Home » Lantronix Manuals » Hubs & Switches » Lantronix SISPM1040-3166-L » Manual Viewer

Lantronix SISPM1040-3166-L Web User Guide Rev G PDF 14.13 MB - Page 260

Multi 802.1X, MAC-based Auth.

View all Lantronix SISPM1040-3166-L manuals

Add to My Manuals
Save this manual to your list of manuals

Page 260 highlights

Transition Networks SISPM1040-3xxx-L Web User Guide does port-based 802.1X. In Single 802.1X, at most one supplicant can get authenticated on the port at a time. Normal EAPOL frames are used in the communication between the supplicant and the switch. If more than one supplicant is connected to a port, the one that comes first when the port's link comes up will be the first one considered. If that supplicant doesn't provide valid credentials within a certain amount of time, another supplicant will get a chance. Once a supplicant is successfully authenticated, only that supplicant will be allowed access. This is the most secure of all the supported modes. In this mode, the Port Security module is used to secure a supplicant's MAC address once successfully authenticated. Multi 802.1X : In port-based 802.1X authentication, once a supplicant is successfully authenticated on a port, the whole port is opened for network traffic. This allows other clients connected to the port (for instance through a hub) to piggy-back on the successfully authenticated client and get network access even though they really aren't authenticated. To overcome this security breach, use the Multi 802.1X variant. Multi 802.1X is really not an IEEE standard, but features many of the same characteristics as does portbased 802.1X. Multi 802.1X is - like Single 802.1X - not an IEEE standard, but a variant that features many of the same characteristics. In Multi 802.1X, one or more supplicants can get authenticated on the same port at the same time. Each supplicant is authenticated individually and secured in the MAC table using the Port Security module. In Multi 802.1X it is not possible to use the multicast BPDU MAC address as destination MAC address for EAPOL frames sent from the switch towards the supplicant, since that would cause all supplicants attached to the port to reply to requests sent from the switch. Instead, the switch uses the supplicant's MAC address, which is obtained from the first EAPOL Start or EAPOL Response Identity frame sent by the supplicant. An exception to this is when no supplicants are attached. In this case, the switch sends EAPOL Request Identity frames using the BPDU multicast MAC address as destination - to wake up any supplicants that might be on the port. The maximum number of supplicants that can be attached to a port can be limited using the Port Security Limit Control functionality. MAC-based Auth.: Unlike port-based 802.1X, MAC-based authentication is not a standard, but merely a best-practices method adopted by the industry. In MAC-based authentication, users are called clients, and the switch acts as the supplicant on behalf of clients. The initial frame (any kind of frame) sent by a client is snooped by the switch, which in turn uses the client's MAC address as both username and password in the subsequent EAP exchange with the RADIUS server. The 6-byte MAC address is converted to a string on the following form "xx-xx-xx-xx-xx-xx", that is, a dash (-) is used as separator between the lower-cased hexadecimal digits. The switch only supports the MD5-Challenge authentication method, so the RADIUS server must be configured accordingly. When authentication is complete, the RADIUS server sends a success or failure indication, which in turn causes the switch to open up or block traffic for that particular client, using the Port Security module. Only then will frames from the client be forwarded on the switch. There are no EAPOL frames involved in this authentication, and therefore, MAC-based Authentication has nothing to do with the 802.1X standard. 33763 Rev. G https://www.transition.com Page 260 of 496

