Asante Technologies 35160 Switch User Manual


 
Note: The IC35160 802.1X implementation supports the following clients:
Windows XP (Microsoft)
Windows 2000 + SP4 (Microsoft)
The IC35160 802.1X implementation supports the following RADIUS servers:
Internet Authentication Service (Microsoft)
The IEEE 802.1X Supplicant (or client) is the network access device requesting LAN services. The
Authenticator is the network access point that has authentication enabled, and can be a wireless access
point or a LAN switch port. The Authentication server performs the authentication, permitting or denying
access to the network based on the client’s user name and password. The 802.1X standard specifies a
Remote Authentication Dial-In User Service (RADIUS) server that supports the following:
RFC 2284 PPP Extensible Authentication Protocol (EAP)
RFC 2865 Remote Authentication Dial-In User Service (RADIUS)
RFC 2869 RADIUS Extensions
Extensible Authentication Protocol (EAP) is the protocol that is used between the client and the
authenticator. The 802.1X standard specifies encapsulation methods for transmitting EAP messages.
Protocol Access Entity (PAE) is the 802.1X logical component of the client and authenticator that exchange
EAP messages.
Since 802.1X is a perimeter security technology, network administrators should continue to deploy existing
security policies to control network traffic. Port-based access control will deny unauthorized network access,
but it will not control network traffic from authorized users. This may be a concern for network administrators
who want to secure network areas using existing methods, including VLANs, ACLs or MAC filtering,
where required.
Most 802.1X client implementations and some authenticator implementations use a reserved group MAC
address to communicate. MAC bridges that are aware of such reserved group addresses will not propagate
the EAPOL packets sent to such addresses. In these cases, the client will always be unauthorized because
the switch cannot receive EAP responses from it.
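The following is an added example, not part of the Asante manual: a small Python check for captured frames that shows whether an EAPOL frame is addressed to a reserved group address that an intervening bridge would drop. The EtherType 0x888E and the PAE group address 01-80-C2-00-00-03 come from IEEE 802.1X rather than from this page; the function names and sample MAC addresses are constructed for the example.

```python
import struct

EAPOL_ETHERTYPE = 0x888E                               # EtherType assigned to EAPOL
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")         # 802.1X PAE group address
RESERVED_PREFIX = bytes.fromhex("0180c20000")          # 01-80-C2-00-00-00 .. -0F
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def is_bridge_filtered(dst: bytes) -> bool:
    """True if dst is a reserved group address a standards-aware bridge will not forward."""
    return dst[:5] == RESERVED_PREFIX and dst[5] <= 0x0F


def build_frame(dst: bytes, src: bytes, ptype: int, body: bytes = b"") -> bytes:
    """Build a constructed, untagged EAPOL frame (version 1) for the samples below."""
    return dst + src + struct.pack("!HBBH", EAPOL_ETHERTYPE, 1, ptype, len(body)) + body


def parse_eapol(frame: bytes):
    """Describe an untagged EAPOL frame; return None if it is not EAPOL or is truncated."""
    if len(frame) < 18:
        return None
    ethertype, version, ptype, body_len = struct.unpack("!HBBH", frame[12:18])
    body = frame[18:18 + body_len]
    if ethertype != EAPOL_ETHERTYPE or len(body) < body_len:
        return None
    info = {
        "dst": frame[:6].hex(":"),
        "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})"),
        "bridge_filtered": is_bridge_filtered(frame[:6]),
        "eap": None,
    }
    if ptype == 0 and body_len >= 4:                   # EAP header: code, id, length
        code, ident, _length = struct.unpack("!BBH", body[:4])
        info["eap"] = f"{EAP_CODES.get(code, code)} id={ident}"
    return info


# Constructed sample frames (MAC addresses are made up for the example).
CLIENT = bytes.fromhex("020000000001")
SWITCH = bytes.fromhex("020000000002")
IDENTITY = b"\x02\x07\x00\x09\x01user"                  # EAP Response/Identity "user"
SAMPLES = [build_frame(PAE_GROUP_ADDR, CLIENT, 1),     # EAPOL-Start to group address
           build_frame(SWITCH, CLIENT, 0, IDENTITY)]   # EAP response sent unicast

if __name__ == "__main__":
    for f in SAMPLES:
        print(parse_eapol(f))
```

If a capture on the client side shows frames with bridge_filtered set to True while a capture on the switch port shows no EAPOL at all, a bridge between the client and the IC35160 is the likely reason the client stays unauthorized.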
The switch port through which the authenticator (the IC35160) communicates with the RADIUS server
should be set to “Force Authenticated” or “No 802.1X”. Otherwise the authenticator cannot get a RADIUS
response and all clients will be unauthorized.
From the Security Menu, type x to access the 802.1X Configuration Menu.