Allied Telesis AT-S39 User Manual

AT-S39 User’s Guide

207

Note

Connecting multiple supplicants to a port set to the authenticator
role does not conform to the IEEE 802.1x standard, can introduce
security risks, and can result in undesirable switch behavior. To
avoid this, Allied Telesyn recommends not using the authenticator
role on a port that is connected to more than one end node, such as
a port connected to another switch or a hub.

❑ A username and password combination is not tied to the MAC

address of an end node. This allows end users to use the same
username and password when working at different workstations.

❑ Once a supplicant has successfully logged on, the MAC address of

the end node is added to the switch’s MAC address table as an
authenticated address. It remains in the table until the end user
logs off the network or does not respond to a reauthentication
request. Only then is the address removed. The address is not
timed out, even if the end node becomes inactive.

Note

End users of port-based access control should be instructed to
always log off when they are finished with a work session. This will
prevent unauthorized individuals from accessing the network
through unattended network workstations.

❑ You cannot use the MAC address port security feature, described

in Chapter 6, Port Security on page 76, on ports that are set to
the Authenticator role.

❑ There can be only one port in the authenticator role between a

supplicant and the authentication server.

❑ The Authentication Menu for configuring the RADIUS client

software has the selection “1 - Server-based Authentication.” This
option does not apply to the 802.1x port-based access control,
but only to new manager accounts, as described in Chapter 17,
TACACS+ and RADIUS Protocols on page 192. It does not need
to be toggled to Enabled for the switch to use the RADIUS
configuration information. If you want to use 802.1x port-based
access control but not create new manager accounts, you can
leave the menu selection as disabled.