Manualshelf

ECIS4500 series Web Management Guide R02

ManualsBrandsEdgecore Networks ManualsEnterpriseIndustrial Gigabit Ethernet Switches
71727374757677787980
74
server request from the switch. This scenario will loop forever. Therefore, the server
timeout should be smaller than the supplicant's EAPOL Start frame retransmission
rate.
Single 802.1X
In port-based 802.1X authentication, once a supplicant is successfully authenticated
on a port, the whole port is opened for network traffic. This allows other clients
connected to the port (for instance through a hub) to piggy-back on the successfully
authenticated client and get network access even though they really aren't
authenticated. To overcome this security breach, use the Single 802.1X variant.
Single 802.1X is really not an IEEE standard, but features many of the same
characteristics as does port-based 802.1X. In Single 802.1X, at most one supplicant
can get authenticated on the port at a time. Normal EAPOL frames are used in the
communication between the supplicant and the switch. If more than one supplicant is
connected to a port, the one that comes first when the port's link comes up will be the
first one considered. If that supplicant doesn't provide valid credentials within a certain
amount of time, another supplicant will get a chance. Once a supplicant is
successfully authenticated, only that supplicant will be allowed access. This is the
most secure of all the supported modes. In this mode, the Port Security module is
used to secure a supplicant's MAC address once successfully authenticated.
Multi 802.1X
Multi 802.1X is - like Single 802.1X - not an IEEE standard, but a variant that features
many of the same characteristics. In Multi 802.1X, one or more supplicants can get
authenticated on the same port at the same time. Each supplicant is authenticated
individually and secured in the MAC table using the Port Security module.
In Multi 802.1X it is not possible to use the multicast BPDU MAC address as
destination MAC address for EAPOL frames sent from the switch towards the
supplicant, since that would cause all supplicants attached to the port to reply to
requests sent from the switch. Instead, the switch uses the supplicant's MAC address,
which is obtained from the first EAPOL Start or EAPOL Response Identity frame sent
by the supplicant. An exception to this is when no supplicants are attached. In this
case, the switch sends EAPOL Request Identity frames using the BPDU multicast
MAC address as destination - to wake up any supplicants that might be on the port.
The maximum number of supplicants that can be attached to a port can be limited
using the Port Security Limit Control functionality.
MAC-based Auth