Interlogix NS3550-8T-2S User Manual User Manual

User’s Manual of NS3550-8T-2S

205

EAPOL Response Identity frame sent by the supplicant. An exception to this
is when no supplicants are attached. In this case, the switch sends EAPOL
Request Identity frames using the BPDU multicast MAC address as
destination - to wake up any supplicants that might be on the port.

The maximum number of supplicants that can be attached to a port can be
limited using the Port Security Limit Control functionality.



MAC-based Auth.

Unlike port-based 802.1X, MAC-based authentication is not a standard, but
merely a best-practices method adopted by the industry. In MAC-based
authentication, users are called clients, and the switch acts as the supplicant
on behalf of clients. The initial frame (any kind of frame) sent by a client is
snooped by the switch, which in turn uses the client's MAC address as both
username and password in the subsequent EAP exchange with the RADIUS
server. The 6-byte MAC address is converted to a string on the following
form "xx-xx-xx-xx-xx-xx", that is, a dash (-) is used as separator between the
lower-cased hexadecimal digits. The switch only supports the
MD5-Challenge authentication method, so the RADIUS server must be
configured accordingly.

When authentication is complete, the RADIUS server sends a success or
failure indication, which in turn causes the switch to open up or block traffic
for that particular client, using the Port Security module. Only then will
frames from the client be forwarded on the switch. There are no EAPOL
frames involved in this authentication, and therefore, MAC-based
Authentication has nothing to do with the 802.1X standard.

The advantage of MAC-based authentication over port-based 802.1X is that
several clients can be connected to the same port (e.g. through a 3rd party
switch or a hub) and still require individual authentication, and that the
clients don't need special supplicant software to authenticate. The
advantage of MAC-based authentication over 802.1X-based authentication
is that the clients don't need special supplicant software to authenticate. The
disadvantage is that MAC addresses can be spoofed by malicious users -
equipment whose MAC address is a valid RADIUS user can be used by
anyone. Also, only the MD5-Challenge method is supported. The maximum
number of clients that can be attached to a port can be limited using the Port
Security Limit Control functionality.

 RADIUS-Assigned QoS

Enabled

When RADIUS-Assigned QoS is both globally enabled and enabled (checked)
for a given port, the switch reacts to QoS Class information carried in the
RADIUS Access-Accept packet transmitted by the RADIUS server when a
supplicant is successfully authenticated. If present and valid, traffic received on
the supplicant's port will be classified to the given QoS Class. If
(re-)authentication fails or the RADIUS Access-Accept packet no longer carries a
QoS Class or it's invalid, or the supplicant is otherwise no longer present on the
port, the port's QoS Class is immediately reverted to the original QoS Class
(which may be changed by the administrator in the meanwhile without affecting
the RADIUS-assigned).
This option is only available for single-client modes, i.e.
• Port-based 802.1X

• Single 802.1X
RADIUS attributes used in identifying a QoS Class:

Refer to the written documentation for a description of the RADIUS attributes
needed in order to successfully identify a QoS Class. The User-Priority-Table
attribute defined in RFC4675 forms the basis for identifying the QoS Class in an
Access-Accept packet.

Only the first occurrence of the attribute in the packet will be considered, and to
be valid, it must follow this rule:

All 8 octets in the attribute's value must be identical and consist of ASCII
characters in the range '0' - '3', which translates into the desired QoS Class in the
range [0; 3].

 RADIUS-Assigned

VLAN Enabled

When RADIUS-Assigned VLAN is both globally enabled and enabled (checked)
for a given port, the switch reacts to VLAN ID information carried in the RADIUS
Access-Accept packet transmitted by the RADIUS server when a supplicant is
successfully authenticated. If present and valid, the port's Port VLAN ID will be
changed to this VLAN ID, the port will be set to be a member of that VLAN ID,
and the port will be forced into VLAN unaware mode. Once assigned, all traffic