Chapter 10: 802.1x Port-based Network Access Control

• Force-unauthorized - Places the port in the unauthorized state, ignoring all attempts by the client to authenticate. This setting blocks all users from accessing the network through the port. It is similar to disabling the port and can be used to secure a port from use. The port continues to forward EAPOL packets, but discards all other packets, including multicast and broadcast packets.

• Force-authorized - Disables IEEE 802.1x port-based authentication and causes the port to transition to the authorized state without any authentication exchange required. The port transmits and receives normal traffic without 802.1x-based authentication of the client. This is the default setting. Use this port control setting for those ports where there are network devices that are not to be authenticated.

Figure 34 illustrates the concept of the authenticator port control settings.

[Diagram: a switch with three labeled ports. Port 23, 802.1x port control setting: Force-unauthorized. Port 2, 802.1x port control setting: Auto, connected to a supplicant with 802.1x client software. Port 18, 802.1x port control setting: Force-authorized, connected to the RADIUS authentication server.]

Figure 34. Example of the Authenticator Role

• Port 2 is set to Auto. The end node connected to the port must use its 802.1x client software and provide a username and password to send or receive traffic from the switch.

• Port 18 is set to the Force-authorized setting so that the end node connected to the port does not have to provide a username or password to send or receive traffic from the switch. In the example, the node is the RADIUS authentication server. Since the server cannot authenticate itself, its port must be set to Force-authorized in order for it to pass traffic through the port.

• Port 23 is set to Force-unauthorized to prevent anyone from using the port.
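
As an added illustration (not code from the AT-S79 manual or from Allied Telesis), the following Python model applies the three port control settings to the ports in Figure 34 and lists any port that is still Force-authorized without a documented reason. The `Port` class, its `note` field, port 7 and the sample table are constructed for the example, and the Auto behaviour before login (EAPOL only) is assumed from standard 802.1x operation.

```python
from dataclasses import dataclass

EAPOL_ETHERTYPE = 0x888E  # EtherType of EAP over LAN frames (IEEE 802.1X)

AUTO = "auto"
FORCE_AUTHORIZED = "force-authorized"
FORCE_UNAUTHORIZED = "force-unauthorized"


@dataclass
class Port:
    number: int
    control: str = FORCE_AUTHORIZED  # the default setting, per the text
    authenticated: bool = False      # only meaningful when control is AUTO
    note: str = ""                   # hypothetical field: reason for an exemption


def forwards(port: Port, ethertype: int) -> bool:
    """Return True if the port passes a frame with the given EtherType."""
    if port.control == FORCE_AUTHORIZED:
        return True                  # no 802.1x exchange required
    if ethertype == EAPOL_ETHERTYPE:
        return True                  # EAPOL is still forwarded
    if port.control == AUTO:
        return port.authenticated    # assumption: other traffic needs a login
    return False                     # FORCE_UNAUTHORIZED discards the rest


def unauthenticated_ports(ports):
    """Ports passing normal traffic with no 802.1x check and no stated reason."""
    return [p.number for p in ports
            if p.control == FORCE_AUTHORIZED and not p.note]


# Constructed sample: the three ports of Figure 34 plus one left at the default.
PORTS = [
    Port(2, AUTO),
    Port(18, FORCE_AUTHORIZED, note="RADIUS authentication server"),
    Port(23, FORCE_UNAUTHORIZED),
    Port(7),  # never configured, so still Force-authorized
]

if __name__ == "__main__":
    for p in PORTS:
        print(p.number, p.control, "IPv4:", forwards(p, 0x0800),
              "EAPOL:", forwards(p, EAPOL_ETHERTYPE))
    print("Review:", unauthenticated_ports(PORTS))
```

Because Force-authorized is the default, a port that was never configured appears in the review list exactly like one that was exempted on purpose; only the recorded reason separates the two.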

Section I: Using the Menus Interface

Allied Telesis AT-S79 manual Radius