Interlogix NS3702-24P-4S User Manual User Manual
Page 257
257
authentication.
Force Unauthorized
In this mode, the switch will send one EAPOL Failure frame when the port link
comes up, and any client on the port will be disallowed network access.
Port-based 802.1X
In the 802.1X-world, the user is called the supplicant, the switch is the
authenticator, and the RADIUS server is the authentication server. The
authenticator acts as the man-in-the-middle, forwarding requests and responses
between the supplicant and the authentication server. Frames sent between the
supplicant and the switch are special 802.1X frames, known as EAPOL (EAP
Over LANs) frames. EAPOL frames encapsulate EAP PDUs (RFC3748). Frames
sent between the switch and the RADIUS server are RADIUS packets. RADIUS
packets also encapsulate EAP PDUs together with other attributes like the
switch's IP address, name, and the supplicant's port number on the switch. EAP
is very flexible, in that it allows for different authentication methods, like
MD5-Challenge, PEAP, and TLS. The important thing is that the authenticator
(the switch) doesn't need to know which authentication method the supplicant
and the authentication server are using, or how many information exchange
frames are needed for a particular method. The switch simply encapsulates the
EAP part of the frame into the relevant type (EAPOL or RADIUS) and forwards it.
When authentication is complete, the RADIUS server sends a special packet
containing a success or failure indication. Besides forwarding this decision to the
supplicant, the switch uses it to open up or block traffic on the switch port
connected to the supplicant.
Note
:
Suppose two backend servers are enabled and that the server timeout is
configured to X seconds (using the AAA configuration Page), and suppose that
the first server in the list is currently down (but not considered dead). Now, if the
supplicant retransmits EAPOL Start frames at a rate faster than X seconds, then
it will never get authenticated, because the switch will cancel on-going backend
authentication server requests whenever it receives a new EAPOL Start frame
from the supplicant. And since the server hasn't yet failed (because the X
seconds haven't expired), the same server will be contacted upon the next
backend authentication server request from the switch. This scenario will loop
forever. Therefore, the server timeout should be smaller than the supplicant's