Extreme Networks ExtremeWare XOS Guide Manual page 229

Concepts guide
If a MAC address is detected on a MAC-based enabled network login port, an authentication request
will be sent once to the AAA application. AAA tries to authenticate the MAC address against the
configured RADIUS server and its configured parameters (timeout, retries, etc.).
The credentials used for this are the supplicant's MAC address in ASCII representation, and a locally
configured password on the switch. If no password is configured the MAC address is also used as the
password. You can also group MAC addresses together using a mask.
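As an added illustration (not code from the ExtremeWare XOS guide), the following Python models the MAC-based login step described above: deriving the RADIUS User-Name and User-Password from the supplicant's MAC, checking a MAC against a mask-defined group, and packing the Access-Request the switch would hand to AAA. The 12-hex-digit ASCII form of the MAC, the NAS-Port-Type value and the RFC 2865 User-Password hiding are assumptions, since the page does not specify the wire format.

```python
import hashlib
import os
import struct

# Constructed model of a MAC-based network login authenticator (hypothetical helper,
# not ExtremeWare code). Wire-format details below are assumptions, see lead-in.


def normalize_mac(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or 'aabbccddeeff' into 6 raw bytes."""
    hexdigits = mac.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)


def mac_in_group(mac: str, group_mac: str, mask: str) -> bool:
    """Mask-based grouping: the MAC belongs to the group when all masked bits agree."""
    m, g, k = normalize_mac(mac), normalize_mac(group_mac), normalize_mac(mask)
    return all((a & c) == (b & c) for a, b, c in zip(m, g, k))


def netlogin_credentials(mac: str, local_password: str = "") -> tuple[str, str]:
    """User-Name is the MAC in ASCII (assumed: 12 lowercase hex digits); the password is
    the locally configured one or, when none is configured, the MAC string itself."""
    username = normalize_mac(mac).hex()
    return username, (local_password if local_password else username)


def pap_encrypt(password: str, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 User-Password hiding: pad with NULs to a multiple of 16 octets, then XOR
    each 16-octet block with MD5(shared secret + previous block / request authenticator)."""
    raw = password.encode()
    padded = raw.ljust(16 * max(1, (len(raw) + 15) // 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def access_request(mac: str, secret: bytes, local_password: str = "",
                   authenticator: bytes = b"", ident: int = 1) -> bytes:
    """Build the RADIUS Access-Request the switch would send to AAA for a detected MAC."""
    authenticator = authenticator or os.urandom(16)
    user, pw = netlogin_credentials(mac, local_password)
    hidden = pap_encrypt(pw, secret, authenticator)
    attrs = struct.pack("!BB", 1, 2 + len(user)) + user.encode()      # 1 = User-Name
    attrs += struct.pack("!BB", 2, 2 + len(hidden)) + hidden          # 2 = User-Password
    attrs += struct.pack("!BBI", 61, 6, 15)                           # 61 = NAS-Port-Type, 15 = Ethernet
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs))           # Code 1 = Access-Request
    return header + authenticator + attrs
```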
DHCP is required for web-based network login because the underlying protocol used to carry the
authentication request-response is HTTP. The client requires an IP address to send and receive HTTP
packets. Before the client is authenticated, however, the only connection that exists is to the
authenticator. As a result, the authenticator must be furnished with a temporary DHCP server to
distribute the IP address.
The switch responds to DHCP requests for unauthenticated clients when DHCP parameters such as
dhcp-address-range and dhcp-options are configured on the Netlogin VLAN. The switch can also
answer DHCP requests following authentication if DHCP is enabled on the specified VLAN. If netlogin
clients are required to obtain DHCP leases from an external DHCP server elsewhere on the network,
DHCP should not be enabled on the VLAN.
The DHCP allocation for network login has a short time duration of 10 seconds and is intended to
perform web-based network login only. As soon as the client is authenticated, it is deprived of this
address. The client must obtain an operational address from another DHCP server in the network. DHCP
is not required for 802.1x, because 802.1x uses only Layer 2 frames (EAPOL).
URL redirection (applicable to web-based mode only) is a mechanism to redirect any HTTP request to
the base URL of the authenticator when the port is in unauthenticated mode. In other words, when the
user tries to log in to the network using the browser, the user is first redirected to the network login
page. Only after a successful login is the user connected to the network. URL redirection requires that
the switch be configured with a DNS client.
Web-based and 802.1x authentication each have advantages and disadvantages, as summarized next.
Advantages of 802.1x Authentication:
In cases where 802.1x is natively supported, login and authentication happen transparently.
Authentication happens at Layer 2. It does not involve getting a temporary IP address and
subsequent release of the address to obtain a more permanent IP address.
Allows for periodic, transparent re-authorization of supplicants.
Disadvantages of 802.1x Authentication:
802.1x native support is available only on newer operating systems, such as Windows XP.
802.1x requires an EAP-capable RADIUS server. Most current RADIUS servers support EAP, so this
is not a major disadvantage.
The TLS authentication method involves Public Key Infrastructure, which adds to the administrative
requirements.
TTLS is still a Funk/Certicom IETF draft proposal, not a fully accepted standard. It is easy to deploy
and administer.
Advantages of Web-based Authentication:
Works with any operating system that is capable of obtaining an IP address using DHCP. There is no
need for special client-side software; only a web browser is needed.
ExtremeWare XOS 11.1 Concepts Guide
Network Login
229