Authentication process – Allied Telesis AT-S63 User Manual
Page 719

AT-S63 Management Software Menus Interface User’s Guide
Section VII: Port Security
Authenticator - The authenticator is a port on the switch that prohibits 
network access by a supplicant until the supplicant has been validated 
by the RADIUS server.
Authentication server - The authentication server is the network device 
that has the RADIUS server software. This is the device that does the 
actual authenticating of the supplicants.
The AT-9400 Series switch does not authenticate any of the supplicants 
connected to its ports. Its function is to act as an intermediary between a 
supplicant and the authentication server during the authentication process.
Authentication Process
Below is a brief overview of the authentication process that occurs 
between a supplicant, authenticator, and authentication server. For further 
details, refer to the IEEE 802.1x standard.
Either the authenticator (that is, a switch port) or the supplicant initiates 
an authentication message exchange. The switch initiates an 
exchange when it detects a change in the status of a port (such as 
when the port transitions from no link to valid link), or if it receives a 
packet on the port with a source MAC address not in the MAC address 
table.
An authenticator starts the exchange by sending an 
EAP-Request/Identity packet. A supplicant starts the exchange with an 
EAPOL-Start packet, to which the authenticator responds with an 
EAP-Request/Identity packet.
The supplicant responds with an EAP-Response/Identity packet to the 
authentication server via the authenticator.
The authentication server responds with an EAP-Request packet to 
the supplicant via the authenticator.
The supplicant responds with an EAP-Response/MD5 packet 
containing a username and password.
The authentication server sends either an EAP-Success packet or 
EAP-Reject packet to the supplicant.
Upon successful authorization of the supplicant by the authentication 
server, the switch adds the supplicant’s MAC address to the MAC 
address table as an authorized address and begins forwarding network 
traffic to and from the port.
When the supplicant sends an EAPOL-Logoff message, the switch 
removes the supplicant’s MAC address from the MAC address table, 
preventing the supplicant from sending or receiving any further traffic 
from the port.
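
The exchange above, decoded frame by frame, as an added example that is not part of the manual or the AT-S63 software. It parses EAPOL PDUs (the bytes after the Ethernet header) using the type and code numbers from IEEE 802.1X and RFC 3748, and tracks whether the port would be authorized; the helper names, identity string and challenge bytes are constructed for illustration.

```python
import struct

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff"}   # IEEE 802.1X
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}  # RFC 3748
EAP_METHODS = {1: "Identity", 4: "MD5-Challenge"}

def eap(code, ident, method=None, data=b""):
    """Build a constructed EAP packet wrapped in an EAPOL (version 1) PDU."""
    body = (bytes([method]) + data) if method is not None else b""
    pkt = struct.pack("!BBH", code, ident, 4 + len(body)) + body
    return struct.pack("!BBH", 1, 0, len(pkt)) + pkt

def describe(pdu):
    """Return a label such as 'EAP-Request/Identity' for one EAPOL PDU."""
    if len(pdu) < 4:
        raise ValueError("truncated EAPOL header")
    _ver, ptype, length = struct.unpack("!BBH", pdu[:4])
    body = pdu[4:4 + length]
    if len(body) != length:
        raise ValueError("EAPOL body shorter than its length field")
    if ptype != 0:
        return EAPOL_TYPES.get(ptype, f"EAPOL-type-{ptype}")
    if length < 4:
        raise ValueError("truncated EAP header")
    code, _ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len < 4 or eap_len > length:
        raise ValueError("EAP length field inconsistent with EAPOL length")
    name = "EAP-" + EAP_CODES.get(code, f"code-{code}")
    if code in (1, 2) and eap_len >= 5:          # Request/Response carry a method type
        name += "/" + EAP_METHODS.get(body[4], f"type-{body[4]}")
    return name

def replay(pdus):
    """Replay PDUs seen on one port; return (labels, port_authorized)."""
    labels, authorized = [], False               # port starts unauthorized
    for pdu in pdus:
        label = describe(pdu)
        labels.append(label)
        if label == "EAP-Success":
            authorized = True
        elif label in ("EAP-Failure", "EAPOL-Logoff"):  # RFC name for the reject packet
            authorized = False
    return labels, authorized

# Constructed sample exchange (identity and challenge bytes are made up).
START, LOGOFF = b"\x01\x01\x00\x00", b"\x01\x02\x00\x00"
EXCHANGE = [START, eap(1, 1, 1), eap(2, 1, 1, b"alice"),
            eap(1, 2, 4, b"\x10" + bytes(16)), eap(2, 2, 4, b"\x10" + bytes(16)),
            eap(3, 2)]
```

Calling `replay(EXCHANGE)` returns the message labels in the order the steps above describe, with the port authorized; appending `LOGOFF` returns it to unauthorized.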
