Filter
Top Products
724-746-5500 | blackbox.com
Page 186
LGB5028A User‘s Manual
724-746-5500 | blackbox.com
Chapter 7: Security
Single 802.1X: In port-based 802.1X authentication, once a supplicant is successfully authenticated on a port, the whole port is
opened for network traffic. This allows other clients connected to the port (for instance through a hub) to piggy-back on the
successfully authenticated client and get network access even though they really aren't authenticated. To overcome this security
breach, use the Single 802.1X variant. Single 802.1X is really not an IEEE standard, but features many of the same characteristics as
does port-based 802.1X. In Single 802.1X, at most one supplicant can get authenticated on the port at a time. Normal EAPOL
frames are used to communcate between the supplicant and the switch. If more than one supplicant is connected to a port, the
one that appears first when the port's link comes up will be the first one considered. If that supplicant doesn't provide valid
credentials within a certain amount of time, another supplicant will get a chance. Once a supplicant is successfully authenticated,
only that supplicant will be allowed access. This is the most secure of all the supported modes. In this mode, the Port Security
module secures a supplicant's MAC address once successfully authenticated.
Multi 802.1X: In port-based 802.1X authentication, once a supplicant is successfully authenticated on a port, the whole port is
opened for network traffic. This allows other clients connected to the port (for instance through a hub) to piggy-back on the
successfully authenticated client and get network access even though they really aren't authenticated. To overcome this security
breach, use the Multi 802.1X variant.
Multi 802.1X is really not an IEEE standard, but features many of the same characteristics as does port-based 802.1X. Multi 802.1X
is—like Single 802.1X—not an IEEE standard, but a variant that features many of the same characteristics. In Multi 802.1X, one or
more supplicants can get authenticated on the same port at the same time. Each supplicant is authenticated individually and
secured in the MAC table using the Port Security module.
In Multi 802.1X it is not possible to use the multicast BPDU MAC address as the destination MAC address for EAPOL frames sent
from the switch towards the supplicant, since that would cause all supplicants attached to the port to reply to requests sent from
the switch. Instead, the switch uses the supplicant's MAC address, which is obtained from the first EAPOL Start or EAPOL
Response Identity frame sent by the supplicant. An exception to this is when no supplicants are attached. In this case, the switch
sends EAPOL Request Identity frames using the BPDU multicast MAC address as the destination—to wake up any supplicants that
might be on the port.
Use the Port Security Limit Control to limit the maximum number of supplicants that can be attached to a port.
MAC-based Auth.: Unlike port-based 802.1X, MAC-based authentication is not a standard, but merely a best-practices method
adopted by the industry. In MAC-based authentication, users are called clients, and the switch acts as the supplicant on behalf of
clients. The initial frame (any kind of frame) sent by a client is snooped by the switch, which in turn uses the client's MAC address
as both username and password in the subsequent EAP exchange with the RADIUS server. The 6-byte MAC address is converted
to a string on the following form "xxxx-xx-xx-xx-xx", that is, a dash (-) is used as separator between the lower-case hexadecimal
digits. The switch only supports the MD5-Challenge authentication method, so the RADIUS server must be configured
accordingly.
When authentication is complete, the RADIUS server sends a success or failure indication, which causes the switch to open up or
block traffic for that particular client, using the Port Security module. Only then will frames from the client be forwarded on the
switch. There are no EAPOL frames involved in this authentication, and therefore, MAC-based authentication has nothing to do
with the 802.1X standard.
The advantage of MAC-based authentication over port-based 802.1X is that several clients can be connected to the same port (for
example, through a third-party switch or a hub) and still require individual authentication. The clients don't need special supplicant
software to authenticate. The disadvantage is that MAC addresses can be spoofed by malicious users—equipment whose MAC
address is a valid RADIUS user can be used by anyone. Also, only the MD5-Challenge method is supported. The maximum num-
ber of clients that can be attached to a port can be limited using Port Security Limit Control.