Port roles – Allied Telesis AT-S60 User Manual


Chapter 28: 802.1x Port-based Access Control

Section V: Security Features


7. When the supplicant sends an EAPOL-Logoff message, the switch
removes the supplicant’s MAC address from the MAC address table,
preventing the supplicant from sending or receiving any further
traffic from the port.

Port Roles

In order to implement this feature, you need to specify the roles of the
ports on the switch. You can assign a port one of the following roles:

❑ None

❑ Authenticator

❑ Supplicant

None Role

A port in the none role does not participate in port-based access control.
Any device can connect to the port and send traffic through it and
receive traffic from it without having to authenticate by providing a
username and password. This is the default setting for a port.

Set a port to this role if you do not want its client to have to authenticate
to use the network. This also happens to be the correct role for a port
that’s connected to an authentication server. Since an authentication
server cannot authenticate itself, the port to which it is connected must
be set to this role.

Authenticator Role

Placing a port in the authenticator role activates port-based access
control on the port. A port in the role of authenticator does not forward
network traffic to or from the client until the client has entered a
username and password and the authentication server has validated
them.

Determining whether a port should be set to the authenticator role is
straightforward. If you want the user of the client connected to the port
to log in before using the network, then you set the port to the
authenticator role.

The authenticator role is shown in Figure 177 on page 553. Port 1.8 on
the switch is set to the authenticator role because it is connected to a
client with 802.1x client software. The end user at the workstation must
log on to use the network.
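
The role guidance above can be checked against a port inventory. The following is an added example, not part of the AT-S60 manual or software; the inventory format, the `attached` labels and the sample ports other than 1.8 are assumptions constructed for illustration.

```python
# Added example: audit a port inventory against the none/authenticator guidance.
# The Port fields and the "attached" labels are assumptions, not AT-S60 output.
from dataclasses import dataclass

ROLES = {"none", "authenticator", "supplicant"}

@dataclass
class Port:
    port: str      # port identifier, e.g. "1.8"
    role: str      # none | authenticator | supplicant
    attached: str  # constructed label: "client" or "auth-server"

def audit(ports):
    """Return (port, severity, message) findings for role/attachment mismatches."""
    findings = []
    for p in ports:
        role = p.role.lower()
        if role not in ROLES:
            findings.append((p.port, "error", f"unknown role {p.role!r}"))
        elif p.attached == "auth-server" and role != "none":
            # The server cannot authenticate itself, so its port must be 'none'.
            findings.append((p.port, "error",
                             "authentication server port must use the none role"))
        elif p.attached == "client" and role == "none":
            # 'none' is the default: any device can send and receive traffic.
            findings.append((p.port, "warn",
                             "client port in none role: no login required"))
        # Supplicant ports are not evaluated; this page does not describe them.
    return findings

# Constructed sample inventory.
SAMPLE = [
    Port("1.8", "authenticator", "client"),
    Port("1.9", "none", "client"),
    Port("1.10", "authenticator", "auth-server"),
    Port("1.11", "none", "auth-server"),
]

if __name__ == "__main__":
    for port, sev, msg in audit(SAMPLE):
        print(f"{sev.upper():5} port {port}: {msg}")
```

The warning on a client port in the none role is a review item rather than an error, since the none role is a valid choice for clients that should not have to authenticate.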
