beautypg.com

General steps, Network access control guidelines, General steps network access control guidelines – Allied Telesis AT-S84 User Manual

Page 171

background image

AT-S84 Management Software User’s Guide

Section I: Using the Menus Interface

171

As mentioned earlier, the switch itself does not authenticate the user
names and passwords from the clients. That is the responsibility of the
authentication server, which contains the RADIUS server software.
Instead, a switch acts as an intermediary for the authentication server by
denying access to the network by the client until the client has provided a
valid username and password, which the authentication server validates.

General Steps

Following are the general steps to implementing 802.1x Network Access
Control:

1. You must install RADIUS server software on one or more of your

network servers or management stations. Authentication protocol
server software is not available from Allied Telesis.

2. You need to install 802.1x client software on those workstations that

are to be supplicants.

3. You must configure and activate the RADIUS client software in the

AT-S84 management software. The default setting for the
authentication protocol is disabled. You will need to provide the
following information:

ˆ

The IP address of a RADIUS servers.

ˆ

The encryption key used by the authentication server.

For instructions, refer to Chapter 13, “RADIUS Authentication Protocol”
on page 179.

4. You must configure the authenticator port settings, as explained in

“Configuring 802.1x Network Access Control” on page 174 in this
chapter.

Network Access

Control

Guidelines

Following are the guidelines for using this feature:

ˆ

Ports set to Auto do not support port trunking or dynamic MAC address
learning.

ˆ

The appropriate setting for a port on an AT-8000/8POE Fast Ethernet
Switch connected to an authentication server is Force-authorized, the
default setting. This is because an authentication server cannot
authenticate itself.

ˆ

The authentication server must be a member of the Default VLAN by
communicating with the switch through a port that is an untagged
member of the Default VLAN.

ˆ

Allied Telesis does not support connecting more than one supplicant to
an authenticator port on the switch. The switch allows only one
supplicant to log on per port.