User’s Manual of NS3550-24T/4S
207
In this mode, the switch will send one EAPOL Failure frame when the port link
comes up, and any client on the port will be disallowed network access.
Port-based 802.1X
In the 802.1X-world, the user is called the supplicant, the switch is the
authenticator, and the RADIUS server is the authentication server. The
authenticator acts as the man-in-the-middle, forwarding requests and responses
between the supplicant and the authentication server. Frame sent between the
supplicant and the switch is special 802.1X frame, known as EAPOL (EAP Over
LANs) frames. EAPOL frames encapsulate EAP PDUs (RFC3748). Frame sent
between the switch and the RADIUS server is RADIUS packet. RADIUS packets
also encapsulate EAP PDUs together with other attributes like the switch's IP
address, name, and the supplicant's port number on the switch. EAP is very
flexible, in that it allows for different authentication methods, like MD5-Challenge,
PEAP, and TLS. The important thing is that the authenticator (the switch) doesn't
need to know which authentication method the supplicant and the authentication
server are using, or how many information exchange frames are needed for a
particular method. The switch simply encapsulates the EAP part of the frame into
the relevant type (EAPOL or RADIUS) and forwards it.
When authentication is complete, the RADIUS server sends a special packet
containing a success or failure indication. Besides forwarding this decision to the
supplicant, the switch uses it to open up or block traffic on the switch port
connected to the supplicant.
Note
: Suppose two backend servers are enabled and that the server timeout is
configured to X seconds (using the AAA configuration page), and suppose that
the first server in the list is currently down (but not considered dead). Now, if the
supplicant retransmits EAPOL Start frames at a rate faster than X seconds, then it
will never get authenticated, because the switch will cancel on-going backend
authentication server requests whenever it receives a new EAPOL Start frame
from the supplicant. And since the server hasn't yet failed (because the X seconds
haven't expired), the same server will be contacted upon the next backend
authentication server request from the switch. This scenario will loop forever.
Therefore, the server timeout should be smaller than the supplicant's EAPOL Start
frame retransmission rate.
Single 802.1X
In port-based 802.1X authentication, once a supplicant is successfully
authenticated on a port, the whole port is opened for network traffic. This allows
other clients connected to the port (for instance through a hub) to piggy-back on
the successfully authenticated client and get network access even though they
really aren't authenticated. To overcome this security breach, use the Single
802.1X variant.
Single 802.1X is really not an IEEE standard, but features many of the same
characteristics, as does port-based 802.1X. In Single 802.1X, at most one
supplicant can get authenticated on the port at a time. Normal EAPOL frames are
used in the communication between the supplicant and the switch. If more than
one supplicant is connected to a port, the one that comes first when the port's link
comes up will be the first one considered. If that supplicant doesn't provide valid
credentials within a certain amount of time, another supplicant will get a chance.
Once a supplicant is successfully authenticated, only that supplicant will be
allowed access. This is the most secure of all the supported modes. In this mode,
the Port Security module is used to secure a supplicant's MAC address once
successfully authenticated.
Multi 802.1X
In port-based 802.1X authentication, once a supplicant is successfully
authenticated on a port, the whole port is opened for network traffic. This allows
other clients connected to the port (for instance through a hub) to piggy-back on
the successfully authenticated client and get network access even though they
really aren't authenticated. To overcome this security breach, use the Multi 802.1X
variant.
Multi 802.1X is really not an IEEE standard, but features many of the same
characteristics as does port-based 802.1X. Multi 802.1X is - like Single 802.1X -
not an IEEE standard, but a variant that features many of the same
characteristics. In Multi 802.1X, one or more supplicants can get authenticated on
the same port at the same time. Each supplicant is authenticated individually and
secured in the MAC table using the Port Security module.
Содержание IFS NS3550-24T/4S
Страница 1: ...P N 1072569 REV 00 05 ISS 11OCT12 IFS NS3550 24T 4S User Manual ...
Страница 37: ...User s Manual of NS3550 24T 4S 37 ...
Страница 96: ...96 Figure 4 4 6 Port Mirror Configuration Page Screenshot ...
Страница 127: ...User s Manual of NS3550 24T 4S 127 Figure 4 6 10 Port 1 Port 6 VLAN Configuration ...
Страница 151: ...User s Manual of NS3550 24T 4S 151 Figure 4 8 1 Multicast Service Figure 4 8 2 Multicast Flooding ...
Страница 184: ...184 Figure 4 9 14 Voice VLAN Configuration Page Screenshot ...
Страница 204: ...204 Figure 4 11 4 Network Access Server Configuration Page Screenshot ...
Страница 234: ...234 Figure 4 12 1 Port Limit Control Configuration Overview Page Screenshot ...
Страница 250: ...250 Click to undo any changes made locally and revert to previously saved values ...
Страница 297: ...User s Manual of NS3550 24T 4S 297 ...
Страница 388: ...388 Example Show RADIUS statistics SWITCH security aaa statistics ...
Страница 410: ...410 Parameters vid VLAN ID 1 4095 Default Setting disable ...
Страница 441: ...User s Manual of NS3550 24T 4S 441 Example Enable the mirror mode for port 1 4 SWITCH mirror mode 1 4 enable ...