Authentication Methods for Authenticator Ports – Allied Telesis AT-FS970M Series User Manual

Page 1044

Chapter 69: 802.1x Port-based Network Access Control

Authentication Methods for Authenticator Ports

Authenticator ports support two authentication methods:

802.1x username and password combination

This authentication mode requires that the supplicants be assigned
unique username and password combinations or digital certificates
on the RADIUS server. A supplicant must provide the information
either manually or automatically when initially passing traffic
through an authenticator port and during reauthentications. The
802.1x client software on the supplicant either prompts the user for
the necessary information or provides the information
automatically.

Assigning unique username and password combinations to your
network users and requiring the users to provide the information
when they initially send traffic through the switch can enhance
network security by limiting network access to only those
supplicants who have been assigned valid combinations. Another
advantage is that the authentication is not tied to any specific
computer or node. An end user can log on from any system and
still be verified by the RADIUS server as a valid user of the switch
and network.

This authentication method requires 802.1x client software on the
supplicant nodes.

MAC address-based authentication

An alternative method is to use the source MAC address of the
device as its username and password combination, in a format such
as 00-00-01-00-00-00. The supplicant is not prompted for this
information. Rather, the switch extracts the source MAC address
from the initial frames received from a node and automatically
sends it as both the username and password of the node to the
RADIUS server for authentication.

The advantage of this approach is that the supplicant need not
have 802.1x client software. The disadvantage is that because the
supplicant is not prompted for a username and password
combination, this method does not guard against an unauthorized
individual gaining access to the network through an unattended
network node or by counterfeiting a valid network MAC address.
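
Because a counterfeited MAC address passes this method, one compensating check is to watch the authentication records for the same MAC appearing on two different ports within a short time. The following is an added example, not part of the manual or of Allied Telesis software; the event layout, port names, 300-second window and function names are assumptions, and the sample events are constructed.

```python
import re

# Constructed sample events (not real logs): epoch seconds, switch port,
# and the User-Name the switch sent to the RADIUS server.
SAMPLE_EVENTS = [
    (1000, "port1.0.5", "00-00-01-00-00-00"),
    (1030, "port1.0.5", "00-00-01-00-00-00"),   # reauthentication, same port
    (1060, "port1.0.9", "0000.0100.0000"),      # same MAC, different port
    (1100, "port1.0.7", "00-00-01-00-00-0A"),
    (9000, "port1.0.2", "00:00:01:00:00:0a"),   # same MAC, hours later (a move)
    (1200, "port1.0.3", "alice"),               # 802.1x username, not a MAC
]

def normalize_mac(name):
    """Return the MAC in the 00-00-01-00-00-00 form, or None if not a MAC."""
    digits = re.sub(r"[-:.]", "", name)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        return None
    digits = digits.upper()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def find_mac_reuse(events, window=300):
    """Report MACs authenticated on two different ports within `window` seconds."""
    last_seen = {}            # mac -> (time, port) of the most recent event
    findings = []
    for ts, port, user in sorted(events):
        mac = normalize_mac(user)
        if mac is None:
            continue          # regular 802.1x username; out of scope here
        prev = last_seen.get(mac)
        if prev and prev[1] != port and ts - prev[0] <= window:
            findings.append((mac, prev[1], port, ts - prev[0]))
        last_seen[mac] = (ts, port)
    return findings

if __name__ == "__main__":
    for mac, old, new, gap in find_mac_reuse(SAMPLE_EVENTS):
        print(f"{mac}: {old} -> {new} after {gap}s")
```

A finding is a lead for investigation rather than proof, since a device that is legitimately moved between ports inside the window produces the same pattern.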
