System information
Managed Gigabit Switch
52 T1000-TM-EN-2
52
same time. Each supplicant is authenticated individually and secured in the MAC table using the Port
Security module.
In Multi 802.1X it is not possible to use the multicast BPDU MAC address as destination MAC address
for EAPOL frames sent from the switch towards the supplicant, since that would cause all supplicants
attached to the port to reply to requests sent from the switch. Instead, the switch uses the supplicant's
MAC address, which is obtained from the first EAPOL Start or EAPOL Response Identity frame sent by
the supplicant. An exception to this is when no supplicants are attached. In this case, the switch sends
EAPOL Request Identity frames using the BPDU multicast MAC address as destination - to wake up any
supplicants that might be on the port.
The maximum number of supplicants that can be attached to a port can be limited using the Port
Security Limit Controlfunctionality.
MAC-based Auth.
Unlike port-based 802.1X, MAC-based authentication is not a standard, but merely a best-practices
method adopted by the industry. In MAC-based authentication, users are called clients, and the switch
acts as the supplicant on behalf of clients. The initial frame (any kind of frame) sent by a client is
snooped by the switch, which in turn uses the client's MAC address as both username and password in
the subsequent EAP exchange with the RADIUS server. The 6-byte MAC address is converted to a string
on the following form "xx-xx-xx-xx-xx-xx", that is, a dash (-) is used as separator between the lower-
cased hexadecimal digits. The switch only supports the MD-Challenge authentication method, so the
RADIUS server must be configured accordingly.
When authentication is complete, the RADIUS server sends a success or failure indication, which in turn
causes the switch to open up or block traffic for that particular client, using the Port Security module.
Only then will frames from the client be forwarded on the switch. There are no EAPOL frames involved
in this authentication, and therefore, MAC-based Authentication has nothing to do with the 802.1X
standard.
The advantage of MAC-based authentication over 802.1X-based authentication is that the clients don't
need special supplicant software to authenticate. The disadvantage is that MAC addresses can be
spoofed by malicious users - equipment whose MAC address is a valid RADIUS user can be used by
anyone. Also, only the MD-Challenge method is supported. The maximum number of clients that can
be attached to a port can be limited using the Port Security Limit Control functionality.
RADIUS-Assigned QoS Enabled
When RADIUS-Assigned QoS is both globally enabled and enabled (checked) on a given port, the switch
reacts to QoS Class information carried in the RADIUS Access-Accept packet transmitted by the RADIUS
server when a supplicant is successfully authenticated. If present and valid, traffic received on the
supplicant's port will be classified to the given QoS Class. If (re-)authentication fails or the RADIUS
Access-Accept packet no longer carries a QoS Class or it's invalid, or the supplicant is otherwise no
longer present on the port, the port's QoS Class is immediately reverted to the original QoS Class
(which may be changed by the administrator in the meanwhile without affecting the RADIUS-assigned).
This option is only available for single-client modes, i.e.
• Port-based 802.1X
• Single 802.1X
RADIUS attributes used in identifying a QoS Class:
The User-Priority-Table attribute defined in RFC467forms the basis for identifying the QoS Class in an
Access-Accept packet.
Only the first occurrence of the attribute in the packet will be considered, and to be valid, it must follow
this rule:
• All 8 octets in the attribute's value must be identical and consist of ASCII characters in the range '0' -
'7', which translates into the desired QoS Class in the range [0; 7].
RADIUS-Assigned VLAN Enabled
When RADIUS-Assigned VLAN is both globally enabled and enabled (checked) for a given port, the
switch reacts to VLAN ID information carried in the RADIUS Access-Accept packet transmitted by the