
Configuring Port Authentication 802

Port-based authentication authenticates users on a per-port/per-MAC basis via an external server. Only authenticated and approved system users can transmit and receive data. Ports are authenticated via the RADIUS server using the Extensible Authentication Protocol (EAP). The 802.1X Access Control protocol consists of the following vital components, which stabilize Access Control Security:

Component Description

Authenticators: The Authenticator is an intermediary between the Authentication Server and the Client. The authenticator:

Requests certification information via the Client (EAPOL packets). The EAPOL packets are the only information allowed to pass between supplicants and the authentication server until the authenticator is granted system access.

Verifies the information gathered from the Client with the Authentication Server, and relays the information to the Client.

Supplicants/Clients: Specifies the host connected to the authenticated port requesting to access the system services.

Authentication Server: Specifies the server that performs the authentication on behalf of the authenticator, and indicates whether the supplicant is authorized to access system services.

The Authentication Server is a remote device connected to the Client network and Authenticator. The Authentication Server must have RADIUS Server application enabled and configured. Clients connected to a port on the Switch must be authenticated by the Authentication Server before accessing any system services. The Authentication Server certifies the client’s identity attempting to access the network by exchanging secure information between the RADIUS server and the Client.

Port-based authentication creates two access states:

State Description

Controlled Access: Permits communication between the supplicant and the system, if the supplicant is authorized.

Uncontrolled Access: Permits uncontrolled communication regardless of the port state.

To enable 802.1X:

1. Click Security > 802.1X Setting. The 802.1X Setting Page opens:

Figure 5-12. 802.1X Setting Page

The 802.1X Setting Page contains the following fields:

Field Description

802.1X: Indicates if 802.1X is enabled on the device. The possible field values are:

Enabled — Enables 802.1X on the device.

Disabled — Disables 802.1X on the device. This is the default value.

QuietPeriod (0-65535) sec: Indicates the number of seconds that the device remains in the quiet state following a failed authentication exchange. The possible field range is 0-65535. The field default is 60 seconds.

SuppTimeout (1-65535) sec: Indicates the amount of time that lapses before EAP requests are resent to the supplicant. The field value is in seconds. The field default is 30 seconds.

ServerTimeout (1-65535) sec: Defines the amount of time that lapses before the device re-sends a request to the authentication server. The field value is specified in seconds. The field default is 30 seconds.

MaxReq (1-10) times: Displays the total amount of EAP requests sent. If a response is not received after the defined period, the authentication process is restarted. The field default is 2 retries.

TxPeriod (1-65535) sec: Defines the amount of time (in seconds) that lapses before EAP requests are resent. The field default is 30 seconds.

Field Description value.

Disabled — Disables re-authenticating the port or MAC addresses after the port or MAC address authentication has timed out.

Control: Indicates the host status. If there is an asterisk (*), the port is either not linked or is down. The possible field values are:

ForceUnauthorized — Indicates that either the port control is Force Unauthorized and the port link is down, or the port control is Auto but a client has not been authenticated via the port.

ForceAuthorized — Indicates that the port control is Forced Authorized, and clients have full port access.

Auto — Indicates that the port control is Auto. The user has to authenticate and get full access.

Unit: Indicates the stacking member for which the 802.1X parameters are defined.

From Port: Indicates the first port for which the 802.1X parameters are defined.

To Port: Indicates the last port for which the 802.1X parameters are defined.

Mode: Indicates the 802.1X mode enabled on the device. The possible field values are:

Port Base — Enables 802.1X on ports. This is the default value.

MAC Base — Enables 802.1X on MAC addresses.

2. Enable or disable the 802.1X status in the 802.1X field.

3. Define the Mode field.

4. In the 802.1X Port Access Control section, define the fields.

5. Set the ReAuthEnabled field and the Control fields.

6. Set the values in the Unit, From Port, and To Port fields.

7. Click . The 802.1X Access Control is configured, and the device is updated.

MAC Authentication (MAC-Based MAC Access Control)

MAC Authentication is configured on the DGS-3100 series via the ‘802.1X Setting’ web page.

This functionality enables the user to allow specific MAC addresses to access the switch while rejecting unauthorized MAC addresses. The database of authorized MAC addresses resides on a RADIUS server.

NOTE: The system does not support dynamic VLAN assignment within MAC-based authentication via the RADIUS server.

To enable MAC Authentication:

1. Click Security > 802.1X Setting. The 802.1X Setting Page opens:

The 802.1X Setting Page contains the following fields:

Field Description

802.1X: Indicates if 802.1X is enabled on the device. The possible field values are:

Enabled — Enables 802.1X (and MAC Authentication) on the device.

Disabled — Disables 802.1X on the device. This is the default value.

QuietPeriod (0-65535) sec: Indicates the number of seconds that the device remains in the quiet state following a failed authentication exchange. The possible field range is 0-65535. The field default is 60 seconds.

SuppTimeout (1-65535) sec: Indicates the amount of time that lapses before EAP requests are resent to the supplicant. The field value is in seconds. The field default is 30 seconds.

ServerTimeout (1-65535) sec: Defines the amount of time that lapses before the device re-sends a request to the authentication server. The field value is specified in seconds. The field default is 30 seconds.

MaxReq (1-10) times: Displays the total amount of EAP requests sent. If a response is not received after the defined period, the authentication process is restarted. The field default is 2 retries.

TxPeriod (1-65535) sec: Defines the amount of time (in seconds) that lapses before EAP requests are resent. The field default is 30 seconds.

Field Description value.

Disabled — Disables re-authenticating the port or MAC addresses after the port or MAC address authentication has timed out.

Control: Indicates the host status. If there is an asterisk (*), the port is either not linked or is down. The possible field values are:

ForceUnauthorized — Indicates that either the port control is Force Unauthorized and the port link is down, or the port control is Auto but a client has not been authenticated via the port.

ForceAuthorized — Indicates that the port control is Forced Authorized, and clients have full port access.

Auto — Indicates that the port control is Auto and at least a single client or a single MAC has been authenticated via the port.

Unit: Indicates the stacking member for which the 802.1X parameters are defined.

From Port: Indicates the first port for which the 802.1X parameters are defined.

To Port: Indicates the last port for which the 802.1X parameters are defined.

Mode: Indicates the 802.1X mode enabled on the device. The possible field values are:

Port Base — Enables 802.1X on ports. This is the default value.

MAC Base — Enables 802.1X on MAC addresses.

2. Enable or disable the 802.1X status in the 802.1X field.

3. Define the Mode field (MAC Base for MAC Authentication).

4. In the 802.1X Port Access Control section, define the time fields.

5. Set the ReAuthEnabled field and the Control fields.

6. Set the values in the Unit, From Port, and To Port fields.

7. Click . The MAC Authentication is configured, and the device is updated.

To activate MAC-based authentication, the user should first enable 802.1X globally on the switch, and then define the port(s) to be configured for MAC Authentication.

In the Mode control, the user needs to select the ‘MAC Base’ option.

In addition, the user needs to switch the ‘port Control’ to Auto and enable reauthentication. To complete the configuration, the port must be a member of the guest VLAN.
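As an added example (not D-Link code and not part of the original manual), the Python script below audits an 802.1X configuration against the field ranges on the 802.1X Setting Page and the MAC Authentication prerequisites listed above. The dictionary layout and the GuestVlanMember key are assumptions made for illustration, and the sample data is constructed.

```python
# Field ranges as printed on the 802.1X Setting Page.
RANGES = {"QuietPeriod": (0, 65535), "SuppTimeout": (1, 65535),
          "ServerTimeout": (1, 65535), "MaxReq": (1, 10), "TxPeriod": (1, 65535)}
# Defaults stated on the page, used to build the constructed sample below.
DEFAULTS = {"QuietPeriod": 60, "SuppTimeout": 30, "ServerTimeout": 30,
            "MaxReq": 2, "TxPeriod": 30}


def audit_dot1x(cfg):
    """Return findings for one device config (hypothetical dict layout)."""
    findings = []
    if cfg.get("802.1X") != "Enabled":
        findings.append("global: 802.1X is Disabled, so no port authenticates clients")
    for port in cfg.get("ports", []):
        name = f"{port['Unit']}:{port['Port']}"
        for field, (low, high) in RANGES.items():
            value = port.get(field)
            if not isinstance(value, int) or not low <= value <= high:
                findings.append(f"{name}: {field}={value!r} is outside {low}-{high}")
        control = port.get("Control")
        if control == "ForceAuthorized":
            findings.append(f"{name}: ForceAuthorized gives clients full port access")
        if port.get("Mode") == "MAC Base":
            # Prerequisites the section lists for MAC Authentication.
            if control != "Auto":
                findings.append(f"{name}: MAC Base requires Control=Auto")
            if port.get("ReAuthEnabled") != "Enabled":
                findings.append(f"{name}: MAC Base requires ReAuthEnabled")
            if not port.get("GuestVlanMember"):  # hypothetical key name
                findings.append(f"{name}: MAC Base port is not in the guest VLAN")
    return findings


# Constructed sample, not taken from a real switch.
SAMPLE = {"802.1X": "Enabled", "ports": [
    {"Unit": 1, "Port": 1, "Mode": "Port Base", "Control": "Auto",
     "ReAuthEnabled": "Enabled", **DEFAULTS},
    {"Unit": 1, "Port": 2, "Mode": "MAC Base", "Control": "ForceAuthorized",
     "ReAuthEnabled": "Disabled", "GuestVlanMember": False,
     **DEFAULTS, "MaxReq": 12},
]}

if __name__ == "__main__":
    for line in audit_dot1x(SAMPLE):
        print(line)
```

Port 1:1 in the sample passes cleanly; port 1:2 is flagged for the out-of-range MaxReq, the ForceAuthorized control, and the three unmet MAC Base prerequisites.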

Configuring MAC Authentication (by using Guest VLAN, 802.1X
