
Lantronix
SM24TBT2DPA and SM24TBT2DPB Web User Guide
Port Configuration:
The table has one row for each port on the switch and several columns:
Port:
The port number for which the configuration below applies.
Admin State:
If NAS is globally enabled, this selection controls the port's authentication mode.
These modes are available:
Force Authorized: In this mode, the switch will send one EAPOL Success frame
when the port link comes up, and any client on the port will be allowed network
access without authentication.
Force Unauthorized: In this mode, the switch will send one EAPOL Failure
frame when the port link comes up, and any client on the port will be disallowed
network access.
Port-based 802.1X: In the 802.1X world, the user is called the supplicant, the
switch is the authenticator, and the RADIUS server is the authentication server.
The authenticator acts as the man-in-the-middle, forwarding requests and responses between the
supplicant and the authentication server. Frames sent between the supplicant and the switch are
special 802.1X frames, known as EAPOL (EAP Over LANs) frames. EAPOL frames encapsulate
EAP PDUs (RFC 3748). Frames sent between the switch and the RADIUS server are RADIUS
packets. RADIUS packets also encapsulate EAP PDUs together with other attributes like the switch's
IP address, name, and the supplicant's port number on the switch. EAP is very flexible, in that it
allows for different authentication methods, like MD5-Challenge, PEAP, and TLS. The important thing
is that the authenticator (the switch) doesn't need to know which authentication method the
supplicant and the authentication server are using, or how many information exchange frames are
needed for a particular method. The switch simply encapsulates the EAP part of the frame into the
relevant type (EAPOL or RADIUS) and forwards it.
When authentication is complete, the RADIUS server sends a special packet containing a success or
failure indication. Besides forwarding this decision to the supplicant, the switch uses it to open up or
block traffic on the switch port connected to the supplicant.
NOTE: Suppose two backend servers are enabled and that the server timeout is configured
to X seconds (using the AAA configuration page) and suppose that the first server in the list
is currently down (but not considered dead).
Now, if the supplicant retransmits EAPOL Start frames more often than every X seconds, then
it will never get authenticated, because the switch cancels on-going backend
authentication server requests whenever it receives a new EAPOL Start frame from the
supplicant.
And since the server hasn't yet failed (because the X seconds haven't expired), the same
server will be contacted upon the next backend authentication server request from the
switch. This scenario will loop forever. Therefore, the server timeout should be smaller than
the interval at which the supplicant retransmits EAPOL Start frames.
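Added example (not from the Lantronix guide or the switch firmware): a simplified Python model of the loop described in the NOTE, showing when failover to the second backend server can and cannot happen. The function name simulate, the response_delay and horizon parameters, and the tie-breaking rule are assumptions made for the illustration.

```python
# Added illustration: a simplified model of the NOTE above, not switch firmware.
def simulate(server_timeout, start_interval, servers_up,
             response_delay=0.5, horizon=300.0):
    """Return the time (s) at which authentication completes, or None.

    Modelling assumptions (hypothetical, not from the guide):
    - the supplicant sends EAPOL Start at t = 0, start_interval, ... until
      it is authenticated;
    - every EAPOL Start cancels the outstanding backend request and the
      switch re-sends it to the server it is currently using;
    - a server that stays silent for server_timeout seconds is skipped;
    - a reachable server answers after response_delay seconds;
    - on a tie, the EAPOL Start is processed before the timeout expires.
    """
    current = 0                      # index of the server in use
    t = 0.0                          # arrival time of the latest EAPOL Start
    while t < horizon:
        next_start = t + start_interval
        clock = t                    # when the current request was sent
        while current < len(servers_up):
            if servers_up[current]:
                done = clock + response_delay
                if done < next_start:
                    return done      # reply arrives before the next Start
                break                # cancelled before the reply arrived
            expiry = clock + server_timeout
            if expiry >= next_start:
                break                # cancelled: timeout never expires
            current += 1             # timeout expired, fail over
            clock = expiry
        else:
            return None              # every configured server was tried
        t = next_start
    return None                      # still looping at the horizon


if __name__ == "__main__":
    # Constructed scenario: first server down, second server reachable.
    servers = [False, True]
    for timeout, interval in [(30, 10), (10, 10), (5, 10)]:
        result = simulate(timeout, interval, servers)
        print(f"timeout={timeout}s start_interval={interval}s -> {result}")
```

Only the configuration whose server timeout is strictly smaller than the EAPOL Start interval reaches the second server; the other two never authenticate within the simulated horizon.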
Single 802.1X: In port-based 802.1X authentication, once a supplicant is successfully authenticated
on a port, the whole port is opened for network traffic. This allows other clients connected to the port
(for instance through a hub) to piggy-back on the successfully authenticated client and get network
access even though they really aren't authenticated. To overcome this security breach, use the
Single 802.1X variant. Single 802.1X is really not an IEEE standard, but features many of the same
characteristics as does port-based 802.1X. In Single 802.1X, at most one supplicant can get
authenticated on the port at a time. Normal EAPOL frames are used in the communication between
the supplicant and the switch. If more than one supplicant is connected to a port, the one that comes
first when the port's link comes up will be the first one considered. If that supplicant doesn't provide
valid credentials within a certain amount of time, another supplicant will get a chance. Once a
supplicant is successfully authenticated, only that supplicant will be allowed access. This is the most
secure of all the supported modes. In this mode, the Port Security module is used to secure a
supplicant's MAC address once successfully authenticated.
Multi 802.1X: In port-based 802.1X authentication, once a supplicant is successfully authenticated
on a port, the whole port is opened for network traffic. This allows other clients connected to the port