
Chapter 5: Security
Extreme Networks EAS 100-24t Switch Software Manual
Client

The Client is simply the end station that wishes to gain access to the LAN or switch services. All end stations must be running software that is compliant with the 802.1X protocol. For users running Windows XP and Windows Vista, that software is included within the operating system. All other users are required to obtain 802.1X client software from an outside source. The Client will request access to the LAN or Switch through EAPOL packets and, in turn, will respond to requests from the Switch.

Authentication Process

Utilizing the three roles stated above, the 802.1X protocol provides a stable and secure way of authorizing and authenticating users attempting to access the network. Only EAPOL traffic is allowed to pass through the specified port before a successful authentication is made. This port is “locked” until the point when a Client with the correct username and password (and MAC address if 802.1X is enabled by MAC address) is granted access and therefore successfully “unlocks” the port. Once unlocked, normal traffic is allowed to pass through the port. The following figure displays a more detailed explanation of how the authentication process is completed between the three roles stated above.

The implementation of 802.1X allows network administrators to choose between two types of Access Control used on the Switch:
1. Port-Based Access Control – This method requires only one user to be authenticated per port by a remote RADIUS server to allow the remaining users on the same port access to the network.
2. Host-Based Access Control – Using this method, the Switch will automatically learn up to a maximum of 16 MAC addresses per port and set them in a list. Each MAC address must be authenticated by the Switch using a remote RADIUS server before being allowed access to the Network.

Understanding 802.1X Port-based and Host-based Network Access Control

The original intent behind the development of 802.1X was to leverage the characteristics of point-to-point connections in LANs, where any single LAN segment in such infrastructures has no more than two devices attached to it, one of which is a Bridge Port. The Bridge Port detects events that indicate the attachment of an active device at the remote end of the link, or an active device becoming inactive. These events can be used to control the authorization state of the Port and initiate the process of authenticating the attached device if the Port is unauthorized. This is Port-Based Network Access Control.
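
The two access control modes and the rule that only EAPOL passes a locked port can be modelled as a forwarding decision on ingress frames. This is an added example, not code from the manual or the Switch firmware; the `Port` class, its method names, the sample MAC addresses, the restriction to untagged frames and the handling of a full learning table are assumptions made for illustration.

```python
import struct

ETHERTYPE_EAPOL = 0x888E   # EtherType that carries EAPOL (IEEE 802.1X)
MAX_HOSTS_PER_PORT = 16    # host-based learning limit stated in the manual

class Port:
    """Toy model of one authenticator port (assumed behaviour, untagged frames)."""
    def __init__(self, mode):
        if mode not in ("port-based", "host-based"):
            raise ValueError(mode)
        self.mode = mode
        self.port_authorized = False   # port-based: one flag for the whole port
        self.hosts = {}                # host-based: source MAC -> authenticated?

    def radius_accept(self, mac):
        """Record that the RADIUS server accepted the client using `mac`."""
        if self.mode == "port-based":
            self.port_authorized = True     # unlocks the port for every attached host
        elif mac in self.hosts:
            self.hosts[mac] = True          # unlocks this MAC address only

    def admit(self, frame):
        """Return True if this ingress Ethernet frame may pass the port."""
        if len(frame) < 14:
            return False                    # shorter than an Ethernet header
        src = frame[6:12]
        (ethertype,) = struct.unpack("!H", frame[12:14])
        if self.mode == "host-based" and src not in self.hosts:
            if len(self.hosts) >= MAX_HOSTS_PER_PORT:
                return False                # assumption: table full, MAC not learned
            self.hosts[src] = False         # learned, not yet authenticated
        if ethertype == ETHERTYPE_EAPOL:
            return True                     # EAPOL passes even while locked
        if self.mode == "port-based":
            return self.port_authorized
        return self.hosts[src]

def make_frame(src, ethertype, payload=b""):
    """Build a constructed test frame: broadcast dst, src MAC, EtherType, payload."""
    return b"\xff" * 6 + src + struct.pack("!H", ethertype) + payload

def demo(mode):
    """Return (data before auth, EAPOL-Start, A's data after auth, B's data)."""
    a, b = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")  # constructed MACs
    port = Port(mode)
    before = port.admit(make_frame(a, 0x0800))                        # IPv4 while locked
    start = port.admit(make_frame(a, ETHERTYPE_EAPOL, b"\x01\x01\x00\x00"))  # EAPOL-Start
    port.radius_accept(a)                                             # A authenticates
    return before, start, port.admit(make_frame(a, 0x0800)), port.admit(make_frame(b, 0x0800))
```

Calling `demo("port-based")` and `demo("host-based")` differs only in the last value: host B, which never authenticated, is forwarded on the port-based port once host A has unlocked it, and is dropped on the host-based port.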