Advanced EAPOL features

Support for non-EAPOL hosts on EAPOL-enabled ports is primarily intended to accommodate printers and other dumb devices sharing a hub with EAPOL clients.

Support for non-EAPOL hosts on EAPOL-enabled ports includes the following features:

• EAPOL and authenticated non-EAPOL clients are allowed on the port at the same time. Authenticated non-EAPOL clients are hosts that satisfy one of the following criteria:
  — Host MAC address matches an entry in an allowed list preconfigured for the port.
  — Host MAC address is authenticated by RADIUS.
• Non-EAPOL hosts are allowed even if no authenticated EAPOL hosts exist on the port.
• When a new host is seen on the port, non-EAPOL authentication is performed as follows:
  — If the MAC address matches an entry in the preconfigured allowed MAC list, the host is allowed.
  — If the MAC address does not match an entry in the preconfigured allowed MAC list, the switch generates a pair, which it forwards to the network RADIUS server for authentication. For more information about the generated credentials, see "Non-EAPOL MAC RADIUS authentication" (page 32). If the MAC address is authenticated by RADIUS, the host is allowed.
  — If the MAC address does not match an entry in the preconfigured allowed MAC list and also fails RADIUS authentication, the host is counted as an intruder. Data packets from that MAC address are dropped.
  EAPOL authentication is not affected.
• For RADIUS-authenticated non-EAPOL hosts, VLAN information from RADIUS is ignored. Upon successful authentication, untagged traffic is put in a VLAN preconfigured for the port.
• For RADIUS-authenticated non-EAPOL hosts, VLAN information from RADIUS is ignored. Upon successful authentication, untagged traffic follows the PVID of the port.
• Non-EAPOL hosts continue to be allowed on the port until the maximum number of non-EAPOL hosts is reached. The maximum number of non-EAPOL hosts allowed is configurable.
• After the maximum number of allowed non-EAPOL hosts is reached, any data packets received from additional non-EAPOL hosts are dropped.

Nortel Ethernet Routing Switch 2500 Series
Security — Configuration and Management
NN47215-505 (323165-B) 02.01 Standard
4.1 19 November 2007
Copyright © 2007, Nortel Networks.
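The admission order for non-EAPOL hosts described in the feature list above, modelled as an added example for auditing a planned port configuration; it is not Nortel code or switch firmware. The class and function names, the `radius_accepts` callback and the sample MAC addresses are hypothetical. Assumptions not stated on the page: the host limit is checked before authentication, allowed-list and RADIUS-authenticated hosts both count toward it, and intruders do not.

```python
from dataclasses import dataclass, field
from typing import Callable, Set


def norm(mac: str) -> str:
    """Canonicalise a MAC so 00-1A-.., 001a.. and 00:1a:.. compare equal."""
    digits = "".join(c for c in mac if c.isalnum()).lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


@dataclass
class NonEapolPort:
    allowed_macs: Set[str]                 # preconfigured allowed list for the port
    radius_accepts: Callable[[str], bool]  # hypothetical stand-in for the RADIUS exchange
    max_hosts: int                         # configurable maximum of non-EAPOL hosts
    admitted: Set[str] = field(default_factory=set)
    intruders: Set[str] = field(default_factory=set)

    def __post_init__(self) -> None:
        self.allowed_macs = {norm(m) for m in self.allowed_macs}

    def classify(self, mac: str) -> str:
        """Return the verdict for a frame whose source MAC is `mac`."""
        mac = norm(mac)
        if mac in self.admitted:
            return "allowed"
        # Assumption: the host limit is applied before any authentication attempt.
        if len(self.admitted) >= self.max_hosts:
            return "dropped-limit"
        if mac in self.allowed_macs:
            self.admitted.add(mac)
            return "allowed-list"
        if self.radius_accepts(mac):
            self.admitted.add(mac)
            return "allowed-radius"
        # Fails both checks: counted as an intruder, its data packets are dropped.
        self.intruders.add(mac)
        return "intruder"


def demo() -> list:
    # Constructed sample data: one allowed-list MAC, one MAC known to RADIUS.
    radius_db = {"aabbccddeeff"}
    port = NonEapolPort({"00:11:22:33:44:55"}, lambda m: m in radius_db, max_hosts=2)
    seen = ["00-11-22-33-44-55", "de:ad:be:ef:00:01", "AABB.CCDD.EEFF",
            "00:11:22:33:44:66", "00:11:22:33:44:55"]
    return [port.classify(m) for m in seen]
```

The fourth constructed host is dropped only because the limit of two is already reached; with a larger `max_hosts` it would be evaluated against the allowed list and RADIUS like any other new host.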