Niveo Professional NGSME16T2H User Manual

Chapter 3: Featuring Configuration – Web UI

NGSME16T2H User Manual | 76

the authentication server. Frames sent between the supplicant and the switch are special 802.1X frames, known as EAPOL (EAP Over LANs) frames. EAPOL frames encapsulate EAP PDUs (RFC3748). Frames sent between the switch and the RADIUS server are RADIUS packets. RADIUS packets also encapsulate EAP PDUs together with other attributes like the switch's IP address, name, and the supplicant's port number on the switch. EAP is very flexible, in that it allows for different authentication methods, like MD5-CHALLENGE, PEAP, and TLS. The important thing is that the authenticator (the switch) doesn't need to know which authentication method the supplicant and the authentication server are using, or how many information exchange frames are needed for a particular method. The switch simply encapsulates the EAP part of the frame into the relevant type (EAPOL or RADIUS) and forwards it.

When authentication is complete, the RADIUS server sends a special packet containing a success or failure indication. Besides forwarding this decision to the supplicant, the switch uses it to open up or block traffic on the switch port connected to the supplicant.

Note: Suppose two backend servers are enabled and that the server timeout is configured to X seconds (using the AAA configuration page), and suppose that the first server in the list is currently down (but not considered dead). Now, if the supplicant retransmits EAPOL Start frames at a rate faster than X seconds, then it will never get authenticated, because the switch will cancel on-going backend authentication server requests whenever it receives a new EAPOL Start frame from the supplicant. And since the server hasn't yet failed (because the X seconds haven't expired), the same server will be contacted upon the next backend authentication server request from the switch. This scenario will loop forever. Therefore, the server timeout should be smaller than the supplicant's EAPOL Start frame retransmission rate.
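The timing hazard in the note can be replayed with a small simulation. This is an added example, not the manual's or the switch's own code; it assumes exactly the behaviour the note describes (a new EAPOL Start cancels the pending backend request, a server is marked dead only after X seconds without a reply) plus a constructed reply delay `RTT` for a reachable server.

```python
RTT = 0.05  # assumed reply delay of a reachable RADIUS server, in seconds


def simulate(server_timeout, start_interval, servers, horizon=60.0):
    """Replay the note's scenario.

    server_timeout: X, the AAA server timeout in seconds.
    start_interval: how often the supplicant retransmits EAPOL Start.
    servers: reachability of each backend server in list order (True = up).
    Returns ("authenticated", time, server_index) or ("loop", None, None).
    """
    dead = [False] * len(servers)         # servers the switch has given up on
    t = 0.0                               # time of the first EAPOL Start
    while t < horizon:
        next_start = t + start_interval   # the next Start cancels any pending request
        sent_at = t                       # when the current backend request went out
        while True:
            idx = next((i for i, d in enumerate(dead) if not d), None)
            if idx is None:
                return ("loop", None, None)
            if servers[idx]:
                # A live server answers after RTT; the reply only counts if it
                # arrives before the supplicant's next Start cancels the request.
                if sent_at + RTT <= next_start:
                    return ("authenticated", round(sent_at + RTT, 3), idx)
                break
            if sent_at + server_timeout >= next_start:
                break   # cancelled before X expired: the down server is never marked dead
            # X expired first: mark the server dead and fall through to the next one.
            sent_at += server_timeout
            dead[idx] = True
        t = next_start
    return ("loop", None, None)


def timing_is_safe(server_timeout, start_interval):
    """The manual's rule: the server timeout must be smaller than the
    supplicant's EAPOL Start retransmission interval."""
    return server_timeout < start_interval


if __name__ == "__main__":
    servers = [False, True]  # constructed: first server down, second up
    # X = 30 s, Start every 10 s: the switch never fails over to server 2.
    print(simulate(30, 10, servers))   # ('loop', None, None)
    # X = 5 s, Start every 10 s: server 1 times out, server 2 authenticates.
    print(simulate(5, 10, servers))    # ('authenticated', 5.05, 1)
```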

Single 802.1X

In port-based 802.1X authentication, once a supplicant is successfully authenticated on a port, the whole port is opened for network traffic. This allows other clients connected to the port (for instance through a hub) to piggy-back on the successfully authenticated client and get network access even though they really aren't authenticated. To overcome this security breach, use the Single 802.1X variant.

Single 802.1X is really not an IEEE standard, but features many of the same characteristics as does port-based 802.1X. In Single 802.1X, at most one supplicant
