Manualshelf

ECIS4500 series Web Management Guide R02

ManualsBrandsEdgecore Networks ManualsEnterpriseIndustrial Gigabit Ethernet Switches
71727374757677787980
Command Descriptions
75
Unlike port-based 802.1X, MAC-based authentication is not a standard, but merely a
best-practices method adopted by the industry. In MAC-based authentication, users
are called clients, and the switch acts as the supplicant on behalf of clients. The initial
frame (any kind of frame) sent by a client is snooped by the switch, which in turn uses
the client's MAC address as both username and password in the subsequent EAP
exchange with the RADIUS server. The 6-byte MAC address is converted to a string
on the following form "xx-xx-xx-xx-xx-xx", that is, a dash (-) is used as separator
between the lower-cased hexadecimal digits. The switch only supports the
MD5-Challenge authentication method, so the RADIUS server must be configured
accordingly.
When authentication is complete, the RADIUS server sends a success or failure
indication, which in turn causes the switch to open up or block traffic for that particular
client, using the Port Security module. Only then will frames from the client be
forwarded on the switch. There are no EAPOL frames involved in this authentication,
and therefore, MAC-based Authentication has nothing to do with the 802.1X standard.
The advantage of MAC-based authentication over 802.1X-based authentication is
that the clients don't need special supplicant software to authenticate. The
disadvantage is that MAC addresses can be spoofed by malicious users - equipment
whose MAC address is a valid RADIUS user can be used by anyone. Also, only the
MD5-Challenge method is supported. The maximum number of clients that can be
attached to a port can be limited using the Port Security Limit Control functionality.
RADIUS-Assigned QoS
Enabled
When RADIUS-Assigned QoS is both globally enabled and enabled (checked) on a
given port, the switch reacts to QoS Class information carried in the RADIUS
Access-Accept packet transmitted by the RADIUS server when a supplicant is
successfully authenticated. If present and valid, traffic received on the supplicant's
port will be classified to the given QoS Class. If (re-)authentication fails or the RADIUS
Access-Accept packet no longer carries a QoS Class or it's invalid, or the supplicant is
otherwise no longer present on the port, the port's QoS Class is immediately reverted
to the original QoS Class (which may be changed by the administrator in the
meanwhile without affecting the RADIUS-assigned).
This option is only available for single-client modes, i.e.
• Port-based 802.1X
Single 802.1X
RADIUS attributes used in identifying a QoS Class:
The User-Priority-Table attribute defined in RFC4675 forms the basis for
identifying the QoS Class in an Access-Accept packet.
Only the first occurrence of the attribute in the packet will be considered, and to be