LevelOne GSW-4876 User Manual

Page 95

Chapter 4 | Configuring the Switch

Configuring Security

Single 802.1X - At most one supplicant can get authenticated on the port at a time. If more than one supplicant is connected to a port, the one that comes first when the port's link comes up will be the first one considered. If that supplicant doesn't provide valid credentials within a certain amount of time, another supplicant will get a chance. Once a supplicant is successfully authenticated, only that supplicant will be allowed access. This is the most secure of all the supported modes. In this mode, the Port Security module is used to secure a supplicant's MAC address once successfully authenticated.

Multi 802.1X - One or more supplicants can get authenticated on the same port at the same time. Each supplicant is authenticated individually and secured in the MAC table using the Port Security module.

In Multi 802.1X it is not possible to use the multicast BPDU MAC address as the destination MAC address for EAPOL frames sent from the switch towards the supplicant, since that would cause all supplicants attached to the port to reply to requests sent from the switch. Instead, the switch uses the supplicant's MAC address, which is obtained from the first EAPOL Start or EAPOL Response Identity frame sent by the supplicant. An exception to this is when no supplicants are attached. In this case, the switch sends EAPOL Request Identity frames using the BPDU multicast MAC address as the destination - to wake up any supplicants that might be on the port.

The maximum number of supplicants that can be attached to a port can be limited using the Port Security Limit Control functionality.

MAC-based Auth. - Enables MAC-based authentication on the port. The switch does not transmit or accept EAPOL frames on the port. Flooded frames and broadcast traffic will be transmitted on the port, whether or not clients are authenticated on the port, whereas unicast traffic from an unsuccessfully authenticated client will be dropped. Clients that are not (or not yet) successfully authenticated will not be allowed to transmit frames of any kind.
The switch acts as the supplicant on behalf of clients. The initial frame (any kind of frame) sent by a client is snooped by the switch, which in turn uses the client's MAC address as both user name and password in the subsequent EAP exchange with the RADIUS server. The 6-byte MAC address is converted to a string in the following form, “xx-xx-xx-xx-xx-xx”, that is, a dash (-) is used as the separator between the lower-cased hexadecimal digits. The switch only supports the MD5-Challenge authentication method, so the RADIUS server must be configured accordingly.
When authentication is complete, the RADIUS server sends a success or failure indication, which in turn causes the switch to open up or block traffic for that particular client, using the Port Security module. Only then will frames from the client be forwarded on the switch. There are no EAPOL frames involved in this authentication, and therefore, MAC-based Authentication has nothing to do with the 802.1X standard.
