USAGE GUIDELINES
When 802.1X is enabled, you need to configure the parameters for the authentication
process that runs between the client and the switch (i.e., authenticator), as well as the client
identity lookup process that runs between the switch and authentication server. These
parameters are described in this section.
PARAMETERS
These parameters are displayed:
System Configuration
◆ Mode – Indicates if 802.1X and MAC-based authentication are globally enabled or disabled on the switch. If globally disabled, all ports are allowed to forward frames.
◆ Reauthentication Enabled – Sets clients to be re-authenticated after an interval specified by the Reauthentication Period. Reauthentication can be used to detect if a new device is plugged into a switch port. (Default: Disabled)
For MAC-based ports, reauthentication is only useful if the RADIUS server configuration has changed. It does not involve communication between the switch and the client, and therefore does not imply that a client is still present on a port (see Aging Period below).
◆ Reauthentication Period – Sets the time period after which a connected client must be re-authenticated. (Range: 1-3600 seconds; Default: 3600 seconds)
◆ EAPOL Timeout – Sets the time the switch waits for a supplicant response during an authentication session before retransmitting a Request Identity EAPOL packet. (Range: 1-255 seconds; Default: 30 seconds)
◆ Aging Period – The period used to calculate when to age out a client allowed access to the switch through Single 802.1X, Multi 802.1X, and MAC-based authentication, as described below. (Range: 10-1000000 seconds; Default: 300 seconds)
When the NAS module uses the Port Security module to secure MAC addresses, the Port Security module needs to check for activity on the MAC address in question at regular intervals and free resources if no activity is seen within the given aging period.
If reauthentication is enabled and the port is in an 802.1X-based mode, this is not so critical, since supplicants that are no longer attached to the port will be removed upon the next reauthentication, which will fail. But if reauthentication is not enabled, the only way to free resources is by aging the entries.
For ports in MAC-based Auth. mode, reauthentication does not cause direct communication between the switch and the client, so it will not detect whether the client is still attached, and the only way to free any resources is to age the entry.
◆ Hold Time – The time after an EAP Failure indication or RADIUS timeout that a client is not allowed access. This setting applies to ports running Single 802.1X, Multi 802.1X, or
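The interaction between Reauthentication Enabled, Reauthentication Period and Aging Period described above determines how long a client that has silently left a port keeps its authorized entry. The following Python model, added here as an illustration and not part of the manual or the switch firmware, encodes the documented ranges and defaults and computes when a detached client's entry is freed on an 802.1X-based port versus a MAC-based port. The timing model is an assumption for illustration: a failed reauthentication is taken to remove the entry at the first reauthentication tick after the client left (ignoring the EAPOL retransmission window), and aging is taken to free the entry one full Aging Period after the client's last frame.

```python
from dataclasses import dataclass, field

# Ranges and defaults listed in the manual, in seconds: (min, max, default)
PARAMETER_RANGES = {
    "reauth_period": (1, 3600, 3600),
    "eapol_timeout": (1, 255, 30),
    "aging_period": (10, 1_000_000, 300),
}


def parameter_in_range(name: str, value: int) -> bool:
    """True if value is an integer within the documented range for name."""
    lo, hi, _default = PARAMETER_RANGES[name]
    return isinstance(value, int) and lo <= value <= hi


def validate_parameter(name: str, value: int) -> int:
    """Return value unchanged if it is in range, otherwise raise ValueError."""
    if not parameter_in_range(name, value):
        lo, hi, _default = PARAMETER_RANGES[name]
        raise ValueError(f"{name} must be an integer in {lo}-{hi} seconds, got {value!r}")
    return value


@dataclass
class PortConfig:
    """Per-port NAS settings relevant to freeing stale client entries.

    mode is "802.1x" (Single or Multi 802.1X) or "mac-based" (hypothetical
    labels used by this model, not the switch's own option names).
    """
    mode: str
    reauth_enabled: bool = False  # manual default: Disabled
    reauth_period: int = field(default=PARAMETER_RANGES["reauth_period"][2])
    aging_period: int = field(default=PARAMETER_RANGES["aging_period"][2])

    def __post_init__(self) -> None:
        if self.mode not in ("802.1x", "mac-based"):
            raise ValueError(f"unknown port mode {self.mode!r}")
        validate_parameter("reauth_period", self.reauth_period)
        validate_parameter("aging_period", self.aging_period)


def entry_freed_at(cfg: PortConfig, authenticated_at: int, detached_at: int):
    """Return (time, mechanism) at which a detached client's entry is freed.

    authenticated_at: time the client was first authorized on the port.
    detached_at: time of the client's last frame (it leaves silently after).
    """
    # Aging: Port Security frees the entry once no activity is seen for a full
    # Aging Period after the last frame. Applies in every mode.
    candidates = {"aging": detached_at + cfg.aging_period}

    # Reauthentication only detects an absent client on 802.1X-based ports,
    # because only there does the switch actually talk to the supplicant.
    # On MAC-based ports the RADIUS lookup succeeds whether or not the client
    # is still attached, so it is not a removal mechanism at all.
    if cfg.mode == "802.1x" and cfg.reauth_enabled:
        elapsed = detached_at - authenticated_at
        ticks_passed = elapsed // cfg.reauth_period
        # First reauthentication tick strictly after the client left fails
        # (assumed: EAPOL retransmission delay before the failure is ignored).
        next_tick = authenticated_at + (ticks_passed + 1) * cfg.reauth_period
        candidates["reauthentication"] = next_tick

    mechanism = min(candidates, key=candidates.get)
    return candidates[mechanism], mechanism


if __name__ == "__main__":
    # Constructed scenario: client authorized at t=0, last frame at t=100.
    for cfg in (
        PortConfig("802.1x", reauth_enabled=True, reauth_period=120, aging_period=300),
        PortConfig("802.1x", reauth_enabled=False, reauth_period=120, aging_period=300),
        PortConfig("mac-based", reauth_enabled=True, reauth_period=120, aging_period=300),
    ):
        t, how = entry_freed_at(cfg, authenticated_at=0, detached_at=100)
        print(f"{cfg.mode:9s} reauth={cfg.reauth_enabled!s:5s} -> freed at t={t} by {how}")
```

Running the scenario shows the point the manual makes: with the factory defaults (reauthentication disabled, Aging Period 300 s) a client that unplugs keeps its entry for 300 s in every mode, and on a MAC-based port enabling reauthentication does not shorten that window at all; only the Aging Period does.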