Multiple Supplicant Support - Extreme Networks ExtremeWare XOS Guide Manual

Security
A Windows XP 802.1x supplicant can be authenticated as a computer or as a user. Computer
authentication requires a certificate installed in the computer certificate store, and user authentication
requires a certificate installed in the individual user's certificate store.
By default, the Windows XP machine performs computer authentication as soon as the computer is
powered on, or at link-up when no user is logged into the machine. User authentication is performed at
link-up when the user is logged in.
Windows XP also supports guest authentication, but this is disabled by default. Refer to relevant
Microsoft documentation for further information. The Windows XP machine can be configured to
perform computer authentication at link-up even if a user is logged in.
Authentication Server Side
The RADIUS server used for authentication must be EAP-capable. Consider the following when
choosing a RADIUS server:
- Types of authentication methods supported on RADIUS, as mentioned previously.
- Need to support Vendor Specific Attributes (VSA). Parameters such as Extreme-Netlogin-Vlan
  (destination VLAN for port movement after authentication) and Extreme-NetLogin-only
  (authorization for network login only) are brought back as VSAs.
- Need to support both EAP and traditional username-password authentication. These are used by
  network login and switch console login respectively.

Multiple Supplicant Support

An important enhancement over the IEEE 802.1x standard is that ExtremeWare supports multiple
clients (supplicants) being individually authenticated on the same port. This feature makes it possible for
two client stations to be connected to the same port, with one being authenticated and the other not. A
port's authentication state is the logical "OR" of the individual MACs' authentication states. In other
words, a port is authenticated if any of its connected clients is authenticated. Multiple clients can be
connected to a single port of the authentication server through a hub or layer-2 switch.
Multiple supplicants are supported in ISP mode for both web-based and 802.1x authentication. In
Campus mode, multiple supplicants are only supported if all supplicants move to the same VLAN.
The choice of web-based versus 802.1x authentication is again on a per-MAC basis. Among multiple
clients on the same port, it is possible that some clients use web-based mode to authenticate, and some
others use 802.1x.
NOTE
With multiple supplicant support, after the first MAC is authenticated, the port is transitioned to the authenticated
state and other unauthenticated MACs can listen to all data destined for the first MAC. This could raise some
security concerns as unauthenticated MACs can listen to all broadcast and multicast traffic directed to a Network
Login-authenticated port.
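The following is an added example, not code from ExtremeWare or this guide: it models the logical "OR" port state and flags the two conditions described above (unauthenticated MACs sharing an authenticated port, and Campus-mode supplicants assigned different VLANs). The class, function and finding names, the port labels and the sample data are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Supplicant:
    mac: str
    method: str                 # "dot1x" or "web", chosen per MAC
    authenticated: bool
    vlan: Optional[str] = None  # destination VLAN after authentication (Campus mode)

def port_authenticated(supplicants):
    """Port state is the logical OR of the per-MAC authentication states."""
    return any(s.authenticated for s in supplicants)

def audit_port(port, mode, supplicants):
    """Return (finding, port, detail) tuples for one port."""
    findings = []
    authed = [s for s in supplicants if s.authenticated]
    unauthed = sorted(s.mac for s in supplicants if not s.authenticated)
    # NOTE case: the port is open, yet some attached MACs never authenticated.
    if port_authenticated(supplicants) and unauthed:
        findings.append(("unauthenticated-mac-on-open-port", port, unauthed))
    # Campus mode supports multiple supplicants only if all move to the same VLAN.
    vlans = sorted({s.vlan for s in authed if s.vlan})
    if mode == "campus" and len(vlans) > 1:
        findings.append(("campus-vlan-mismatch", port, vlans))
    return findings

# Constructed sample data (documentation MAC range), not real switch output.
PORTS = {
    "1:1": ("isp", [Supplicant("00:00:5e:00:53:01", "dot1x", True),
                    Supplicant("00:00:5e:00:53:02", "web", False)]),
    "1:2": ("campus", [Supplicant("00:00:5e:00:53:03", "dot1x", True, "corp"),
                       Supplicant("00:00:5e:00:53:04", "web", True, "guest")]),
    "1:3": ("isp", [Supplicant("00:00:5e:00:53:05", "web", False)]),
}

def audit_all(ports):
    return [f for port, (mode, sups) in ports.items() for f in audit_port(port, mode, sups)]

if __name__ == "__main__":
    for finding in audit_all(PORTS):
        print(finding)
```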
ExtremeWare XOS 11.1 Concepts Guide
