PLANET SGSW-24040 User Manual

User’s Manual of SGSW-24040 / 24240 Series

227

In this mode, the switch will send one EAPOL Failure frame when the port link

comes up, and any client on the port will be disallowed network access.

Port-based 802.1X

In the 802.1X-world, the user is called the supplicant, the switch is the

authenticator, and the RADIUS server is the authentication server. The

authenticator acts as the man-in-the-middle, forwarding requests and responses

between the supplicant and the authentication server. Frames sent between the

supplicant and the switch are special 802.1X frames, known as EAPOL (EAP

Over LANs) frames. EAPOL frames encapsulate EAP PDUs (RFC3748). Frames

sent between the switch and the RADIUS server are RADIUS packets. RADIUS

packets also encapsulate EAP PDUs together with other attributes like the

switch's IP address, name, and the supplicant's port number on the switch. EAP

is very flexible, in that it allows for different authentication methods, like

MD5-Challenge, PEAP, and TLS. The important thing is that the authenticator

(the switch) doesn't need to know which authentication method the supplicant

and the authentication server are using, or how many information exchange

frames are needed for a particular method. The switch simply encapsulates the

EAP part of the frame into the relevant type (EAPOL or RADIUS) and forwards it.

When authentication is complete, the RADIUS server sends a special packet

containing a success or failure indication. Besides forwarding this decision to the

supplicant, the switch uses it to open up or block traffic on the switch port

connected to the supplicant.

Note: Suppose two backend servers are enabled and that the server timeout is

configured to X seconds (using the AAA configuration page), and suppose that

the first server in the list is currently down (but not considered dead). Now, if the

supplicant retransmits EAPOL Start frames at a rate faster than X seconds, then

it will never get authenticated, because the switch will cancel on-going backend

authentication server requests whenever it receives a new EAPOL Start frame

from the supplicant. And since the server hasn't yet failed (because the X

seconds haven't expired), the same server will be contacted upon the next

backend authentication server request from the switch. This scenario will loop

forever. Therefore, the server timeout should be smaller than the supplicant's

EAPOL Start frame retransmission rate.

Single 802.1X

In port-based 802.1X authentication, once a supplicant is successfully

authenticated on a port, the whole port is opened for network traffic. This allows

other clients connected to the port (for instance through a hub) to piggy-back on

the successfully authenticated client and get network access even though they