Before loading TCP/IP with an address acquired from the DHCP server, DHCP clients check for an IP address conflict by sending an Address Resolution Protocol (ARP) request containing the address. If a conflict is found, TCP/IP does not start, and the user receives an error message. The conflicting address should be removed from the list of active leases, or it should be excluded until the conflict is identified and resolved.

Security

IEEE 802.1X

Local Area Networks (LANs) are often deployed in environments that permit the attachment of unauthorized devices. The networks also permit unauthorized users to attempt to access the LAN through existing equipment. In such environments, you may want to restrict access to the services offered by the LAN. This section introduces the concepts associated with the two forms of security available on the IXM5414E switch module: Local Authentication and Remote Authentication Dial-In User Service (RADIUS). These mechanisms are used to authenticate user access to the switch module and conform to the specifications in IEEE 802.1X.

Port-based network access control makes use of the physical characteristics of LAN infrastructures to provide a means of authenticating and authorizing devices attached to a LAN port. Port-based network access control prevents access to the port in cases in which the authentication and authorization process fails.

Access control is achieved by enforcing authentication of entities seeking access to a port on the switch module. These entities are referred to as supplicants. The result of the authentication process determines whether the supplicant is authorized to access services on that controlled port.

A Port Access Entity (PAE) can adopt two different roles in an access control interaction:

Authenticator

A port that enforces authentication before allowing access.

Supplicant

A port that attempts to access services offered by an authenticator.

Additionally, there is a third role:

Authentication server

Performs the authentication function necessary to check the credentials of the Supplicant on behalf of the Authenticator.

All three roles are required to complete the authentication process.

The IXM5414E switch module operates in the authenticator role only. The authenticator PAE is responsible for submitting information received from the supplicant to the authentication server in order for the credentials to be checked, which will determine the authorization state of the port. The authenticator PAE controls the authorized/unauthorized state of the controlled port depending on the outcome of the authentication process. Authentication messages use the Extensible Authentication Protocol (EAP).

A port may take one of two states:

Controlled

Traffic will only be exchanged if the port is in the Authorized state.

Uncontrolled

Allows the uncontrolled exchange of EAP over IEEE 802 LANs (EAPoL) PDUs between the Authenticator and Supplicant.
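The following is an added illustrative model of the authenticator role described above; it is not code from the IXM5414E or its firmware. It assumes a simplified credential encoding ("identity:secret" inside the EAPoL payload) and a stand-in for the authentication server; only the EAPoL EtherType 0x888E is real. It shows why the two port types exist: EAPoL PDUs always pass through the uncontrolled port so authentication can happen, while the controlled port drops all other traffic until the authentication server returns a positive result.

```python
from dataclasses import dataclass
from enum import Enum

EAPOL_ETHERTYPE = 0x888E  # EAP over IEEE 802 LANs (EAPoL); real EtherType value


class PortState(Enum):
    UNAUTHORIZED = "unauthorized"
    AUTHORIZED = "authorized"


@dataclass
class Frame:
    ethertype: int
    payload: bytes


class AuthenticationServer:
    """Constructed stand-in for a RADIUS/local authentication server."""

    def __init__(self, users: dict):
        self._users = users

    def check(self, identity: str, secret: str) -> bool:
        return self._users.get(identity) == secret


class AuthenticatorPAE:
    """Authenticator PAE: relays credentials, sets the controlled port state."""

    def __init__(self, server: AuthenticationServer):
        self.server = server
        self.controlled_state = PortState.UNAUTHORIZED

    def receive(self, frame: Frame) -> bool:
        """Return True if the frame is admitted to the LAN, False if dropped."""
        if frame.ethertype == EAPOL_ETHERTYPE:
            # Uncontrolled port: EAPoL PDUs always pass so the supplicant can authenticate.
            self._handle_eapol(frame.payload)
            return True
        # Controlled port: all other traffic is dropped unless Authorized.
        return self.controlled_state == PortState.AUTHORIZED

    def _handle_eapol(self, payload: bytes) -> None:
        if payload == b"logoff":  # assumed encoding of an EAPOL-Logoff
            self.controlled_state = PortState.UNAUTHORIZED
            return
        # Constructed encoding "identity:secret"; real EAP methods exchange more.
        identity, _, secret = payload.decode(errors="replace").partition(":")
        ok = self.server.check(identity, secret)
        self.controlled_state = PortState.AUTHORIZED if ok else PortState.UNAUTHORIZED
```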

Intel® Blade Server Ethernet Switch Module IXM5414E
