Chapter 4: Web configuration
210
NS3552-8P-2S-V2 User Manual
Overview of MAC-based authentication
Unlike 802.1X, MAC-based authentication is not a standard, but merely a best-
practices method adopted by the industry. In MAC-based authentication, users are
called clients, and the switch acts as the supplicant on behalf of clients. The initial
frame (any kind of frame) sent by a client is snooped by the switch, which in turn uses
the client's MAC address as both username and password in the subsequent EAP
exchange with the RADIUS server. The 6-byte MAC address is converted to a string on
the following form "xx-xx-xx-xx-xx-xx", that is, a dash (-) is used as separator between
the lower-cased hexadecimal digits. The switch only supports the MD5-Challenge
authentication method, so the RADIUS server must be configured accordingly.
When authentication is complete, the RADIUS server sends a success or failure
indication, which in turn causes the switch to open up or block traffic for that particular
client using static entries into the MAC table. Only then will frames from the client be
forwarded on the switch. There are no EAPOL frames involved in this authentication,
therefore MAC-based authentication has nothing to do with the 802.1X standard.
The advantage of MAC-based authentication over 802.1X is that several clients can be
connected to the same port (e.g., through a third party switch or a hub) and still require
individual authentication, and the clients don't need special supplicant software to
authenticate. The disadvantage is that MAC addresses can be spoofed by malicious
users, equipment whose MAC address is a valid RADIUS user that can be used by
anyone, and only the MD5-Challenge method is supported.
The 802.1X and MAC-based authentication configuration consists of two sections, a
system- and a port-wide.
Overview of user authentication
The industrial managed switch may be configured to authenticate users logging into the
system for management access using local or remote authentication methods, such as
telnet and web browser. The industrial managed switch provides secure network
management access using the following options:
• Remote Authentication Dial-in User Service (RADIUS)
• Terminal Access Controller Access Control System Plus ()
• Local user name and privilege level control
RADIUS and are logon authentication protocols that use software running
on a central server to control access to RADIUS-aware or TACACS-aware devices on
the network. An authentication server contains a database of multiple user name /
password pairs with associated privilege levels for each user that requires management
access to the industrial managed switch.
Understanding IEEE 802.1X port-based authentication
The IEEE 802.1X standard defines a client-server-based access control and
authentication protocol that restricts unauthorized clients from connecting to a LAN
through publicly accessible ports. The authentication server authenticates each client
Содержание NS3552-8P-2S-V2
Страница 1: ...NS3552 8P 2S V2 User Manual P N 1073552 EN REV B ISS 25JAN19 ...
Страница 41: ...Chapter 3 Switch management NS3552 8P 2S V2 User Manual 39 ...
Страница 73: ...Chapter 4 Web configuration NS3552 8P 2S V2 User Manual 71 ...
Страница 147: ...Chapter 4 Web configuration NS3552 8P 2S V2 User Manual 145 ...
Страница 153: ...Chapter 4 Web configuration NS3552 8P 2S V2 User Manual 151 Multicast flooding IGMP snooping multicast stream control ...
Страница 511: ......