Access Lists
Functions
The presence of a RADIUS server in the device config and the fact that this server can be
reached over the network is mandatory for the function of 802.1X.
The method of access control negotiation must be synchronized between Supplicant and
Authentication Server (RADIUS).
The setting
< s e t d o t 1 x r e a u t h e n t i c a t i o n p o r t - d o w n [ n o ] a l l o w >
allows
to configure, whether a port may renegotiate the access following a loss of link.
MAC-Authentication-Bypass (MAB)
If 802.1X is to be used but a Supplicant does not support this, access control can fall back to
MAC-Authentication-Bypass (MAB). This mechanism performed the authentication using the
MAC address of the Supplicants.
To activate MAB configure the setting
< s e t d o t 1 x m a b { … } e n a b l e >
, additional to
< s e t d o t 1 x p o r t c o n t r o l { … } p a e - a u t o >
.
RADIUS Attribute
Format
Example
1 (Username)
12 hexadecimal digits, all low-
ercase, and no punctuation
30b216002f3a
2 (Password)
The username (encrypted)
31(Calling-Station-Id)
6 groups of 2 hexadecimal
digits, all uppercase, and sep-
arated by hyphens
30-B2-16-00-2F-3A
Table 37:
Configuration of the RADIUS server for a Supplicant with MAB
Commands to related 802.1X:
< s e t d o t 1 x [ n o ] e n a b l e >
< s e t d o t 1 x p o r t c o n t r o l { f a s t e t h e r n e t 0 | f o 1 | f o 2 | p o r t 1
| p o r t 2 | p o r t 3 | p o r t 4 } { a u t h - f o r c e | p a e - a u t o | u n a u t h -
< s e t d o t 1 x m a b { p o r t 1 | p o r t 2 | p o r t 3 | p o r t 4 } [ n o ] e n a b l e >
< s e t d o t 1 x r e a u t h e n t i c a t i o n p o r t - d o w n [ n o ] a l l o w >
ADVICE
The setting <set dot1x reauthentication port-down allow> includes the danger that by
plugging in an Ethernet switch or something similar between Supplicant and Authenticator
potential illegal network access is possible. When using a hub the 802.1X authentication
can be recorded.
2.25 Access Lists
2.25.1
Concept
EDS500 devices offer 16 access lists that help to classify Ethernet frames. If at least one
rule from a list matches an Ethernet frame then the linked action is carried out (forwarding,
blocking, change Class-of-Service).
Access lists can either be defined as deny lists (blacklist, allowed is anything outside the
specified criteria) or as permit list (whitelist, allowed is everything from the list).
Default configuration:
Access lists are disabled.
86
1KGT151021
V000 1
Содержание EDS500 Series
Страница 8: ...References Introduction 8 1KGT151021 V000 1 ...
Страница 152: ...Certificate Management Functions 152 1KGT151021 V000 1 ...
Страница 155: ...1KGT151021 V000 1 155 ...