System Configuration |
Mode |
Indicates if NAS is globally enabled or disabled on the switchstack. If globally disabled, all ports are allowed forwarding of frames. |
Reauthentication Enabled |
If checked, successfully authenticated supplicants/clients are reauthenticated after the interval specified by the Reauthentication Period. Reauthentication for 802.1X-enabled ports can be used to detect if a new device is plugged into a switch port or if a supplicant is no longer attached. For MAC-based ports, reauthentication is only useful if the RADIUS server configuration has changed. It does not involve communication between the switch and the client, and therefore doesn't imply that a client is still present on a port (see Aging Period below).
|
Reauthentication Period |
Determines the period, in seconds, after which a connected client must be reauthenticated. This is only active if the Reauthentication Enabled checkbox is checked. Valid values are 1 – 3600 seconds. |
EAPOL Timeout |
Determines the time for retransmission of Request Identity EAPOL frames.
Valid values are 1 – 65535 seconds. This has no effect for MAC-based ports. |
Aging Period |
This setting applies modes using the Port Security
functionality to secure MAC addresses, such as:
- Single 802.1X
- Multi 802.1X
- MAC-Based Auth
When the NAS module uses the Port Security module to secure MAC
addresses, the Port Security module needs to check for activity on the
MAC address in question at regular intervals and free resources if no
activity is seen within a given period of time. This parameter controls
exactly this period and can be set from 10 – 1000000 seconds.
If
reauthentication is enabled and the port is in an 802.1X-based mode, this
is not so critical, since supplicants that are no longer attached to the
port will get removed upon the next reauthentication, which will fail.
But if reauthentication is not enabled, the only way to free resources is
by aging the entries.
For ports in MAC-based Auth. mode,
reauthentication doesn't cause direct communication between the switch
and the client, so this will not detect whether the client is still
attached or not, and the only way to free any resources is to age the
entry.
|
Hold Time |
This setting applies modes using the Port Security
functionality to secure MAC addresses, such as:
- Single 802.1X
- Multi 802.1X
- MAC-Based Auth
If a client is denied access—either because the RADIUS server denies the
client access or because the RADIUS server request times out (according
to the timeout specified on the page)—the client is put on hold in the Unauthorized state.
The hold timer does not count during an ongoing authentication.
In
MAC-based Auth. mode, the The switch will ignore new frames coming from
the client during the hold time.
The Hold Time can be set
from 10 – 1000000 seconds.
|
RADIUS-Assigned QoS Enabled |
RADIUS-assigned QoS
provides a means to centrally control the traffic class to which traffic
coming from a successfully authenticated supplicant is assigned on the
switch. The RADIUS server must be configured to transmit special RADIUS
attributes to take advantage of this feature (see RADIUS-Assigned QoS
Enabled below for a detailed description). The “RADIUS-Assigned QoS
Enabled” checkbox provides a quick way to globally enable/disable
RADIUS-server assigned QoS Class functionality. When checked, the
individual ports' ditto setting determine whether RADIUS-assigned QoS
Class is enabled on that port. When unchecked, RADIUS-server assigned QoS
Class is disabled on all ports.
|
RADIUS-Assigned VLAN
Enabled |
RADIUS-assigned VLAN provides a means to centrally control the VLAN on which a successfully authenticated supplicant is placed on the switch. Incoming traffic will be classified to and switched on the RADIUS-assigned VLAN. The RADIUS server must be configured to transmit special RADIUS attributes to take advantage of this feature (see RADIUS-Assigned VLAN Enabled below for a detailed description). The RADIUS-Assigned VLAN Enabled checkbox provides a quick way to globally enable/disable RADIUS-server assigned VLAN functionality. When checked, the individual ports' ditto setting determine whether RADIUS-assigned VLAN is enabled on that port. When unchecked, RADIUS-server assigned VLAN is disabled on all ports.
|
Guest VLAN Enabled |
A Guest VLAN is a special VLAN—typically with limited network access —on which 802.1X-unaware clients are placed after a network administrator-defined timeout. The switch follows a set of rules for entering and leaving the Guest VLAN as listed below. The Guest VLAN Enabled checkbox provides a quick way to globally enable/disable Guest VLAN functionality. When checked, the individual ports' ditto setting determines whether the port can be moved into Guest VLAN. When unchecked, the ability to move to the Guest VLAN is disabled on all ports.