Section	Page
Safety Warnings and Cautions:	2
Chapter 1 - Introduction	10
1-1 Key Features	10
1-2 About This Manual	10
1-3 Related Manuals	10
Chapter 2 – Web User Interface	11
2-1 Initial Login	11
2-2 Webpage Controls	12
Webpage Messages	13
Chapter 3 - System Configuration	14
3-1 System Information	14
3-2 IP Address	16
3-2.1 Settings	16
3-2.2 Advanced Settings	18
3-2.3 Status	22
3-3 System Time	24
3-4 LLDP	27
3-4.2 LLDP-MED Configuration	30
3-4.3 LLDP Neighbor	36
3-4.4 LLDP-MED Neighbor	38
3-4.5 LLDP Neighbor PoE	41
3-4.6 LLDP Neighbor EEE	42
3-4.7 LLDP Statistics	44
3-5 UPnP	46
Chapter 4 – Port Management	48
4-1 Port Configuration	48
4-2 Port Statistics	50
4-3 Detailed Port Statistics	51
4-3 SFP Port Info	53
4-4 Energy Efficient Ethernet	55
4-5 Link Aggregation	56
4-5.1 Static Configuration	56
4-5.2 Aggregation Status	58
4-5.3 LACP Configuration	59
4-5.4 System Status	61
4-5.5 Internal Status	62
4-5.6 Neighbor Status	64
4-5.7 Port Status	66
4-6 Loop Protection	67
4-6.1 Configuration	67
4-6.2 Status	69
4-7 UDLD	70
4-7.1 UDLD Configuration	70
4-7.2 UDLD Status	72
Chapter 5 - PoE Management	74
5-1 PoE Configuration	74
5-2 PoE Management > PoE Status	77
5-3 PoE Management > PoE Power Delay	79
5-4 PoE Management > PoE Auto Checking	80
PoE Auto Checking “AutoFill” Feature	81
5-5 PoE Management > PoE Scheduling Profile	82
Chapter 6 – VLAN Management	83
6-1 VLAN Configuration	83
6-2 VLAN Membership	87
6-3 VLAN Port Status	89
6-4 VLAN Name Configuration	91
6-4 MAC-based VLAN	92
6-4.1 Configuration	92
6-4.2 Status	94
6-5 Protocol-based VLAN	95
6-5.1 Protocol to Group	95
6-5.2 Group to VLAN	97
6-6 VCL IP Subnet-based VLAN Configuration	99
6-7 GVRP	100
6-8 Private VLAN	102
6-9 Port Isolation	103
6-10 Voice VLAN	104
6-10.1 Configuration	104
6-10.2 OUI	106
Chapter 7 – Ethernet Services	107
7-1 Ports	107
7-2 EVC Port Configuration	109
7-3 EVC Encapsulation Configuration	111
7-4 EVC L2CP Profile Configuration	112
7-5 EVC L2CP Port Configuration	113
7-6 EVC CoS ID Policer Configuration	114
7-7 EVC Configuration	116
7-8 ECE Configuration	121
7-9 EVC Statistics	131
Chapter 8 – Performance Monitor	133
8-1 PM Session and Storage Configuration	133
8-2 PM Transfer Configuration	134
8-3 Performance Monitor Loss Measurement Statistics	136
8-4 Performance Monitor Delay Measurement Statistics	138
8-5 Performance Monitor EVC Statistics	141
8-6 Performance Monitor Measurement Interval Information	143
Chapter 9 – Quality of Service (QoS)	145
9-1 Port Classification	145
9-2 Port Policers	148
9-3 Port Shapers	150
9-4 Storm Control	152
9-5 Port Schedulers	154
9-6 Port PCP Remarking	155
9-7 DSCP	158
9-7.1 Port DSCP	158
9-7.2 DSCP Translation	160
9-7.3 DSCP Classification	162
9-7.4 DSCP-Based QoS	163
9-8 QoS Control List	164
9-8.1 Configuration	164
9-8.2 Status	168
9-9 QoS Statistics	170
9-10 WRED	171
Chapter 10 – HqoS (Hierarchical Quality of Service)	174
10-1 HqoS Port Configuration	174
10-2 Add New HqoS Entry	175
Chapter 11 – Spanning Tree	180
11-1 STP Configuration	180
11-2 MSTI Configuration	183
11-3 STP Status	189
11-4 Port Statistics	192
Chapter 12 – MAC Address Tables	193
12-1 Configuration	193
12-2 Information	196
Chapter 13 – Multicast	198
13-1 IGMP Snooping	198
13-1.1 Basic Configuration	198
13-1.2 VLAN Configuration	200
13-1.3 Status	202
13-1.4 Groups Information	204
13-1.5 IGMP SFM Information	206
13-2 MLD Snooping	208
13-2.1 Basic Configuration	208
13-2.2 VLAN Configuration	211
13-2.3 Status	213
13-2.4 Groups Information	215
13-2.5 MLD SFM Information	217
13-3 MVR	219
10-3.1 Basic Configuration	219
13-3.2 Statistics	222
13-3.3 Groups Information	223
13-3.4 SFM Information	224
13-4 Multicast Filtering Profile	226
13-4.1 Filtering Profile Table	226
13-4.2 Filtering Address Entry	229
Chapter 14 – DHCP	231
14-1 Snooping	231
14-1.1 Configuration	231
14-1.2 Snooping Table	233
14-1.3 Detailed Statistics	234
14-2 Relay	236
14-2.1 Configuration	236
14-2.2 Statistics	238
14-3 Server	240
14-3.1 Configuration	240
