Authentication process – Allied Telesis AT-S39 User Manual
Page 204
Section II: Local and Telnet Management
❑ Authentication server - The authentication server is the network
device that has the RADIUS server software. This is the device that
will do the actual authenticating of the user names and passwords
from the supplicants.
The AT-8524M switch itself does not authenticate the user names and
passwords from the clients. Rather, it simply acts as an intermediary
between a supplicant and the authentication server during the
authentication process.
Authentication Process
Below is a brief overview of the authentication process that occurs
between a supplicant, authenticator, and authentication server. For
further details, refer to the IEEE 802.1x standard.
1. Either the authenticator port or the supplicant can initiate an
authentication message exchange. The switch initiates an exchange
when it detects a change in the status of a port (such as when the port
transitions from no link to valid link), or if it receives a packet on the
port with a source MAC address not in the MAC address table.
An authenticator starts the exchange by sending an
EAP-Request/Identity packet. A supplicant starts the exchange with an
EAPOL-Start packet, to which the authenticator responds with an
EAP-Request/Identity packet.
2. The supplicant responds with an EAP-Response/Identity packet to
the authentication server via the authenticator.
3. The authentication server responds with an EAP-Request packet to
the supplicant via the authenticator.
4. The supplicant responds with an EAP-Response/MD5 packet
containing a username and password.
5. The authentication server sends either an EAP-Success packet or
EAP-Reject packet to the supplicant.
6. Upon successful authorization of the supplicant by the
authentication server, the switch adds the supplicant’s MAC address
to the MAC address table as an authorized address and begins
forwarding network traffic to and from the port.
7. When the supplicant sends an EAPOL-Logoff message, the switch
removes the supplicant’s MAC address from the MAC address table,
preventing the supplicant from sending or receiving any further
traffic from the port.
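
The exchange in steps 1 through 7, as an added example that is not part of the manual or of Allied Telesis software: a small parser that labels each EAPOL PDU from a capture and replays the labels to decide whether the port should be forwarding. The function names, the sample identity "alice" and the sample PDUs are constructed for illustration; the header layout (version, type, length, then EAP code, identifier, length, type) follows IEEE 802.1X and RFC 3748.

```python
import struct

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff"}
# Code 4 is named Failure in RFC 3748; the overview above calls it EAP-Reject.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_METHODS = {1: "Identity", 4: "MD5"}  # EAP Type 4 is MD5-Challenge

def classify_eapol(pdu: bytes) -> str:
    """Label one EAPOL PDU (the bytes that follow EtherType 0x888E)."""
    if len(pdu) < 4:
        raise ValueError("truncated EAPOL header")
    _version, ptype, body_len = struct.unpack("!BBH", pdu[:4])
    body = pdu[4:4 + body_len]
    if len(body) != body_len or (ptype == 0 and body_len < 4):
        raise ValueError("EAPOL body truncated")
    if ptype != 0:
        return EAPOL_TYPES.get(ptype, f"EAPOL-type-{ptype}")
    code, _ident, eap_len = struct.unpack("!BBH", body[:4])
    min_len = 5 if code in (1, 2) else 4  # Request/Response carry a Type byte
    if not min_len <= eap_len <= len(body):
        raise ValueError("EAP length field disagrees with EAPOL body")
    label = "EAP-" + EAP_CODES.get(code, f"code-{code}")
    if code in (1, 2):
        label += "/" + EAP_METHODS.get(body[4], f"type-{body[4]}")
    return label

def port_authorized(pdus) -> bool:
    """Replay a capture; True if the port ends up forwarding (steps 6 and 7)."""
    authorized = False
    for label in map(classify_eapol, pdus):
        if label in ("EAP-Success", "EAP-Failure", "EAPOL-Logoff"):
            authorized = label == "EAP-Success"
    return authorized

def eap(code, ident, method=None, data=b""):
    """Build a constructed EAPOL v1 EAP-Packet for the sample exchange."""
    payload = b"" if method is None else bytes([method]) + data
    body = struct.pack("!BBH", code, ident, 4 + len(payload)) + payload
    return struct.pack("!BBH", 1, 0, len(body)) + body

# Constructed sample exchange (not a real capture); "alice" is a made-up identity.
MD5_VALUE = b"\x10" + bytes(16)  # value-size byte + 16 placeholder bytes
EXCHANGE = [
    bytes([1, 1, 0, 0]),                                # EAPOL-Start
    eap(1, 1, 1), eap(2, 1, 1, b"alice"),               # Identity request/response
    eap(1, 2, 4, MD5_VALUE), eap(2, 2, 4, MD5_VALUE),   # MD5 request/response
    eap(3, 2), bytes([1, 2, 0, 0]),                     # EAP-Success, EAPOL-Logoff
]
```

A capture in which `port_authorized` returns True but the switch shows no matching authorized MAC address entry, or the reverse, is the mismatch worth investigating.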