Overview – Allied Telesis AT-S63 User Manual

Page 363


AT-S63 Management Software Features Guide

Section VIII: Port Security


Overview

The AT-S63 Management Software has several different methods for
protecting your network and its resources from unauthorized access. For
instance, Chapter 31, “MAC Address-based Port Security” on page 355,
explains how you can restrict network access using the MAC addresses of
the end nodes of your network.

This chapter explains yet another way. This method, referred to as 802.1x
port-based network access control, uses the RADIUS protocol to control
who can send traffic through and receive traffic from a switch port. The
switch does not allow an end node to send or receive traffic through a port
until the user of the node has been authenticated by a RADIUS server.

The benefit of this type of network security is obvious. You can use it to
prevent unauthorized individuals from connecting a computer to a switch
port or using an unattended workstation to access your network resources.
Only those users designated as valid network users on the RADIUS server
will be permitted to use the switch to access the network.

This port security method uses the RADIUS authentication protocol. The
AT-S63 Management Software is shipped with RADIUS client software. If
you have already read Chapter 37, “TACACS+ and RADIUS Protocols” on
page 429, then you know that you can use the RADIUS client software on
the switch, along with a RADIUS server on your network, to also create
new manager accounts that control who can manage and change the
AT-S63 parameters on the switch.

Note

RADIUS with Extensible Authentication Protocol (EAP) extensions is
the only supported authentication protocol for 802.1x Port-based
Network Access Control. This feature is not supported with the
TACACS+ authentication protocol. The switch supports only one
authentication protocol at a time. Consequently, if you want to
implement 802.1x Port-based Network Access Control and also
create new manager accounts as explained in Chapter 37,
“TACACS+ and RADIUS Protocols” on page 429, you must use the
RADIUS protocol.
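
As an added illustration of "RADIUS with EAP extensions" (this is not code from the manual or from Allied Telesis), the following Python sketch shows how an authenticator wraps a supplicant's EAP packet in a RADIUS Access-Request and how a server checks the Message-Authenticator attribute that RFC 3579 requires on such requests. The shared secret, user name and identifiers are constructed sample values.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 1, 79, 80

def attr(attr_type, value):
    # RADIUS attribute: type, length (header included), value
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def eap_identity_response(eap_id, identity):
    # EAP Response (code 2) of type 1 (Identity), as sent by the supplicant
    body = b"\x01" + identity
    return struct.pack("!BBH", 2, eap_id, len(body) + 4) + body

def build_access_request(secret, radius_id, identity, eap_packet, request_auth=None):
    # Authenticator side: wrap the supplicant's EAP packet in an Access-Request
    request_auth = request_auth or os.urandom(16)
    attrs = attr(USER_NAME, identity)
    for i in range(0, len(eap_packet), 253):  # one attribute holds at most 253 bytes
        attrs += attr(EAP_MESSAGE, eap_packet[i:i + 253])
    attrs += attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)  # zeroed while the HMAC is computed
    header = struct.pack("!BBH", ACCESS_REQUEST, radius_id, 20 + len(attrs))
    packet = header + request_auth + attrs
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()

def verify_eap_access_request(secret, packet):
    # Server side: accept only a well-formed EAP request with a valid Message-Authenticator
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    pos, has_eap, mac_at = 20, False, None
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            return False
        has_eap = has_eap or attr_type == EAP_MESSAGE
        if attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                return False
            mac_at = pos + 2
        pos += attr_len
    if pos != len(packet) or not has_eap or mac_at is None:
        return False
    zeroed = packet[:mac_at] + b"\x00" * 16 + packet[mac_at + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[mac_at:mac_at + 16])

# Constructed sample values, not taken from the manual
SECRET = b"constructed-shared-secret"
REQUEST = build_access_request(SECRET, 7, b"alice", eap_identity_response(1, b"alice"))
```

A request that fails this check (wrong shared secret, altered attributes, or a missing Message-Authenticator) is discarded by the server, so the port stays unauthorized.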

Following are several terms to keep in mind when you use this feature.

• Supplicant - A supplicant is an end user or end node that wants to
access the network through a switch port. A supplicant is also referred
to as a client.

• Authenticator - The authenticator is a port on the switch that prohibits
network access by a supplicant until the supplicant has been validated
by the RADIUS server.