LevelOne GSW-4876 User Manual


CHAPTER 4 | Configuring the Switch

Configuring Security


MAC address in question at regular intervals and free resources if no activity is seen within the given age period.

If reauthentication is enabled and the port is in an 802.1X-based mode, this is not so critical, since supplicants that are no longer attached to the port will get removed upon the next reauthentication, which will fail. But if reauthentication is not enabled, the only way to free resources is by aging the entries.

For ports in MAC-based Auth. mode, reauthentication does not cause direct communication between the switch and the client, so this will not detect whether the client is still attached or not, and the only way to free any resources is to age the entry.

Hold Time - The time after an EAP Failure indication or RADIUS timeout that a client is not allowed access. This setting applies to ports running Single 802.1X, Multi 802.1X, or MAC-based authentication. (Range: 10-1000000 seconds; Default: 10 seconds)

If the RADIUS server denies a client access, or a RADIUS server request times out (according to the timeout specified on the AAA menu on page 119), the client is put on hold in the Unauthorized state. In this state, the hold timer does not count down during an on-going authentication.

In MAC-based Authentication mode, the switch will ignore new frames coming from the client during the hold time.

RADIUS-Assigned QoS Enabled - RADIUS-assigned QoS provides a means to centrally control the traffic class to which traffic coming from a successfully authenticated supplicant is assigned on the switch. The RADIUS server must be configured to transmit special RADIUS attributes to take advantage of this feature.

The RADIUS-Assigned QoS Enabled checkbox provides a quick way to globally enable/disable RADIUS-server assigned QoS Class functionality. When checked, the individual port settings determine whether RADIUS-assigned QoS Class is enabled for that port. When unchecked, RADIUS-server assigned QoS Class is disabled for all ports.

When RADIUS-Assigned QoS is both globally enabled and enabled for a given port, the switch reacts to QoS Class information carried in the RADIUS Access-Accept packet transmitted by the RADIUS server when a supplicant is successfully authenticated. If present and valid, traffic received on the supplicant’s port will be classified to the given QoS Class. If (re-)authentication fails or the RADIUS Access-Accept packet no longer carries a QoS Class or it's invalid, or the supplicant is otherwise no longer present on the port, the port's QoS Class is immediately reverted to the original QoS Class (which may be changed by the administrator in the meanwhile without affecting the RADIUS-assigned setting).

This option is only available for single-client modes, i.e. port-based 802.1X and Single 802.1X.
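The apply-and-revert rules above can be traced with a small model. This is an added example, not LevelOne firmware code: the `Port` and `Switch` classes and their method names are hypothetical, and the valid class range 0-7 is an assumption, since the page does not state it.

```python
from dataclasses import dataclass
from typing import List, Optional

VALID_QOS_CLASSES = range(0, 8)  # assumption: the page does not give the range


@dataclass
class Port:
    admin_qos: int                    # "original" class set by the administrator
    radius_qos_enabled: bool = True   # per-port RADIUS-assigned QoS setting
    radius_qos: Optional[int] = None  # override taken from the last Access-Accept


class Switch:
    def __init__(self, global_radius_qos: bool) -> None:
        self.global_radius_qos = global_radius_qos  # the global checkbox

    def on_auth_result(self, port: Port, accepted: bool,
                       qos_attr: Optional[int]) -> None:
        """Re-evaluate the override after every (re-)authentication."""
        usable = (accepted and self.global_radius_qos
                  and port.radius_qos_enabled
                  and qos_attr is not None
                  and qos_attr in VALID_QOS_CLASSES)
        # A failed auth, or a missing or invalid class, clears the override.
        port.radius_qos = qos_attr if usable else None

    def on_supplicant_gone(self, port: Port) -> None:
        port.radius_qos = None  # supplicant left the port: revert immediately

    def effective_qos(self, port: Port) -> int:
        if (self.global_radius_qos and port.radius_qos_enabled
                and port.radius_qos is not None):
            return port.radius_qos
        return port.admin_qos  # reverts to whatever the admin has set by now


def demo() -> List[int]:
    sw, p, seen = Switch(global_radius_qos=True), Port(admin_qos=0), []
    sw.on_auth_result(p, True, 5); seen.append(sw.effective_qos(p))     # assigned
    p.admin_qos = 2; seen.append(sw.effective_qos(p))       # admin edit is masked
    sw.on_auth_result(p, True, None); seen.append(sw.effective_qos(p))  # no class
    sw.on_auth_result(p, True, 9); seen.append(sw.effective_qos(p))     # invalid
    sw.on_auth_result(p, True, 4)
    sw.global_radius_qos = False; seen.append(sw.effective_qos(p))  # global off
    return seen
```

The second and third steps show the point that is easy to miss when auditing a port: a class changed by the administrator while an override is active only takes effect once the override is dropped.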
