Ericsson ECN330 - Page 151

Ericsson ECN330
1226 pages
Configuring the ECN330-switch
1451553-KDU 137 365 Uen D 2006-06-16
6.5.6 Configuring 802.1X Port Authentication
Network switches can provide open and easy access to network resources by
simply attaching a client PC. Although this automatic configuration and access
is a desirable feature, it also allows unauthorized personnel to easily intrude and
possibly gain access to sensitive network data.

The IEEE 802.1X (dot1x) standard defines a port-based access control
procedure that prevents unauthorized access to a network by requiring users to
first submit credentials for authentication. Access to all ECN330 ports in a
network can be centrally controlled from a server, which means that authorized
users can use the same credentials for authentication from any point within the
network.

The ECN330-switch uses the Extensible Authentication Protocol over LANs
(EAPOL) to exchange authentication protocol messages with the client, and a
remote RADIUS authentication server to verify user identity and access rights.
When a client (that is, the Supplicant) connects to an ECN330 port, the
ECN330-switch (that is, the Authenticator) responds with an EAPOL identity
request. The client provides its identity (such as a user name) in an EAPOL
response to the ECN330-switch, which forwards it to the RADIUS server. The
RADIUS server verifies the client identity and sends an access challenge back to
the client. The EAP packet from the RADIUS server contains not only the
challenge, but also the authentication method to be used. The client can reject
the authentication method and request another, depending on the configuration
of the client software and the RADIUS server. The authentication method must
be MD5. The client responds to the appropriate method with its credentials, such
as a password or certificate. The RADIUS server verifies the client credentials
and responds with an accept or reject packet. If authentication is successful, the
ECN330-switch allows the client to access the network. Otherwise, network
access is denied and the port remains blocked.
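
The challenge and response steps described above, as an added example that is not taken from the Ericsson manual: it frames EAP packets as defined in RFC 3748 and checks an MD5-Challenge answer, MD5(identifier || secret || challenge), the way the authentication server would. The function names, passwords and identifier value are constructed for illustration.

```python
import hashlib, hmac, os, struct

# EAP codes and types (RFC 3748); constant and function names are this example's own
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
T_IDENTITY, T_MD5 = 1, 4

def eap(code, ident, eap_type=None, data=b""):
    """Build an EAP packet: Code, Identifier, Length, then optional Type + data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse(pkt):
    """Return (code, identifier, type, data); reject inconsistent lengths."""
    if len(pkt) < 4:
        raise ValueError("short EAP packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if not 4 <= length <= len(pkt) or (code in (REQUEST, RESPONSE) and length < 5):
        raise ValueError("bad EAP length")
    return code, ident, (pkt[4] if length > 4 else None), pkt[5:length]

def md5_value(ident, secret, challenge):
    """MD5-Challenge value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def supplicant_answer(request, password):
    """Client side: answer an MD5-Challenge request from the server."""
    code, ident, typ, data = parse(request)
    if code != REQUEST or typ != T_MD5 or not data or data[0] > len(data) - 1:
        raise ValueError("not a valid MD5-Challenge request")
    value = md5_value(ident, password, data[1:1 + data[0]])
    return eap(RESPONSE, ident, T_MD5, bytes([len(value)]) + value)

def server_verify(response, ident, challenge, password):
    """Server side: return EAP Success or Failure for the client's answer."""
    try:
        code, rid, typ, data = parse(response)
        ok = (code == RESPONSE and rid == ident and typ == T_MD5
              and len(data) >= 17 and data[0] == 16
              and hmac.compare_digest(data[1:17], md5_value(ident, password, challenge)))
    except ValueError:
        ok = False  # malformed answer: treat as a failed authentication
    return eap(SUCCESS if ok else FAILURE, ident)

def run_exchange(client_pw, server_pw, ident=7):
    """Challenge, answer, verdict; True means the port would be opened."""
    challenge = os.urandom(16)  # fresh per attempt so an old answer cannot be reused
    request = eap(REQUEST, ident, T_MD5, bytes([16]) + challenge)
    verdict = server_verify(supplicant_answer(request, client_pw), ident, challenge, server_pw)
    return parse(verdict)[0] == SUCCESS
```

The password itself never crosses the port; only the digest does, and the server accepts it only if the identifier and challenge match the ones it issued.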