Huawei Quidway S1700 Series User Manual

Huawei Quidway S1700 Series
122 pages
Quidway S1700 Series Ethernet Switches
Web User Manual 9 Security Measures
Issue 01 (2011-11-17) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd
83
server, which means that authorized users can use the same credentials for authentication from
any point within the network.
This switch uses the Extensible Authentication Protocol over LANs (EAPOL) to exchange
authentication protocol messages with the client, and a remote RADIUS authentication server
to verify user identity and access rights. When a client (i.e., Supplicant) connects to a switch
port, the switch (i.e., Authenticator) responds with an EAPOL identity request. The client
provides its identity (such as a user name) in an EAPOL response to the switch, which
forwards it to the RADIUS server. The RADIUS server verifies the client identity and sends an
access challenge back to the client. The EAP packet from the RADIUS server contains not
only the challenge, but the authentication method to be used. The client can reject the
authentication method and request another, depending on the configuration of the client
software and the RADIUS server. The encryption method used to pass authentication
messages can be MD5 (Message-Digest 5), TLS (Transport Layer Security), PEAP (Protected
Extensible Authentication Protocol), or TTLS (Tunneled Transport Layer Security). The client
responds to the appropriate method with its credentials, such as a password or certificate. The
RADIUS server verifies the client credentials and responds with an accept or reject packet. If
authentication is successful, the switch allows the client to access the network. Otherwise,
non-EAP traffic on the port is blocked or assigned to a guest VLAN based on the
“intrusion-action” setting. In “multi-host” mode, only one host connected to a port needs to
pass authentication for all other hosts to be granted network access. Similarly, a port can
become unauthorized for all hosts if one attached host fails re-authentication or sends an
EAPOL logoff message.
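When troubleshooting a port that will not authorize, the exchange described above can be followed by decoding each EAPOL frame in a capture. The following is an added example, not part of the Huawei manual: a minimal EAPOL/EAP header decoder run over a constructed exchange. The helper eap(), the user name "alice" and the sample frames are assumptions made for illustration.

```python
import struct

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_METHODS = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "TLS", 21: "TTLS", 25: "PEAP"}

def decode_eapol(payload: bytes) -> str:
    """Summarise one EAPOL PDU (the bytes that follow EtherType 0x888E)."""
    if len(payload) < 4:
        raise ValueError("truncated EAPOL header")
    _version, ptype, body_len = struct.unpack("!BBH", payload[:4])
    body = payload[4:4 + body_len]
    if len(body) < body_len:
        raise ValueError("EAPOL body shorter than declared length")
    if ptype != 0:                       # Start / Logoff / Key carry no EAP packet
        return EAPOL_TYPES.get(ptype, f"type-{ptype}")
    if len(body) < 4:
        raise ValueError("truncated EAP header")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if not 4 <= eap_len <= len(body):
        raise ValueError("bad EAP length field")
    out = f"EAP {EAP_CODES.get(code, code)} id={ident}"
    if code in (1, 2) and eap_len >= 5:  # only Request/Response carry a method type
        method, data = body[4], body[5:eap_len]
        out += f" {EAP_METHODS.get(method, method)}"
        if method == 1 and code == 2:    # identity supplied by the supplicant
            out += f" identity={data.decode('utf-8', 'replace')}"
        elif method == 3:                # Nak: client rejects the method, lists others
            out += " wants=" + ",".join(str(EAP_METHODS.get(m, m)) for m in data)
    return out

def eap(code, ident, method=None, data=b""):
    """Hypothetical helper: build an EAPOL v1 frame carrying one EAP packet."""
    body = (bytes([method]) + data) if method is not None else b""
    pkt = struct.pack("!BBH", code, ident, 4 + len(body)) + body
    return struct.pack("!BBH", 1, 0, len(pkt)) + pkt

SAMPLE = [  # constructed frames, not captured traffic
    eap(1, 1, 1),                       # switch -> client: identity request
    eap(2, 1, 1, b"alice"),             # client -> switch: identity response
    eap(1, 2, 4, b"\x10" + bytes(16)),  # RADIUS challenge proposing MD5
    eap(2, 2, 3, bytes([25])),          # client rejects MD5 and requests PEAP
    eap(1, 3, 25, b"\x20"),             # PEAP start (tunnel messages omitted)
    eap(3, 4),                          # accept relayed: port becomes authorized
    struct.pack("!BBH", 1, 2, 0),       # EAPOL logoff: port returns to unauthorized
]

def decode_all(frames=SAMPLE):
    return [decode_eapol(f) for f in frames]
```

Calling decode_all() returns one summary line per frame, so a Nak followed by a different method, or an unexpected EAPOL-Logoff on a multi-host port, stands out immediately.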
9.6.1 Configuring 802.1x Global Settings
Use the Security > Port Authentication (Configure Global) page to configure IEEE 802.1X
port authentication. The 802.1X protocol must be enabled globally for the switch system
before port settings are active.
To configure global settings for 802.1X:
1. Click Security, Port Authentication.
2. Select Configure Global from the Step list.
3. Enable 802.1X globally for the switch.
4. Click Apply.
Figure 9-10 Configuring Global Settings for 802.1x Port Authentication
