iES28TG/iES28GF User Manual
148
iS5 Communications Inc.
5.9.3
NAS (802.1x)
Configuration
This page allows you to configure the IEEE 802.1X and MAC-based authentication system and port
settings.
The IEEE 802.1X standard defines a port-based access control procedure that prevents
unauthorized access to a network by requiring users to first submit credentials for
authentication. One or more central servers (the backend servers
)
determine whether the user is
allowed access to the network. These backend (RADIUS) servers are configured on the "Security →
AAA → AAA" page.
MAC-based authentication allows for authentication of more than one user on the same port, and
does not require the users to have special 802.1X software installed on their system. The switch uses
the users' MAC addresses to authenticate against the backend server. As intruders can create
counterfeit MAC addresses, which makes MAC-based authentication is less secure than 802.1 X
authentications.
Overview of 802.1X (Port-Based) Authentication
In an 802.1X network environment, the user is called the supplicant, the switch is the
authenticator, and the RADIUS server is the authentication server. The switch acts as the man-in-
the-middle, forwarding requests and responses between the supplicant and the authentication server.
Frames sent between the supplicant and the switch are special 802.1X frames, known as EAPOL (EAP
Over LANs) frames which encapsulate EAP PDUs (RFC3748). Frames sent between the switch and the
RADIUS server are RADIUS packets. RADIUS packets also encapsulate EAP PDUs together with other
attributes like the switch's IP address, name, and the supplicant's port number on the switch. EAP is
very flexible as it allows for different authentication methods, like MD5-Challenge, PEAP, and TLS.
The important thing is that the authenticator (the switch) does not need to know which
authentication method the supplicant and the authentication server are using, or how many
information exchange frames are needed for a particular method. The switch simply encapsulates the
EAP part of the frame into the relevant type (EAPOL or RADIUS) and forwards it.
When authentication is complete, the RADIUS server sends a special packet containing a success
or failure indication. Besides forwarding the result to the supplicant, the switch uses it to open up or
block traffic on the switch port connected to the supplicant.
Note: in an environment where two backend servers are enabled, the server timeout is
configured to X seconds (using the authentication configuration page), and the first server in the list
is currently down (but not considered dead) , if the supplicant retransmits EAPOL Start frames at a rate
faster than X seconds, it will never be authenticated because the switch will cancel on-going backend
