4.10.2.2 Security-Network-NAS Configuration
The Network Access Server Configuration page has the following parameters:
- System Configuration:
- Mode: Indicates if NAS is globally enabled or disabled on the switch. If globally disabled, all ports forward frames without any authentication.
- Reauthentication Enabled: If checked, successfully authenticated supplicants/clients are reauthenticated after the interval specified by the Reauthentication Period. Reauthentication for 802.1X-enabled ports can be used to detect if a new device is plugged into a switch port or if a supplicant is no longer attached. For MAC-based ports, reauthentication is only useful if the RADIUS server configuration has changed. It does not involve communication between the switch and the client, and therefore does not imply that a client is still present on a port (see Aging Period).
- Reauthentication Period: Determines the period in seconds, after which a connected client must be reauthenticated. This is only active if the Reauthentication Enabled checkbox is selected. Valid values are in the range 1s–3600s.
- EAPOL Timeout: Determines the time for retransmission of Request Identity EAPOL frames. Valid values are in the range 1s–65535s. This has no effect for MAC-based ports.
- Aging Period: This setting applies to the following modes, that is, the modes using the Port Security functionality to secure MAC addresses:
- Single 802.1X
- Multi 802.1X
- MAC-Based Auth.
When the NAS module uses the Port Security module to secure MAC addresses, the Port Security module must check for activity on the MAC address in question at regular intervals and free resources if no activity is seen within a given period. This parameter sets that period; valid values are in the range 10s–1000000s. If re-authentication is enabled and the port is in an 802.1X-based mode, then this is not so critical, as supplicants that are no longer attached to the port get removed upon the next re-authentication, which fails. But if re-authentication is not enabled, the only way to free resources is by aging the entries.
For ports in MAC-based Auth. mode, re-authentication does not cause direct communication between the switch and the client. Therefore, it does not detect if the client is still attached or not, and the only way to free any resources is to age the entry.
- Hold Time: This setting applies to the following modes, that is, modes using the Port Security functionality to secure MAC addresses:
- Single 802.1X
- Multi 802.1X
- MAC-Based Auth.
If a client is denied access - either because the RADIUS server denies the client access or because the RADIUS server request times out (according to the timeout specified on the Configuration > Security > AAA page) - the client is put on hold in the Unauthorized state. The hold timer does not count during an ongoing authentication. In MAC-based Auth. mode, the switch ignores new frames coming from the client during the hold time. The Hold Time can be set to a number between 10s–1000000s.
- RADIUS-Assigned QoS Enabled: RADIUS-assigned QoS provides a means to centrally control the traffic class to which traffic coming from a successfully authenticated supplicant is assigned on the switch. The RADIUS server must be configured to transmit special RADIUS attributes to take advantage of this feature.
The RADIUS-Assigned QoS Enabled checkbox provides a quick way to globally enable/disable RADIUS-server assigned QoS Class functionality. When checked, each port's own RADIUS-Assigned QoS Enabled setting determines whether RADIUS-assigned QoS Class is enabled on that port. When unchecked, RADIUS-server assigned QoS Class is disabled on all ports.
- RADIUS-Assigned VLAN Enabled: RADIUS-assigned VLAN provides a means to centrally control the VLAN on which a successfully authenticated supplicant is placed on the switch. Incoming traffic is classified to and switched on the RADIUS-assigned VLAN. The RADIUS server must be configured to transmit special RADIUS attributes to take advantage of this feature (see the port-level RADIUS-Assigned VLAN Enabled option for a detailed description). The RADIUS-Assigned VLAN Enabled checkbox provides a quick way to globally enable/disable RADIUS-server assigned VLAN functionality. When checked, each port's own RADIUS-Assigned VLAN Enabled setting determines whether RADIUS-assigned VLAN is enabled on that port. When unchecked, RADIUS-server assigned VLAN is disabled on all ports.
- Guest VLAN Enabled: A Guest VLAN is a special VLAN - typically with limited network access - on which 802.1X-unaware clients are placed after a network administrator-defined timeout. The switch follows a set of rules for entering and leaving the Guest VLAN as follows. The Guest VLAN Enabled checkbox provides a quick way to globally enable/disable Guest VLAN functionality. When checked, each port's own Guest VLAN Enabled setting determines whether the port can be moved into the Guest VLAN. When unchecked, the ability to move to the Guest VLAN is disabled on all ports.
- Guest VLAN ID: This is the value that a port's Port VLAN ID is set to if a port is moved into the Guest VLAN. It is only changeable if the Guest VLAN option is globally enabled. Valid values are in the range [1; 4095].
- Max. Reauth. Count: The number of times the switch transmits an EAPOL Request Identity frame without response before considering entering the Guest VLAN is adjusted with this setting. The value can only be changed if the Guest VLAN option is globally enabled. Valid values are in the range [1; 255].
- Allow Guest VLAN if EAPOL Seen: The switch remembers if an EAPOL frame has been received on the port for the lifetime of the port. Once the switch considers entering the Guest VLAN, it first checks if this option is enabled or disabled. If disabled (unchecked; default), the switch only enters the Guest VLAN if an EAPOL frame has not been received on the port for the lifetime of the port. If enabled (checked), the switch considers entering the Guest VLAN even if an EAPOL frame has been received on the port for the lifetime of the port. The value can only be changed if the Guest VLAN option is globally enabled.
- Port Configuration: The table has one row for each port on the switch and several columns, which are as follows:
- Port: The port number for which the following configuration applies
- Admin State: If NAS is globally enabled, this selection controls the port's authentication mode. The following modes are available:
- Force Authorized: In this mode, the switch sends one EAPOL Success frame when the port link comes up, and any client on the port is allowed network access without authentication.
- Force Unauthorized: In this mode, the switch sends one EAPOL Failure frame when the port link comes up, and any client on the port is disallowed network access.
- Port-based 802.1X: In the 802.1X world, the user is called the supplicant, the switch is the authenticator, and the RADIUS server is the authentication server. The authenticator acts as the man-in-the-middle, forwarding requests and responses between the supplicant and the authentication server. Frames sent between the supplicant and the switch are special 802.1X frames, known as EAP Over LANs (EAPOL) frames. EAPOL frames encapsulate EAP PDUs (RFC3748). Frames sent between the switch and the RADIUS server are RADIUS packets. RADIUS packets also encapsulate EAP PDUs together with other attributes like the switch's IP address, name, and the supplicant's port number on the switch. EAP is very flexible and allows for different authentication methods, like MD5-Challenge, PEAP, and TLS. The important thing is that the authenticator (the switch) does not need to know which authentication method the supplicant and the authentication server are using, or how many information exchange frames are needed for a particular method. The switch simply encapsulates the EAP part of the frame into the relevant type (EAPOL or RADIUS) and forwards it. When authentication is complete, the RADIUS server sends a special packet containing a success or failure indication. Besides forwarding this decision to the supplicant, the switch uses it to open or block traffic on the switch port connected to the supplicant.
For example, suppose that two backend servers are enabled, that the server timeout is configured to X seconds (using the Authentication, Authorization and Accounting (AAA) configuration page), and that the first server in the list is currently down (but not yet considered dead). If the supplicant retransmits EAPOL Start frames at a rate faster than X seconds, it never gets authenticated, because the switch cancels ongoing backend authentication server requests when it receives a new EAPOL Start frame from the supplicant. As the server has not yet failed (because the X seconds have not expired), the same server is contacted upon the next backend authentication server request from the switch. This scenario loops forever. Therefore, the server timeout must be smaller than the supplicant's EAPOL Start frame retransmission interval.
- Single 802.1X: In port-based 802.1X authentication, once a supplicant is successfully authenticated on a port, the whole port is opened for network traffic. This allows other clients that are connected to the port (for instance through a hub) to piggy-back on the successfully authenticated client and get network access even though they are not authenticated. To overcome this security breach, use the Single 802.1X variant. Single 802.1X is not an IEEE standard but features many of the same characteristics as does port-based 802.1X. In Single 802.1X, at most one supplicant can get authenticated on the port at a time. Normal EAPOL frames are used in the communication between the supplicant and the switch. If more than one supplicant is connected to a port, the one that comes first when the port's link comes up is the first one considered. If that supplicant does not provide valid credentials within a certain amount of time, another supplicant gets a chance. Once a supplicant is successfully authenticated, only that supplicant is allowed access. This is the most secure of all the supported modes. In this mode, the Port Security module is used to secure a supplicant's MAC address once successfully authenticated.
- Multi 802.1X: Multi 802.1X is like Single 802.1X—it is not an IEEE standard, but a variant that features many of the same characteristics. In Multi 802.1X, one or more supplicants can get authenticated on the same port at the same time. Each supplicant is authenticated individually and secured in the MAC table using the Port Security module. In Multi 802.1X, it is not possible to use the multicast BPDU MAC address as destination MAC address for EAPOL frames sent from the switch towards the supplicant, as that causes all supplicants attached to the port to reply to requests sent from the switch. Instead, the switch uses the supplicant's MAC address, which is obtained from the first EAPOL Start or EAPOL Response Identity frame sent by the supplicant. An exception to this is when no supplicants are attached. In this case, the switch sends EAPOL Request Identity frames using the BPDU multicast MAC address as destination: to wake up any supplicants that might be on the port. The maximum number of supplicants that can be attached to a port can be limited using the Port Security Limit Control functionality.
- MAC-based Auth: Unlike port-based 802.1X, MAC-based authentication is not a standard, but merely a best-practices method adopted by the industry. In MAC-based authentication, users are called clients, and the switch acts as the supplicant on behalf of clients. The initial frame (any kind of frame) sent by a client is snooped by the switch, which in turn uses the client's MAC address as both username and password in the subsequent EAP exchange with the RADIUS server. The 6-byte MAC address is converted to a string in the form xx-xx-xx-xx-xx-xx, that is, a dash (-) is used as separator between the lower-cased hexadecimal digits. The switch only supports the MD5-Challenge authentication method, so the RADIUS server must be configured accordingly. When authentication is complete, the RADIUS server sends a success or failure indication, which in turn causes the switch to open or block traffic for that particular client, using the Port Security module. Only then can frames from the client be forwarded on the switch. There are no EAPOL frames involved in this authentication, and therefore MAC-based Authentication has nothing to do with the 802.1X standard. The advantage of MAC-based authentication over 802.1X-based authentication is that the clients don't need special supplicant software to authenticate. The disadvantage is that MAC addresses can be spoofed by malicious users: equipment whose MAC address is a valid RADIUS user can be used by anyone. Also, only the MD5-Challenge method is supported. The maximum number of clients that can be attached to a port can be limited using the Port Security Limit Control functionality.
- RADIUS-Assigned QoS Enabled: When RADIUS-Assigned QoS is both globally enabled and enabled (checked) on a given port, the switch reacts to QoS Class information carried in the RADIUS Access-Accept packet transmitted by the RADIUS server when a supplicant is successfully authenticated. If present and valid, traffic received on the supplicant's port is classified to the given QoS Class. If (re-)authentication fails, the RADIUS Access-Accept packet no longer carries a QoS Class or it is invalid, or the supplicant is otherwise no longer present on the port, the port's QoS Class is immediately reverted to the original QoS Class (which the administrator may change in the meantime without affecting the RADIUS-assigned one). This option is only available for single-client modes:
- Port-based 802.1X
- Single 802.1X
- RADIUS-Assigned VLAN Enabled: When RADIUS-Assigned VLAN is both globally enabled and enabled (checked) for a given port, the switch reacts to VLAN ID information carried in the RADIUS Access-Accept packet transmitted by the RADIUS server when a supplicant is successfully authenticated. If present and valid, the port's Port VLAN ID is changed to this VLAN ID, the port is set to be a member of that VLAN ID, and the port is forced into VLAN unaware mode. Once assigned, all traffic arriving on the port is classified and switched on the RADIUS-assigned VLAN ID. If (re-)authentication fails, the RADIUS Access-Accept packet no longer carries a VLAN ID or it is invalid, or the supplicant is otherwise no longer present on the port, then the port's VLAN ID is immediately reverted to the original VLAN ID (which the administrator may change in the meantime without affecting the RADIUS-assigned one). This option is only available for single-client modes:
- Port-based 802.1X
- Single 802.1X
For troubleshooting VLAN assignments, use the Monitor > VLANs > VLAN Membership and VLAN Port pages. These pages show which modules have (temporarily) overridden the current Port VLAN configuration.
RFC2868 and RFC3580 form the basis for the attributes used in identifying a VLAN ID in an Access-Accept packet. The following criteria are used:
- The Tunnel-Medium-Type, Tunnel-Type, and Tunnel-Private-Group-ID attributes must all be present at least once in the Access-Accept packet.
- The switch looks for the first set of these attributes that have the same Tag value and fulfill the following requirements (if Tag == 0 is used, the Tunnel-Private-Group-ID does not need to include a Tag):
- Value of Tunnel-Medium-Type must be set to IEEE-802 (ordinal 6)
- Value of Tunnel-Type must be set to VLAN (ordinal 13)
- Value of Tunnel-Private-Group-ID must be a string of ASCII characters in the range '0'–'9', which is interpreted as a decimal string representing the VLAN ID. Leading 0s are discarded. The final value must be in the range [1; 4095].
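The attribute selection rules above are easy to get subtly wrong (tag matching, the untagged Tunnel-Private-Group-ID case, leading zeros, the [1; 4095] range). The following Python is an added example, not code from the switch firmware or this manual, that decodes a constructed RADIUS attribute area and applies those rules exactly as listed. It assumes the standard RFC 2868 attribute codes (Tunnel-Type 64, Tunnel-Medium-Type 65, Tunnel-Private-Group-ID 81) and, where the manual does not say, takes "first set" to mean the first Tunnel-Private-Group-ID in packet order whose tag has a matching, valid Tunnel-Type and Tunnel-Medium-Type.

```python
"""Selecting a RADIUS-assigned VLAN ID from an Access-Accept attribute area.

Added example (not the switch's own code). Attribute codes are from RFC 2868;
the VLAN/IEEE-802 ordinals match the manual's criteria.
"""
from typing import Dict, List, Optional, Tuple

TUNNEL_TYPE = 64               # RFC 2868 attribute codes
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

TUNNEL_TYPE_VLAN = 13          # Tunnel-Type ordinal for VLAN
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type ordinal for IEEE-802


def parse_attributes(raw: bytes) -> List[Tuple[int, bytes]]:
    """Split a RADIUS attribute area into (type, value) pairs.

    Each attribute is Type(1) Length(1, counts the 2-byte header) Value.
    Malformed lengths raise rather than being silently skipped.
    """
    attrs: List[Tuple[int, bytes]] = []
    pos = 0
    while pos < len(raw):
        if pos + 2 > len(raw):
            raise ValueError("truncated attribute header")
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > len(raw):
            raise ValueError("bad attribute length")
        attrs.append((atype, raw[pos + 2:pos + alen]))
        pos += alen
    return attrs


def tagged_integer(value: bytes) -> Tuple[int, int]:
    """Tag(1) + 3-byte big-endian integer (Tunnel-Type, Tunnel-Medium-Type)."""
    if len(value) != 4:
        raise ValueError("tagged integer attribute must be 4 octets")
    return value[0], int.from_bytes(value[1:], "big")


def tagged_string(value: bytes) -> Tuple[int, bytes]:
    """Tag(1) + string (Tunnel-Private-Group-ID).

    Per RFC 2868 a first octet above 0x1F is not a tag but the first character
    of the string; such an attribute is treated as carrying Tag 0, which is the
    "does not need to include a Tag" case in the manual.
    """
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def vlan_from_group_id(group: bytes) -> Optional[int]:
    """ASCII digits '0'..'9' only, leading zeros dropped, result in [1; 4095]."""
    if not group or not all(0x30 <= c <= 0x39 for c in group):
        return None
    vid = int(group.decode("ascii"), 10)   # int() discards leading zeros
    return vid if 1 <= vid <= 4095 else None


def radius_assigned_vlan(attrs: List[Tuple[int, bytes]]) -> Optional[int]:
    """Return the VLAN ID the rules select, or None if no attribute set qualifies."""
    media: Dict[int, int] = {}
    types: Dict[int, int] = {}
    groups: List[Tuple[int, bytes]] = []
    for atype, value in attrs:
        if atype == TUNNEL_MEDIUM_TYPE:
            tag, val = tagged_integer(value)
            media.setdefault(tag, val)      # first occurrence per tag wins
        elif atype == TUNNEL_TYPE:
            tag, val = tagged_integer(value)
            types.setdefault(tag, val)
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            groups.append(tagged_string(value))
    # Walk Group-IDs in packet order; the first complete and valid set is used.
    for tag, group in groups:
        if media.get(tag) != TUNNEL_MEDIUM_IEEE_802 or types.get(tag) != TUNNEL_TYPE_VLAN:
            continue
        vid = vlan_from_group_id(group)
        if vid is not None:
            return vid
    return None


# --- Constructed sample attribute areas (not captured from a real server) ---
def attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value


def tagged_int_attr(atype: int, tag: int, val: int) -> bytes:
    return attr(atype, bytes([tag]) + val.to_bytes(3, "big"))


SAMPLE_TAGGED = (tagged_int_attr(TUNNEL_TYPE, 1, 13)
                 + tagged_int_attr(TUNNEL_MEDIUM_TYPE, 1, 6)
                 + attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"0100"))   # leading zeros -> 100
SAMPLE_UNTAGGED = (tagged_int_attr(TUNNEL_TYPE, 0, 13)
                   + tagged_int_attr(TUNNEL_MEDIUM_TYPE, 0, 6)
                   + attr(TUNNEL_PRIVATE_GROUP_ID, b"42"))             # '4' > 0x1F: no tag octet
SAMPLE_TAG_MISMATCH = (tagged_int_attr(TUNNEL_TYPE, 1, 13)
                       + tagged_int_attr(TUNNEL_MEDIUM_TYPE, 2, 6)
                       + attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"100"))
SAMPLE_OUT_OF_RANGE = (tagged_int_attr(TUNNEL_TYPE, 0, 13)
                       + tagged_int_attr(TUNNEL_MEDIUM_TYPE, 0, 6)
                       + attr(TUNNEL_PRIVATE_GROUP_ID, b"4096"))
SAMPLE_SECOND_SET = (tagged_int_attr(TUNNEL_TYPE, 1, 13) + tagged_int_attr(TUNNEL_MEDIUM_TYPE, 1, 6)
                     + attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"0")       # tag 1: VLAN 0 is invalid
                     + tagged_int_attr(TUNNEL_TYPE, 2, 13) + tagged_int_attr(TUNNEL_MEDIUM_TYPE, 2, 6)
                     + attr(TUNNEL_PRIVATE_GROUP_ID, b"\x02" + b"200"))    # tag 2 qualifies

if __name__ == "__main__":
    for name, area in [("tagged", SAMPLE_TAGGED), ("untagged", SAMPLE_UNTAGGED),
                       ("tag mismatch", SAMPLE_TAG_MISMATCH),
                       ("out of range", SAMPLE_OUT_OF_RANGE), ("second set", SAMPLE_SECOND_SET)]:
        print(f"{name:13s} -> {radius_assigned_vlan(parse_attributes(area))}")
```

The out-of-range and tag-mismatch samples are the cases worth checking on a real server configuration: an Access-Accept that carries the attributes but fails these checks leaves the port on its original Port VLAN ID, which the Monitor > VLANs pages will confirm.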
- Guest VLAN Enabled: When Guest VLAN is both globally enabled and enabled (checked) for a given port, then the switch considers moving the port into the Guest VLAN according to the following rules. This option is only available for EAPOL-based modes:
- Port-based 802.1X
- Single 802.1X
- Multi 802.1X
For troubleshooting VLAN assignments, use the Monitor > VLANs > VLAN Membership and VLAN Port pages. These pages show which modules have (temporarily) overridden the current Port VLAN configuration.
- Port State: The current state of the port. It can take one of the following values:
- Globally Disabled: NAS is globally disabled
- Link Down: NAS is globally enabled, but there is no link on the port
- Authorized: The port is in Force Authorized or a single-supplicant mode and the supplicant is authorized
- Unauthorized: The port is in Force Unauthorized or a single-supplicant mode and the supplicant is not successfully authorized by the RADIUS server
- X Auth/Y Unauth: The port is in a multi-supplicant mode. Currently, X clients are authorized and Y are unauthorized.
- Restart: Two buttons are available for each row. The buttons are only enabled when authentication is globally enabled and the port's Admin State is in an EAPOL-based or MAC-based mode. Clicking these buttons does not cause settings changed on the page to take effect.
- Reauthenticate: Schedules a re-authentication when the quiet period of the port runs out (EAPOL-based authentication). For MAC-based authentication, re-authentication is attempted immediately. The button only has an effect for successfully authenticated clients on the port and does not cause the clients to become temporarily unauthorized.
- Reinitialize: Forces a reinitialization of the clients on the port and thereby an immediate re-authentication. The clients transfer to the unauthorized state while the re-authentication is in progress.