Moxa Technologies PT-7728 Using Port Access Control

PT-7728 User’s Manual Featured Functions

3-52

Using Port Access Control

The PT-7728 provides two kinds of Port-Base Access Control. One is Static Port Lock and the

other is IEEE 802.1X.

The PT-7728 can also be configured to protect static MAC addresses for a specific port. With the

Port Lock function, these locked ports will not learn any additional addresses, but only allow

traffic from preset static MAC addresses, helping to block hackers and careless usage.

The IEEE 802.1X standard defines a protocol for client/server-based access control and

authentication. The protocol restricts unauthorized clients from connecting to a LAN through ports

that are open to the Internet, and which otherwise would be readily accessible. The purpose of the

authentication server is to check each client that requests access to the port. The client is only

allowed access to the port if the client’s permission is authenticated.

Three components are used to create an authentication mechanism based on 802.1X standards:

Client/Supplicant, Authentication Server, and Authenticator.

Supplicant: The end station that requests access to the LAN and switch services and responds to

the requests from the switch.

Authentication server: The server that performs the actual authentication of the supplicant.

Authenticator: Edge switch or wireless access point that acts as a proxy between the supplicant

and the authentication server, requesting identity information from the supplicant, verifying the

information with the authentication server, and relaying a response to the supplicant.

The PT-7728 acts as an authenticator in the 802.1X environment. A supplicant and an

authenticator exchange EAPOL (Extensible Authentication Protocol over LAN) frames with each

other. We can either use an external RADIUS server as the authentication server, or implement the

authentication server in PT-7728 by using a Local User Database as the authentication look-up

table. When we use an external RADIUS server as the authentication server, the authenticator and

the authentication server exchange EAP frames between each other.

Authentication can be initiated either by the supplicant or the authenticator. When the supplicant

initiates the authentication process, it sends an EAPOL-Start frame to the authenticator. When the

authenticator initiates the authentication process or when it receives an EAPOL Start frame, it

sends an EAP Request/Identity frame to ask for the username of the supplicant.

The PT-7728 supports adding unicast groups manually if required.