Chapter 4: Security

NOTE: Suppose two backend servers are enabled and that the server timeout is configured to X seconds (using the AAA configuration page), and suppose that the first server in the list is currently down (but not yet considered dead).

Now, if the supplicant retransmits EAPOL Start frames more often than once every X seconds, it will never get authenticated, because the switch cancels the ongoing backend authentication server request whenever it receives a new EAPOL Start frame from the supplicant.

And since the server has not yet failed (the X seconds never expire before the request is cancelled), the same server is contacted again on the next backend authentication server request from the switch. This scenario loops forever. Therefore, the server timeout must be smaller than the supplicant's EAPOL Start frame retransmission interval.
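The timing argument in the NOTE, as an added example that is not part of the manual: a small discrete-time model of the switch's backend request handling, run once with an EAPOL Start interval shorter than the server timeout (the endless loop) and once with a longer interval (first server times out, second server answers). The two server names, the reply delay `rtt` and the bound `max_starts` are assumptions made for the demo.

```python
"""Added example (not from the Black Box manual): a discrete-time model of the
loop described in the NOTE above, to check a server timeout against a
supplicant's EAPOL-Start retransmission interval.

Modelled behaviour, as the NOTE describes it:
  * every EAPOL-Start cancels the switch's outstanding backend request and a
    new request goes to the first server that is not marked dead;
  * a server is marked dead only when a request to it times out.
Assumptions not stated in the manual: a live server answers after `rtt`
seconds, and a down server never answers.
"""
from dataclasses import dataclass


@dataclass
class Server:
    name: str
    responds: bool        # False = down (silent), like the first server in the NOTE
    dead: bool = False    # set when a request to this server times out


def simulate(start_interval, server_timeout, servers, rtt=0.05, max_starts=20):
    """Return (authenticated, time_of_access_accept); time is None if never.

    `servers` is a list of (name, responds) tuples in configured order.
    `max_starts` bounds the number of EAPOL-Starts, so the never-ending loop
    from the NOTE terminates as (False, None).
    """
    pool = [Server(name, responds) for name, responds in servers]
    for k in range(max_starts):
        now = k * start_interval            # supplicant sends EAPOL-Start
        window_end = now + start_interval   # ... and the next one lands here
        while True:
            live = [s for s in pool if not s.dead]
            if not live:
                return False, None          # nothing left to try
            srv = live[0]                   # switch restarts from the first live server
            if srv.responds:
                reply_at = now + rtt
                if reply_at < window_end:
                    return True, reply_at   # Access-Accept before the next EAPOL-Start
                break                       # cancelled before the reply could arrive
            deadline = now + server_timeout
            if deadline >= window_end:
                # The next EAPOL-Start cancels the request first: the down
                # server never times out, so it is never marked dead.
                break
            srv.dead = True                 # timeout expired: fail over to next server
            now = deadline
    return False, None


def timeout_is_safe(server_timeout, start_interval, rtt=0.05):
    """The manual's rule, with room left for the live server's reply."""
    return server_timeout + rtt < start_interval


SERVERS = [("radius-1", False), ("radius-2", True)]   # constructed: first one is down

if __name__ == "__main__":
    for interval, timeout in ((10, 15), (30, 15)):
        ok, t = simulate(interval, timeout, SERVERS)
        verdict = "authenticated at %.2fs" % t if ok else "never authenticated"
        print(f"EAPOL-Start every {interval}s, server timeout {timeout}s: {verdict}")
```

With a 10 s EAPOL Start interval and a 15 s server timeout the request to the down server is cancelled every time before it can expire, so the switch never fails over; with a 30 s interval the first server is marked dead at 15 s and the second one answers shortly after. Note that an interval exactly equal to the timeout is still treated as a cancellation, which is why the manual says "smaller than".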

Single 802.1X: In port-based 802.1X authentication, once a supplicant is successfully authenticated on a port, the whole port is opened for network traffic. This allows other clients connected to the port (for instance through a hub) to piggyback on the successfully authenticated client and get network access even though they really aren't authenticated. To overcome this security breach, use the Single 802.1X variant. Single 802.1X is really not an IEEE standard, but features many of the same characteristics as does port-based 802.1X. In Single 802.1X, at most one supplicant can get authenticated on the port at a time. Normal EAPOL frames are used in the communication between the supplicant and the switch. If more than one supplicant is connected to a port, the one that comes first when the port's link comes up will be the first one considered. If that supplicant doesn’t provide valid credentials within a certain amount of time, another supplicant will get a chance. Once a supplicant is successfully authenticated, only that supplicant will be allowed access. This is the most secure of all the supported modes. In this mode, the Port Security module is used to secure a supplicant's MAC address once successfully authenticated.

Multi 802.1X: In port-based 802.1X authentication, once a supplicant is successfully authenticated on a port, the whole port is opened for network traffic. This allows other clients connected to the port (for instance through a hub) to piggyback on the successfully authenticated client and get network access even though they really aren't authenticated. To overcome this security breach, use the Multi 802.1X variant.

Multi 802.1X is - like Single 802.1X - not an IEEE standard, but a variant that features many of the same characteristics as port-based 802.1X. In Multi 802.1X, one or more supplicants can get authenticated on the same port at the same time. Each supplicant is authenticated individually and secured in the MAC table using the Port Security module.

In Multi 802.1X it is not possible to use the multicast BPDU MAC address as destination MAC address for EAPOL frames sent from the switch towards the supplicant, since that would cause all supplicants attached to the port to reply to requests sent from the switch. Instead, the switch uses the supplicant's MAC address, which is obtained from the first EAPOL Start or EAPOL Response Identity frame sent by the supplicant. An exception to this is when no supplicants are attached. In this case, the switch sends EAPOL Request Identity frames using the BPDU multicast MAC address as destination to wake up any supplicants that might be on the port.

The maximum number of supplicants that can be attached to a port can be limited using the Port Security Limit Control functionality.

MAC-based Auth.: Unlike port-based 802.1X, MAC-based authentication is not a standard, but merely a best practices method adopted by the industry. In MAC-based authentication, users are called clients, and the switch acts as the supplicant on behalf of clients. The initial frame (any kind of frame) sent by a client is snooped by the switch, which in turn uses the client's MAC address as both username and password in the subsequent EAP exchange with the RADIUS server. The 6-byte MAC address is converted to a string of the form "xx-xx-xx-xx-xx-xx", that is, a dash (-) is used as separator between the lower-cased hexadecimal digits. The switch only supports the MD5-Challenge authentication method, so the RADIUS server must be configured accordingly.

When authentication is complete, the RADIUS server sends a success or failure indication, which in turn causes the switch to open up or block traffic for that particular client, using the Port Security module. Only then will frames from the client be forwarded on the switch. There are no EAPOL frames involved in this authentication, and therefore, MAC-based Authentication has nothing to do with the 802.1X standard.
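The MAC-based authentication exchange of the two paragraphs above, as an added example that is not the switch's or any vendor's code: the switch builds the "xx-xx-xx-xx-xx-xx" identity from the snooped MAC, answers the RADIUS server's MD5-Challenge with that identity as the password, and the Port Security table is updated from the result. The RADIUS server is a constructed in-memory stand-in, the MAC addresses and challenge are constructed for the demo, and the EAP-MD5 response formula (MD5 over the EAP identifier, the password and the challenge) is taken from RFC 3748 section 5.4, not from the manual.

```python
"""Added example (not the switch's or any vendor's code): the MAC-based
authentication exchange described above, with both sides' computations.

The switch acts as supplicant on behalf of the client: it snoops the client's
first frame, turns the MAC into the "xx-xx-xx-xx-xx-xx" identity used as both
username and password, and answers the RADIUS server's EAP-MD5 challenge.
The EAP-MD5 response is MD5(identifier || password || challenge), per RFC 3748
section 5.4 (the CHAP algorithm of RFC 1994). The RADIUS server here is a
constructed stand-in with an in-memory user table; the MAC addresses and the
challenge are constructed for the demo.
"""
import hashlib
import hmac
import os


def mac_to_identity(mac: bytes) -> str:
    """6-byte MAC -> lower-case hex octets separated by dashes."""
    if len(mac) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return "-".join(f"{b:02x}" for b in mac)


def eap_md5_response(identifier: int, password: str, challenge: bytes) -> bytes:
    """EAP-MD5 (RFC 3748 5.4): MD5 over the 1-byte EAP identifier, the
    password (here the client's identity string) and the challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + password.encode() + challenge).digest()


class RadiusServer:
    """Stand-in RADIUS server that only supports MD5-Challenge, as the
    manual requires. `users` maps username -> cleartext password."""

    def __init__(self, users):
        self.users = users

    def new_challenge(self) -> bytes:
        return os.urandom(16)           # EAP-Request/MD5-Challenge payload

    def verify(self, username, identifier, challenge, response) -> bool:
        password = self.users.get(username)
        if password is None:
            return False                # unknown MAC -> Access-Reject
        expected = eap_md5_response(identifier, password, challenge)
        return hmac.compare_digest(expected, response)


class PortSecurity:
    """Per-port table of MACs that may forward; a client's frames are dropped
    until the server's Access-Accept adds its MAC."""

    def __init__(self):
        self.allowed = {}               # port -> set of MAC bytes

    def forwarding_allowed(self, port: int, mac: bytes) -> bool:
        return mac in self.allowed.get(port, set())

    def apply_result(self, port: int, mac: bytes, accepted: bool):
        entries = self.allowed.setdefault(port, set())
        if accepted:
            entries.add(mac)
        else:
            entries.discard(mac)


def authenticate_client(server, port_security, port, mac, identifier=1, challenge=None):
    """The switch's side of the exchange, triggered by the client's first frame."""
    identity = mac_to_identity(mac)
    if challenge is None:
        challenge = server.new_challenge()
    # Username and password are both the identity string.
    response = eap_md5_response(identifier, identity, challenge)
    accepted = server.verify(identity, identifier, challenge, response)
    port_security.apply_result(port, mac, accepted)
    return accepted


if __name__ == "__main__":
    known = bytes.fromhex("001122aabbcc")    # constructed: provisioned on the server
    unknown = bytes.fromhex("001122aabbcd")  # constructed: not provisioned
    server = RadiusServer({mac_to_identity(known): mac_to_identity(known)})
    ps = PortSecurity()
    for mac in (known, unknown):
        result = "Access-Accept" if authenticate_client(server, ps, 3, mac) else "Access-Reject"
        print(mac_to_identity(mac), "->", result, "| forwarding:", ps.forwarding_allowed(3, mac))
```

The practical check this shows is the identity format: a RADIUS user provisioned as "00:11:22:AA:BB:CC" never matches the dash-separated, lower-case string the switch sends, so the client is rejected and its MAC is never added to the Port Security table. Since the MAC is the only credential, anyone who can observe or guess a provisioned MAC can spoof it; the mode keeps unmanaged devices off the port, but it is not a substitute for real supplicant credentials.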

Page 184

724-746-5500 blackbox.com

Black Box LPB2826A, LPB2810A, LPB2848A PoE+ Gigabit Managed Switch Eco user manual, Security

LPB2848A, LPB2826A, LPB2810A, PoE+ Gigabit Managed Switch Eco specifications

The Black Box PoE+ Gigabit Managed Switch series, including the models LPB2810A, LPB2826A, and LPB2848A, presents a robust solution for businesses looking to enhance their network efficiency and reliability. Designed to support the growing demand for Power over Ethernet (PoE) devices, these switches provide the perfect backbone for modern network infrastructures.

One of the most significant features of this series is its PoE+ capability, which allows it to deliver power and data over a single Ethernet cable. This functionality simplifies cabling and installation, making it easier to deploy PoE devices such as IP cameras, VoIP phones, and wireless access points. The LPB2810A offers 8 PoE+ ports, the LPB2826A ups the ante with 24 ports, and the LPB2848A provides a whopping 48 ports, each capable of delivering up to 30 watts of power per port.

The managed switch system ensures that users can customize and optimize their network performance. With advanced features such as VLAN support, Quality of Service (QoS), and link aggregation, organizations can effectively manage traffic, prioritize critical applications, and potentially enhance overall network security. Furthermore, these switches support Layer 2 and Layer 3 functionalities, which allows for greater flexibility when implementing routing policies.

Another critical aspect of the LPB series is its built-in security features. The switches come equipped with advanced security protocols, including IEEE 802.1X port-based access control, which enables network administrators to authenticate devices before granting access to the network. This significantly reduces the risk of unauthorized access and ensures data integrity across the connected devices.

The Black Box PoE+ Gigabit Managed Switches are designed with reliability and ease of use in mind. Their fanless design promotes silent operation, making them ideal for deployment in both office environments and data centers. Additionally, the switches offer a user-friendly web-based interface and CLI options for straightforward management and configuration, catering to both novice and seasoned network administrators.

In conclusion, the Black Box PoE+ Gigabit Managed Switch series, featuring models LPB2810A, LPB2826A, and LPB2848A, stands out with its power-efficient design, extensive port options, and advanced security measures. These switches are an excellent choice for organizations that require a dependable and scalable networking solution to support their growing Ethernet and PoE device needs.