User manual

CHAPTER 4 | Configuring the Switch
Configuring Security
- 802.1X / MAC-based authentication must be enabled globally for the
  switch.
- The Admin State for each switch port that requires client authentication
  must be set to 802.1X or MAC-based.
- When using 802.1X authentication:
  - Each client that needs to be authenticated must have dot1x client
    software installed and properly configured.
  - The RADIUS server and 802.1X client must support EAP. (The switch
    only supports EAPOL in order to pass the EAP packets from the
    server to the client.)
  - The RADIUS server and client also have to support the same EAP
    authentication type - MD5, PEAP, TLS, or TTLS. (Native support for
    these authentication types is provided in Windows 7, Windows Vista,
    Windows XP, and in Windows 2000 with Service Pack 4. To support
    them in Windows 95 and 98, you can use the AEGIS dot1x client or
    other comparable client software.)

MAC-based authentication allows for authentication of more than one user
on the same port, and does not require the user to have special 802.1X
software installed on their system. The switch uses the client's MAC address
to authenticate against the backend server. However, note that intruders
can create counterfeit MAC addresses, which makes MAC-based
authentication less secure than 802.1X authentication.
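When a client and the RADIUS server do not share an EAP type, the mismatch is visible in the EAPOL frames the switch relays. The following decoder is an added example, not part of this manual; the EAP type numbers are from the IANA EAP registry, and the sample frames, MAC address and function names are constructed for illustration.

```python
import struct

# EAP type numbers (IANA EAP registry) for the methods named in this section.
EAP_METHODS = {1: "Identity", 3: "Nak", 4: "MD5", 13: "TLS", 21: "TTLS", 25: "PEAP"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAPOL_TYPES = {0: "EAP-Packet", 1: "Start", 2: "Logoff", 3: "Key"}


def parse_eapol(frame: bytes) -> dict:
    """Decode one Ethernet frame carrying EAPOL (EtherType 0x888E)."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL headers")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != 0x888E:
        raise ValueError("not an EAPOL frame")
    _version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) < body_len:
        raise ValueError("truncated EAPOL body")
    out = {"eapol_type": EAPOL_TYPES.get(ptype, ptype)}
    if ptype != 0:  # Start, Logoff and Key frames carry no EAP packet
        return out
    if len(body) < 4:
        raise ValueError("EAP header missing")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len < 4 or eap_len > len(body):
        raise ValueError("bad EAP length field")
    out.update(code=EAP_CODES.get(code, code), id=ident)
    if code in (1, 2) and eap_len >= 5:  # only Request/Response have a Type
        method = body[4]
        out["method"] = EAP_METHODS.get(method, method)
        if method == 3:  # Nak: the client lists the EAP types it will accept
            out["client_accepts"] = [EAP_METHODS.get(b, b) for b in body[5:eap_len]]
    return out


def build(eap: bytes) -> bytes:
    """Constructed sample frame: PAE group address, made-up source MAC, EAPOL v2."""
    eth = bytes.fromhex("0180c2000003") + bytes.fromhex("020000000001") + b"\x88\x8e"
    return eth + struct.pack("!BBH", 2, 0, len(eap)) + eap


# Constructed exchange: the server offers PEAP, the client answers with a Nak
# and asks for TLS or TTLS instead.
OFFER = build(struct.pack("!BBHB", 1, 7, 6, 25) + b"\x20")
NAK = build(struct.pack("!BBHB", 2, 7, 7, 3) + bytes([13, 21]))

if __name__ == "__main__":
    print(parse_eapol(OFFER))
    print(parse_eapol(NAK))
```

A Nak response followed by an EAP Failure in a port capture indicates that the client's configured EAP type does not match any type the RADIUS server offers.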
PATH
Advanced Configuration, Security, Network, NAS
USAGE GUIDELINES
When 802.1X is enabled, you need to configure the parameters for the
authentication process that runs between the client and the switch (i.e.,
authenticator), as well as the client identity lookup process that runs
between the switch and authentication server. These parameters are
described in this section.
PARAMETERS
These parameters are displayed:
System Configuration
Mode - Indicates if 802.1X and MAC-based authentication are globally
enabled or disabled on the switch. If globally disabled, all ports are
allowed to forward frames.
Reauthentication Enabled - Sets clients to be re-authenticated after
an interval specified by the Re-authentication Period. Re-authentication
can be used to detect if a new device is plugged into a switch port.
(Default: Disabled)
For MAC-based ports, reauthentication is only useful if the RADIUS
server configuration has changed. It does not involve communication