Allied Telesis AT-S63 User Manual

AT-S63 Management Software Menus Interface User’s Guide

Section VII: Port Security

authentication is not tied to any specific computer or node. An end user
can log on from any system and still be verified by the RADIUS server
as a valid user of the switch and network.

This authentication method requires 802.1x client software on the
supplicant nodes.

• MAC address-based authentication

An alternative method is to use the MAC address of a node as the
username and password combination for the device. The client is not
prompted for this information. Rather, the switch extracts the source
MAC address from the initial frames received from a supplicant and
automatically sends the MAC address as both the username and
password of the supplicant to the RADIUS server for authentication.

The advantage of this approach is that the supplicant need not have
802.1x client software. The disadvantage is that, because the client is
not prompted for a username and password combination, it does not
prevent an unauthorized individual from gaining access to the
network through an unattended network node or by counterfeiting a
valid network MAC address.
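A defender's check for the MAC-counterfeiting weakness described above, as an added example that is not part of the Allied Telesis guide: it flags a MAC address that logs in on a second port while its earlier session on another port is still open. The log layout, switch names and MAC addresses are constructed, and it assumes the RADIUS server records the switch and port for each login and logout.

```python
import csv
import io
import re

# Constructed sample records (not from a real network):
# time, event, username (the MAC the switch sent), switch, port
SAMPLE_LOG = """\
09:00:01,start,00:A0:D2:11:22:33,sw1,4
09:00:07,start,00-a0-d2-44-55-66,sw1,9
09:12:40,start,00a0.d211.2233,sw2,17
09:30:00,stop,00:A0:D2:44:55:66,sw1,9
09:31:15,start,00:a0:d2:44:55:66,sw2,3
"""

def normalize_mac(text):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return digits

def find_concurrent_macs(log_text):
    """Return alerts for a MAC that logs in on a second port while its
    earlier session on another port is still open."""
    active = {}   # mac -> set of (switch, port) with an open session
    alerts = []
    for time, event, user, switch, port in csv.reader(io.StringIO(log_text)):
        mac = normalize_mac(user)
        where = (switch, port)
        ports = active.setdefault(mac, set())
        if event == "start":
            others = sorted(ports - {where})
            if others:
                alerts.append((time, mac, where, others))
            ports.add(where)
        elif event == "stop":
            ports.discard(where)   # a clean move to a new port is not flagged
    return alerts

if __name__ == "__main__":
    for time, mac, where, others in find_concurrent_macs(SAMPLE_LOG):
        print(f"{time} {mac} on {where} while still active on {others}")
```
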

Operational Settings

A port in the authenticator role can have one of three possible operational
settings:

• Auto - Activates port-based authentication. The port begins in the
unauthorized state, forwarding only EAPOL frames and discarding all
other traffic. The authentication process begins when the link state of
the port changes or the port receives an EAPOL-Start packet from a
supplicant. The switch requests the identity of the client and begins
relaying authentication messages between the client and the RADIUS
authentication server. After the supplicant is validated by the RADIUS
server, the port begins forwarding all traffic to and from the supplicant.
This is the default setting for an authenticator port.

• Force-authorized - Disables IEEE 802.1X port-based authentication
and automatically places the port in the authorized state without any
authentication exchange required. The port transmits and receives
normal traffic without authenticating the client.

Note

A supplicant connected to an authenticator port set to
force-authorized must have 802.1x client software if the port is
configured for the 802.1x authentication mode. Though this setting
precludes an authentication exchange, the supplicant must still have
the client software. Supplicants without 802.1x client software cannot
forward traffic through an authenticator port set to force-authorized.
