1. Home
  2. D-Link
  3. D-Link DIS-300G-8PSW User Manual
  4. Page 80

D-Link DIS-300G-8PSW Industrial Gigabit Managed PoE Switch with SFP slots

User Manual - Page 80

For DIS-300G-8PSW.

PDF File Manual, 335 pages, Read Online | Download pdf file

DIS-300G-8PSW photo
Loading ...
Loading ...
Loading ...
80
requests sent from the switch. Instead, the switch uses the supplicant's MAC
address, which is obtained from the first EAPOL Start or EAPOL Response Identity
frame sent by the supplicant. An exception to this is when no supplicants are
attached. In this case, the switch sends EAPOL Request Identity frames using the
BPDU multicast MAC address as destination - to wake up any supplicants that might
be on the port.
The maximum number of supplicants that can be attached to a port can be limited
using the Port Security Limit Control functionality.
MAC-based Auth
Unlike port-based 802.1X, MAC-based authentication is not a standard, but merely a
best-practices method adopted by the industry. In MAC-based authentication, users
are called clients, and the switch acts as the supplicant on behalf of clients. The initial
frame (any kind of frame) sent by a client is snooped by the switch, which in turn
uses the client's MAC address as both username and password in the subsequent
EAP exchange with the RADIUS server. The 6-byte MAC address is converted to a
string on the following form "xx-xx-xx-xx-xx-xx", that is, a dash (-) is used as
separator between the lower-cased hexadecimal digits. The switch only supports the
MD5-Challenge authentication method, so the RADIUS server must be configured
accordingly.
When authentication is complete, the RADIUS server sends a success or failure
indication, which in turn causes the switch to open up or block traffic for that
particular client, using the Port Security module. Only then will frames from the client
be forwarded on the switch. There are no EAPOL frames involved in this
authentication, and therefore, MAC-based Authentication has nothing to do with the
802.1X standard.
The advantage of MAC-based authentication over 802.1X-based authentication is
that the clients don't need special supplicant software to authenticate. The
disadvantage is that MAC addresses can be spoofed by malicious users - equipment
whose MAC address is a valid RADIUS user can be used by anyone. Also, only the
MD5-Challenge method is supported. The maximum number of clients that can be
attached to a port can be limited using the Port Security Limit Control functionality.
RADIUS-Assigned QoS
Enabled
When RADIUS-Assigned QoS is both globally enabled and enabled (checked) on a
given port, the switch reacts to QoS Class information carried in the RADIUS Access-
Accept packet transmitted by the RADIUS server when a supplicant is successfully
authenticated. If present and valid, traffic received on the supplicant's port will be
classified to the given QoS Class. If (re-)authentication fails or the RADIUS Access-
Accept packet no longer carries a QoS Class or it's invalid, or the supplicant is
Loading ...
Loading ...
Loading ...