Chapter 3: Web Management
Security - Network - NAS (Network Access Server)
PoE Switch User Manual | 79
Frames sent between the supplicant and the switch are special 802.1X frames, known as
EAPOL (EAP over LANs) frames. EAPOL frames encapsulate EAP PDUs (RFC 3748).
Frames sent between the switch and the RADIUS server are RADIUS packets. RADIUS
packets also encapsulate EAP PDUs, together with other attributes such as the switch's IP
address and name and the supplicant's port number on the switch. EAP is very flexible in that it
allows different authentication methods, such as MD5-Challenge, PEAP, and TLS (of these,
only PEAP and TLS also authenticate the server to the supplicant; MD5-Challenge authenticates
the client alone). The important point is that the authenticator (the switch) does not need to
know which authentication method the supplicant and the authentication server are using, or
how many information exchange frames a particular method needs. The switch simply
encapsulates the EAP part of the frame in the relevant type (EAPOL or RADIUS) and
forwards it.
When authentication is complete, the RADIUS server sends a special packet (Access-Accept
or Access-Reject) containing a success or failure indication. Besides forwarding this decision
to the supplicant as an EAP Success or EAP Failure, the switch uses it to open up or block
traffic on the switch port connected to the supplicant.
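The relay described above, as an added example in Python (not code from this manual and not the switch's firmware): it parses an EAPOL frame, pulls the EAP PDU out without interpreting the method inside it, wraps it in a RADIUS Access-Request carrying the switch's IP address, name and the supplicant's port number, and finally maps the server's reply to the state the switch applies to the port. The MAC addresses, IP address, NAS identifier, port number and shared secret are made-up sample values, and constructed_server_reply stands in for a real RADIUS server so the exchange runs offline.

```python
import hashlib
import hmac
import os
import struct

# Constants from IEEE 802.1X (EAPOL), RFC 3748 (EAP) and RFC 2865 / RFC 3579 (RADIUS).
ETHERTYPE_EAPOL = 0x888E
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
RADIUS_ACCESS_REQUEST, RADIUS_ACCESS_ACCEPT, RADIUS_ACCESS_REJECT = 1, 2, 3
ATTR_NAS_IP_ADDRESS, ATTR_NAS_PORT, ATTR_NAS_IDENTIFIER = 4, 5, 32
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80

def parse_eapol(frame):
    """Return (supplicant_mac, eapol_type, body) from a raw Ethernet frame, checking lengths."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    _version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("truncated EAPOL body")
    return frame[6:12], eapol_type, body

def parse_eap(pdu):
    """Return (code, identifier, type_or_None); the switch needs no more of the PDU than this."""
    if len(pdu) < 4 or struct.unpack("!H", pdu[2:4])[0] != len(pdu):
        raise ValueError("EAP length field does not match PDU size")
    code, ident = pdu[0], pdu[1]
    eap_type = pdu[4] if code in (EAP_REQUEST, EAP_RESPONSE) and len(pdu) > 4 else None
    return code, ident, eap_type

def _attr(attr_type, value):
    """One RADIUS attribute: type, length (header included), value of at most 253 bytes."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return bytes([attr_type, 2 + len(value)]) + value

def _eap_message_attrs(eap_pdu):
    """Copy the EAP PDU unchanged into EAP-Message attributes, split at 253 bytes (RFC 3579)."""
    return b"".join(_attr(ATTR_EAP_MESSAGE, eap_pdu[i:i + 253]) for i in range(0, len(eap_pdu), 253))

def build_access_request(eap_pdu, nas_ip, nas_id, nas_port, secret, ident=None, authenticator=None):
    """Wrap an EAP PDU in a RADIUS Access-Request as the authenticator does: it adds its own
    identity and the supplicant's port, plus the Message-Authenticator (HMAC-MD5 over the
    packet with that value zeroed) that RFC 3579 requires whenever EAP-Message is present."""
    ident = os.urandom(1)[0] if ident is None else ident
    authenticator = os.urandom(16) if authenticator is None else authenticator
    attrs = _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    attrs += _attr(ATTR_NAS_IDENTIFIER, nas_id.encode())
    attrs += _attr(ATTR_NAS_PORT, struct.pack("!I", nas_port))
    attrs += _eap_message_attrs(eap_pdu)
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # kept last so the HMAC can be patched in
    packet = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()

def verify_message_authenticator(packet, secret):
    """The check the server applies to the request above (assumes Message-Authenticator is last)."""
    if len(packet) < 38 or packet[-18:-16] != bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]):
        return False
    expected = hmac.new(secret, packet[:-16] + bytes(16), hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[-16:])

def radius_attributes(packet):
    """Yield (type, value) pairs, rejecting attribute lengths that overrun the packet."""
    pos = 20
    while pos < len(packet):
        attr_len = packet[pos + 1] if pos + 1 < len(packet) else 0
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed RADIUS attribute")
        yield packet[pos], packet[pos + 2:pos + attr_len]
        pos += attr_len

def handle_radius_reply(reply, request_authenticator, secret, supplicant_mac, switch_mac):
    """Validate the server's reply and return (port_state, eapol_frame_for_supplicant).
    port_state is what the switch applies to the port: "authorized" on Access-Accept,
    "unauthorized" on Access-Reject, "pending" on Access-Challenge (more EAP to relay).
    The Response Authenticator is MD5(Code+ID+Length+RequestAuth+Attributes+Secret), so a
    reply forged by someone without the shared secret is dropped instead of opening the port."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        raise ValueError("RADIUS length mismatch")
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad Response Authenticator: not from the configured server")
    eap_pdu = b"".join(v for t, v in radius_attributes(reply) if t == ATTR_EAP_MESSAGE)
    state = {RADIUS_ACCESS_ACCEPT: "authorized", RADIUS_ACCESS_REJECT: "unauthorized"}.get(reply[0], "pending")
    eapol = struct.pack("!HBBH", ETHERTYPE_EAPOL, 2, EAPOL_EAP_PACKET, len(eap_pdu)) + eap_pdu
    return state, supplicant_mac + switch_mac + eapol

def constructed_server_reply(code, ident, request_authenticator, eap_pdu, secret):
    """Stand-in for the RADIUS server, constructed for this example (no Message-Authenticator)."""
    attrs = _eap_message_attrs(eap_pdu)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

if __name__ == "__main__":
    # Constructed exchange: EAP-Response/Identity "alice" arrives on port 7 of switch "sw1".
    secret, auth = b"testing123", os.urandom(16)
    supplicant, switch = bytes.fromhex("001122334455"), bytes.fromhex("00aabbccddee")
    pdu = bytes([EAP_RESPONSE, 1, 0, 10, 1]) + b"alice"
    frame = bytes.fromhex("0180c2000003") + supplicant + struct.pack("!HBBH", ETHERTYPE_EAPOL, 2, 0, 10) + pdu
    request = build_access_request(parse_eapol(frame)[2], "192.0.2.10", "sw1", 7, secret, 42, auth)
    reply = constructed_server_reply(RADIUS_ACCESS_ACCEPT, 42, auth, bytes([EAP_SUCCESS, 1, 0, 4]), secret)
    print(parse_eap(pdu), verify_message_authenticator(request, secret),
          handle_radius_reply(reply, auth, secret, supplicant, switch)[0])
```

Two things worth noticing when running it: the EAP bytes pass through build_access_request and handle_radius_reply untouched, which is exactly why the switch need not understand the method in use, and the Response Authenticator check is what keeps a spoofed Access-Accept on the management network from flipping a port to authorized.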
Note: Suppose two backend servers are enabled and that the server timeout is configured to
X seconds (on the AAA configuration page), and suppose that the first server in the list is
currently down but not yet considered dead. If the supplicant retransmits EAPOL Start
frames more often than every X seconds, it will never get authenticated, because the
switch cancels the ongoing backend authentication server request whenever it receives a
new EAPOL Start frame from the supplicant. And since the server has not yet failed (the
X seconds have not expired), the same server is contacted again on the switch's next backend
authentication server request. This scenario loops forever. Therefore, the server timeout
should be smaller than the supplicant's EAPOL Start retransmission interval.
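A small model of the scenario in the note, added here as an example rather than taken from the manual or the switch firmware. It assumes the behaviour the note describes: the switch tries the configured servers in order, fails over to the next one when a request exceeds the server timeout, and starts again from the first server whenever a new EAPOL Start arrives. Given the server timeout X, the supplicant's retransmission interval R and each server's reply delay (None for a server that is up but silent), it returns the moment an answer reaches the switch, or None when the retransmissions cancel every attempt. It also generalizes the note beyond two servers: with k silent servers ahead of the live one, authentication completes only if k·X < R.

```python
def first_backend_answer(server_timeout, eapol_start_interval, server_latency):
    """Seconds after the first EAPOL Start at which a backend answer reaches the switch,
    or None if the supplicant's retransmissions keep cancelling the request.

    Assumed model of the note's mechanics (not taken from the firmware): server_latency[i]
    is backend server i's reply delay, None for a server that is up but silent and not yet
    declared dead.  The switch sends to server 0, fails over to the next server when a
    request exceeds server_timeout, and abandons the chain and starts again at server 0
    when a fresh EAPOL Start arrives.  Every EAPOL Start restarts the identical sequence,
    so one retransmission period decides whether authentication ever completes.
    """
    deadline = eapol_start_interval   # the next EAPOL Start cancels whatever is still pending
    sent_at = 0.0
    for latency in server_latency:
        if latency is not None and latency <= server_timeout:
            reply_at = sent_at + latency
            return reply_at if reply_at < deadline else None
        sent_at += server_timeout     # no answer within the timeout: fail over to the next server
        if sent_at >= deadline:
            return None               # the EAPOL Start wins the race: back to server 0, forever
    return None                       # every configured server stayed silent

if __name__ == "__main__":
    # Server 1 silent, server 2 answers in 0.5 s; only X < R gets the supplicant through.
    for timeout, interval in ((30, 10), (5, 10), (5, 5)):
        print(f"X={timeout}s R={interval}s ->", first_backend_answer(timeout, interval, [None, 0.5]))
```

The equal case (X = R) is treated as the supplicant winning the race, which is why the manual says the timeout must be smaller than, not equal to, the retransmission interval; a live server that answers later than X is counted as silent too, since the switch has already moved on.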
Single 802.1X
In port-based 802.1X authentication, once a supplicant is successfully authenticated on a
port, the whole port is opened for network traffic. This allows other clients connected to the
port (for instance through a hub) to piggy-back on the successfully authenticated client and
get network access even though they themselves are not authenticated. To close this hole,
use the Single 802.1X variant.
Single 802.1X is not an IEEE standard, but it shares many characteristics with port-based
802.1X. In Single 802.1X, at most one supplicant can be authenticated on the port at a time.
Normal EAPOL frames are used in the communication between the supplicant and the switch.
If more than one supplicant is connected to a port, the one that comes first when the port's
link comes up will be the first one considered. If that supplicant