User manual

ManualsBrandsLevelOne ManualsNetworkingGEP-5070

100

HAPTER

| Configuring the Switch

Configuring Security

– 93 –

◆ Admin State - If NAS is globally enabled, this selection controls the

port's authentication mode. The following modes are available:

■

Force Authorized - The switch sends one EAPOL Success frame

when the port link comes up. This forces the port to grant access to

all clients, either dot1x-aware or otherwise. (This is the default

setting.)

■

Force Unauthorized - The switch will send one EAPOL Failure

frame when the port link comes up. This forces the port to deny

access to all clients, either dot1x-aware or otherwise.

■

Port-based 802.1X - Requires a dot1x-aware client to be

authorized by the authentication server. Clients that are not dot1x-

aware will be denied access.

■

Single 802.1X - At most one supplicant can get authenticated on

the port at a time. If more than one supplicant is connected to a

port, the one that comes first when the port's link comes up will be

the first one considered. If that supplicant doesn't provide valid

credentials within a certain amount of time, another supplicant will

get a chance. Once a supplicant is successfully authenticated, only

that supplicant will be allowed access. This is the most secure of all

the supported modes. In this mode, the Port Security module is

used to secure a supplicant's MAC address once successfully

authenticated.

■

Multi 802.1X - One or more supplicants can get authenticated on

the same port at the same time. Each supplicant is authenticated

individually and secured in the MAC table using the Port Security

module.

In Multi 802.1X it is not possible to use the multicast BPDU MAC

address as the destination MAC address for EAPOL frames sent from

the switch towards the supplicant, since that would cause all

supplicants attached to the port to reply to requests sent from the

switch. Instead, the switch uses the supplicant's MAC address,

which is obtained from the first EAPOL Start or EAPOL Response

Identity frame sent by the supplicant. An exception to this is when

no supplicants are attached. In this case, the switch sends EAPOL

Request Identity frames using the BPDU multicast MAC address as

the destination - to wake up any supplicants that might be on the

port.

The maximum number of supplicants that can be attached to a port

can be limited using the Port Security Limit Control functionality.

■

MAC-based Auth. - Enables MAC-based authentication on the port.

The switch does not transmit or accept EAPOL frames on the port.

Flooded frames and broadcast traffic will be transmitted on the port,

whether or not clients are authenticated on the port, whereas

unicast traffic from an unsuccessfully authenticated client will be

dropped. Clients that are not (or not yet) successfully authenticated

will not be allowed to transmit frames of any kind.

The switch acts as the supplicant on behalf of clients. The initial

frame (any kind of frame) sent by a client is snooped by the switch,

which in turn uses the client's MAC address as both user name and