Allied Telesis AT-S62 User Manual
Page 471

AT-S62 User’s Guide
Section VI: Port Security
Note
Connecting multiple supplicants to a port set to the authenticator
role does not conform to the IEEE 802.1x standard, can introduce
security risks, and can result in undesirable switch behavior. To
avoid this, Allied Telesyn recommends not using the authenticator
role on a port that is connected to more than one end node, such as
a port connected to another switch or a hub.
❑ A username and password combination is not tied to the MAC
address of an end node. This allows end users to use the same
username and password when working at different workstations.
❑ Once a supplicant has successfully logged on, the MAC address of
the end node is added to the switch’s MAC address table as an
authenticated address. It remains in the table until the end user
logs off the network or does not respond to a reauthentication
request. Only then is the address removed. The MAC aging time
does not apply to authenticated MAC addresses.
Note
End users of port-based access control should be instructed to
always log off when they are finished with a work session. This will
prevent unauthorized individuals from accessing the network
through unattended network workstations.
❑ You cannot use the MAC address port security feature, described
in Chapter 23, MAC Address Security on page 454, on ports that
are set to the authenticator or supplicant role. The MAC address
security level of such a port must be Automatic.
❑ There should be only one port in the authenticator role between
a supplicant and the authentication server.
❑ The Authentication Menu for configuring the RADIUS client
software has the selection “1 - Server-based Authentication.” This
option does not apply to the 802.1x port-based access control,
but only to new manager accounts, as described in Chapter 29,
RADIUS and TACACS+ Authentication Protocols on page 552. It
does not need to be toggled to Enabled for the switch to use the
RADIUS configuration information. If you want to use 802.1x
port-based access control but not use new manager accounts, the
menu selection should be set to Disabled.
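
The following is an added example, not part of the AT-S62 guide or software: a small audit that checks a port inventory against two of the guidelines above (one end node per authenticator port, and MAC address security level Automatic on 802.1x ports). The inventory format, field names, finding labels and sample values are assumptions constructed for illustration.

```python
# Added example: audit a port inventory against the 802.1x guidelines.
# The Port record and its fields are hypothetical, not AT-S62 output.
from dataclasses import dataclass, field


@dataclass
class Port:
    number: int
    role: str            # "authenticator", "supplicant" or "none"
    mac_security: str    # MAC address security level, e.g. "Automatic"
    learned_macs: list = field(default_factory=list)  # source MACs seen


def audit(ports):
    """Return (port number, finding) pairs for guideline violations."""
    findings = []
    for p in ports:
        if p.role == "none":
            continue  # the guidelines only cover ports with an 802.1x role
        # Authenticator and supplicant ports must keep the MAC address
        # security level at Automatic.
        if p.mac_security.lower() != "automatic":
            findings.append((p.number, "mac-security-not-automatic"))
        # More than one distinct end node behind an authenticator port
        # suggests a hub or another switch is attached to it.
        distinct = {m.lower() for m in p.learned_macs}
        if p.role == "authenticator" and len(distinct) > 1:
            findings.append((p.number, "multiple-end-nodes"))
    return findings


# Constructed sample inventory (values are not taken from a real switch).
SAMPLE = [
    Port(1, "authenticator", "Automatic", ["02:00:00:00:00:01"]),
    Port(2, "authenticator", "Automatic",
         ["02:00:00:00:00:02", "02:00:00:00:00:03"]),
    Port(3, "authenticator", "Limited", ["02:00:00:00:00:04"]),
    Port(4, "none", "Limited", ["02:00:00:00:00:05", "02:00:00:00:00:06"]),
    Port(5, "supplicant", "Automatic", []),
]

if __name__ == "__main__":
    for number, finding in audit(SAMPLE):
        print(f"port {number}: {finding}")
```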