beautypg.com

Interlogix NS3550-2T-8S User Manual User Manual

Page 239

background image

IFS NS3552-8P-2S AND NS3550-2T-8S User Manual

239

The page includes the following fields:

System Configuration

Object

Description

Mode

Indicates if NAS is globally enabled or disabled on the switch. If globally disabled,
all ports are allowed forwarding of frames.

Reauthentication

Enabled

If checked, successfully authenticated supplicants/clients are reauthenticated
after the interval specified by the Reauthentication Period. Reauthentication for
802.1X-enabled ports can be used to detect if a new device is plugged into a
switch port or if a supplicant is no longer attached.

For MAC-based ports, reauthentication is only useful if the RADIUS server
configuration has changed. It does not involve communication between the switch
and the client, and therefore doesn't imply that a client is still present on a port.

Reauthentication

Period

Determines the period, in seconds, after which a connected client must be
reauthenticated. This is only active if the Reauthentication Enabled checkbox is
checked. Valid values are in the range 1 to 3600 seconds.

EAPOL Timeout

Determines the time between retransmission of Request Identity EAPOL frames.
Valid values are in the range 1 to 255 seconds. This has no effect for MAC-based
ports.

Aging Period

This setting applies to the following modes, i.e. modes using the Port Security
functionality to secure MAC addresses:

Single 802.1X

Multi 802.1X

MAC-Based Auth.

When the NAS module uses the Port Security module to secure MAC addresses,
the Port Security module needs to check for activity on the MAC address in
question at regular intervals and free resources if no activity is seen within a given
period of time. This parameter controls exactly this period and can be set to a
number between 10 and 1000000 seconds.
If reauthentication is enabled and the port is in a 802.1X-based mode, this is not
so critical, since supplicants that are no longer attached to the port will get
removed upon the next reauthentication, which will fail. But if reauthentication is
not enabled, the only way to free resources is by aging the entries.
For ports in MAC-based Auth. mode, reauthentication doesn't cause direct
communication between the switch and the client, so this will not detect whether
the client is still attached or not, and the only way to free any resources is to age
the entry.

Hold Time

This setting applies to the following modes, i.e. modes using the Port Security
functionality to secure MAC addresses:

Single 802.1X

Multi 802.1X

MAC-Based Auth.

If a client is denied access - either because the RADIUS server denies the client
access or because the RADIUS server request times out (according to the
timeout specified on the "Configuration

→Security→AAA" page) - the client is put

on hold in the Unauthorized state. The hold timer does not count during an
on-going authentication.
In MAC-based Auth. mode, the switch will ignore new frames coming from the
client during the hold time.
The Hold Time can be set to a number between 10 and 1000000 seconds.

RADIUS-Assigned QoS

Enabled

RADIUS-assigned QoS provides a means to centrally control the traffic class to
which traffic coming from a successfully authenticated supplicant is assigned on
the switch. The RADIUS server must be configured to transmit special RADIUS
attributes to take advantage of this feature (see RADIUS-Assigned QoS Enabled
below for a detailed description).
The "RADIUS-Assigned QoS Enabled" checkbox provides a quick way to globally
enable/disable RADIUS-server assigned QoS Class functionality. When checked,
the individual ports' ditto setting determines whether RADIUS-assigned QoS
Class is enabled for that port. When unchecked, RADIUS-server assigned QoS

This manual is related to the following products: