beautypg.com

PLANET WGSD-10020 User Manual

Page 228

background image

User’s Manual of WGSD-10020 Series

228

particular client, using the Port Security module. Only then will frames from the

client be forwarded on the switch. There are no EAPOL frames involved in this

authentication, and therefore, MAC-based Authentication has nothing to do with

the 802.1X standard.

The advantage of MAC-based authentication over port-based 802.1X is that

several clients can be connected to the same port (e.g. through a 3rd party

switch or a hub) and still require individual authentication, and that the clients

don't need special supplicant software to authenticate. The advantage of

MAC-based authentication over 802.1X-based authentication is that the clients

don't need special supplicant software to authenticate. The disadvantage is that

MAC addresses can be spoofed by malicious users - equipment whose MAC

address is a valid RADIUS user can be used by anyone. Also, only the

MD5-Challenge method is supported. The maximum number of clients that can

be attached to a port can be limited using the Port Security Limit Control

functionality.

RADIUS-Assigned QoS
Enabled

When RADIUS-Assigned QoS is both globally enabled and enabled (checked)

for a given port, the switch reacts to QoS Class information carried in the

RADIUS Access-Accept packet transmitted by the RADIUS server when a

supplicant is successfully authenticated. If present and valid, traffic received on

the supplicant's port will be classified to the given QoS Class. If

(re-)authentication fails or the RADIUS Access-Accept packet no longer carries a

QoS Class or it's invalid, or the supplicant is otherwise no longer present on the

port, the port's QoS Class is immediately reverted to the original QoS Class

(which may be changed by the administrator in the meanwhile without affecting

the RADIUS-assigned).

This option is only available for single-client modes, i.e.

Port-based 802.1X

• Single 802.1X
RADIUS attributes used in identifying a QoS Class:

Refer to the written documentation for a description of the RADIUS attributes

needed in order to successfully identify a QoS Class. The User-Priority-Table

attribute defined in RFC4675 forms the basis for identifying the QoS Class in an

Access-Accept packet.

Only the first occurrence of the attribute in the packet will be considered, and to

be valid, it must follow this rule:

All 8 octets in the attribute's value must be identical and consist of ASCII

characters in the range '0' - '3', which translates into the desired QoS Class in the

range [0; 3].

This manual is related to the following products:
See also other documents in the category PLANET Routers: