User manual

ManualsBrandsLevelOne ManualsNetworkingGEP-5070

100

HAPTER

| Configuring the Switch

Configuring Security

– 94 –

password in the subsequent EAP exchange with the RADIUS server.

The 6-byte MAC address is converted to a string on the following

form “xx-xx-xx-xx-xx-xx”, that is, a dash (-) is used as separator

between the lower-cased hexadecimal digits. The switch only

supports the MD5-Challenge authentication method, so the RADIUS

server must be configured accordingly.

When authentication is complete, the RADIUS server sends a

success or failure indication, which in turn causes the switch to open

up or block traffic for that particular client, using the Port Security

module. Only then will frames from the client be forwarded on the

switch. There are no EAPOL frames involved in this authentication,

and therefore, MAC-based Authentication has nothing to do with the

802.1X standard.

The advantage of MAC-based authentication over port-based

802.1X is that several clients can be connected to the same port

(e.g. through a 3rd party switch or a hub) and still require individual

authentication, and that the clients don't need special supplicant

software to authenticate. The advantage of MAC-based

authentication over 802.1X-based authentication is that the clients

don't need special supplicant software to authenticate. The

disadvantage is that MAC addresses can be spoofed by malicious

users - equipment whose MAC address is a valid RADIUS user can

be used by anyone. Also, only the MD5-Challenge method is

supported. The maximum number of clients that can be attached to

a port can be limited using the Port Security Limit Control

functionality.

Further Guidelines for Port Admin State

■

Port Admin state can only be set to Force-Authorized for ports

participating in the Spanning Tree algorithm (see page 135).

■

When 802.1X authentication is enabled on a port, the MAC address

learning function for this interface is disabled, and the addresses

dynamically learned on this port are removed from the common

address table.

■

Authenticated MAC addresses are stored as dynamic entries in the

switch's secure MAC address table. Configured static MAC addresses

are added to the secure address table when seen on a switch port

(see page 170). Static addresses are treated as authenticated

without sending a request to a RADIUS server.

■

When port status changes to down, all MAC addresses are cleared

from the secure MAC address table. Static VLAN assignments are

not restored.

◆ RADIUS-Assigned QoS Enabled - Enables or disables this feature for

a given port. Refer to the description of this feature under the System

Configuration section.

◆ RADIUS-Assigned VLAN Enabled - Enables or disables this feature

for a given port. Refer to the description of this feature under the

System Configuration section.