802.1x Port-based Network Access Control Guidelines – Allied Telesis AT-S63 User Manual
Page 734

Chapter 31: 802.1x Port-based Network Access Control
Section VII: Port Security
802.1x Port-based Network Access Control Guidelines
The following are general guidelines for using this feature:

- Ports operating under port-based access control do not support dynamic MAC address learning.
- The appropriate port role for a port on an AT-9400 Series switch connected to a RADIUS authentication server is None.
- The authentication server must be a member of the management VLAN. For information about the management VLAN, refer to “Specifying a Management VLAN” on page 631.
- The authentication method of an authenticator port can be either 802.1x username and password combination or MAC address-based, but not both.
- A supplicant must have 802.1x client software if the authentication method of a switch port is 802.1x username and password combination.
- A supplicant does not need 802.1x client software if the authentication method of an authenticator port is MAC address-based.
- An authenticator port set to the multiple operating mode can handle up to a maximum of 20 authenticated supplicants at one time.
- The switch can handle up to a maximum of 480 authenticated supplicants at one time. The switch stops accepting new authentications after the maximum is reached and starts accepting new authentications as supplicants log out or are timed out.
- An 802.1x username and password combination is not tied to the MAC address of an end node. This allows end users to use the same username and password when working at different workstations.
- After a client has successfully logged on, the MAC address of the end node is added to the switch’s MAC address table as an authenticated address. It remains in the table until the client logs off the network or fails to reauthenticate, at which point the address is removed. The address is not timed out, even if the node becomes inactive.

Note
End users of 802.1x Port-based Network Access Control should be instructed to always log off when they are finished with a work session. This prevents unauthorized individuals from accessing the network through unattended network workstations.

- Authenticator and supplicant ports must be untagged ports. They cannot be tagged ports of any VLAN.
- The MAC address port security setting for an authenticator port must be Automatic. This restriction does not apply to a supplicant port. For further information, refer to Chapter 30, “MAC Address-based Port Security” on page 707.
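The guidelines above can be applied as a pre-deployment check on a planned port layout. The following is an added example, not part of the Allied Telesis manual: the `Port` record, its field names and the sample plan are assumptions made for illustration, and no AT-S63 command syntax is implied.

```python
from dataclasses import dataclass

MAX_PER_PORT = 20      # supplicants per authenticator port in multiple mode
MAX_PER_SWITCH = 480   # authenticated supplicants per switch

@dataclass
class Port:
    """Hypothetical planning record (not an AT-S63 structure or CLI syntax)."""
    number: int
    role: str = "none"                # "authenticator", "supplicant" or "none"
    methods: frozenset = frozenset()  # subset of {"802.1x", "mac"}
    mode: str = "single"              # "single" or "multiple"
    tagged: bool = False
    mac_security: str = "automatic"   # any other value here is a placeholder
    supplicants: int = 0              # expected concurrent supplicants
    vlan: str = "mgmt"
    radius_server: bool = False       # RADIUS server attached to this port

def check_plan(ports, mgmt_vlan="mgmt"):
    """Return (port, message) pairs; port 0 means a switch-wide finding."""
    issues = []
    for p in ports:
        if p.radius_server and p.role != "none":
            issues.append((p.number, "RADIUS server port must have role None"))
        if p.radius_server and p.vlan != mgmt_vlan:
            issues.append((p.number, "RADIUS server must be in the management VLAN"))
        if p.role != "none" and p.tagged:
            issues.append((p.number, "802.1x ports must be untagged"))
        if p.role != "authenticator":
            continue
        if len(p.methods) != 1:
            issues.append((p.number, "choose 802.1x or MAC-based, not both"))
        if p.mac_security != "automatic":
            issues.append((p.number, "MAC port security must be Automatic"))
        if p.mode == "multiple" and p.supplicants > MAX_PER_PORT:
            issues.append((p.number, f"over {MAX_PER_PORT} supplicants on one port"))
    total = sum(p.supplicants for p in ports if p.role == "authenticator")
    if total > MAX_PER_SWITCH:
        issues.append((0, f"{total} supplicants exceeds switch limit {MAX_PER_SWITCH}"))
    return issues

# Constructed sample plan: port 1 is the RADIUS uplink, ports 2-4 face users.
PLAN = [
    Port(1, radius_server=True),
    Port(2, "authenticator", frozenset({"802.1x"}), "multiple", supplicants=12),
    Port(3, "authenticator", frozenset({"802.1x", "mac"}), tagged=True),
    Port(4, "authenticator", frozenset({"mac"}), "multiple",
         mac_security="limited", supplicants=25),
]
FINDINGS = check_plan(PLAN)  # ports 3 and 4 each violate two guidelines
```
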