14-3.2 Status	241
Chapter 15 – Security	243
15-1 Management	243
15-1.1 Account	243
15-1.2 Privilege Levels	247
15-1.3 Auth Method	249
15-1.4 Access Method	252
15-1.5 HTTPS	254
15-2 802.1X	256
15-2.1 Configuration	256
15-2.2 Status	264
15-3 IP Source Guard	270
15-3.1 Configuration	270
15-3.2 Static Table	272
15-3.3 Dynamic Table	273
15-4 ARP Inspection	275
15-4.1 Configuration	275
15-4.2 VLAN Configuration	277
15-4.3 Static Table	279
12-4.4 Dynamic Table	280
15-5 Port Security	282
12-5.1 Configuration	282
15-5.2 Status	285
15-6 RADIUS	288
15-6.1 Configuration	288
15-6.2 Status	291
15-7 TACACS+	296
Chapter 16 – Access Control	298
16-1 Ports Configuration	298
16-2 Rate Limiters	300
16-3 Access Control List	302
16-4 ACL Status	313
Chapter 17 – SNMP	316
17-1 SNMPv1/v2c Configuration	316
17-2 SNMPv3	318
17-2.1 Communities	318
17-2.2 Users	319
17-2.3 Groups	321
17-2.4 Views	322
17-2.5 Access	323
17-3 RMON Statistics	325
17-3.1 Configuration	325
17-3.2 Status	326
17-4 RMON History	328
17-4.1 Configuration	328
17-4.2 Status	329
17-5 RMON Alarm	331
17-5.1 Configuration	331
17-5.2 Status	333
17-6 RMON Event	335
17-6.1 Configuration	335
17-6.2 Status	336
Chapter 18 – MEP	337
18-1 MEP Configuration	337
18-2 MEP Configuration Page	340
18-2.1 Fault Management	345
18-2.2Performance Monitoring	350
Chapter 19 – ERPS	357
19-1 Ethernet Ring Protection Switching	357
19-2 ERPS Instance Configuration	360
19-3 RPL Configuration	361
19-4 Sub-Ring Configuration	361
19-5 Instance Command	361
19-6 ERPS VLAN Configuration	362
Chapter 20 – EPS	364
20-1 EPS Configuration	364
Chapter 21 – Rapid Ring	369
21-1 Configuration	369
Chapter 22 – MRP	370
22-1 Configuration	370
22-2 Status	374
Chapter 23 – PTP	376
23-1 Configuration	376
23-2 Status	387
Chapter 24 – Event Notification	389
24-1 SNMP Trap	389
24-2 eMail	392
24-3 Log	394
24-3.1 Syslog	394
24-3.2 View Log	395
24-4 Digital I/O	397
24-5 Event Configuration	398
24-6 Port Event Setting	400
Chapter 25 – Diagnostics	402
25-1 Ping	402
25-2 Traceroute	404
25-3 Cable Diagnostics	406
25-4 Mirroring	408
25-5 sFlow	410
25-5.1 Configuration	410
25-5.2 Statistics	413
25-6 Traffic Test	415
25-6.1 Y.1564	415
Y.1564 Profile Overview	416
Y.1564 Profile Configuration	417
Y.1564 Report Overview	423
Y.1564 Test Start	424
25-6.2 RFC2544	427
23-6.2.1 RFC Profile Overview	427
25-6.2.2 RFC2544 Profile Configuration	428
25-6.2.3 RFC2544 Reports	433
25-6.2.4 RFC2544 Test Start	434
25-6.3 Traffic Test Loop	438
Traffic Test Loop Configuration	440
Chapter 26 – Maintenance	443
26-1 Configuration	443
26-1.1 Save startup-config	443
26-1.2 Backup	444
26-1.3 Restore	446
26-1.4 Activate	448
26-1.5 Delete	450
26-2 Restart Device	451
26-3 Factory Defaults	452
26-4 Firmware	453
24-4.1 Firmware Upgrade	453
26-4.2 Firmware Selection	454
Chapter 27- DMS (Device Management System)	455
27-1 About DMS	455
27-2 DMS Mode - DMS Controller Switch	455
27-3 DMS Controller Switch and Managed Devices	456
27-4 DMS > DMS Mode	456
27-5 DMS > Management > Map API Key	458
27-6 DMS > Management > Device List	459
27-7 DMS > Graphical Monitoring	461
27-7.1 DMS > Graphical Monitoring > Topology View	461
PoE Auto Checking “AutoFill” Feature	467
27-7.2 DMS > Graphical Monitoring > Floor View	468
27-7.3 DMS > Graphical Monitoring > Map View	471
27-8 DMS > Maintenance	475
27-8.1 DMS > Maintenance > Floor Image	475
27-8.2 DMS > Maintenance > Diagnostics	477
27-8.2 DMS > Maintenance > Traffic Monitor	479
27-8.3 DMS Firmware Upgrade Procedure	483
27-9 DMS Troubleshooting	485
Chapter 28 - Service, Warranty, Tech Support, Contact, and Compliance Information	486
Appendix A – DHCP Per Port Configuration	487
DHCP Per Port Mode and IP Configuration	488
Appendix B – MRP Configuration	490
MRP Description	490
MRP Operation	490
MRP Sample Setup	491
MRP Pre-Requisites (General)	491
MRP Web UI Configuration	492
Example 1: MRP Manager Re-Config (Web UI)	494
Example 2: Non-Blocking MRC State Recognized by MRM (Web UI)	495

