Security: 802.1X Authentication
Overview
Cisco Sx350, SG350X, SG350XG, Sx550X & SG550XG Series Managed Switches, Firmware Release 2.2.5.x
In this case, the switch supports EAP MD5 functionality with the username and password
equal to the client MAC address, as shown below.
Figure 2 MAC-Based Authentication (diagram: Client, Authenticator, Authentication Server; labels: User Data, EAP Protocol, RADIUS Protocol, Username = MAC address, Password = MAC address)
The method does not have any specific configuration.
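The following is an added example, not code from the guide or from Cisco, that walks through the EAP-MD5 exchange behind MAC-based authentication with both sides computing the challenge response. It assumes the RFC 3748 MD5-Challenge construction (MD5 over identifier, secret and challenge) and a constructed credential format of lower-case hex with no separators; the class names, the in-memory MAC database and the allow-list values are this example's own.

```python
import hashlib
import hmac
import os

# Assumed credential format: lower-case hex with no separators. The real switch
# offers several MAC formats; this one is a constructed choice for the example.
def mac_credential(mac: str) -> str:
    """Normalise a MAC address into the string used as both username and password."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

def eap_md5_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """EAP-MD5 Response Value (RFC 3748 section 5.4): MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret.encode("ascii") + challenge).digest()

class Supplicant:
    """Client side of the exchange. For MAC-based authentication the credential is
    derived from the MAC, so a client with no 802.1X software can still be admitted."""
    def __init__(self, mac: str, password=None):
        self.identity = mac_credential(mac)
        # Password defaults to the MAC credential, as the guide describes.
        self.password = self.identity if password is None else password

    def respond_identity(self) -> str:
        return self.identity                      # EAP-Response/Identity

    def respond_challenge(self, identifier: int, challenge: bytes) -> bytes:
        return eap_md5_response(identifier, self.password, challenge)  # EAP-Response/MD5-Challenge

class AuthenticationServer:
    """Constructed stand-in for the RADIUS server that terminates EAP-MD5.
    Its user database maps username -> password; for MAC-based entries both
    are the MAC credential."""
    def __init__(self, allowed_macs):
        self.users = {mac_credential(m): mac_credential(m) for m in allowed_macs}
        self.pending = {}   # identifier -> (username, challenge) awaiting a response

    def start(self, username: str, identifier: int) -> bytes:
        """Issue EAP-Request/MD5-Challenge with a fresh random challenge."""
        challenge = os.urandom(16)
        self.pending[identifier] = (username, challenge)
        return challenge

    def verify(self, identifier: int, response: bytes) -> bool:
        """Access-Accept (True) or Access-Reject (False) for the received response."""
        pending = self.pending.pop(identifier, None)
        if pending is None:
            return False                      # no outstanding challenge for this identifier
        username, challenge = pending
        password = self.users.get(username)
        if password is None:
            return False                      # MAC not in the database
        expected = eap_md5_response(identifier, password, challenge)
        return hmac.compare_digest(expected, response)

def authenticate(server: AuthenticationServer, supplicant: Supplicant, identifier: int = 1) -> bool:
    """Authenticator (switch) role: relay EAP between supplicant and server and
    return whether the port is to be authorized."""
    username = supplicant.respond_identity()
    challenge = server.start(username, identifier)
    response = supplicant.respond_challenge(identifier, challenge)
    return server.verify(identifier, response)

if __name__ == "__main__":
    srv = AuthenticationServer(["00:11:22:AA:BB:CC"])          # constructed allow-list
    print(authenticate(srv, Supplicant("00-11-22-aa-bb-cc")))   # True
    print(authenticate(srv, Supplicant("00:11:22:AA:BB:DD")))   # False
```

Because the password is the MAC address itself, this method identifies a device rather than proving possession of a secret, and EAP-MD5 gives the client no way to verify the server; it is best treated as a convenience for devices that cannot run a supplicant, with the accept list on the RADIUS server as the real control.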
WEB-Based Authentication
WEB-based authentication is used to authenticate end users who request access to a network
through a switch. It enables clients directly connected to the switch to be authenticated using a
captive-portal mechanism before the client is given access to the network. Web-based
authentication is client-based authentication and is supported in the multi-sessions mode in
both Layer 2 and Layer 3.
This method of authentication is enabled per port. When it is enabled on a port, each host on
that port must authenticate itself before it can access the network, so an enabled port can
carry both authenticated and unauthenticated hosts at the same time.
When web-based authentication is enabled on a port, the switch drops all traffic coming onto
the port from unauthorized clients, except for ARP, DHCP, and DNS packets. These packets
are allowed to be forwarded by the switch so that even unauthorized clients can get an IP
address and be able to resolve the host or domain names.
All HTTP/HTTPS over IPv4 packets from unauthorized clients are trapped to the CPU on the
switch. If web-based authentication is enabled on the port, a login page is displayed before
the requested page. The user must enter a username and password, which are authenticated
by a RADIUS server using the EAP protocol. If authentication is successful, the user is
informed.
The user now has an authenticated session. The session remains open while it is being used. If
it is not used for a specific time interval, the session is closed. This time interval is configured
by the system administrator and is called Quiet Time. When the session is timed-out, the
username/password is discarded, and the guest must re-enter them to open a new session.
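The per-host forwarding policy described above, together with the Quiet Time idle timeout, is simulated in the following added example; it is not switch code and not from the guide. It assumes well-known port numbers to recognise DHCP (67/68), DNS (53) and HTTP/HTTPS (80/443), since the guide names only the protocols, and the frame record, the stub RADIUS callback and the MAC values are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    """Constructed, minimal view of a frame: only the fields the policy looks at."""
    src_mac: str
    ethertype: str       # "ARP", "IPv4" or "IPv6"
    proto: str = ""      # "TCP" or "UDP" for IP frames
    dst_port: int = 0

# Port numbers are this example's assumption; the guide names the protocols only.
DHCP_PORTS = {67, 68}
DNS_PORT = 53
WEB_PORTS = {80, 443}

def classify_unauthorized(frame: Frame) -> str:
    """Decision for a frame from a host that has not authenticated on the port."""
    if frame.ethertype == "ARP":
        return "FORWARD"
    if frame.ethertype in ("IPv4", "IPv6"):
        if frame.proto == "UDP" and frame.dst_port in DHCP_PORTS:
            return "FORWARD"
        if frame.dst_port == DNS_PORT:
            return "FORWARD"
        # Only HTTP/HTTPS over IPv4 is redirected to the captive portal.
        if frame.ethertype == "IPv4" and frame.proto == "TCP" and frame.dst_port in WEB_PORTS:
            return "TRAP_TO_CPU"
    return "DROP"

class WebAuthPort:
    """One port with web-based authentication enabled, tracking a session per host."""
    def __init__(self, quiet_time_s: int):
        self.quiet_time = quiet_time_s
        self.sessions = {}   # src_mac -> time of last use

    def login(self, mac: str, username: str, password: str, now: int, radius) -> bool:
        """Captive-portal login; `radius` stands in for the RADIUS round trip."""
        if radius(username, password):
            self.sessions[mac] = now
            return True
        return False

    def handle(self, frame: Frame, now: int) -> str:
        last_used = self.sessions.get(frame.src_mac)
        if last_used is not None:
            if now - last_used > self.quiet_time:
                # Idle longer than Quiet Time: session closed, credentials discarded,
                # and the host is back to the unauthorized policy until it logs in again.
                del self.sessions[frame.src_mac]
            else:
                self.sessions[frame.src_mac] = now
                return "FORWARD"
        return classify_unauthorized(frame)

def demo():
    """Walk one host through login, use and idle timeout; a second host stays unauthorized."""
    port = WebAuthPort(quiet_time_s=300)
    radius = lambda u, p: (u, p) == ("guest", "s3cret")   # constructed stub
    trace = []
    trace.append(port.handle(Frame("aa:aa:aa:aa:aa:aa", "IPv4", "TCP", 80), now=0))      # TRAP_TO_CPU
    port.login("aa:aa:aa:aa:aa:aa", "guest", "s3cret", now=1, radius=radius)
    trace.append(port.handle(Frame("aa:aa:aa:aa:aa:aa", "IPv4", "TCP", 22), now=100))    # FORWARD
    trace.append(port.handle(Frame("bb:bb:bb:bb:bb:bb", "IPv4", "TCP", 22), now=100))    # DROP
    trace.append(port.handle(Frame("aa:aa:aa:aa:aa:aa", "IPv4", "TCP", 22), now=401))    # DROP (idle)
    return trace

if __name__ == "__main__":
    print(demo())
```

The trace shows the three states a host can be in on one port: redirected to the portal, forwarded after a successful login, and dropped again once it has been idle for longer than Quiet Time, while the second host on the same port remains unauthorized throughout. Note that HTTP over IPv6 falls through to DROP, matching the guide's statement that only IPv4 web traffic is trapped to the CPU.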
See Authentication Methods and Port Modes.