beautypg.com

PLANET WGSD-10020HP User Manual

Page 224

background image

User’s Manual of WGSD-10020 Series

packets also encapsulate EAP PDUs together with other attributes like the

switch's IP address, name, and the supplicant's port number on the switch. EAP

is very flexible, in that it allows for different authentication methods, like

MD5-Challenge, PEAP, and TLS. The important thing is that the authenticator

(the switch) doesn't need to know which authentication method the supplicant

and the authentication server are using, or how many information exchange

frames are needed for a particular method. The switch simply encapsulates the

EAP part of the frame into the relevant type (EAPOL or RADIUS) and forwards it.

When authentication is complete, the RADIUS server sends a special packet

containing a success or failure indication. Besides forwarding this decision to the

supplicant, the switch uses it to open up or block traffic on the switch port

connected to the supplicant.

Note

:

Suppose two backend servers are enabled and that the server timeout is

configured to X seconds (using the AAA configuration Page), and suppose that

the first server in the list is currently down (but not considered dead). Now, if the

supplicant retransmits EAPOL Start frames at a rate faster than X seconds, then

it will never get authenticated, because the switch will cancel on-going backend

authentication server requests whenever it receives a new EAPOL Start frame

from the supplicant. And since the server hasn't yet failed (because the X

seconds haven't expired), the same server will be contacted upon the next

backend authentication server request from the switch. This scenario will loop

forever. Therefore, the server timeout should be smaller than the supplicant's

EAPOL Start frame retransmission rate.

Single 802.1X

In port-based 802.1X authentication, once a supplicant is successfully

authenticated on a port, the whole port is opened for network traffic. This allows

other clients connected to the port (for instance through a hub) to piggy-back on

the successfully authenticated client and get network access even though they

really aren't authenticated. To overcome this security breach, use the Single

802.1X variant.

Single 802.1X is really not an IEEE standard, but features many of the same

characteristics as does port-based 802.1X. In Single 802.1X, at most one

supplicant can get authenticated on the port at a time. Normal EAPOL frames are

used in the communication between the supplicant and the switch. If more than

one supplicant is connected to a port, the one that comes first when the port's link

comes up will be the first one considered. If that supplicant doesn't provide valid

credentials within a certain amount of time, another supplicant will get a chance.

Once a supplicant is successfully authenticated, only that supplicant will be

224