Overview of Security Methods

Authentication

This section defines the precedence rules to determine which authentication method, 802.1X (EAP) or MAC Authentication has control over an interface. Setting the 802.1X and MAC port authentication is described in Section 3.9.

When both methods are enabled, 802.1X takes precedence over MAC Authentication when a user is authenticated using the 802.1X method. If the port or MAC remains unauthenticated in 802.1X, then MAC authentication is active and may authenticate the next MAC address received on that port.

It is also desirable to have a state in which 802.1X is completely disabled on a port while MAC Authentication remains active, because 802.1X does not itself provide any per-port enable or disable of its authentication mechanism.

You can configure MAC Authentication and 802.1X to run concurrently on the same module, but exclusively on distinct interfaces of that module. To achieve this, the 802.1X port behavior in the force-unauthorized state is overloaded: when both 802.1X and MAC Authentication are enabled, set the 802.1X MIB to force-unauthorized for the interface in question and enable MAC Authentication. This allows MAC Authentication to run unhindered by 802.1X on that interface and, in effect, disables all 802.1X control over that interface. However, if a default policy exists on that port, the switch forwards the frames according to that policy; otherwise the switch drops them.

If a switch port is configured to enable both 802.1X and MAC Authentication, then it is possible for the switch to receive an 802.1X start or response frame while a MAC Authentication is in progress. In this situation, the switch immediately aborts the MAC Authentication, and the 802.1X authentication then proceeds to completion. After the 802.1X login completes, the user has either succeeded and gained entry to the network, or failed and is denied access to the network. Regardless of success or failure, after the 802.1X login attempt no new MAC Authentication logins occur on this port until one of the following happens:

A link is toggled.

The user executes an 802.1X logout.

Management terminates the 802.1X session.

NOTE: The switch may terminate a session in many different ways. All of these reactivate the MAC Authentication method. Refer to Table 3-3 for the precedence relationship between MAC and 802.1X authentication.

When a port is set for concurrent use of MAC and 802.1X authentication, the switch continues to issue EAPOL request/id frames until a MAC Authentication succeeds or the switch receives an EAPOL response/id frame.
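The precedence rules above, written out as a small port state model. This is an added illustration, not Enterasys firmware or its MIB: the event names, state labels and the PortAuth class are assumptions made for the model, which encodes only what this section states (802.1X precedence, abort of an in-progress MAC login on an EAPOL start/response, the MAC login lockout until link toggle, 802.1X logout or management termination, and force-unauthorized handing the interface to MAC Authentication alone).

```python
from dataclasses import dataclass


@dataclass
class PortAuth:
    """Hypothetical per-port model of the 802.1X / MAC Authentication precedence rules."""
    dot1x_enabled: bool = True
    mac_auth_enabled: bool = True
    dot1x_force_unauthorized: bool = False  # overloaded state: 802.1X has no control here
    dot1x_state: str = "unauthenticated"     # unauthenticated | in_progress | authorized
    mac_state: str = "idle"                  # idle | in_progress | authorized
    mac_locked: bool = False                 # set after any 802.1X login attempt

    def dot1x_active(self) -> bool:
        return self.dot1x_enabled and not self.dot1x_force_unauthorized

    def sends_eapol_request_id(self) -> bool:
        # EAPOL request/id keeps being issued until MAC auth succeeds or 802.1X engages.
        return (self.dot1x_active() and self.dot1x_state == "unauthenticated"
                and self.mac_state != "authorized")

    def authorized_by(self):
        if self.dot1x_state == "authorized":
            return "802.1X"
        return "MAC" if self.mac_state == "authorized" else None

    def event(self, ev: str):
        if ev == "link_toggle":                  # everything resets, MAC auth reactivated
            self.dot1x_state, self.mac_state, self.mac_locked = "unauthenticated", "idle", False
        elif ev in ("eapol_start", "eapol_response"):
            if self.dot1x_active():              # 802.1X takes over the port
                if self.mac_state == "in_progress":
                    self.mac_state = "idle"      # MAC login in progress is aborted
                self.dot1x_state = "in_progress"
        elif ev in ("dot1x_success", "dot1x_fail"):
            if self.dot1x_state == "in_progress":
                self.dot1x_state = "authorized" if ev == "dot1x_success" else "unauthenticated"
                self.mac_locked = True           # no new MAC logins, regardless of outcome
        elif ev in ("dot1x_logout", "mgmt_terminate"):
            self.dot1x_state, self.mac_locked = "unauthenticated", False
        elif ev == "mac_frame":                  # first frame seen from a new MAC address
            if (self.mac_auth_enabled and not self.mac_locked
                    and self.mac_state == "idle" and self.dot1x_state == "unauthenticated"):
                self.mac_state = "in_progress"
        elif ev in ("mac_success", "mac_fail"):
            if self.mac_state == "in_progress":
                self.mac_state = "authorized" if ev == "mac_success" else "idle"
        else:
            raise ValueError(f"unknown event {ev}")
        return self.authorized_by()


def run(port: PortAuth, events):
    """Apply constructed events in order; return the authorizing method after each one."""
    return [port.event(ev) for ev in events]
```

Feeding the model the sequence "MAC login starts, EAPOL start arrives, 802.1X fails, new MAC frame" shows the second MAC login never starts until a logout, link toggle or management termination clears the lock.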

3-18 Accessing Local Management

Enterasys Networks 2E253, 2H253, 2H252, 2H258 manual Authentication