Guidelines – Allied Telesis AT-S63 User Manual

AT-S63 Management Software Features Guide

Section VIII: Port Security

Guidelines

The following are general guidelines for using this feature:

Ports operating under port-based access control do not support
dynamic MAC address learning.

The appropriate port role for a port on the AT-9400 Switch connected
to a RADIUS authentication server is None.

The authentication method of an authenticator port can be either
802.1x username and password combination or MAC address-based,
but not both.

A supplicant must have 802.1x client software if the authentication
method of a switch port is 802.1x username and password
combination.

A supplicant does not need 802.1x client software if the authentication
method of an authenticator port is MAC address-based.

An authenticator port set to the multiple operating mode can support
up to a maximum of 320 authenticated supplicants at one time.

The switch can handle up to a maximum of 480 authenticated
supplicants at one time. The switch stops accepting new
authentications after the maximum is reached and starts accepting
new authentications as supplicants log out or are timed out.

An 802.1x username and password combination is not tied to the MAC
address of an end node. This allows end users to use the same
username and password when working at different workstations.

After a client has successfully logged on, the MAC address of the end
node is added to the switch’s MAC address table as an authenticated
address. It remains in the table until the client logs off the network or
fails to reauthenticate, at which point the address is removed. The
address is not timed out, even if the node becomes inactive.

Note

End users of 802.1x port-based network access control should be
instructed to always log off when they are finished with a work
session. This can prevent unauthorized individuals from accessing
the network through unattended network workstations.

Authenticator and supplicant ports must be untagged ports. They
cannot be tagged ports of any VLAN.

The MAC address-based port security setting for an authenticator port
must be Automatic. This restriction does not apply to a supplicant port.
For further information, refer to Chapter 35, “MAC Address-based Port
Security” on page 415.
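
The following is an added example, not part of the Allied Telesis manual or the AT-S63 software: a short Python audit that checks a planned port layout against the guidelines above before the configuration is applied. The dictionary keys, port names and sample values are hypothetical and are not AT-S63 command syntax.

```python
# Added example: audit a planned port layout against the guidelines above.
# Keys such as "role" and "radius_server_link" are hypothetical, not AT-S63 syntax.
MAX_PER_PORT = 320    # authenticator port in the multiple operating mode
MAX_PER_SWITCH = 480  # authenticated supplicants per switch

def audit_plan(ports):
    """Return a list of (port, problem) tuples for a planned configuration."""
    problems = []
    total = 0
    for name, p in ports.items():
        role = p.get("role", "none")
        if p.get("radius_server_link"):
            if role != "none":
                problems.append((name, "port to RADIUS server must have role None"))
            continue
        if role == "none":
            continue
        if p.get("tagged_vlans"):
            problems.append((name, "authenticator/supplicant ports must be untagged"))
        if role != "authenticator":
            continue  # the remaining rules apply to authenticator ports only
        methods = set(p.get("auth_methods", []))
        if len(methods) != 1 or not methods <= {"802.1x", "mac"}:
            problems.append((name, "choose exactly one of 802.1x or MAC address-based"))
        if p.get("mac_security", "automatic") != "automatic":
            problems.append((name, "MAC address-based port security must be Automatic"))
        expected = p.get("expected_supplicants", 1)
        if p.get("mode") == "multiple" and expected > MAX_PER_PORT:
            problems.append((name, f"{expected} supplicants exceeds {MAX_PER_PORT} per port"))
        total += expected
    if total > MAX_PER_SWITCH:
        problems.append(("switch", f"{total} supplicants exceeds {MAX_PER_SWITCH} per switch"))
    return problems

# Constructed sample plan (not taken from a real switch).
SAMPLE_PLAN = {
    "port1": {"role": "authenticator", "radius_server_link": True},
    "port2": {"role": "authenticator", "mode": "multiple",
              "auth_methods": ["802.1x", "mac"], "expected_supplicants": 200},
    "port3": {"role": "authenticator", "mode": "multiple", "auth_methods": ["mac"],
              "expected_supplicants": 300, "tagged_vlans": [10]},
    "port4": {"role": "supplicant", "mac_security": "limited"},
}

if __name__ == "__main__":
    for port, problem in audit_plan(SAMPLE_PLAN):
        print(f"{port}: {problem}")
```

In the sample plan, port4 passes because the Automatic restriction does not apply to supplicant ports, while the combined 500 expected supplicants on port2 and port3 exceed the switch-wide limit even though each port is under its own limit.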