KTI Networks KGD-600 manual 802.1X Authentication Port Access Control

Page 26

3.4 802.1X Authentication Port Access Control

For some IEEE 802 LAN environments, it is desirable to restrict access to the services offered by the LAN to those users and devices that are permitted to make use of those services. The IEEE 802.1X port-based network access control function provides a means of authenticating and authorizing devices attached to a LAN port that has point-to-point connection characteristics, and of preventing access to that port in cases in which the authentication and authorization process fails. The 802.1X standard relies on the client to provide credentials in order to gain access to the network. The credentials are not based on a hardware address. Instead, they can be either a username/password combination or a certificate. The credentials are not verified by the switch but are sent to a Remote Authentication Dial-In User Service (RADIUS) server, which maintains a database of authentication information. 802.1X consists of three components for the authentication exchange, which are as follows:

An 802.1X authenticator: This is the port on the switch that has services to offer to an end device, provided the device supplies the proper credentials.

An 802.1X supplicant: This is the end device, for example a PC that connects to a switch port and requests to use the services (port) of the switch. The 802.1X supplicant must be able to respond to the authenticator's EAP requests in order to communicate.

An 802.1X authentication server: This is a RADIUS server that examines the credentials provided to the authenticator by the supplicant and provides the authentication service. The authentication server is responsible for letting the authenticator know whether services should be granted.

The 802.1X authenticator operates as a go-between for the supplicant and the authentication server to provide services to the network. When a switch is configured as an authenticator, the ports of the switch must then be configured for authorization. In an authenticator-initiated port authorization, a client is powered up or plugs into the port, and the authenticator port sends an Extensible Authentication Protocol (EAP) PDU to the supplicant requesting the identification of the supplicant. At this point in the process, the port on the switch is connected from a physical standpoint; however, the 802.1X process has not authorized the port, and no frames are passed from the port on the supplicant into the switching engine. If the PC attached to the switch does not understand the EAP PDU it receives from the switch, it cannot send an ID and the port remains unauthorized. In this state, the port never passes any user traffic and is as good as disabled. If the client PC is running an 802.1X EAP supplicant, it responds to the request with its configured ID. (This could be a username/password combination or a certificate.)

After the switch (the authenticator) receives the ID from the PC (the supplicant), it passes the ID information to an authentication server (RADIUS server) that can verify the identification information. The RADIUS server responds to the switch with either a success or a failure message. If the response is a success, the port is authorized and user traffic is allowed to pass through the port like any switch port connected to an access device. If the response is a failure, the port remains unauthorized and, therefore, unused. If there is no response from the server, the port also remains unauthorized and does not pass any traffic.
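The authenticator-initiated exchange described above, as an added illustration that is not part of the manual: a simulated switch port builds the EAP Request/Identity PDU, checks the supplicant's Response/Identity, hands the identity to a RADIUS lookup and sets the port state. All participants (`eap_capable`, `legacy_device`, `radius_db`) and the identities in them are constructed here, not taken from the KGD-600.

```python
import struct
from enum import Enum

# EAP codes and the Identity type as defined in RFC 3748 (the "EAP PDU" of the text)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1

def eap_packet(code, ident, type_=None, data=b""):
    """Build an EAP PDU: code(1) id(1) length(2) [type(1) type-data]."""
    body = (bytes([type_]) if type_ is not None else b"") + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_eap(pdu):
    """Return (code, id, type, data), or None if the PDU is malformed."""
    if len(pdu) < 4:
        return None
    code, ident, length = struct.unpack("!BBH", pdu[:4])
    if length < 4 or length != len(pdu):
        return None
    if length == 4:                      # Success/Failure carry no type field
        return code, ident, None, b""
    return code, ident, pdu[4], pdu[5:]

class PortState(Enum):
    UNAUTHORIZED = "unauthorized"        # physically up, no user frames forwarded
    AUTHORIZED = "authorized"

def authenticator_port(supplicant, radius):
    """One authenticator-initiated authorization on a switch port.
    supplicant(pdu) -> reply bytes, or None if the device does not speak EAP.
    radius(identity) -> "success" | "failure" | None (None: server never answered).
    The switch itself never verifies the credentials; it only relays the verdict."""
    request = eap_packet(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)
    reply = supplicant(request)
    if reply is None:
        return PortState.UNAUTHORIZED, "supplicant did not answer the EAP request"
    parsed = parse_eap(reply)
    if parsed is None or parsed[0] != EAP_RESPONSE or parsed[1] != 1 or parsed[2] != EAP_TYPE_IDENTITY:
        return PortState.UNAUTHORIZED, "malformed or unexpected EAP response"
    identity = parsed[3].decode("utf-8", "replace")
    verdict = radius(identity)
    if verdict == "success":
        return PortState.AUTHORIZED, "RADIUS success for " + identity
    if verdict == "failure":
        return PortState.UNAUTHORIZED, "RADIUS failure for " + identity
    return PortState.UNAUTHORIZED, "no response from RADIUS server"

# Constructed participants for the demonstration
def eap_capable(pdu):                    # a PC running an 802.1X supplicant
    _code, ident, type_, _data = parse_eap(pdu)
    return eap_packet(EAP_RESPONSE, ident, type_, b"alice")

def legacy_device(pdu):                  # a device that ignores the EAP PDU
    return None

def radius_db(identity):                 # "bob" is unknown: simulates no reply
    return {"alice": "success", "mallory": "failure"}.get(identity)
```

Running `authenticator_port(legacy_device, radius_db)` shows the "as good as disabled" case: the port stays unauthorized without any RADIUS traffic being generated.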
