Web-Based, Mac-Based, And 802.1X Authentication - Extreme Networks ExtremeWare XOS Guide Manual

Network Login

Web-Based, MAC-Based, and 802.1x Authentication

Authentication is handled as a web-based process, MAC-based process, or as described in the
IEEE 802.1x specification. Web-based network login does not require any specific client software and can
work with any HTTP-compliant web browser. By contrast, 802.1x authentication may require additional
software installed on the client workstation, making it less suitable for a user walk-up situation, such as
a cyber-café or coffee shop.
authentication.
MAC-based authentication is used for supplicants that do not support a network login mode, or
supplicants that are not aware of the existence of such security measures, for example an IP phone.
If a MAC address is detected on a MAC-based enabled network login port, an authentication request is
sent once to the AAA application. AAA tries to authenticate the MAC address against the configured
Remote Authentication Dial In User Server (RADIUS) server and its configured parameters (timeout,
retries, and so on) or the configured local database.
The credentials used for this are the supplicant's MAC address in ASCII representation and a locally
configured password on the switch. If no password is configured the MAC address is also used as the
password. You can also group MAC addresses together using a mask.
Dynamic Host Control Protocol (DHCP) is required for web-based network login because the
underlying protocol used to carry authentication request-response is HTTP. The client requires an IP
address to send and receive HTTP packets. Before the client is authenticated, however, the only
connection that exists is to the authenticator. As a result, the authenticator must be furnished with a
temporary DHCP server to distribute the IP address.
The switch responds to DHCP requests for unauthenticated clients when DHCP parameters such as
dhcp-address-range
answer DHCP requests following authentication if DHCP is enabled on the specified VLAN. If netlogin
clients are required to obtain DHCP leases from an external DHCP server elsewhere on the network,
DHCP should not be enabled on the VLAN.
The DHCP allocation for network login has a short time duration of 10 seconds and is intended to
perform web-based network login only. As soon as the client is authenticated, it is deprived of this
address. The client must obtain an operational address from another DHCP server in the network.
DHCP is not required for 802.1x, because 802.1x uses only Layer 2 frames (EAPOL) or MAC-based
network login.
URL redirection (applicable to web-based mode only) is a mechanism to redirect any HTTP request to
the base URL of the authenticator when the port is in unauthenticated mode. In other words, when the
user tries to log in to the network using the browser, the user is first redirected to the network login
page. Only after a successful login is the user connected to the network. URL redirection requires that
the switch is configured with a DNS client.
Web-based, MAC-based, and 802.1x authentication each have advantages and disadvantages, as
summarized next.
Advantages of Web-Based Authentication:
Works with any operating system that is capable of obtaining an IP address using DHCP. There is no
●
need for special client side software; only a web browser is needed.
1. A workstation running Windows 2000 Service Pack 4 or Windows XP supports 802.1x natively and does not
require additional authentication software.
346
1
Extreme Networks supports a smooth transition from web-based to 802.1x
and are configured on the netlogin VLAN. The switch can also
dhcp-options
ExtremeWare XOS 11.3 Concepts Guide