User Manual User Manual
Table Of Contents
- INTRODUCTION
- INSTALLATION
- SWITCH MANAGEMENT
- WEB CONFIGURATION
- Main Web Page
- System
- System Information
- IP Configuration
- IPv6 Configuration
- Users Configuration
- Users Privilege Levels
- NTP Configuration
- UPnP Configuration
- DHCP Relay
- DHCP Relay Statistics
- CPU Load
- _
- System Log
- Detailed Log
- Remote Syslog
- SMTP Configure
- Web Firmware Upgrade
- TFTP Firmware Upgrade
- Configuration Backup
- Configuration Upload
- _
- Factory Default
- _
- System Reboot
- Simple Network Management Protocol
- Port Management
- Link Aggregation
- VLAN
- Spanning Tree Protocol
- Multicast
- Quality of Service
- Access Control Lists
- Access Control List Status
- Access Control List Configuration
- ACE Configuration
- ACL Ports Configuration
- ACL Rate Limiter Configuration
- Understanding IEEE 802.1X Port-Based Authentication
- Authentication Configuration
- Network Access Server Configuration
- Network Access Overview
- Network Access Statistics
- _
- Authentication Server Configuration
- RADIUS Overview
- _
- RADIUS Details
- Windows Platform RADIUS Server Configuration
- 4.11.10 802.1X Client Configuration
- Security
- Address Table
- _
- LLDP
- Network Diagnostics
- Power over Ethernet (GE-DSSG-244-POE / NS3601-24P/4S)
- _
- COMMAND LINE INTERFACE
- Command Line Mode
- _
- System Command
- Stack
- IP Command
- Port Management Command
- MAC Address Table Command
- VLAN Configuration Command
- _
- Private VLAN Configuration Command
- Security Command
- Security Switch User Configuration
- Security Switch User Add
- Security Switch User Delete
- Security Switch Privilege Level Configuration
- Security Switch Privilege Level Group
- Security Switch Privilege Level Current
- Security Switch Auth Configuration
- Security Switch Auth Method
- Security Switch SSH Configuration
- Security Switch SSH Mode
- Security Switch HTTPs Configuration
- Security Switch HTTPs Mode
- Security Switch HTTPs Redirect
- Security Switch Access Configuration
- Security Switch Access Mode
- Security Switch Access Add
- Security Switch Access IPv6 Add
- Security Switch Access Delete
- Security Switch Access Lookup
- Security Switch Access Clear
- Security Switch Access Statistics
- Security Switch SNMP Configuration
- Security Switch SNMP Mode
- Security Switch SNMP Version
- Security Switch SNMP Read Community
- Security Switch SNMP Write Community
- Security Switch SNMP Trap Mode
- Security Switch SNMP Trap Version
- Security Switch SNMP Trap Community
- Security Switch SNMP Trap Destination
- Security Switch SNMP Trap IPv6 Destination
- Security Switch SNMP Trap Authentication Failure
- Security Switch SNMP Trap Link-up
- Security Switch SNMP Trap Inform Mode
- Security Switch SNMP Trap Inform Timeout
- Security Switch SNMP Trap Inform Retry Times
- Security Switch SNMP Trap Probe Security Engine ID
- Security Switch SNMP Trap Security Engine ID
- Security Switch SNMP Trap Security Name
- Security Switch SNMP Engine ID
- Security Switch SNMP Community Add
- Security Switch SNMP Community Delete
- Security Switch SNMP Community Lookup
- Security Switch SNMP User Add
- Security Switch SNMP User Delete
- Security Switch SNMP User Changekey
- Security Switch SNMP User Lookup
- Security Switch SNMP Group Add
- Security Switch SNMP Group Delete
- Security Switch SNMP Group Lookup
- Security Switch SNMP View Add
- Security Switch SNMP View Delete
- Security Switch SNMP View Lookup
- Security Switch SNMP Access Add
- Security Switch SNMP Access Delete
- Security Switch SNMP Access Lookup
- Security Network Psec Switch
- Security Network Psec Port
- Security Network Limit Configuration
- Security Network Limit Mode
- Security Network Limit Aging
- Security Network Limit Agetime
- Security Network Limit Port
- Security Network Limit Limit
- Security Network Limit Action
- Security Network Limit Reopen
- Security Network NAS Configuration
- Security Network NAS Mode
- Security Network NAS State
- Security Network NAS Reauthentication
- Security Network NAS ReauthPeriod
- Security Network NAS EapolTimeout
- Security Network NAS Agetime
- Security Network NAS Holdtime
- Security Network NAS RADIUS_QoS
- Security Network NAS RADIUS_VLAN
- Security Network NAS Guest_VLAN
- Security Network NAS Authenticate
- Security Network NAS Statistics
- Security Network ACL Configuration
- Security Network ACL Action
- Security Network ACL Policy
- Security Network ACL Rate
- Security Network ACL Add
- Security Network ACL Delete
- Security Network ACL Lookup
- Security Network ACL Clear
- Security Network ACL Status
- Security Network DHCP Relay Configuration
- Security Network DHCP Relay Mode
- Security Network DHCP Relay Server
- Security Network DHCP Relay Information Mode
- Security Network DHCP Relay Information Policy
- Security Network DHCP Relay Statistics
- Security Network DHCP Snooping Configuration
- Security Network DHCP Snooping Mode
- Security Network DHCP Snooping Port Mode
- Security Network DHCP Snooping Statistics
- Security Network IP Source Guard Configuration
- Security Network IP Source Guard Mode
- Security Network IP Source Guard Port Mode
- Security Network IP Source Guard Limit
