Patch sr264-03 for AT-8600 series switches


The Authentication Server

The authentication server verifies the supplicant’s details, passed to it by the authenticator. This implementation of 802.1x control requires that a port acting as an authenticator must communicate with a RADIUS authentication server. The RADIUS server must be capable of receiving and deciphering EAP in RADIUS packets.

The authentication server must be connected to a port on the switch which does not have port authentication enabled, or is set with CONTROL=AUTHORISED.

The supported supplicant encryption mechanisms for communication with the RADIUS server are EAP-MD5 and EAP-OTP. With this enhancement the encryption methods supported by authenticators are EAP-MD5, EAP-OTP, EAP-TLS, EAP-TTLS, and EAP-PEAP.

Steps in the Authentication Process

Until authentication is successful, the supplicant can only access the authenticator to perform authentication message exchanges, or access services not controlled by the authenticator’s controlled port.

Initial 802.1x control begins with an unauthenticated supplicant and an authenticator. A port under 802.1x control acting as an authenticator is in an unauthorised state until authentication is successful.

1. Either the authenticator or the supplicant can initiate an authentication message exchange. The authenticator initiates the exchange by sending an EAPOL packet containing an encapsulated EAP-Request/Identity packet. The supplicant initiates the exchange by sending an EAPOL-Start packet, to which the authenticator responds by sending an EAPOL packet containing an encapsulated EAP-Request/Identity packet.

2. The supplicant sends an EAPOL packet containing an encapsulated EAP-Response/Identity packet to the authentication server via the authenticator, stating its identity.

3. The authentication server selects an EAP authentication algorithm to verify the supplicant's identity, and sends an EAP-Request packet to the supplicant via the authenticator.

4. The supplicant provides its authentication credentials to the authentication server via an EAP-Response packet.

5. The authentication server sends either an EAP-Success packet or an EAP-Reject packet to the supplicant via the authenticator.

6. Upon successful authorisation of the supplicant by the authentication server, a port under 802.1x control is in an authorised state, unless the MAC associated with the port is either physically or administratively inoperable. Also upon successful authorisation of the supplicant by the authentication server, the supplicant is allowed full access to services offered via the controlled port. If piggybacking is enabled on the authorised authenticator port, any other device connected will also be given full access.
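The six steps above as a worked model, added here as an example and not code from the patch note or the switch firmware. It assumes EAP-MD5 as the selected method, a constructed user database, and a hypothetical `AuthenticatorPort` class; it shows the port remaining unauthorised after EAP-Reject or while the link is down, and how enabling piggybacking extends access to every other MAC behind an authorised port.

```python
import hashlib
import os
from dataclasses import dataclass
# Constructed sample credential store on the RADIUS server (assumption: EAP-MD5 in use).
USER_DB = {"alice": b"s3cret"}

def md5_challenge_response(eap_id, password, challenge):
    """EAP-MD5 response: MD5(identifier || password || challenge), the CHAP construction."""
    return hashlib.md5(bytes([eap_id]) + password + challenge).digest()

@dataclass
class AuthenticatorPort:
    """One 802.1x-controlled port: stays unauthorised until the server returns EAP-Success."""
    piggyback: bool = False
    link_up: bool = True
    authorised: bool = False
    authorised_mac: str = ""
    def allows(self, mac):
        # Step 6: access needs an authorised port with a working link; other MACs
        # on the same port get through only when piggybacking is enabled.
        if not (self.authorised and self.link_up):
            return False
        return mac == self.authorised_mac or self.piggyback

def radius_verify(identity, eap_id, challenge, response):
    pw = USER_DB.get(identity)
    if pw is not None and md5_challenge_response(eap_id, pw, challenge) == response:
        return "EAP-Success"
    return "EAP-Reject"

def run_exchange(port, mac, identity, password, initiator="supplicant"):
    transcript = []
    # Step 1: either side may start; the authenticator always sends Request/Identity.
    if initiator == "supplicant":
        transcript.append(("supplicant->authenticator", "EAPOL-Start"))
    transcript.append(("authenticator->supplicant", "EAP-Request/Identity"))
    # Step 2: supplicant states its identity; the authenticator relays it to RADIUS.
    transcript.append(("supplicant->server", "EAP-Response/Identity " + identity))
    # Step 3: server selects EAP-MD5 and sends a challenge (constructed EAP id 1).
    eap_id, challenge = 1, os.urandom(16)
    transcript.append(("server->supplicant", "EAP-Request/MD5-Challenge"))
    # Step 4: supplicant answers with the hash, never the password itself.
    response = md5_challenge_response(eap_id, password, challenge)
    transcript.append(("supplicant->server", "EAP-Response/MD5-Challenge"))
    # Step 5: server verdict; Step 6: port state follows it.
    verdict = radius_verify(identity, eap_id, challenge, response)
    transcript.append(("server->supplicant", verdict))
    if verdict == "EAP-Success":
        port.authorised, port.authorised_mac = True, mac
    return verdict, transcript
```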

Patch sr264-03 for Software Release 2.6.4 C613-10407-00 REV C
