4 — ONT software and security features
4-8 July 2008 Alcatel-Lucent 7342 ISAM FTTU ONT R04.05.06
ONT Product Information Manual Edition 01 3FE 51892 AAAA TCZZA
Port-based authentication
There are two MAC configuration scenarios for authentication:
• When MAXMAC is 1, the first MAC address to be authenticated is learned on the
bridge port and kept for the duration of the session timeout (not the FDB aging
timeout). The MAC address is learned on all VLANs configured on the bridge port.
No other MAC addresses are learned.
• When MAXMAC is greater than 1, MAC learning begins only after authentication
succeeds. All MAC addresses are then learned dynamically and age out using the
FDB aging timer. Once the port is authorized for traffic, the system responds
with an EAP-Success message to any other user on the port that attempts to
authenticate; it is the port, not each supplicant, that is authorized.
When the authenticated user logs out, the system performs the following actions:
• closes the port for traffic
• stops accounting for the port
• sends an identity request as multicast over the port to invite any potential users of
the port to authenticate
• opens the port for traffic again only after a successful authentication
• if an authentication attempt fails, sends new identity requests only after the held
period expires
• sends periodic identity request messages until the port is authenticated
• does not require re-authentication
• flushes the FDB entries that correspond to the port
When the operator lowers the maximum MAC value (MAXMAC) on a bridge port, the
system performs the following actions:
• flushes all forwarding database (FDB) entries on the port
• closes the associated ONT UNI for data traffic
• sends an identity request as multicast over the port to invite any potential
users of the port to authenticate
• reopens the port for traffic only after a successful authentication
802.1x support assumptions
The 7342 ISAM FTTU supports 802.1x authentication based on the following
assumptions:
• Authentication is supported only on LAN ports at the ONT and not on plain old
telephone service (POTS) lines.
• Authentication is performed on a per-ONT-UNI basis. The highest priority GPON
encapsulation method (GEM) port ID that is configured on the user network
interface (UNI) is used for authentication.
• There is no local fallback authentication for 802.1x: if the RADIUS server
fails, the ONT itself cannot authenticate a supplicant.
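The port behaviour described above (the two MAXMAC scenarios, the logout sequence, lowering MAXMAC, and the absence of a local RADIUS fallback) can be captured as a small authenticator-port state model so that the consequences can be exercised. The following Python is an added illustration written for this page; it is not Alcatel-Lucent code and not the ONT's implementation. The timer values, the in-memory RADIUS stub table, the method and constant names, and the reading of "responds with EAP-Success" as "no new RADIUS exchange takes place" are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed timer values in seconds; on the ONT they are operator-configured.
SESSION_TIMEOUT = 3600   # lifetime of the single learned MAC when MAXMAC is 1
FDB_AGING = 300          # bridge FDB aging timer, used when MAXMAC > 1
HELD_PERIOD = 60         # quiet period after a failed authentication

# Constructed stand-in for the RADIUS server: supplicant MAC -> accepted?
RADIUS_DB = {"00:11:22:33:44:55": True, "66:77:88:99:aa:bb": False}

SUCCESS, FAILURE, HELD, NO_DECISION = "EAP-Success", "EAP-Failure", "held", "no-decision"
IDENTITY_REQ = "EAP-Request/Identity (multicast)"


@dataclass
class FdbEntry:
    mac: str
    vlan: int
    expires_at: float


@dataclass
class Port:
    """One ONT UNI acting as an 802.1X authenticator port (assumed model)."""
    vlans: tuple                       # VLANs configured on the bridge port
    maxmac: int                        # MAXMAC setting
    radius: Optional[dict] = field(default_factory=lambda: dict(RADIUS_DB))
    authorized: bool = False           # port open for data traffic
    accounting: bool = False
    held_until: float = 0.0
    radius_requests: int = 0           # how often the RADIUS stub was consulted
    fdb: list = field(default_factory=list)
    events: list = field(default_factory=list)   # EAP messages the port emits

    def _close_and_invite(self):
        """Close the port, stop accounting, flush its FDB, invite supplicants."""
        self.authorized = False
        self.accounting = False
        self.fdb.clear()
        self.events.append(IDENTITY_REQ)

    def tick(self, now):
        """Advance time: expire FDB entries; while unauthorized and outside the
        held period, send another periodic Identity request."""
        self.fdb = [e for e in self.fdb if e.expires_at > now]
        if not self.authorized and now >= self.held_until:
            self.events.append(IDENTITY_REQ)

    def authenticate(self, mac, now):
        """Handle a supplicant's EAP-Response/Identity from `mac`."""
        if now < self.held_until:              # held period: nothing is sent
            return HELD
        if self.authorized:
            if self.maxmac > 1:                # already authorized: EAP-Success
                self.events.append(SUCCESS)    # without a new RADIUS exchange
                return SUCCESS
            return NO_DECISION                 # MAXMAC = 1: not stated on the page
        if self.radius is None:                # RADIUS down and no local fallback
            return NO_DECISION
        self.radius_requests += 1
        if not self.radius.get(mac, False):
            self.held_until = now + HELD_PERIOD
            self.events.append(FAILURE)
            return FAILURE
        self.authorized = True
        self.accounting = True
        if self.maxmac == 1:
            # First authenticated MAC is learned on every VLAN of the port and
            # kept for the session timeout, not the FDB aging timer.
            self.fdb = [FdbEntry(mac, v, now + SESSION_TIMEOUT) for v in self.vlans]
        self.events.append(SUCCESS)
        return SUCCESS

    def learn(self, mac, vlan, now):
        """Data-plane learning of a source MAC seen on `vlan` (MAXMAC > 1 only)."""
        if not self.authorized or self.maxmac == 1:
            return False                       # port closed, or no other MACs learned
        for e in self.fdb:
            if e.mac == mac and e.vlan == vlan:
                e.expires_at = now + FDB_AGING  # refresh an existing entry
                return True
        self.fdb.append(FdbEntry(mac, vlan, now + FDB_AGING))
        return True

    def logout(self):
        """Authenticated user logs off: port stays closed until a new success."""
        self._close_and_invite()

    def set_maxmac(self, new_max):
        """Operator changes MAXMAC; lowering it flushes the FDB and closes the UNI."""
        lowered = new_max < self.maxmac
        self.maxmac = new_max
        if lowered:
            self._close_and_invite()
        return lowered

    def macs(self):
        return sorted({e.mac for e in self.fdb})


if __name__ == "__main__":
    p = Port(vlans=(10, 20), maxmac=4)
    p.authenticate("00:11:22:33:44:55", now=0)
    p.learn("aa:aa:aa:aa:aa:aa", 10, now=1)   # never authenticated, still learned
    print(p.authenticate("66:77:88:99:aa:bb", now=2), p.macs())  # EAP-Success ['aa:aa:aa:aa:aa:aa']
    p.set_maxmac(1)
    print(p.authorized, p.macs())              # False []
```

Running the demo shows the two points a practitioner should take from the text: with MAXMAC greater than 1, any station behind an authorized UNI (for instance on an unmanaged switch) is learned and forwarded without its own authentication, and a supplicant the RADIUS stub would reject still receives EAP-Success; lowering MAXMAC, like a logout, closes the port for every station at once and forces a fresh authentication.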