Port-based network access control guidelines – Allied Telesis AT-S105 User Manual

Page 172

Chapter 14: 802.1x Port-based Network Access Control

Port-based Network Access Control Guidelines

Following are the guidelines for using this feature:

• When using the RADIUS authentication mode, the appropriate setting for a port connected to the RADIUS authentication server is Force-authorized, the default setting. This is because an authentication server cannot authenticate itself.

• Ports set to Auto do not support port trunking or dynamic MAC address learning.

• The authentication server must be a member of the Default VLAN by communicating with the switch through a port that is an untagged member of the Default VLAN.

• This switch can be configured to support more than one supplicant to an authenticator port at any time. The switch can allow more than one supplicant to log on per port.

• A user name and password combination is not tied to the MAC address of an end node. This allows end users to use the same user name and password when working at different workstations.

• After a supplicant has successfully logged on, the MAC address of the end node is added to the switch’s MAC address table as an authenticated address. It remains in the table until the end user logs off the network. The address is not timed out, even if the end node becomes inactive.

Note

End users of port-based access control should be instructed to
always log off when they are finished with a work session. This
prevents unauthorized individuals from accessing the network
through unattended network workstations.

• There should be only one port in the authenticator port control setting of Auto between a client and the authentication server.

• Ports used to interconnect switches should be set to the port control setting of Force-authorized. This is illustrated in Figure 54 on page 173.
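The placement rules above (Force-authorized on the port facing the RADIUS server and on inter-switch links, no trunking on Auto ports, and only one Auto port between a client and the server) can be checked against a planned topology before it is deployed. The following audit script is an added example, not part of the manual or of the AT-S105 software; the switch names, port numbers, hosts and the two deliberately wrong settings are constructed.

```python
from collections import deque
AUTO, FORCE_AUTH = "auto", "force-authorized"

# Constructed sample topology (not from the manual): each link joins two
# endpoints; "switch:port" names a switch port, anything else is a host.
LINKS = [
    ("sw1:1", "radius"),   # RADIUS authentication server on sw1 port 1
    ("sw1:2", "sw2:24"),   # inter-switch link
    ("sw2:5", "pc-a"),     # supplicant on sw2
    ("sw1:3", "pc-b"),     # supplicant on sw1
]
# Constructed port-control settings; the first two break the guidelines.
PORTS = {
    "sw1:1": {"mode": AUTO, "trunk": False},        # faces the server
    "sw1:2": {"mode": AUTO, "trunk": True},         # uplink in a trunk
    "sw2:24": {"mode": FORCE_AUTH, "trunk": True},
    "sw2:5": {"mode": AUTO, "trunk": False},
    "sw1:3": {"mode": AUTO, "trunk": False},
}

def audit(links, ports, server="radius"):
    """Return the guideline violations found in the topology as strings."""
    node = lambda ep: ep.split(":")[0]
    issues, adj = [], {}
    for a, b in links:
        link_ports = [ep for ep in (a, b) if ep in ports]
        adj.setdefault(node(a), []).append((node(b), link_ports))
        adj.setdefault(node(b), []).append((node(a), link_ports))
        for ep in link_ports:
            mode, trunk = ports[ep]["mode"], ports[ep]["trunk"]
            if server in (a, b) and mode != FORCE_AUTH:
                issues.append(f"{ep}: faces the authentication server, must be {FORCE_AUTH}")
            if len(link_ports) == 2 and mode != FORCE_AUTH:
                issues.append(f"{ep}: inter-switch link, must be {FORCE_AUTH}")
            if mode == AUTO and trunk:
                issues.append(f"{ep}: Auto ports do not support port trunking")
    switches = {node(ep) for ep in ports}
    # Count Auto ports on each supplicant's path to the server (only one allowed).
    for client in [n for n in adj if n not in switches and n != server]:
        queue, seen = deque([(client, 0)]), {client}
        while queue:
            here, autos = queue.popleft()
            if here == server and autos > 1:
                issues.append(f"{client}: {autos} Auto ports on the path to {server}, only one allowed")
            for nxt, lp in adj[here]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, autos + sum(ports[p]["mode"] == AUTO for p in lp)))
    return issues
```

Running `audit(LINKS, PORTS)` on the constructed data reports the server-facing port and the uplink set to Auto, the trunked Auto port, and both clients that have more than one Auto port on their path to the server; correcting the two uplink settings to Force-authorized clears every finding.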