Manualshelf

User Manual

ManualsBrandsMOXA ManualsNext Generationmoxa M5300 Managed Switch Next Generation
121122123124125126127128129130
Moxa’s Managed Switch Next Generation OS (v3.x) User Manual
130
Network Security
This section demonstrates how to configure network security settings, including IEEE802.1X, MAC
Authentication Bypass, Port Security, Traffic Storm Control, Access Control List, and Loop
Protection.
IEEE 802.1X
Port-based IEEE 802.1X Overview
The IEEE 802.1X standard defines a protocol for client/server-based access control and authentication. The
protocol restricts unauthorized clients from connecting to a LAN through ports that are open to the Internet,
and which otherwise would be readily accessible. The purpose of the authentication server is to check each
client that requests access to the port. The client is only allowed access to the port if the client’s permission
is authenticated.
Three components are used to create an authentication mechanism based on 802.1X standards:
Client/Supplicant, Authentication Server, and Authenticator.
Client/Supplicant: The end station that requests access to the LAN and switch services and responds to
the requests from the switch.
Authentication Server: The server that performs the actual authentication of the supplicant.
Authenticator: Edge switch or wireless access point that acts as a proxy between the supplicant and the
authentication server, requesting identity information from the supplicant, verifying the information with the
authentication server, and relaying a response to the supplicant.
The Moxa switch acts as an authenticator in the 802.1X environment. A supplicant and an authenticator
exchange EAPOL (Extensible Authentication Protocol over LAN) frames with each other. We can either use
an external RADIUS server as the authentication server or implement the authentication server in the Moxa
switch by using a Local User Database as the authentication look-up table. When we use an external
RADIUS server as the authentication server, the authenticator and the authentication server exchange EAP
frames.
Authentication can be initiated either by the supplicant or the authenticator. When the supplicant initiates
the authentication process, it sends an EAPOL-Start frame to the authenticator. When the authenticator
initiates the authentication process or when it receives an EAPOL Start frame, it sends an EAP
Request/Identity frame to ask for the username of the supplicant.
How IEEE 802.1X Works
802.1X authentication requires three parties: a supplicant, an authenticator, and an authentication server.
The supplicant is a client device that wishes to connect to the LAN or WLAN. The supplicant can also use the