Port-based network access control guidelines – Allied Telesis AT-S63 User Manual


Chapter 29: 802.1x Port-based Network Access Control

626

Section IV: Security

❑ The IP addresses of up to three RADIUS servers.

❑ The encryption key used by the authentication servers.

The instructions for this step are in “Configuring RADIUS” on page 654.

4. Next, you must configure the port access control settings on the switch. This involves the following:

❑ Specifying the port roles.

❑ Configuring 802.1x port parameters.

❑ Enabling 802.1x Port-based Network Access Control.

The instructions for this step are found in this chapter.

5. Finally, if you want to use RADIUS accounting to monitor the supplicants connected to the switch ports, you must configure the service on the switch, as explained in “Configuring RADIUS Accounting” on page 641.

Port-based Network Access Control Guidelines

Following are the guidelines for using this feature:

❑ Ports operating under port-based access control do not support port trunking or dynamic MAC address learning.

❑ The appropriate port role for a port on an AT-9400 Series switch connected to an authentication server is None.

❑ The authentication server must be a member of the management VLAN. For information about management VLANs, refer to “Specifying a Management VLAN” on page 461.

❑ Allied Telesyn does not support connecting more than one supplicant to an authenticator port on the switch. The switch allows only one supplicant to log on per port.

Note

Connecting multiple supplicants to a switch port set to the
authenticator role does not conform to the IEEE 802.1x standard.
This can introduce security risks and can result in undesired switch
behavior. To avoid this, Allied Telesyn recommends not applying
the authenticator role to a port that is connected to more than one
end node, such as a port connected to another switch or to a hub.

❑ If a switch port set to the supplicant role is connected to a port on another switch that is not set to authenticator, the port, after a timeout period, assumes that it can send traffic without having to
