Filter
Top Products
AT-S63 Management Software Features Guide
Section VIII: Port Security 361
Assigning unique username and password combinations to your
network users and requiring the users to provide the information when
they initially send traffic through the switch can enhance network
security by limiting network access to only those supplicants who have
been assigned valid combinations. Another advantage is that the
authentication is not tied to any specific computer or node. An end user
can log on from any system and still be verified by the RADIUS server
as a valid user of the switch and network.
This authentication method requires 802.1x client software on the
supplicant nodes.
MAC address-based authentication
An alternative method is to use the MAC address of a node as the
username and password combination for the device. The client is not
prompted for this information. Rather, the switch extracts the source
MAC address from the initial frames received from a supplicant and
automatically sends the MAC address as both the username and
password of the supplicant to the RADIUS server for authentication.
The advantage to this approach is that the supplicant need not have
802.1x client software. The disadvantage is that because the client is
not prompted for a username and password combination, it does not
guard against an unauthorized individual from gaining access to the
network through an unattended network node or by counterfeiting a
valid network MAC address.
Operational Settings
A port in the authenticator role can have one of three possible operational
settings:
Auto - Activates port-based authentication. The port begins in the
unauthorized state, forwarding only EAPOL frames and discarding all
other traffic. The authentication process begins when the link state of
the port changes or the port receives an EAPOL-Start packet from a
supplicant. The switch requests the identity of the client and begins
relaying authentication messages between the client and the RADIUS
authentication server. After the supplicant is validated by the RADIUS
server, the port begins forwarding all traffic to and from the supplicant.
This is the default setting for an authenticator port.
Force-authorized - Disables IEEE 802.1X port-based authentication
and automatically places the port in the authorized state without any
authentication exchange required. The port transmits and receives
normal traffic without authenticating the client.