AMX NXA-ENET8-2POE Operation/Reference Manual page 78

Gigabit Ethernet Layer 2 PoE Switch

Configuring the NXA-ENET8-2POE
Network Access Server Configuration parameters (Cont.)
System Configuration (Cont.)
• Restart
Restarts client authentication using one of the methods described below. Note that the restart buttons are
only enabled when the switch's authentication mode is globally enabled (under System Configuration) and the
port's Admin State is an EAPOL-based or MAC-Based mode. Clicking these buttons will not cause settings
changed on the page to take effect.
Reauthenticate - Schedules reauthentication for whenever the quiet-period of the port runs out (EAPOL-based
authentication). For MAC-based authentication, reauthentication will be attempted immediately. The button
only affects successfully authenticated clients on the port and will not cause the clients to become
temporarily unauthorized.
Reinitialize - Forces a reinitialization of the clients on the port and thereby an immediate
reauthentication. The clients will transfer to the unauthorized state while the reauthentication is in
progress.

Access to all switch ports in a network can be centrally controlled from a server, which means that authorized
users can use the same credentials for authentication from any point within the network (FIG. 52).

FIG. 52 Using Port Security

This switch uses the Extensible Authentication Protocol over LANs (EAPOL) to exchange authentication
protocol messages with the client, and a remote RADIUS authentication server to verify user identity and
access rights. These backend servers are configured on the AAA menu (see the Specifying Authentication
Servers section on page 84).

When a client (i.e., Supplicant) connects to a switch port, the switch (i.e., Authenticator) responds with an
EAPOL identity request. The client provides its identity (such as a user name) in an EAPOL response to the
switch, which the switch forwards to the RADIUS server. The RADIUS server verifies the client identity and
sends an access challenge back to the client. The EAP packet from the RADIUS server contains not only the
challenge, but also the authentication method to be used. The client can reject the authentication method and
request another, depending on the configuration of the client software and the RADIUS server.

The encryption method used by IEEE 802.1X to pass authentication messages can be MD5 (Message-Digest
5), TLS (Transport Layer Security), PEAP (Protected Extensible Authentication Protocol), or TTLS (Tunneled
Transport Layer Security). However, note that the only encryption method supported by MAC-Based
authentication is MD5. The client responds to the appropriate method with its credentials, such as a password
or certificate. The RADIUS server verifies the client credentials and responds with an accept or reject packet.
If authentication is successful, the switch allows the client to access the network. Otherwise, network access is
denied and the port remains blocked.

The operation of 802.1X on the switch requires the following:
• The switch must have an IP address assigned (page 40).
• RADIUS authentication must be enabled on the switch and the IP address of the RADIUS server
specified. Backend RADIUS servers are configured on the Authentication Configuration page
(page 84).
• 802.1X / MAC-based authentication must be enabled globally for the switch.
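
The EAPOL exchange described above (identity request, method offer, the client rejecting a method and requesting another, accept or reject) decoded from raw bytes, as an added example that is not taken from the AMX manual or the switch firmware. It uses the EAP code and type numbers from RFC 3748 and the IANA EAP registry; the function names and the abbreviated sample frames are constructed for illustration.

```python
import struct

# EAP codes and method types (RFC 3748 / IANA EAP registry)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "TLS", 21: "TTLS", 25: "PEAP"}

def build_eapol(code, ident, eap_type=None, data=b""):
    """Build an EAPOL EAP-Packet (helper for the constructed sample only)."""
    body = (bytes([eap_type]) + data) if eap_type is not None else b""
    eap = struct.pack("!BBH", code, ident, 4 + len(body)) + body
    return struct.pack("!BBH", 2, 0, len(eap)) + eap  # version 2, type 0 = EAP-Packet

def parse_eapol(frame):
    """Return (code, identifier, method, data) for one EAPOL EAP-Packet."""
    if len(frame) < 8:
        raise ValueError("truncated EAPOL frame")
    _ver, ptype, plen = struct.unpack("!BBH", frame[:4])
    code, ident, elen = struct.unpack("!BBH", frame[4:8])
    if ptype != 0 or code not in EAP_CODES or not 4 <= elen <= plen or 4 + elen > len(frame):
        raise ValueError("not a well-formed EAP-Packet")
    body = frame[8:4 + elen]
    if code in (1, 2):                      # only Request/Response carry a type
        if not body:
            raise ValueError("missing EAP type")
        return EAP_CODES[code], ident, EAP_TYPES.get(body[0], f"type {body[0]}"), body[1:]
    return EAP_CODES[code], ident, None, b""

def trace(frames):
    """Follow an exchange; return (steps, last offered method, port state)."""
    steps, method, state = [], None, "unauthorized"  # port is blocked by default
    for f in frames:
        code, _id, mtype, data = parse_eapol(f)
        if mtype == "Nak":                  # client rejects the offered method
            wanted = [EAP_TYPES.get(t, f"type {t}") for t in data]
            steps.append("Response/Nak wants " + ",".join(wanted))
        elif mtype:
            steps.append(f"{code}/{mtype}")
            if code == "Request" and mtype != "Identity":
                method = mtype              # method most recently offered by the server
        else:
            steps.append(code)
            state = "authorized" if code == "Success" else "unauthorized"
    return steps, method, state

# Constructed sample: MD5 offered, client asks for PEAP, login succeeds.
SAMPLE = [build_eapol(1, 1, 1), build_eapol(2, 1, 1, b"alice"),
          build_eapol(1, 2, 4, b"\x10" + bytes(16)), build_eapol(2, 2, 3, b"\x19"),
          build_eapol(1, 3, 25, b"\x20"), build_eapol(2, 3, 25, b"\x00"), build_eapol(3, 3)]

if __name__ == "__main__":
    print(trace(SAMPLE))
```

A real PEAP or TLS exchange carries many more Request/Response pairs between the method offer and the final Success; the sample keeps one pair to show the negotiation and the resulting port state.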