Network Login Overview
ExtremeWare XOS 11.3 Concepts Guide
347
Disadvantages of Web-Based Authentication:
â—Ź The login process involves manipulation of IP addresses and must be done outside the scope of a
normal computer login process. It is not tied to a Windows login. The client must bring up a login
page and initiate a login.
â—Ź Supplicants cannot be re-authenticated transparently. They cannot be re-authenticated from the
authenticator side.
â—Ź This method is not as effective in maintaining privacy protection.
Advantages of MAC-Based Authentication:
â—Ź Works with any operating system or network enabled device.
â—Ź Works silently. The user, client, or device does not know that it gets authenticated.
â—Ź Ease of management. A set of devices can easily be grouped by the vendor part of the MAC address.
Disadvantages of MAC-Based Authentication:
â—Ź There is no re-authentication mechanism. The FDB aging timer determines the logout.
â—Ź Security is based on the MAC address of the client, so the network is more vulnerable to spoofing
attacks.
Advantages of 802.1x Authentication:
â—Ź In cases where the 802.1x is natively supported, login and authentication happens transparently.
â—Ź Authentication happens at Layer 2. It does not involve getting a temporary IP address and
subsequent release of the address to obtain a permanent IP address.
â—Ź Allows for periodic, transparent re-authentication of supplicants.
Disadvantages of 802.1x Authentication:
â—Ź 802.1x native support is available only on newer operating systems, such as Windows XP.
â—Ź 802.1x requires an EAP-capable RADIUS Server. Most current RADIUS servers support EAP, so this
is not a major disadvantage.
â—Ź Transport Layer Security (TLS) and Tunneled TLS (TTLS) authentication methods involve Public Key
Infrastructure (PKI), which adds to the administrative requirements.
Multiple Supplicant Support
An important enhancement over the IEEE 802.1x standard is that ExtremeWare XOS supports multiple
clients (supplicants) to be individually authenticated on the same port. This feature makes it possible for
two or more client stations to be connected to the same port, with some being authenticated while
others are not. A port's authentication state is the logical “OR” of the individual MAC's authentication
states. In other words, a port is authenticated if any of its connected clients is authenticated. Multiple
clients can be connected to a single port of authentication server through a hub or layer-2 switch.
Multiple supplicants are supported in ISP mode for both web-based and 802.1x authentication. On the
BlackDiamond 10K switch, multiple supplicants are supported in Campus mode only if all supplicants
move to the same VLAN. On the BlackDiamond 8800 family of switches and the Summit X450 switch,
multiple supplicants are supported in Campus mode if you configure and enable netlogin MAC-based
VLANs. Netlogin MAC-based VLANs are not supported on the BlackDiamond 10K switch or 10 Gigabit
Ethernet ports. For more information, see “Configuring Netlogin MAC-Based VLANs—BlackDiamond
8800 Family of Switches and the Summit X450 Switch Only” on page 372.
To Next Page
Loading...
Need help?
General