|
Guest VLAN ID |
This is the value that a port's Port VLAN ID is set to if a port is moved into the Guest VLAN. It is only changeable if the Guest VLAN option is globally enabled. Valid values are 1 – 4095. |
Max. Reauth. Count |
The number of times the switch transmits an EAPOL Request Identity frame without response before considering entering the Guest VLAN is adjusted with this setting. The value can only be changed if the Guest VLAN option is globally enabled. Valid values are 1 – 255. |
Allow Guest VLAN if EAPOL Seen |
The switch remembers if an EAPOL frame has been received on the port for the life-time of the port. Once the switch considers whether to enter the Guest VLAN, it will first check if this option is enabled or disabled. If disabled (unchecked; default), the switch will only enter the Guest VLAN if an EAPOL frame has not been received on the port for the life-time of the port. If enabled (checked), the switch will consider entering the Guest VLAN even if an EAPOL frame has been received on the port for the life-time of the port. The value can only be changed if the Guest VLAN option is globally enabled.
|
Port Configuration |
Port |
The port number for which the configuration below applies. |
Admin State |
If NAS is globally enabled, this selection controls the port's authentication mode. The following modes are available:
- Force Authorized. In this mode, the switch will send one EAPOL Success frame when the port link comes up, and any client on the port will be allowed network access without authentication.
- Force Unauthorized. In this mode, the switch will send one EAPOL Failure frame when the port link comes up, and any client on the port will be disallowed network access.
- Port-based 802.1X. In the
802.1X-world, the user is called the supplicant, the switch is the
authenticator, and the RADIUS server is the authentication server. The
authenticator acts as the man-in-the-middle, forwarding requests and
responses between the supplicant and the authentication server. Frames
sent between the supplicant and the switch are special 802.1X frames,
known as EAPOL (EAP Over LANs) frames. EAPOL frames encapsulate EAP
PDUs (RFC3748). Frames sent
between the switch and the RADIUS server are RADIUS packets. RADIUS
packets also encapsulate EAP PDUs together with other attributes like
the switch's IP address, name, and the supplicant's port number on the
switch. EAP is very flexible, in that it allows for different
authentication methods, like MD5-Challenge, PEAP,
and TLS. The important thing
is that the authenticator (the switch) doesn't need to know which
authentication method the supplicant and the authentication server are
using, or how many information exchange frames are needed for a
particular method. The switch simply encapsulates the EAP part of the
frame into the relevant type (EAPOL or RADIUS) and forwards it.
When authentication
is complete, the RADIUS server sends a special packet containing a
success or failure indication. Besides forwarding this decision to
the supplicant, the switch uses it to open up or block traffic on
the switch port connected to the supplicant. Note: Suppose two backend servers are enabled
and that the server timeout is configured to X seconds (using
the AAA configuration page), and suppose that the first server
in the list is currently down (but not considered dead). Now, if
the supplicant retransmits EAPOL Start frames at a rate faster
than X seconds, then it will never get authenticated, because
the switch will cancel on-going backend authentication server
requests whenever it receives a new EAPOL Start frame from the
supplicant. And since the server hasn't yet failed (because the
X seconds haven't expired), the same server will be contacted
upon the next backend authentication server request from the
switch. This scenario will loop forever. Therefore, the server
timeout should be smaller than the supplicant's EAPOL Start
frame retransmission rate.
- Single 802.1X. In port-based 802.1X
authentication, once a supplicant is successfully authenticated on a
port, the whole port is opened for network traffic. This allows other
clients connected to the port (for instance through a hub) to
piggy-back on the successfully authenticated client and get network
access even though they really aren't authenticated. To overcome this
security breach, use the Single 802.1X variant.
Single 802.1X is
really not an IEEE standard, but features many of the same
characteristics as does port-based 802.1X. In Single 802.1X, at
most one supplicant can get authenticated on the port at a time.
Normal EAPOL frames are used in the communication between the
supplicant and the switch. If more than one supplicant is connected
to a port, the one that comes first when the port's link comes up
will be the first one considered. If that supplicant doesn't
provide valid credentials within a certain amount of time, another
supplicant will get a chance. Once a supplicant is successfully
authenticated, only that supplicant will be allowed access. This is
the most secure of all the supported modes. In this mode, the Port
Security module is used to secure a supplicant's MAC address once
successfully authenticated.
