clients that can
be attached to a port can be limited using the Port Security Limit
Control functionality.
Unlike port-based 802.1X, MAC-based authentication is not a
standard, but merely a best-practices method adopted by the
industry. In MAC-based authentication, users are called clients, and
the switch acts as the supplicant on behalf of clients.
The initial frame (any kind of frame) sent by a client is snooped by the
switch, which in turn uses the client's MAC address as both username
and password in the subsequent EAP exchange with the RADIUS
server. The 6-byte MAC address is converted to a string on the
following form "xx-xx-xx-xx-xx-xx", that is, a dash (-) is used as
separator between the lower-cased hexadecimal digits. The switch
only supports the MD5-Challengeauthentication method, so the
RADIUS server must be configured accordingly.
When authentication is complete, the RADIUS server sends a success
or failure indication, which in turn causes the switch to open up or
block traffic for that particular client, using the Port Security module.
Only then will frames from the client be forwarded on the switch.
There are no EAPOL frames involved in this authentication, and
therefore, MAC-based Authentication has nothing to do with the
802.1X standard.
The advantage of MAC-based authentication over port-based 802.1X
is that several clients can be connected to the same port (e.g., through
a 3rd party switch or a hub) and still require individual authentication,
and that the clients do not need special supplicant software to
authenticate.
The advantage of MAC-based authentication over 802.1X-based
authentication is that the clients do not need special supplicant
software to authenticate.
The disadvantage is that MAC addresses can be spoofed by malicious
users - equipment whose MAC address is a valid RADIUS user can be
used by anyone. Also, only the MD5-Challenge method is supported.