16/24-Port PoE Switch
• Client: the user terminal device that requires LAN access and is authenticated by the device end in the LAN. The client has to install client software that supports 802.1x authentication.
• Device end: the network device that controls client access to the LAN. It is located between the client and the authentication server, provides the LAN access port (physical port or logical port) for users, and authenticates the connected client by interacting with the server.
• Authentication server: used to implement authentication, authorization and billing (accounting); generally it is a RADIUS (Remote Authentication Dial-In User Service) server. The authentication server verifies the legality of the client according to the client authentication information forwarded by the device end and informs the device of the verification result; the device end then decides whether to allow the client access or not. In some small-scale network environments the role of the authentication server can be taken over by the device, which means that the device performs local authentication, authorization and billing for the client.
6.7.2 802.1x Authentication Controlled/Uncontrolled Port
The LAN access port provided by the device for the client is divided into two logical ports: the controlled port and the uncontrolled port. Any frame that arrives at the port is visible on both the controlled port and the uncontrolled port.
• The uncontrolled port is always in the bidirectionally connected status. It is mainly used to transmit authentication packets and makes sure that the client can always send and receive authentication packets.
• The controlled port is in the bidirectionally connected status only while the port is authorized, and is then used to transmit business (user data) packets; while the port is in the unauthorized status it is forbidden to receive any packet from the client.
6.7.3 Trigger Mode of 802.1x Authentication
The 802.1x authentication process is normally launched actively by the client, but it can be launched by the device as well.
1. Client Active Trigger Mode
• Multicast trigger: the client actively sends an authentication request packet to the device in order to trigger authentication; the destination address of the packet is the multicast MAC address 01-80-C2-00-00-03.
• Broadcast trigger: the client actively sends an authentication request packet to the device in order to trigger authentication; the destination address of the packet is the broadcast MAC address. This mode solves the problem that the device fails to receive the authentication request from the client because some devices in the network do not support the multicast packet above.
2. Device Active Trigger Mode
The device active trigger mode supports clients that are unable to actively send an authentication request packet. There are two types of device active trigger authentication:
• Multicast trigger: the device actively sends an Identity-type request packet to the client at a regular interval (30s by default) in order to trigger authentication.
• Unicast trigger: when the device receives a packet from an unknown source MAC address, it actively sends an Identity-type request packet to that MAC address by unicast in order to trigger authentication. The device sends the packet again if it receives no client response within the configured duration.
6.7.4 Port Authorized Status
By configuring the authorized status of a port, you can control whether users accessing the port must pass authentication before visiting network resources. The port supports the following three authorized states:
• Authorized-force: the port is always in the authorized status, which allows users to visit network resources without authentication.
• Unauthorized-force: the port is always in the unauthorized status and does not allow users to authenticate. The device provides no authentication service for a client connected to the port.
• Port based 802.1x: the initial status of the port is unauthorized, which does not allow users to visit network resources. The port is switched to the authorized status once the user passes authentication, and users are then allowed to visit network resources.
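The behaviour described in 6.7.2 to 6.7.4, the controlled/uncontrolled port split, the three authorized states and the client/device trigger frames, modelled as an added Python example; this is not code from the switch or from this manual. The frame layouts follow IEEE 802.1X (EAPOL EtherType 0x888E, EAPOL-Start type 1, EAP-Request/Identity code 1 type 1), the MAC addresses are constructed sample values, and the class and function names are my own.

```python
import struct
from dataclasses import dataclass
from enum import Enum

PAE_GROUP_MAC = bytes.fromhex("0180c2000003")  # multicast address named in 6.7.3
ETHERTYPE_EAPOL = 0x888E                        # IEEE 802.1X EAPOL frames

class PortControl(Enum):          # the three authorized states of 6.7.4
    FORCE_AUTHORIZED = "authorized-force"
    FORCE_UNAUTHORIZED = "unauthorized-force"
    AUTO = "port-based-802.1x"

@dataclass
class Dot1xPort:
    control: PortControl
    client_authenticated: bool = False  # verdict the device got back from RADIUS

    @property
    def authorized(self) -> bool:
        if self.control is PortControl.FORCE_AUTHORIZED:
            return True
        if self.control is PortControl.FORCE_UNAUTHORIZED:
            return False
        return self.client_authenticated   # port-based 802.1x follows the auth result

    def handle_frame(self, frame: bytes) -> str:
        """Return the logical port that accepts the frame, or 'drop'."""
        if len(frame) < 14:
            return "drop"
        ethertype = int.from_bytes(frame[12:14], "big")
        if ethertype == ETHERTYPE_EAPOL:
            # Uncontrolled port: open regardless of authorization so EAPOL can flow,
            # except that a force-unauthorized port offers no authentication service.
            return "drop" if self.control is PortControl.FORCE_UNAUTHORIZED else "uncontrolled"
        # Controlled port: business traffic passes only while the port is authorized.
        return "controlled" if self.authorized else "drop"

def eapol_start(src_mac: bytes, broadcast: bool = False) -> bytes:
    """Client trigger (6.7.3): EAPOL-Start to the 802.1X group MAC, or broadcast."""
    dst = b"\xff" * 6 if broadcast else PAE_GROUP_MAC
    # EAPOL header: version=1, type=1 (EAPOL-Start), body length=0
    return dst + src_mac + struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, 1, 0)

def eap_request_identity(dst_mac: bytes, src_mac: bytes, ident: int) -> bytes:
    """Device trigger (6.7.3): EAP-Request/Identity, multicast or unicast per dst_mac."""
    eap = struct.pack("!BBHB", 1, ident, 5, 1)  # code=1 Request, identifier, length=5, type=1 Identity
    # EAPOL header: version=1, type=0 (EAP-Packet), body length=len(eap)
    return dst_mac + src_mac + struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, 0, len(eap)) + eap
```

Feeding `eapol_start(...)` and an ordinary IPv4 frame to a `Dot1xPort` in each of the three states shows why a client on a port-based 802.1x port can always reach the authenticator but carries no user data until RADIUS returns a pass.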
Config Example:
1. Network Requirement
The client IP is in the 192.168.1.1/24 segment, the authentication server IP is 192.168.1.100, and every port of the device must require authentication by the authentication server before access is granted.
2. Config Steps
(1) Enable the authentication function and enable 802.1x authentication on all ports, as shown in Figure 6-34.
Figure 6-34 (screenshot: the 802.1x status column shows every port as Globally Enabled)
(2) Configure the address of the authentication server, as shown in Figure 6-35.