Allied Telesis AT-S63 User Manual
Chapter 31: 802.1x Port-based Network Access Control
362
Section VIII: Port Security
Note
A supplicant connected to an authenticator port set to force-
authorized must have 802.1x client software if the port’s
authenticator mode is 802.1x. Though the force-authorized setting
prevents an authentication exchange, the supplicant must still have
the client software to forward traffic through the port.
authorized must have 802.1x client software if the port’s
authenticator mode is 802.1x. Though the force-authorized setting
prevents an authentication exchange, the supplicant must still have
the client software to forward traffic through the port.
Force-unauthorized - Causes the port to remain in the unauthorized
state, ignoring all attempts by the supplicant to authenticate. The port
forwards EAPOL frames, but discards all other traffic. This setting is
analogous to disabling a port.
state, ignoring all attempts by the supplicant to authenticate. The port
forwards EAPOL frames, but discards all other traffic. This setting is
analogous to disabling a port.
As mentioned earlier, the switch itself does not authenticate the user
names and passwords from the clients. That function is performed by the
authentication server and the RADIUS server software. The switch acts as
an intermediary for the authentication server by denying access to the
network by the client until the client has been validated by the
authentication server.
names and passwords from the clients. That function is performed by the
authentication server and the RADIUS server software. The switch acts as
an intermediary for the authentication server by denying access to the
network by the client until the client has been validated by the
authentication server.
Supplicant Role
A switch port in the supplicant role acts as a client. The port assumes it
must log in by providing a valid user name and password to whatever
device it is connected to, typically another switch port.
must log in by providing a valid user name and password to whatever
device it is connected to, typically another switch port.
Figure 39 illustrates the port role. Port 11 on switch B has been set to the
supplicant role. Now, whenever switch B is power cycled or reset and
initiates a link with switch A, it must log on by providing a username and
password. (You enter this information when you configure the port for the
supplicant role.)
supplicant role. Now, whenever switch B is power cycled or reset and
initiates a link with switch A, it must log on by providing a username and
password. (You enter this information when you configure the port for the
supplicant role.)
Figure 39. Example of the Supplicant Role
Switch A
Switch B
FAULT
RPS
MASTER
POWER
CLASS 1
LASER PRODUCT
STATUS
TERMINAL
PORT
1
3
5
7
9
11
2
4
6
8
10
12
13
15
17
19
21
23R
14
16
18
20
22
24R
AT-9424T/SP
Gigabit Ethernet Switch
1
3
5
7
9
11
13
15
17
19
21
23R
2
4
6
8
10
12
14
16
18
20
22
24R
23
24
L/A
D/C
D/C
L/A
D/C
L/A
1000 LINK / ACT
HDX / COL
FDX
10/100 LINK / ACT
PORT ACTIVITY
L/A
1000 LINK / ACT
SFP
SFP
24
SFP
23
FAULT
RPS
MASTER
POWER
CLASS 1
LASER PRODUCT
STATUS
TERMINAL
PORT
1
3
5
7
9
11
2
4
6
8
10
12
13
15
17
19
21
23R
14
16
18
20
22
24R
AT-9424T/SP
Gigabit Ethernet Switch
1
3
5
7
9
11
13
15
17
19
21
23R
2
4
6
8
10
12
14
16
18
20
22
24R
23
24
L/A
D/C
D/C
L/A
D/C
L/A
1000 LINK / ACT
HDX / COL
FDX
10/100 LINK / ACT
PORT ACTIVITY
L/A
1000 LINK / ACT
SFP
SFP
24
SFP
23
Port 6
in
Authenticator
Role
in
Authenticator
Role
Port 11
in Supplicant Role
in Supplicant Role
RADIUS
Authentication
Server
Authentication
Server