NETGEAR AV Line M4250 GSM4210PX 8-Port Gigabit PoE+ Compliant Managed AV Switch with SFP (220W) User Manual

Page 556

• Multi-Domain: One data client and one voice client can be authenticated on the port. After authentication succeeds, the data and voice clients are granted access.
As an example, use this option when an IP phone is connected to a NAS port and a laptop is connected to the hub port of the IP phone. Both devices must be authenticated to access the network services behind the NAS. The voice and data domains are segregated. (The RADIUS server attribute Cisco-AVPair = device-traffic-class=voice is used to identify a voice client.)

• Multi-Auth: One voice client and multiple data clients can be authenticated on the port. After authentication succeeds, access is granted to all clients.
As an example, use this option when a network of laptops and an IP phone are connected to a NAS port via a hub.

• Multi-Domain-Multi-Host: Initially, one voice client and one data client can be authenticated on the port. After the data client is authenticated, access is granted to all clients connected to the port and they are considered data clients.
As an example, use this option when an IP phone is connected to a NAS port and a virtual machine (VM) controller is connected to the hub port of the IP phone. The VM controller hosts multiple VMs. Both the VM controller and the IP phone must be authenticated to access the network services behind the NAS. The voice and data domains are segregated. After the VM controller is authenticated, traffic is allowed from all VMs hosted by the VM controller. Note that if the data client is authenticated first, the voice client can be authenticated only using 802.1x.

9. From the MAB menu, select whether to enable or disable MAC-based authentication bypass (MAB) for 802.1x-unaware clients.
MAB functions only if the port control mode is MAC-based. The default selection is Disable.

10. From the MAB Auth Type menu, select a MAB authentication option:

• EAP-MD5: The MD5 hash of the MAC address is sent as the password in the EAP message (RADIUS Attribute 79) to the authentication server.

• PAP: The MAC address of the client is sent as the password, similar to the format of Attribute 1, in clear text as part of the User-Password message (RADIUS Attribute 2).

• CHAP: A randomly generated 16-octet challenge is sent as the CHAP-Challenge message (RADIUS Attribute 60) along with the CHAP-Password message (RADIUS Attribute 3). The CHAP ID is a unique number that is used to identify the session. The MAC address of the client is retrieved and formatted using the configured Attribute 1 format. Then, this information is used as a secret to derive the information for the CHAP-Password message. The information for the CHAP-Password message is calculated as MD5 (with the CHAP-ID, secret, and CHAP-Challenge).
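The CHAP calculation described above, as an added example (not taken from the NETGEAR manual or the switch firmware): a Python sketch of how a RADIUS server could recompute and check the CHAP-Password for a MAB client. The function names and the separator/case options standing in for the "Attribute 1 format" are assumptions; the attribute layout (1-octet CHAP ID followed by the 16-octet MD5 result) follows RFC 2865.

```python
import hashlib
import hmac


def format_mac(mac: str, sep: str = "", upper: bool = True) -> str:
    """Render a MAC address in an assumed Attribute 1 (User-Name) format."""
    digits = "".join(c for c in mac if c in "0123456789abcdefABCDEF")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    digits = digits.upper() if upper else digits.lower()
    return sep.join(digits[i:i + 2] for i in range(0, 12, 2))


def chap_password(chap_id: int, secret: str, challenge: bytes) -> bytes:
    """Value of CHAP-Password (attribute 3): ID + MD5(ID || secret || challenge)."""
    if not 0 <= chap_id <= 255:
        raise ValueError("CHAP ID must fit in one octet")
    if len(challenge) != 16:
        raise ValueError("CHAP-Challenge (attribute 60) must be 16 octets here")
    ident = bytes([chap_id])
    return ident + hashlib.md5(ident + secret.encode("ascii") + challenge).digest()


def verify_mab_chap(user_name: str, chap_password_attr: bytes,
                    challenge: bytes) -> bool:
    """Server-side check for MAB: the secret is the MAC exactly as it was
    formatted into User-Name, so both sides must agree on that format."""
    if len(chap_password_attr) != 17 or len(challenge) != 16:
        return False
    try:
        expected = chap_password(chap_password_attr[0], user_name, challenge)
    except UnicodeEncodeError:
        return False
    # Constant-time comparison of the recomputed and received values.
    return hmac.compare_digest(expected, chap_password_attr)


if __name__ == "__main__":
    import os

    mac = format_mac("00:11:22:aa:bb:cc")   # constructed sample MAC
    challenge = os.urandom(16)              # what the switch would generate
    attr = chap_password(1, mac, challenge)
    print(mac, attr.hex(), verify_mab_chap(mac, attr, challenge))
```

Because the secret is the client's MAC address, a successful check shows only that the request carries that MAC in the expected format; a mismatch in separator or case between switch and server makes every MAB request fail.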

Manage Switch Security

AV Line of Fully Managed Switches M4250 Series Main User Manual