Planet SGSW-24040 User Manual page 231

User's Manual of SGSW-24040 / 24240 Series
Unlike port-based 802.1X, MAC-based authentication is not a standard, but
merely a best-practices method adopted by the industry. In MAC-based
authentication, users are called clients, and the switch acts as the supplicant on
behalf of clients. The initial frame (any kind of frame) sent by a client is snooped
by the switch, which in turn uses the client's MAC address as both username and
password in the subsequent EAP exchange with the RADIUS server. The 6-byte
MAC address is converted to a string on the following form "xx-xx-xx-xx-xx-xx",
that is, a dash (-) is used as separator between the lower-cased hexadecimal
digits. The switch only supports the MD5-Challenge authentication method, so
the RADIUS server must be configured accordingly.
When authentication is complete, the RADIUS server sends a success or failure
indication, which in turn causes the switch to open up or block traffic for that
particular client, using the Port Security module. Only then will frames from the
client be forwarded on the switch. There are no EAPOL frames involved in this
authentication, and therefore, MAC-based Authentication has nothing to do with
the 802.1X standard.
The advantage of MAC-based authentication over port-based 802.1X is that
several clients can be connected to the same port (e.g. through a 3rd party
switch or a hub) and still require individual authentication, and that the clients
don't need special supplicant software to authenticate. The advantage of
MAC-based authentication over 802.1X-based authentication is that the clients
don't need special supplicant software to authenticate. The disadvantage is that
MAC addresses can be spoofed by malicious users - equipment whose MAC
address is a valid RADIUS user can be used by anyone. Also, only the
MD5-Challenge method is supported. The maximum number of clients that can
be attached to a port can be limited using the Port Security Limit Control
functionality.
 RADIUS-Assigned QoS
When RADIUS-Assigned QoS is both globally enabled and enabled (checked)
for a given port, the switch reacts to QoS Class information carried in the
Enabled
RADIUS Access-Accept packet transmitted by the RADIUS server when a
supplicant is successfully authenticated. If present and valid, traffic received on
the supplicant's port will be classified to the given QoS Class. If
(re-)authentication fails or the RADIUS Access-Accept packet no longer carries a
QoS Class or it's invalid, or the supplicant is otherwise no longer present on the
port, the port's QoS Class is immediately reverted to the original QoS Class
(which may be changed by the administrator in the meanwhile without affecting
the RADIUS-assigned).
This option is only available for single-client modes, i.e.
• Port-based 802.1X
210