Port-based network access control guidelines – Allied Telesis AT-S63 User Manual


Chapter 28: 802.1x Port-based Network Access Control

654

Section IV: Port Security

The instructions for this step are in “Configuring TACACS+” on page 767.

4. Next, you must configure the port access control settings on the switch. This involves the following:

• Specifying the port roles.
• Configuring 802.1x port parameters.
• Enabling 802.1x Port-based Network Access Control.

The instructions for this step are found in this chapter.

5. Finally, if you want to use RADIUS accounting to monitor the supplicants connected to the switch ports, you must configure the service on the switch, as explained in “Configuring RADIUS Accounting” on page 669.

Port-based Network Access Control Guidelines

Following are the guidelines for using this feature:

• Ports operating under port-based access control do not support port trunking or dynamic MAC address learning.

• The appropriate port role for a port on an AT-9400 Series switch connected to an authentication server is None.

• The authentication server must be a member of the management VLAN. For information about management VLANs, refer to “Specifying a Management VLAN” on page 581.

• Allied Telesyn does not support connecting more than one supplicant to an authenticator port on the switch. The switch allows only one supplicant to log on per port.

Note
Connecting multiple supplicants to a switch port set to the authenticator role does not conform to the IEEE 802.1x standard. This can introduce security risks and can result in undesired switch behavior. To avoid this, Allied Telesyn recommends not applying the authenticator role to a port that is connected to more than one end node, such as a port connected to another switch or to a hub.

• If a switch port set to the supplicant role is connected to a port on another switch that is not set to authenticator, the port, after a timeout period, assumes that it can send traffic without having to log on.

• A username and password combination is not tied to the MAC address of an end node. This allows end users to use the same username and password when working at different workstations.

• After a supplicant has successfully logged on, the MAC address of the end node is added to the switch’s MAC address table as an authenticated address. It remains in the table until the end user logs off
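As an added example (not from this manual and not AT-S63 output), the following Python audit applies several of the guidelines above to a constructed, hypothetical port inventory: it flags trunk members under port-based access control, a port facing the authentication server whose role is not None, and authenticator ports that face a hub or switch or have learned more than one MAC address. The inventory fields, the "faces" labels and the sample MAC addresses are assumptions made for the example.

```python
"""Audit an 802.1x port-role plan against the guidelines above.

The input is a constructed, hypothetical inventory (not AT-S63 output):
port role ("none", "authenticator", "supplicant"), trunk membership,
what the port faces, and the MAC addresses learned on it.
"""
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    role: str                      # "none", "authenticator" or "supplicant"
    trunk_member: bool = False
    faces: str = "end-node"        # "end-node", "auth-server", "switch", "hub"
    learned_macs: list = field(default_factory=list)


def audit_port(port: Port) -> list:
    """Return guideline violations for one port (empty list = compliant)."""
    findings = []
    controlled = port.role in ("authenticator", "supplicant")
    # Ports under port-based access control do not support port trunking.
    if controlled and port.trunk_member:
        findings.append("trunk member under port-based access control")
    # The port facing the authentication server must use role None.
    if port.faces == "auth-server" and port.role != "none":
        findings.append("authentication server port must have role None")
    # Only one supplicant per authenticator port; a switch or hub behind an
    # authenticator port means more than one end node on that port.
    if port.role == "authenticator":
        if port.faces in ("switch", "hub"):
            findings.append(f"authenticator role on port facing a {port.faces}")
        nodes = len(set(port.learned_macs))
        if nodes > 1:
            findings.append(f"{nodes} end nodes behind authenticator port")
    return findings


def audit(ports) -> dict:
    """Map each non-compliant port name to its list of findings."""
    return {p.name: f for p in ports if (f := audit_port(p))}


# Constructed sample inventory (hypothetical values, not from a real switch).
SAMPLE_PORTS = [
    Port("1", "authenticator", learned_macs=["00:00:5e:00:53:01"]),
    Port("2", "authenticator", faces="hub",
         learned_macs=["00:00:5e:00:53:02", "00:00:5e:00:53:03"]),
    Port("3", "supplicant", trunk_member=True),
    Port("4", "authenticator", faces="auth-server"),
    Port("5", "none", faces="auth-server"),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_PORTS).items():
        print(f"port {name}: " + "; ".join(findings))
```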
