Guidelines, Guidelines 6 – Allied Telesis AT-8100 Series User Manual
Page 1076
Chapter 71: 802.1x Port-based Network Access Control
Guidelines
Here are the general guidelines for this feature:
- Ports operating under port-based access control do not support dynamic MAC address learning.
- A port that is connected to a RADIUS authentication server must not be set to the authenticator role because an authentication server cannot authenticate itself.
- The authentication method of an authenticator port can be either 802.1x or MAC address-based, but not both.
- A supplicant connected to an authenticator port set to the 802.1x authentication method must have 802.1x client software.
- A supplicant does not need 802.1x client software if the authentication method of an authenticator port is MAC address-based.
- The maximum number of supported supplicants on the entire switch is 208.
- An 802.1x username and password combination is not tied to the MAC address of an end node. This allows end users to use the same username and password when working at different workstations.
- After a supplicant has successfully logged on, the MAC address of the end node is added to the switch’s MAC address table as an authenticated address. It remains in the table until the supplicant logs off the network or fails to reauthenticate, at which point the address is removed. The address is not timed out, even if the node becomes inactive.
Note
End users of 802.1x port-based network access control should be
instructed to always log off when they are finished with a work
session. This can prevent unauthorized individuals from accessing
the network through unattended network workstations.
- Authenticator ports cannot use MAC address-based port security. For further information, refer to Chapter 69, “MAC Address-based Port Security” on page 1037.
- Authenticator ports cannot be members of static port trunks, LACP port trunks, or a port mirror.
- A port set to the supplicant role and connected to another port that is not set to the authenticator role will begin to forward traffic after a timeout period and without logging on.
- Authenticator ports cannot use GVRP.
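
Several of these guidelines are constraints that can be checked against a planned port layout before it is deployed. The following Python code is an added example, not part of the Allied Telesis manual; the `Port` model, its field names and values, and the sample layout are hypothetical and do not reflect AT-8100 command syntax.

```python
# Added example: lint a planned port layout against the guidelines above.
# The Port model and its field values are hypothetical, not AT-8100 syntax.
from dataclasses import dataclass, field

MAX_SUPPLICANTS = 208  # switch-wide limit stated in the guidelines
# Features the guidelines say an authenticator port cannot use or join.
FORBIDDEN_ON_AUTHENTICATOR = {"mac-port-security", "static-trunk",
                              "lacp-trunk", "port-mirror", "gvrp"}

@dataclass
class Port:
    name: str
    role: str = "none"        # "authenticator", "supplicant" or "none"
    methods: set = field(default_factory=set)   # {"802.1x"} or {"mac-based"}
    features: set = field(default_factory=set)
    peer: str = "end-node"    # what is attached, e.g. "radius-server"
    supplicants: int = 0      # supplicants expected behind this port

def lint(ports):
    """Return a sorted list of (port, finding) tuples for violations."""
    findings = []
    for p in ports:
        if p.role == "authenticator":
            if p.peer == "radius-server":
                findings.append((p.name, "authenticator port faces the RADIUS server"))
            if len(p.methods) != 1:
                findings.append((p.name, "needs exactly one of 802.1x or MAC address-based"))
            for f in sorted(p.features & FORBIDDEN_ON_AUTHENTICATOR):
                findings.append((p.name, f"{f} not allowed on an authenticator port"))
        elif p.role == "supplicant" and p.peer != "authenticator":
            # Such a port forwards traffic after a timeout without logging on.
            findings.append((p.name, "supplicant port peer is not an authenticator"))
    total = sum(p.supplicants for p in ports if p.role == "authenticator")
    if total > MAX_SUPPLICANTS:
        findings.append(("switch", f"{total} supplicants exceeds {MAX_SUPPLICANTS}"))
    return sorted(findings)

# Constructed sample layout (not taken from the manual).
SAMPLE = [
    Port("port1", "authenticator", {"802.1x"}, supplicants=100),
    Port("port2", "authenticator", {"802.1x", "mac-based"}, supplicants=100),
    Port("port3", "authenticator", {"mac-based"}, {"gvrp", "lacp-trunk"}, supplicants=9),
    Port("port4", "authenticator", {"802.1x"}, peer="radius-server"),
    Port("port5", "supplicant", peer="other-switch"),
    Port("port6", "none", features={"gvrp"}),
]
if __name__ == "__main__":
    for port, msg in lint(SAMPLE):
        print(f"{port}: {msg}")
```

The supplicant-role finding matters most for review: per the guideline above, that port would pass traffic without any logon, so the link is unauthenticated even though 802.1x appears configured.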