77
In port-based 802.1X authentication, once a supplicant is successfully authenticated
on a port, the whole port is opened for network traffic. This allows other clients
connected to the port (for instance through a hub) to piggy-back on the
successfully authenticated client and get network access even though they really
aren't authenticated. To overcome this security breach, use the Single 802.1X variant.
Single 802.1X is really not an IEEE standard, but features many of the same
characteristics as does port-based 802.1X. In Single 802.1X, at most one supplicant
can get authenticated on the port at a time. Normal EAPOL frames are used in the
communication between the supplicant and the switch. If more than one supplicant
is connected to a port, the one that comes first when the port's link comes up will
be the first one considered. If that supplicant doesn't provide valid credentials
within a certain amount of time, another supplicant will get a chance. Once a
supplicant is successfully authenticated, only that supplicant will be allowed access.
This is the most secure of all the supported modes. In this mode, the Port Security
module is used to secure a supplicant's MAC address once successfully
authenticated.
Multi 802.1X :
In port-based 802.1X authentication, once a supplicant is successfully authenticated
on a port, the whole port is opened for network traffic. This allows other clients
connected to the port (for instance through a hub) to piggy-back on the
successfully authenticated client and get network access even though they really
aren't authenticated. To overcome this security breach, use the Multi 802.1X variant.
Multi 802.1X is really not an IEEE standard, but features many of the same
characteristics as does port-based 802.1X. Multi 802.1X is - like Single 802.1X - not
an IEEE standard, but a variant that features many of the same characteristics. In
Multi 802.1X, one or more supplicants can get authenticated on the same port at
the same time. Each supplicant is authenticated individually and secured in the MAC
table using the Port Security module.
In Multi 802.1X it is not possible to use the multicast BPDU MAC address as
destination MAC address for EAPOL frames sent from the switch towards the
supplicant, since that would cause all supplicants attached to the port to reply to
requests sent from the switch. Instead, the switch uses the supplicant's MAC address,
which is obtained from the first EAPOL Start or EAPOL Response Identity frame sent
by the supplicant. An exception to this is when no supplicants are attached. In this
case, the switch sends EAPOL Request Identity frames using the BPDU multicast
MAC address as destination - to wake up any supplicants that might be on the port.
To Next Page
Loading...
