Specifications

Alcatel-Lucent Page 22
OmniSwitch 6850 Series
Authenticated VLANs (A-VLANs)
Authenticated VLANs control user access to network resources based on VLAN assignment and a user
login process; the process is sometimes called user authentication or Layer 2 Authentication. (Another
type of security is device authentication, which is set up through the use of port-binding VLAN
policies or static port assignment.) The terms authenticated VLANs (A-VLANs) and Layer 2
Authentication are synonymous. Layer 2 Authentication is different from another feature in the switch
called Authenticated Switch Access, which is used to grant individual users access to manage the
switch. An authenticated network requires several components:
Authentication servers: A RADIUS or LDAP server must be configured in the network. The server
contains a database of user information that the switch checks whenever a user tries to authenticate
through the switch. (Note that the local user database on the switch may not be used for Layer 2
authentication.) Backup servers may be configured for the authentication server.
    RADIUS or LDAP server: Follow the manufacturer's instructions for your particular
    server. The external server may also be used for Authenticated Switch Access.
    RADIUS or LDAP client in the switch: The switch must be set up to communicate with
    the RADIUS or LDAP server.
Authentication clients: Authentication clients log in through the switch to get access to A-VLANs.
There are three types of clients:
    AV-Client: This is an Alcatel-proprietary authentication client. The AV-Client does not
    require an IP address prior to authentication. The client software must be installed on the
    user's end station.
    Telnet client: Any standard Telnet client can be used. An IP address is required prior to
    authentication.
    Web browser client: Any standard Web browser can be used (Netscape or Internet
    Explorer). An IP address is required prior to authentication.
Authenticated VLANs: At least one authenticated VLAN must be configured.
Authentication port: At least one mobile port must be configured on the switch as an authentication
port. This is the physical port through which authentication clients are attached to the switch.
DHCP server: A DHCP server can provide IP addresses to clients prior to authentication. After
authentication, any client can obtain an IP address in an authenticated VLAN to which the client is
allowed access. A relay to the server must be set up on the switch.
Authentication agent in the switch: Authentication is enabled when the server(s) and the server
authority mode are specified on the switch.
Note: AVLAN Web Authentication: Mac OS X 10.3.x is supported for AVLAN web authentication
using JVM v1.4.2. The maximum number of A-VLAN users supported is 2,048.
IEEE 802.1X
Note: there is no switch-based local database for IEEE 802.1x authentication.
Here are the limits:
    Maximum number of supplicant / non-supplicant users per system: 1024
    Maximum number of non-supplicant users per port: 1024
    Maximum number of supplicant users per port: 253
    Maximum combined number of supplicant and non-supplicant users per port: 1024
    The system supports up to 1024 authenticated/mobile MAC addresses.
    The system can process roughly 200 MAC addresses per second.
Physical devices attached to a LAN port on the switch through a point-to-point LAN connection may
be authenticated by the switch using port-based network access control. This control is
available through the IEEE 802.1X standard implemented on the switch. In addition, interoperability
between Alcatel 802.1x and Sygate Management Server (SMS) and Sygate Enforcer is also supported.
The identity field in Alcatel 802.1x authentication works with all applications that send more than 32
bytes (e.g., Sygate).
IEEE 802.1X Specifications:
RFCs Supported:
RFC 2284–PPP Extensible Authentication Protocol (EAP)
RFC 2865–Remote Authentication Dial In User Service (RADIUS)
RFC 2866–RADIUS Accounting
RFC 2867–RADIUS Accounting Modifications for Tunnel Protocol Support
RFC 2868–RADIUS Attributes for Tunnel Protocol Support
RFC 2869–RADIUS Extensions
IEEE Standards Supported:
IEEE 802.1X-2001–Standard for Port-based Network Access Control
802.1X RADIUS Usage Guidelines
The 802.1X standard defines port-based network access controls, and provides the structure for
authenticating physical devices attached to a LAN. It uses the Extensible Authentication Protocol over
LAN (EAPOL). There are three components for 802.1X:
    The Supplicant: This is the device connected to the switch. The device may be connected
    directly to the switch or via a point-to-point LAN segment. Typically the supplicant is a PC.
    The Authenticator Port Access Entity (PAE): This entity requires authentication from the
    supplicant. The authenticator is connected to the supplicant directly or via a point-to-point
    LAN segment. The OmniSwitch acts as the authenticator.
    The Authentication Server: This component provides the authentication service and
    verifies the credentials (username, password, challenge, etc.) of the supplicant. On the
    OmniSwitch, only RADIUS servers are currently supported for 802.1X authentication.
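The three roles above, carried through one message hop each, as an added example that is not part of the Alcatel-Lucent document and not OmniSwitch code: the supplicant builds an EAP Response/Identity inside an EAPOL EAP-Packet frame (IEEE 802.1X, RFC 2284), the authenticator PAE validates every length field before trusting the payload and relays the EAP packet to the server inside a RADIUS Access-Request using the EAP-Message and Message-Authenticator attributes (RFC 2865, RFC 2869), and the server checks the HMAC and reassembles the EAP packet. The MAC address, identity, shared secret and function names are constructed for the example; no network I/O is performed. The identity check also covers the over-32-byte identity case mentioned earlier on this page.

```python
import hashlib
import hmac
import os
import struct

# Constants from IEEE 802.1X / RFC 2284 / RFC 2865 / RFC 2869
EAPOL_ETHERTYPE = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE group MAC address
EAPOL_EAP_PACKET = 0
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80


def supplicant_identity_response(src_mac, identity, eap_id=1):
    """Supplicant: EAP Response/Identity inside an EAPOL EAP-Packet, in an Ethernet frame."""
    eap = struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(identity), EAP_TYPE_IDENTITY) + identity
    eapol = struct.pack("!BBH", 1, EAPOL_EAP_PACKET, len(eap)) + eap
    return PAE_GROUP_ADDR + src_mac + struct.pack("!H", EAPOL_ETHERTYPE) + eapol


def authenticator_parse_eapol(frame):
    """Authenticator PAE: check each length field before trusting the EAP payload."""
    if len(frame) < 23:
        raise ValueError("frame too short for Ethernet + EAPOL + EAP headers")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError("not an EAPOL frame")
    _version, eapol_type, eapol_len = struct.unpack("!BBH", frame[14:18])
    if eapol_type != EAPOL_EAP_PACKET:
        raise ValueError("only EAP-Packet frames are handled here")
    eap = frame[18:18 + eapol_len]
    if len(eap) != eapol_len or eapol_len < 5:
        raise ValueError("EAPOL length does not match frame")
    code, eap_id, eap_len, eap_type = struct.unpack("!BBHB", eap[:5])
    if eap_len != eapol_len:
        raise ValueError("EAP length does not match EAPOL body")
    identity = eap[5:] if (code == EAP_RESPONSE and eap_type == EAP_TYPE_IDENTITY) else None
    return {"src_mac": frame[6:12], "code": code, "id": eap_id, "type": eap_type,
            "identity": identity, "eap": eap}


def _attr(attr_type, value):
    """One RADIUS attribute: type, total length, value."""
    return bytes([attr_type, 2 + len(value)]) + value


def authenticator_to_radius(eap, identity, secret, req_id=0):
    """Authenticator -> server: Access-Request carrying EAP-Message plus Message-Authenticator."""
    request_authenticator = os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, identity)
    for i in range(0, len(eap), 253):          # RFC 2869: EAP-Message chunked at 253 bytes
        attrs += _attr(ATTR_EAP_MESSAGE, eap[i:i + 253])
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))   # zeroed while computing the HMAC
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, req_id, 20 + len(attrs)) + request_authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def server_extract_eap(packet, secret):
    """Authentication server: verify Message-Authenticator, then reassemble the EAP packet."""
    pos, attrs, mac_pos = 20, [], None
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed RADIUS attribute")
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            mac_pos = pos + 2
        attrs.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    if mac_pos is None:
        raise ValueError("Message-Authenticator is required with EAP-Message (RFC 2869)")
    zeroed = packet[:mac_pos] + bytes(16) + packet[mac_pos + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, packet[mac_pos:mac_pos + 16]):
        raise ValueError("Message-Authenticator check failed")
    return b"".join(value for attr_type, value in attrs if attr_type == ATTR_EAP_MESSAGE)


def demo(identity=b"user@example.com"):
    """Run supplicant -> authenticator -> server for one constructed identity and MAC."""
    frame = supplicant_identity_response(bytes.fromhex("001122334455"), identity)
    parsed = authenticator_parse_eapol(frame)
    secret = b"constructed-shared-secret"         # constructed; never reuse in production
    request = authenticator_to_radius(parsed["eap"], parsed["identity"], secret)
    return parsed["identity"], server_extract_eap(request, secret) == parsed["eap"]


if __name__ == "__main__":
    print(demo())
```

The authenticator never interprets the credential itself; it only validates framing and relays, which is why the text lists RADIUS as the only supported server for 802.1X. The Message-Authenticator is what lets the server reject a relayed Access-Request whose EAP-Message was altered in transit.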
Note: The IEEE 802.1x Multi-client and Multi-VLAN feature provides the capability to force every user
behind a given port to authenticate and be placed into their own applicable VLAN, and allows multiple
VLANs to be properly established on a single port. In other words, multiple supplicants can be
authenticated on a given 802.1x port