ZyXEL Communications MGS3600-24F User Manual page 291

F M
RONT ATTER
complete, the RADIUS server sends a special packet containing a success or failure indication. Besides forwarding this decision to the
supplicant, the switch uses it to open up or block traffic on the switch port connected to the supplicant.
Note:
Suppose two backend servers are enabled and that the server timeout is configured to X seconds (using the AAA configuration page), and
suppose that the first server in the list is currently down (but not considered dead). Now, if the supplicant retransmits EAPOL Start frames at
a rate faster than X seconds, then it will never get authenticated, because the switch will cancel on-going backend authentication server
requests whenever it receives a new EAPOL Start frame from the supplicant. And since the server hasn't yet failed (because the X seconds
haven't expired), the same server will be contacted upon the next backend authentication server request from the switch. This scenario will
loop forever. Therefore, the server timeout should be smaller than the supplicant's EAPOL Start frame retransmission rate.
Single 802.1X: In port-based 802.1X authentication, once a supplicant is successfully authenticated on a port, the whole port is opened

for network traffic. This allows other clients connected to the port (for instance through a hub) to piggy-back on the successfully authen-
ticated client and get network access even though they really aren't authenticated. To overcome this security breach, use the Single
802.1X variant.Single 802.1X is really not an IEEE standard, but features many of the same characteristics as does port-based 802.1X.
In Single 802.1X, at most one supplicant can get authenticated on the port at a time. Normal EAPOL frames are used in the communica-
tion between the supplicant and the switch. If more than one supplicant is connected to a port, the one that comes first when the port's
link comes up will be the first one considered. If that supplicant doesn't provide valid credentials within a certain amount of time, another
supplicant will get a chance. Once a supplicant is successfully authenticated, only that supplicant will be allowed access. This is the
most secure of all the supported modes. In this mode, the Port Security module is used to secure a supplicant's MAC address once suc-
cessfully authenticated.
Multi 802.1X: In port-based 802.1X authentication, once a supplicant is successfully authenticated on a port, the whole port is opened

for network traffic. This allows other clients connected to the port (for instance through a hub) to piggy-back on the successfully authen-
ticated client and get network access even though they really aren't authenticated. To overcome this security breach, use the Multi
802.1X variant. Multi 802.1X is really not an IEEE standard, but features many of the same characteristics as does port-based 802.1X.
Multi 802.1X is - like Single 802.1X - not an IEEE standard, but a variant that features many of the same characteristics. In Multi 802.1X,
one or more supplicants can get authenticated on the same port at the same time. Each supplicant is authenticated individually and
secured in the MAC table using the Port Security module. In Multi 802.1X it is not possible to use the multicast BPDU MAC address as
destination MAC address for EAPOL frames sent from the switch towards the supplicant, since that would cause all supplicants attached
to the port to reply to requests sent from the switch. Instead, the switch uses the supplicant's MAC address, which is obtained from the
first EAPOL Start or EAPOL Response Identity frame sent by the supplicant. An exception to this is when no supplicants are attached. In
this case, the switch sends EAPOL Request Identity frames using the BPDU multicast MAC address as destination - to wake up any
MGS3600-24F/XGS3600-26F/XGS3600-28F 8-18 U ' G
SER S UIDE