259
supplicants that might be on the port.
The maximum number of supplicants that can be attached to a port can be
limited using the Port Security Limit Control functionality.
MAC-based Auth.
Unlike port-based 802.1X, MAC-based authentication is not a standard, but
merely a best-practices method adopted by the industry. In MAC-based
authentication, users are called clients, and the switch acts as the supplicant on
behalf of clients. The initial frame (any kind of frame) sent by a client is snooped
by the switch, which in turn uses the client's MAC address as both username and
password in the subsequent EAP exchange with the RADIUS server. The 6-byte
MAC address is converted to a string on the following form "xx-xx-xx-xx-xx-xx",
that is, a dash (-) is used as separator between the lower-cased hexadecimal
digits. The switch only supports the MD5-Challenge authentication method, so
the RADIUS server must be configured accordingly.
When authentication is complete, the RADIUS server sends a success or failure
indication, which in turn causes the switch to open up or block traffic for that
particular client, using the Port Security module. Only then will frames from the
client be forwarded on the switch. There are no EAPOL frames involved in this
authentication, and therefore, MAC-based Authentication has nothing to do with
the 802.1X standard.
The advantage of MAC-based authentication over port-based 802.1X is that
several clients can be connected to the same port (e.g. through a 3rd party
switch or a hub) and still require individual authentication, and that the clients
don't need special supplicant software to authenticate. The advantage of
MAC-based authentication over 802.1X-based authentication is that the clients
don't need special supplicant software to authenticate. The disadvantage is that
MAC addresses can be spoofed by malicious users - equipment whose MAC
address is a valid RADIUS user can be used by anyone. Also, only the
MD5-Challenge method is supported. The maximum number of clients that can
be attached to a port can be limited using the Port Security Limit Control
functionality.
RADIUS-Assigned QoS
Enabled
When RADIUS-Assigned QoS is both globally enabled and enabled (checked)
for a given port, the switch reacts to QoS Class information carried in the
RADIUS Access-Accept packet transmitted by the RADIUS server when a
Содержание NS3702-24P-4S
Страница 1: ...NS3702 24P 4S User Manual P N 1072832 REV 00 01 ISS 14JUL14 ...
Страница 65: ...65 Buttons Click to apply changes Click to undo any changes made locally and revert to previously saved values ...
Страница 102: ...102 Figure 4 5 4 LACP Port Configuration Page Screenshot ...
Страница 119: ...119 Figure 4 6 4 VLAN Membership Status for Static User Page Screenshot ...
Страница 124: ...124 Figure 4 6 6 Private VLAN Membership Configuration page screenshot ...
Страница 135: ...135 VLAN 3 Port 3 Port 6 The screen in Figure 4 6 18 appears Figure 4 6 17 Private VLAN Port Setting ...
Страница 140: ...140 Figure 4 6 21 Group Name to VLAN Mapping Table Page Screenshot ...
Страница 164: ...164 Figure 4 8 2 Multicast Flooding ...
Страница 184: ...184 Figure 4 8 15 MLD Snooping Port Group Filtering Configuration Page Screenshot ...
Страница 204: ...204 Figure 4 9 6 QoS Egress Port Tag Remarking Page Screenshot ...
Страница 209: ...209 QoS Class QoS Class value can be any of 0 7 DPL Drop Precedence Level 0 1 ...
Страница 251: ...251 Figure 4 11 3 Authentication Method Configuration Page Screenshot ...
Страница 286: ...286 Figure 4 11 11 RADIUS Server Configuration Screenshot ...
Страница 290: ...290 Figure 4 11 17 Add User Properties Screen Figure 4 11 18 Add User Properties Screen ...
Страница 298: ...298 non committed changes will be lost ...
Страница 349: ...349 Figure 4 16 2 PoE Configuration Screenshot ...
Страница 355: ...355 Figure 4 16 5 PoE Status Screenshot ...