78
The maximum number of supplicants that can be attached to a port can be limited
using the Port Security Limit Control functionality.
MAC-based Auth.:
Unlike port-based 802.1X, MAC-based authentication is not a standard, but merely
a best-practices method adopted by the industry. In MAC-based authentication,
users are called clients, and the switch acts as the supplicant on behalf of clients.
The initial frame (any kind of frame) sent by a client is snooped by the switch, which
in turn uses the client's MAC address as both username and password in the
subsequent EAP exchange with the RADIUS server. The 6-byte MAC address is
converted to a string on the following form "xx-xx-xx-xx-xx-xx", that is, a dash (-) is
used as separator between the lower-cased hexadecimal digits. The switch only
supports the MD5-Challenge authentication method, so the RADIUS server must be
configured accordingly.
When authentication is complete, the RADIUS server sends a success or failure
indication, which in turn causes the switch to open up or block traffic for that
particular client, using the Port Security module. Only then will frames from the
client be forwarded on the switch. There are no EAPOL frames involved in this
authentication, and therefore, MAC-based Authentication has nothing to do with
the 802.1X standard.
The advantage of MAC-based authentication over port-based 802.1X is that several
clients can be connected to the same port (e.g. through a 3rd party switch or a hub)
and still require individual authentication, and that the clients don't need special
supplicant software to authenticate. The advantage of MAC-based authentication
over 802.1X-based authentication is that the clients don't need special supplicant
software to authenticate. The disadvantage is that MAC addresses can be spoofed
by malicious users - equipment whose MAC address is a valid RADIUS user can be
used by anyone. Also, only the MD5-Challenge method is supported. The maximum
number of clients that can be attached to a port can be limited using the Port
Security Limit Control functionality.
RADIUS-Assigned QoS Enabled :
When RADIUS-Assigned QoS is both globally enabled and enabled (checked) on a
given port, the switch reacts to QoS Class information carried in the RADIUS
Access-Accept packet transmitted by the RADIUS server when a supplicant is
successfully authenticated. If present and valid, traffic received on the supplicant's
port will be classified to the given QoS Class. If (re-)authentication fails or the
To Next Page
Loading...
