Allied Telesis AT-S79 General Steps , Network Access Control

AT-S79 Management Software User’s Guide

Section I: Using the Menus Interface 133

As mentioned earlier, the switch itself does not authenticate the user

names and passwords from the clients. That is the responsibility of the

authentication server, which contains the RADIUS server software.

Instead, a switch acts as an intermediary for the authentication server by

denying access to the network by the client until the client has provided a

valid username and password, which the authentication server validates.

General Steps Following are the general steps to implementing 802.1x Port-based

Network Access Control:

1. You must install RADIUS server software on one or more of your

network servers or management stations. Authentication protocol

server software is not available from Allied Telesyn. Funk Software

Steel-Belted Radius and Free Radius have been verified as fully

compatible with the AT-S79 management software.

2. You need to install 802.1x client software on those workstations that

are to be supplicants. Microsoft WinXP client software and Meeting

House Aegis client software have been verified as fully compatible with

the AT-S79 management software.

3. You must configure and activate the RADIUS client software in the

AT-S79 management software. The default setting for the

authentication protocol is disabled. You will need to provide the

following information:

The IP address of a RADIUS servers.

The encryption key used by the authentication server.

For instructions, refer to Chapter 11, “RADIUS Authentication Protocol”

on page 141.

4. You must configure the authenticator port settings, as explained in

“Configuring 802.1x Port-based Network Access Control” on page 136

in this chapter.

Port-based

Network AccessControl

Guidelines

Following are the guidelines for using this feature:

Ports set to Auto do not support port trunking or dynamic MAC address

learning.

The appropriate setting for a port on an AT-GS950/16 or AT-GS950/24

switch connected to an authentication server is Force-authorized, the

default setting. This is because an authentication server cannot

authenticate itself.

The authentication server must be a member of the Default VLAN by

communicating with the switch through a port that is an untagged

member of the Default VLAN.