Allied Telesis AT-S62 User Manual
Section VI: Port Security
Chapter 29: 802.1x Port-based Network Access Control (page 660)

Guidelines
The following are general guidelines for using this feature:

Ports operating under port-based access control do not support dynamic MAC address learning.

The appropriate port role for a port on an AT-8500 Series switch connected to a RADIUS authentication server is None.

The authentication server must be a member of the management VLAN. For information about the management VLAN, refer to “Specifying a Management VLAN” on page 579.

The authentication method of an authenticator port can be either 802.1x username and password combination or MAC address-based, but not both.

A supplicant must have 802.1x client software if the authentication method of the authenticator port is 802.1x username and password combination.

A supplicant does not need 802.1x client software if the authentication method of the authenticator port is MAC address-based.

An authenticator port set to the multiple operating mode can handle a maximum of 20 authenticated supplicants at one time.

The switch can handle a maximum of 480 authenticated supplicants at one time. The switch stops accepting new authentications after the maximum is reached and starts accepting them again as supplicants log out or are timed out.

An 802.1x username and password combination is not tied to the MAC address of an end node. This allows end users to use the same username and password when working at different workstations.

After a client has successfully logged on, the MAC address of the end node is added to the switch’s MAC address table as an authenticated address. It remains in the table until the client logs off the network or fails to reauthenticate, at which point the address is removed. The address is not timed out, even when the node is inactive.

Note
End users of 802.1x Port-based Network Access Control should be instructed to always log off when they are finished with a work session. Because an authenticated address is not timed out for inactivity, an unattended workstation that is still logged on can be used by an unauthorized individual to access the network.

Authenticator and supplicant ports must be untagged ports. They cannot be tagged ports of any VLAN.

The MAC address-based port security setting for an authenticator port must be Automatic. This restriction does not apply to a supplicant port. For further information, refer to Chapter 28, “MAC Address-based Port Security” on page 633.
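The following is an added illustration, not code from the manual or from Allied Telesis: a small Python model of the authenticator bookkeeping the guidelines above describe. It applies the two limits the manual states (20 supplicants on a multiple-mode port, 480 on the switch), keeps one authenticated-address entry per MAC so the same username can be logged on from two workstations, removes an entry only on log-off or a failed reauthentication, and deliberately does nothing on inactivity. The class, method and event names, the sample MAC addresses and the walkthrough scenario are all constructed for the example; single operating mode is not modeled because the page states no limit for it.

```python
"""Model of an 802.1x authenticator's authenticated-address table as the
AT-S62 guidelines describe it. Constructed example; the only figures taken
from the manual are the two limits below."""
from dataclasses import dataclass, field
from typing import Dict

PORT_LIMIT_MULTIPLE = 20   # manual: max supplicants on a multiple-mode port
SWITCH_LIMIT = 480         # manual: max authenticated supplicants per switch


@dataclass
class Authenticator:
    port_limit: int = PORT_LIMIT_MULTIPLE
    switch_limit: int = SWITCH_LIMIT
    # port number -> {authenticated MAC: 802.1x username that logged it on}
    table: Dict[int, Dict[str, str]] = field(default_factory=dict)

    def total(self) -> int:
        return sum(len(entries) for entries in self.table.values())

    def is_authenticated(self, port: int, mac: str) -> bool:
        return mac in self.table.get(port, {})

    def login(self, port: int, mac: str, user: str) -> bool:
        """A supplicant on `port` passed authentication. Returns False when a
        limit is reached: the switch stops accepting new authentications
        until a supplicant logs out or is timed out."""
        entries = self.table.setdefault(port, {})
        if mac in entries:
            return True                      # already authenticated
        if len(entries) >= self.port_limit:
            return False
        if self.total() >= self.switch_limit:
            return False
        entries[mac] = user                  # username is not tied to the MAC
        return True

    def logoff(self, port: int, mac: str) -> None:
        self.table.get(port, {}).pop(mac, None)

    def reauthenticate(self, port: int, mac: str, passed: bool) -> bool:
        """A failed periodic reauthentication removes the address."""
        if not passed:
            self.logoff(port, mac)
        return self.is_authenticated(port, mac)

    def inactive(self, port: int, mac: str, seconds: int) -> bool:
        """Inactivity is ignored: an authenticated address is never aged out."""
        return self.is_authenticated(port, mac)


def walkthrough() -> dict:
    """Constructed scenario exercising each rule; returns the observations."""
    sw = Authenticator()
    r = {}
    # same username from two workstations gives two independent entries
    r["alice_pc1"] = sw.login(1, "00:00:5e:00:53:01", "alice")
    r["alice_pc2"] = sw.login(1, "00:00:5e:00:53:02", "alice")
    # fill port 1 to its 20-supplicant limit, then offer a 21st
    for i in range(3, 21):
        sw.login(1, f"00:00:5e:00:53:{i:02x}", f"user{i}")
    r["port1_count"] = len(sw.table[1])
    r["port1_21st"] = sw.login(1, "00:00:5e:00:53:ff", "late")
    # fill ports 2..24 so the switch holds 480 supplicants, then try port 25
    for port in range(2, 25):
        for i in range(1, 21):
            sw.login(port, f"00:00:5e:00:{port:02x}:{i:02x}", f"p{port}u{i}")
    r["switch_total"] = sw.total()
    r["port25_first"] = sw.login(25, "00:00:5e:00:19:01", "overflow")
    # one log-off frees a slot and the rejected supplicant is admitted
    sw.logoff(2, "00:00:5e:00:02:01")
    r["port25_after_logoff"] = sw.login(25, "00:00:5e:00:19:01", "overflow")
    # a day of inactivity leaves the entry; a failed reauthentication removes it
    r["idle_still_auth"] = sw.inactive(1, "00:00:5e:00:53:01", 86400)
    r["reauth_fail"] = sw.reauthenticate(1, "00:00:5e:00:53:01", passed=False)
    return r


if __name__ == "__main__":
    for name, value in walkthrough().items():
        print(f"{name}: {value}")
```

The `inactive` method is the point of the manual's Note: nothing in the model (or, per the page, in the switch) evicts an idle workstation, so the only controls on an unattended but logged-on node are the user logging off and the periodic reauthentication failing.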