LevelOne GEP-5070 Manual - Page 94
RADIUS-Assigned QoS Enabled, Further Guidelines for Port Admin State
CHAPTER 4 | Configuring the Switch
Configuring Security

password in the subsequent EAP exchange with the RADIUS server. The 6-byte MAC address is converted to a string in the following form: "xx-xx-xx-xx-xx-xx", that is, a dash (-) is used as the separator between the lower-case hexadecimal digits. The switch only supports the MD5-Challenge authentication method, so the RADIUS server must be configured accordingly.

When authentication is complete, the RADIUS server sends a success or failure indication, which in turn causes the switch to open up or block traffic for that particular client, using the Port Security module. Only then will frames from the client be forwarded on the switch. There are no EAPOL frames involved in this authentication, and therefore, MAC-based Authentication has nothing to do with the 802.1X standard.

The advantage of MAC-based authentication over port-based 802.1X is that several clients can be connected to the same port (e.g. through a 3rd party switch or a hub) and still require individual authentication, and that the clients don't need special supplicant software to authenticate. The advantage of MAC-based authentication over 802.1X-based authentication is that the clients don't need special supplicant software to authenticate. The disadvantage is that MAC addresses can be spoofed by malicious users: equipment whose MAC address is a valid RADIUS user can be used by anyone. Also, only the MD5-Challenge method is supported.

The maximum number of clients that can be attached to a port can be limited using the Port Security Limit Control functionality.

Further Guidelines for Port Admin State

■ Port Admin state can only be set to Force-Authorized for ports participating in the Spanning Tree algorithm (see page 135).
■ When 802.1X authentication is enabled on a port, the MAC address learning function for this interface is disabled, and the addresses dynamically learned on this port are removed from the common address table.
■ Authenticated MAC addresses are stored as dynamic entries in the switch's secure MAC address table. Configured static MAC addresses are added to the secure address table when seen on a switch port (see page 170). Static addresses are treated as authenticated without sending a request to a RADIUS server.
■ When port status changes to down, all MAC addresses are cleared from the secure MAC address table. Static VLAN assignments are not restored.

◆ RADIUS-Assigned QoS Enabled - Enables or disables this feature for a given port. Refer to the description of this feature under the System Configuration section.
◆ RADIUS-Assigned VLAN Enabled - Enables or disables this feature for a given port. Refer to the description of this feature under the System Configuration section.
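The MAC string conversion and MD5-Challenge check described for MAC-based authentication above, as an added example that is not part of the manual. It assumes the MAC string serves as both user name and password (the sentence stating the credentials is cut off on this page) and that the server is FreeRADIUS (for the `users` line syntax); the inventory and challenge values are constructed.

```python
import hashlib
import hmac
import re

# Constructed inventory in three common notations (not real devices).
INVENTORY = ["00:1A:2B:3C:4D:5E", "001a.2b3c.4d5f", "00-1A-2B-3C-4D-60"]


def switch_mac_string(mac: str) -> str:
    """Return the MAC in the form the switch sends: lower-case xx-xx-xx-xx-xx-xx."""
    digits = re.sub(r"[-:.\s]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 6-byte MAC address: {mac!r}")
    digits = digits.lower()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def users_entry(mac: str) -> str:
    """FreeRADIUS 'users' line (assumed server); MAC string is name and password."""
    name = switch_mac_string(mac)
    return f'{name} Cleartext-Password := "{name}"'


def md5_challenge_value(identifier: int, password: str, challenge: bytes) -> bytes:
    """MD5-Challenge response value (RFC 1994): MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + password.encode("ascii") + challenge).digest()


def server_accepts(user_name: str, identifier: int, challenge: bytes, value: bytes) -> bool:
    """Check a response the way the RADIUS server would, against the inventory."""
    known = {switch_mac_string(m) for m in INVENTORY}
    if user_name not in known:  # exact, case-sensitive match on the switch's form
        return False
    expected = md5_challenge_value(identifier, user_name, challenge)
    return hmac.compare_digest(expected, value)


if __name__ == "__main__":
    for mac in INVENTORY:
        print(users_entry(mac))
    challenge = bytes(range(16))  # constructed challenge
    name = switch_mac_string(INVENTORY[0])
    good = md5_challenge_value(7, name, challenge)
    bad = md5_challenge_value(7, INVENTORY[0], challenge)  # entry left in inventory notation
    print(server_accepts(name, 7, challenge, good), server_accepts(name, 7, challenge, bad))
```

A RADIUS entry stored in colon, dotted or upper-case notation never matches what the switch sends, so normalize the inventory before loading it into the server.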