Manufacture Technology GEFXL2-CSW28KX User Manual page 254

supplicant is connected to a port, the one that comes first when the port's link comes up
will be the first one considered. If that supplicant doesn't provide valid credentials within a
certain amount of time, another supplicant will get a chance. Once a supplicant is
successfully authenticated, only that supplicant will be allowed access. This is the most
secure of all the supported modes. In this mode, the Port Security module is used to
secure a supplicant's MAC address once successfully authenticated.
Multi 802.1X :

In port-based 802.1X authentication, once a supplicant is successfully authenticated on a
port, the whole port is opened for network traffic. This allows other clients connected to the
port (for instance through a hub) to piggy-back on the successfully authenticated client and
get network access even though they really aren't authenticated. To overcome this security
breach, use the Multi 802.1X variant.
Multi 802.1X is really not an IEEE standard, but features many of the same characteristics
as does port-based 802.1X. Multi 802.1X is - like Single 802.1X - not an IEEE standard,
but a variant that features many of the same characteristics. In Multi 802.1X, one or more
supplicants can get authenticated on the same port at the same time. Each supplicant is
authenticated individually and secured in the MAC table using the Port Security module.
In Multi 802.1X it is not possible to use the multicast BPDU MAC address as destination
MAC address for EAPOL frames sent from the switch towards the supplicant, since that
would cause all supplicants attached to the port to reply to requests sent from the switch.
Instead, the switch uses the supplicant's MAC address, which is obtained from the first
EAPOL Start or EAPOL Response Identity frame sent by the supplicant. An exception to
this is when no supplicants are attached. In this case, the switch sends EAPOL Request
Identity frames using the BPDU multicast MAC address as destination - to wake up any
supplicants that might be on the port.
The maximum number of supplicants that can be attached to a port can be limited using
the Port Security Limit Control functionality.
MAC-based Auth.:

Unlike port-based 802.1X, MAC-based authentication is not a standard, but merely a best-
practices method adopted by the industry. In MAC-based authentication, users are called
clients, and the switch acts as the supplicant on behalf of clients. The initial frame (any kind
of frame) sent by a client is snooped by the switch, which in turn uses the client's MAC
address as both username and password in the subsequent EAP exchange with the
RADIUS server. The 6-byte MAC address is converted to a string on the following form "xx-
xx-xx-xx-xx-xx", that is, a dash (-) is used as separator between the lower-cased
hexadecimal digits. The switch only supports the MD5-Challenge authentication method,
so the RADIUS server must be configured accordingly.
When authentication is complete, the RADIUS server sends a success or failure indication,
which in turn causes the switch to open up or block traffic for that particular client, using the
Port Security module. Only then will frames from the client be forwarded on the switch.
There are no EAPOL frames involved in this authentication, and therefore, MAC-based
Authentication has nothing to do with the 802.1X standard.
The advantage of MAC-based authentication over port-based 802.1X is that several clients
can be connected to the same port (e.g. through a 3rd party switch or a hub) and still
require individual authentication, and that the clients don't need special supplicant software
to authenticate. The advantage of MAC-based authentication over 802.1X-based
authentication is that the clients don't need special supplicant software to authenticate. The
disadvantage is that MAC addresses can be spoofed by malicious users - equipment
whose MAC address is a valid RADIUS user can be used by anyone. Also, only the MD5-
Challenge method is supported. The maximum number of clients that can be attached to a
port can be limited using the Port Security Limit Control functionality.
RADIUS-Assigned QoS Enabled :

When RADIUS-Assigned QoS is both globally enabled and enabled (checked) on a given
port, the switch reacts to QoS Class information carried in the RADIUS Access-Accept
packet transmitted by the RADIUS server when a supplicant is successfully authenticated.
If present and valid, traffic received on the supplicant's port will be classified to the given
QoS Class. If (re-)authentication fails or the RADIUS Access-Accept packet no longer
244 Publication date: March, 2012
Revision A1