
Authentication server side, Multiple supplicant support, Exclusions and limitations – Extreme Networks 200 Series User Manual


Network Login

Summit 200 Series Switch Installation and User Guide

75

Again, any client with a web browser can interoperate using web-based authentication.

Authentication Server Side

The RADIUS server used for authentication has to be EAP-capable. Consider the following when
choosing a RADIUS server:

• The types of authentication methods supported on RADIUS, as mentioned above.

• Need to support Vendor Specific Attributes (VSA). Some important parameters, such as
  Extreme-Netlogin-Vlan (destination VLAN for port movement after authentication) and
  Extreme-NetLogin-only (authorization for network login only), are brought back as VSAs.

• Need to support both EAP and traditional Username-Password authentication. These are used by
  network login and switch console login respectively.
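The two parameters above come back inside the RADIUS Vendor-Specific attribute (type 26, RFC 2865 section 5.26), which wraps a 4-byte vendor ID and one or more vendor sub-attributes. The following is an added example, not code from the manual or from Extreme, that encodes and decodes such VSAs and then extracts the VLAN name and the network-login-only flag from a constructed Access-Accept attribute list. The vendor ID 1916 and sub-attribute codes 203 and 206 are assumptions taken from the FreeRADIUS Extreme dictionary as the author recalls it; check them against your own server's dictionary.

```python
import struct

# RFC 2865 5.26 Vendor-Specific attribute layout:
#   Type (26) | Length | Vendor-Id (4 bytes) | Vendor-Type | Vendor-Length | Value
VENDOR_SPECIFIC = 26

# Assumption: Extreme Networks' enterprise number and the sub-attribute codes as
# carried in the FreeRADIUS dictionary.extreme. Verify before relying on them.
EXTREME_VENDOR_ID = 1916
EXTREME_NETLOGIN_VLAN = 203   # string: destination VLAN after authentication
EXTREME_NETLOGIN_ONLY = 206   # integer: 1 = authorized for network login only


def encode_vsa(vendor_id, vendor_type, value):
    """Build one Vendor-Specific attribute wrapping a single vendor sub-attribute."""
    if isinstance(value, int):
        value = struct.pack("!I", value)          # RADIUS integers are 4-byte big-endian
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_attributes(data):
    """Walk a RADIUS attribute list. Returns (type, vendor_id, vendor_type, value)
    tuples; vendor fields are None for non-VSA attributes. Length fields are
    checked so a malformed reply raises instead of being misread."""
    out = []
    i = 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        payload = data[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC:
            if len(payload) < 6:
                raise ValueError("VSA too short")
            vendor_id = struct.unpack("!I", payload[:4])[0]
            j = 4
            while j < len(payload):
                if len(payload) - j < 2:
                    raise ValueError("truncated VSA sub-attribute")
                vtype, vlen = payload[j], payload[j + 1]
                if vlen < 2 or j + vlen > len(payload):
                    raise ValueError("bad VSA sub-attribute length")
                out.append((atype, vendor_id, vtype, payload[j + 2:j + vlen]))
                j += vlen
        else:
            out.append((atype, None, None, payload))
        i += alen
    return out


def netlogin_authorization(attrs):
    """Pick out the two Extreme VSAs that network login acts on.
    Returns (vlan_name or None, netlogin_only flag)."""
    vlan, only = None, False
    for _atype, vid, vtype, val in attrs:
        if vid != EXTREME_VENDOR_ID:
            continue
        if vtype == EXTREME_NETLOGIN_VLAN:
            vlan = val.decode("ascii")
        elif vtype == EXTREME_NETLOGIN_ONLY and len(val) == 4:
            only = struct.unpack("!I", val)[0] == 1
    return vlan, only


# Constructed sample Access-Accept attribute list: a Reply-Message (type 18)
# followed by the two Extreme VSAs. Not captured from a real server.
SAMPLE_ACCEPT = (
    struct.pack("!BB", 18, 2 + len(b"welcome")) + b"welcome"
    + encode_vsa(EXTREME_VENDOR_ID, EXTREME_NETLOGIN_VLAN, b"authvlan")
    + encode_vsa(EXTREME_VENDOR_ID, EXTREME_NETLOGIN_ONLY, 1)
)

if __name__ == "__main__":
    vlan, only = netlogin_authorization(decode_attributes(SAMPLE_ACCEPT))
    print(vlan, only)   # authvlan True
```

The decoder rejects attributes whose declared length runs past the packet rather than silently reading short, which is the check you want in front of any code that acts on a VLAN name supplied by the authentication server.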

Multiple Supplicant Support

An important enhancement over the IEEE 802.1x standard is that ExtremeWare allows multiple
clients (supplicants) to be individually authenticated on the same port. Thus it is possible for two client
stations to be connected to the same port, with one being authenticated and the other not. A port's
authentication state is the logical “OR” of the individual MACs' authentication states. In other words, a
port is authenticated if any of its connected clients is authenticated. Multiple clients can be connected to
a single network login port through a hub or layer-2 switch.

Multiple supplicants are supported in ISP mode for both web-based and 802.1x authentication. Multiple
supplicants are not supported in Campus mode.

The choice of web-based versus 802.1x authentication is again on a per-MAC basis. Among multiple
clients on the same port, it is possible that some clients use web-based mode to authenticate, and some
others use 802.1x.

There are certain restrictions for multiple supplicant support:

• Web-based mode does not support Campus mode for multiple supplicants, because once the first MAC
  is authenticated, the port is moved to a different VLAN and the other unauthenticated
  clients (which are still in the original VLAN) cannot have layer 3 message transactions with the
  authentication server.

• Once the first MAC is authenticated, the port is transitioned to the authenticated state and other
  unauthenticated MACs can listen to all data destined to the first MAC. This could raise security
  concerns, as unauthenticated MACs can listen to all broadcast and multicast traffic directed to a
  network login-authenticated port.
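The behaviour described above (per-MAC state, port state as the OR of MAC states, the Campus-mode VLAN move stranding later clients, and every MAC behind a shared port hearing broadcasts once the port is authenticated) is captured in the following toy model. It is an added illustration written for this page, not ExtremeWare code; the mode names, VLAN names and MAC labels are constructed. The same broadcast exposure is the first item in the exclusions list that follows.

```python
# Toy model of the network-login port rules described in the text. This is an
# added illustration, not ExtremeWare's implementation; "isp"/"campus" labels,
# VLAN names and MAC labels are constructed for the example.

class NetloginPort:
    def __init__(self, mode, vlan):
        if mode not in ("isp", "campus"):
            raise ValueError("mode must be 'isp' or 'campus'")
        self.mode = mode
        self.vlan = vlan            # VLAN the port is currently in
        self.original_vlan = vlan   # VLAN through which the auth server is reached
        self.auth = {}              # mac -> authenticated?

    def connect(self, mac):
        # A hub or layer-2 switch lets several MACs share one switch port.
        self.auth.setdefault(mac, False)

    def port_authenticated(self):
        # The port's state is the logical OR of the individual MAC states.
        return any(self.auth.values())

    def can_reach_auth_server(self, mac):
        # An unauthenticated client still needs layer 3 exchanges with the
        # authentication server; that only works while the port is still in
        # the VLAN the server is reached through.
        return mac in self.auth and self.vlan == self.original_vlan

    def authenticate(self, mac, dest_vlan):
        """Attempt to authenticate one MAC. Returns True on success."""
        if mac not in self.auth:
            raise KeyError(mac)
        if not self.can_reach_auth_server(mac):
            return False            # stranded: port already moved away
        if self.mode == "campus" and self.port_authenticated():
            return False            # Campus mode: one supplicant per port
        self.auth[mac] = True
        if self.mode == "campus":
            self.vlan = dest_vlan   # Campus mode moves the whole port
        return True

    def sees_broadcasts(self, mac):
        # Once the port is authenticated the switch forwards traffic to it, so
        # every MAC behind the shared port hears broadcasts and multicasts,
        # authenticated or not. This is the security concern the text raises.
        return mac in self.auth and self.port_authenticated()


def isp_scenario():
    """Two MACs on one ISP-mode port; only mac-A authenticates.
    Returns {mac: (authenticated, sees_broadcasts, can_reach_auth_server)}."""
    port = NetloginPort("isp", "netlogin")
    port.connect("mac-A")
    port.connect("mac-B")
    port.authenticate("mac-A", "authvlan")
    return {m: (port.auth[m], port.sees_broadcasts(m), port.can_reach_auth_server(m))
            for m in port.auth}


def campus_scenario():
    """Same two MACs on a Campus-mode port. Returns (port VLAN after the first
    authentication, whether mac-B could authenticate, whether mac-B can still
    reach the authentication server)."""
    port = NetloginPort("campus", "netlogin")
    port.connect("mac-A")
    port.connect("mac-B")
    port.authenticate("mac-A", "authvlan")
    second = port.authenticate("mac-B", "authvlan")
    return port.vlan, second, port.can_reach_auth_server("mac-B")


if __name__ == "__main__":
    print(isp_scenario())      # mac-B unauthenticated yet hears broadcasts
    print(campus_scenario())   # ('authvlan', False, False)
```

In the ISP run the unauthenticated mac-B keeps its path to the authentication server but already receives the port's broadcast and multicast traffic; in the Campus run the port's VLAN move leaves mac-B unable to authenticate at all, which is why multiple supplicants are only supported in ISP mode.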

Exclusions and Limitations

The following are limitations and exclusions for network login:

• All unauthenticated MACs will see broadcasts and multicasts sent to the port if even a single
  MAC is authenticated on that port.

• Network login must be disabled on a port before that port can be deleted from a VLAN.

• In Campus mode, once the port moves to the destination VLAN, the original VLAN for that port is
  not displayed.