Network switches can provide open and easy access to network resources by simply attaching a client PC. Although this automatic configuration and access is a desirable feature, it also allows unauthorized personnel to easily intrude and possibly gain access to sensitive network data.
The IEEE 802.1X (dot1X) standard defines a port-based access control procedure that prevents unauthorized access to a network by requiring users to first submit credentials for authentication. Access to all switch ports in a network can be centrally controlled from a server, which means that authorized users can use the same credentials for authentication from any point within the network.
This switch uses the Extensible Authentication Protocol over LANs (EAPOL) to exchange authentication protocol messages with the client, and a remote RADIUS authentication server to verify user identity and access rights. When a client (i.e., Supplicant) connects to a switch port, the switch (i.e., Authenticator) responds with an EAP Request/Identity carried in an EAPOL frame. The client returns its identity (such as a user name) in an EAP Response/Identity, which the switch forwards to the RADIUS server. The RADIUS server verifies the client identity and sends an access challenge, which the switch relays to the client. The EAP packet from the RADIUS server contains not only the challenge, but the authentication method to be used. The client can reject the authentication method and request another, depending on the configuration of the client software and the RADIUS server. The EAP method used to carry the authentication exchange can be MD5 (EAP-MD5 challenge), TLS (Transport Layer Security), PEAP (Protected Extensible Authentication Protocol), or TTLS (Tunneled Transport Layer Security). These are authentication methods, not encryption methods: EAP-MD5 sends only an MD5 hash of the challenge and password, does not authenticate the server to the client, and leaves a captured exchange open to offline password guessing, so the TLS-based methods should be preferred wherever the clients support them. The client responds to the appropriate method with its credentials, such as a password or certificate. The RADIUS server verifies the client credentials and responds with an Access-Accept or Access-Reject packet. If authentication is successful, the switch allows the client to access the network. Otherwise, non-EAP traffic on the port is blocked or assigned to a guest VLAN based on the "intrusion-action" setting. In "multi-host" mode, only one host connected to a port needs to pass authentication for all other hosts to be granted network access. Similarly, a port can become unauthorized for all hosts if one attached host fails re-authentication or sends an EAPOL logoff message.
Use the Security > Port Authentication (Configure Global) page to configure IEEE 802.1X port authentication. The 802.1X protocol must be enabled globally for the switch system before port settings are active.
Enables or disables 802.1X for the whole switch; the per-port settings below have no effect until this is enabled. (Default: Disabled)
Use the Security > Port Authentication (Configure Interface - Authenticator) page to configure 802.1X port settings for the switch as the local authenticator. When 802.1X is enabled, you need to configure the parameters for the authentication process that runs between the client and the switch (i.e., authenticator), as well as the client identity lookup process that runs between the switch and authentication server.
Port number.
Indicates if authentication is enabled or disabled on the port. The status is disabled if the control mode is set to Force-Authorized.
Displays the 802.1X authorization status of connected clients.
Connected client is authorized.
Connected client is not authorized, or port is not connected.
Sets the port control mode to one of the following options:
Requires a dot1x-aware client to be authorized by the authentication server (the Auto port control of the 802.1X standard). Clients that are not dot1x-aware will be denied access. This is the only mode in which authentication actually takes place.
Force-Authorized: forces the port to grant access to all clients, either dot1x-aware or otherwise. (This is the default setting.) Because it is the default, enabling 802.1X globally protects nothing by itself; every port that should require authentication must be switched out of this mode explicitly.
Force-Unauthorized: forces the port to deny access to all clients, either dot1x-aware or otherwise.
Allows single or multiple hosts (clients) to connect to an 802.1X-authorized port. (Default: Single-Host)
Allows only a single host to connect to this port.
Allows multiple hosts to connect to this port. In this mode, only one host connected to a port needs to pass authentication for all other hosts to be granted network access. Similarly, a port can become unauthorized for all hosts if one attached host fails re-authentication or sends an EAPOL logoff message. Treat this mode as authorizing the cable rather than the devices: anything plugged into a hub or unmanaged switch behind the authenticated host receives the same access without ever presenting credentials.
Allows multiple hosts to connect to this port, with each host needing to be authenticated. In this mode, each host connected to a port must pass authentication individually. The number of hosts allowed access to a port operating in this mode is limited only by the available space in the secure address table (i.e., up to 1024 addresses).
The maximum number of hosts that can connect to a port when the Multi-Host operation mode is selected. (Range: 1-1024; Default: 5)
Sets the maximum number of times the switch port will retransmit an EAP request packet to the client before it times out the authentication session. (Range: 1-10; Default: 2)
Sets the time (the quiet period) that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client. Besides backing off from an unresponsive client, this interval throttles repeated attempts by a client that keeps failing. (Range: 1-65535 seconds; Default: 60 seconds)
Sets the time period during an authentication session that the switch waits before re-transmitting an EAP packet. (Range: 1-65535 seconds; Default: 30 seconds)
Sets the time that a switch port waits for a response to an EAP request from a client before re-transmitting the EAP packet. (Range: 1-65535 seconds; Default: 30 seconds)
This setting applies to EAP-request frames other than EAP-request/identity frames. If dot1x authentication is enabled on a port, the switch initiates authentication when the port link state comes up: it sends an EAP-request/identity frame to the client to request its identity, followed by one or more requests for authentication information. It may also send other EAP-request frames to the client during an active connection as required for re-authentication.
Sets the time that a switch port waits for a response to an EAP request from the authentication server before re-transmitting the EAP packet. (Default: 0 seconds)
The field shows 0 until a RADIUS server has been configured; once a server is set, the correct operational value of 10 seconds is displayed.
Sets the client to be re-authenticated after the interval specified by the Re-authentication Period. Re-authentication can be used to detect if a new device is plugged into a switch port, but only at the next interval: with the default period of 3600 seconds, a device swapped onto an authorized port can keep that port's access for up to an hour before it is challenged. (Default: Disabled)
Sets the time period after which a connected client must be re-authenticated. (Range: 1-65535 seconds; Default: 3600 seconds)
The maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the authentication session. (Range: 1-10; Default: 2)
Sets the port's response to a failed authentication.
Blocks all non-EAP traffic on the port. (This is the default setting.)
Traffic for the port is assigned to a guest VLAN. The guest VLAN must be separately configured and mapped on each port.
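The three operation modes and the intrusion action above decide what the switch does with a host's traffic, and the differences matter most when a second device appears behind an authenticated one. The following Python model, added here as an example and not code from the switch or its vendor, replays one sequence of events (host A authenticates, hosts B and C plug in without authenticating, then A fails re-authentication) under each mode and returns the access decision per host. The mode names single-host, multi-host and multi-auth, the MAC strings, the guest VLAN id 99 and the rule that a guest VLAN is only applied after a failed authentication are assumptions made for the example.

```python
"""Port-authorization model for 802.1X operation modes (added example, not vendor code)."""
from dataclasses import dataclass, field

SINGLE_HOST, MULTI_HOST, MULTI_AUTH = "single-host", "multi-host", "multi-auth"  # assumed names
BLOCK, GUEST_VLAN = "block", "guest-vlan"          # the two intrusion actions on the page
MAX_SECURE_ADDRESSES = 1024                         # secure address table size quoted on the page


@dataclass
class Dot1xPort:
    mode: str = SINGLE_HOST
    max_count: int = 5                  # Max Count; only consulted in multi-host mode
    intrusion_action: str = BLOCK
    guest_vlan: int = 0                 # hypothetical VLAN id mapped to this port
    attached: list = field(default_factory=list)   # MACs seen on the port, in arrival order
    authorized: set = field(default_factory=set)   # MACs whose EAP exchange succeeded
    failed: set = field(default_factory=set)       # MACs whose last attempt failed
    port_authorized: bool = False       # multi-host: one success opens the whole port

    def attach(self, mac):
        if mac not in self.attached:
            self.attached.append(mac)

    def auth_success(self, mac):
        self.attach(mac)
        self.authorized.add(mac)
        self.failed.discard(mac)
        self.port_authorized = True

    def auth_failure(self, mac):
        """Failed initial authentication or failed re-authentication."""
        self.attach(mac)
        self.authorized.discard(mac)
        self.failed.add(mac)
        if self.mode == MULTI_HOST:      # one failure un-authorizes every host on the port
            self.port_authorized = False

    def logoff(self, mac):
        """EAPOL-Logoff from the host; in multi-host mode it closes the port for everyone."""
        self.authorized.discard(mac)
        if self.mode == MULTI_HOST:
            self.port_authorized = False

    def access(self, mac) -> str:
        """Fate of non-EAP traffic from `mac`: 'allow', 'block' or 'vlan <guest id>'."""
        # Assumption: guest VLAN is applied only once an authentication has actually failed
        # (per MAC in multi-auth, for the whole port otherwise); untried hosts are blocked.
        failed_here = mac in self.failed if self.mode == MULTI_AUTH else bool(self.failed)
        denied = f"vlan {self.guest_vlan}" if (self.intrusion_action == GUEST_VLAN and failed_here) else "block"
        if self.mode == SINGLE_HOST:
            # Only the first host is admitted at all, and it must have authenticated itself.
            ok = bool(self.attached) and mac == self.attached[0] and mac in self.authorized
        elif self.mode == MULTI_HOST:
            # Any host within Max Count rides on the port-level authorization.
            ok = self.port_authorized and mac in self.attached[: self.max_count]
        else:
            ok = mac in self.authorized and len(self.authorized) <= MAX_SECURE_ADDRESSES
        return "allow" if ok else denied


def scenario(mode, intrusion_action=BLOCK):
    """Same constructed event sequence under a given mode; returns (before, after) decisions."""
    p = Dot1xPort(mode=mode, intrusion_action=intrusion_action, guest_vlan=99, max_count=2)
    p.auth_success("A")      # A completes EAP
    p.attach("B")            # B appears behind a hub and never authenticates
    p.attach("C")            # C likewise, and exceeds Max Count=2 in multi-host mode
    before = {m: p.access(m) for m in "ABC"}
    p.auth_failure("A")      # A fails re-authentication
    after = {m: p.access(m) for m in "ABC"}
    return before, after


if __name__ == "__main__":
    for mode in (SINGLE_HOST, MULTI_HOST, MULTI_AUTH):
        for action in (BLOCK, GUEST_VLAN):
            print(mode, action, *scenario(mode, action))
```

The run shows the property the page warns about: in multi-host mode B is allowed through on A's credentials alone, and with the guest VLAN action every host on the port lands in the guest VLAN once A fails, whereas per-host authentication isolates the effect to A.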
MAC address of authorized client.
Current state (including initialize, disconnected, connecting, authenticating, authenticated, aborting, held, force_authorized, force_unauthorized).
Number of times connecting state is re-entered.
Identifier sent in each EAP Success, Failure or Request packet by the Authentication Server.
Current state (including request, response, success, fail, timeout, idle, initialize).
Number of EAP Request packets sent to the Supplicant without receiving a response.
Identifier carried in the most recent EAP Success, Failure or Request packet received from the Authentication Server.
Current state (including initialize, reauthenticate).
Use the Security > Port Authentication (Show Statistics) page to display statistics for dot1x protocol exchanges for any port.
Authenticator
The number of EAPOL Start frames that have been received by this Authenticator.
The number of EAPOL Logoff frames that have been received by this Authenticator.
The number of EAPOL frames that have been received by this Authenticator in which the frame type is not recognized.
The number of valid EAPOL frames of any type that have been received by this Authenticator.
The protocol version number carried in the most recent EAPOL frame received by this Authenticator.
The source MAC address carried in the most recent EAPOL frame received by this Authenticator.
The number of EAP Resp/Id frames that have been received by this Authenticator.
The number of valid EAP Response frames (other than Resp/Id frames) that have been received by this Authenticator.
The number of EAPOL frames that have been received by this Authenticator in which the Packet Body Length field is invalid.
The number of EAP Req/Id frames that have been transmitted by this Authenticator.
The number of EAP Request frames (other than Req/Id frames) that have been transmitted by this Authenticator.
The number of EAPOL frames of any type that have been transmitted by this Authenticator.
Supplicant
The number of EAPOL frames that have been received by this Supplicant in which the frame type is not recognized.
The number of valid EAPOL frames of any type that have been received by this Supplicant.
The protocol version number carried in the most recent EAPOL frame received by this Supplicant.
The source MAC address carried in the most recent EAPOL frame received by this Supplicant.
The number of EAP Resp/Id frames that have been received by this Supplicant.
The number of valid EAP Response frames (other than Resp/Id frames) that have been received by this Supplicant.
The number of EAPOL frames that have been received by this Supplicant in which the Packet Body Length field is invalid.
The number of EAPOL frames of any type that have been transmitted by this Supplicant.
The number of EAPOL Start frames that have been transmitted by this Supplicant.
The number of EAPOL Logoff frames that have been transmitted by this Supplicant.
The number of EAP Req/Id frames that have been transmitted by this Supplicant.
The number of EAP Request frames (other than Req/Id frames) that have been transmitted by this Supplicant.
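To see how the exchange in the overview maps onto the Authenticator counters listed above, the following Python parser, added here as an example and not code from the switch or its vendor, decodes EAPOL frames (EtherType 0x888E) and the EAP packets inside them, replays a constructed Start / Request-Identity / Response-Identity / MD5-Challenge / Success / Logoff exchange plus one frame with an unrecognized EAPOL type and one with an invalid Packet Body Length, and tallies them the way the statistics page counts them. The MAC addresses, the user name, the challenge bytes and the counter attribute names are assumptions made for the example; the EAPOL types, EAP codes and EAP method type numbers are the standard values.

```python
"""EAPOL/EAP frame parser with 802.1X authenticator counters (added example, not vendor code)."""
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")          # 802.1X PAE group address
EAPOL_EAP, EAPOL_START, EAPOL_LOGOFF, EAPOL_KEY, EAPOL_ASF = 0, 1, 2, 3, 4
KNOWN_EAPOL_TYPES = {EAPOL_EAP, EAPOL_START, EAPOL_LOGOFF, EAPOL_KEY, EAPOL_ASF}
EAPOL_NAMES = {EAPOL_START: "EAPOL-Start", EAPOL_LOGOFF: "EAPOL-Logoff",
               EAPOL_KEY: "EAPOL-Key", EAPOL_ASF: "EAPOL-Encapsulated-ASF-Alert"}
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4       # RFC 3748 codes
EAP_CODE_NAMES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_IDENTITY, EAP_MD5, EAP_TLS, EAP_TTLS, EAP_PEAP = 1, 4, 13, 21, 25   # method types on the page
EAP_TYPE_NAMES = {1: "Identity", 4: "MD5-Challenge", 13: "TLS", 21: "TTLS", 25: "PEAP"}
SUPPLICANT = bytes.fromhex("0011223344aa")               # constructed MAC addresses
AUTHENTICATOR = bytes.fromhex("0011223344bb")


@dataclass
class Eapol:
    src: bytes
    version: int
    eapol_type: int
    length_ok: bool                      # Packet Body Length does not exceed what was received
    eap_code: Optional[int] = None
    eap_id: Optional[int] = None
    eap_type: Optional[int] = None


def parse_eapol(raw: bytes) -> Optional[Eapol]:
    """Decode Ethernet + EAPOL header and, for EAP-Packet frames, the EAP header."""
    if len(raw) < 18 or struct.unpack("!H", raw[12:14])[0] != ETHERTYPE_EAPOL:
        return None
    version, etype, length = struct.unpack("!BBH", raw[14:18])
    body = raw[18:]                       # may carry Ethernet padding after the declared body
    f = Eapol(raw[6:12], version, etype, length <= len(body))
    if etype == EAPOL_EAP and f.length_ok and length >= 4:
        eap = body[:length]
        f.eap_code, f.eap_id, _eap_len = struct.unpack("!BBH", eap[:4])
        if f.eap_code in (EAP_REQUEST, EAP_RESPONSE) and len(eap) >= 5:
            f.eap_type = eap[4]           # Request/Response carry the method type byte
    return f


def describe(raw: bytes) -> str:
    f = parse_eapol(raw)
    if f is None:
        return "not EAPOL"
    if f.eapol_type not in KNOWN_EAPOL_TYPES:
        return f"EAPOL type {f.eapol_type} (unrecognized)"
    if not f.length_ok:
        return "EAPOL frame with invalid Packet Body Length"
    if f.eapol_type != EAPOL_EAP:
        return EAPOL_NAMES[f.eapol_type]
    name = EAP_CODE_NAMES.get(f.eap_code, "?")
    if f.eap_type is not None:
        name += "/" + EAP_TYPE_NAMES.get(f.eap_type, str(f.eap_type))
    return f"EAP {name} id={f.eap_id}"


class AuthenticatorStats:
    """Counters corresponding to the Authenticator column of the Show Statistics page."""
    def __init__(self):
        self.rx_start = self.rx_logoff = self.rx_invalid = self.rx_valid = 0
        self.rx_resp_id = self.rx_resp_oth = self.rx_len_error = 0
        self.tx_req_id = self.tx_req_oth = self.tx_total = 0
        self.last_version = self.last_source = None

    def rx(self, raw: bytes):                      # frame received from the supplicant
        f = parse_eapol(raw)
        if f is None:
            return
        self.last_version, self.last_source = f.version, f.src
        if f.eapol_type not in KNOWN_EAPOL_TYPES:
            self.rx_invalid += 1
        elif not f.length_ok:
            self.rx_len_error += 1
        else:
            self.rx_valid += 1
            if f.eapol_type == EAPOL_START:
                self.rx_start += 1
            elif f.eapol_type == EAPOL_LOGOFF:
                self.rx_logoff += 1
            elif f.eap_code == EAP_RESPONSE:
                if f.eap_type == EAP_IDENTITY:
                    self.rx_resp_id += 1
                else:
                    self.rx_resp_oth += 1

    def tx(self, raw: bytes):                      # frame sent by the authenticator
        f = parse_eapol(raw)
        if f is None:
            return
        self.tx_total += 1
        if f.eap_code == EAP_REQUEST:
            if f.eap_type == EAP_IDENTITY:
                self.tx_req_id += 1
            else:
                self.tx_req_oth += 1


def eapol_frame(src, dst, eapol_type, body=b"", version=1, declared_len=None):
    length = len(body) if declared_len is None else declared_len   # declared_len forges a bad length
    return dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, version, eapol_type, length) + body


def eap_packet(code, ident, eap_type=None, data=b""):
    body = (bytes([eap_type]) + data) if eap_type is not None else b""
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def sample_exchange():
    """Replay the constructed exchange through the counters; returns (stats, transcript)."""
    st, log = AuthenticatorStats(), []
    chal = bytes(range(16))                                        # constructed MD5 challenge
    sup = lambda t, b=b"", **kw: eapol_frame(SUPPLICANT, PAE_GROUP_ADDR, t, b, **kw)
    auth = lambda b: eapol_frame(AUTHENTICATOR, SUPPLICANT, EAPOL_EAP, b)
    steps = [
        ("sup", sup(EAPOL_START)),
        ("auth", auth(eap_packet(EAP_REQUEST, 1, EAP_IDENTITY))),
        ("sup", sup(EAPOL_EAP, eap_packet(EAP_RESPONSE, 1, EAP_IDENTITY, b"alice"))),
        ("auth", auth(eap_packet(EAP_REQUEST, 2, EAP_MD5, bytes([16]) + chal))),
        ("sup", sup(EAPOL_EAP, eap_packet(EAP_RESPONSE, 2, EAP_MD5, bytes([16]) + b"\x00" * 16))),
        ("auth", auth(eap_packet(EAP_SUCCESS, 2))),
        ("sup", sup(EAPOL_LOGOFF)),
        ("sup", sup(9)),                                                         # unknown type
        ("sup", sup(EAPOL_EAP, eap_packet(EAP_RESPONSE, 3, EAP_IDENTITY, b"bob"), declared_len=40)),
    ]
    for side, raw in steps:
        (st.rx if side == "sup" else st.tx)(raw)
        log.append(f"{side}: {describe(raw)}")
    return st, log


if __name__ == "__main__":
    stats, transcript = sample_exchange()
    print("\n".join(transcript))
    print(vars(stats))
```

Frames with an unrecognized type or a bad length are counted separately and never reach the EAP decoder, which is the behaviour the two error counters on the page describe; a rising count in either from a port that should carry only well-formed supplicant traffic is worth a look.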