Cisco Systems DOC-7814982 Device Roles

8-2

Catalyst 2950 Desktop Switch Software Configuration Guide

78-14982-01

Chapter 8 Configuring 802.1X Port-Based Authentication

Unders tanding 802.1X Port-Based Authentication

Device Roles

With 802.1X port-based authentication, the devices in the network have specific roles as shown in

Figure 8-1.

Figure 8-1 802.1X Device Roles

•Client—the device (workstation) t hat reques ts access to th e LAN and swit ch servic es and responds

to requests from the switch.The workstation must be running 802.1X-compliant client software such

as tha t offere d in the Mic rosoft Windows XP opera ting syst em. ( The cli ent is th e supplicant in the

IEEE 8 02. 1X sp ec ificat ion.)

Note To resolve Windows XP network connectivity and 802.1X authentication issues, read the

Microsoft Knowledge Base article at this URL:

http://support.microsoft.com/support/kb/articles/Q303/5/97.ASP

•Authentication server—performs the actual authentication of the client. The authentication server

validates the identity of the client and notifies the switch whether or not the client is authorized to

access th e LAN a nd switch services. Beca use the swit ch acts as the prox y, the authentica tion service

is transparent to the client. In this release, the Remote Authentication Dial-In User Service

(RADIUS) security system with Extensible Authentication Protocol (EAP) extensions is the only

supported authentication server; it is available in Cisco Secure Access Control Server version 3.0.

RADIUS oper ates in a cl ient/ser ver model in which secu re authen ticati on inf ormation is e xch anged

between the RADIUS server and one or more RADIUS clients.

•Switch (edge switch or wireless access point)—controls the physical access to the network based on

the auth entica tion status of the client . The sw itch a cts as an interm ediary (proxy) bet ween t he cli ent

and the authentication server, requesting identity information from the client, ve rifying that

informatio n with the authen tication serv er , and relaying a response to the client. The switch includes

the RADIUS client, which is responsible for encapsulating and decapsulating the Extensible

Authentication Protocol (EAP) frames and interacting with the authentication server.

When the sw itch receives EAPOL fram es an d re lay s them to the auth entication server, the Ether net

header is stripped and the remaining EAP frame is re-encapsulated in the RADIUS format. The EAP

frames a re not modified or examined durin g encapsula tion, and the authent icati on server must

support EAP within the native frame format. When the switch receives frames from the

auth ent icat ion ser ver, th e server ’s frame header is removed, leaving the EAP frame, which is then

encapsulated for Ethernet and sent to the client.

The devices that can act as intermediaries include the Catalyst 3550 multilayer switch, the Catalyst

2950 swit ch, or a w ire les s a cce ss poi nt. Th ese devices m ust be ru nning so ftwar e th at sup por ts the

RADIUS client and 802.1X.

Workstations

(clients)

Catalyst 2950

or 3550

(switch)

Authentication

server

(RADIUS)

74615