Match case Limit results 1 per page

Transition Networks

SISPM1040-3xxx-L Web User Guide

33763 Rev. G

https://www.transition.com

Page

260

496

does port-based 802.1X. In Single 802.1X, at most one supplicant can get authenticated on the port at a

time. Normal EAPOL frames are used in the communication between the supplicant and the switch. If

more than one supplicant is connected to a port, the one that comes first when the port's link comes up

will be the first one considered. If that supplicant doesn't provide valid credentials within a certain

amount of time, another supplicant will get a chance. Once a supplicant is successfully authenticated,

only that supplicant will be allowed access. This is the most secure of all the supported modes. In this

mode, the Port Security module is used to secure a supplicant's MAC address once successfully

authenticated.

Multi 802.1X

: In port-based 802.1X authentication, once a supplicant is successfully authenticated on a

port, the whole port is opened for network traffic. This allows other clients connected to the port (for

instance through a hub) to piggy-back on the successfully authenticated client and get network access

even though they really aren't authenticated. To overcome this security breach, use the Multi 802.1X

variant.

Multi 802.1X is really not an IEEE standard, but features many of the same characteristics as does port-

based 802.1X. Multi 802.1X is - like Single 802.1X - not an IEEE standard, but a variant that features many

of the same characteristics. In Multi 802.1X, one or more supplicants can get authenticated on the same

port at the same time. Each supplicant is authenticated individually and secured in the MAC table using

the Port Security module.

In Multi 802.1X it is not possible to use the multicast BPDU MAC address as destination MAC address for

EAPOL frames sent from the switch towards the supplicant, since that would cause all supplicants

attached to the port to reply to requests sent from the switch. Instead, the switch uses the supplicant's

MAC address, which is obtained from the first EAPOL Start or EAPOL Response Identity frame sent by the

supplicant. An exception to this is when no supplicants are attached. In this case, the switch sends EAPOL

Request Identity frames using the BPDU multicast MAC address as destination - to wake up any

supplicants that might be on the port.

The maximum number of supplicants that can be attached to a port can be limited using the Port Security

Limit Control functionality.

MAC-based Auth.

: Unlike port-based 802.1X, MAC-based authentication is not a standard, but merely a

best-practices method adopted by the industry. In MAC-based authentication, users are called clients,

and the switch acts as the supplicant on behalf of clients. The initial frame (any kind of frame) sent by a

client is snooped by the switch, which in turn uses the client's MAC address as both username and

password in the subsequent EAP exchange with the RADIUS server. The 6-byte MAC address is converted

to a string on the following form "xx-xx-xx-xx-xx-xx", that is, a dash (-) is used as separator between the

lower-cased hexadecimal digits. The switch only supports the MD5-Challenge authentication method, so

the RADIUS server must be configured accordingly.

When authentication is complete, the RADIUS server sends a success or failure indication, which in turn

causes the switch to open up or block traffic for that particular client, using the Port Security module.

Only then will frames from the client be forwarded on the switch. There are no EAPOL frames involved in

this authentication, and therefore, MAC-based Authentication has nothing to do with the 802.1X

standard.