
Antaira Technologies - Industrial Ethernet Switches
LNX-2012G-SFP Series User Manual V1.0
how many information exchange frames are needed for a
particular method. The switch simply encapsulates the EAP
part of the frame into the relevant type (EAPOL or RADIUS)
and forwards it.
When authentication is complete, the RADIUS server sends
a special packet containing a success or failure indication.
Besides forwarding this decision to the supplicant, the
switch uses it to open up or block traffic on the switch port
connected to the supplicant.
Note: Suppose two backend servers are enabled, the server
timeout is configured to X seconds (using the AAA
configuration page), and the first server in the list is
currently down (but not considered dead). If the supplicant
retransmits EAPOL Start frames at intervals shorter than X
seconds, it will never get authenticated, because the switch
cancels ongoing backend authentication server requests
whenever it receives a new EAPOL Start frame from the
supplicant. Since the server has not yet failed (because the
X seconds have not expired), the same server is contacted
on the next backend authentication server request from the
switch. This scenario loops forever. Therefore, the server
timeout should be smaller than the supplicant's EAPOL Start
frame retransmission interval.
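The timing loop described in the note can be reproduced with a small model. The Python below is an added example, not taken from the Antaira manual or firmware; the function `simulate`, its parameters, and the simplifications (a live server answers instantly, a timeout equal to the retransmission interval counts as cancelled) are assumptions.

```python
def simulate(server_timeout, start_interval, servers_up, horizon=300.0):
    """Return the time in seconds at which authentication completes, or None.

    Assumptions of this model (not taken from the switch firmware):
    - servers_up lists the backend servers in configured order (True = up).
    - A server that is up answers instantly; a server that is down is marked
      failed only after server_timeout seconds without a reply.
    - Each EAPOL Start cancels the pending backend request, and the switch
      starts again with the first server not yet marked failed.
    """
    failed = set()            # servers the switch has marked as failed
    next_start = 0.0          # supplicant sends its first EAPOL Start at t=0
    while next_start < horizon:
        t = next_start        # a new EAPOL Start cancels any pending request
        next_start = t + start_interval
        while True:
            alive = [i for i in range(len(servers_up)) if i not in failed]
            if not alive:
                return None   # every configured server has timed out
            if servers_up[alive[0]]:
                return t      # RADIUS success relayed, port opens
            if t + server_timeout >= next_start:
                break         # cancelled before the timeout could expire
            t += server_timeout
            failed.add(alive[0])
    return None               # never authenticated within the horizon


if __name__ == "__main__":
    # First server down, second server up, as in the note.
    for timeout, interval in [(30, 10), (30, 30), (15, 30)]:
        result = simulate(timeout, interval, servers_up=[False, True])
        print(f"timeout={timeout}s start_interval={interval}s -> {result}")
```

With the first server down, only the setting where the server timeout is shorter than the EAPOL Start interval reaches the second server and authenticates.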
Single 802.1X
In port-based 802.1X authentication, once a supplicant is
successfully authenticated on a port, the whole port is
opened for network traffic. This allows other clients
connected to the port (for instance through a hub) to
piggyback on the successfully authenticated client and get
network access even though they really aren't
authenticated. To overcome this security breach, use the
Single 802.1X variant.
Single 802.1X is not an IEEE standard, but it shares many
characteristics with port-based 802.1X.
In Single 802.1X, at most one supplicant can get
authenticated on the port at a time. Normal EAPOL frames