User manual
APS User Manual
279
destination MAC address for EAPOL frames sent from the switch towards
the supplicant, since that would cause all supplicants attached to the port to
reply to requests sent from the switch. Instead, the switch uses the
supplicant's MAC address, which is obtained from the first EAPOL Start or
EAPOL Response Identity frame sent by the supplicant. An exception to this
is when no supplicants are attached. In this case, the switch sends EAPOL
Request Identity frames using the BPDU multicast MAC address as
destination - to wake up any supplicants that might be on the port.
The maximum number of supplicants that can be attached to a port can be
limited using the Port Security Limit Control functionality.
MAC-based Auth.: Unlike port-based 802.1X, MAC-based authentication is
not a standard, but merely a best-practices method adopted by the industry.
In MAC-based authentication, users are called clients, and the switch acts as
the supplicant on behalf of clients. The initial frame (any kind of frame) sent
by a client is snooped by the switch, which in turn uses the client's MAC
address as both username and password in the subsequent EAP exchange
with the RADIUS server. The 6-byte MAC address is converted to a string on
the following form "xx-xx-xx-xx-xx-xx", that is, a dash (-) is used as separator
between the lower-cased hexadecimal digits. The switch only supports the
MD5-Challenge authentication method, so the RADIUS server must be
configured accordingly.
When authentication is complete, the RADIUS server sends a success or
failure indication, which in turn causes the switch to open up or block traffic
for that particular client, using the Port Security module. Only then will
frames from the client be forwarded on the switch. There are no EAPOL
frames involved in this authentication, and therefore, MAC-based
Authentication has nothing to do with the 802.1X standard.
The advantage of MAC-based authentication over port-based 802.1X is that
several clients can be connected to the same port (e.g. through a 3rd party
switch or a hub) and still require individual authentication, and that the
clients don't need special supplicant software to authenticate. The
advantage of MAC-based authentication over 802.1X-based authentication
is that the clients don't need special supplicant software to authenticate.
The disadvantage is that MAC addresses can be spoofed by malicious users -
equipment whose MAC address is a valid RADIUS user can be used by
anyone. Also, only the MD5-Challenge method is supported. The maximum
number of clients that can be attached to a port can be limited using the
Port Security Limit Control functionality.