D-Link DMS-3130 User Manual - Page 339

DMS-3130 Series Multi-Gigabit L3 Stackable Managed Switch Web UI Reference Guide • Port-based Access Control - This method requires only one user to be authenticated per port by a remote RADIUS server to allow the remaining users on the same port access to the network. • Host-based Access Control - Using this method, the Switch will automatically learn up to a maximum of 1000 MAC addresses by port and set them in a list. Each MAC address must be authenticated by the Switch using a remote RADIUS server before being allowed access to the Network. Understanding 802.1X Port-based and Host-based Network Access Control The original intent behind the development of 802.1X was to leverage the characteristics of point-to-point in LANs. As any single LAN segment in such infrastructures has no more than two devices attached to it, one of which is a Bridge Port. The Bridge Port detects events that indicate the attachment of an active device at the remote end of the link, or an active device becoming inactive. These events can be used to control the authorization state of the Port and initiate the process of authenticating the attached device if the Port is unauthorized. This is the Port-based Network Access Control. Port-based Network Access Control Once the connected device has successfully been authenticated, the Port then becomes Authorized, and all subsequent traffic on the Port is not subject to access control restriction until an event occurs that causes the Port to become Unauthorized. Hence, if the Port is actually connected to a shared media LAN segment with more than one attached device, successfully authenticating one of the attached devices effectively provides access to the LAN for all devices on the shared segment. Clearly, the security offered in this situation is open to attack. Ethernet Switch RADIUS Server 802.1X Client 802.1X 802.1X Client Client 802.1X Client 802.1X Client 802.1X Client 802.1X Client ... 802.1X Client 802.1X Client Network access controlled port Network access uncontrolled port Figure 9-10 Example of Typical Port-based Configuration Host-based Network Access Control In order to successfully make use of 802.1X in a shared media LAN segment, it would be necessary to create "logical" Ports, one for each attached device that required access to the LAN. The Switch would regard the single physical Port connecting it to the shared media segment as consisting of a number of distinct logical Ports, each logical Port being independently controlled from the point of view of EAPOL exchanges and authorization state. The Switch learns each attached devices' individual MAC addresses, and effectively creates a logical Port that the attached device can then use to communicate with the LAN via the Switch. 328