Table of Contents
Advertisement
F
M
RONT
ATTER
supplicants that might be on the port. The maximum number of supplicants that can be attached to a port can be limited using the Port
Security Limit Control functionality.
MAC-based Auth.:
adopted by the industry. In MAC-based authentication, users are called clients, and the switch acts as the supplicant on behalf of clients.
The initial frame (any kind of frame) sent by a client is snooped by the switch, which in turn uses the client's MAC address as both user-
name and password in the subsequent EAP exchange with the RADIUS server. The 6-byte MAC address is converted to a string on the
following form xx-xx-xx-xx-xx-xx, that is, a dash (-) is used as separator between the lower-cased hexadecimal digits. The switch only
supports the MD5-Challenge authentication method, so the RADIUS server must be configured accordingly. When authentication is
complete, the RADIUS server sends a success or failure indication, which in turn causes the switch to open up or block traffic for that
particular client, using the Port Security module. Only then will frames from the client be forwarded on the switch. There are no EAPOL
frames involved in this authentication, and therefore, MAC-based Authentication has nothing to do with the 802.1X standard. The advan-
tage of MAC-based authentication over port-based 802.1X is that several clients can be connected to the same port (e.g. through a 3rd
party switch or a hub) and still require individual authentication, and that the clients don't need special supplicant software to authenti-
cate. The advantage of MAC-based authentication over 802.1X-based authentication is that the clients don't need special supplicant
software to authenticate. The disadvantage is that MAC addresses can be spoofed by malicious users - equipment whose MAC address
is a valid RADIUS user can be used by anyone. Also, only the MD5-Challenge method is supported. The maximum number of clients
that can be attached to a port can be limited using the Port Security Limit Control functionality.
RADIUS-Assigned QoS Enabled:
When RADIUS-Assigned QoS is both globally enabled and enabled (checked) on a given port, the switch reacts to QoS Class information
carried in the RADIUS Access-Accept packet transmitted by the RADIUS server when a supplicant is successfully authenticated. If present
and valid, traffic received on the supplicant's port will be classified to the given QoS Class. If (re-)authentication fails or the RADIUS Access-
Accept packet no longer carries a QoS Class or it's invalid, or the supplicant is otherwise no longer present on the port, the port's QoS Class
immediately reverts to the original QoS Class (which may be changed by the administrator in the meanwhile without affecting the RADIUS-
assigned QoS Class). This option is only available for Port-based 802.1X and Single 802.1X modes.
RADIUS attributes used in identifying a QoS Class
Refer to the written documentation for a description of the RADIUS attributes needed in order to successfully identify a QoS Class. The
User-Priority-Table attribute defined in RFC4675 forms the basis for identifying the QoS Class in an Access-Accept packet. Only the first
occurrence of the attribute in the packet will be considered, and to be valid all 8 octets in the attribute's value must be identical and consist
of ASCII characters in the range '0' to '3', which translates into the desired QoS Class in the range 0 to 3.
RADIUS-Assigned VLAN Enabled:
MGS3600-24F/XGS3600-26F/XGS3600-28F
Unlike port-based 802.1X, MAC-based authentication is not a standard, but merely a best-practices method
8-19
U
'
G
SER
S
UIDE
- Quick Links:
- Switch Access and Login
Hide quick links:
Advertisement
Chapters
Table of Contents
