Niveo Professional NGSME16T2H User Manual

Page 77

Advertising
background image

Chapter 3: Featuring Configuration

– Web UI

Featuring Configuration

– Web UI

NGSME16T2H User Manual | 77

can get authenticated on the port at a time. Normal EAPOL frames are used in the

communication between the supplicant and the switch. If more than one supplicant

is connected to a port, the one that comes first when the port's link comes up will be

the first one considered. If that supplicant doesn't provide valid credentials within a

certain amount of time, another supplicant will get a chance. Once a supplicant is

successfully authenticated, only that supplicant will be allowed access. This is the

most secure of all the supported modes. In this mode, the Port Security module is

used to secure a supplicant's MAC address once successfully authenticated.

Multi 802.1X

Multi 802.1X is - like Single 802.1X - not an IEEE standard, but a variant that

features many of the same characteristics.In Multi 802.1X, one or more supplicants

can get authenticated on the same port at the same time. Each supplicant is

authenticated individually and secured in the MAC table using the Port Security

module.

In Multi 802.1X it is not possible to use the multicast BPDU MAC address as

destination MAC address for EAPOL frames sent from the switch towards the

supplicant, since that would cause all supplicants attached to the port to reply to

requests sent from the switch. Instead, the switch uses the supplicant's MAC

address, which is obtained from the first EAPOL Start or EAPOL Response Identity

frame sent by the supplicant. An exception to this is when no supplicants are

attached. In this case, the switch sends EAPOL Request Identity frames using the

BPDU multicast MAC address as destination - to wake up any supplicants that might

be on the port.

The maximum number of supplicants that can be attached to a port can be limited

using the Port Security Limit Control functionality.MAC-based Auth.

Unlike port-based 802.1X, MAC-based authentication is not a standard, but merely

a best-practices method adopted by the industry. In MAC-based authentication,

users are called clients, and the switch acts as the supplicant on behalf of clients.

The initial frame (any kind of frame) sent by a client is snooped by the switch, which

in turn uses the client's MAC address as both username and password in the

subsequent EAP exchange with the RADIUS server. The 6-byte MAC address is

converted to a string on the following form "xx-xx-xx-xx-xx-xx", that is, a dash (-) is

used as separator between the lower-cased hexadecimal digits. The switch only

supports the MD5-Challenge authentication method, so the RADIUS server must be

configured accordingly.

Advertising
This manual is related to the following products: