
Interlogix NS3502-8P-2S User Manual


IFS NS3502-8P-2S User Manual, page 239

network access without authentication.

Force Unauthorized

In this mode, the switch will send one EAPOL Failure frame when
the port link comes up, and any client on the port will be
disallowed network access.

Port-based 802.1X

In the 802.1X world, the user is called the supplicant, the switch is the authenticator, and the RADIUS server is the authentication server. The authenticator sits between the other two as a relay (a "man-in-the-middle"), forwarding requests and responses between the supplicant and the authentication server. Frames sent between the supplicant and the switch are special 802.1X frames, known as EAPOL (EAP Over LANs) frames. EAPOL frames encapsulate EAP PDUs (RFC 3748). Frames sent between the switch and the RADIUS server are RADIUS packets. RADIUS packets also encapsulate EAP PDUs, together with other attributes such as the switch's IP address and name and the supplicant's port number on the switch. EAP is very flexible in that it allows for different authentication methods, such as MD5-Challenge, PEAP, and TLS. The important point is that the authenticator (the switch) does not need to know which authentication method the supplicant and the authentication server are using, or how many information-exchange frames a particular method needs. The switch simply encapsulates the EAP part of the frame in the relevant type (EAPOL or RADIUS) and forwards it.

When authentication is complete, the RADIUS server sends a special packet containing a success or failure indication. Besides forwarding this decision to the supplicant, the switch uses it to open up or block traffic on the switch port connected to the supplicant.
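To make the relay behaviour above, and the EAPOL Start retransmission scenario in the note that follows, concrete, here is an added discrete-event simulation of the authenticator; it is not code from the manual or the switch firmware. The two server names, the 0.1 s RADIUS round trip and marking a server dead after a single timed-out request are assumptions made for the example.

```python
import math
from dataclasses import dataclass

@dataclass
class Server:
    name: str
    up: bool            # reachable at all?
    dead: bool = False  # the switch marks it dead only after a request has timed out

def two_servers():
    # Constructed scenario from the note: first server down (not yet dead), second up.
    return [Server("radius-1", up=False), Server("radius-2", up=True)]

def simulate(servers, timeout_x, start_interval, max_time=60.0, rtt=0.1):
    """Replay the note's scenario; returns (authenticated, time_of_decision, event_log)."""
    # timeout_x: AAA server timeout X (s); start_interval: EAPOL Start retransmit period (s)
    events, pending, next_start = [], None, 0.0   # pending = (server, completion_time)
    while True:
        completion = pending[1] if pending else math.inf
        t = min(next_start, completion)
        if t > max_time:
            return False, max_time, events
        if next_start <= completion:                 # supplicant sends EAPOL Start
            next_start += start_interval
            if pending:                              # switch cancels the request in flight
                events.append(f"{t:5.1f}s EAPOL Start -> cancel request to {pending[0].name}")
            srv = next((s for s in servers if not s.dead), None)
            if srv is None:
                return False, t, events
            pending = (srv, t + (rtt if srv.up else timeout_x))
            events.append(f"{t:5.1f}s EAPOL Start -> RADIUS request to {srv.name}")
        else:                                        # backend request finished
            srv, pending = pending[0], None
            if srv.up:
                events.append(f"{t:5.1f}s Access-Accept from {srv.name}: port authorized")
                return True, t, events
            srv.dead = True                          # assumption: one timeout marks it dead
            events.append(f"{t:5.1f}s {srv.name} timed out after {timeout_x}s, marked dead")
            nxt = next((s for s in servers if not s.dead), None)
            if nxt is None:
                return False, t, events
            pending = (nxt, t + (rtt if nxt.up else timeout_x))
            events.append(f"{t:5.1f}s retrying with {nxt.name}")

if __name__ == "__main__":
    for interval in (10.0, 20.0):   # faster and slower than X = 15 s
        ok, t, log = simulate(two_servers(), timeout_x=15.0, start_interval=interval)
        print(f"EAPOL Start every {interval}s -> authenticated={ok} at {t}s")
        print("\n".join(log[:6]))
```

With X = 15 s, a supplicant retransmitting every 10 s keeps cancelling the request to the down server and is never authenticated, while one retransmitting every 20 s lets the first request time out, so the second server is tried and answers.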
Note: Suppose two backend servers are enabled and that the server timeout is configured to X seconds (using the AAA configuration page), and suppose that the first server in the list is currently down (but not considered dead). Now, if the supplicant retransmits EAPOL Start frames at a rate faster than X seconds, then it will never get authenticated, because the switch will cancel on-going backend authentication server requests whenever it receives a new EAPOL Start frame from the supplicant. And since the server hasn't yet failed (because the X seconds haven't expired), the same server will be contacted upon