Application Guide

ManualsBrandsAntaira Technologies ManualsComputers & AccessoriesAntaira LMX-0800 Industrial-Grade 8-Port Managed Fast Ethernet Switch, DIN-Rail Mount, -10 to 70°C Operating Temperature, Redundant 12 to 48 VDC Power Input

[67]

Software User's

Manual

–

Version 3.0

Admin State

If NAS is globally enabled, this selection controls the port’s authentication mode.

Setting Description

Force

Authorized

In this mode, the switch will send one EAPOL Success frame when the port

link comes up, and any client on the port will be allowed network access

without authentication.

Force

Unauthorized

In this mode, the switch will send one EAPOL Failure frame when the port link

comes up, and any client on the port will be disallowed

network access.

Port-based

802.1X

In the 802.1X-world, the user is called the supplicant, the switch is the

authenticator, and the RADIUS server is the authentication server. The

authenticator acts as the man-in-the-middle, forwarding requests and

responses between the supplicant and the authentication server. Frames sent

between the supplicant and the switch are special 802.1X frames, known as

EAPOL (EAP Over LANs) frames. EAPOL frames encapsulate EAP PDUs

(RFC3748). Frames sent between the switch and the RADIUS server are

RADIUS packets. RADIUS packets also encapsulate EAP PDUs together

with other attributes like the switch's IP address, name, and the supplicant's

port number on the switch. EAP is very flexible, in that it allows for different

authentication methods, like MD5-Challenge, PEAP, and TLS. The important

thing is that the authenticator (the switch) doesn't need to know which

authentication method the supplicant and the authentication server are using,

or how many information exchange frames are needed for a particular

method. The switch simply encapsulates the EAP part of the frame into the

relevant type (EAPOL or RADIUS) and forwards it.

When authentication is complete, the RADIUS server sends a special packet

containing a success or failure indication. Besides forwarding this decision to

the supplicant, the switch uses it to open up or block traffic on the switch port

connected to the supplicant.

NOTE: Suppose two backend servers are enabled and that the server

timeout is configured to X seconds (using the AAA configuration page) and

suppose that the first server in the list is currently down (but not considered

dead). Now, if the supplicant retransmits EAPOL Start frames at a rate faster

than X seconds, then it will never get authenticated, because the switch will

cancel on-going backend authentication server requests whenever it receives

a new EAPOL Start frame from the supplicant. And since the server hasn't yet

failed (because the X seconds haven't expired), the same server will be

contacted upon the next backend authentication server request from the

switch. This scenario will loop forever.

Therefore, the server timeout should be smaller than the supplicant's EAPOL

Start frame retransmission rate.

Single 802.1X

In port-based 802.1X authentication, once a supplicant is successfully

authenticated on a port, the whole port is opened for network traffic. This

allows other clients connected to the port (for instance through a hub) to

piggy-back on the successfully authenticated client and get network access

even though they really aren’t authenticated. To overcome this security

breach, use the Single 802.1X variant.

Single 802.1X is really not an IEEE standard, but features many of the same

characteristics as does port

based 802.1X. In Single 802.1X, at most one