123 - Huawei S1700 Series Web User Manual

Managed series ethernet switches

S1700 Managed Series Ethernet Switches
Web User Manual
Issue 05 (2012-10-25)

| Item | Description |
|---|---|
| Interface Name | Displays the interface number through which the online user accesses the switch. |
| Authentication Method | Displays the authentication method of the online user. |
| Access Type | Displays the access type of the online user. |
| Acct-Session-ID | The unique accounting ID number that identifies an online user's session. It appears in RADIUS accounting messages, and its value remains constant throughout the RADIUS accounting period. |
| Authorized Filter-ID | The ACL number bound to the online user through the RADIUS standard attribute Filter-ID (11). The details can be found in ACL > ACL Profile. |
| Authorized Data-Filter | The ACL rules bound to the online user through the Huawei private RADIUS attribute Data-Filter (82). Click the Query button to expand the details of the ACL rules. |

9.2 802.1X

A switch can provide easy and open access to network resources for a connecting PC. Although automatic configuration and access is a desirable feature, it also allows unauthorized users to intrude and access sensitive network data.

The IEEE 802.1X (dot1X) standard defines a port-based access control procedure that prevents unauthorized users from accessing the network by requiring users to first submit an authentication message to an authentication server. Access to all switch interfaces in a network can be centrally controlled from a server, which means that authorized users can use the same authentication message to authenticate from any point within the network.

This switch uses the Extensible Authentication Protocol over LANs (EAPOL) to exchange authentication messages between the client and the RADIUS authentication server to verify user identity and access rights. When a client (i.e., Supplicant) connects to a switch interface, the switch (i.e., Authenticator) responds with an EAPOL identity request. The client provides its identity (such as a user name) in an EAPOL response to the switch, which forwards it to the RADIUS server. The RADIUS server verifies the client identity and sends an allowed or rejected message. The client can reject the authentication method and request another, depending on the settings of the client and the RADIUS server.

The RADIUS server sends an accepted or a rejected message after verifying the content. If authentication is successful, the switch allows the client to access the network. Otherwise, non-EAP traffic on the interface will be blocked.

Port-based Access Control

Under port-based access control, once the connected device passes authentication successfully, the interface changes to the authorized state, and all traffic on this interface is no longer subject to access control until the interface becomes unauthorized. Therefore, if the network segment connected to the interface is a shared one in which multi network
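
The identity exchange described in section 9.2 can be verified in a packet capture taken on a client-facing port. The following Python code is an added example, not taken from the manual or from the switch software: it decodes the EAPOL and EAP headers (EtherType 0x888E) and tracks the port state an observer would infer from the frames. The MAC addresses, the user name "alice" and all function names are constructed for illustration.

```python
import struct

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge"}

def parse_eapol(frame: bytes) -> dict:
    """Decode one Ethernet frame carrying EAPOL (EtherType 0x888E)."""
    if len(frame) < 18 or frame[12:14] != b"\x88\x8e":
        raise ValueError("not a complete EAPOL frame")
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]          # ignores Ethernet padding
    if len(body) != body_len:
        raise ValueError("EAPOL body truncated")
    msg = {"eapol": EAPOL_TYPES.get(ptype, f"unknown({ptype})"), "version": version}
    if ptype != 0:                          # Start/Logoff/Key carry no EAP packet
        return msg
    if body_len < 4:
        raise ValueError("EAP header truncated")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len < 4 or eap_len > body_len:
        raise ValueError("EAP length inconsistent with EAPOL length")
    msg.update(code=EAP_CODES.get(code, f"unknown({code})"), id=ident)
    if code in (1, 2) and eap_len >= 5:     # Request/Response have a Type octet
        msg["type"] = EAP_TYPES.get(body[4], f"type-{body[4]}")
        msg["data"] = body[5:eap_len]
    return msg

def port_authorized(frames) -> bool:
    """Port state inferred from a capture: open on Success, closed on Failure/Logoff."""
    authorized = False
    for f in frames:
        m = parse_eapol(f)
        if m.get("code") == "Success":
            authorized = True
        elif m.get("code") == "Failure" or m["eapol"] == "EAPOL-Logoff":
            authorized = False
    return authorized

# Constructed sample frames (MAC addresses and user name are made up).
PAE, SW, PC = (bytes.fromhex(h) for h in ("0180c2000003", "020000000001", "020000000002"))
def _eapol(dst, src, ptype, body=b""):
    return dst + src + struct.pack("!HBBH", 0x888E, 1, ptype, len(body)) + body
def _eap(code, ident, payload=b""):
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload

REQ_ID = _eapol(PC, SW, 0, _eap(1, 7, b"\x01"))          # switch -> client
RESP_ID = _eapol(PAE, PC, 0, _eap(2, 7, b"\x01alice"))   # client -> switch
SUCCESS = _eapol(PC, SW, 0, _eap(3, 8))                  # method exchange omitted
LOGOFF = _eapol(PAE, PC, 2)
```

The switch itself authorizes the interface on the RADIUS server's answer; the tracker above only reflects what is visible on the client side of the link.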
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
9 Security


This manual is also suitable for:

S1700, S1700 series, S1720, V100r007c00