Netgear XCM8810 - 8800 SERIES 10-SLOT CHASSIS SWITCH User's Manual

Chapter 16.  Network Login  
NETGEAR 8800 User Manual 
Note: Network login is not supported on BlackDiamond 20800 series switches.
The remainder of this section describes the following topics:
Web-Based, MAC-Based, and 802.1x Authentication
Authentication is handled as a web-based process, MAC-based process, or as described in 
the IEEE 802.1x specification. Web-based network login does not require any specific client 
software and can work with any HTTP-compliant web browser. By contrast, 802.1x 
authentication may require additional software installed on the client workstation, making it 
less suitable for a user walk-up situation, such as a cyber-café or coffee shop. A workstation 
running Windows 2000 Service Pack 4 or Windows XP supports 802.1x natively and does not 
require additional authentication software. NETGEAR supports a smooth transition from 
web-based to 802.1x authentication.
MAC-based authentication is used for supplicants that do not support a network login mode, 
or supplicants that are not aware of the existence of such security measures, for example an 
IP phone.
If a MAC address is detected on a network login port that has MAC-based authentication 
enabled, an authentication request is sent once to the AAA application. AAA tries to 
authenticate the MAC address against the configured Remote Authentication Dial-In User 
Service (RADIUS) server and its configured parameters (timeout, retries, and so on) or 
against the configured local database.
The credentials used for this are the supplicant’s MAC address in ASCII representation and a 
locally configured password on the switch. If no password is configured, the MAC address is 
also used as the password. You can also group MAC addresses together using a mask.
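The MAC-based credential rule above, modelled as an added example (not code from the manual or the switch firmware). The 12-digit uppercase ASCII form, prefix-length masks, longest-match selection, and all names and sample addresses are assumptions of the example.

```python
# Added example: model of the MAC-based network login credential rule.
# Assumptions (not from the manual): the MAC is rendered as 12 uppercase hex
# digits, masks are prefix lengths in bits, and the longest matching prefix wins.
from typing import List, NamedTuple, Optional, Tuple

class MacEntry(NamedTuple):
    mac: str                        # configured address, e.g. "00:04:96:00:00:00"
    mask_bits: int = 48             # 48 = exact match, 24 = vendor prefix (OUI)
    password: Optional[str] = None  # None = no password configured

def mac_to_int(mac: str) -> int:
    digits = mac.replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)

def mac_ascii(mac: str) -> str:
    """ASCII representation used as the user name (assumed format)."""
    return f"{mac_to_int(mac):012X}"

def match_entry(mac: str, entries: List[MacEntry]) -> Optional[MacEntry]:
    """Return the most specific configured entry that covers mac, or None."""
    value, best = mac_to_int(mac), None
    for entry in entries:
        shift = 48 - entry.mask_bits
        if value >> shift == mac_to_int(entry.mac) >> shift:
            if best is None or entry.mask_bits > best.mask_bits:
                best = entry
    return best

def credentials(mac: str, entries: List[MacEntry]) -> Optional[Tuple[str, str]]:
    """(user name, password) handed to AAA, or None if no entry matches."""
    entry = match_entry(mac, entries)
    if entry is None:
        return None
    user = mac_ascii(mac)
    # No configured password: the MAC address doubles as the password.
    return user, entry.password if entry.password is not None else user

def weak_entries(entries: List[MacEntry]) -> List[MacEntry]:
    """Audit helper: entries whose password falls back to the MAC itself."""
    return [e for e in entries if e.password is None]

# Constructed sample list, not taken from any real configuration.
MAC_LIST = [
    MacEntry("00:04:96:00:00:00", 24),                    # whole vendor prefix
    MacEntry("00:01:30:70:0C:00", 48, "example-secret"),  # single device
]
```

Entries returned by weak_entries() authenticate with a value that is visible in every frame the device sends, so they are the ones to review first when auditing a MAC list.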
Dynamic Host Configuration Protocol (DHCP) is required for web-based network login because 
the underlying protocol used to carry the authentication request and response is HTTP. The 
client requires an IP address to send and receive HTTP packets. Before the client is 
authenticated, however, the only connection that exists is to the authenticator. As a result, 
the authenticator must be furnished with a temporary DHCP server to distribute the IP address. 
The switch responds to DHCP requests for unauthenticated clients when DHCP parameters 
such as dhcp-address-range and dhcp-options are configured on the network login VLAN. 
The switch can also answer DHCP requests following authentication if DHCP is enabled on 
the specified VLAN. If network login clients are required to obtain DHCP leases from an 
external DHCP server elsewhere on the network, DHCP should not be enabled on the VLAN.