1x port-based network access control guidelines – Allied Telesis AT-S63 User Manual
Page 732
Chapter 31: 802.1x Port-based Network Access Control
732
Section VII: Port Security
3. You must configure and activate the RADIUS client software in the
AT-S63 management software. The default setting for the
authentication protocol is disabled. You will need to provide the
following information:
The IP addresses of up to three RADIUS servers.
The encryption key used by the authentication servers.
The instructions for this step are in “Configuring RADIUS” on
page 836.
4. Next, you must configure the port access control settings on the
switch. This involves the following:
Specifying the port roles.
Configuring 802.1x port parameters.
Enabling 802.1x Port-based Network Access Control.
The instructions for this step are found in this chapter.
5. Finally, if you want to use RADIUS accounting to monitor the clients
connected to the switch ports, you must configure the service on the
switch, as explained in “Configuring RADIUS Accounting” on
page 746.
802.1x Port-based
Network Access
Control
Guidelines
The following are general guidelines to using this feature:
Ports operating under port-based access control do not support
dynamic MAC address learning.
The appropriate port role for a port on an AT-9400 Series switch
connected to an authentication server is None.
The authentication server must be a member of the management
VLAN. For information about management VLANs, refer to “Specifying
a Management VLAN” on page 633.
If a switch port set to the supplicant role is connected to a port on
another switch that is not set to the authenticator role, the port, after a
timeout period, assumes that it can send traffic without having to log
on.
A username and password combination is not tied to the MAC address
of an end node. This allows end users to use the same username and
password when working at different workstations.
After a client has successfully logged on, the MAC address of the end
node is added to the switch’s MAC address table as an authenticated
address. It remains in the table until the client logs off the network or
fails to reauthenticate, at which point the address removed. The
address is not timed out, even if the node becomes inactive.