Interlogix NS3550-8T-2S User Manual

Page 204

User’s Manual of NS3550-8T-2S

responses between the supplicant and the authentication server. Frames
sent between the supplicant and the switch are special 802.1X frames,
known as EAPOL (EAP Over LANs) frames. EAPOL frames encapsulate
EAP PDUs (RFC3748). Frames sent between the switch and the RADIUS
server are RADIUS packets. RADIUS packets also encapsulate EAP PDUs
together with other attributes like the switch's IP address, name, and the
supplicant's port number on the switch. EAP is very flexible, in that it allows
for different authentication methods, like MD5-Challenge, PEAP, and TLS.
The important thing is that the authenticator (the switch) doesn't need to
know which authentication method the supplicant and the authentication
server are using, or how many information exchange frames are needed for
a particular method. The switch simply encapsulates the EAP part of the
frame into the relevant type (EAPOL or RADIUS) and forwards it.

When authentication is complete, the RADIUS server sends a special packet
containing a success or failure indication. Besides forwarding this decision to
the supplicant, the switch uses it to open up or block traffic on the switch port
connected to the supplicant.

Note: Suppose two backend servers are enabled and that the server timeout
is configured to X seconds (using the AAA configuration page), and suppose
that the first server in the list is currently down (but not considered dead).
Now, if the supplicant retransmits EAPOL Start frames at a rate faster than X
seconds, then it will never get authenticated, because the switch will cancel
on-going backend authentication server requests whenever it receives a
new EAPOL Start frame from the supplicant. And since the server hasn't yet
failed (because the X seconds haven't expired), the same server will be
contacted upon the next backend authentication server request from the
switch. This scenario will loop forever. Therefore, the server timeout should
be smaller than the supplicant's EAPOL Start frame retransmission rate.
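The loop the Note describes can be checked with a small timeline model of the authenticator. This is an added example, not text or code from the manual: the server names, the 30-second EAPOL Start retransmission interval and the assumption that a reachable server answers instantly are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Server:
    name: str
    up: bool  # whether the backend server actually answers

# Constructed backend server list: the first server is down but not yet marked dead.
SERVERS = [Server("radius-1", up=False), Server("radius-2", up=True)]

def timeout_config_ok(server_timeout: float, start_interval: float) -> bool:
    """The Note's rule: server timeout must be strictly smaller than the
    supplicant's EAPOL Start retransmission interval."""
    return server_timeout < start_interval

def simulate(server_timeout: float, start_interval: float, servers, max_starts: int = 20) -> dict:
    """Model of the switch behaviour described in the Note.

    The supplicant sends EAPOL Start at t = 0, start_interval, 2*start_interval, ...
    Each EAPOL Start cancels any pending backend request and starts a new one
    towards the first server not marked dead.  A request to a down server is only
    resolved (server marked dead, next server tried) if server_timeout elapses
    before the next EAPOL Start arrives; an up server answers instantly.
    """
    dead = set()
    t = 0.0
    for n in range(max_starts):
        t = n * start_interval          # supplicant (re)transmits EAPOL Start
        req_t = t                       # time the current backend request is sent
        while True:
            target = next((s for s in servers if s.name not in dead), None)
            if target is None:
                return {"authenticated": False, "time": req_t, "starts": n + 1,
                        "reason": "all servers dead"}
            if target.up:
                return {"authenticated": True, "time": req_t, "starts": n + 1,
                        "server": target.name}
            # Down server: the request pends until the server timeout fires or
            # the next EAPOL Start cancels it (cancellation wins on a tie).
            next_start = (n + 1) * start_interval
            if req_t + server_timeout >= next_start:
                break                   # cancelled; server never marked dead
            req_t += server_timeout
            dead.add(target.name)       # timeout expired: try the next server
    return {"authenticated": False, "time": t, "starts": max_starts,
            "reason": "looped: every request cancelled before the server timeout"}

if __name__ == "__main__":
    print(simulate(30, 30, SERVERS))    # timeout == retransmission interval: loops forever
    print(simulate(15, 30, SERVERS))    # timeout < interval: radius-1 marked dead, radius-2 answers
```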

Single 802.1X

In port-based 802.1X authentication, once a supplicant is successfully
authenticated on a port, the whole port is opened for network traffic. This
allows other clients connected to the port (for instance through a hub) to
piggy-back on the successfully authenticated client and get network access
even though they really aren't authenticated. To overcome this security
breach, use the Single 802.1X variant.

Single 802.1X is really not an IEEE standard, but features many of the same
characteristics as does port-based 802.1X. In Single 802.1X, at most one
supplicant can get authenticated on the port at a time. Normal EAPOL
frames are used in the communication between the supplicant and the
switch. If more than one supplicant is connected to a port, the one that
comes first when the port's link comes up will be the first one considered. If
that supplicant doesn't provide valid credentials within a certain amount of
time, another supplicant will get a chance. Once a supplicant is successfully
authenticated, only that supplicant will be allowed access. This is the most
secure of all the supported modes. In this mode, the Port Security module is
used to secure a supplicant's MAC address once successfully authenticated.

Multi 802.1X

In port-based 802.1X authentication, once a supplicant is successfully
authenticated on a port, the whole port is opened for network traffic. This
allows other clients connected to the port (for instance through a hub) to
piggy-back on the successfully authenticated client and get network access
even though they really aren't authenticated. To overcome this security
breach, use the Multi 802.1X variant.

Multi 802.1X is - like Single 802.1X - not an IEEE standard, but a variant
that features many of the same characteristics as port-based 802.1X. In
Multi 802.1X, one or more supplicants can get authenticated on the same port
at the same time. Each supplicant is authenticated individually and secured
in the MAC table using the Port Security module.

In Multi 802.1X it is not possible to use the multicast BPDU MAC address as
destination MAC address for EAPOL frames sent from the switch towards
the supplicant, since that would cause all supplicants attached to the port to
reply to requests sent from the switch. Instead, the switch uses the
supplicant's MAC address, which is obtained from the first EAPOL Start or