beautypg.com

PLANET MGSW-24160F User Manual

Page 218

background image

User’s Manual of MGSW-24160F

authentication.

Force Unauthorized

In this mode, the switch will send one EAPOL Failure frame when the port link

comes up, and any client on the port will be disallowed network access.

Port-based 802.1X

In the 802.1X-world, the user is called the supplicant, the switch is the

authenticator, and the RADIUS server is the authentication server. The

authenticator acts as the man-in-the-middle, forwarding requests and responses

between the supplicant and the authentication server. Frame sent between the

supplicant and the switch is special 802.1X frame, known as EAPOL (EAP Over

LANs) frames. EAPOL frames encapsulate EAP PDUs (RFC3748). Frame sent

between the switch and the RADIUS server is RADIUS packet. RADIUS packets

also encapsulate EAP PDUs together with other attributes like the switch's IP

address, name, and the supplicant's port number on the switch. EAP is very

flexible, in that it allows for different authentication methods, like MD5-Challenge,

PEAP, and TLS. The important thing is that the authenticator (the switch) doesn't

need to know which authentication method the supplicant and the authentication

server are using, or how many information exchange frames are needed for a

particular method. The switch simply encapsulates the EAP part of the frame into

the relevant type (EAPOL or RADIUS) and forwards it.

When authentication is complete, the RADIUS server sends a special packet

containing a success or failure indication. Besides forwarding this decision to the

supplicant, the switch uses it to open up or block traffic on the switch port

connected to the supplicant.

Note

: Suppose two backend servers are enabled and that the server timeout is

configured to X seconds (using the AAA configuration page), and suppose that

the first server in the list is currently down (but not considered dead). Now, if the

supplicant retransmits EAPOL Start frames at a rate faster than X seconds, then

it will never get authenticated, because the switch will cancel on-going backend

authentication server requests whenever it receives a new EAPOL Start frame

from the supplicant. And since the server hasn't yet failed (because the X

seconds haven't expired), the same server will be contacted upon the next

backend authentication server request from the switch. This scenario will loop

forever. Therefore, the server timeout should be smaller than the supplicant's

EAPOL Start frame retransmission rate.

Single 802.1X

In port-based 802.1X authentication, once a supplicant is successfully

218

See also other documents in the category PLANET Routers: