User’s Manual
261
MD5-Challenge, PEAP, and TLS. The important thing is that the authenticator
(the switch) doesn't need to know which authentication method the supplicant
and the authentication server are using, or how many information exchange
frames are needed for a particular method. The switch simply encapsulates the
EAP part of the frame into the relevant type (EAPOL or RADIUS) and forwards it.
When authentication is complete, the RADIUS server sends a special packet
containing a success or failure indication. Besides forwarding this decision to the
supplicant, the switch uses it to open up or block traffic on the switch port
connected to the supplicant.
Note
:
Suppose two backend servers are enabled and that the server timeout is
configured to X seconds (using the AAA configuration page), and suppose that
the first server in the list is currently down (but not considered dead). Now, if the
supplicant retransmits EAPOL Start frames at a rate faster than X seconds, then
it will never get authenticated, because the switch will cancel on-going backend
authentication server requests whenever it receives a new EAPOL Start frame
from the supplicant. And since the server hasn't yet failed (because the X
seconds haven't expired), the same server will be contacted upon the next
backend authentication server request from the switch. This scenario will loop
forever. Therefore, the server timeout should be smaller than the supplicant's
EAPOL Start frame retransmission rate.
Single 802.1X
In port-based 802.1X authentication, once a supplicant is successfully
authenticated on a port, the whole port is opened for network traffic. This allows
other clients connected to the port (for instance through a hub) to piggy-back on
the successfully authenticated client and get network access even though they
really aren't authenticated. To overcome this security breach, use the Single
802.1X variant.
Single 802.1X is really not an IEEE standard, but features many of the same
characteristics as does port-based 802.1X. In Single 802.1X, at most one
supplicant can get authenticated on the port at a time. Normal EAPOL frames are
used in the communication between the supplicant and the switch. If more than
one supplicant is connected to a port, the one that comes first when the port's link
comes up will be the first one considered. If that supplicant doesn't provide valid
credentials within a certain amount of time, another supplicant will get a chance.
Once a supplicant is successfully authenticated, only that supplicant will be
allowed access. This is the most secure of all the supported modes. In this mode,
the Port Security module is used to secure a supplicant's MAC address once
Содержание IGS-10020
Страница 1: ...User s Manual...
Страница 31: ...User s Manual 31 IGS 10020PT IGS 10020PT Dimensions W x D x H 72 x 107 x 152mm...
Страница 32: ...User s Manual 32 IGS 10020HPT IGS 10020HPT Dimensions W x D x H 72 x 107 x 152mm...
Страница 33: ...User s Manual 33 IGS 10080MFT IGS 10080MFT Dimensions W x D x H 72 x 107x 152mm...
Страница 34: ...User s Manual 34 IGS 12040MT IGS 12040MT Dimensions W x D x H 72 x 107 x 152mm...
Страница 35: ...User s Manual 35 IGS 20040MT IGS 20040MT Dimensions W x D x H 72 x 107 x 152mm...
Страница 36: ...User s Manual 36 IGS 20160HPT IGS 20160HPT Dimensions W x D x H 84 x 107 x 152mm...
Страница 46: ...User s Manual 46 Figure 2 16 IGS 10080MFT Upper Panel Figure 2 17 IGS 12040MT Upper Panel...
Страница 47: ...User s Manual 47 Figure 2 18 IGS 20040MT Upper Panel Figure 2 19 IGS 20160HPT Upper Panel...
Страница 181: ...User s Manual 181 Figure 4 8 2 Multicast Flooding Figure 4 8 3 IGMP Snooping Multicast Stream Control...