C
HAPTER
4
| Configuring the Switch
Configuring 802.1X Port Authentication
– 84 –
USAGE GUIDELINES
When 802.1X is enabled, you need to configure the parameters for the
authentication process that runs between the client and the switch (i.e.,
authenticator), as well as the client identity lookup process that runs
between the switch and authentication server. These parameters are
described in this section.
PARAMETERS
The following parameters are displayed on the Port Security Configuration
page:
System Configuration
◆ Mode - Indicates if 802.1X and MAC-based authentication are globally
enabled or disabled on the switch. If globally disabled, all ports are
allowed to forward frames.
◆ Reauthentication Enabled - Sets the client to be re-authenticated
after the interval specified by the Re-authentication Period. Re-
authentication can be used to detect if a new device is plugged into a
switch port. (Default: Disabled)
For MAC-based ports, reauthentication is only useful if the RADIUS
server configuration has changed. It does not involve communication
between the switch and the client, and therefore does not imply that a
client is still present on a port (see Age Period below).
◆ Reauthentication Period - Sets the time period after which a
connected client must be re-authenticated. (Range: 1-3600 seconds;
Default: 3600 seconds)
◆ EAP Timeout - Sets the time the switch waits for a supplicant
response during an authentication session before retransmitting an EAP
packet. (Range: 1-255; Default: 30 seconds)
◆ Age Period - The period used to calculate when to age out a client
allowed access to the switch through MAC-based authentication as
described below. (Range: 10-1000000 seconds; Default: 300 seconds)
Suppose a client is connected to a 3rd party switch or hub, which in
turn is connected to a port on this switch that is running MAC-based
authentication, and suppose the client gets successfully authenticated.
Now assume that the client powers down his PC. What should make the
switch forget about the authenticated client? Reauthentication will not
solve this problem, since this doesn't require the client to be present,
as discussed under Reauthentication Enabled above. The solution is
aging out authenticated clients.
A timer is started when the client gets authenticated. After half the age
period, the switch starts looking for frames sent by the client. If
another half age period elapses and no frames are seen, the client is
considered removed from the system, and it will have to authenticate
again the next time a frame is seen from it. If, on the other hand, the
client transmits a frame before the second half of the age period
To Next Page
Loading...
