User manual

ManualsBrandsLevelOne ManualsNetworkingGEP-5070

HAPTER

| Configuring the Switch

Configuring Security

– 88 –

between the switch and the client, and therefore does not imply that a

client is still present on a port (see Age Period below).

◆ Reauthentication Period - Sets the time period after which a

connected client must be re-authenticated. (Range: 1-3600 seconds;

Default: 3600 seconds)

◆ EAPOL Timeout - Sets the time the switch waits for a supplicant

response during an authentication session before retransmitting a

Request Identify EAPOL packet. (Range: 1-255 seconds; Default: 30

seconds)

◆ Aging Period - The period used to calculate when to age out a client

allowed access to the switch through Single 802.1X, Multi 802.1X, and

MAC-based authentication as described below. (Range: 10-1000000

seconds; Default: 300 seconds)

When the NAS module uses the Port Security module to secure MAC

addresses, the Port Security module needs to check for activity on the

MAC address in question at regular intervals and free resources if no

activity is seen within the given age period.

If reauthentication is enabled and the port is in a 802.1X-based mode,

this is not so critical, since supplicants that are no longer attached to

the port will get removed upon the next reauthentication, which will

fail. But if reauthentication is not enabled, the only way to free

resources is by aging the entries.

For ports in MAC-based Auth. mode, reauthentication does not cause

direct communication between the switch and the client, so this will not

detect whether the client is still attached or not, and the only way to

free any resources is to age the entry.

◆ Hold Time - The time after an EAP Failure indication or RADIUS

timeout that a client is not allowed access. This setting applies to ports

running Single 802.1X, Multi 802.1X, or MAC-based authentication.

(Range: 10-1000000 seconds; Default: 10 seconds)

If the RADIUS server denies a client access, or a RADIUS server

request times out (according to the timeout specified on the AAA menu

on page 117), the client is put on hold in the Unauthorized state. In this

state, the hold timer does not count down during an on-going

authentication.

In MAC-based Authentication mode, the switch will ignore new frames

coming from the client during the hold time.

◆ RADIUS-Assigned QoS Enabled - RADIUS-assigned QoS provides a

means to centrally control the traffic class to which traffic coming from

a successfully authenticated supplicant is assigned on the switch. The

RADIUS server must be configured to transmit special RADIUS

attributes to take advantage of this feature.

The RADIUS-Assigned QoS Enabled checkbox provides a quick way to

globally enable/disable RADIUS-server assigned QoS Class

functionality. When checked, the individual port settings determine