ProLiant BL p-Class GbE2 Interconnect Switch Application Guide
Port-based Network Access and traffic control 43
Table 8 EAP support for RADIUS attributes

| # | Attribute | Attribute Value | A-R | A-A | A-C | A-R |
|---|---|---|---|---|---|---|
| 31 | Calling-Station-ID | The MAC address of the supplicant encoded as an ASCII string in canonical format, e.g. 00034B436206. | 1 | 0 | 0 | 0 |
| 79 | EAP-Message | Encapsulated EAP packets from the supplicant to the authentication server (RADIUS) and vice-versa. The authenticator relays the decoded packet to both devices. | 1+ | 1+ | 1+ | 1+ |
| 80 | Message-Authenticator | Always present whenever an EAP-Message attribute is also included. Used to integrity-protect a packet. | 1 | 1 | 1 | 1 |
| 87 | NAS-Port-ID | Name assigned to the authenticator port, e.g. Server1_Port3 | 1 | 0 | 0 | 0 |
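The following is an added example, not code from the guide or from the switch firmware: it checks a RADIUS Access-Request against the occurrence counts in the first A-R column of Table 8 (assumed here to be Access-Request) and verifies the Message-Authenticator. The HMAC-MD5 computation over the packet with the Message-Authenticator value zeroed follows RFC 2869 and RFC 3579 rather than this page; the function names and the shared secret are hypothetical.

```python
import hashlib
import hmac
import struct

# Access-Request occurrence rules from Table 8: type -> (min, max), None = no upper bound
ACCESS_REQUEST_RULES = {31: (1, 1), 79: (1, None), 80: (1, 1), 87: (1, 1)}
MSG_AUTH = 80

def attr(type_, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return bytes([type_, len(value) + 2]) + value

def build_access_request(ident, req_auth, attrs, secret):
    """Build an Access-Request (code 1) and fill in Message-Authenticator."""
    body = b"".join(attr(t, v) for t, v in attrs) + attr(MSG_AUTH, bytes(16))
    pkt = struct.pack("!BBH", 1, ident, 20 + len(body)) + req_auth + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # Message-Authenticator value is the last 16 bytes

def parse_attrs(pkt):
    """Return [(type, value_offset, value)], rejecting malformed lengths."""
    length = int.from_bytes(pkt[2:4], "big")
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS length")
    out, i = [], 20
    while i < length:
        if i + 2 > length or pkt[i + 1] < 2 or i + pkt[i + 1] > length:
            raise ValueError("malformed attribute")
        out.append((pkt[i], i + 2, pkt[i + 2:i + pkt[i + 1]]))
        i += pkt[i + 1]
    return out

def check_access_request(pkt, secret):
    """Return a list of problems; an empty list means the packet passes."""
    problems, attrs = [], parse_attrs(pkt)
    pkt = pkt[:int.from_bytes(pkt[2:4], "big")]  # ignore padding past Length
    for t, (lo, hi) in ACCESS_REQUEST_RULES.items():
        n = sum(1 for a in attrs if a[0] == t)
        if n < lo or (hi is not None and n > hi):
            problems.append(f"attribute {t}: {n} occurrence(s)")
    ma = [a for a in attrs if a[0] == MSG_AUTH]
    if len(ma) == 1 and len(ma[0][2]) == 16:
        off = ma[0][1]
        zeroed = pkt[:off] + bytes(16) + pkt[off + 16:]
        expect = hmac.new(secret, zeroed, hashlib.md5).digest()
        if not hmac.compare_digest(expect, ma[0][2]):
            problems.append("Message-Authenticator mismatch")
    return problems

# Constructed sample: secret and EAP payload are illustrative; MAC and port name are the table's examples
SECRET = b"example-shared-secret"
SAMPLE = build_access_request(7, bytes(range(16)), [(31, b"00034B436206"),
    (87, b"Server1_Port3"), (79, b"\x02\x01\x00\x06\x01u")], SECRET)
```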
EAPoL configuration guidelines
When configuring EAPoL, consider the following guidelines:
• The 802.1x port-based authentication is currently supported only in point-to-point configurations, that is,
with a single supplicant connected to an 802.1x-enabled switch port.
• When 802.1x is enabled, a port has to be in the authorized state before any other Layer 2 feature can be
operationally enabled. For example, the STG state of a port is operationally disabled while the port is in
the unauthorized state.
• The 802.1x supplicant capability is not supported. Therefore, none of the switch's ports can connect
successfully to an 802.1x-enabled port of another device, such as another switch, that acts as an
authenticator, unless access control on the remote port is disabled or is configured in force-authorized
mode. For example, if a GbE2 Interconnect Switch is connected to another GbE2 Interconnect Switch, and if
802.1x is enabled on both switches, the two connected ports must be configured in force-authorized mode.
• The 802.1x standard has optional provisions for supporting dynamic virtual LAN assignment via RADIUS
tunneling attributes, for example, Tunnel-Type (=VLAN), Tunnel-Medium-Type (=802), and
Tunnel-Private-Group-ID (=VLAN ID). These attributes are not supported and might affect 802.1x operations.
Other unsupported attributes include Service-Type, Session-Timeout, and Termination-Action.
• RADIUS accounting service for 802.1x-authenticated devices or users is not supported.
• Configuration changes performed using SNMP and the standard 802.1x MIB take effect immediately.
Port-based traffic control
Port-based traffic control prevents GbE2 Interconnect Switch ports from being disrupted by LAN storms. A LAN
storm occurs when data packets flood the LAN, which can cause the network to become congested and slow
down. Errors in the protocol-stack implementation or in the network configuration can cause a LAN storm.
You can enable port-based traffic control separately for each of the following traffic types:
• Broadcast—packets with destination MAC address ff:ff:ff:ff:ff:ff
• Multicast—packets that have MAC addresses with the least significant bit of their first octet set to one
• Destination Lookup Failed (DLF)—packets with an unknown destination MAC address, which are treated like
broadcast packets
With Port-based Traffic Control enabled, the port monitors incoming traffic of each type noted above. If the traffic
exceeds a configured threshold, the port blocks traffic that exceeds the threshold until the traffic flow falls back
within the threshold.
The GbE2 supports separate traffic-control thresholds for broadcast, multicast, and DLF traffic. The traffic
threshold is measured in number of frames per second.
NOTE: All ports that belong to a trunk must have the same traffic-control settings.