Instruction Manual
[Single 802.1x]
Only one supplicant can be authenticated on the port
at any time. If more than one supplicant is connected
to a port, the one that comes first when the port’s link
comes up will be the first one considered. If the first
supplicant fails to authenticate, the second supplicant
is then considered.
[Multi 802.1X]
One or more supplicants can be authenticated
on the same port at any time. Each supplicant is
authenticated individually and secured in the MAC
table using the Port Security module.
In Multi 802.1X it is not possible to use the multicast
BPDU MAC address as destination MAC address
for EAPOL frames sent from the switch toward the
supplicant, since that would cause all supplicants
attached to the port to reply to the requests sent from
the switch.
[MAC-based Auth]
Unlike port-based 802.1X, MAC-based authentication
is not a standard, but rather a best-practice method
adopted by the industry. In MAC-based
authentication terminology, users are called “clients”,
and the switch acts as the supplicant on behalf of
clients. The initial frame sent by a client is snooped
by the switch, which in turn uses the client’s MAC
address as both user name and password in the
subsequent EAP exchange with the RADIUS server.
The 6-byte MAC address is converted to a string of
hexadecimal digits, formatted as “xx-xx-xx-xx-xx-xx”.
The switch only supports the MD5-Challenge
authentication method, so the RADIUS server must be
configured accordingly.
When authentication is complete, the RADIUS server
sends a success or failure indication, which in turn
causes the switch to open or block traffic for that
particular client, using the Port Security module. Only
then will frames from the client be forwarded on the
switch.
[RADIUS-Assigned QoS Enabled]
This feature can be enabled or disabled for a given
port.
[RADIUS-Assigned VLAN Enabled]
This feature can be enabled or disabled for a given
port.
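
The credential handling described under [MAC-based Auth], as an added example that is not from the manual or the switch firmware: it formats a 6-byte MAC as the manual states, computes the MD5-Challenge value as defined in RFC 1994 (MD5 over identifier, secret and challenge), and shows why a RADIUS user entry stored in a different format is rejected. Lowercase hex digits, the function names, and the sample MAC, challenge and user tables are assumptions constructed for illustration.

```python
import hashlib
import hmac

def mac_to_credential(mac: bytes) -> str:
    """Format a 6-byte MAC as xx-xx-xx-xx-xx-xx (lowercase hex is an assumption)."""
    if len(mac) != 6:
        raise ValueError("MAC address must be exactly 6 bytes")
    return "-".join(f"{b:02x}" for b in mac)

def md5_challenge_response(identifier: int, password: str, challenge: bytes) -> bytes:
    """MD5-Challenge value per RFC 1994: MD5(identifier || secret || challenge)."""
    data = bytes([identifier]) + password.encode("ascii") + challenge
    return hashlib.md5(data).digest()

def radius_verify(users: dict, username: str, identifier: int,
                  challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the value from the stored password and compare."""
    password = users.get(username)
    if password is None:
        return False  # no user entry under this exact name
    expected = md5_challenge_response(identifier, password, challenge)
    return hmac.compare_digest(expected, response)

def switch_authenticate(users: dict, mac: bytes, identifier: int,
                        challenge: bytes) -> bool:
    """Switch side: the MAC string is both user name and password."""
    cred = mac_to_credential(mac)
    response = md5_challenge_response(identifier, cred, challenge)
    return radius_verify(users, cred, identifier, challenge, response)

# Constructed sample data (not taken from the manual).
CLIENT_MAC = bytes.fromhex("001122aabbcc")
CHALLENGE = bytes(range(16))
USERS_OK = {"00-11-22-aa-bb-cc": "00-11-22-aa-bb-cc"}        # matches switch format
USERS_COLON = {"00:11:22:aa:bb:cc": "00:11:22:aa:bb:cc"}     # wrong separator
USERS_UPPER_PW = {"00-11-22-aa-bb-cc": "00-11-22-AA-BB-CC"}  # password case differs

if __name__ == "__main__":
    for label, users in [("dash/lower", USERS_OK), ("colon", USERS_COLON),
                         ("upper password", USERS_UPPER_PW)]:
        ok = switch_authenticate(users, CLIENT_MAC, 1, CHALLENGE)
        print(f"{label:15s} -> {'Access-Accept' if ok else 'Access-Reject'}")
```

When a client is unexpectedly blocked, compare the user name in the RADIUS server's log with the stored entry character by character; the password is hashed, so a separator or case mismatch there only shows up as a reject.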