User Manual
User Manual rev. 1.0. Feb. 2016
79
MAC address as both username and password in the subsequent EAP exchange with the
RADIUS server. The 6-byte MAC address is converted to a string on the following form
"xx-xx-xx-xx-xx-xx", that is, a dash (-) is used as separator between the lower-cased
hexadecimal digits. The switch only supports the MD5-Challenge authentication method, so
the RADIUS server must be configured accordingly.
When authentication is complete, the RADIUS server sends a success or failure indication,
which in turn causes the switch to open up or block traffic for that particular client, using the
Port Security module. Only then will frames from the client be forwarded on the switch.
There are no EAPOL frames involved in this authentication, and therefore, MAC-based
Authentication has nothing to do with the 802.1X standard.
The advantage of MAC-based authentication over port-based 802.1X is that several clients
can be connected to the same port (e.g. through a 3rd party switch or a hub) and still require
individual authentication, and that the clients don't need special supplicant software to
authenticate. The advantage of MAC-based authentication over 802.1X-based
authentication is that the clients don't need special supplicant software to authenticate. The
disadvantage is that MAC addresses can be spoofed by malicious users - equipment whose
MAC address is a valid RADIUS user can be used by anyone. Also, only the
MD5-Challenge method is supported. The maximum number of clients that can be attached
to a port can be limited using the Port Security Limit Control functionality.
RADIUS-Assigned QoS Enabled :
When RADIUS-Assigned QoS is both globally enabled and enabled (checked) on a given
port, the switch reacts to QoS Class information carried in the RADIUS Access-Accept
packet transmitted by the RADIUS server when a supplicant is successfully authenticated. If
present and valid, traffic received on the supplicant's port will be classified to the given QoS
Class. If (re-)authentication fails or the RADIUS Access-Accept packet no longer carries a
QoS Class or it's invalid, or the supplicant is otherwise no longer present on the port, the
port's QoS Class is immediately reverted to the original QoS Class (which may be changed
by the administrator in the meanwhile without affecting the RADIUS-assigned).
This option is only available for single-client modes, i.e.
• Port-based 802.1X
• Single 802.1X
RADIUS attributes used in identifying a QoS Class:
Refer to the written documentation for a description of the RADIUS attributes needed in
order to successfully identify a QoS Class. The User-Priority-Table attribute defined in
RFC4675 forms the basis for identifying the QoS Class in an Access-Accept packet.
Only the first occurrence of the attribute in the packet will be considered, and to be valid, it
must follow this rule:
• All 8 octets in the attribute's value must be identical and consist of ASCII characters in the
range '0' - '3', which translates into the desired QoS Class in the range [0; 3].
RADIUS-Assigned VLAN Enabled :
When RADIUS-Assigned VLAN is both globally enabled and enabled (checked) for a given
port, the switch reacts to VLAN ID information carried in the RADIUS Access-Accept packet
transmitted by the RADIUS server when a supplicant is successfully authenticated. If
present and valid, the port's Port VLAN ID will be changed to this VLAN ID, the port will be
set to be a member of that VLAN ID, and the port will be forced into VLAN unaware mode.
Once assigned, all traffic arriving on the port will be classified and switched on the
RADIUS-assigned VLAN ID.
If (re-)authentication fails or the RADIUS Access-Accept packet no longer carries a VLAN
ID or it's invalid, or the supplicant is otherwise no longer present on the port, the port's
VLAN ID is immediately reverted to the original VLAN ID (which may be changed by the
administrator in the meanwhile without affecting the RADIUS-assigned).
This option is only available for single-client modes, i.e.
• Port-based 802.1X
• Single 802.1X