- Security Network IP Source Guard Entry
- Security Network IP Source Guard Status
- Security Network ARP Inspection Configuration
- Security Network ARP Inspection Mode
- Security Network ARP Inspection Port Mode
- Security Network ARP Inspection Entry
- Security Network ARP Inspection Status
- Security AAA Configuration
- Security AAA Timeout
- Security AAA Deadtime
- Security AAA RADIUS
- Security AAA ACCT_RADIUS
- Security AAA TACACS+
- Security AAA Statistics
- Security Switch User Configuration
- Spanning Tree Protocol Command
- STP Configuration
- STP Version
- STP Tx Hold
- STP MaxHops
- STP MaxAge
- STP FwdDelay
- STP CName
- STP BPDU Filter
- STP BPDU Guard
- STP Recovery
- STP Status
- STP MSTI Priority
- STP MSTI Map
- STP MSTI Add
- STP Port Configuration
- STP Port Mode
- STP Port Edge
- STP Port AutoEdge
- STP Port P2P
- STP Port RestrictedRole
- STP Port RestrictedTcn
- STP Port bpduGuard
- STP Port Statistic
- STP Port Mcheck
- STP MSTI Port Configuration
- STP MSTI Port Cost
- STP MSTI Port Priority
- STP Configuration
- Multicast Configuration Command
- Link Aggregation Command
- Link Aggregation Control Protocol Command
- LLDP Command
- LLDPMED Command
- Power over Ethernet Command
- Quality of Service Command
- Mirror Command
- Configuration Command
- Firmware Command
- UPnP Command
- MVR Command
- Voice VLAN Command
- SMTP Command
- Show Command
- Show ACL Configuration
- Show Link Aggregation Configuration
- Show IGMP Configuration
- Show IP Configuration
- Show LACP Configuration
- Show LLDP Configuration
- Show MAC Configuration
- Show Mirror Configuration
- Show PoE Configuration
- Show Port Configuration
- Show Private VLAN Configuration
- Show QoS Configuration
- Show SNMP Configuration
- Show Stack Configuration
- Show System Configuration
- Show VLAN Configuration
- Show STP Configuration
- Show ACL Configuration
- SWITCH OPERATION
- POWER OVER ETHERNET OVERVIEW
- TROUBLE SHOOTING
- APPENDEX A
- APPENDEX B : GLOSSARY
- APPENDIX C: Local User Privilege Level Table
IFS NS3601-24P/4S GE-DSSG-244 and 244-POE User Manual
174
switch acts as an intermediary (proxy) between the client and the authentication server, requesting identity information from
the client, verifying that information with the authentication server, and relaying a response to the client. The switch includes
the RADIUS client, which is responsible for encapsulating and decapsulating the Extensible Authentication Protocol (EAP)
frames and interacting with the authentication server. When the switch receives EAPOL frames and relays them to the
authentication server, the Ethernet header is stripped and the remaining EAP frame is re-encapsulated in the RADIUS
format. The EAP frames are not modified or examined during encapsulation, and the authentication server must support
EAP within the native frame format. When the switch receives frames from the authentication server, the server's frame
header is removed, leaving the EAP frame, which is then encapsulated for Ethernet and sent to the client.
Authentication Initiation and Message Exchange
The switch or the client can initiate authentication. If you enable authentication on a port by using the dot1x port-control auto
interface configuration command, the switch must initiate authentication when it determines that the port link state transitions from
down to up. It then sends an EAP-request/identity frame to the client to request its identity (typically, the switch sends an initial
identity/request frame followed by one or more requests for authentication information). Upon receipt of the frame, the client
responds with an EAP-response/identity frame.
However, if during bootup, the client does not receive an EAP-request/identity frame from the switch, the client can initiate
authentication by sending an EAPOL-start frame, which prompts the switch to request the client's identity
If 802.1X is not enabled or supported on the network access device, any EAPOL frames from the
client are dropped. If the client does not receive an EAP-request/identity frame after three attempts
to start authentication, the client transmits frames as if the port is in the authorized state. A port in
the authorized state effectively means that the client has been successfully authenticated.
When the client supplies its identity, the switch begins its role as the intermediary, passing EAP frames between the client and the
authentication server until authentication succeeds or fails. If the authentication succeeds, the switch port becomes authorized.
The specific exchange of EAP frames depends on the authentication method being used. “Figure 4-11-2” shows a message
exchange initiated by the client using the One-Time-Password (OTP) authentication method with a RADIUS server.
Figure 4-11-2 EAP message exchange
Ports in Authorized and Unauthorized States
The switch port state determines whether or not the client is granted access to the network. The port starts in the unauthorized state.
While in this state, the port disallows all ingress and egress traffic except for 802.1X protocol packets. When a client is successfully
authenticated, the port transitions to the authorized state, allowing all traffic for the client to flow normally.