PLANET WGSD-10020 User Manual

User’s Manual of WGSD-10020 Series

227

successfully authenticated.



Multi 802.1X

In port-based 802.1X authentication, once a supplicant is successfully

authenticated on a port, the whole port is opened for network traffic. This allows

other clients connected to the port (for instance through a hub) to piggy-back on

the successfully authenticated client and get network access even though they

really aren't authenticated. To overcome this security breach, use the Multi

802.1X variant.

Multi 802.1X is really not an IEEE standard, but features many of the same

characteristics as does port-based 802.1X. Multi 802.1X is - like Single 802.1X -

not an IEEE standard, but a variant that features many of the same

characteristics. In Multi 802.1X, one or more supplicants can get authenticated

on the same port at the same time. Each supplicant is authenticated individually

and secured in the MAC table using the Port Security module.

In Multi 802.1X it is not possible to use the multicast BPDU MAC address as

destination MAC address for EAPOL frames sent from the switch towards the

supplicant, since that would cause all supplicants attached to the port to reply to

requests sent from the switch. Instead, the switch uses the supplicant's MAC

address, which is obtained from the first EAPOL Start or EAPOL Response

Identity frame sent by the supplicant. An exception to this is when no supplicants

are attached. In this case, the switch sends EAPOL Request Identity frames

using the BPDU multicast MAC address as destination - to wake up any

supplicants that might be on the port.

The maximum number of supplicants that can be attached to a port can be

limited using the Port Security Limit Control functionality.



MAC-based Auth.

Unlike port-based 802.1X, MAC-based authentication is not a standard, but

merely a best-practices method adopted by the industry. In MAC-based

authentication, users are called clients, and the switch acts as the supplicant on

behalf of clients. The initial frame (any kind of frame) sent by a client is snooped

by the switch, which in turn uses the client's MAC address as both username and

password in the subsequent EAP exchange with the RADIUS server. The 6-byte

MAC address is converted to a string on the following form "xx-xx-xx-xx-xx-xx",

that is, a dash (-) is used as separator between the lower-cased hexadecimal

digits. The switch only supports the MD5-Challenge authentication method, so

the RADIUS server must be configured accordingly.

When authentication is complete, the RADIUS server sends a success or failure

indication, which in turn causes the switch to open up or block traffic for that