Below is a brief overview of the authentication process that occurs between a supplicant, authenticator, and authentication server. For further details, refer to the IEEE 802.1x standard.
Either the authenticator (that is, a switch port) or the supplicant can initiate an authentication prompt exchange. The switch initiates an exchange when it detects a change in the status of a port (such as when the port transitions from no link to valid link), or if it receives a packet on the port with a source MAC address not in the MAC address table.
An authenticator starts the exchange by sending an EAP-Request/ Identity packet. A supplicant starts the exchange with an EAPOL-Start packet, to which the authenticator responds with a EAP-Request/ Identity packet.
The supplicant responds with an EAP-Response/Identity packet to the authentication server via the authenticator.
The authentication server responds with an EAP-Request packet to the supplicant via the authenticator.
The supplicant responds with an EAP-Response/MDS packet containing a username and password.
The authentication server sends either an EAP-Success packet or EAP-Reject packet to the supplicant.
Upon successful authorization of the supplicant by the authentication server, the switch adds the supplicant’s MAC address to the MAC address as an authorized address and begins forwarding network traffic to and from the port.
When the supplicant sends an EAPOL-Logoff prompt, the switch removes the supplicant’s MAC address from the MAC address table, preventing the supplicant from sending or receiving any further traffic from the port.
All of the ports on the AT-9400 Series switch are authenticator ports. An authenticator port can have one of three settings. These settings are referred to as the port control settings. The settings are:
Auto - Activates 802.1x port-based authentication. An authenticator port with this setting does not forward network traffic to or from the end node until the client has entered a username and password that the authentication server must validate. The port begins in the unauthorized state, sending and receiving only EAPOL frames. All other frames, including multicast and broadcast frames, are discarded. The authentication process begins when the link state of the port changes or the port receives an EAPOL-Start packet from a supplicant. The switch requests the identity of the client and begins relaying authentication prompts between the client and the authentication server. Each client that attempts to access the network is uniquely identified by the switch using the client's MAC address.
