Deciding when a supplicant fails authentication – Allied Telesis AlliedWare Plus Operating System Version 5.4.4C (x310-26FT,x310-26FP,x310-50FT,x310-50FP) User Manual
Authentication Introduction and Configuration
Software Reference for x310 Series Switches, AlliedWare Plus™ Operating System - Version 5.4.4C, C613-50046-01 REV A
Deciding When a Supplicant Fails Authentication
Although the treatment of packets from unauthenticated supplicants does not
differentiate between the three categories of supplicant, it is still useful to know for sure
when the switch decides that a supplicant has failed authentication.
The rules for deciding that a supplicant has failed authentication are listed below for each
type of authentication available:
Deciding when a supplicant fails 802.1X authentication
If the supplicant responds to EAP authentication requests, and the supplicant’s
authentication information is sent to the RADIUS server, and the RADIUS server replies
with an Authentication-Reject, then the supplicant is immediately deemed to have failed
authentication.
If the supplicant does not respond to EAP authentication requests, then the switch will
resend the authentication requests up to a maximum number of attempts set by the
command
(the default is 2). The interval between the attempts is
set by the command
(the default is 30 seconds). If the
supplicant still has not responded after this, it is deemed to have not attempted
authentication.
See
for 802.1X authentication command information.
Deciding when a supplicant fails Web authentication
As soon as the supplicant attempts any web-browsing, the switch will intercept the web
session, and present the supplicant with an authentication request page. If the user enters
a username and password, and clicks the login button, then the switch will send the
username and password to the RADIUS server. If the RADIUS server replies with an
Authentication-Reject, then the supplicant is immediately deemed to have failed
authentication.
While the supplicant has not yet attempted any web-browsing, or has received the
authentication request page but has not yet clicked the login button, the supplicant is
deemed to be not yet authenticated (as opposed to not able to authenticate).
See Chapter 43, Authentication Commands for Web authentication command information.
Deciding when a supplicant fails MAC authentication
As soon as the supplicant sends any packet, the source MAC address from the packet will
be sent to the RADIUS server for authentication. If the RADIUS server replies with an
Authentication-Reject, then the supplicant is immediately deemed to have failed
authentication.
With MAC auth there really is no concept of not-yet-attempted authentication, because
authentication is attempted as soon as a supplicant sends a packet.
See Chapter 43, Authentication Commands for MAC authentication command information.
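The rules above for all three authentication types, written as a small classifier over a supplicant's event timeline. This is an added example, not code from the manual or from AlliedWare Plus: the event names, the Verdict labels and the classify function are hypothetical, and it assumes the first EAP request is not counted among the resends.

```python
from enum import Enum

class Verdict(Enum):
    AUTHENTICATED = "authenticated"
    FAILED = "failed authentication"
    NOT_ATTEMPTED = "not attempted authentication"
    NOT_YET = "not yet authenticated"

def classify(method, events, max_resends=2):
    """Apply the page's rules to one supplicant's ordered event list.

    method is "dot1x", "web" or "mac". Event names are hypothetical labels
    invented for this example; they are not switch log messages.
    Assumption: the first EAP request is not counted among the resends, so
    "not attempted" needs max_resends + 1 unanswered requests in a row.
    """
    if method not in ("dot1x", "web", "mac"):
        raise ValueError(f"unknown method: {method}")
    unanswered = 0
    verdict = None if method == "mac" else Verdict.NOT_YET  # mac: nothing seen yet
    for ev in events:
        if ev == "radius_reject":      # a reject is immediate for all three types
            return Verdict.FAILED
        if ev == "radius_accept":
            return Verdict.AUTHENTICATED
        if method == "dot1x" and ev == "eap_request_unanswered":
            unanswered += 1
            if unanswered > max_resends:
                verdict = Verdict.NOT_ATTEMPTED
        elif method == "dot1x" and ev == "eap_response":
            unanswered = 0             # the supplicant is taking part after all
            verdict = Verdict.NOT_YET
        elif method == "mac" and ev == "packet_seen":
            verdict = Verdict.NOT_YET  # MAC sent to RADIUS, reply still pending
    return verdict                     # web events before a reply stay NOT_YET

SAMPLES = [  # constructed timelines, one per supplicant
    ("dot1x", ["eap_response", "radius_reject"]),
    ("dot1x", ["eap_request_unanswered"] * 3),
    ("dot1x", ["eap_request_unanswered"] * 2),
    ("web", ["login_page_shown"]),
    ("web", ["login_page_shown", "login_submitted", "radius_reject"]),
    ("mac", ["packet_seen", "radius_reject"]),
]

if __name__ == "__main__":
    for method, events in SAMPLES:
        print(method, events, "->", classify(method, events))
```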