Avaya P3343T-ML User Manual

Chapter 11        Avaya P330 Layer 2 Features
Avaya P334T-ML User’s Guide
Port Based Network Access Control (PBNAC)
Port Based Network Access Control (IEEE 802.1X) is a method for performing 
authentication to obtain access to IEEE 802 LANs. The protocol defines an 
interaction between 3 entities:
• Supplicant — an entity at one end of a point-to-point LAN segment that is being 
  authenticated by an authenticator attached to the other end of that link.
• Authenticator — an entity at one end of a point-to-point LAN segment that 
  facilitates authentication of the entity attached to the other end of that link; in 
  this case, the P330.
• Authentication (RADIUS) Server — an entity that provides an authentication 
  service to an authenticator. This service determines, from the credentials 
  provided by the supplicant, whether the supplicant is authorized to access the 
  services provided by the authenticator.
The process begins with the supplicant trying to access a certain restricted network 
resource, and upon successful authentication by the authentication server, the 
supplicant is granted access to the network resources.
How “Port Based” Authentication Works
802.1X provides a means of authenticating and authorizing users attached to a LAN 
port and of preventing access to that port in cases where the authentication process 
fails. The authentication procedure is port based, which means:
• Access control is achieved by enforcing authentication on connected ports.
• If an end-point station that connects to a port is not authorized, the port state is 
  set to “unauthorized”, which closes the port to any traffic.

As a result of an authentication attempt, the P330 port can be either in a 
“blocked” or a “forwarding” state.
802.1X interacts with existing standards to perform its authentication operation. 
Specifically, it makes use of Extensible Authentication Protocol (EAP) messages 
encapsulated within Ethernet frames (EAPOL), and EAP over RADIUS for the 
communication between the Authenticator and the Authentication Server.
PBNAC Implementation in the P330 Family
This section lists the conditions that govern the implementation of the 802.1X 
standard in the P330 line:
• You can configure PBNAC on the 10/100 Mbps Ethernet ports only.
• PBNAC can work only if a RADIUS server is configured on the P330 and the 
  RADIUS server is carefully configured to support 802.1X.
• PBNAC and port/intermodule redundancy can coexist on the same ports.
• PBNAC and LAGs can coexist on the same ports.
• PBNAC and Spanning Tree can be simultaneously active on a module.

Note: If either PBNAC or STP/RSTP are in a blocking state, the final state of the port