Table of Contents
Advertisement
Admin State :
If NAS is globally enabled, this selection controls the port's authentication
following modes are available:
Force Authorized :
In this mode, the switch will send one EAPOL Success frame when the port link comes up,
and any client on the port will be allowed network access without authentication.
Force Unauthorized :
In this mode, the switch will send one EAPOL Failure frame when the port link comes up,
and any client on the port will be disallowed network access.
Port-based 802.1X :
In the 802.1X-world, the user is called the supplicant, the switch is the authenticator, and
the RADIUS server is the authentication server. The authenticator acts as the man-in-the-
middle, forwarding requests and responses between the supplicant and the authentication
server. Frames sent between the supplicant and the switch are special 802.1X frames,
known as EAPOL (EAP Over LANs) frames. EAPOL frames encapsulate EAP PDUs
(RFC3748). Frames sent between the switch and the RADIUS server are RADIUS packets.
RADIUS packets also encapsulate EAP PDUs together with other attributes like the
switch's IP address, name, and the supplicant's port number on the switch. EAP is very
flexible, in that it allows for different authentication methods, like MD5-Challenge, PEAP,
and TLS. The important thing is that the authenticator (the switch) doesn't need to know
which authentication method the supplicant and the authentication server are using, or how
many information exchange frames are needed for a particular method. The switch simply
encapsulates the EAP part of the frame into the relevant type (EAPOL or RADIUS) and
forwards it.
When authentication is complete, the RADIUS server sends a special packet containing a
success or failure indication. Besides forwarding this decision to the supplicant, the switch
uses it to open up or block traffic on the switch port connected to the supplicant
Single 802.1X :
In port-based 802.1X authentication, once a supplicant is successfully authenticated on a
port, the whole port is opened for network traffic. This allows other clients connected to the
port (for instance through a hub) to piggy-back on the successfully authenticated client and
get network access even though they really aren't authenticated. To overcome this security
breach, use the Single 802.1X variant.Single 802.1X is really not an IEEE standard, but
features many of the same characteristics as does port-based 802.1X. In Single 802.1X, at
most one supplicant can get authenticated on the port at a time. Normal EAPOL frames are
used in the communication between the supplicant and the switch. If more than one
Suppose two backend servers are enabled and that
N
:
OTE
the server timeout is configured to X seconds (using the
AAA configuration page), and suppose that the first server in
the list is currently down (but not considered dead).
Now, if the supplicant retransmits EAPOL Start frames at a
rate
faster than X seconds, then it will never
authenticated, because the switch will cancel on-going
backend authentication server requests whenever it receives
a new EAPOL Start frame from the supplicant.
And since the server hasn't yet failed (because the X
seconds haven't expired), the same server will be contacted
upon the next backend authentication server request from
the switch. This scenario will loop forever. Therefore, the
server timeout should be smaller than the supplicant's
EAPOL Start frame retransmission rate.
243
mode. The
get
Publication date: March, 2012
Revision A1
Hide quick links:
Advertisement
Table of Contents
