Manualshelf

ECIS4500 series Web Management Guide R02

ManualsBrandsEdgecore Networks ManualsEnterpriseIndustrial PoE+ Gigabit Ethernet Switches
71727374757677787980
Command Descriptions
73
following modes are available:
Force Authorized
In this mode, the switch will send one EAPOL Success frame when the port link
comes up, and any client on the port will be allowed network access without
authentication.
Force Unauthorized
In this mode, the switch will send one EAPOL Failure frame when the port link comes
up, and any client on the port will be disallowed network access.
Port-based 802.1X
In the 802.1X-world, the user is called the supplicant, the switch is the authenticator,
and the RADIUS server is the authentication server. The authenticator acts as the
man-in-the-middle, forwarding requests and responses between the supplicant and
the authentication server. Frames sent between the supplicant and the switch are
special 802.1X frames, known as EAPOL (EAP Over LANs) frames. EAPOL frames
encapsulate EAP PDUs (RFC3748). Frames sent between the switch and the
RADIUS server are RADIUS packets. RADIUS packets also encapsulate EAP PDUs
together with other attributes like the switch's IP address, name, and the supplicant's
port number on the switch. EAP is very flexible, in that it allows for different
authentication methods, like MD5-Challenge, PEAP, and TLS. The important thing is
that the authenticator (the switch) doesn't need to know which authentication method
the supplicant and the authentication server are using, or how many information
exchange frames are needed for a particular method. The switch simply encapsulates
the EAP part of the frame into the relevant type (EAPOL or RADIUS) and forwards it.
When authentication is complete, the RADIUS server sends a special packet
containing a success or failure indication. Besides forwarding this decision to the
supplicant, the switch uses it to open up or block traffic on the switch port connected
to the supplicant.
Note: Suppose two backend servers are enabled and that the server timeout is
configured to X seconds (using the AAA configuration page), and suppose that the
first server in the list is currently down (but not considered dead). Now, if the
supplicant retransmits EAPOL Start frames at a rate faster than X seconds, then it will
never get authenticated, because the switch will cancel on-going backend
authentication server requests whenever it receives a new EAPOL Start frame from
the supplicant. And since the server hasn't yet failed (because the X seconds haven't
expired), the same server will be contacted upon the next backend authentication