CHAPTER 9: AAA AND RADIUS OPERATION

The LAN access control device acts as the 802.1x Authenticator System. The user computers must run 802.1x client (Supplicant) software, for example the 802.1x client provided with Microsoft Windows XP. The 802.1x Authentication Server system normally resides in the carrier's AAA center.

The Authenticator and the Authentication Server exchange information in EAP (Extensible Authentication Protocol) frames. The Supplicant and the Authenticator exchange information in EAPoL (Extensible Authentication Protocol over LANs) frames, as defined by IEEE 802.1x. The authentication data are encapsulated in the EAP frame, which is in turn encapsulated in the packets of an upper layer AAA protocol (e.g. RADIUS). This provides a channel across a complex network to the Authentication Server. This procedure is called EAP Relay.

The Authenticator has two types of port: the Uncontrolled Port and the Controlled Port. The Uncontrolled Port is always in a bi-directional connected state, and the user can exchange frames through it at any time. The Controlled Port enters the connected state only after the user passes authentication; only then is the user allowed to access the network resources.

Figure 55 802.1x System Architecture (diagram not reproduced; it shows the Requester system with its Requester, the Authenticator system with its Authenticator PAE, the services offered by the Authenticator system, its Uncontrolled port and Controlled port, and the Authenticator server system with its Authenticator server; EAPoL runs over the LAN between the Requester and the Authenticator, and EAP protocol exchanges are carried in a higher layer protocol between the Authenticator and the Authenticator server.)

The tasks for configuring the 802.1x System Architecture are described in the following sections:

802.1x Authentication Process

Implement 802.1x on Ethernet Switch

802.1x Authentication Process

802.1x uses EAP frames to carry the authentication information. The standard defines the following types of EAP frames:

EAP-Packet: Authentication information frame, used to carry the authentication information (the EAP packet itself).

EAPoL-Start: Authentication originating frame, actively sent by the Supplicant to start authentication.

EAPoL-Logoff: Logoff request frame, sent to actively terminate the authenticated state.
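The frame types above, together with the Controlled and Uncontrolled Port behaviour described earlier in this section, can be tied together in code. The following is an added example and is not code from the 3Com manual or from the switch software: a Python parser for EAPoL frames that checks every length field before indexing, plus a minimal model of one Authenticator port that authorizes its Controlled Port only when an EAP Success arrives from the Authentication Server, never on a Success frame offered by the Supplicant side. The EAPoL type codes and EAP codes are the real IEEE 802.1x and RFC 3748 values; the MAC addresses, identity string and frame sequence are constructed for the demonstration.

```python
"""IEEE 802.1X EAPOL frame parsing and a minimal Authenticator port model.

Added example, not code from the 3Com manual. EAPOL type codes and EAP codes
are the values from IEEE 802.1X and RFC 3748; all frames below are constructed.
"""
import struct
from enum import IntEnum

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE group multicast MAC


class EapolType(IntEnum):
    EAP_PACKET = 0   # EAP-Packet: carries an EAP packet
    START = 1        # EAPoL-Start: Supplicant asks to be authenticated
    LOGOFF = 2       # EAPoL-Logoff: Supplicant ends the authenticated state
    KEY = 3
    ASF_ALERT = 4


class EapCode(IntEnum):
    REQUEST = 1
    RESPONSE = 2
    SUCCESS = 3
    FAILURE = 4


def build_eapol(src: bytes, etype: EapolType, body: bytes = b"", dst: bytes = PAE_GROUP_ADDR) -> bytes:
    """Ethernet II header + 4-byte EAPOL header (protocol version 1) + body."""
    return dst + src + struct.pack("!H", ETHERTYPE_EAPOL) + struct.pack("!BBH", 1, etype, len(body)) + body


def build_eap(code: EapCode, ident: int, data: bytes = b"") -> bytes:
    """EAP packet: code, identifier, total length (header included), then type/data."""
    return struct.pack("!BBH", code, ident, 4 + len(data)) + data


def parse_eapol(frame: bytes) -> dict:
    """Decode an EAPOL frame; every length is validated so a short or forged field is rejected."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not EAPOL: ethertype 0x{ethertype:04x}")
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL length field exceeds frame")   # truncated or forged length
    msg = {"src": frame[6:12].hex(":"), "version": version, "type": EapolType(ptype), "body": body}
    if msg["type"] is EapolType.EAP_PACKET:
        if body_len < 4:
            raise ValueError("EAP header needs 4 bytes")
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        if eap_len < 4 or eap_len > body_len:
            raise ValueError("EAP length inconsistent with EAPOL body")
        msg["eap"] = {"code": EapCode(code), "id": ident, "data": body[4:eap_len]}
    return msg


class AuthenticatorPort:
    """One Authenticator port: the Uncontrolled Port always passes EAPOL, while the
    Controlled Port carries user traffic only while `authorized` is True."""

    def __init__(self):
        self.authorized = False
        self.pending_id = None   # identifier of the EAP exchange in progress, if any

    def from_supplicant(self, frame: bytes) -> str:
        """Handle an EAPOL frame received on the Uncontrolled Port from the Supplicant."""
        msg = parse_eapol(frame)
        if msg["type"] is EapolType.START:
            self.pending_id = 1
            return "send EAP-Request/Identity"
        if msg["type"] is EapolType.LOGOFF:
            self.authorized = False
            self.pending_id = None
            return "controlled port unauthorized"
        if msg["type"] is EapolType.EAP_PACKET:
            if msg["eap"]["code"] is EapCode.RESPONSE and self.pending_id is not None:
                return "relay EAP-Response to Authentication Server"   # the EAP Relay step
            return "discard"   # Success/Failure come only from the server, never from this side
        return "ignore"

    def from_server(self, eap_packet: bytes) -> str:
        """Handle the EAP packet extracted from the Authentication Server's AAA (e.g. RADIUS) reply."""
        if len(eap_packet) < 4:
            raise ValueError("EAP packet from server too short")
        code = EapCode(eap_packet[0])
        if code is EapCode.SUCCESS:
            self.authorized = True
            self.pending_id = None
            return "controlled port authorized"
        if code is EapCode.FAILURE:
            self.authorized = False
            return "controlled port stays unauthorized"
        return "forward EAP-Request to Supplicant"


def demo() -> list:
    """Walk one constructed session: Start, Identity response, Success from server, Logoff."""
    supplicant = bytes.fromhex("001122334455")   # constructed MAC address
    port = AuthenticatorPort()
    steps = [port.from_supplicant(build_eapol(supplicant, EapolType.START))]
    identity = build_eap(EapCode.RESPONSE, 1, b"\x01user@example.com")   # EAP type 1 = Identity
    steps.append(port.from_supplicant(build_eapol(supplicant, EapolType.EAP_PACKET, identity)))
    steps.append(port.from_server(build_eap(EapCode.SUCCESS, 1)))
    steps.append(port.authorized)
    steps.append(port.from_supplicant(build_eapol(supplicant, EapolType.LOGOFF)))
    steps.append(port.authorized)
    return steps


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The parser rejects a frame whose EAPOL length field claims more bytes than are present, which is the kind of malformed input a Supplicant-side process can send at the Authenticator's Uncontrolled Port; the port model authorizes the Controlled Port only on a Success delivered through the server path, so an EAP Success frame injected from the LAN side is simply discarded.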

3Com 10014298 manual 802.1x Authentication Process, 802.1x System Architecture