Netgear XCM8810 - 8800 SERIES 10-SLOT CHASSIS SWITCH User's Manual

Chapter 16.  Network Login  
NETGEAR 8800 User Manual 
Disadvantages of 802.1x Authentication:
• 802.1x native support is available only on newer operating systems, such as Windows XP.
• 802.1x requires an EAP-capable RADIUS Server. Most current RADIUS servers support EAP, so this is not a major disadvantage.
• Transport Layer Security (TLS) and Tunneled TLS (TTLS) authentication methods involve Public Key Infrastructure (PKI), which adds to the administrative requirements.
Multiple Supplicant Support
An important enhancement over the IEEE 802.1x standard is that NETGEAR 8800 supports 
multiple clients (supplicants) to be individually authenticated on the same port. This feature 
makes it possible for two or more client stations to be connected to the same port, with some 
being authenticated while others are not. A port's authentication state is the logical “OR” of 
the individual MACs' authentication states. In other words, a port is authenticated if any of its 
connected clients is authenticated. Multiple clients can be connected to a single port of 
the authentication server through a hub or Layer 2 switch.
Multiple supplicants are supported in ISP mode for web-based, 802.1x, and MAC-based 
authentication. In addition, multiple supplicants are supported in Campus mode if you 
configure and enable network login MAC-based VLANs. For more information, see 
The choice of web-based versus 802.1x authentication is again on a per-MAC basis. Among 
multiple clients on the same port, it is possible that some clients use web-based mode to 
authenticate, and some others use 802.1x, but the restriction is that they must be in the same 
untagged VLAN. This restriction is not applicable if you configure network login MAC-based 
VLANs. For more information, see 
Note: With multiple supplicant support, after the first MAC is authenticated, 
the port is transitioned to the authenticated state and other 
unauthenticated MACs can listen to all data destined for the first 
MAC. Be aware of this as unauthenticated MACs can listen to all 
broadcast and multicast traffic directed to a network 
login-authenticated port.
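The following added example (not from the NETGEAR manual) models the rules above in Python: port state as the OR of per-MAC states, unauthenticated MACs sharing an authenticated port, and the same-untagged-VLAN restriction for mixed web-based and 802.1x clients. The session record layout, port names, MAC addresses and VLAN names are constructed assumptions, not switch output.

```python
from collections import defaultdict

# Constructed sample data: (port, mac, method, authenticated, untagged_vlan).
# The record layout is an assumption, not the switch's own output format.
SESSIONS = [
    ("1:1", "00:11:22:33:44:01", "dot1x", True,  "corp"),
    ("1:1", "00:11:22:33:44:02", "web",   False, "corp"),
    ("1:2", "00:11:22:33:44:03", "dot1x", False, "corp"),
    ("1:3", "00:11:22:33:44:04", "dot1x", True,  "corp"),
    ("1:3", "00:11:22:33:44:05", "web",   True,  "guest"),
]

def audit(sessions, mac_based_vlans=frozenset()):
    """Return per-port findings derived from the multiple-supplicant rules.

    mac_based_vlans: ports where network login MAC-based VLANs are enabled,
    which lifts the same-untagged-VLAN restriction (hypothetical parameter).
    """
    by_port = defaultdict(list)
    for port, mac, method, authed, vlan in sessions:
        by_port[port].append((mac, method, authed, vlan))

    report = {}
    for port, clients in by_port.items():
        # Port state is the logical OR of the per-MAC states.
        port_authed = any(authed for _, _, authed, _ in clients)
        # Unauthenticated MACs on an authenticated port can still receive
        # broadcast and multicast traffic directed to that port.
        listeners = [mac for mac, _, authed, _ in clients
                     if port_authed and not authed]
        methods = {method for _, method, _, _ in clients}
        vlans = {vlan for _, _, _, vlan in clients}
        # Mixed web-based and 802.1x clients must share one untagged VLAN
        # unless MAC-based VLANs are configured on the port.
        vlan_conflict = ({"web", "dot1x"} <= methods and len(vlans) > 1
                         and port not in mac_based_vlans)
        report[port] = {"authenticated": port_authed,
                        "unauth_listeners": listeners,
                        "vlan_conflict": vlan_conflict}
    return report

if __name__ == "__main__":
    for port, finding in sorted(audit(SESSIONS).items()):
        print(port, finding)
```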
Campus and ISP Modes
Network login supports two modes of operation, Campus and ISP. Campus mode is intended 
for mobile users who tend to move from one port to another and connect at various locations 
in the network. ISP mode is meant for users who connect through the same port and VLAN 
each time (the switch functions as an ISP).