
Allied Telesis SwitchBlade x3100 Series - Port Authentication

Software Reference for SwitchBlade x3100 Series Switches (Access and Security)
6.9 Port Authentication
6.9.1 Introduction
Port authentication can be implemented with the following methods:
• 802.1X - The method described in this section.
• MAC-based authentication - This uses the source MAC address of each frame. When the switch receives the frame, it generates a RADIUS request for authentication.
• Web-based authentication - A username/password pair is entered from the client's browser. When the switch receives the pair, it generates a RADIUS request for authentication.
Note: For release 14.2, only the 802.1X method is supported.
The IEEE Standard 802.1X provides a method of restricting access to networks until devices have been authenticated and authorized. 802.1X provides port-based network access control for devices connected to the Ethernet. Allied Telesis extends the port-based control further by also implementing device-based control. This allows a network controller to restrict external devices from gaining access to the network behind an 802.1X controlled port. External devices that wish to access services via a port under 802.1X control must first authenticate themselves and gain authorization before any packets originating from, or destined for, the external device are allowed to pass through the 802.1X controlled port.
802.1X port access control is achieved by making devices attached to a controlled port authenticate themselves via communication with an authentication server before these devices are allowed to access the network behind the controlled port.
The main components of an 802.1X implementation are:
• The Authenticator - the port on this device that wishes to enforce authentication before allowing access to services that are accessible behind it. The SBx3112 plays this role.
• The Supplicant - the port that wishes to access services offered by the authenticator's system. The supplicant may be a port on a PC or other device connected to the Authenticator.
• The Authentication Server (RADIUS) - a device that uses the authentication credentials supplied by the supplicant, via the authenticator, to determine if the authenticator should grant access to the network. Once the supplicant is authorized, the Authentication Server notifies the Authenticator to allow access.
The switch can be configured to authorize one supplicant or more than one supplicant, as follows:
• Single Host - Only a single authorized supplicant is allowed to communicate on the port. Any other supplicant is disallowed.
• Multi Host - When any one supplicant succeeds in authenticating, the other supplicants can also communicate on the port. This mode is also known as 'Piggyback Mode'.
• Multi Supplicant - Each supplicant has to be authenticated. Some supplicants may be allowed while others are disallowed because they failed to authenticate.
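
The three host modes above, modelled as an added example (not Allied Telesis code and not switch CLI) to show which devices each mode lets through a controlled port. The class and function names, the constructed MAC addresses and RADIUS outcomes, and the rule that the first authorized supplicant keeps a Single Host port are assumptions of this example.

```python
from dataclasses import dataclass, field

SINGLE_HOST, MULTI_HOST, MULTI_SUPPLICANT = "single-host", "multi-host", "multi-supplicant"

# Constructed sample devices (RFC 7042 documentation MAC range).
LAPTOP, PHONE, PRINTER, UNKNOWN = (f"00:00:5e:00:53:0{i}" for i in range(1, 5))
# Constructed RADIUS outcomes, in arrival order; UNKNOWN never authenticates.
EVENTS = [(LAPTOP, True), (PHONE, True), (PRINTER, False)]


@dataclass
class ControlledPort:
    """Hypothetical model of one 802.1X controlled port (not switch code)."""
    mode: str
    authorized: set = field(default_factory=set)  # MACs accepted by RADIUS

    def auth_result(self, mac: str, accepted: bool) -> None:
        """Record the RADIUS decision relayed to the authenticator for `mac`."""
        if not accepted:
            self.authorized.discard(mac)
        elif self.mode == SINGLE_HOST and self.authorized - {mac}:
            pass  # assumption: the first authorized supplicant keeps the port
        else:
            self.authorized.add(mac)

    def forwards(self, src_mac: str) -> bool:
        """Would a frame from `src_mac` pass the controlled port?"""
        if self.mode == MULTI_HOST:
            return bool(self.authorized)  # piggyback: one success opens the port
        return src_mac in self.authorized  # per-device decision


def admission(mode: str) -> dict:
    """Replay EVENTS on a fresh port and report which devices may send."""
    port = ControlledPort(mode)
    for mac, accepted in EVENTS:
        port.auth_result(mac, accepted)
    return {mac: port.forwards(mac) for mac in (LAPTOP, PHONE, PRINTER, UNKNOWN)}


if __name__ == "__main__":
    for mode in (SINGLE_HOST, MULTI_HOST, MULTI_SUPPLICANT):
        print(f"{mode:16}", admission(mode))
```

In the Multi Host result the rejected device and the device that never authenticated both forward, which is the piggyback behaviour described above.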
