Chapter 4: Security

The advantage of MAC-based authentication over port-based 802.1X is that several clients can be connected to the same port (e.g. through a third party switch or a hub) and still require individual authentication, and that the clients don't need special supplicant software to authenticate. The advantage of MAC-based authentication over 802.1X-based authentication is that the clients don't need special supplicant software to authenticate. The disadvantage is that MAC addresses can be spoofed by malicious users—equipment whose MAC address is a valid RADIUS user can be used by anyone. Also, only the MD5-Challenge method is supported. The maximum number of clients that can be attached to a port can be limited using the Port Security Limit Control functionality.

RADIUS-Assigned QoS Enabled: When RADIUS-Assigned QoS is both globally enabled and enabled (checked) on a given port, the switch reacts to QoS Class information carried in the RADIUS Access-Accept packet transmitted by the RADIUS server when a supplicant is successfully authenticated. If present and valid, traffic received on the supplicant's port will be classified to the given QoS Class. If (re-)authentication fails or the RADIUS Access-Accept packet no longer carries a QoS Class or it's invalid, or the supplicant is otherwise no longer present on the port, the port's QoS Class is immediately reverted to the original QoS Class (which may be changed by the administrator in the meanwhile without affecting the RADIUS assigned).

This option is only available for single-client modes, i.e.

-Port-based 802.1X

-Single 802.1X

RADIUS attributes used in identifying a QoS Class:

Refer to the written documentation for a description of the RADIUS attributes needed to successfully identify a QoS Class. The User-Priority-Table attribute defined in RFC4675 forms the basis for identifying the QoS Class in an Access-Accept packet.

Only the first occurrence of the attribute in the packet will be considered, and to be valid, it must follow this rule:

-All 8 octets in the attribute's value must be identical and consist of ASCII characters in the range '0' - '3', which translates into the desired QoS Class in the range [0; 3].

RADIUS-Assigned VLAN Enabled: When RADIUS-Assigned VLAN is both globally enabled and enabled (checked) for a given port, the switch reacts to VLAN ID information carried in the RADIUS Access-Accept packet transmitted by the RADIUS server when a supplicant is successfully authenticated. If present and valid, the port's Port VLAN ID will be changed to this VLAN ID, the port will be set to be a member of that VLAN ID, and the port will be forced into VLAN unaware mode. Once assigned, all traffic arriving on the port will be classified and switched on the RADIUS-assigned VLAN ID.

If (re-)authentication fails or the RADIUS Access-Accept packet no longer carries a VLAN ID or it's invalid, or the supplicant is otherwise no longer present on the port, the port's VLAN ID is immediately reverted to the original VLAN ID (which may be changed by the administrator in the meanwhile without affecting the RADIUS-assigned).

This option is only available for single-client modes, i.e.

-Port-based 802.1X

-Single 802.1X

For troubleshooting VLAN assignments, use the "Monitor --> VLANs --> VLAN Membership and VLAN Port" pages. These pages show which modules have (temporarily) overridden the current Port VLAN configuration.

RADIUS attributes used in identifying a VLAN ID: RFC2868 and RFC3580 form the basis for the attributes used in identifying a VLAN ID in an Access-Accept packet. The following criteria are used:

- The Tunnel-Medium-Type, Tunnel-Type, and Tunnel-Private-Group-ID attributes must all be present at least once in the Access- Accept packet.

-The switch looks for the first set of these attributes that have the same Tag value and fulfill the following requirements (if Tag == 0 is used, the Tunnel-Private-Group-ID does not need to include a Tag):

- Value of Tunnel-Medium-Type must be set to “IEEE-802“ (ordinal 6).

LPB2810A

724-746-5500 blackbox.com

Page 185

 

 

Page 185
Image 185
Black Box LPB2810A, LPB2826A, LPB2848A, PoE+ Gigabit Managed Switch Eco user manual Security

LPB2848A, LPB2826A, LPB2810A, PoE+ Gigabit Managed Switch Eco specifications

The Black Box PoE+ Gigabit Managed Switch series, including the models LPB2810A, LPB2826A, and LPB2848A, presents a robust solution for businesses looking to enhance their network efficiency and reliability. Designed to support the growing demand for Power over Ethernet (PoE) devices, these switches provide the perfect backbone for modern network infrastructures.

One of the most significant features of this series is its PoE+ capability, which allows it to deliver power and data over a single Ethernet cable. This functionality simplifies cabling and installation, making it easier to deploy PoE devices such as IP cameras, VoIP phones, and wireless access points. The LPB2810A offers 8 PoE+ ports, the LPB2826A ups the ante with 24 ports, and the LPB2848A provides a whopping 48 ports, each capable of delivering up to 30 watts of power per port.

The managed switch system ensures that users can customize and optimize their network performance. With advanced features such as VLAN support, Quality of Service (QoS), and link aggregation, organizations can effectively manage traffic, prioritize critical applications, and potentially enhance overall network security. Furthermore, these switches support Layer 2 and Layer 3 functionalities, which allows for greater flexibility when implementing routing policies.

Another critical aspect of the LPB series is its built-in security features. The switches come equipped with advanced security protocols, including IEEE 802.1X port-based access control, which enables network administrators to authenticate devices before granting access to the network. This significantly reduces the risk of unauthorized access and ensures data integrity across the connected devices.

The Black Box PoE+ Gigabit Managed Switches are designed with reliability and ease of use in mind. Their fanless design promotes silent operation, making them ideal for deployment in both office environments and data centers. Additionally, the switches offer a user-friendly web-based interface and CLI options for straightforward management and configuration, catering to both novice and seasoned network administrators.

In conclusion, the Black Box PoE+ Gigabit Managed Switch series, featuring models LPB2810A, LPB2826A, and LPB2848A, stands out with its power-efficient design, extensive port options, and advanced security measures. These switches are an excellent choice for organizations that require a dependable and scalable networking solution to support their growing Ethernet and PoE device needs.