257
authentication.
Force Unauthorized
In this mode, the switch will send one EAPOL Failure frame when the port link
comes up, and any client on the port will be disallowed network access.
Port-based 802.1X
In the 802.1X-world, the user is called the supplicant, the switch is the
authenticator, and the RADIUS server is the authentication server. The
authenticator acts as the man-in-the-middle, forwarding requests and responses
between the supplicant and the authentication server. Frames sent between the
supplicant and the switch are special 802.1X frames, known as EAPOL (EAP
Over LANs) frames. EAPOL frames encapsulate EAP PDUs (RFC3748). Frames
sent between the switch and the RADIUS server are RADIUS packets. RADIUS
packets also encapsulate EAP PDUs together with other attributes like the
switch's IP address, name, and the supplicant's port number on the switch. EAP
is very flexible, in that it allows for different authentication methods, like
MD5-Challenge, PEAP, and TLS. The important thing is that the authenticator
(the switch) doesn't need to know which authentication method the supplicant
and the authentication server are using, or how many information exchange
frames are needed for a particular method. The switch simply encapsulates the
EAP part of the frame into the relevant type (EAPOL or RADIUS) and forwards it.
When authentication is complete, the RADIUS server sends a special packet
containing a success or failure indication. Besides forwarding this decision to the
supplicant, the switch uses it to open up or block traffic on the switch port
connected to the supplicant.
Note
:
Suppose two backend servers are enabled and that the server timeout is
configured to X seconds (using the AAA configuration Page), and suppose that
the first server in the list is currently down (but not considered dead). Now, if the
supplicant retransmits EAPOL Start frames at a rate faster than X seconds, then
it will never get authenticated, because the switch will cancel on-going backend
authentication server requests whenever it receives a new EAPOL Start frame
from the supplicant. And since the server hasn't yet failed (because the X
seconds haven't expired), the same server will be contacted upon the next
backend authentication server request from the switch. This scenario will loop
forever. Therefore, the server timeout should be smaller than the supplicant's
Содержание NS3702-24P-4S
Страница 1: ...NS3702 24P 4S User Manual P N 1072832 REV 00 01 ISS 14JUL14 ...
Страница 65: ...65 Buttons Click to apply changes Click to undo any changes made locally and revert to previously saved values ...
Страница 102: ...102 Figure 4 5 4 LACP Port Configuration Page Screenshot ...
Страница 119: ...119 Figure 4 6 4 VLAN Membership Status for Static User Page Screenshot ...
Страница 124: ...124 Figure 4 6 6 Private VLAN Membership Configuration page screenshot ...
Страница 135: ...135 VLAN 3 Port 3 Port 6 The screen in Figure 4 6 18 appears Figure 4 6 17 Private VLAN Port Setting ...
Страница 140: ...140 Figure 4 6 21 Group Name to VLAN Mapping Table Page Screenshot ...
Страница 164: ...164 Figure 4 8 2 Multicast Flooding ...
Страница 184: ...184 Figure 4 8 15 MLD Snooping Port Group Filtering Configuration Page Screenshot ...
Страница 204: ...204 Figure 4 9 6 QoS Egress Port Tag Remarking Page Screenshot ...
Страница 209: ...209 QoS Class QoS Class value can be any of 0 7 DPL Drop Precedence Level 0 1 ...
Страница 251: ...251 Figure 4 11 3 Authentication Method Configuration Page Screenshot ...
Страница 286: ...286 Figure 4 11 11 RADIUS Server Configuration Screenshot ...
Страница 290: ...290 Figure 4 11 17 Add User Properties Screen Figure 4 11 18 Add User Properties Screen ...
Страница 298: ...298 non committed changes will be lost ...
Страница 349: ...349 Figure 4 16 2 PoE Configuration Screenshot ...
Страница 355: ...355 Figure 4 16 5 PoE Status Screenshot ...