Enterasys 6000 Betriebsanweisung
Overview of Security Methods
3-22
Accessing Local Management
3.6.3.3
Concurrent Operation of 802.1X and MAC Authentication
This section defines the precedence rules to determine which authentication method, 802.1X
(EAP) or MAC Authentication has control over an interface. Setting the 802.1X and MAC port
authentication is described in
(EAP) or MAC Authentication has control over an interface. Setting the 802.1X and MAC port
authentication is described in
.
When both methods are enabled, 802.1X takes precedence over MAC Authentication when a user
is authenticated using the 802.1X method. If the port or MAC remains unauthenticated in 802.1X,
then MAC authentication is active and may authenticate the next MAC address received on that
port.
is authenticated using the 802.1X method. If the port or MAC remains unauthenticated in 802.1X,
then MAC authentication is active and may authenticate the next MAC address received on that
port.
You can configure MAC Authentication and 802.1X to run concurrently on the same module, but
exclusively on distinct interfaces of that module. To achieve this, the 802.1X port behavior in the
force-unauthorized state is overloaded. When 802.1X and MAC Authentication are enabled, set
the 802.1X MIB to force-unauthorized for the interface in question and enable
MAC Authentication. This allows the MAC Authentication to run unhindered by 802.1X on that
interface. This, in effect, disables all 802.1X control over that interface. However, if a default
policy exists on that port, the switch forwards the frames according to that policy, otherwise the
switch drops them.
exclusively on distinct interfaces of that module. To achieve this, the 802.1X port behavior in the
force-unauthorized state is overloaded. When 802.1X and MAC Authentication are enabled, set
the 802.1X MIB to force-unauthorized for the interface in question and enable
MAC Authentication. This allows the MAC Authentication to run unhindered by 802.1X on that
interface. This, in effect, disables all 802.1X control over that interface. However, if a default
policy exists on that port, the switch forwards the frames according to that policy, otherwise the
switch drops them.
If a switch port is configured to enable both 802.1X and MAC Authentication, then it is possible
for the switch to receive a start or a response 802.1X frame while a MAC Authentication is in
progress. If this situation, the switch immediately aborts MAC Authentication. The 802.1X
authentication then proceeds to completion. After the 802.1X login completes, the user has either
succeeded and gained entry to the network, or failed and is denied access to the network. After the
802.1X login attempt, no new MAC Authentication logins occur on this port until:
for the switch to receive a start or a response 802.1X frame while a MAC Authentication is in
progress. If this situation, the switch immediately aborts MAC Authentication. The 802.1X
authentication then proceeds to completion. After the 802.1X login completes, the user has either
succeeded and gained entry to the network, or failed and is denied access to the network. After the
802.1X login attempt, no new MAC Authentication logins occur on this port until:
•
A link is toggled.
•
The user executes an 802.1X logout.
•
Management terminates the 802.1X session.
When a port is set for concurrent use of MAC and 802.1X authentication, the switch continues to
issue EAPOL request/id frames until a MAC Authentication succeeds or the switch receives an
EAPOL response/id frame.
issue EAPOL request/id frames until a MAC Authentication succeeds or the switch receives an
EAPOL response/id frame.
NOTE: The switch may terminate a session in many different ways. All of these
reactivate the MAC authentication method. Refer to
reactivate the MAC authentication method. Refer to
relationship between MAC and 802.1X authentication.