- Multi 802.1X. In port-based 802.1X
authentication, once a supplicant is successfully authenticated on a
port, the whole port is opened for network traffic. This allows other
clients connected to the port (for instance through a hub) to
piggy-back on the successfully authenticated client and get network
access even though they really aren't authenticated. To overcome this
security breach, use the Multi 802.1X variant.Multi 802.1X is really
not an IEEE standard, but features many of the same characteristics as
does port-based 802.1X. ulti 802.1X is - like Single 802.1X - not an
IEEE standard, but a variant that features many of the same
characteristics. In Multi 802.1X, one or more supplicants can get
authenticated on the same port at the same time. Each supplicant is
authenticated individually and secured in the MAC table using the Port
Security module.
In
Multi 802.1X it is not possible to use the multicast BPDU MAC
address as destination MAC address for EAPOL frames sent from the
switch towards the supplicant, since that would cause all
supplicants attached to the port to reply to requests sent from the
switch. Instead, the switch uses the supplicant's MAC address,
which is obtained from the first EAPOL Start or EAPOL Response
Identity frame sent by the supplicant. An exception to this is when
no supplicants are attached. In this case, the switch sends EAPOL
Request Identity frames using the BPDU multicast MAC address as
destination - to wake up any supplicants that might be on the
port.
The
maximum number of supplicants that can be attached to a port can be
limited using the Port Security Limit Control
functionality.
- MAC-based Auth. Unlike port-based
802.1X, MAC-based authentication is not a standard, but merely a
best-practices method adopted by the industry. In MAC-based
authentication, users are called clients, and the switch acts as the
supplicant on behalf of clients. The initial frame (any kind of frame)
sent by a client is snooped by the switch, which in turn uses the
client's MAC address as both username and password in the subsequent
EAP exchange with the RADIUS server. The 6-byte MAC address is
converted to a string on the following form “xx-xx-xx-xx-xx-xx”, that
is, a dash (-) is used as separator between the lower-cased
hexadecimal digits. The switch only supports the MD5-Challenge authentication method, so the RADIUS
server must be configured accordingly.
When authentication is
complete, the RADIUS server sends a success or failure indication,
which in turn causes the switch to open up or block traffic for
that particular client, using the Port Security module. Only then
will frames from the client be forwarded on the switch. There are
no EAPOL frames involved in this authentication, and therefore,
MAC-based Authentication has nothing to do with the 802.1X
standard.
The advantage of MAC-based authentication over port-based
802.1X is that several clients can be connected to the same port
(e.g., through a third-party switch or a hub) and still require
individual authentication, and that the clients don't need special
supplicant software to authenticate. The advantage of MAC-based
authentication over 802.1X-based authentication is that the clients
don't need special supplicant software to authenticate. The
disadvantage is that MAC addresses can be spoofed by malicious
users - equipment whose MAC address is a valid RADIUS user can be
used by anyone. Also, only the MD5-Challenge method is supported.
The maximum number of clients that can be attached to a port can be
limited using the Port Security Limit Control
functionality.
|
RADIUS-Assigned QoS Enabled |
When RADIUS-Assigned QoS is both globally enabled and enabled (checked) on a given port, the switch reacts to QoS Class information carried in the RADIUS Access-Accept packet transmitted by the RADIUS server when a supplicant is successfully authenticated. If present and valid, traffic received on the supplicant's port will be classified to the given QoS Class. If (re-)authentication fails or the RADIUS Access-Accept packet no longer carries a QoS Class or it's invalid, or the supplicant is otherwise no longer present on the port, the port's QoS Class is immediately reverted to the original QoS Class (which may be changed by the administrator in the meanwhile without affecting the RADIUS-assigned).
This option is only available for single-client modes:
- Port-based 802.1X
- Single 802.1X
RADIUS attributes used in identifying a QoS Class:
Refer to the written documentation for a description of the RADIUS attributes needed in order to successfully identify a QoS Class. The User-Priority-Table attribute defined in RFC4675 forms the basis for identifying the QoS Class in an Access-Accept packet.
Only the first occurrence of the attribute in the packet will be considered, and to be valid, it must follow this rule:
All 8 octets in the attribute's value must be identical and consist of ASCII characters in the range 0 – 7, which translates into the desired QoS Class in the range [0; 7].
|
RADIUS-Assigned VLAN Enabled |
When RADIUS-Assigned VLAN is both globally enabled and enabled (checked) for a given port, the switch reacts to VLAN ID information carried in the RADIUS Access-Accept packet transmitted by the RADIUS server when a supplicant is successfully authenticated. If present and valid, the port's Port VLAN ID will be changed to this VLAN ID, the port will be set to be a member of that VLAN ID, and the port will be forced into VLAN unaware mode. Once assigned, all traffic arriving on the port will be classified and switched on the RADIUS-assigned VLAN ID. If (re-)authentication fails or the RADIUS Access-Accept packet no longer carries a VLAN ID or it's invalid, or the supplicant is otherwise no longer present on the port, the port's VLAN ID is immediately reverted to the original VLAN ID (which may be changed by the administrator in the meanwhile without affecting the RADIUS-assigned).
