iES12G
User’s
Manual
UM-iES12G-1.72.2-EN.docx
Pages 126 of 166
© 2020 IS5 COMMUNICATIONS INC. ALL RIGHTS RESERVED
NAS (802.1x)
Network Access Server Configuration
This page allows the user to configure the IEEE 802.1X and MAC-based authentication system and
port settings. Network Access Server stands for NAS.
The IEEE 802.1X standard defines a port-based access control procedure that prevents
unauthorized access to a network by requiring users to first submit credentials for authentication.
One or more central servers (the backend servers
)
determine whether the user is allowed access
to the network. They are configured at "Security
→
AAA
→
AAA" page.
MAC-based authentication allows for authentication of more than one user on the same port, and
does not require the users to have special 802.1X software installed on their system. The switch uses
the users' MAC addresses to authenticate against the backend server. As intruders can create
counterfeit MAC addresses, which makes MAC-based authentication is less secure than 802.1 X
authentications.
Overview of 802.1X (Port-Based) Authentication
In an 802.1X network environment, the user is called the supplicant, the switch is the authenticator,
and the RADIUS server is the authentication server. The switch acts as the man-in-the-middle,
forwarding requests and responses between the supplicant and the authentication server. Frames
sent between the supplicant and the switch are special 802.1X frames, known as EAPOL (EAP Over
LANs) frames which encapsulate EAP PDUs [2] (RFC3748). Frames sent between the switch and
the RADIUS server are RADIUS packets. RADIUS packets also encapsulate EAP PDUs together with
other attributes like the switch's IP address, name, and the supplicant's port number on the switch.
EAP is very flexible as it allows for different authentication methods, like MD5-Challenge, PEAP,
and TLS. The important thing is that the authenticator (the switch) does not need to know which
authentication method the supplicant and the authentication server are using, or how many
information exchange frames are needed for a particular method. The switch simply encapsulates
the EAP part of the frame into the relevant type (EAPOL or RADIUS) and forwards it.
When authentication is complete, the RADIUS server sends a special packet containing a success
or failure indication. Besides forwarding the result to the supplicant, the switch uses it to open up or
block traffic on the switch port connected to the supplicant.
Note: in an environment where two backend servers are enabled, the server timeout is configured to X
seconds (using the authentication configuration page), and the first server in the list is currently down
(but not considered dead) , if the supplicant retransmits EAPOL Start frames at a rate faster than X
seconds, it will never be authenticated because the switch will cancel on-going backend authentication
server requests whenever it receives a new EAPOL Start frame from the supplicant. Since the server has
not failed (because the X seconds have not expired), the same server will be contacted when the next
back-end authentication server requests from the switch. This scenario will loop forever. Therefore, the
server timeout should be smaller than the supplicant's EAPOL Start frame retransmission rate.