TGPS-9164GT-M12 Series User
Manual
ORing Industrial Networking Corp
126
Other Info
This section contains information about the state of the server and the
latest
round-trip
time.
5.8.6 NAS (802.1x)
A NAS (Network Access Server) is an access gateway between an external communications
network and an internal network. For example, when the user dials into the ISP, he/she will be
given access to the Internet after being authorized by the access server. The authentication
between the client and the server include IEEE 802.1X- and MAC-based.
The IEEE 802.1X standard defines a port-based access control procedure that prevents
unauthorized access to a network by requiring users to first submit credentials for
authentication. One or more backend servers (RADIUS
)
determine whether the user is allowed
access to the network.
MAC-based authentication allows for authentication of more than one user on the same port,
and does not require the users to have special 802.1X software installed on their system. The
switch uses the users' MAC addresses to authenticate against the backend server. As
intruders can create counterfeit MAC addresses, MAC-based authentication is less secure
than 802.1X authentication.
Overview of 802.1X (Port-Based) Authentication
In an 802.1X network environment, the user is called the supplicant, the switch is the
authenticator, and the RADIUS server is the authentication server. The switch acts as the
man-in-the-middle, forwarding requests and responses between the supplicant and the
authentication server. Frames sent between the supplicant and the switch are special 802.1X
frames, known as EAPOL (EAP Over LANs) frames which encapsulate EAP PDUs (RFC3748).
Frames sent between the switch and the RADIUS server are RADIUS packets. RADIUS
packets also encapsulate EAP PDUs together with other attributes like the switch's IP address,
name, and the supplicant's port number on the switch. EAP is very flexible as it allows for
different authentication methods, like MD5-Challenge, PEAP, and TLS. The important thing is
that the authenticator (the switch) does not need to know which authentication method the
supplicant and the authentication server are using, or how many information exchange frames
are needed for a particular method. The switch simply encapsulates the EAP part of the frame