This option is only available for single-client modes:
- Port-based 802.1X
- Single 802.1X
For troubleshooting VLAN assignments, use the pages. These pages show which modules have (temporarily) overridden the current Port VLAN configuration.
RADIUS attributes used in identifying a VLAN ID
RFC2868 and RFC3580 form the basis for the attributes used in identifying a VLAN ID in an Access-Accept packet. The following criteria are used:
- The Tunnel-Medium-Type, Tunnel-Type, and Tunnel-Private-Group-ID attributes must all be present at least once in the Access-Accept packet.
- The switch looks for the first set of these attributes that have the same Tag value and fulfil the following requirements (if Tag == 0 is used, the Tunnel-Private-Group-ID does not need to include a Tag):
- Value of Tunnel-Medium-Type must be set to “IEEE-802” (ordinal 6).
- Value of Tunnel-Type must be set to “VLAN” (ordinal 13).
- Value of Tunnel-Private-Group-ID must be a string of ASCII chars in the range 0 – 9, which is interpreted as a decimal string representing the VLAN ID. Leading zeros are discarded. The final value must be in the range [1; 4095].
|
Guest VLAN Enabled |
When Guest VLAN is both globally enabled and enabled (checked) for a given port, the switch considers moving the port into the Guest VLAN according to the rules outlined below.
This option is only available for EAPOL-based modes, that is:
- Port-based 802.1X
- Single 802.1X
- Multi 802.1X
For troubleshooting VLAN assignments, use the pages. These pages show which modules have (temporarily) overridden the current Port VLAN configuration.
Guest VLAN Operation
When a Guest VLAN enabled port's link comes up, the switch starts transmitting EAPOL Request Identity frames. If the number of transmissions of such frames exceeds Max. Reauth. Count and no EAPOL frames have been received in the meanwhile, the switch considers entering the Guest VLAN. The interval between transmission of EAPOL Request Identity frames is configured with EAPOL Timeout. If Allow Guest VLAN if EAPOL Seen is enabled, the port will now be placed in the Guest VLAN. If disabled, the switch will first check its history to see if an EAPOL frame has previously been received on the port (this history is cleared if the port link goes down or the port's Admin State is changed), and if not, the port will be placed in the Guest VLAN. Otherwise it will not move to the Guest VLAN, but continue transmitting EAPOL Request Identity frames at the rate given by EAPOL Timeout.
Once in the Guest VLAN, the port is considered authenticated, and all attached clients on the port are allowed access on this VLAN. The switch will not transmit an EAPOL Success frame when entering the Guest VLAN.
While in the Guest VLAN, the switch monitors the link for EAPOL frames, and if one such frame is received, the switch immediately takes the port out of the Guest VLAN and starts authenticating the supplicant according to the port mode. If an EAPOL frame is received, the port will never be able to go back into the Guest VLAN if the “Allow Guest VLAN if EAPOL Seen” is disabled.
|
Port State |
The current state of the port. It can undertake one of the following values:
- Globally Disabled: NAS is globally disabled.
- Link Down: NAS is globally enabled, but there is no link on the port.
- Authorized: The port is in Force Authorized or a single-supplicant mode and the supplicant is authorized.
Unauthorized: The port is in Force Unauthorized or a single-supplicant mode and the supplicant is not successfully authorized by the RADIUS server.
- X Auth/Y Unauth: The port is in a multi-supplicant mode. Currently X clients are authorized and Y are unauthorized.
|
Restart |
Two buttons are available for each row. The buttons are only enabled when authentication is globally enabled and the port's Admin State is in an EAPOL-based or MAC-based mode. Clicking these buttons will not cause settings changed on the page to take effect.
- Reauthenticate: Schedules a reauthentication whenever the quiet-period of the port runs out (EAPOL-based authentication). For MAC-based authentication, reauthentication will be attempted immediately.
- The button only has effect for successfully authenticated clients on the port and will not cause the clients to get temporarily unauthorized.
- Reinitialize: Forces a reinitialization of the clients on the port and thereby a reauthentication immediately. The clients will transfer to the unauthorized state while the reauthentication is in progress.
|