Allied Telesis AT-S101 User Manual
Page 162

Chapter 14: 802.1x Port-based Network Access Control
The authentication server must be a member of the Default VLAN: it must 
communicate with the switch through a port that is an untagged 
member of the Default VLAN.
Allied Telesis does not support connecting more than one supplicant to 
an authenticator port on the switch. The switch allows only one 
supplicant to log on per port.
Note
Connecting multiple supplicants to a port set to the Auto setting 
does not conform to the IEEE 802.1x standard. This can introduce 
security risks and can result in undesirable switch behavior. To 
avoid this, Allied Telesis recommends using the Force-authorized 
setting of the Port Control feature on ports that are connected to 
more than one end node, such as a port connected to another 
switch or to a hub.
A username and password combination is not tied to the MAC address 
of an end node. This allows end users to use the same username and 
password when working at different workstations.
After a supplicant has successfully logged on, the MAC address of the 
end node is added to the switch’s MAC address table as an 
authenticated address. It remains in the table until the end user logs off 
the network. The address is not timed out, even if the end node 
becomes inactive.
Note
End users of port-based access control should be instructed to 
always log off when they are finished with a work session. This 
prevents unauthorized individuals from accessing the network 
through unattended network workstations.
Between a client and the authentication server, there should be only 
one port set to the authenticator port control setting of Auto.
Ports used to interconnect switches should be set to the port control 
setting of Force-authorized. This is illustrated in Figure 50 on page 
163.
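
The guidelines above can be checked against a port plan before deployment. The following is an added example, not Allied Telesis code or an AT-S101 export format: the inventory layout, port names, and sample topology are constructed for illustration.

```python
# Added example: hypothetical inventory format, not an AT-S101 export.
from dataclasses import dataclass

@dataclass
class Port:
    name: str                 # e.g. "sw1/3" (constructed identifier)
    control: str              # "auto", "force-authorized" or "force-unauthorized"
    link: str                 # "end-node", "hub", "switch" or "auth-server"
    end_nodes: int = 1        # end nodes reachable directly through this port
    default_vlan_untagged: bool = True

def audit(ports, client_paths):
    """Return (port-or-client, finding) tuples for guideline violations."""
    by_name = {p.name: p for p in ports}
    findings = []
    for p in ports:
        if p.link == "auth-server" and not p.default_vlan_untagged:
            findings.append((p.name, "authentication server port is not an untagged member of the Default VLAN"))
        if p.control == "auto" and (p.end_nodes > 1 or p.link in ("hub", "switch")):
            findings.append((p.name, "Auto port connected to more than one end node; use Force-authorized"))
        elif p.link == "switch" and p.control != "force-authorized":
            findings.append((p.name, "switch interconnect port is not Force-authorized"))
    # client_paths maps a client to the ports traversed toward the server.
    for client, path in client_paths.items():
        autos = [n for n in path if by_name[n].control == "auto"]
        if len(autos) > 1:
            findings.append((client, "more than one Auto port on path: " + ", ".join(autos)))
    return findings

# Constructed sample topology.
PORTS = [
    Port("sw1/1", "auto", "end-node"),
    Port("sw1/2", "auto", "hub", end_nodes=3),
    Port("sw1/8", "force-authorized", "switch"),
    Port("sw2/8", "auto", "switch"),
    Port("sw2/1", "force-authorized", "auth-server", default_vlan_untagged=False),
]
PATHS = {"pc-a": ["sw1/1", "sw1/8", "sw2/8", "sw2/1"]}

if __name__ == "__main__":
    for subject, finding in audit(PORTS, PATHS):
        print(f"{subject}: {finding}")
```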
