IFS NS3502-8P-2S User Manual
241
secured in the MAC table using the Port Security module.
In Multi 802.1X it is not possible to use the multicast BPDU MAC
address as destination MAC address for EAPOL frames sent from
the switch towards the supplicant, since that would cause all
supplicants attached to the port to reply to requests sent from
the switch. Instead, the switch uses the supplicant's MAC
address, which is obtained from the first EAPOL Start or EAPOL
Response Identity frame sent by the supplicant. An exception to
this is when no supplicants are attached. In this case, the switch
sends EAPOL Request Identity frames using the BPDU multicast
MAC address as destination - to wake up any supplicants that
might be on the port.
The maximum number of supplicants that can be attached to a
port can be limited using the Port Security Limit Control
functionality.
MAC-based Auth.
Unlike port-based 802.1X, MAC-based authentication is not a
standard, but merely a best-practices method adopted by the
industry. In MAC-based authentication, users are called clients,
and the switch acts as the supplicant on behalf of clients. The
initial frame (any kind of frame) sent by a client is snooped by the
switch, which in turn uses the client's MAC address as both
username and password in the subsequent EAP exchange with
the RADIUS server. The 6-byte MAC address is converted to a
string on the following form "xx-xx-xx-xx-xx-xx", that is, a dash (-)
is used as separator between the lower-cased hexadecimal digits.
The switch only supports the MD5-Challenge authentication
method, so the RADIUS server must be configured accordingly.
When authentication is complete, the RADIUS server sends a
success or failure indication, which in turn causes the switch to
open up or block traffic for that particular client, using the Port
Security module. Only then will frames from the client be
forwarded on the switch. There are no EAPOL frames involved in
this authentication, and therefore, MAC-based Authentication
has nothing to do with the 802.1X standard.
The advantage of MAC-based authentication over port-based
802.1X is that several clients can be connected to the same port
(e.g. through a 3rd party switch or a hub) and still require
individual authentication, and that the clients don't need special
supplicant software to authenticate. The advantage of