User manual
APS User Manual
277
frame when the port link comes up, and any client on the port will be allowed network access without authentication.

Force Unauthorized: In this mode, the switch will send one EAPOL Failure frame when the port link comes up, and any client on the port will be disallowed network access.
Port-based 802.1X: In the 802.1X-world, the user is called the supplicant, the switch is the authenticator, and the RADIUS server is the authentication server. The authenticator acts as the man-in-the-middle, forwarding requests and responses between the supplicant and the authentication server. Frames sent between the supplicant and the switch are special 802.1X frames, known as EAPOL (EAP over LANs) frames. EAPOL frames encapsulate EAP PDUs (RFC3748). Frames sent between the switch and the RADIUS server are RADIUS packets. RADIUS packets also encapsulate EAP PDUs together with other attributes like the switch's IP address, name, and the supplicant's port number on the switch. EAP is very flexible, in that it allows for different authentication methods, like MD5-Challenge, PEAP, and TLS. The important thing is that the authenticator (the switch) doesn't need to know which authentication method the supplicant and the authentication server are using, or how many information exchange frames are needed for a particular method. The switch simply encapsulates the EAP part of the frame into the relevant type (EAPOL or RADIUS) and forwards it.

When authentication is complete, the RADIUS server sends a special packet containing a success or failure indication. Besides forwarding this decision to the supplicant, the switch uses it to open up or block traffic on the switch port connected to the supplicant.
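The relay step described above, as an added example that is not code from the manual or from the switch firmware: it pulls the EAP PDU out of an EAPOL-Packet, validates the RFC 3748 header, and re-encapsulates the PDU as RADIUS EAP-Message attributes, and does the reverse for the PDU coming back from the RADIUS server. The MAC addresses and the identity "alice" are constructed sample values; the other Access-Request attributes the manual mentions (switch IP address, name, port number) and the Message-Authenticator that RFC 3579 requires alongside EAP-Message are left out to keep the focus on the encapsulation.

```python
import struct

ETHERTYPE_EAPOL = 0x888E                        # 802.1X EAPOL EtherType
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")   # EAPOL group destination address
EAPOL_EAP_PACKET = 0                            # EAPOL type that carries an EAP PDU
EAPOL_START = 1                                 # EAPOL-Start: no EAP payload
RADIUS_EAP_MESSAGE = 79                         # RADIUS EAP-Message attribute (RFC 3579)

def parse_eapol(frame: bytes):
    """Split an Ethernet/EAPOL frame into (eapol_type, body)."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    _version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("truncated EAPOL body")
    return ptype, body

def parse_eap(pdu: bytes):
    """Return (code, identifier, eap_type) of an EAP PDU; reject bad lengths."""
    if len(pdu) < 4:
        raise ValueError("EAP PDU too short")
    code, ident, length = struct.unpack("!BBH", pdu[:4])
    if length != len(pdu):
        raise ValueError("EAP length field does not match PDU size")
    return code, ident, (pdu[4] if length > 4 else None)

def eap_to_radius(pdu: bytes) -> bytes:
    """Wrap an EAP PDU in EAP-Message attributes, splitting at 253 bytes each."""
    attrs = b""
    for i in range(0, len(pdu), 253):
        chunk = pdu[i:i + 253]
        attrs += struct.pack("!BB", RADIUS_EAP_MESSAGE, 2 + len(chunk)) + chunk
    return attrs

def eap_to_eapol(pdu: bytes, dst_mac: bytes, src_mac: bytes) -> bytes:
    """Wrap an EAP PDU (e.g. taken from the RADIUS reply) in an EAPOL-Packet frame."""
    hdr = struct.pack("!BBH", 1, EAPOL_EAP_PACKET, len(pdu))   # EAPOL version 1
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_EAPOL) + hdr + pdu

def relay_to_radius(frame: bytes):
    """Authenticator step: EAP part of a supplicant frame -> RADIUS attributes.
    Returns None for EAPOL-Start, which carries nothing to forward."""
    ptype, body = parse_eapol(frame)
    if ptype == EAPOL_START:
        return None
    if ptype != EAPOL_EAP_PACKET:
        raise ValueError(f"unhandled EAPOL type {ptype}")
    parse_eap(body)                     # validate the PDU before forwarding it
    return eap_to_radius(body)

# Constructed sample: EAP-Response/Identity "alice" sent by a supplicant
SUPPLICANT_MAC = bytes.fromhex("001122334455")
EAP_IDENTITY = b"\x02\x01\x00\x0a\x01alice"   # code=Response, id=1, len=10, type=Identity
SAMPLE_FRAME = eap_to_eapol(EAP_IDENTITY, PAE_GROUP_MAC, SUPPLICANT_MAC)
```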
NOTE: Suppose two backend servers are enabled and that the server timeout is configured to X seconds (using the AAA configuration page), and suppose that the first server in the list is currently down (but not considered dead).

Now, if the supplicant retransmits EAPOL Start frames at a rate faster than X seconds, then it will never get authenticated, because the switch will cancel on-going backend authentication server requests whenever it receives a new EAPOL Start frame from the supplicant.

And since the server hasn't yet failed (because the X seconds haven't expired), the same server will be contacted upon the next backend authentication server request from the switch. This