Chapter 33: 802.1x Port-based Network Access Control
394
Section VIII: Port Security
Supplicant and VLAN Associations
One of the challenges to managing a network is accommodating end
users that roam. These are individuals whose work requires that they
access the network resources from different points at different times. The
difficulty arises in providing them with access to the same network
resources and, conversely, restricting them from unauthorized areas,
regardless of the workstation from where they access the network. A
closely related issue is where a workstation is employed at various times
by different individuals with unique requirements in terms of network
resources and security levels.
Providing network users with access to their network resources while also
maintaining network security is often achieved through the use of VLANs.
As explained in “Overview” on page 271, a VLAN is an independent traffic
domain where the traffic generated by the nodes within the VLAN is
restricted to nodes of the same VLAN, unless there is a router or Layer 3
device. Different users are assigned to different VLANs depending on their
resource requirements and security levels.
The problem with a port-based VLAN is that VLAN membership is
determined by the port on the switch to which the device is connected. If a
different device that needs to belong to a different VLAN is connected to
the port, the port must be manually moved to the new VLAN using the
management software.
With 802.1x port-based network access control, you can link a username
and password combination or MAC address to a specific VLAN so that the
switch automatically moves the port to the appropriate VLAN when a client
logs on. This frees the network manager from having to reconfigure
VLANs as end users access the network from different points or where the
same workstation is used by different individuals at different times.
To use this feature, you have to enter a VLAN identifier, along with other
information, when you create a supplicant account on the RADIUS server.
The server passes the identifier to the switch when a user logs on with a
valid username and password combination or MAC address, depending
on the authentication method. The information to provide on the RADIUS
server is outlined in “Supplicant VLAN Attributes on the RADIUS Server”
on page 395.
How the switch responses when it receives VLAN information during the
authentication process can differ depending on the operating mode of the
authenticator port.
Содержание AT-S63
Страница 14: ...Figures 14 ...
Страница 18: ...Tables 18 ...
Страница 28: ...28 Section I Basic Operations ...
Страница 58: ...Chapter 1 Overview 58 ...
Страница 76: ...Chapter 2 AT 9400Ts Stacks 76 Section I Basic Operations ...
Страница 96: ...Chapter 5 MAC Address Table 96 Section I Basic Operations ...
Страница 114: ...Chapter 8 Port Mirror 114 Section I Basic Operations ...
Страница 116: ...116 Section II Advanced Operations ...
Страница 146: ...Chapter 12 Access Control Lists 146 Section II Advanced Operations ...
Страница 176: ...Chapter 14 Quality of Service 176 Section II Advanced Operations ...
Страница 196: ...196 Section III Snooping Protocols ...
Страница 204: ...Chapter 18 Multicast Listener Discovery Snooping 204 Section III Snooping Protocols ...
Страница 216: ...Chapter 20 Ethernet Protection Switching Ring Snooping 216 Section III Snooping Protocols ...
Страница 218: ...218 Section IV SNMPv3 ...
Страница 234: ...234 Section V Spanning Tree Protocols ...
Страница 268: ...268 Section VI Virtual LANs ...
Страница 306: ...Chapter 27 Protected Ports VLANs 306 Section VI Virtual LANs ...
Страница 320: ...320 Section VII Internet Protocol Routing ...
Страница 360: ...Chapter 30 BOOTP Relay Agent 360 Section VII Routing ...
Страница 370: ...Chapter 31 Virtual Router Redundancy Protocol 370 Section VII Routing ...
Страница 372: ...372 Section VIII Port Security ...
Страница 402: ...Chapter 33 802 1x Port based Network Access Control 402 Section VIII Port Security ...
Страница 404: ...404 Section IX Management Security ...
Страница 436: ...Chapter 36 PKI Certificates and SSL 436 Section IX Management Security ...
Страница 454: ...Chapter 38 TACACS and RADIUS Protocols 454 Section IX Management Security ...
Страница 462: ...Chapter 39 Management Access Control List 462 Section IX Management Security ...
Страница 504: ...Appendix B SNMPv3 Configuration Examples 504 Security Model Security Level Storage Type SNMPv3 Parameters Continued ...
Страница 532: ...Appendix D MIB Objects 532 ...