Manualshelf

Handbook

ManualsBrandsNEC ManualsBlade ServersNEC N8406-026 10Gb L3 Switch
31323334353637383940
Error! Use the Home tab to apply 見出し 1 to the text that you want to appear here. 40
Port-based Network Access and traffic control
Port-based Network Access control
Port-based Network Access control provides a means of authenticating and authorizing devices
attached to a LAN port that has point-to-point connection characteristics. It prevents access to ports that
fail authentication and authorization. This feature provides security to all ports of the 10Gb switch (except
the management port 17).
The following topics are discussed in this section:
Extensible Authentication Protocol over LAN
802.1x Authentication Process
802.1x Port States
Supported RADIUS Attributes
Configuration Guidelines
Extensible authentication protocol over LAN (EAPoL)
The switch can provide user-level security for its ports using the IEEE 802.1x protocol, which is a more
secure alternative to other methods of port-based network access control. Any device attached to an
802.1x-enabled port that fails authentication is prevented access to the network and denied services
offered through that port.
The 802.1x standard describes port-based network access control using Extensible Authentication
Protocol over LAN (EAPoL). EAPoL provides a means of authenticating and authorizing devices attached
to a LAN port that has point-to-point connection characteristics and of preventing access to that port in
cases of authentication and authorization failures.
EAPoL is a client-server protocol that has the following components:
Supplicant or Client : The Supplicant is a device that requests network access and provides the
required credentials (user name and password) to the Authenticator and the Authentication Server.
Authenticator : The Authenticator enforces authentication and controls access to the network. The
Authenticator grants network access based on the information provided by the Supplicant and the
response from the Authentication Server. The Authenticator acts as an intermediary between the
Supplicant and the Authentication Server: requesting identity information from the client, forwarding
that information (encapsulated in RADIUS packets) to the Authentication Server for validation,
relaying the server‘s responses to the client, and authorizing network access based on the results of
the authentication exchange. The switch acts as an Authenticator.
Authentication ServerThe Authentication Server validates the credentials provided by the
Supplicant to determine if the Authenticator should grant access to the network. The Authentication
Server may be co-located with the Authenticator. The switch relies on external RADIUS servers for
authentication.
Upon a successful authentication of the client by the server, the 802.1x-controlled port transitions from
unauthorized to authorized state, and the client is allowed full access to services through the port. When
the client sends an EAPOL-Logoff message to the authenticator, the port will transition from authorized to
unauthorized state.
802.1x authentication process
The clients and authenticators communicate using Extensible Authentication Protocol (EAP), which was
originally designed to run over PPP, and for which the IEEE 802.1x Standard has defined an encapsulation
method over Ethernet frames, called EAP over LAN (EAPOL).