Interlogix NS3702-24P-4S User Manual

supplicants that might be on the port. The maximum number of supplicants that can be attached to a port can be limited using the Port Security Limit Control functionality.

MAC-based Auth.

Unlike port-based 802.1X, MAC-based authentication is not a standard, but merely a best-practices method adopted by the industry. In MAC-based authentication, users are called clients, and the switch acts as the supplicant on behalf of clients. The initial frame (any kind of frame) sent by a client is snooped by the switch, which in turn uses the client's MAC address as both username and password in the subsequent EAP exchange with the RADIUS server. The 6-byte MAC address is converted to a string in the following form: "xx-xx-xx-xx-xx-xx", that is, a dash (-) is used as the separator between the lower-cased hexadecimal digits. The switch only supports the MD5-Challenge authentication method, so the RADIUS server must be configured accordingly.

When authentication is complete, the RADIUS server sends a success or failure indication, which in turn causes the switch to open up or block traffic for that particular client, using the Port Security module. Only then will frames from the client be forwarded on the switch. There are no EAPOL frames involved in this authentication, and therefore, MAC-based Authentication has nothing to do with the 802.1X standard.

The advantage of MAC-based authentication over port-based 802.1X is that several clients can be connected to the same port (e.g. through a third-party switch or a hub) and still require individual authentication, and that the clients don't need special supplicant software to authenticate. The disadvantage is that MAC addresses can be spoofed by malicious users: equipment whose MAC address is a valid RADIUS user can be used by anyone. Also, only the MD5-Challenge method is supported. The maximum number of clients that can be attached to a port can be limited using the Port Security Limit Control functionality.
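The MAC-to-credential conversion and the MD5-Challenge check described above, as an added example (not code from the manual or the switch firmware). The function names, the sample MAC address, the in-memory user table and the FreeRADIUS-style `users` line are assumptions for illustration; the MD5-Challenge value is computed as in RFC 1994.

```python
import hashlib
import hmac
import re


def switch_mac_string(mac) -> str:
    """Render a MAC as the manual describes: lower-case hex pairs joined by dashes."""
    if isinstance(mac, (bytes, bytearray)):
        raw = bytes(mac)
    else:
        digits = re.sub(r"[-:.\s]", "", mac)  # accept aa:bb.., AA-BB.., aabb.ccdd.eeff
        if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
            raise ValueError(f"not a 6-byte MAC address: {mac!r}")
        raw = bytes.fromhex(digits)
    if len(raw) != 6:
        raise ValueError("a MAC address is exactly 6 bytes")
    return "-".join(f"{b:02x}" for b in raw)


def md5_challenge_value(identifier: int, password: str, challenge: bytes) -> bytes:
    """MD5-Challenge response (RFC 1994 style): MD5(identifier || password || challenge)."""
    return hashlib.md5(bytes([identifier]) + password.encode("ascii") + challenge).digest()


def server_accepts(user_db: dict, username: str, identifier: int,
                   challenge: bytes, response: bytes) -> bool:
    """RADIUS-side check: recompute the value from the stored password and compare."""
    password = user_db.get(username)
    if password is None:
        return False
    expected = md5_challenge_value(identifier, password, challenge)
    return hmac.compare_digest(expected, response)


def users_entry(mac) -> str:
    """One FreeRADIUS-style users line (assumed server); name and password are the same string."""
    name = switch_mac_string(mac)
    return f'{name} Cleartext-Password := "{name}"'


if __name__ == "__main__":
    # Constructed sample data, not taken from the manual.
    db = {switch_mac_string("00:1A:2B:3C:4D:5E"): switch_mac_string("00:1A:2B:3C:4D:5E")}
    chal = bytes(range(16))
    name = switch_mac_string(b"\x00\x1a\x2b\x3c\x4d\x5e")  # what the switch derives from a frame
    print(users_entry(name))
    print(server_accepts(db, name, 7, chal, md5_challenge_value(7, name, chal)))  # True
    # An upper-case entry on the server never matches the switch's lower-case string.
    print(server_accepts({"00-1A-2B-3C-4D-5E": "x"}, name, 7, chal, b"\0" * 16))  # False
```

Because the password is the MAC string itself, the server-side check verifies only the address the switch observed, which is the spoofing limitation the text notes.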

RADIUS-Assigned QoS Enabled

When RADIUS-Assigned QoS is both globally enabled and enabled (checked) for a given port, the switch reacts to QoS Class information carried in the RADIUS Access-Accept packet transmitted by the RADIUS server when a