User`s guide

ManualsBrandsDraytek ManualsNetworkingP2261

191

192

193

194

195

196

197

198

199

200

VigorSwitch P2261 User’s Guide

188

characteristics. In Multi 802.1X, one or more supplicants

can get authenticated on the same port at the same time.

Each supplicant is authenticated individually and secured in

the MAC table using the Port Security module.

In Multi 802.1X it is not possible to use the multicast BPDU

MAC address as destination MAC address for EAPOL

frames sent from the switch towards the supplicant, since

that would cause all supplicants attached to the port to reply

to requests sent from the switch. Instead, the switch uses the

supplicant's MAC address, which is obtained from the first

EAPOL Start or EAPOL Response Identity frame sent by

the supplicant. An exception to this is when no supplicants

are attached. In this case, the switch sends EAPOL Request

Identity frames using the BPDU multicast MAC address as

destination - to wake up any supplicants that might be on

the port.

The maximum number of supplicants that can be attached to

a port can be limited using the Port Security Limit Control

functionality.

MAC-based Auth. - Unlike port-based 802.1X, MAC-based

authentication is not a standard, but merely a best-practices

method adopted by the industry. In MAC-based

authentication, users are called clients, and the switch acts

as the supplicant on behalf of clients. The initial frame (any

kind of frame) sent by a client is snooped by the switch,

which in turn uses the client's MAC address as both

username and password in the subsequent EAP exchange

with the RADIUS server. The 6-byte MAC address is

converted to a string on the following form

"xx-xx-xx-xx-xx-xx", that is, a dash (-) is used as separator

between the lower-cased hexadecimal digits. The switch

only supports the MD5-Challenge authentication method, so

the RADIUS server must be configured accordingly.

When authentication is complete, the RADIUS server sends

a success or failure indication, which in turn causes the

switch to open up or block traffic for that particular client,

using the Port Security module. Only then will frames from

the client be forwarded on the switch. There are no EAPOL

frames involved in this authentication, and therefore,

MAC-based Authentication has nothing to do with the

802.1X standard.

The advantage of MAC-based authentication over

port-based 802.1X is that several clients can be connected to

the same port (e.g. through a 3rd party switch or a hub) and

still require individual authentication, and that the clients

don't need special supplicant software to authenticate. The

advantage of MAC-based authentication over 802.1X-based

authentication is that the clients don't need special

supplicant software to authenticate. The disadvantage is that

MAC addresses can be spoofed by malicious users -

equipment whose MAC address is a valid RADIUS user can

be used by anyone. Also, only the MD5-Challenge method

is supported. The maximum number of clients that can be