POEGEM12T2SFP User Manual

3-16. 802.1x Configuration

802.1x port-based network access control restricts access to network resources by authenticating the user's information. A user cannot gain access to network resources through an 802.1x-enabled port without authentication. Any user wishing to access the network through a port under 802.1x control must first input their account name for authentication and then wait for the authorisation to complete before sending or receiving any data through that port.

Before devices or end stations can access network resources through ports under 802.1x control, the following exchange takes place. The device or end station connected to a controlled port sends an authentication request to the authenticator. The authenticator passes the request to the authentication server, which authenticates and verifies the username and password. The server then tells the authenticator whether access has been granted for that port.

According to IEEE 802.1x, three components are implemented: the Authenticator, the Supplicant and the Authentication server.

Supplicant:

The supplicant is an entity being authenticated by an authenticator. It communicates with the Authenticator PAE (Port Access Entity) by exchanging authentication messages when the Authenticator PAE requests it.

Authenticator:

The Authenticator controls the state of the port, authorised or unauthorised, according to the result of the authentication messages exchanged between it and a supplicant PAE. The authenticator may request the supplicant to re-authenticate itself at a configured time interval. Once re-authentication of the supplicant starts, the controlled port stays in the authorised state until re-authentication fails.

A port acting as an authenticator is treated as two logical ports: a controlled port and an uncontrolled port. The controlled port can only pass packets when the authenticator PAE is authorised. The uncontrolled port, by contrast, unconditionally passes, at any time, the packets addressed to the PAE group MAC address, which has a value of 01-80-c2-00-00-03. Packets sent to this address are not forwarded by the MAC bridge.

Authentication server:

A device that provides the authentication service, through EAP, to an authenticator. It uses the authentication credentials supplied by the supplicant to determine whether the supplicant is authorised to access the network resource.
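The controlled/uncontrolled port behaviour and the re-authentication rule described above can be modelled as follows. This is an added example, not code from the manual or the switch firmware; the class, function and sample frame names are hypothetical, and the EtherType 0x888E used in the sample frame comes from IEEE 802.1X rather than from this manual.

```python
import struct
from enum import Enum

PAE_GROUP_MAC = bytes.fromhex("0180c2000003")  # 01-80-c2-00-00-03, from the manual
ETHERTYPE_EAPOL = 0x888E  # assumption: EAPOL EtherType per IEEE 802.1X


class Decision(Enum):
    TO_PAE = "uncontrolled port: handed to the authenticator PAE, not bridged"
    FORWARD = "controlled port: forwarded"
    DROP = "controlled port: blocked"


class AuthenticatorPort:
    """Hypothetical model of one 802.1x-enabled switch port."""

    def __init__(self):
        self.authorised = False          # controlled port starts unauthorised
        self.reauth_in_progress = False

    def start_reauth(self) -> None:
        # The authorised state is left untouched: the port stays authorised
        # until re-authentication actually fails.
        self.reauth_in_progress = True

    def auth_result(self, success: bool) -> None:
        # Outcome of an initial authentication or of a re-authentication.
        self.reauth_in_progress = False
        self.authorised = success

    def classify(self, frame: bytes) -> Decision:
        if len(frame) < 14:
            return Decision.DROP         # truncated Ethernet header
        dst, _src, _ethertype = struct.unpack("!6s6sH", frame[:14])
        if dst == PAE_GROUP_MAC:
            return Decision.TO_PAE       # passes regardless of port state
        return Decision.FORWARD if self.authorised else Decision.DROP


def eth(dst: str, ethertype: int, payload: bytes = b"") -> bytes:
    """Build a constructed sample frame; the source MAC is a made-up value."""
    src = bytes.fromhex("020000000001")
    header = bytes.fromhex(dst.replace("-", "")) + src + struct.pack("!H", ethertype)
    return header + payload


# Constructed sample frames (not captured traffic)
EAPOL_START = eth("01-80-c2-00-00-03", ETHERTYPE_EAPOL, b"\x01\x01\x00\x00")
IPV4_DATA = eth("ff-ff-ff-ff-ff-ff", 0x0800, b"\x45" + b"\x00" * 19)
```
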


Alloy Computer Products Pty Ltd Copyright ©2006
