Application Guide
[68]
Software User's
Manual
–
Version 3.0
supplicant can get authenticated on the port at a time. Normal EAPOL frames
are used in the communication between the supplicant and the switch. If
more than one supplicant is connected to a port, the one that comes first
when the port’s link comes up will be the first one considered. If that
supplicant doesn’t provide valid credentials within a certain amount of time,
another supplicant will get a chance. Once a supplicant is successfully
authenticated, only that supplicant will be allowed access. This is the most
secure of all the supported modes. In this mode, the Port Security module is
used to secure a supplicant’s
MAC address once successfully authenticated.
Multi 802.1X
Multi 802.1X is - like Single 802.1X - not an IEEE standard, but a variant that
features many of the same characteristics. In Multi 802.1X, one or more
supplicants can get authenticated on the same port at the same time. Each
supplicant is authenticated individually and secured in the MAC table using
the Port Security module.
In Multi 802.1X, it is not possible to use the multicast BPDU MAC address as
destination MAC address for EAPOL frames sent from the switch towards the
supplicant, since that would cause all supplicants attached to the port to reply
to requests sent from the switch. Instead, the switch uses the supplicant’s
MAC address, which is obtained from the first EAPOL Start or EAPOL
Response.
Identity frame sent by the supplicant. An exception to this is when no
supplicants are attached. In this case, the switch sends EAPOL Request
Identity frames using the BPDU multicast MAC address as destination - to
wake up any supplicants that might be on the port.
The maximum number of supplicants that can be attached to a port can be
limited using the Port Security Limit Control functionality.
MAC-based
Auth.
Unlike port-based 802.1X, MAC-based authentication is not a standard, but
merely a best-practice method adopted by the industry. In MAC-based
authentication, users are called clients, and the switch acts as the supplicant
on behalf of clients. The initial frame (any kind of frame) sent by a client is
snooped by the switch, which in turn uses the client’s MAC address as both
username and password in the subsequent EAP exchange with the RADIUS
server. The 6-byte MAC address is converted to a string on the following form
“xx-xx-xx-xx-xx-xx”, that is a dash (-) is used as separator between the lower-
cased hexadecimal digits. The switch only supports the MD5-Challenge
authentication method, so the RADIUS server must be configured
accordingly.
When authentication is complete, the RADIUS server sends a success or
failure indication, which in turn causes the switch to open up or block traffic
for that particular client, using the Port Security module. Only then will frames
from the client be forwarded on the switch. There are no EAPOL frames
involved in this authentication, and therefore, MAC-based Authentication has
nothing to do with the 802.1X standard.
The advantage of MAC-based authentication over 802.1X-based
authentication is that the clients don’t need special supplicant software to
authenticate. The disadvantage is that MAC addresses can be spoofed by
malicious users - equipment whose MAC address is a valid RADIUS user can
be used by anyone. Also, only the MD5
-
Challenge method is supported. The