Chapter 4: Web configuration
NS3552-8P-2S-V2 User Manual
219
Object
Description
use the Single 802.1X variant.
Single 802.1X is really not an IEEE standard, but features many of the same
characteristics as does port-based 802.1X. In Single 802.1X, at most one
supplicant can get authenticated on the port at a time. Normal EAPOL
frames are used in the communication between the supplicant and the
switch. If more than one supplicant is connected to a port, the one that
comes first when the port's link comes up will be the first one considered. If
that supplicant doesn't provide valid credentials within a certain amount of
time, another supplicant will get a chance. After a supplicant is successfully
authenticated, only that supplicant will be allowed access. This is the most
secure of all the supported modes. In this mode, the Port Security module is
used to secure a supplicant's MAC address after successful authentication.
Multi 802.1X
Multi 802.1X is, like Single 802.1X, not an IEEE standard but a variant that
features many of the same characteristics. In Multi 802.1X, one or more
supplicants can get authenticated on the same port at the same time. Each
supplicant is authenticated individually and secured in the MAC table using
the port security module.
In Multi 802.1X, it is not possible to use the multicast BPDU MAC address as
destination MAC address for EAPOL frames sent from the switch towards
the supplicant, since that would cause all supplicants attached to the port to
reply to requests sent from the switch. Instead, the switch uses the
supplicant's MAC address, which is obtained from the first EAPOL Start or
EAPOL Response Identity frame sent by the supplicant. An exception to this
is when no supplicants are attached. In this case, the switch sends EAPOL
request identity frames using the BPDU multicast MAC address as
destination to wake up any supplicants that might be on the port.
The maximum number of supplicants that can be attached to a port can be
limited using the port security limit control functionality.
MAC-based authentication
Unlike port-based 802.1X, MAC-based authentication is not a standard, but
merely a best practices method adopted by the industry. In MAC-based
authentication, users are called clients, and the switch acts as the supplicant
on behalf of clients. The initial frame (any kind of frame) sent by a client is
snooped by the switch, which in turn uses the client's MAC address as both
username and password in the subsequent EAP exchange with the RADIUS
server. The 6-byte MAC address is converted to a string in the format "xx-xx-
xx-xx-xx-xx", that is, a dash (-) is used as separator between the lower-
cased hexadecimal digits. The switch only supports the MD5-Challenge
authentication method, so the RADIUS server must be configured
accordingly.
When authentication is complete, the RADIUS server sends a success or
failure indication, which in turn causes the switch to open up or block traffic
for that particular client, using the port security module. Only then will frames
from the client be forwarded on the switch. There are no EAPOL frames
involved in this authentication, therefore MAC-based authentication has
nothing to do with the 802.1X standard.
The advantage of MAC-based authentication over port-based 802.1X is that
several clients can be connected to the same port (e.g., through a third party
switch or a hub) and still require individual authentication, and that the
clients don't need special supplicant software to authenticate. The
advantage of MAC-based authentication over 802.1X-based authentication
is that the clients don't need special supplicant software to authenticate. The
disadvantage is that MAC addresses can be spoofed by malicious users -
equipment whose MAC address is a valid RADIUS user can be used by
Содержание NS3552-8P-2S-V2
Страница 1: ...NS3552 8P 2S V2 User Manual P N 1073552 EN REV B ISS 25JAN19 ...
Страница 41: ...Chapter 3 Switch management NS3552 8P 2S V2 User Manual 39 ...
Страница 73: ...Chapter 4 Web configuration NS3552 8P 2S V2 User Manual 71 ...
Страница 147: ...Chapter 4 Web configuration NS3552 8P 2S V2 User Manual 145 ...
Страница 153: ...Chapter 4 Web configuration NS3552 8P 2S V2 User Manual 151 Multicast flooding IGMP snooping multicast stream control ...
Страница 511: ......