• Click Reset to undo any changes made locally and revert to previously saved values.
Authentication
This section describes user access and management control for the managed switch. The following main topics are covered:
• IEEE 802.1X port-based network access control
• MAC-based authentication
• User authentication
Overview of 802.1X (port-based) authentication
In 802.1X, the user is called the supplicant, the switch is the authenticator, and the
RADIUS server is the authentication server. The switch acts as the man-in-the-middle,
forwarding requests and responses between the supplicant and the authentication
server. Frames sent between the supplicant and the switch are special 802.1X EAPOL
(EAP Over LANs) frames. EAPOL frames encapsulate EAP PDUs (RFC3748). Frames
sent between the switch and the RADIUS server are RADIUS packets. RADIUS
packets also encapsulate EAP PDUs together with other attributes like the switch's IP
address, name, and the supplicant's port number on the switch. EAP is very flexible in
that it allows for different authentication methods like MD5-Challenge, PEAP, and TLS.
The authenticator (switch) doesn't need to know which authentication method the
supplicant and the authentication server are using, or how many information exchange
frames are needed for a particular method. The switch simply encapsulates the EAP
part of the frame into the relevant type (EAPOL or RADIUS) and forwards it.
When authentication is complete, the RADIUS server sends a special packet containing
a success or failure indication. Besides forwarding this decision to the supplicant, the
switch uses it to open up or block traffic on the switch port connected to the supplicant.
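The re-encapsulation the paragraph above describes, as an added Python example (not code from the manual or from the switch itself): the authenticator strips the EAPOL header, carries the opaque EAP PDU in RADIUS EAP-Message attributes next to its own IP address (NAS-IP-Address) and the supplicant's port (NAS-Port), signs the packet with Message-Authenticator as RFC 3579 requires for EAP over RADIUS, and finally maps the server's Access-Accept or Access-Reject to the port's authorized state while forwarding the EAP Success/Failure to the supplicant. The identity, switch IP, port number, RADIUS identifier, request authenticator and shared secret are constructed values, not from the page.

```python
"""Added example (not code from the manual or the switch): an 802.1X authenticator
re-encapsulating an EAP PDU from an EAPOL frame into a RADIUS Access-Request and
turning the server's reply into a port decision. Identity, switch IP, port number,
RADIUS identifier/request authenticator and shared secret are constructed."""
import hashlib
import hmac
import socket
import struct

EAPOL_VERSION = 2                   # 802.1X-2004
EAPOL_TYPE_EAP_PACKET = 0           # EAPOL packet type that carries an EAP PDU
EAP_SUCCESS, EAP_FAILURE = 3, 4
RADIUS_ACCESS_REQUEST, RADIUS_ACCESS_ACCEPT = 1, 2
ATTR_NAS_IP_ADDRESS, ATTR_NAS_PORT = 4, 5
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80


def build_eapol_frame(eap_pdu: bytes) -> bytes:
    """Wrap an EAP PDU in an EAPOL header (version, packet type, body length)."""
    return struct.pack("!BBH", EAPOL_VERSION, EAPOL_TYPE_EAP_PACKET, len(eap_pdu)) + eap_pdu


def extract_eap_from_eapol(frame: bytes) -> bytes:
    """Authenticator: strip the EAPOL header. The EAP PDU inside stays opaque to the switch."""
    _version, eapol_type, length = struct.unpack("!BBH", frame[:4])
    if eapol_type != EAPOL_TYPE_EAP_PACKET:
        raise ValueError("not an EAPOL EAP-Packet")
    return frame[4:4 + length]


def _attr(atype: int, value: bytes) -> bytes:
    """RADIUS attribute: type, total length, value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def eap_to_access_request(eap_pdu, ident, request_authenticator, nas_ip, nas_port, secret):
    """Authenticator: put the EAP PDU into EAP-Message attributes, add the switch's IP
    and the supplicant's port, and sign with Message-Authenticator = HMAC-MD5 over the
    whole packet with that attribute's value zeroed (RFC 3579)."""
    attrs = _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
    attrs += _attr(ATTR_NAS_PORT, struct.pack("!I", nas_port))
    for i in range(0, len(eap_pdu), 253):        # EAP-Message value is at most 253 bytes
        attrs += _attr(ATTR_EAP_MESSAGE, eap_pdu[i:i + 253])
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))   # zeroed placeholder, signed last
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, ident, 20 + len(attrs)) + request_authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server side: recompute the HMAC with the attribute value zeroed and compare.
    Assumes Message-Authenticator is the last attribute, as built above."""
    expected = hmac.new(secret, packet[:-16] + bytes(16), hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[-16:])


def parse_attrs(packet: bytes) -> list:
    """Walk the RADIUS attribute list that follows the 20-byte header."""
    attrs, offset = [], 20
    while offset < len(packet):
        atype, alen = packet[offset], packet[offset + 1]
        attrs.append((atype, packet[offset + 2:offset + alen]))
        offset += alen
    return attrs


def handle_server_decision(radius_reply: bytes) -> tuple:
    """Authenticator: only Access-Accept authorizes the port; the EAP Success/Failure
    carried in the reply is forwarded to the supplicant inside an EAPOL frame."""
    eap_pdu = b"".join(v for t, v in parse_attrs(radius_reply) if t == ATTR_EAP_MESSAGE)
    authorized = radius_reply[0] == RADIUS_ACCESS_ACCEPT
    return authorized, build_eapol_frame(eap_pdu)


def run_exchange() -> tuple:
    """One constructed round trip: EAP-Response/Identity in, port decision out."""
    identity = b"alice"
    eap_identity = struct.pack("!BBHB", 2, 1, 5 + len(identity), 1) + identity
    pdu = extract_eap_from_eapol(build_eapol_frame(eap_identity))
    # Request Authenticator is random in practice; a fixed value is used here only for the demo.
    request = eap_to_access_request(pdu, 7, bytes(range(16)), "192.0.2.10", 3, b"shared-secret")
    assert verify_message_authenticator(request, b"shared-secret")
    # Constructed Access-Accept (id 7) carrying an EAP-Success (id 1) back to the switch.
    accept = struct.pack("!BBH", RADIUS_ACCESS_ACCEPT, 7, 26) + bytes(16)
    accept += _attr(ATTR_EAP_MESSAGE, struct.pack("!BBH", EAP_SUCCESS, 1, 4))
    return handle_server_decision(accept)


if __name__ == "__main__":
    print(run_exchange())   # (True, EAPOL frame carrying EAP-Success)
```

Note that the switch never inspects the EAP type inside the PDU; `eap_to_access_request` works the same for an Identity response, an MD5-Challenge response or a TLS fragment, which is exactly why the authenticator needs no knowledge of the method in use. The Message-Authenticator check on the server side is what stops a forged Access-Request from being accepted with only the shared-secret-independent EAP payload.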
Overview of MAC-based authentication
Unlike 802.1X, MAC-based authentication is not a standard, but merely a best-practices
method adopted by the industry. In MAC-based authentication, users are called clients,
and the switch acts as the supplicant on behalf of clients. The initial frame (any kind
of frame) sent by a client is snooped by the switch, which in turn uses the client's MAC
address as both username and password in the subsequent EAP exchange with the
RADIUS server. The 6-byte MAC address is converted to a string in the following form,
"xx-xx-xx-xx-xx-xx", that is, a dash (-) is used as the separator between the lower-cased
hexadecimal digits. The switch only supports the MD5-Challenge authentication method,
so the RADIUS server must be configured accordingly.
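The MAC-to-credential conversion and the MD5-Challenge exchange described above, as an added Python example (not code from the manual or the switch): the switch, acting as supplicant for the client, formats the 6-byte MAC as the dashed lower-case string and uses it as both identity and password; the RADIUS server, which must have a user with that name and password, recomputes MD5(identifier || password || challenge) as RFC 3748 section 5.4 specifies and compares. It goes slightly beyond the paragraph by also showing the server-side verification and the accept/reject outcome written as a static MAC-table entry for the client. The MAC address, challenge value, EAP identifiers, server name and the MAC-table layout are constructed for the example.

```python
"""Added example (not code from the manual or the switch): the switch acting as
supplicant for a client in MAC-based authentication. MAC address, challenge,
identifiers, server name and the MAC-table structure are constructed."""
import hashlib
import hmac
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE = 1, 4


def mac_to_credential(mac: bytes) -> str:
    """6-byte MAC -> "xx-xx-xx-xx-xx-xx" (lower-case hex, dash separated),
    used as both the username and the password."""
    if len(mac) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return "-".join(f"{b:02x}" for b in mac)


def build_md5_challenge_request(ident: int, challenge: bytes, name: str) -> bytes:
    """Server -> switch: EAP-Request/MD5-Challenge with value-size, value and name."""
    body = struct.pack("!B", len(challenge)) + challenge + name.encode()
    return struct.pack("!BBHB", EAP_REQUEST, ident, 5 + len(body), EAP_TYPE_MD5_CHALLENGE) + body


def parse_md5_challenge_request(eap_pdu: bytes) -> tuple:
    """Switch side: pull the identifier and the challenge value out of the request."""
    code, ident, _length, eap_type, value_size = struct.unpack("!BBHBB", eap_pdu[:6])
    if code != EAP_REQUEST or eap_type != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not an EAP-Request/MD5-Challenge")
    return ident, eap_pdu[6:6 + value_size]


def md5_challenge_value(ident: int, password: str, challenge: bytes) -> bytes:
    """Response value = MD5(identifier || password || challenge), RFC 3748 5.4 / RFC 1994."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def build_md5_challenge_response(ident: int, password: str, challenge: bytes, name: str) -> bytes:
    """Switch -> server: EAP-Response/MD5-Challenge carrying the hash and the client's name."""
    value = md5_challenge_value(ident, password, challenge)
    body = struct.pack("!B", len(value)) + value + name.encode()
    return struct.pack("!BBHB", EAP_RESPONSE, ident, 5 + len(body), EAP_TYPE_MD5_CHALLENGE) + body


def server_verifies(eap_response: bytes, ident: int, challenge: bytes, known_password: str) -> bool:
    """RADIUS server side: the user entry's password must be the same MAC string."""
    code, resp_ident, _length, eap_type, value_size = struct.unpack("!BBHBB", eap_response[:6])
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_MD5_CHALLENGE or resp_ident != ident:
        return False
    value = eap_response[6:6 + value_size]
    return hmac.compare_digest(value, md5_challenge_value(ident, known_password, challenge))


def apply_decision(mac_table: dict, port: int, mac: bytes, accepted: bool) -> dict:
    """Switch side: static MAC-table entry that forwards or blocks this client's frames.
    (Constructed dict layout; the switch's real table format is not on the page.)"""
    mac_table[mac] = {"port": port, "action": "forward" if accepted else "block"}
    return mac_table


def run_exchange(mac: bytes = bytes.fromhex("001122aabbcc"), port: int = 3) -> dict:
    """Whole exchange for one client: snooped MAC -> credential -> challenge/response -> table."""
    credential = mac_to_credential(mac)
    challenge = bytes(range(16))              # random on a real server; fixed for the demo
    request = build_md5_challenge_request(5, challenge, "radius")
    ident, value = parse_md5_challenge_request(request)
    response = build_md5_challenge_response(ident, credential, value, credential)
    # The server entry for this client was provisioned with the same MAC string as password.
    accepted = server_verifies(response, ident, challenge, known_password=credential)
    return apply_decision({}, port, mac, accepted)


if __name__ == "__main__":
    print(run_exchange())   # {b'\x00\x11"\xaa\xbb\xcc': {'port': 3, 'action': 'forward'}}
```

Because the password is nothing more than the MAC string, the server's user database must contain one entry per permitted client, named exactly in the dashed lower-case form; a differently formatted entry (colons, upper case) will make `server_verifies` fail and the client stays blocked.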
When authentication is complete, the RADIUS server sends a success or failure
indication, which in turn causes the switch to open up or block traffic for that particular
client using static entries into the MAC table. Only then will frames from the client be
NS4702-24P-4X-V2 Managed Switch User Manual
Chapter 4: Web configuration
247