Configuring Port and System Security 483
As shown in Figure 19-1, the PowerConnect 7000 Series switch is the
authenticator and enforces the supplicant (a PC) that is attached to an
802.1X-controlled port to be authenticated by an authentication server (a
RADIUS server). The result of the authentication process determines
whether the supplicant is authorized to access services on that controlled
port. PowerConnect switches support authentication using remote RADIUS
or TACACS servers and also support authentication using a local
authentication service.
Supported security methods for communication with remote servers include
MD5, PEAP, EAP-TTL, EAP-TTLS, and EAP-TLS. Only EAP-MD5 is
supported when using the local authentication server (IAS).
For a list of RADIUS attributes that the switch supports, see
"Using RADIUS
Servers to Control Management Access" on page 190
.
What are the 802.1X Port States?
The 802.1X port state determines whether to allow or prevent network traffic
on the port. A port can configured to be in one of the following 802.1X
control modes:
•Auto (default)
•MAC-based
• Force-authorized
• Force-unauthorized.
These modes control the behavior of the port. The port state is either
Authorized or Unauthorized.
If the port is in the authorized state, the port sends and receives normal
traffic without client port-based authentication. When a port is in an
unauthorized state, it ignores supplicant authentication attempts and does
not provide authentication services to the client. By default, when 802.1X is
globally enabled on the switch, all ports are in Auto, which means the port will
be unauthorized until a successful authentication exchange has taken place.
In addition to authorized, unauthorized, and automode, the 802.1X mode of
a port can be MAC based, as the following section describes.
NOTE: Only MAC-Based and Automode actually use 802.1X to authenticate.
Authorized and Unauthorized modes are manual overrides.
To Next Page
Loading...
