Allied Telesis AT-S63 User Manual

Page 736


Chapter 31: 802.1x Port-based Network Access Control


Section VIII: Port Security

Providing network users with access to their network resources while also
maintaining network security is often achieved through the use of VLANs.
As explained in “VLAN Overview” on page 590, a VLAN is an independent
traffic domain where the traffic generated by the nodes within the VLAN is
restricted to nodes of the same VLAN, unless there is a router or Layer 3
interconnection device. Different users are assigned to different VLANs
depending on their resource requirements and security level.

The problem with a port-based VLAN is that VLAN membership is
determined by the port on the switch to which the device is connected. If a
different device that needs to belong to a different VLAN is connected to a
port, the port must be manually moved to the new VLAN using the
management software.

With 802.1x port-based network access control, you can link a username
and password combination or MAC address to a specific VLAN so that the
switch automatically moves the port to the appropriate VLAN when a client
logs on. This frees the network manager from having to reconfigure
VLANs as end users access the network from different points or where the
same workstation is used by different individuals at different times.

To use this feature, you have to enter a VLAN identifier, along with other
information, when you create a supplicant account on the RADIUS server.
The server passes the identifier to the switch when a user logs on with a
valid username and password combination or MAC address, depending
on the authentication method. The information to provide on the RADIUS
server is outlined in “Supplicant VLAN Attributes on the RADIUS Server”
on page 737.

How the switch responds when it receives VLAN information during the
authentication process depends on the operating mode of the
authenticator port.

Single Operating Mode

Here are the operating characteristics for the switch when an authenticator
port is set to the Single operating mode:

• If the switch receives a valid VLAN ID or VLAN name from the
RADIUS server, it moves the authenticator port to the designated
VLAN and changes the port to the authorized state. If the piggy-back
mode is disabled, only the authenticated supplicant is allowed to use
the port; all other supplicants are denied entry. If the piggy-back mode
is enabled, all clients are allowed access to the port and the same
VLAN after the initial authentication.

• If the switch receives an invalid VLAN ID or VLAN name from the
RADIUS server (for example, the VID of a nonexistent VLAN), it leaves the
port in the unauthorized state to deny access to the port.
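The two rules above, together with the RADIUS hand-off described earlier in this section, as an added example (this is not code from the Allied Telesis manual or from the AT-S63 software): a small Python model of a Single-mode authenticator port acting on an Access-Accept. It assumes the VLAN identifier arrives in the RFC 2868/RFC 3580 tunnel attributes (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID carrying the VID or VLAN name); that is the usual carrier for dynamic VLAN assignment, but this page itself only refers to "Supplicant VLAN Attributes on the RADIUS Server" on page 737, so treat the attribute choice as an assumption. The switch VLAN table, the MAC addresses and the Access-Accept attribute bytes are constructed for the example, and how an Access-Accept with no VLAN attributes at all is handled is likewise an assumption, because the page does not cover that case.

```python
from dataclasses import dataclass
from typing import Optional

# RADIUS tunnel attributes used for dynamic VLAN assignment (RFC 2868 / RFC 3580).
# Assumption of this example: the AT-S63 reads these attributes; the manual's
# page 737, not this page, is where the attribute requirements are specified.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def parse_avps(payload: bytes) -> list[tuple[int, bytes]]:
    """Split the attribute region of a RADIUS packet into (type, value) pairs,
    rejecting truncated or overlapping attributes instead of reading past them."""
    avps, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        avps.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return avps


def _strip_tag(value: bytes) -> bytes:
    # RFC 2868: a leading octet in 0x00..0x1F is a tunnel tag, not part of the string.
    return value[1:] if value and value[0] <= 0x1F else value


def vlan_from_accept(payload: bytes) -> Optional[str]:
    """Return the VLAN ID or VLAN name carried in Tunnel-Private-Group-ID, or None
    when the Access-Accept does not carry a consistent VLAN assignment."""
    ttype = tmedium = None
    group: Optional[str] = None
    for atype, value in parse_avps(payload):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            # 4-octet integer attribute: tag octet followed by a 3-octet value
            if len(value) != 4:
                raise ValueError(f"attribute {atype} must be 4 octets")
            if atype == TUNNEL_TYPE:
                ttype = int.from_bytes(value[1:], "big")
            else:
                tmedium = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            group = _strip_tag(value).decode("ascii")
    if ttype != TUNNEL_TYPE_VLAN or tmedium != TUNNEL_MEDIUM_IEEE_802:
        return None
    return group


@dataclass
class PortState:
    authorized: bool
    vlan_id: Optional[int]          # VLAN the port was moved to, if any
    supplicant_mac: Optional[str]   # MAC that authenticated (None when unauthorized)


def resolve_vlan(ident: str, vlan_table: dict[int, str]) -> Optional[int]:
    """Map a VLAN ID ("20") or VLAN name ("Engineering") to a VID that exists
    on the switch; None means the RADIUS server named a nonexistent VLAN."""
    if ident.isdigit():
        vid = int(ident)
        return vid if vid in vlan_table else None
    for vid, name in vlan_table.items():
        if name == ident:
            return vid
    return None


def apply_accept(payload: bytes, supplicant_mac: str,
                 vlan_table: dict[int, str]) -> PortState:
    """Single operating mode: a valid VLAN ID or name moves the port to that VLAN
    and authorizes it; an unknown VID or name leaves the port unauthorized."""
    ident = vlan_from_accept(payload)
    if ident is None:
        # Assumption of this example (not covered by the page): an Access-Accept
        # with no VLAN attributes authorizes the port in its existing VLAN.
        return PortState(True, None, supplicant_mac)
    vid = resolve_vlan(ident, vlan_table)
    if vid is None:
        return PortState(False, None, None)
    return PortState(True, vid, supplicant_mac)


def frame_allowed(port: PortState, src_mac: str, piggyback: bool) -> bool:
    """Piggy-back rule: disabled means only the authenticated supplicant may use
    the port; enabled means any client may, once the port is authorized."""
    if not port.authorized:
        return False
    return piggyback or src_mac == port.supplicant_mac


# --- constructed Access-Accept attribute regions (not captured traffic) ---
def _avp(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value


def build_vlan_attrs(group_id: str, tag: Optional[int] = 1) -> bytes:
    """Build the three tunnel attributes a RADIUS server sends for a VLAN
    assignment. tag=None omits the tag octet on Tunnel-Private-Group-ID."""
    prefix = b"" if tag is None else bytes([tag])
    return (_avp(TUNNEL_TYPE, bytes([tag or 0]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + _avp(TUNNEL_MEDIUM_TYPE, bytes([tag or 0]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + _avp(TUNNEL_PRIVATE_GROUP_ID, prefix + group_id.encode("ascii")))


if __name__ == "__main__":
    switch_vlans = {1: "Default_VLAN", 20: "Engineering", 30: "Sales"}  # constructed table
    for group in ("20", "Engineering", "99", "Finance"):
        state = apply_accept(build_vlan_attrs(group), "00:11:22:33:44:55", switch_vlans)
        print(f"Tunnel-Private-Group-ID={group!r:14} -> {state}")
```

The two failure paths worth noting: a VID or name that does not exist on the switch is the case the second bullet covers, and the model leaves the port unauthorized rather than falling back to the static VLAN; and an Access-Accept whose tunnel attributes are malformed raises rather than being silently accepted, which is the safer default for an authenticator.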
