General steps, Port-based network access control guidelines – Allied Telesis AT-S79 User Manual
Page 111

AT-S79 Management Software User’s Guide
Section I: Using the Menus Interface
As mentioned earlier, the switch itself does not authenticate the user 
names and passwords from the clients. That is the responsibility of the 
authentication server, which contains the RADIUS server software. 
Instead, the switch acts as an intermediary for the authentication server by 
denying the client access to the network until the client has provided a 
valid username and password, which the authentication server validates.
General Steps
The general steps for implementing 802.1x Port-based Network Access 
Control are as follows:
1. You must install RADIUS server software on one or more of your
network servers or management stations. Authentication protocol 
server software is not available from Allied Telesyn. Funk Software 
Steel-Belted Radius and Free Radius have been verified as fully 
compatible with the AT-S79 management software.
2. You need to install 802.1x client software on those workstations that
are to be supplicants. Microsoft WinXP client software and Meeting 
House Aegis client software have been verified as fully compatible with 
the AT-S79 management software.
3. You must configure and activate the RADIUS client software in the
AT-S79 management software. The default setting for the 
authentication protocol is disabled. You will need to provide the 
following information: 
   - The IP address of a RADIUS server.
   - The encryption key used by the authentication server.
For instructions, refer to Chapter 10, “RADIUS Authentication Protocol” 
on page 119.
4. You must configure the authenticator port settings, as explained in
“Configuring 802.1x Port-based Network Access Control” on page 114 
in this chapter.
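
How the encryption key from step 3 is used, shown as an added example that is not part of the manual or of the AT-S79 software. It assumes the key is the RADIUS shared secret of RFC 2865, which the RADIUS client uses to check each server reply, so a key that differs between switch and server causes every reply to be discarded. The key, user name and packets are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2   # RADIUS packet codes (RFC 2865)
USER_NAME = 1                          # attribute type

def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_request(ident: int, request_auth: bytes, user: bytes) -> bytes:
    """Client side: Access-Request with a random 16-byte Request Authenticator."""
    attrs = attribute(USER_NAME, user)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def build_response(code: int, ident: int, request_auth: bytes, attrs: bytes, key: bytes) -> bytes:
    """Server side: authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Key)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + key).digest() + attrs

def verify_response(packet: bytes, ident: int, request_auth: bytes, key: bytes) -> bool:
    """Client side: accept a reply only if it was produced with the same key."""
    if len(packet) < 20:
        return False
    _code, got_ident, length = struct.unpack("!BBH", packet[:4])
    if got_ident != ident or not 20 <= length <= len(packet):
        return False
    packet = packet[:length]           # bytes past Length are padding
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + key).digest()
    return hmac.compare_digest(expected, packet[4:20])

def demo() -> dict:
    """Constructed exchange: one reply checked with the right and a wrong key."""
    server_key = b"constructed-shared-key"    # constructed sample value
    request_auth = os.urandom(16)
    request = build_request(7, request_auth, b"alice")
    reply = build_response(ACCESS_ACCEPT, request[1], request_auth, b"", server_key)
    altered = bytes([3]) + reply[1:]          # code byte changed in transit
    return {
        "matching key": verify_response(reply, 7, request_auth, server_key),
        "mismatched key": verify_response(reply, 7, request_auth, b"typo-in-key"),
        "altered reply": verify_response(altered, 7, request_auth, server_key),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'discarded'}")
```
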
Port-based Network Access Control Guidelines
Following are the guidelines for using this feature:
- Ports set to Auto do not support port trunking or dynamic MAC address 
  learning.
- The appropriate setting for a port on an AT-GS950/16 or AT-GS950/24 
  switch connected to an authentication server is Force-authorized, the 
  default setting. This is because an authentication server cannot 
  authenticate itself.
- The authentication server must be a member of the Default VLAN; that is, 
  it must communicate with the switch through a port that is an untagged 
  member of the Default VLAN.
